GMER & RSIT log


This topic is locked
52 replies to this topic

#1 schaffnuts

Posted 04 February 2010 - 10:54 PM

OOOOOOOOOOK, so here is where I am at...
Orange Blossom has been helping me over at this link:
http://www.bleepingcomputer.com/forums/t/289997/computer-will-not-boot-properly-well-at-all/

I have tried everything OB has suggested to me, and these are the first programs that did what they were supposed to do.

I was unable to make DDS work properly.

I believe I have more than one problem, but the most noticeable is Internet Security 2010.


RSIT LOG FILE
Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2010-02-04 15:51:13
Microsoft Windows XP Professional Service Pack 2
System drive C: has 26 GB (67%) free of 38 GB
Total RAM: 2047 MB (85% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:57 PM, on 2/4/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\smss32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\trend micro\Administrator.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe
O4 - HKUS\S-1-5-18\..\Run: [BMIMZMHMFM] C:\WINDOWS\TEMP\Kkl.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [WS9E3IQBKY] C:\WINDOWS\TEMP\Kkk.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [extrac64_cab.exe] C:\WINDOWS\TEMP\extrac64_cab.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [BMIMZMHMFM] C:\WINDOWS\TEMP\Kkl.exe (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...etup1.0.1.1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1264199972000
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\iEvony\Skype4COM.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4801 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\WGASetup.job
C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-25 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [2004-08-04 158208]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-09-01 282624]
"smss32.exe"=C:\WINDOWS\system32\smss32.exe [2010-01-24 20992]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"Internet Security 2010"=C:\Program Files\InternetSecurity2010\IS2010.exe [2010-01-26 1117184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-09-04 935288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
C:\Program Files\DAEMON Tools Lite\daemon.exe [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2006-09-01 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2009-11-12 180269]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
C:\PROGRA~1\COMMON~1\AUTODE~1\ACSTAR~1.EXE [2004-02-24 10872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoSetActiveDesktop"=1
"NoActiveDesktopChanges"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoSetActiveDesktop"=
"NoActiveDesktopChanges"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Corel\DVD9\WinDVD.exe"="C:\Program Files\Corel\DVD9\WinDVD.exe:*:Enabled:WinDVD"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
shell\AutoRun\command - G:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
shell\AutoRun\command - L:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2010-02-04 15:51:14 ----D---- C:\Program Files\trend micro
2010-02-04 15:51:13 ----D---- C:\rsit
2010-01-30 13:49:05 ----A---- C:\WINDOWS\system32\12052.exe
2010-01-30 13:29:05 ----A---- C:\WINDOWS\system32\4031.exe
2010-01-30 13:09:05 ----A---- C:\WINDOWS\system32\15574.exe
2010-01-30 12:49:05 ----A---- C:\WINDOWS\system32\23655.exe
2010-01-30 12:29:05 ----A---- C:\WINDOWS\system32\24767.exe
2010-01-30 12:09:05 ----A---- C:\WINDOWS\system32\22355.exe
2010-01-30 11:49:05 ----A---- C:\WINDOWS\system32\18636.exe
2010-01-30 11:29:05 ----A---- C:\WINDOWS\system32\9161.exe
2010-01-30 11:09:05 ----A---- C:\WINDOWS\system32\13290.exe
2010-01-30 10:49:05 ----A---- C:\WINDOWS\system32\23986.exe
2010-01-30 10:29:05 ----A---- C:\WINDOWS\system32\16512.exe
2010-01-30 10:09:05 ----A---- C:\WINDOWS\system32\5097.exe
2010-01-30 09:49:05 ----A---- C:\WINDOWS\system32\15573.exe
2010-01-30 09:29:05 ----A---- C:\WINDOWS\system32\26777.exe
2010-01-30 09:09:05 ----A---- C:\WINDOWS\system32\5829.exe
2010-01-30 08:49:05 ----A---- C:\WINDOWS\system32\6270.exe
2010-01-30 08:29:05 ----A---- C:\WINDOWS\system32\19072.exe
2010-01-30 08:09:05 ----A---- C:\WINDOWS\system32\26924.exe
2010-01-30 07:49:05 ----A---- C:\WINDOWS\system32\28745.exe
2010-01-30 07:29:05 ----A---- C:\WINDOWS\system32\5021.exe
2010-01-30 07:09:05 ----A---- C:\WINDOWS\system32\22386.exe
2010-01-30 06:49:05 ----A---- C:\WINDOWS\system32\31673.exe
2010-01-30 06:29:05 ----A---- C:\WINDOWS\system32\2306.exe
2010-01-30 06:09:05 ----A---- C:\WINDOWS\system32\13977.exe
2010-01-30 05:49:05 ----A---- C:\WINDOWS\system32\9930.exe
2010-01-30 05:29:05 ----A---- C:\WINDOWS\system32\22704.exe
2010-01-30 05:09:05 ----A---- C:\WINDOWS\system32\29658.exe
2010-01-30 04:49:05 ----A---- C:\WINDOWS\system32\4639.exe
2010-01-30 04:29:05 ----A---- C:\WINDOWS\system32\31115.exe
2010-01-30 04:09:05 ----A---- C:\WINDOWS\system32\4833.exe
2010-01-30 03:49:05 ----A---- C:\WINDOWS\system32\16541.exe
2010-01-30 03:29:05 ----A---- C:\WINDOWS\system32\22929.exe
2010-01-30 03:09:05 ----A---- C:\WINDOWS\system32\2082.exe
2010-01-30 02:49:05 ----A---- C:\WINDOWS\system32\16118.exe
2010-01-30 02:29:05 ----A---- C:\WINDOWS\system32\21538.exe
2010-01-30 02:09:05 ----A---- C:\WINDOWS\system32\5537.exe
2010-01-30 01:49:05 ----A---- C:\WINDOWS\system32\11323.exe
2010-01-30 01:29:05 ----A---- C:\WINDOWS\system32\24626.exe
2010-01-30 01:09:05 ----A---- C:\WINDOWS\system32\32439.exe
2010-01-30 00:49:05 ----A---- C:\WINDOWS\system32\16944.exe
2010-01-30 00:29:05 ----A---- C:\WINDOWS\system32\26308.exe
2010-01-30 00:09:05 ----A---- C:\WINDOWS\system32\13931.exe
2010-01-29 23:49:05 ----A---- C:\WINDOWS\system32\7376.exe
2010-01-29 23:29:05 ----A---- C:\WINDOWS\system32\4966.exe
2010-01-29 23:09:05 ----A---- C:\WINDOWS\system32\11840.exe
2010-01-29 22:49:05 ----A---- C:\WINDOWS\system32\18756.exe
2010-01-29 22:29:05 ----A---- C:\WINDOWS\system32\19954.exe
2010-01-29 22:09:05 ----A---- C:\WINDOWS\system32\24084.exe
2010-01-29 21:49:05 ----A---- C:\WINDOWS\system32\12623.exe
2010-01-29 21:29:05 ----A---- C:\WINDOWS\system32\19629.exe
2010-01-29 21:09:05 ----A---- C:\WINDOWS\system32\3548.exe
2010-01-29 20:49:05 ----A---- C:\WINDOWS\system32\24393.exe
2010-01-29 20:29:05 ----A---- C:\WINDOWS\system32\31101.exe
2010-01-29 20:09:05 ----A---- C:\WINDOWS\system32\15006.exe
2010-01-29 19:49:05 ----A---- C:\WINDOWS\system32\15350.exe
2010-01-29 19:29:05 ----A---- C:\WINDOWS\system32\24370.exe
2010-01-29 19:09:05 ----A---- C:\WINDOWS\system32\6729.exe
2010-01-29 18:49:05 ----A---- C:\WINDOWS\system32\15890.exe
2010-01-29 18:29:05 ----A---- C:\WINDOWS\system32\23805.exe
2010-01-29 18:09:05 ----A---- C:\WINDOWS\system32\27446.exe
2010-01-29 17:49:05 ----A---- C:\WINDOWS\system32\22648.exe
2010-01-29 17:29:05 ----A---- C:\WINDOWS\system32\19264.exe
2010-01-29 17:09:05 ----A---- C:\WINDOWS\system32\8942.exe
2010-01-29 16:49:05 ----A---- C:\WINDOWS\system32\9040.exe
2010-01-29 16:29:05 ----A---- C:\WINDOWS\system32\30106.exe
2010-01-29 16:09:05 ----A---- C:\WINDOWS\system32\288.exe
2010-01-29 15:49:05 ----A---- C:\WINDOWS\system32\1842.exe
2010-01-29 15:29:05 ----A---- C:\WINDOWS\system32\22190.exe
2010-01-29 15:09:05 ----A---- C:\WINDOWS\system32\3035.exe
2010-01-29 14:49:05 ----A---- C:\WINDOWS\system32\12316.exe
2010-01-29 14:29:05 ----A---- C:\WINDOWS\system32\778.exe
2010-01-29 14:09:05 ----A---- C:\WINDOWS\system32\27529.exe
2010-01-29 13:49:05 ----A---- C:\WINDOWS\system32\9741.exe
2010-01-29 13:29:05 ----A---- C:\WINDOWS\system32\8723.exe
2010-01-29 13:09:05 ----A---- C:\WINDOWS\system32\12859.exe
2010-01-29 12:49:05 ----A---- C:\WINDOWS\system32\20037.exe
2010-01-29 12:29:05 ----A---- C:\WINDOWS\system32\32757.exe
2010-01-29 12:09:05 ----A---- C:\WINDOWS\system32\32662.exe
2010-01-29 11:49:05 ----A---- C:\WINDOWS\system32\27644.exe
2010-01-29 11:29:05 ----A---- C:\WINDOWS\system32\25547.exe
2010-01-29 11:09:05 ----A---- C:\WINDOWS\system32\6868.exe
2010-01-29 10:49:05 ----A---- C:\WINDOWS\system32\28253.exe
2010-01-29 10:29:05 ----A---- C:\WINDOWS\system32\7711.exe
2010-01-29 10:09:05 ----A---- C:\WINDOWS\system32\15141.exe
2010-01-29 09:49:05 ----A---- C:\WINDOWS\system32\4664.exe
2010-01-29 09:29:05 ----A---- C:\WINDOWS\system32\17673.exe
2010-01-29 09:09:05 ----A---- C:\WINDOWS\system32\30333.exe
2010-01-29 08:49:05 ----A---- C:\WINDOWS\system32\31322.exe
2010-01-29 08:29:05 ----A---- C:\WINDOWS\system32\23811.exe
2010-01-29 08:09:05 ----A---- C:\WINDOWS\system32\28703.exe
2010-01-29 07:49:05 ----A---- C:\WINDOWS\system32\9894.exe
2010-01-29 07:29:05 ----A---- C:\WINDOWS\system32\17035.exe
2010-01-29 07:09:05 ----A---- C:\WINDOWS\system32\26299.exe
2010-01-29 06:49:05 ----A---- C:\WINDOWS\system32\25667.exe
2010-01-29 06:29:05 ----A---- C:\WINDOWS\system32\19912.exe
2010-01-29 06:09:05 ----A---- C:\WINDOWS\system32\1869.exe
2010-01-29 05:49:05 ----A---- C:\WINDOWS\system32\11538.exe
2010-01-29 05:29:05 ----A---- C:\WINDOWS\system32\14771.exe
2010-01-29 05:09:05 ----A---- C:\WINDOWS\system32\21726.exe
2010-01-29 04:49:05 ----A---- C:\WINDOWS\system32\5447.exe
2010-01-29 04:29:05 ----A---- C:\WINDOWS\system32\19895.exe
2010-01-29 04:09:05 ----A---- C:\WINDOWS\system32\19718.exe
2010-01-29 03:49:05 ----A---- C:\WINDOWS\system32\18716.exe
2010-01-29 03:29:05 ----A---- C:\WINDOWS\system32\17421.exe
2010-01-29 03:09:05 ----A---- C:\WINDOWS\system32\12382.exe
2010-01-29 02:49:05 ----A---- C:\WINDOWS\system32\292.exe
2010-01-29 02:29:05 ----A---- C:\WINDOWS\system32\153.exe
2010-01-29 02:09:05 ----A---- C:\WINDOWS\system32\3902.exe
2010-01-29 01:49:05 ----A---- C:\WINDOWS\system32\14604.exe
2010-01-29 01:29:05 ----A---- C:\WINDOWS\system32\32391.exe
2010-01-29 01:09:05 ----A---- C:\WINDOWS\system32\5436.exe
2010-01-29 00:49:05 ----A---- C:\WINDOWS\system32\4827.exe
2010-01-29 00:29:05 ----A---- C:\WINDOWS\system32\11942.exe
2010-01-29 00:09:05 ----A---- C:\WINDOWS\system32\2995.exe
2010-01-28 23:49:05 ----A---- C:\WINDOWS\system32\491.exe
2010-01-28 23:29:05 ----A---- C:\WINDOWS\system32\9961.exe
2010-01-28 23:09:05 ----A---- C:\WINDOWS\system32\16827.exe
2010-01-28 22:49:05 ----A---- C:\WINDOWS\system32\23281.exe
2010-01-28 22:29:05 ----A---- C:\WINDOWS\system32\28145.exe
2010-01-28 22:09:05 ----A---- C:\WINDOWS\system32\5705.exe
2010-01-28 21:49:05 ----A---- C:\WINDOWS\system32\24464.exe
2010-01-28 21:29:05 ----A---- C:\WINDOWS\system32\26962.exe
2010-01-28 21:09:05 ----A---- C:\WINDOWS\system32\29358.exe
2010-01-28 20:49:05 ----A---- C:\WINDOWS\system32\11478.exe
2010-01-28 20:29:05 ----A---- C:\WINDOWS\system32\15724.exe
2010-01-28 20:09:05 ----A---- C:\WINDOWS\system32\19169.exe
2010-01-28 19:49:05 ----A---- C:\WINDOWS\system32\26500.exe
2010-01-28 19:29:05 ----A---- C:\WINDOWS\system32\6334.exe
2010-01-28 19:09:05 ----A---- C:\WINDOWS\system32\18467.exe
2010-01-26 16:27:18 ----D---- C:\Program Files\InternetSecurity2010
2010-01-26 16:15:05 ----A---- C:\WINDOWS\system32\41.exe
2010-01-25 00:48:43 ----D---- C:\ERDNT
2010-01-25 00:48:22 ----A---- C:\WINDOWS\resetlog.txt
2010-01-25 00:07:42 ----D---- C:\Program Files\Spyware Doctor
2010-01-25 00:07:42 ----D---- C:\Program Files\Common Files\PC Tools
2010-01-25 00:07:42 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools
2010-01-25 00:07:23 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-01-24 17:13:23 ----D---- C:\Documents and Settings\Administrator\Application Data\Sun
2010-01-24 17:00:27 ----D---- C:\Documents and Settings\Administrator\Application Data\U3
2010-01-24 16:28:32 ----A---- C:\WINDOWS\system32\helper32.dll
2010-01-24 16:28:20 ----A---- C:\WINDOWS\system32\winlogon32.exe
2010-01-24 16:28:20 ----A---- C:\WINDOWS\system32\smss32.exe
2010-01-22 02:29:59 ----D---- C:\Documents and Settings\Administrator\Application Data\Adobe
2010-01-20 23:29:10 ----D---- C:\WINDOWS\pss
2010-01-20 23:02:59 ----D---- C:\Documents and Settings\Administrator\Application Data\Real
2010-01-20 22:46:40 ----D---- C:\Documents and Settings\Administrator\Application Data\Mozilla
2010-01-20 19:40:35 ----D---- C:\Documents and Settings\Administrator\Application Data\Macromedia
2010-01-20 19:38:48 ----ASH---- C:\Documents and Settings\Administrator\Application Data\desktop.ini
2010-01-20 19:38:47 ----SD---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2010-01-20 19:38:31 ----SHD---- C:\WINDOWS\CSC
2010-01-20 19:21:36 ----A---- C:\WINDOWS\ntbtlog.txt
2010-01-20 17:20:03 ----D---- C:\Program Files\Malware Defense
2010-01-20 17:15:41 ----RA---- C:\WINDOWS\system32\GEARAspi.dll
2010-01-20 17:14:43 ----D---- C:\WINDOWS\LastGood
2010-01-20 17:14:38 ----D---- C:\Program Files\Common Files\Symantec Shared
2010-01-20 17:13:08 ----D---- C:\Documents and Settings\All Users\Application Data\Norton
2010-01-20 17:12:21 ----D---- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2010-01-20 17:09:20 ----A---- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
2010-01-19 16:20:46 ----A---- C:\WINDOWS\system32\sshnas21.dll
2010-01-13 03:03:09 ----HDC---- C:\WINDOWS\$NtUninstallKB955759$
2010-01-13 03:02:56 ----HDC---- C:\WINDOWS\$NtUninstallKB972270$

======List of files/folders modified in the last 1 months======

2010-02-04 15:51:14 ----RD---- C:\Program Files
2010-02-04 15:50:52 ----D---- C:\WINDOWS\system32
2010-02-04 15:50:19 ----D---- C:\WINDOWS\Temp
2010-01-26 16:23:37 ----D---- C:\Program Files\Mozilla Firefox
2010-01-25 00:48:22 ----D---- C:\WINDOWS
2010-01-25 00:08:05 ----D---- C:\WINDOWS\system32\drivers
2010-01-25 00:07:42 ----D---- C:\Program Files\Common Files
2010-01-24 20:51:20 ----D---- C:\WINDOWS\system32\CatRoot2
2010-01-24 15:48:28 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-01-22 17:42:57 ----SHD---- C:\RECYCLER
2010-01-22 17:35:49 ----D---- C:\WINDOWS\SoftwareDistribution
2010-01-22 02:20:54 ----D---- C:\WINDOWS\system32\appmgmt
2010-01-22 02:14:13 ----HD---- C:\WINDOWS\inf
2010-01-22 00:38:15 ----SH---- C:\boot.ini
2010-01-22 00:38:15 ----A---- C:\WINDOWS\win.ini
2010-01-22 00:38:15 ----A---- C:\WINDOWS\system.ini
2010-01-20 19:38:46 ----D---- C:\Documents and Settings
2010-01-20 17:26:14 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-01-20 17:15:30 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-01-20 17:15:13 ----SD---- C:\WINDOWS\Tasks
2010-01-20 17:09:52 ----D---- C:\WINDOWS\Prefetch
2010-01-20 16:56:40 ----D---- C:\WINDOWS\Microsoft.NET
2010-01-17 18:51:05 ----A---- C:\WINDOWS\system32\CmdLineExt03.dll
2010-01-17 00:52:40 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-01-15 18:42:25 ----D---- C:\Program Files\iEvony
2010-01-13 03:19:39 ----D---- C:\WINDOWS\AppPatch
2010-01-13 03:03:07 ----HD---- C:\WINDOWS\$hf_mig$
2010-01-13 03:03:03 ----A---- C:\WINDOWS\imsins.BAK

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2010-01-20 26600]
R3 Iviaspi;IVI ASPI Shell; C:\WINDOWS\system32\drivers\iviaspi.sys [2005-09-20 10368]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
S2 CDRPDACC;Quinnware CDDA Driver (by InfinaDyne); \??\C:\Program Files\Quintessential Media Player\cdrpdacc.sys []
S2 regi;regi; C:\WINDOWS\system32\drivers\regi.sys [2007-04-17 11032]
S3 ac97intc;Intel® 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
S3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-08-03 701440]
S3 EraserUtilDrvI9;EraserUtilDrvI9; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S2 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S2 IviRegMgr;IviRegMgr; C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe [2007-01-04 112152]
S2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-25 153376]
S2 PSI_SVC_2;Protexis Licensing V2; C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [2007-07-24 185632]
S2 SSHNAS;SSHNAS; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 Autodesk Licensing Service;Autodesk Licensing Service; C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [2009-07-13 74360]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SolidWorks Licensing Service;SolidWorks Licensing Service; C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [2009-06-28 79360]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 msvsmon80;Visual Studio 2005 Remote Debugger; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
GMER LOG FILE
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-04 22:46:33
Windows 5.1.2600 Service Pack 2
Running: s2k15stv.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxtdypow.sys


---- System - GMER 1.0.15 ----

Code 89A275C8 ZwEnumerateKey
Code 899E7480 ZwFlushInstructionCache
Code 899E41F6 IofCallDriver
Code 899EF2AE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 899E41FB
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 899EF2B3
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D3E 2 Bytes JMP 89A275CC
PAGE ntoskrnl.exe!ZwEnumerateKey + 3 80570D41 2 Bytes [4B, 09]
PAGE ntoskrnl.exe!ZwFlushInstructionCache 8057917C 5 Bytes JMP 899E7484

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[284] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009F000A
.text C:\WINDOWS\system32\lsass.exe[296] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009E000A
.text C:\WINDOWS\Explorer.EXE[888] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00D3000A
.text C:\WINDOWS\system32\ctfmon.exe[1112] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C7000A
.text C:\WINDOWS\system32\smss32.exe[1136] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00CF000A
.text ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\H8SRTluqanonsjb.sys (*** hidden *** ) BADCD000-BADE9000 (114688 bytes)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\H8SRTnpwxrcnnlb.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [236] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTnpwxrcnnlb.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [572] 0x00960000
Library \\?\globalroot\systemroot\system32\H8SRTnpwxrcnnlb.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [620] 0x00960000
Library \\?\globalroot\systemroot\system32\H8SRTnpwxrcnnlb.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [1224] 0x01130000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\H8SRTluqanonsjb.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTluqanonsjb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTluqanonsjb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTirxjamayyf.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTjummjcxvog.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTyldxraqfdq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTnpwxrcnnlb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTsfybpecuit.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTerrors \\?\globalroot\systemroot\system32\H8SRTbpkbmuscvv.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x29 0x91 0x00 0x4E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x51 0x7A 0xD5 0xE5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x0E 0x63 0x2B 0x5B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xFF 0x9D 0xB2 0xC2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x29 0x91 0x00 0x4E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x51 0x7A 0xD5 0xE5 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x0E 0x63 0x2B 0x5B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xFF 0x9D 0xB2 0xC2 ...

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{3AF796C1-11DB-11DF-91C0-EEBB7828B187}.dat 4608 bytes
File C:\Documents and Settings\Administrator\Local Settings\Temp\h8srtmainqt.dll 16706 bytes
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PH304IY9\dnserrordiagoff[1] 0 bytes
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PH304IY9\down[1] 0 bytes
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PH304IY9\background_gradient[2] 0 bytes
File C:\Documents and Settings\All Users\Application Data\h8srtkrl32mainweq.dll 1537 bytes
File C:\Documents and Settings\All Users\Application Data\h8srtmainqt.dll 10736 bytes
File C:\Documents and Settings\schaff13\Local Settings\Temp\h8srtmainqt.dll 16722 bytes
File C:\WINDOWS\system32\drivers\H8SRTluqanonsjb.sys 40448 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\H8SRTbpkbmuscvv.log 101 bytes
File C:\WINDOWS\system32\H8SRTirxjamayyf.dll 23552 bytes executable
File C:\WINDOWS\system32\H8SRTjummjcxvog.dat 239 bytes
File C:\WINDOWS\system32\H8SRTnpwxrcnnlb.dll 16896 bytes executable
File C:\WINDOWS\system32\H8SRTsfybpecuit.dll 45056 bytes executable
File C:\WINDOWS\system32\h8srtshsyst.dll 524 bytes
File C:\WINDOWS\system32\H8SRTyldxraqfdq.dll 45056 bytes executable
File C:\WINDOWS\Temp\H8SRTa09f.tmp 343040 bytes executable
File C:\WINDOWS\Temp\H8SRTf31a.tmp 248 bytes
File C:\WINDOWS\Temp\H8SRTfe16.tmp 248 bytes

---- EOF - GMER 1.0.15 ----



NOTE: I ran GMER after I ran RSIT, I hope that doesn't affect the results

Edited by schaffnuts, 04 February 2010 - 10:56 PM.
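As an added example that is not part of the original post or of GMER itself: a small Python parser over a constructed excerpt in the GMER 1.0.15 log layout above, which ties each service GMER marks as hidden to the image path and module entries under its registry key and checks whether the Files section saw those paths on disk (size and executable flag). It assumes the system root is C:\WINDOWS, as the posted paths show.

```python
import re
from collections import defaultdict

# Constructed sample in the GMER 1.0.15 layout of the thread, not the full posted log.
SAMPLE_LOG = r"""---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\H8SRTluqanonsjb.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTluqanonsjb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTirxjamayyf.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTerrors \\?\globalroot\systemroot\system32\H8SRTbpkbmuscvv.log
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\H8SRTluqanonsjb.sys 40448 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\H8SRTirxjamayyf.dll 23552 bytes executable
File C:\WINDOWS\system32\H8SRTbpkbmuscvv.log 101 bytes
"""
SYSTEMROOT = r"C:\WINDOWS"  # assumed system root, as in the posted log

SECTION_RE = re.compile(r"^---- (\w+) - GMER [\d.]+ ----$")
SERVICE_RE = re.compile(r"^Service (?P<image>.+?)(?P<hidden> \(\*\*\* hidden \*\*\* \))?"
                        r" \[\w+\] (?P<name>\S+)(?P<flag> <-- ROOTKIT !!!)?$")
REG_RE = re.compile(r"^Reg (?P<key>[^@ ]+)(?:@(?P<value>\S+) (?P<data>.*))?")
FILE_RE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes(?P<exe> executable)?")

def parse_gmer(text):
    """Split a GMER log into its '---- Name - GMER x ----' sections (name -> lines)."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line.strip() and current:
            sections[current].append(line)
    return sections

def normalise(path):
    """Map GMER's kernel-style paths (globalroot / systemroot prefixes) to Win32 form."""
    p = path.replace(r"\\?\globalroot", "")
    if p.lower().startswith(r"\systemroot"):
        p = SYSTEMROOT + p[len(r"\systemroot"):]
    return p.lower()

def hidden_service_report(text):
    """For each hidden service: its image path and the entries under its 'modules'
    subkey, each paired with GMER's Files entry (size, executable) or None if unseen."""
    sections = parse_gmer(text)
    files = {normalise(m["path"]): (int(m["size"]), bool(m["exe"]))
             for m in map(FILE_RE.match, sections["Files"]) if m}
    reg = [m for m in map(REG_RE.match, sections["Registry"]) if m and m["value"]]
    reports = []
    for m in [s for s in map(SERVICE_RE.match, sections["Services"]) if s and s["hidden"]]:
        svc_key = "\\services\\" + m["name"].lower()
        parts = []
        for r in reg:
            if r["key"].lower().endswith(svc_key) and r["value"].lower() == "imagepath":
                parts.append(("imagepath", r["data"]))
            elif r["key"].lower().endswith(svc_key + "\\modules"):
                parts.append(("module:" + r["value"], r["data"]))
        reports.append({"service": m["name"], "flagged_rootkit": bool(m["flag"]),
                        "components": [(w, p, files.get(normalise(p))) for w, p in parts]})
    return reports
```

A component whose on-disk entry is None was registered by the service but never surfaced in GMER's Files section, which is worth a second look on its own.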



#2 Farbar (Just Curious; Security Developer, 21,708 posts, Location: The Netherlands)

Posted 05 February 2010 - 05:21 AM

Hi schaffnuts,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Important Note: The Combofix could be run in Safe Mode with networking. But when it required a reboot (it might need more than one reboot) let it reboot to normal mode and tell me if you faced any problem.
  1. Download LSPFix.zip to a convenient location. Don't run it now. We need the tool only if you lose your internet connection.

  2. Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.

  3. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.




#3 schaffnuts (Topic Starter, Members, 38 posts)

Posted 05 February 2010 - 10:27 AM

Pretty sure I can agree to that.

Computer is off right now, hopefully I can shut it down and turn it on between each step you help me with.


Edit: gonna be gone all day, I'll get to this when I'm back :-), maybe 5 or 6 pm
Oh, and thanks for the super quick response!!

Edited by schaffnuts, 05 February 2010 - 11:06 AM.


#4 Farbar (Just Curious; Security Developer, 21,708 posts, Location: The Netherlands)

Posted 05 February 2010 - 10:35 AM

Please proceed.

#5 schaffnuts (Topic Starter, Members, 38 posts)

Posted 05 February 2010 - 05:20 PM

After running DeFogger it did not ask me to restart.

I never got an error message, but did get this note...

defogger_disable by jpshortstuff (29.01.10.1)
Log created at 17:18 on 05/02/2010 (Administrator)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
SPTD -> Already disabled


-=E.O.F=-


I restarted all on my own.... and it apparently started up in regular mode.

I'm gonna stop here until I get further instructions...
Computer is now turned off.

Edited by schaffnuts, 05 February 2010 - 05:26 PM.


#6 Farbar (Just Curious; Security Developer, 21,708 posts, Location: The Netherlands)

Posted 05 February 2010 - 05:42 PM

Booting to normal mode is good and there is no reason not to run ComboFix.

Please proceed and be fast before the infection totally takes over. ComboFix has a lot to remove. Run ComboFix preferably in normal mode unless the computer doesn't boot to normal mode. The reboot should be in normal mode.



#7 schaffnuts (Topic Starter, Members, 38 posts)

Posted 05 February 2010 - 07:26 PM

I will try it again, but I tried running ComboFix in normal mode after it booted properly, and nothing happened.

Trying again...


Oooo, and when I boot up, my desktop background shows some image saying....

YOUR SYSTEM IS INFECTED!
system has been stopped due to a serious malfunction
spyware activity has been detected
it is recommended to use spyware removal tool to prevent data loss
do not use the computer before all spyware is removed

I'm thinking that's part of the virus, we shall see...



OK, nothing happens when I try and open ComboFix...


P.S. I cannot get into Administrator, where I have run all these processes from thus far.
It doesn't even show up as an option.

Using F8... I was able to bring up the start up screen.
It showed a completely different screen with many more options for boot up.
I can get to admin from here.

edit #5, lol

I redownloaded ComboFix and now it is running, will post log after this... if I get it...
Oooooook, ComboFix from mirror 2 only shows a loading screen, and it goes away, nothing more...
Time to try 3...

And 3 is a broken link.

edit: found it on the website after doing a quick search.
It did the same thing the 2nd mirror did.

Edited by schaffnuts, 05 February 2010 - 07:44 PM.


#8 Farbar (Just Curious; Security Developer, 21,708 posts, Location: The Netherlands)

Posted 05 February 2010 - 09:22 PM

You should realize this is a heavily infected system with all kinds of malware (rootkit, rogue, etc.).
Download it from the first link, rename it to far.exe (preferably before saving) and run it in any mode with an internet connection (normal or Safe Mode with Networking). But when it needs to reboot, let it reboot in normal mode.

#9 schaffnuts (Topic Starter, Members, 38 posts)

Posted 06 February 2010 - 12:32 PM

I am actually downloading these files to another computer, then moving them to the desktop of the infected computer using an external hard drive.

Tried renaming it, before moving it to the C drive... I think it did the same thing as before....
However, I do see this txt file vcredist_x86 on my C drive that I did not see before.

Could this be the file, or no?



P.S. if I decided to get Windows 7 for this computer, would that remove all my problems?


Oh, and yes, I realize it's pretty bad... dunno if you read that whole link I put at the top, but ever since downloading a file I didn't even want, my computer has been all sorts of f'd up.

Edited by schaffnuts, 06 February 2010 - 12:35 PM.


#10 Farbar (Just Curious; Security Developer, 21,708 posts, Location: The Netherlands)

Posted 06 February 2010 - 12:40 PM

QUOTE
p.s. if i decided to get windows 7 for this computer, would that remove all my problems?

This is a Windows XP computer; if it is Vista-ready you can reformat and install Windows 7 on it and it will solve all the problems. If it is not Vista-ready you might face problems, as the new Windows OS has different drivers.

#11 schaffnuts (Topic Starter, Members, 38 posts)

Posted 06 February 2010 - 02:45 PM

What requirements would need to be met?
I have upgraded it a bit since first getting it nearly 8 years ago...
Also have just reset the computer once before, completely wiped everything from my hard drive, kinda sucked, but at least it worked properly afterwards...

If I can't do it, what should I do next here?

#12 Farbar (Just Curious; Security Developer, 21,708 posts, Location: The Netherlands)

Posted 06 February 2010 - 07:21 PM

I think you have two options: either go to another forum and find out what you need to upgrade to Windows 7, or go on with this topic and do what needs to be done.

Please decide about it. If you decide to remove the infection and I have your full commitment, we will go on. I will wait until you decide, but please inform me about your decision anyway within 5-7 days.

Edited by farbar, 07 February 2010 - 07:55 AM.
Spelling


#13 schaffnuts (Topic Starter, Members, 38 posts)

Posted 06 February 2010 - 11:44 PM

Why are you getting so temperamental about my question about Windows 7?

I asked you a simple question, seeing as I am having problems with EVERYTHING trying to get through this process.

I asked you a question of whether it'd be an option... not for you to walk me through anything for Windows 7.


It'd obviously be cheaper, likely not easier, to try and revive what I got.... I'd like to continue, but the more and more this goes on (from day 1) it seems something else won't work, then something else doesn't work.

Which is why I broached the question on W7, nothing more, nothing less...



If you think you can help me fix it, I'm on board, let's roll...., but you still didn't answer my last question about the process.... there is no text file associated with the ComboFix program, I asked whether a certain file was it.... yet to have an answer........

#14 Farbar (Just Curious; Security Developer, 21,708 posts, Location: The Netherlands)

Posted 07 February 2010 - 08:31 AM

I didn't get temperamental at all; I read my reply once more and couldn't see where I was temperamental. No hard words, no capital letters and no shouting. I could have added a smile.gif to make sure you didn't get me wrong.

You asked about Windows 7 and I gave you the proper answer. And I didn't answer your question about the text file on the C drive because any talk about ComboFix or any cleaning-related step was irrelevant if you wanted to reformat the computer. Why should you and I waste time on cleaning a computer and then reformat it to install another OS?

But now that you have projected something on me (being temperamental) and then reminded me of my second wrongdoing, which is not answering your question, let me tell you that on the contrary I have been very patient with the way you have been progressing. With every small step you were either seeking confirmation or just shutting down the computer (which means another reboot and another round of activating or multiplying the malware) instead of proceeding with the next step.

Now back to the cleaning part. Once again, this is a heavily infected computer without the protection of a proper antivirus. It doesn't surprise me that it prevents ComboFix from running. In fact, if you post back and tell me the computer doesn't boot at all I will not be surprised. And that is the reason I wanted you to hurry.

The text file you named is not the ComboFix log.

Now please give me feedback about what exactly happened when you ran ComboFix. Did it run at all? Did it tell you it had detected a rootkit and needed to reboot? Unless you give me proper feedback I can't see what is happening at the other end.



#15 Farbar (Just Curious; Security Developer, 21,708 posts, Location: The Netherlands)

Posted 07 February 2010 - 11:16 AM

Please don't miss my previous post.

QUOTE
tried renaming it, before moving it to the C drive... i think it did the same thing as before....

You should not have run the renamed ComboFix from the C drive. You should have run it from the desktop.
    Let's try this once more, but with a different setting.

    You may download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

    ***************************************************
  1. Download ComboFix from one of these locations, rename it to cx.exe before saving it to the desktop of the infected computer:

    Link 1
    Link 2


    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------

    With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  2. Go to Microsoft's website => http://support.microsoft.com/kb/310994

    Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it is originally named.

    Note: If you have SP3, use the SP2 package.

  3. Start in Safe Mode Using the F8 key:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
    • Use the arrow keys to select the Safe Mode menu item.
    • Press the Enter key.
    • Log in to your usual account.

  4. Transfer all files you just downloaded, to the desktop of the infected computer.

  5. Drag the setup package onto ComboFix.exe and drop it.


    • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




    • At the next prompt, click 'Yes' to run the full ComboFix scan.
    • When the tool is finished, it will produce a report for you.
    Please post the C:\ComboFix.txt in your next reply.




