BSOD possible malware


  • This topic is locked
2 replies to this topic

#1 haig11

  • Members
  • 16 posts
  • Gender:Male
  • Location:Nanaimo BC

Posted 14 August 2010 - 02:27 AM

Hello, my computer had a random BSOD error. The thing about this blue screen was it did not look real and it did not cover the whole screen.

My computer was running slower before the blue screen happened. There was a process in Task Manager called dfsvc.exe and rundll32.exe; I have never seen them before, so if you can tell me if I'm infected, please do so. Here is a log:




DDS (Ver_10-03-17.01) - NTFSX64
Run by haig at 0:13:47.10 on Sat 08/14/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2811.1786 [GMT -7:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
C:\Windows\system32\lxebcoms.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe
C:\Windows\System32\rundll32.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\msiexec.exe
C:\Program Files (x86)\BitTorrent\bittorrent.exe
C:\Users\haig\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\haig\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\haig\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = Preserve
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\syswow64\blank.htm
mWinlogon: Userinit=userinit.exe
BHO: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRunOnce: [{D2C5E510-BE6D-42CC-9F61-E4F939078474}] c:\windows\system32\cmd.exe /c rmdir /q /s "c:\program files\Lexmark Printable Web"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {18E37951-7ABB-4D2D-8866-37B58830C341} = 156.154.70.22,156.154.71.22
TCP: {5480E43D-4DD1-4451-B282-02D528C904D5} = 156.154.70.22,156.154.71.22
TCP: {827FAFD1-3D66-4A4E-8FAE-BC6C87204ECE} = 156.154.70.22,156.154.71.22
TCP: 449636B637F6E602E4564777F627B6 = 156.154.70.22,156.154.71.22
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun-x64: [lxebmon.exe] "c:\program files (x86)\lexmark pro200-s500 series\lxebmon.exe"
mRun-x64: [EzPrint] "c:\program files (x86)\lexmark pro200-s500 series\ezprint.exe"
mRunOnce-x64: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq

============= SERVICES / DRIVERS ===============

R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-12-4 93808]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 173984]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 59904]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 203264]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2009-12-4 3505264]
R2 ePowerSvc;Acer ePower Service;c:\program files\acer\acer epower management\ePowerSvc.exe [2010-7-25 865824]
R2 lxeb_device;lxeb_device;c:\windows\system32\lxebcoms.exe -service --> c:\windows\system32\lxebcoms.exe -service [?]
R2 TeamViewer5;TeamViewer 5;c:\program files (x86)\teamviewer\version5\TeamViewer_Service.exe [2010-7-6 173352]
R3 k57nd;Broadcom NetLink Gigabit Ethernet;c:\windows\system32\drivers\k57amd64.sys [2010-3-21 334376]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 40832]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 17920]
S2 gupdate;Google Update Service (gupdate);c:\program files (x86)\google\update\GoogleUpdate.exe [2010-7-27 136176]
S2 lxebCATSCustConnectService;lxebCATSCustConnectService;c:\windows\system32\spool\drivers\x64\3\lxebserv.exe [2010-8-13 33960]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y60x64.sys [2009-6-10 281088]
S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28ux.sys [2009-6-10 867328]
S3 netr7364;Conceptronic RT73 Wireles Driver for Vista;c:\windows\system32\drivers\netr7364.sys [2009-6-10 707072]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-7-24 1255736]

=============== Created Last 30 ================

2010-08-14 07:09:35 0 d-----w- c:\program files\Microsoft SDKs
2010-08-14 06:47:40 396717425 ----a-w- c:\windows\MEMORY.DMP
2010-08-14 05:10:45 0 d-----w- c:\program files (x86)\TeamViewer
2010-08-14 03:30:53 0 d-----w- c:\programdata\Lx_cats
2010-08-14 03:26:30 109056 ----a-w- c:\windows\system32\lxebvs.dll
2010-08-14 03:26:26 829952 ----a-w- c:\windows\system32\lxebcoin.dll
2010-08-14 03:26:24 1462272 ----a-w- c:\windows\system32\lxk_g.dll
2010-08-14 03:26:13 983121 ----a-w- c:\windows\system32\lxk_gf.dll
2010-08-14 03:26:13 65106 ----a-w- c:\windows\system32\lxebprpr.chm
2010-08-14 03:26:12 65536 ----a-w- c:\windows\system32\lxebgcfg.dll
2010-08-14 03:26:10 8694 ----a-w- c:\windows\system32\lxebcommuilogo_rtl.bmp
2010-08-14 03:26:10 8694 ----a-w- c:\windows\system32\lxebcommuilogo.bmp
2010-08-14 03:26:10 399360 ----a-w- c:\windows\system32\lxebcui.dll
2010-08-14 03:26:10 148480 ----a-w- c:\windows\system32\lxebcuir.dll
2010-08-14 03:25:43 510464 ----a-w- c:\windows\system32\LXEBwupd.dll
2010-08-14 03:25:43 295592 ----a-w- c:\windows\system32\LXEBwupd.exe
2010-08-14 03:24:26 0 d-----w- c:\program files\Lexmark
2010-08-14 03:23:51 0 d-----w- c:\program files (x86)\Lexmark Toolbar
2010-08-14 03:23:36 0 d-----w- c:\program files\Lexmark Printable Web
2010-08-14 03:22:52 229094 ----a-w- c:\windows\system32\LexFiles.ulf
2010-08-14 03:22:31 0 d-----w- c:\program files (x86)\Lexmark Pro200-S500 Series
2010-08-14 03:22:05 0 d-----w- c:\program files\Lexmark Pro200-S500 Series
2010-08-14 02:07:31 0 d-----w- c:\programdata\Comodo Downloader
2010-08-13 22:05:40 0 d-----w- c:\program files (x86)\Cisco
2010-08-13 22:05:12 696680 ----a-w- c:\windows\system32\oem14.inf
2010-08-13 22:04:08 95544 ----a-w- c:\windows\system32\bcmwlcoi.dll
2010-08-13 22:04:08 6656 ----a-w- c:\windows\system32\bcmwlrc.dll
2010-08-13 22:04:07 3896632 ----a-w- c:\windows\system32\bcmihvsrv64.dll
2010-08-13 22:04:07 3561272 ----a-w- c:\windows\system32\bcmihvui64.dll
2010-08-13 22:04:07 3060800 ----a-w- c:\windows\system32\drivers\BCMWL664.SYS
2010-08-13 22:04:07 0 d-----w- c:\program files\Broadcom
2010-08-13 01:40:32 0 d-----w- c:\program files (x86)\Movie Maker 2.6
2010-08-12 17:56:15 3850760 ----a-w- c:\windows\d3dx9_38.dll
2010-08-12 17:55:23 3850760 ----a-w- c:\windows\system32\d3dx9_38.dll
2010-08-12 07:15:27 0 d-----w- c:\program files (x86)\Microsoft Games
2010-08-12 00:18:09 0 d-----w- C:\wallpapers
2010-08-11 23:45:20 0 d-----w- C:\Halo Modz
2010-08-11 04:37:38 463360 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-11 04:37:38 404992 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-11 04:37:37 162304 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-11 04:37:36 340992 ----a-w- c:\windows\system32\schannel.dll
2010-08-11 04:37:36 224256 ----a-w- c:\windows\syswow64\schannel.dll
2010-08-11 04:37:09 1896832 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-11 04:37:08 5507968 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-11 04:37:07 3955080 ----a-w- c:\windows\syswow64\ntkrnlpa.exe
2010-08-11 04:37:07 3899784 ----a-w- c:\windows\syswow64\ntoskrnl.exe
2010-08-11 04:37:01 5971456 ----a-w- c:\windows\syswow64\mshtml.dll
2010-08-10 21:23:37 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-08-10 19:04:56 0 d-----w- C:\roms
2010-08-10 17:51:23 0 d-----w- c:\program files (x86)\Auto Gametypes
2010-08-10 17:49:25 0 d-----w- c:\program files (x86)\MSXML 4.0
2010-08-10 11:20:41 0 d-----w- c:\windows\CheckSur
2010-08-10 08:32:29 0 d-----w- c:\users\haig\appdata\roaming\Bump Technologies, Inc
2010-08-10 07:18:35 306688 ----a-w- c:\windows\IsUninst.exe
2010-08-10 07:18:34 0 ----a-w- c:\windows\_delis32.ini
2010-08-10 07:09:34 0 d-----w- c:\program files (x86)\AnvSoft
2010-08-10 07:01:01 0 d-----w- C:\Fraps
2010-08-10 06:55:11 0 d-----w- c:\users\haig\appdata\roaming\AnvSoft
2010-08-10 06:32:52 585728 ------w- c:\windows\syswow64\msvcr80.dll
2010-08-10 06:32:51 528384 ------w- c:\windows\syswow64\msvcp80.dll
2010-08-09 23:25:42 0 d-----w- c:\windows\syswow64\QuickTime
2010-08-09 23:25:37 0 d-----w- c:\programdata\TechSmith
2010-08-09 23:25:28 0 d-----w- c:\program files (x86)\common files\TechSmith Shared
2010-08-09 23:25:16 0 d-----w- c:\users\haig\.VirtualBox
2010-08-09 23:16:35 202960 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2010-08-09 23:16:22 53968 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2010-08-09 23:16:15 0 d-----w- c:\program files\Oracle
2010-08-09 22:33:32 0 d-----w- c:\program files (x86)\ReadPlease 2003
2010-08-09 22:21:05 0 d-----w- c:\program files (x86)\Microsoft Antimalware
2010-08-09 22:20:59 0 d-----w- c:\program files\Microsoft Security Essentials
2010-08-09 21:58:00 0 d-----w- c:\program files (x86)\common files\Software Update Utility
2010-08-09 21:57:59 0 d-----w- c:\program files (x86)\common files\AOL
2010-08-09 21:57:46 347 ---ha-w- C:\IPH.PH
2010-08-09 06:33:53 0 d-----w- c:\users\haig\appdata\roaming\BitZipper
2010-08-09 06:33:52 0 d-----w- c:\program files (x86)\BitZipper
2010-08-09 04:12:41 20 ----a-w- c:\windows\¸öª
2010-08-09 04:09:42 0 d-----w- c:\users\haig\appdata\roaming\BitTorrent
2010-08-09 04:09:16 0 d-----w- c:\program files (x86)\BitTorrent
2010-08-09 03:47:39 0 d-----w- C:\Windows Registry Backups
2010-08-09 03:38:12 0 d-----w- c:\program files (x86)\CCleaner
2010-08-09 02:00:59 0 ------w- c:\windows\syswow64\eRLog.ini
2010-08-09 01:47:53 258048 ----a-w- c:\windows\syswow64\Uninstall_eRecovery.exe
2010-08-09 01:42:55 69632 ----a-w- c:\windows\syswow64\eRecUtil.dll
2010-08-09 01:42:47 49152 ----a-w- c:\windows\syswow64\SysMonitor.exe
2010-08-09 01:42:38 12867584 ----a-w- c:\windows\syswow64\shell32.dll
2010-08-09 01:33:42 65536 --sha-w- c:\users\haig\ntuser.dat{1845b2cf-a356-11df-b561-705ab6e2ff38}.TM.blf
2010-08-09 01:33:42 524288 --sha-w- c:\users\haig\ntuser.dat{1845b2cf-a356-11df-b561-705ab6e2ff38}.TMContainer00000000000000000002.regtrans-ms
2010-08-09 01:33:42 524288 --sha-w- c:\users\haig\ntuser.dat{1845b2cf-a356-11df-b561-705ab6e2ff38}.TMContainer00000000000000000001.regtrans-ms
2010-08-09 00:46:13 0 d-----w- c:\program files (x86)\Launch Manager
2010-08-05 21:02:56 144720 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2010-08-05 21:02:54 318992 ----a-w- c:\windows\system32\VBoxNetFltNotify.dll
2010-08-05 21:02:54 164240 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
2010-07-30 02:06:53 0 d-----w- c:\program files\Blue Coat K9 Web Protection
2010-07-29 18:54:55 0 ----a-w- c:\windows\syswow64\config.nt
2010-07-29 18:54:34 0 d-----w- c:\programdata\Alwil Software
2010-07-29 18:54:34 0 d-----w- c:\program files\Alwil Software
2010-07-29 00:50:01 65536 --sha-w- c:\users\haig\ntuser.dat{262a7da9-9aab-11df-a307-705ab6e2ff38}.TM.blf
2010-07-29 00:50:01 524288 --sha-w- c:\users\haig\ntuser.dat{262a7da9-9aab-11df-a307-705ab6e2ff38}.TMContainer00000000000000000002.regtrans-ms
2010-07-29 00:50:01 524288 --sha-w- c:\users\haig\ntuser.dat{262a7da9-9aab-11df-a307-705ab6e2ff38}.TMContainer00000000000000000001.regtrans-ms
2010-07-28 22:32:39 0 d-----w- c:\programdata\VirtualizedApplications
2010-07-28 20:36:10 0 d-----w- c:\windows\Windows 7 (RED)
2010-07-28 20:23:29 0 d-----w- c:\programdata\Microsoft Help
2010-07-28 20:23:16 0 d-----w- c:\programdata\Adobe
2010-07-28 20:19:28 0 d-----w- c:\users\haig\appdata\roaming\SoftGrid Client
2010-07-28 19:42:23 731106 ----a-w- c:\windows\syswow64\PerfStringBackup.INI
2010-07-28 19:39:50 0 d-----w- c:\users\haig\appdata\roaming\TP
2010-07-27 20:08:18 56 ---ha-w- c:\windows\syswow64\ezsidmv.dat
2010-07-27 20:02:55 0 d-----w- c:\programdata\Skype
2010-07-26 20:13:25 0 d-----w- c:\programdata\Kaspersky Lab
2010-07-26 19:59:11 0 d-----w- c:\users\haig\appdata\roaming\TeamViewer
2010-07-26 19:28:41 0 d-----w- c:\program files\WinRAR
2010-07-26 08:48:48 217 ----a-w- c:\windows\iepreview.ini
2010-07-26 08:46:51 0 d-----w- c:\users\haig\appdata\roaming\Uniblue
2010-07-26 04:49:33 0 d-----w- c:\programdata\OEM
2010-07-26 04:49:24 0 d-----w- c:\program files\Acer
2010-07-26 04:38:28 65536 ----a-w- c:\windows\ocsetup_uninstall_OEMHelpCustomization.etl
2010-07-26 04:30:56 131072 ----a-w- c:\windows\ocsetup_install_OEMHelpCustomization.etl
2010-07-26 03:47:00 65536 --sha-w- c:\users\haig\ntuser.dat{5b7fa1d0-9868-11df-8bd2-705ab6e2ff38}.TM.blf
2010-07-26 03:47:00 524288 --sha-w- c:\users\haig\ntuser.dat{5b7fa1d0-9868-11df-8bd2-705ab6e2ff38}.TMContainer00000000000000000002.regtrans-ms
2010-07-26 03:47:00 524288 --sha-w- c:\users\haig\ntuser.dat{5b7fa1d0-9868-11df-8bd2-705ab6e2ff38}.TMContainer00000000000000000001.regtrans-ms
2010-07-26 03:11:25 0 d-----w- c:\users\haig\appdata\roaming\WinBatch
2010-07-25 09:59:41 0 d-----w- c:\programdata\QMI
2010-07-25 05:28:33 0 d-----w- c:\programdata\SecTaskMan
2010-07-25 04:32:05 0 d-----w- c:\users\haig\appdata\roaming\abelhadigital.com
2010-07-25 04:32:05 0 d-----w- c:\programdata\abelhadigital.com
2010-07-25 02:50:42 0 d-----w- c:\programdata\Avira
2010-07-25 00:45:40 0 d-----w- c:\users\haig\Tracing
2010-07-25 00:43:37 4398360 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-07-25 00:43:37 3426072 ----a-w- c:\windows\syswow64\d3dx9_32.dll
2010-07-25 00:39:29 0 d-----w- c:\program files (x86)\common files\Windows Live
2010-07-24 23:45:11 0 d-----w- c:\users\haig\appdata\roaming\DeviceDoctorSoftware
2010-07-24 23:41:47 0 d-----w- c:\users\haig\appdata\roaming\DriverCure
2010-07-24 23:41:42 0 d-----w- c:\programdata\DriverCure
2010-07-24 22:08:34 0 d-----w- c:\windows\syswow64\Macromed
2010-07-24 21:58:48 0 d-----w- c:\windows\syswow64\Wat
2010-07-24 21:58:48 0 d-----w- c:\windows\system32\Wat
2010-07-24 21:56:30 99176 ----a-w- c:\windows\syswow64\PresentationHostProxy.dll
2010-07-24 21:56:30 49472 ----a-w- c:\windows\syswow64\netfxperf.dll
2010-07-24 21:56:30 48960 ----a-w- c:\windows\system32\netfxperf.dll
2010-07-24 21:56:30 444752 ----a-w- c:\windows\system32\mscoree.dll
2010-07-24 21:56:30 320352 ----a-w- c:\windows\system32\PresentationHost.exe
2010-07-24 21:56:30 297808 ----a-w- c:\windows\syswow64\mscoree.dll
2010-07-24 21:56:30 295264 ----a-w- c:\windows\syswow64\PresentationHost.exe
2010-07-24 21:56:30 1942856 ----a-w- c:\windows\system32\dfshim.dll
2010-07-24 21:56:30 1130824 ----a-w- c:\windows\syswow64\dfshim.dll
2010-07-24 21:56:30 109912 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-07-24 21:47:13 311808 ----a-w- c:\windows\system32\msv1_0.dll
2010-07-24 21:47:13 257024 ----a-w- c:\windows\syswow64\msv1_0.dll
2010-07-24 21:25:53 0 d-----w- c:\programdata\UAB
2010-07-24 21:24:02 0 d-----w- c:\programdata\PC Drivers HeadQuarters
2010-07-24 21:09:22 286720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-07-24 21:08:59 70656 ----a-w- c:\windows\syswow64\fontsub.dll
2010-07-24 21:08:59 46080 ----a-w- c:\windows\system32\atmlib.dll
2010-07-24 21:08:59 366080 ----a-w- c:\windows\system32\atmfd.dll
2010-07-24 21:08:59 34304 ----a-w- c:\windows\syswow64\atmlib.dll
2010-07-24 21:08:59 293888 ----a-w- c:\windows\syswow64\atmfd.dll
2010-07-24 21:08:59 100864 ----a-w- c:\windows\system32\fontsub.dll
2010-07-24 21:05:13 0 ----a-w- c:\windows\ativpsrm.bin
2010-07-24 21:02:32 270208 ------w- c:\windows\system32\MpSigStub.exe
2010-07-24 21:01:07 220672 ----a-w- c:\windows\system32\wintrust.dll
2010-07-24 21:01:07 172032 ----a-w- c:\windows\syswow64\wintrust.dll
2010-07-24 21:01:03 139264 ----a-w- c:\windows\system32\cabview.dll
2010-07-24 21:01:03 132608 ----a-w- c:\windows\syswow64\cabview.dll
2010-07-24 19:22:10 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-07-24 17:24:39 0 d-----w- c:\users\haig\appdata\roaming\Malwarebytes
2010-07-24 17:24:30 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-24 17:24:30 0 d-----w- c:\programdata\Malwarebytes
2010-07-24 17:24:30 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-07-24 17:23:43 0 d-----w- c:\programdata\Yahoo! Companion
2010-07-24 05:31:42 0 d-----w- c:\windows\pss
2010-07-24 04:41:42 0 d--h--w- c:\program files (x86)\Driver Checker
2010-07-24 01:51:52 0 d-----w- c:\windows\Panther
2010-07-24 01:47:53 0 d-----w- c:\users\haig\appdata\roaming\BACS.exe
2010-07-24 01:44:18 0 d-----w- c:\windows\Downloaded Installations
2010-07-24 01:25:04 0 d--h--w- C:\found.000
2010-07-24 01:09:28 2212352 ----a-w- c:\windows\system32\drivers\athrx.sys
2010-07-24 01:09:02 0 d-sh--w- c:\windows\Installer
2010-07-23 23:59:56 0 d-----w- C:\temp

==================== Find3M ====================

2010-07-29 06:30:34 82944 ----a-w- c:\windows\syswow64\iccvid.dll
2010-06-30 07:13:46 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-06-30 06:25:31 978432 ----a-w- c:\windows\syswow64\wininet.dll
2010-06-30 06:25:18 1226240 ----a-w- c:\windows\syswow64\urlmon.dll
2010-06-30 06:22:45 606208 ----a-w- c:\windows\syswow64\mstime.dll
2010-06-30 06:22:33 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-06-30 06:21:57 48128 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-06-30 06:21:47 185856 ----a-w- c:\windows\syswow64\iepeers.dll
2010-06-30 06:21:47 176640 ----a-w- c:\windows\syswow64\ieui.dll
2010-06-30 06:21:46 10985472 ----a-w- c:\windows\syswow64\ieframe.dll
2010-06-30 06:21:44 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-06-30 06:19:16 12800 ----a-w- c:\windows\syswow64\msfeedssync.exe
2010-06-23 05:30:48 411480 ----a-w- c:\windows\syswow64\tsccvid.dll
2010-06-19 06:53:18 52224 ----a-w- c:\windows\system32\rtutils.dll
2010-06-19 06:23:50 37376 ----a-w- c:\windows\syswow64\rtutils.dll
2010-06-19 04:32:34 3122688 ----a-w- c:\windows\system32\win32k.sys
2010-06-15 02:16:24 86016 ----a-w- c:\windows\syswow64\frapsvid.dll
2010-06-15 02:16:22 84992 ----a-w- c:\windows\system32\frapsv64.dll
2010-06-08 06:02:06 1233920 ----a-w- c:\windows\syswow64\msxml3.dll
2010-06-08 05:36:31 1877504 ----a-w- c:\windows\system32\msxml3.dll
2010-05-19 19:48:12 144384 ----a-w- c:\windows\system32\cdd.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 0:14:18.85 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 7/23/2010 6:02:54 PM
System Uptime: 8/13/2010 11:59:06 PM (1 hours ago)

Motherboard: Acer | | Aspire 5251
Processor: AMD V120 Processor | Socket S1G4 | 2200/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 219 GiB total, 168.636 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP67: 8/8/2010 9:00:27 PM - Fresh Start
RP68: 8/8/2010 9:12:45 PM - Installed DirectX
RP69: 8/8/2010 9:52:33 PM - avast! Free Antivirus Setup
RP70: 8/8/2010 9:53:05 PM - avast! Free Antivirus Setup
RP71: 8/8/2010 9:53:23 PM - avast! Free Antivirus Setup
RP72: 8/8/2010 11:38:07 PM - avast! Free Antivirus Setup
RP73: 8/9/2010 12:08:51 PM - Windows Update
RP74: 8/9/2010 2:53:29 PM - Removed Windows Live Upload Tool
RP75: 8/9/2010 2:54:08 PM - avast! Free Antivirus Setup
RP76: 8/9/2010 3:13:58 PM - Windows Update
RP77: 8/9/2010 3:17:33 PM - Removed Windows Live Upload Tool
RP78: 8/9/2010 3:18:04 PM - Removed Windows Live Sign-in Assistant
RP79: 8/9/2010 3:19:05 PM - Removed Windows Live Sync
RP80: 8/9/2010 3:20:14 PM - Removed Broadcom Management Programs.
RP81: 8/9/2010 3:24:09 PM - Windows Update
RP82: 8/9/2010 4:15:42 PM - Installed Oracle VM VirtualBox 3.2.8
RP83: 8/9/2010 4:25:02 PM - Installed Camtasia Studio 7
RP84: 8/10/2010 1:30:22 AM - h
RP85: 8/10/2010 1:31:28 AM - Installed Microsoft Visual C++ 2005 Redistributable
RP86: 8/10/2010 4:20:24 AM - Windows Update
RP87: 8/10/2010 10:50:34 AM - Installed Project64 1.6
RP88: 8/10/2010 9:40:07 PM - Windows Update
RP89: 8/11/2010 3:00:11 AM - Windows Update
RP90: 8/12/2010 6:38:58 PM - Installed Windows Movie Maker 2.6
RP91: 8/12/2010 6:40:16 PM - Installed Windows Movie Maker 2.6
RP92: 8/13/2010 5:50:41 PM - Removed Cisco PEAP Module
RP93: 8/13/2010 7:09:38 PM - Installed K9 Web Protection
RP94: 8/13/2010 7:11:32 PM - Installed COMODO Internet Security
RP95: 8/13/2010 8:33:20 PM - Removed Project64 1.6
RP96: 8/13/2010 11:55:45 PM - Removed COMODO Internet Security
RP97: 8/14/2010 12:02:49 AM - Windows Update

==== Installed Programs ======================

Any Video Converter 3.0.7
Ask Toolbar
BitTorrent
Camtasia Studio 7
CCleaner
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Google Chrome
Google Update Helper
Logon Editor
Malwarebytes' Anti-Malware
Microsoft Halo Trial
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
ReadPlease 2003/ReadPlease PLUS 2003
TeamViewer 5
Windows Movie Maker 2.6

==== Event Viewer Messages From Past Week ========

8/9/2010 12:08:46 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.
8/8/2010 8:22:57 PM, Error: Service Control Manager [7000] - The int15.sys service failed to start due to the following error: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
8/8/2010 7:00:57 PM, Error: Service Control Manager [7000] - The NTIDrvr service failed to start due to the following error: The system cannot find the file specified.
8/8/2010 6:42:33 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Windows 7 for x64-based Systems (KB2286198).
8/8/2010 6:38:06 PM, Error: Service Control Manager [7022] - The avast! Antivirus service hung on starting.
8/8/2010 6:26:50 PM, Error: Service Control Manager [7000] - The OsaFsLoc service failed to start due to the following error: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
8/8/2010 6:21:10 PM, Error: Service Control Manager [7000] - The osanbm service failed to start due to the following error: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
8/8/2010 6:21:09 PM, Error: Service Control Manager [7000] - The osaio service failed to start due to the following error: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
8/8/2010 6:20:45 PM, Error: Service Control Manager [7030] - The AdminWorks Agent X6 service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
8/13/2010 8:47:18 PM, Error: Microsoft-Windows-WMPNSS-Service [14365] - Proximity detection failed due to unknown error '0x80004004'. The best proximity time detected was -1 milliseconds.
8/13/2010 8:22:53 PM, Error: Service Control Manager [7030] - The lxeb_device service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
8/13/2010 6:23:27 PM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{18E37951-7ABB-4D2D-8866-37B58830C341} because another computer on the network has the same name. The server could not start.
8/13/2010 6:22:29 PM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{827FAFD1-3D66-4A4E-8FAE-BC6C87204ECE} because another computer on the network has the same name. The server could not start.
8/13/2010 11:59:39 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the lxebCATSCustConnectService service to connect.
8/13/2010 11:59:39 PM, Error: Service Control Manager [7000] - The lxebCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/13/2010 11:59:38 PM, Error: Service Control Manager [7000] - The int15.sys service failed to start due to the following error: The system cannot find the path specified.
8/13/2010 11:59:24 PM, Error: atikmdag [52236] - CPLIB :: General - Invalid Parameter
8/13/2010 11:59:24 PM, Error: atikmdag [43029] - Display is not active
8/13/2010 11:47:53 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000050 (0xfffffa8005ab8fff, 0x0000000000000001, 0xfffff8800188b3e9, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 081310-24398-01.
8/13/2010 1:56:18 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.87.1648.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6004.0 Error code: 0x8024001e Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
8/13/2010 1:56:18 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.87.1648.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6004.0 Error code: 0x8024001e Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
8/12/2010 12:01:18 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.87.1648.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6004.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

==== End Of File ===========================

Update: I Googled http://www.greatis.com/appdata/d/d/dfsvc.exe.htm. Please review this too.

Another update: every time I start my computer up, explorer.exe will not load and the screen stays black, and I always have to load it myself with Task Manager.

This is a very interesting HijackThis log:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:16:29 AM, on 8/14/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Users\haig\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O4 - HKLM\..\RunOnce: [{D2C5E510-BE6D-42CC-9F61-E4F939078474}] C:\Windows\system32\cmd.exe /c rmdir /q /s "C:\Program Files\Lexmark Printable Web"
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{18E37951-7ABB-4D2D-8866-37B58830C341}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{5480E43D-4DD1-4451-B282-02D528C904D5}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{827FAFD1-3D66-4A4E-8FAE-BC6C87204ECE}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS1\Services\Tcpip\..\{18E37951-7ABB-4D2D-8866-37B58830C341}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS2\Services\Tcpip\..\{18E37951-7ABB-4D2D-8866-37B58830C341}: NameServer = 156.154.70.22,156.154.71.22
O20 - AppInit_DLLs:
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Blue Coat K9 Web Protection (bckwfs) - Blue Coat Systems, Inc. - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Acer ePower Service (ePowerSvc) - Acer Incorporated - C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: lxebCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\x64\3\lxebserv.exe
O23 - Service: lxeb_device - - C:\Windows\system32\lxebcoms.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%system32psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:Windowssystem32lsass.exe (file missing)
O23 - Service: @%systemroot%system32Locator.exe,-2 (RpcLocator) - Unknown owner - C:Windowssystem32locator.exe (file missing)
O23 - Service: @%SystemRoot%system32samsrv.dll,-1 (SamSs) - Unknown owner - C:Windowssystem32lsass.exe (file missing)
O23 - Service: @%SystemRoot%system32snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:WindowsSystem32snmptrap.exe (file missing)
O23 - Service: @%systemroot%system32spoolsv.exe,-1 (Spooler) - Unknown owner - C:WindowsSystem32spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%system32sppsvc.exe,-101 (sppsvc) - Unknown owner - C:Windowssystem32sppsvc.exe (file missing)
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:Program Files (x86)TeamViewerVersion5TeamViewer_Service.exe
O23 - Service: @%SystemRoot%system32ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:Windowssystem32UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%system32vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:Windowssystem32lsass.exe (file missing)
O23 - Service: @%SystemRoot%system32vds.exe,-100 (vds) - Unknown owner - C:WindowsSystem32vds.exe (file missing)
O23 - Service: @%systemroot%system32vssvc.exe,-102 (VSS) - Unknown owner - C:Windowssystem32vssvc.exe (file missing)
O23 - Service: @%SystemRoot%system32WatWatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:Windowssystem32WatWatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%system32wbengine.exe,-104 (wbengine) - Unknown owner - C:Windowssystem32wbengine.exe (file missing)
O23 - Service: @%Systemroot%system32wbemwmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:Windowssystem32wbemWmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%Windows Media Playerwmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:Program Files (x86)Windows Media Playerwmpnetwk.exe (file missing)

--
End of file - 5852 bytes




Can someone tell me more about

O17 - HKLM\System\CCS\Services\Tcpip\..\{18E37951-7ABB-4D2D-8866-37B58830C341}: NameServer = 156.154.70.22,156.154.71.22

EDIT: Posts merged ~BP
EDIT: Please be patient. There are over 400 unanswered topics in this forum at present and the current average wait time to receive help is over a week. ~BP

Edited by Budapest, 15 August 2010 - 06:30 PM.
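The O17 line asked about is HijackThis's listing of the NameServer value stored under each network interface's Tcpip key in the registry, which is what a DNS-changer infection edits and why the tool reports it. The same interface GUID is listed once per control set (CCS, CS1, CS2), so the repeated lines in the log above are copies of one setting rather than three separate ones. The check a helper would want is whether the addresses match the resolvers the owner (or their ISP) actually configured. As an added example, not code from this thread or from HijackThis, the Python below parses O17 lines from a constructed log fragment, groups resolver addresses by interface, and reports any address missing from an allowlist; the allowlist (the two addresses from the log), the extra interface, and the unknown address 198.51.100.53 are constructed assumptions, as are the function names.

```python
"""Parse HijackThis O17 (NameServer / Domain) entries and flag resolvers that are not on an allowlist."""
import re
from collections import defaultdict

# Constructed sample lines in the shape HijackThis prints them. The first two
# O17 lines reuse the addresses from the thread's log; the third adds a made-up
# unknown resolver (198.51.100.53, a documentation address) on a second interface.
SAMPLE_LOG = r"""
O4 - HKLM\..\RunOnce: [cleanup] C:\Windows\system32\cmd.exe /c rmdir /q /s "C:\Program Files\Example"
O17 - HKLM\System\CCS\Services\Tcpip\..\{18E37951-7ABB-4D2D-8866-37B58830C341}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS1\Services\Tcpip\..\{18E37951-7ABB-4D2D-8866-37B58830C341}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{5480E43D-4DD1-4451-B282-02D528C904D5}: NameServer = 156.154.70.22,198.51.100.53
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = example.invalid
""".strip().splitlines()

# Matches both the per-interface form (..\{GUID}) and the global Parameters form.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<guid>\{[0-9A-Fa-f-]{36}\})|Parameters): "
    r"(?P<setting>NameServer|Domain|SearchList) = (?P<value>.*)$"
)

# Constructed allowlist: the resolvers the machine's owner says they configured.
EXPECTED_RESOLVERS = {"156.154.70.22", "156.154.71.22"}


def parse_o17(lines):
    """Return one dict per O17 line (control set, interface, setting, values); other lines are skipped."""
    entries = []
    for line in lines:
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # HijackThis separates multiple servers with commas; tolerate spaces too.
        values = [v for v in re.split(r"[,\s]+", m.group("value")) if v]
        entries.append({
            "control_set": m.group("cs"),
            "interface": m.group("guid") or "Parameters",
            "setting": m.group("setting"),
            "values": values,
        })
    return entries


def flag_unexpected_nameservers(lines, allowed):
    """Return {interface: sorted unexpected addresses} for NameServer entries.

    Entries are grouped by interface GUID because the same interface appears
    once per control set (CCS, CS1, CS2), so a single bad resolver produces
    one finding rather than one per registry copy.
    """
    unexpected = defaultdict(set)
    for entry in parse_o17(lines):
        if entry["setting"] != "NameServer":
            continue
        for addr in entry["values"]:
            if addr not in allowed:
                unexpected[entry["interface"]].add(addr)
    return {iface: sorted(addrs) for iface, addrs in unexpected.items()}


if __name__ == "__main__":
    findings = flag_unexpected_nameservers(SAMPLE_LOG, EXPECTED_RESOLVERS)
    if not findings:
        print("All O17 NameServer entries match the expected resolvers.")
    for iface, addrs in findings.items():
        print(f"{iface}: unexpected resolver(s) {', '.join(addrs)}")
```

Run against the constructed sample it reports only the second interface, because its 198.51.100.53 entry is off the allowlist, while the three copies of the first interface's setting collapse into nothing to report. Feeding it a real log means pasting the O17 lines in place of SAMPLE_LOG and putting the resolvers you know you configured in EXPECTED_RESOLVERS.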


#2 haig11

haig11
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Male
  • Location:Nanaimo BC
  • Local time:08:21 PM

Posted 17 August 2010 - 03:17 PM

I do not need help any more; it turns out that I was infected with a rootkit called atapi.sys.

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:01:21 PM

Posted 17 August 2010 - 04:27 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw



