
I don't know what's happening


  • This topic is locked
23 replies to this topic

#1 Lynn8

Lynn8

  • Members
  • 23 posts

Posted 23 July 2010 - 09:55 AM

I have the following issues:
1. Facebook was hacked
2. Can't access Outlook Express
3. Received a Windows system error -- IP address conflict.
That's all I've noticed so far.
I was able to run the first requested scan (DDS), but the GMER scan would not complete and rebooted my PC. The second time I tried I got a blue screen saying Windows had shut down with the following info: page_fault_in_nonpaged_area pxtdapog.sys. When I tried to access this forum as I was posting, the same blue screen saying Windows had shut down came up. I saved the DDS scan to a flash drive.
Attached are the DDS logs.


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 31 July 2010 - 07:24 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    user32.dll
    ws2_32.dll
    /md5stop
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.

Since you're having issues with GMER, please try GMER in safe mode. If that doesn't work, try in safe mode but uncheck 'devices'. If all else fails, try in safe mode and only check 'files' and 'sections'.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 Lynn8

Lynn8
  • Topic Starter

  • Members
  • 23 posts

Posted 02 August 2010 - 08:18 PM

I was finally able to run the GMER scan in safe mode.
Since I originally posted, I ran an Ad-Aware scan and it quarantined 2 level 10 threats. Attached are the requested scans.

Attached Files

  • Attached File  OTL.Txt   105.58KB   3 downloads
  • Attached File  ark.txt   841bytes   3 downloads
  • Attached File  Extras.Txt   26.24KB   3 downloads

Edited by Lynn8, 02 August 2010 - 08:20 PM.


#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 04 August 2010 - 06:07 PM

Hello, Lynn8.
Are you able to get into Outlook Express, and do you still have the other issues you referenced above?

I see you have the Dealio Toolbar installed. This comes bundled with third-party applications they don't tell you about during installation. Please see here: Dealio FAQ. I strongly suggest you uninstall both Dealio Toolbar and Search Settings, as they are considered foistware.


Viewpoint (foistware) Warning

I see Viewpoint is installed on your machine. Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to the Control Panel, then Add or Remove Programs, and uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.


Step 1

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (e.g. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

etavares




#5 Lynn8

Lynn8
  • Topic Starter

  • Members
  • 23 posts

Posted 07 August 2010 - 10:53 AM

I wasn't aware of any Dealio toolbar or anything with Viewpoint. I will follow your instructions.
Yes - I can now get into Outlook Express and I haven't noticed any IP address conflicts.


#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 07 August 2010 - 11:13 AM

Ok, I'll keep an eye out. Thanks!




#7 Lynn8

Lynn8
  • Topic Starter

  • Members
  • 23 posts

Posted 07 August 2010 - 11:13 AM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4404

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/7/2010 12:11:52 PM
mbam-log-2010-08-07 (12-11-52).txt

Scan type: Quick scan
Objects scanned: 137209
Time elapsed: 8 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 07 August 2010 - 11:20 AM

Hello, Lynn8.

OK, you may have resolved the issues. Let's look deeper to confirm nothing worse came along for the ride.



Step 1

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.

You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.



Step 2

Please download MBRCheck by ad_13 and save it to your desktop.

Double-click to run. A window will pop up. If it says 'non-standard' or 'infected' MBR code detected, please type 3 for Exit for now and press Enter.

It will save a logfile on your desktop that starts with MBR, then has the date, etc. Please copy and paste the contents of that log in your reply.



Step 3

Download and run HAMeb_check.exe
Post the contents of the resulting log.



Step 4

You are using an outdated version of Adobe Reader. Adobe Reader has since been updated, and the update closes many security holes and provides new features.

First, uninstall earlier versions of Adobe Reader.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all versions of Adobe Reader.
  • Check (highlight) any item with Adobe Reader in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Adobe Reader version.

Please download the latest version from:
http://get.adobe.com/reader/

And install it. Once installed, launch it, select Help --> Check for Updates and install any updates.


You may also try the free Foxit PDF reader if you prefer:
http://www.foxitsoftware.com/pdf/reader/



Step 5

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 21 and save it to your desktop.
  • Scroll down to where it says "JDK 6 Update 21 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version.



Step 6

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

We need to run an OTL script:
  1. Please download OTL from one of the following mirrors if you do not still have it.
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Paste the following code under the Custom Scans/Fixes box at the bottom. Do not include the word "Code".
    CODE
    :OTL
    DRV - File not found [Kernel | Auto | Stopped] -- C:\Program Files\LogMeIn\x86\RaInfo.sys -- (LMIInfo)
    IE - HKU\S-1-5-21-1275210071-73586283-725345543-1003\..\URLSearchHook: {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - Reg Error: Key error. File not found
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - No CLSID value found.
    :Commands
    [EmptyTemp]
  5. Click the Run Fix button at the top.
  6. Let the program run unhindered and reboot when it is done.
  7. You will get a log when it is done; please post that in your reply.
  8. Please then create a new OTL report.
  9. Click the "Scan All Users" checkbox.
  10. Push the button.
  11. A report will open, copy and paste it in a reply here.



Step 7

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

etavares




#9 Lynn8

Lynn8
  • Topic Starter

  • Members
  • 23 posts

Posted 07 August 2010 - 03:49 PM

What items do I want to back up for ERUNT?

#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 08 August 2010 - 06:44 AM

All items.




#11 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 12 August 2010 - 06:02 PM

Still with me?




#12 Lynn8

Lynn8
  • Topic Starter

  • Members
  • 23 posts

Posted 13 August 2010 - 06:36 PM

Sorry -- I've been sick and busy and haven't had a chance to complete the recommended scans. Planning on getting to it this weekend.

#13 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 15 August 2010 - 07:27 PM

OK... have you had a chance to complete them this weekend? Hope you feel better.




#14 Lynn8

Lynn8
  • Topic Starter

  • Members
  • 23 posts

Posted 16 August 2010 - 06:35 PM

I've installed ERUNT and updated Adobe so far. On to the scans...

MBRCheck, version 1.2.3
2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000003fc

Kernel Drivers (total 132):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xF8A75000 \WINDOWS\system32\KDCOM.DLL
0xF8985000 \WINDOWS\system32\BOOTVID.dll
0xF8446000 ACPI.sys
0xF8A77000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF8435000 pci.sys
0xF8575000 isapnp.sys
0xF8585000 ohci1394.sys
0xF8595000 \WINDOWS\System32\DRIVERS\1394BUS.SYS
0xF8B3D000 pciide.sys
0xF87F5000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF85A5000 MountMgr.sys
0xF8416000 ftdisk.sys
0xF8A79000 dmload.sys
0xF83F0000 dmio.sys
0xF87FD000 PartMgr.sys
0xF85B5000 VolSnap.sys
0xF83D8000 atapi.sys
0xF85C5000 disk.sys
0xF85D5000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF83B8000 fltmgr.sys
0xF83A6000 sr.sys
0xF85E5000 Lbd.sys
0xF838F000 KSecDD.sys
0xF8302000 Ntfs.sys
0xF82D5000 NDIS.sys
0xF82BB000 Mup.sys
0xF86D5000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xF7D0A000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xF7CF6000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7CCE000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF886D000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xF7CAA000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF8875000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xF7C10000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
0xF7BED000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7AF0000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xF7A40000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF8895000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7A2C000 \SystemRoot\System32\DRIVERS\parport.sys
0xF86E5000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xF88A5000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF86F5000 \SystemRoot\System32\DRIVERS\serial.sys
0xF8A39000 \SystemRoot\System32\DRIVERS\serenum.sys
0xF8705000 \SystemRoot\System32\DRIVERS\imapi.sys
0xF8715000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF8725000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF8BEB000 \SystemRoot\system32\DRIVERS\lmimirr.sys
0xF8BEC000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF8735000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF8A4D000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF7A15000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF8745000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF8755000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF88CD000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xF79DC000 \SystemRoot\System32\DRIVERS\psched.sys
0xF8765000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF88DD000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF88ED000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF79AC000 \SystemRoot\System32\DRIVERS\rdpdr.sys
0xF8775000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF88FD000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF8A85000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF794E000 \SystemRoot\System32\DRIVERS\update.sys
0xF8A71000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF8785000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAA4AE000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xAA48A000 \SystemRoot\system32\drivers\portcls.sys
0xF87A5000 \SystemRoot\system32\drivers\drmk.sys
0xF87B5000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF8A8F000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF8A93000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8C21000 \SystemRoot\System32\Drivers\Null.SYS
0xF8A97000 \SystemRoot\System32\Drivers\Beep.SYS
0xF8945000 \SystemRoot\System32\drivers\vga.sys
0xF8A9B000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8A9F000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF8955000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF8965000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7A09000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xAA42F000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xAA3D6000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xF87E5000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xAA388000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF85F5000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xAA360000 \SystemRoot\System32\DRIVERS\netbt.sys
0xAA33E000 \SystemRoot\System32\drivers\afd.sys
0xF8605000 \SystemRoot\System32\DRIVERS\netbios.sys
0xAA313000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xAA2A3000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF8625000 \SystemRoot\System32\Drivers\Fips.SYS
0xAA27C000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF880D000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xAA258000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF883D000 \SystemRoot\System32\DRIVERS\USBSTOR.SYS
0xF792A000 \SystemRoot\System32\DRIVERS\hidusb.sys
0xF8645000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
0xF884D000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
0xF885D000 \SystemRoot\System32\DRIVERS\usbprint.sys
0xF8277000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xAA218000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF8AA5000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xAA476000 \SystemRoot\System32\drivers\Dxapi.sys
0xF8885000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8C99000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04E000 \SystemRoot\System32\igxpdv32.DLL
0xBF1CC000 \SystemRoot\System32\igxpdx32.DLL
0xAA462000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xAA11C000 \SystemRoot\System32\DRIVERS\mdc8021x.sys
0xA9FD2000 \SystemRoot\System32\DRIVERS\nwlnkipx.sys
0xAA1F8000 \SystemRoot\System32\DRIVERS\nwlnknb.sys
0xAA10C000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xA9F43000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xF8635000 \SystemRoot\System32\DRIVERS\nwlnkspx.sys
0xA9BF6000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xA9B91000 \SystemRoot\system32\drivers\wdmaud.sys
0xA9D33000 \SystemRoot\system32\drivers\sysaudio.sys
0xF8ABD000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xAA1D8000 \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
0xA9BB2000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA968A000 \SystemRoot\System32\DRIVERS\srv.sys
0xA98C1000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF88C5000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xA92FE000 \??\C:\WINDOWS\system32\GTNDIS5.SYS
0xA8FCF000 \SystemRoot\system32\drivers\kmixer.sys
0xA8F6E000 \SystemRoot\System32\DRIVERS\ar5211.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 45):
0 System Idle Process
4 System
496 C:\WINDOWS\system32\smss.exe
560 csrss.exe
584 C:\WINDOWS\system32\winlogon.exe
628 C:\WINDOWS\system32\services.exe
640 C:\WINDOWS\system32\lsass.exe
812 C:\WINDOWS\system32\svchost.exe
860 svchost.exe
928 C:\WINDOWS\system32\svchost.exe
1032 svchost.exe
1116 svchost.exe
1248 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
1368 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1836 C:\WINDOWS\system32\LEXBCES.EXE
1864 C:\WINDOWS\system32\LEXPPS.EXE
1860 C:\WINDOWS\system32\spoolsv.exe
2012 svchost.exe
416 C:\WINDOWS\system32\WgaTray.exe
428 C:\WINDOWS\explorer.exe
984 C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
1088 C:\Program Files\Dynex Wireless G Adapter\WLService.exe
1160 C:\Program Files\Dynex Wireless G Adapter\WLanCfgG.exe
1168 C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
1220 C:\Program Files\Java\jre6\bin\jqs.exe
1424 C:\WINDOWS\system32\svchost.exe
1592 C:\WINDOWS\SOUNDMAN.EXE
2104 C:\WINDOWS\ALCWZRD.EXE
2112 C:\WINDOWS\ALCMTR.EXE
2120 C:\WINDOWS\system32\igfxtray.exe
2132 C:\WINDOWS\system32\hkcmd.exe
2144 C:\WINDOWS\system32\igfxpers.exe
2272 C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
2280 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
2352 C:\WINDOWS\system32\ctfmon.exe
2376 C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
2416 C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe
3024 unsecapp.exe
3624 wmiprvse.exe
C:\Documents and Settings\Lynn Miller\Desktop\HAMeb_check.exe
Mon 08/16/2010 at 19:43:19.78

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

Edited by Lynn8, 16 August 2010 - 06:44 PM.
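A small triage script for the MBRCheck listing in the post above (an added example, not part of the thread or of MBRCheck itself): it parses the driver and process sections, flags entries a helper would want to look at twice, and reports whether the per-drive MBR status block is present, which is what makes the posted log look cut off. The sample log is a constructed, abridged excerpt, the function names are my own, and the "MBR Status" marker is an assumption about how a complete MBRCheck log ends.

```python
import re

# Constructed sample modelled on the MBRCheck log in post #14 (abridged); it
# stops after the process list, just as the posted log does.
SAMPLE_LOG = r"""MBRCheck, version 1.2.3
2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000003fc

Kernel Drivers (total 5):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0xF8446000 ACPI.sys
0xAA1D8000 \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
0xA92FE000 \??\C:\WINDOWS\system32\GTNDIS5.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 4):
0 System Idle Process
4 System
560 csrss.exe
2416 C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe
"""

SECTION_RE = re.compile(r"^(Kernel Drivers|Processes) \(total (\d+)\):$")
DRIVER_RE = re.compile(r"^(0x[0-9A-Fa-f]{8}) (.+)$")
PROCESS_RE = re.compile(r"^(\d+) (.+)$")
# Assumption: a complete MBRCheck log ends with a per-drive table whose
# header contains "MBR Status"; if that never appears, the log was cut off.
MBR_STATUS_MARKER = "MBR Status"


def parse_mbrcheck(text):
    """Split an MBRCheck log into its driver and process lists."""
    parsed = {"drivers": [], "processes": [], "declared": {},
              "has_mbr_status": False}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            parsed["declared"][section] = int(header.group(2))
            continue
        if not line:
            section = None  # a blank line closes the current section
            continue
        if section == "Kernel Drivers":
            m = DRIVER_RE.match(line)
            if m:
                parsed["drivers"].append((m.group(1), m.group(2)))
        elif section == "Processes":
            m = PROCESS_RE.match(line)
            if m:
                parsed["processes"].append((int(m.group(1)), m.group(2)))
        elif MBR_STATUS_MARKER in line:
            parsed["has_mbr_status"] = True
    return parsed


def triage(parsed):
    """Return (reason, item) pairs worth a second look."""
    findings = []
    for _addr, path in parsed["drivers"]:
        # Registered with a Win32 path instead of \SystemRoot: usually a
        # third-party driver, so confirm it belongs to software you know.
        if path.lower().startswith("\\??\\"):
            findings.append(("driver loaded via a \\??\\ path", path))
    for pid, path in parsed["processes"]:
        if pid in (0, 4):
            continue  # System Idle Process and System have no image path
        if "\\" not in path:
            findings.append(("process listed by bare name only; confirm its on-disk path", path))
    for name, declared in parsed["declared"].items():
        key = "drivers" if name == "Kernel Drivers" else "processes"
        if len(parsed[key]) != declared:
            findings.append((f"{name}: header says {declared}, parsed {len(parsed[key])}", ""))
    if not parsed["has_mbr_status"]:
        findings.append(("no per-drive MBR status block: the log looks truncated", ""))
    return findings


if __name__ == "__main__":
    for reason, item in triage(parse_mbrcheck(SAMPLE_LOG)):
        print(f"{reason}: {item}".rstrip(": "))
```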


#15 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 16 August 2010 - 06:48 PM

The MBRCheck log appears to be cut off... can you please double-check? Thanks!

