
Need help running gmer - PC keeps crashing


  • This topic is locked
21 replies to this topic

#1 mvb
  • Members
  • 10 posts

Posted 19 September 2010 - 05:06 AM

Hi - I was trying to put together everything as listed in your guide before posting but.....

I've tried to run gmer 4 times so far and each time (after a long time) I find that the PC has rebooted.

Can anyone give me any advice on how to overcome this.

Many thanks

mvb

Edited by mvb, 19 September 2010 - 05:15 AM.




#2 etavares
    Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 26 September 2010 - 01:38 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    user32.dll
    ws2_32.dll
    /md5stop
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.

Since you're having issues with GMER, please try GMER in safe mode. If that doesn't work, try in safe mode, but uncheck 'devices'. If all else fails, try in safe mode and only check 'files' and 'sections'.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
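The /md5start ... /md5stop block above makes OTL print the MD5 of each listed driver so a patched copy stands out. As an added illustration of that check (not OTL's code, and not part of the original post), the script below records a baseline of those hashes from a clean machine and reports which files differ on a suspect one; the directories and file contents it uses are constructed in a temp directory for the demo.

```python
"""Baseline-and-compare hashing of the driver files OTL lists between
/md5start and /md5stop. Added example, not OTL's code: OTL prints the MD5 of
each listed file so the helper can spot a patched copy; this script records a
baseline on a clean machine and reports what changed on a suspect one.
The files and directories below are constructed for the demo."""
import hashlib
import os
import tempfile

# Names taken from the /md5start block in the thread (subset for the demo).
WATCHED = ["atapi.sys", "iaStor.sys", "nvstor.sys", "user32.dll", "ws2_32.dll"]


def md5_of_file(path, chunk=1 << 16):
    """Stream the file through MD5 (the value OTL prints per listed file)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def build_baseline(root):
    """Hash every watched file present under root; run this on a clean build."""
    return {name: md5_of_file(os.path.join(root, name))
            for name in WATCHED
            if os.path.isfile(os.path.join(root, name))}


def compare(root, baseline):
    """Classify each watched file as OK, MODIFIED, MISSING, UNBASELINED or ABSENT.

    MODIFIED is the interesting case for a TDSS-style infection: the driver
    keeps its name and path, but the bytes (and so the hash) differ.
    """
    report = {}
    for name in WATCHED:
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            # MISSING: the clean image had it; ABSENT: neither side has it.
            report[name] = "MISSING" if name in baseline else "ABSENT"
            continue
        if name not in baseline:
            report[name] = "UNBASELINED"   # present now, never seen clean: check it
            continue
        report[name] = "OK" if md5_of_file(path) == baseline[name] else "MODIFIED"
    return report


def _write_clean_set(root):
    """Constructed stand-ins for three of the watched files."""
    for name in ["atapi.sys", "user32.dll", "ws2_32.dll"]:
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"placeholder bytes for " + name.encode())


def demo():
    """Constructed scenario: clean snapshot, then one patched driver and one new file."""
    with tempfile.TemporaryDirectory() as clean, \
            tempfile.TemporaryDirectory() as suspect:
        _write_clean_set(clean)
        baseline = build_baseline(clean)
        _write_clean_set(suspect)
        # Suspect machine: atapi.sys has extra bytes appended (hash changes,
        # name does not) and an nvstor.sys appears that the clean image lacked.
        with open(os.path.join(suspect, "atapi.sys"), "ab") as f:
            f.write(b"\x90" * 16)
        with open(os.path.join(suspect, "nvstor.sys"), "wb") as f:
            f.write(b"never baselined")
        return compare(suspect, baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12} {status}")
```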
 


#3 etavares
    Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 01 October 2010 - 06:50 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.




#4 mvb
  • Topic Starter
  • Members
  • 10 posts

Posted 08 October 2010 - 12:08 PM

As per your PM I am sending you all of the details as listed in your guide.

I have made screenshots of the NIS reports etc which I will attach as a separate file.

As far as I can see from the reports history activity started +/- 14.45 on 31 Aug while I was visiting a website shown as safe by NIS. At 15.00 NIS found and blocked oamsrcewxn.tmp, sphlp.dll, hlp.dat
screenshots 1 - 5

Results from Norton Internet Security 2010 appeared to be okay and the computer seemed to be running as normal.

On Sept 10 I realised that there had been no recent Windows updates; when I tried to run them manually I received an error message. A solution I found for this was to delete the temp files, which I did; immediately NIS blocked a file 5b.tmp
screenshots 6 7 NIS Sonar Report and 5b.tmp.

I was away for the weekend and left the PC turned off until Sept 13; I ran Spybot +/- 15.00, which found and quarantined Win32.Agent.ws
screenshot 8

Sept 13 - 17 each time the PC was turned on NIS detected intrusion attempts
screenshot 9

Sept 18 NIS found Backdoor.Tidserv.I!inf
screenshot 10 - 11

Sept 18 Norton File Insight reported Backdoor.Tidserv.I!inf again
screen shot 12 13

And Backdoor.Tidserv.I!inf again
screenshot 14 -15

October 2 NIS reported Trojan FakeAV
screenshot 16 - 18

Since this date no virus warning or intrusion attempts have been reported, but there have been a number of unused port blocking reports
screenshots 19 20

and a lot of unauthorized access reports mostly related to Google and Norton.

I'm sorry, but at some point I did manage to download and run Microsoft's Malicious Software Removal Tool, but I cannot find the notes I made afterwards. I was able to run Windows updates.

I also downloaded and ran Malwarebytes but those details are obviously with the Microsoft notes too.

The PC is now only connected to the internet to download the files needed to complete this posting.

Many thanks for your help.

DDS.txt

DDS (Ver_10-03-17.01) - NTFSx86
Run by P&M at 13:58:06.93 on 04/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1393 [GMT 2:00]

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Belgacom\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\P&M\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.skynet.be/search
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GZAZ_en
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.8.0.5\IPSBHO.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [<NO NAME>]
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D}
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1108000.005\symds.sys [2010-9-30 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1108000.005\symefa.sys [2010-9-30 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20100901.003\BHDrvx86.sys [2010-9-14 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys [2010-9-30 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1108000.005\ironx86.sys [2010-9-30 116784]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.8.0.5\ccsvchst.exe [2010-9-30 126392]
R2 sprtsvc_belgacom;SupportSoft Sprocket Service (belgacom);c:\program files\belgacom\bin\sprtsvc.exe [2008-5-29 202016]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2006-2-28 5120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-29 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20100930.005\IDSXpx86.sys [2010-10-1 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20101003.002\NAVENG.SYS [2010-10-4 86064]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20101003.002\NAVEX15.SYS [2010-10-4 1371184]
R3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1562096]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-10 135664]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]

=============== Created Last 30 ================

2010-10-04 11:57:14 0 ----a-w- c:\documents and settings\p&m\defogger_reenable
2010-09-23 07:59:38 0 d-----w- c:\windows\pss
2010-09-19 11:50:47 0 d-----w- c:\docume~1\p&m\applic~1\Malwarebytes
2010-09-19 11:50:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-19 11:50:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-19 11:50:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-19 11:50:34 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-17 21:17:25 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-09-17 21:15:17 0 dc-h--w- c:\windows\ie8
2010-09-17 18:57:37 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-09-17 18:49:18 37248 ----a-w- c:\windows\system32\drivers\ISAPNP.SYS
2010-09-17 14:47:43 0 d-----w- c:\windows\system32\MpEngineStore
2010-09-17 14:46:09 0 d-----w- C:\b881181b7fdf0dc6fc
2010-09-13 13:04:36 0 d-----w- c:\program files\Safer Networking
2010-09-13 12:23:36 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-09-13 12:23:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-09-10 10:17:32 0 d-----w- c:\docume~1\p&m\applic~1\Tific

==================== Find3M ====================

2010-08-19 14:38:33 29576 ----a-w- c:\docume~1\p&m\applic~1\GDIPFONTCACHEV1.DAT
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll

============= FINISH: 13:58:47.65 ===============

Edited by mvb, 08 October 2010 - 12:31 PM.


#5 etavares
    Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 19 October 2010 - 05:18 PM

Sorry for the delay, this did not appear in my subscribed topics, I may have accidentally unwatched it. I'll research and get back to you tonight. Again, I'm really sorry I missed your response.




#6 etavares
    Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 19 October 2010 - 08:15 PM

Hello, mvb.

Please don't miss my last post above...I think I forgot to re-subscribe when I reopened the thread. Feel free to PM me (see the link in my signature below) if I don't respond within 2 days.

Bamital and Tidserv are backdoor infections. Let's run a couple other scans to dig into it.

The port requests seem to be inbound, which is fairly normal.



Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.




Registry Cleaner Warning


I also see that you have CCleaner installed. It is a great tool that I use. However, be careful of the registry cleaning functionality (versus file cleaning). Here at BC, we do not recommend using registry cleaners as they don't speed up your computer and they can do more harm than good if they remove a legitimate entry. If you do use it, make sure to use a tool like ERUNT to back up your registry first. Merely backing it up yourself via regedit won't help you if you can't boot up as a result!

See here for more information:
http://www.bleepingcomputer.com/forums/index.php?showtopic=238799&st=0&p=1326578&#entry1326578

Step 1

Please download MBRCheck by ad_13 and save it to your desktop.

Double-click to run. A window will pop up. If it says 'non-standard' or 'infected' MBR code detected, please type 3 for Exit for now and press Enter.

It will save a logfile on your desktop that starts with MBR, then has the date, etc. Please copy and paste the contents of that log in your reply.



Step 2

Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


etavares


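MBRCheck's decision point in Step 1 is the MBR status string. The script below is an added example (not MBRCheck's code, nor part of the post) that parses the tool's report table and the SHA1 line that follows each drive and flags any status that is not a recognised Windows boot-code string; the sample reports are constructed, modelled on the report format mvb posts later in the thread, and the 'Non-standard' status wording and all-zero hash in the second sample are assumed placeholders.

```python
"""Parse an MBRCheck report and decide whether the MBR needs a closer look.
Added example, not MBRCheck's code. It reads the 'Size Device Name MBR Status'
table plus the SHA1 line after each row, and flags any status that is not a
recognised Windows boot-code string, matching the post's advice to stop when
the tool reports non-standard or infected code."""
import re

# Row: "<size> GB \\.\PhysicalDriveN <status text>"
ROW_RE = re.compile(r"^(\d+)\s+GB\s+(\\\\\.\\PhysicalDrive\d+)\s+(.+?)\s*$")
SHA1_RE = re.compile(r"^SHA1:\s*([0-9A-Fa-f]{40})\s*$")
SUSPECT_WORDS = ("non-standard", "infected", "unknown")

# Constructed sample, modelled on the report posted later in the thread.
CLEAN_REPORT = r"""
Logical Drives Mask: 0x0000001d

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
"""

# Constructed sample for the branch the post warns about; the status wording
# and the all-zero SHA1 are placeholders, not real MBRCheck output.
SUSPECT_REPORT = r"""
Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Non-standard MBR code detected!
SHA1: 0000000000000000000000000000000000000000
Done!
"""


def classify(status):
    """KNOWN: a recognised Windows boot-code string; REVIEW: stop and report."""
    s = status.lower()
    if any(word in s for word in SUSPECT_WORDS):
        return "REVIEW"        # the post: type 3 to exit and paste the log
    if "mbr code detected" in s:
        return "KNOWN"         # e.g. 'Windows XP MBR code detected'
    return "UNRECOGNISED"      # tool output we did not anticipate: look by hand


def parse_mbrcheck(text):
    """Return one dict per physical drive: size_gb, device, status, sha1, verdict."""
    drives = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Size") and "MBR Status" in line:
            in_table = True
            continue
        if not in_table or not line or line.startswith("---"):
            continue
        if line.startswith("Done!"):
            break
        m = ROW_RE.match(line)
        if m:
            drives.append({"size_gb": int(m.group(1)), "device": m.group(2),
                           "status": m.group(3), "sha1": None})
            continue
        m = SHA1_RE.match(line)
        if m and drives and drives[-1]["sha1"] is None:
            # The SHA1 line belongs to the row immediately above it.
            drives[-1]["sha1"] = m.group(1).upper()
    for d in drives:
        d["verdict"] = classify(d["status"])
    return drives


def needs_review(drives):
    """True if any drive's MBR status should be sent back to the helper."""
    return any(d["verdict"] != "KNOWN" for d in drives)


if __name__ == "__main__":
    for label, report in (("clean", CLEAN_REPORT), ("suspect", SUSPECT_REPORT)):
        drives = parse_mbrcheck(report)
        print(label, needs_review(drives), drives)
```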


#7 mvb
  • Topic Starter
  • Members
  • 10 posts

Posted 21 October 2010 - 04:22 AM

Hi

Firstly, thanks for the info. I think that I will end up re-installing XP (this will be the 3rd re-install in 8 months: the first after fitting a bigger HD, the 2nd because the new HD died, and now this!). Before I bite the bullet I need to get my files backed up. So I have run MBRCheck and RKUnhooker; details below.

I will wait with running backups etc until I hear from you.

MBRCheck Report:
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d

Kernel Drivers (total 129):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF75A8000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7597000 pci.sys
0xF75F7000 ISAPNP.SYS
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF798B000 intelide.sys
0xF7607000 MountMgr.sys
0xF74D8000 ftdisk.sys
0xF770F000 PartMgr.sys
0xF7617000 VolSnap.sys
0xF74C0000 atapi.sys
0xF7627000 disk.sys
0xF7637000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF74A0000 fltmgr.sys
0xF744A000 SYMDS.SYS
0xF741D000 SYMEFA.SYS
0xF7717000 PxHelp20.sys
0xF7876000 symsnap.sys
0xF7406000 KSecDD.sys
0xF7B52000 Ntfs.sys
0xF7849000 NDIS.sys
0xF782F000 Mup.sys
0xBA726000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB8931000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB891D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB88F5000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF7777000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB88D1000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF777F000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB96CA000 \SystemRoot\system32\DRIVERS\fdc.sys
0xB88BD000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA716000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB96BA000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB96B2000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA706000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA7C0000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF7667000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7677000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7687000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB889A000 \SystemRoot\system32\DRIVERS\ks.sys
0xB969A000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xBA489000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF76E7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA7B0000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB8883000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF76F7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7587000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF778F000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB8872000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7577000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF779F000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF77AF000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7567000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79DF000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB8774000 \SystemRoot\system32\DRIVERS\update.sys
0xBA505000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7557000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB072E000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xB070A000 \SystemRoot\system32\drivers\portcls.sys
0xF7517000 \SystemRoot\system32\drivers\drmk.sys
0xB06EA000 \SystemRoot\system32\drivers\AEAudio.sys
0xB068A000 \SystemRoot\system32\drivers\Senfilt.sys
0xF7507000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79EB000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF77DF000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xB060B000 \SystemRoot\System32\Drivers\NIS\1108000.005\SRTSP.SYS
0xB05EC000 \SystemRoot\system32\drivers\NIS\1108000.005\Ironx86.SYS
0xBA796000 \SystemRoot\system32\drivers\NIS\1108000.005\SRTSPX.SYS
0xB049E000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20101009.002\NAVEX15.SYS
0xB0479000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xB0465000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20101009.002\NAVENG.SYS
0xF79F1000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7A9E000 \SystemRoot\System32\Drivers\Null.SYS
0xF79F5000 \SystemRoot\System32\Drivers\Beep.SYS
0xF775F000 \SystemRoot\System32\drivers\vga.sys
0xF79F9000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79FD000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF776F000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB96C2000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA7F4000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB0432000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB03D9000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB0382000 \SystemRoot\System32\Drivers\NIS\1108000.005\SYMTDI.SYS
0xB035C000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA776000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB02DC000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20101008.002\IDSxpx86.sys
0xB02B4000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB0292000 \SystemRoot\System32\drivers\afd.sys
0xBA766000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB0267000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB01F7000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA756000 \SystemRoot\System32\Drivers\Fips.SYS
0xB00F9000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xB00DC000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xB005D000 \SystemRoot\system32\drivers\NIS\1108000.005\ccHPx86.sys
0xAFFB1000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20101001.001\BHDrvx86.sys
0xF7697000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xAFF99000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7A05000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB0682000 \SystemRoot\System32\drivers\Dxapi.sys
0xF77B7000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xB9F2A000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF049000 \SystemRoot\System32\ati2cqag.dll
0xBF07D000 \SystemRoot\System32\atikvmag.dll
0xBF0B2000 \SystemRoot\System32\ati3duag.dll
0xBF2F4000 \SystemRoot\System32\ativvaxx.dll
0xADE65000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xADBFC000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF79B3000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xAD99D000 \SystemRoot\system32\DRIVERS\srv.sys
0xB9692000 \SystemRoot\system32\DRIVERS\v2imount.sys
0xF780F000 \SystemRoot\system32\drivers\LVPr2Mon.sys
0xAD438000 \SystemRoot\system32\drivers\wdmaud.sys
0xAD3EC000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xAD67D000 \SystemRoot\system32\drivers\sysaudio.sys
0xACD13000 \SystemRoot\System32\Drivers\HTTP.sys
0xACB65000 \??\C:\WINDOWS\system32\drivers\VProEventMonitor.sys
0xAC9F2000 \SystemRoot\system32\drivers\kmixer.sys
0xAD515000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 39):
0 System Idle Process
4 System
456 C:\WINDOWS\system32\smss.exe
504 csrss.exe
532 C:\WINDOWS\system32\winlogon.exe
576 C:\WINDOWS\system32\services.exe
588 C:\WINDOWS\system32\lsass.exe
740 C:\WINDOWS\system32\ati2evxx.exe
768 C:\WINDOWS\system32\svchost.exe
888 svchost.exe
944 C:\WINDOWS\system32\svchost.exe
1000 svchost.exe
1072 svchost.exe
1176 C:\WINDOWS\system32\spoolsv.exe
1220 C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
1264 svchost.exe
1308 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1340 C:\Program Files\Bonjour\mDNSResponder.exe
1420 C:\Program Files\Java\jre6\bin\jqs.exe
1500 C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe
1564 C:\Program Files\Norton Ghost\Agent\VProSvc.exe
1636 C:\Program Files\Belgacom\bin\sprtsvc.exe
1684 C:\WINDOWS\system32\svchost.exe
1740 C:\WINDOWS\system32\dllhost.exe
2020 C:\Program Files\Canon\CAL\CALMAIN.exe
1316 C:\WINDOWS\system32\dllhost.exe
1368 C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe
2136 C:\WINDOWS\system32\ati2evxx.exe
2332 alg.exe
2392 C:\WINDOWS\explorer.exe
2868 C:\WINDOWS\system32\wscntfy.exe
3160 C:\Program Files\Analog Devices\Core\smax4pnp.exe
3192 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
3300 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
3372 msdtc.exe
3376 C:\WINDOWS\system32\ctfmon.exe
3824 C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
3580 SymDB.exe
3880 E:\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: STM3500418AS, Rev: CC37

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!


RKunhooker Report:
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xBF0B2000 C:\WINDOWS\System32\ati3duag.dll 2367488 bytes (ATI Technologies Inc. , ati3duag.dll)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2260992 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2260992 bytes
0x804D7000 RAW 2260992 bytes
0x804D7000 WMIxWDM 2260992 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB049E000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20101009.002\NAVEX15.SYS 1368064 bytes (Symantec Corporation, AV Engine)
0xB8931000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 1331200 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xAFFB1000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20101001.001\BHDrvx86.sys 704512 bytes (Symantec Corporation, BASH Driver)
0xBF2F4000 C:\WINDOWS\System32\ativvaxx.dll 643072 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xF7B52000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB005D000 C:\WINDOWS\system32\drivers\NIS\1108000.005\ccHPx86.sys 520192 bytes (Symantec Corporation, Common Client Hash Provider Driver)
0xB01F7000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB068A000 C:\WINDOWS\system32\drivers\Senfilt.sys 393216 bytes (Sensaura, Sensaura WDM 3D Audio Driver)
0xB00F9000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0xB8774000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB03D9000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB02DC000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20101008.002\IDSxpx86.sys 360448 bytes (Symantec Corporation, IDS Core Driver)
0xB060B000 C:\WINDOWS\System32\Drivers\NIS\1108000.005\SRTSP.SYS 356352 bytes (Symantec Corporation, Symantec AutoProtect)
0xAD99D000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xB0382000 C:\WINDOWS\System32\Drivers\NIS\1108000.005\SYMTDI.SYS 356352 bytes (Symantec Corporation, Network Dispatch Driver)
0xF744A000 SYMDS.SYS 352256 bytes
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xACD13000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 225280 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBF07D000 C:\WINDOWS\System32\atikvmag.dll 217088 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xBF049000 C:\WINDOWS\System32\ati2cqag.dll 212992 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xF75A8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xADBFC000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7849000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF741D000 SYMEFA.SYS 184320 bytes
0xAC9F2000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xB0267000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB88F5000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xB02B4000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB072E000 C:\WINDOWS\system32\drivers\ADIHdAud.sys 155648 bytes (Analog Devices, Inc., High Definition Audio Function Driver(Release Candidate 1))
0xB035C000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB0479000 C:\WINDOWS\system32\Drivers\SYMEVENT.SYS 151552 bytes (Symantec Corporation, Symantec Event Library)
0xAD3EC000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xB070A000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB88D1000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB889A000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB0292000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xF7876000 symsnap.sys 135168 bytes (StorageCraft, StorageCraft Volume Snap-Shot)
0x806FF000 ACPI_HAL 134400 bytes
0x806FF000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB06EA000 C:\WINDOWS\system32\drivers\AEAudio.sys 131072 bytes (Andrea Electronics Corporation, Andrea Audio Noise Cancellation Driver)
0xF74A0000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF74D8000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB05EC000 C:\WINDOWS\system32\drivers\NIS\1108000.005\Ironx86.SYS 126976 bytes (Symantec Corporation, Iron Driver)
0xB00DC000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0xF782F000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF74C0000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xAFF99000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7406000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB8883000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xAD438000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB0465000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20101009.002\NAVENG.SYS 81920 bytes (Symantec Corporation, AV Engine)
0xB88BD000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB891D000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB0432000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7597000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB8872000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF7697000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7677000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA706000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF7517000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7687000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xAD67D000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF7507000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7637000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA716000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF76E7000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7617000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7587000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA756000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7667000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7607000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF76F7000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF75F7000 ISAPNP.SYS 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF7557000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA796000 C:\WINDOWS\system32\drivers\NIS\1108000.005\SRTSPX.SYS 40960 bytes (Symantec Corporation, Symantec AutoProtect)
0xF7567000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7627000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA726000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF7577000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA766000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB01D7000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA776000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xB96C2000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF777F000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xB9692000 C:\WINDOWS\system32\DRIVERS\v2imount.sys 32768 bytes (Symantec Corporation, V2iMount.sys - Image Mounting Device Driver)
0xB96CA000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF7707000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xB96D2000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xB969A000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xB96BA000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xB96B2000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7777000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF775F000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF77DF000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF780F000 C:\WINDOWS\system32\drivers\LVPr2Mon.sys 20480 bytes (-, -)
0xF776F000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF779F000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7717000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF77AF000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF778F000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF77B7000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA505000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xADE65000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA7C0000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB0682000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xBA7B0000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA7F4000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xACB65000 C:\WINDOWS\system32\drivers\VProEventMonitor.sys 12288 bytes (Symantec Corporation, VProEventMonitor.Sys - Event Monitoring driver)
0xF79F5000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7A05000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF79F1000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF798B000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF79F9000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF79B3000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF79FD000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF79DF000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF79EB000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7989000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA489000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xB9F2A000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7A9E000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A4F000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================

Thanks
Maureen

Edited by mvb, 21 October 2010 - 04:53 AM.


#8 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 21 October 2010 - 05:49 PM

Hello, mvb.

I would back up sooner rather than later. The infections can sometimes be stubborn and there's always a chance of data loss. We can back up, then clean it further, then do a clean backup if you want; or you can back up now and reformat. If you do back up, only back up documents, photos, videos, music, saved games, that kind of thing. To minimize your chance of copying the infection over, do not copy any program files (C:\program files, EXE, COM, BAT, PIF, SCR, etc.) or system files (C:\windows, SYS, DLL). Then, after the reformat, install an antivirus and an antispyware (like Malwarebytes' Anti-malware or SuperAntiSpyware), update them both, and scan your backup before copying it over.



etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
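A small script that applies the selective-backup rule from the post above (copy documents and media, skip program and system files and the Program Files and Windows folders). It is an added example, not code from the thread or from any tool named in it; the file tree it works on is constructed inline for demonstration.

```python
"""Data-only backup filter following the advice in the post above (added example)."""
import os
import shutil
import tempfile
from pathlib import Path

# File types the post says not to copy: program files and system files.
EXCLUDED_EXTENSIONS = {".exe", ".com", ".bat", ".pif", ".scr", ".sys", ".dll"}
# Folder names skipped wholesale wherever they appear in the tree (case-insensitive).
EXCLUDED_DIRS = {"program files", "windows"}


def classify(src_root):
    """Walk src_root; return (to_copy, skipped) as sorted relative POSIX-style paths."""
    src_root = Path(src_root)
    to_copy, skipped = [], []
    for dirpath, dirnames, filenames in os.walk(src_root):
        rel_dir = Path(dirpath).relative_to(src_root)
        # Prune excluded folders in place so os.walk never descends into them.
        pruned = [d for d in dirnames if d.lower() in EXCLUDED_DIRS]
        dirnames[:] = [d for d in dirnames if d.lower() not in EXCLUDED_DIRS]
        skipped.extend((rel_dir / d).as_posix() + "/" for d in pruned)
        for name in filenames:
            rel = (rel_dir / name).as_posix()
            # suffix is the last extension only, so "holiday.jpg.exe" is still caught.
            if Path(name).suffix.lower() in EXCLUDED_EXTENSIONS:
                skipped.append(rel)
            else:
                to_copy.append(rel)
    return sorted(to_copy), sorted(skipped)


def run_backup(src_root, dst_root):
    """Copy only the allowed files, keeping the folder layout; return both lists."""
    to_copy, skipped = classify(src_root)
    for rel in to_copy:
        dst = Path(dst_root) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(Path(src_root) / rel, dst)
    return to_copy, skipped


def build_sample_tree(root):
    """Constructed sample layout (not from the thread) to exercise the filter."""
    files = {
        "My Documents/letter.doc": "hello",
        "My Documents/holiday.jpg.exe": "MZ...",  # executable disguised as a photo
        "My Documents/notes.txt": "remember the milk",
        "Program Files/Canon/update.exe": "MZ...",
        "WINDOWS/system32/something.dll": "MZ...",
        "Downloads/setup.BAT": "@echo off",
        "Music/song.mp3": "ID3",
    }
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def demo():
    """Build the constructed tree in a temp dir, back it up, and report what happened."""
    with tempfile.TemporaryDirectory() as work:
        src, dst = Path(work) / "src", Path(work) / "backup"
        build_sample_tree(src)
        copied, skipped = run_backup(src, dst)
        restored = (dst / "My Documents" / "letter.doc").read_text()
        return copied, skipped, restored, (dst / "WINDOWS").exists()


if __name__ == "__main__":
    copied, skipped, _, _ = demo()
    print("copied: ", copied)
    print("skipped:", skipped)
```

The skipped list is the part worth reading before restoring: anything unexpected there (an executable inside My Documents, for instance) is exactly what the post warns against carrying over.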
 


#9 mvb

  • Topic Starter
  • Members
  • 10 posts

Posted 21 October 2010 - 06:19 PM

Hi
Okay, it's 01.00am here so I will go ahead and backup My Docs and Outlook Express tomorrow morning. Will update you once I've finished so that hopefully we can move on.

Thanks again

Maureen

#10 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 21 October 2010 - 06:24 PM

Sounds good. I'll keep an eye out.




#11 mvb

  • Topic Starter
  • Members
  • 10 posts

Posted 22 October 2010 - 01:20 PM

Hi

Everything is backed up but I have a question.

I have some fixes that I downloaded from the Canon site for my camera - they are all exe files so I'm assuming that they are a no-no? Also, do I have to do anything to My Docs and Outlook Express, which I've backed up on an external drive?

We've got visitors this weekend so I won't be able to do the reinstall until Monday.

Thanks again for the help

Maureen

Edited by mvb, 22 October 2010 - 01:21 PM.


#12 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 22 October 2010 - 05:39 PM

If you downloaded them from the Canon website, I would not back them up; instead, re-download them from the Canon website to be safe.

Also, do I have to do anything to My Docs and Outlook Express, which I've backed up on an external drive?

I'm not entirely sure what you are asking here. You should back up My Documents. Your Outlook Express inbox may be there, or may not be. Here's an article that may help you find it:
http://support.microsoft.com/kb/188854




#13 mvb

  • Topic Starter
  • Members
  • 10 posts

Posted 24 October 2010 - 04:43 PM

Sorry, my question wasn't very clear. What I meant to say was: once I've reinstalled XP, what, if anything, should I do to my data before I copy it back to the PC?

Thanks
Maureen

#14 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 26 October 2010 - 10:19 PM

First, make sure you install and update an antivirus and antispyware program on the reformatted computer. I can recommend a few free ones in each category if you want me to. Next, scan the drive with the antivirus, then scan with the antispyware. Let them take care of any infections they find. Then you should be good to copy the files over.




#15 mvb

  • Topic Starter
  • Members
  • 10 posts

Posted 27 October 2010 - 01:43 PM

Thanks.

I've done the reinstall of XP. As I still have quite a few months to run on the NIS I have installed it, but I would be very grateful if you would give me the names of any antivirus and antispyware that you recommend, especially given that Norton allowed the virus through.

As far as the My Docs folder goes, what, if anything, needs to be done before I transfer the files back, other than running a virus check on the folder on the external drive?

Can you help me with one more thing? Where can I find a safe site to download a DVD decoder, ideally free?

Thursday 28

I finished installing our software and running updates today. I downloaded updates for Adobe 7 Professional; during the installation Spybot gave a message that these files were found:

riskware.tool.ck - Spybot showed a blank and I chose to remove it

agobot-ku worm - Spybot showed the file updmgr - file removed by Spybot

I have run the following
Malwarebytes
Spybot
NIS 2011 Full Scan

but nothing was found. Since then IE8 has been slow and hangs occasionally. I have downloaded the files from your site and will post the reports later on.

Thanks
Maureen

Edited by mvb, 28 October 2010 - 11:44 AM.
