Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

infected by spyware which makes windows crash when shutting down


  • This topic is locked This topic is locked
4 replies to this topic

#1 itslateatm

itslateatm

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:25 AM

Posted 20 April 2011 - 08:42 PM

hi,
yesterday i was browsing the internet. when i suddenly noticed my nod32 AV started to do strange stuff. It said it had deleted mashta.exe because the file was writing or something. I didn't really understand it so i didn't mind it that much. however not long after the delete, the AV kept spamming the same message: adress is blocked (dunno if that's the correct translations as my av is set to dutch language) the message also gave the url which was sometimes rollangarr0s.com or fr0udsafetycheck0n.com. but that's not the biggest problem, i think. for some reason i can't shut windows down anymore, well not via the normal way that is. It keeps giving me a BSOD saying INTERNAL_POWER_ERROR. the stop code is 0x000000A0(0x00000001,0x00000006, 0x872CE278(i'm not sure about the last set of numbers) ,0x00000000) now i have no idea what this all means but i thought it might be usefull. oh and something is stopping me from updating windows with the updater. also the gmer file isn't complete because if i keep scanning it too long either the gmer crashes or windows recieves another BSOD but then it says IRQL_NOT_LESS_OR_EQUAL don't know the stopcode and parameters for this one anymore. Also after running the gmer a few times, i noticed that the items it shows change from time to time. the first scan which got finished by the aforementioned BSOD kept scanning but didn't show any new results after a while. after the BSOD i ran it another time and then it showed something about windows defender but shortly after it encounter BSOD also. so the ones i have also contain slight changes, yet none of them contain the windows defender result :(. Also is it normal to still have a daemon tools result showing even when i used the defog program, just out of random curiosity.
Well that's about it sorry for the wall of text and thanks in advance.



.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Shiz at 0:32:51,14 on do 21/04/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.32.1043.18.3037.1506 [GMT 2:00]
.
AV: Lavasoft Ad-Watch Live! Antivirus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskeng.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\PLFSetI.exe
C:\Users\Shiz\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
D:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Users\Shiz\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
D:\program files\Steam\Steam.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Common Files\Steam\SteamService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10o_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Shiz\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0813&s=2&o=vp32&d=0110&m=aspire_7730g
uStart Page = hxxp://www.google.be/
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0813&s=2&o=vp32&d=0110&m=aspire_7730g
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0813&s=2&o=vp32&d=0110&m=aspire_7730g
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ProductReg] "c:\program files\acer\wr_popup\ProductReg.exe"
uRun: [Octoshape Streaming Services] "c:\users\shiz\appdata\roaming\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun
uRun: [Steam] "d:\program files\steam\steam.exe" -silent
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
mRun: [CLMLServer] "c:\program files\acer arcade deluxe\acer arcade deluxe\kernel\clml\CLMLSvc.exe"
mRun: [eAudio] "c:\program files\acer\empowering technology\eaudio\eAudio.exe"
mRun: [eDataSecurity Loader] c:\program files\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [ePower_DMC] c:\program files\acer\empowering technology\epower\ePower_DMC.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [PlayMovie] "c:\program files\acer arcade deluxe\playmovie\PMVService.exe"
mRun: [PLFSetI] c:\windows\PLFSetI.exe
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [VirtualCloneDrive] "d:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{21e247d4-5e27-4bea-aa4d-19a81203fe2a}\Icon3E5562ED7.ico
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/C/B/F/CBF23A2C-3E55-4664-BC5C-762780D79BA0/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\shiz\appdata\roaming\mozilla\firefox\profiles\531or9i6.default\
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\shiz\appdata\roaming\mozilla\plugins\npoctoshape.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-4-20 64512]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-10 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\playmovie\000.fcl [2010-1-31 61424]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-14 20992]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
R2 CLHNService;CLHNService;c:\program files\acer arcade deluxe\homemedia\kernel\dmp\CLHNService.exe [2010-1-31 81504]
R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-4-7 134024]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-4-7 810120]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2010-4-7 96896]
R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2009-1-10 24576]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-4-19 2146496]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-6 50424]
R2 NTIPPKernel;NTIPPKernel;c:\program files\acer arcade deluxe\homemedia\kernel\dmp\NTIPPKernel.sys [2010-1-31 122368]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-4 131072]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-1-10 81296]
R3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series adapter stuurprogramma onder Windows 7 32 Bit;c:\windows\system32\drivers\NETwNs32.sys [2011-1-27 7087616]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2011-3-26 122984]
R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2007-3-28 43008]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;d:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2010-3-7 25832]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-4-19 15232]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-10 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-10 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-10 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-10 40552]
S3 NETw5s32;Intel® Wireless WiFi Link adapter stuurprogramma onder Windows 7 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2009-9-15 6114816]
S3 netw5v32;Stuurprogramma voor Intel® Wireless WiFi Link 5000 Series-adapter 32-bits Windows Vista;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 WatAdminSvc;Windows Activation Technologies-service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-15 1343400]
S3 WSDPrintDevice;WSD-ondersteuning voor afdrukken via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-14 17920]
.
=============== Created Last 30 ================
.
2011-04-20 21:32:47 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-20 21:21:09 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-04-20 21:21:08 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-04-20 21:18:11 -------- d-----w- c:\users\shiz\appdata\local\Sunbelt Software
2011-04-20 21:17:20 -------- dc-h--w- c:\progra~2\{AA5544E4-9BBC-419B-9204-40B5924D26AA}
2011-04-20 21:16:54 -------- d-----w- c:\program files\Lavasoft
2011-04-20 20:20:02 -------- d-----w- c:\users\shiz\appdata\roaming\SUPERAntiSpyware.com
2011-04-20 20:20:02 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2011-04-20 20:19:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-20 20:04:28 -------- d-----w- c:\users\shiz\appdata\roaming\Malwarebytes
2011-04-20 20:04:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-20 20:04:00 -------- d-----w- c:\progra~2\Malwarebytes
2011-04-20 20:03:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-20 20:03:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-20 19:35:44 -------- d-----w- c:\program files\CCleaner
2011-04-20 19:29:32 330264 ----a-w- c:\windows\system32\drivers\iaStor.sys
2011-04-20 18:33:45 -------- dc----w- c:\users\shiz\appdata\local\MigWiz
2011-04-20 17:56:13 -------- d-----w- c:\windows\system32\catroot2
2011-04-20 17:34:43 -------- d-sh--w- C:\$RECYCLE.BIN
2011-04-20 16:39:05 -------- d-----w- c:\windows\nl
2011-04-20 16:37:00 18328 ----a-w- c:\progra~2\microsoft\identitycrl\production\ppcrlconfig600.dll
2011-04-20 16:36:24 525656 ----a-w- c:\program files\common files\windows live\.cache\152e84fc1cbff7911\DXSETUP.exe
2011-04-20 16:36:24 1691480 ----a-w- c:\program files\common files\windows live\.cache\152e84fc1cbff7911\dsetup32.dll
2011-04-20 16:36:23 94040 ----a-w- c:\program files\common files\windows live\.cache\152e84fc1cbff7911\DSETUP.dll
2011-04-20 16:36:21 94040 ----a-w- c:\program files\common files\windows live\.cache\140d0b2e1cbff7910\DSETUP.dll
2011-04-20 16:36:21 525656 ----a-w- c:\program files\common files\windows live\.cache\140d0b2e1cbff7910\DXSETUP.exe
2011-04-20 16:36:21 1691480 ----a-w- c:\program files\common files\windows live\.cache\140d0b2e1cbff7910\dsetup32.dll
2011-04-20 16:35:56 -------- d-----w- c:\users\shiz\appdata\local\Windows Live
2011-04-19 21:25:34 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{995e309e-8d8d-41ed-9d1b-c349eb4a055f}\mpengine.dll
2011-04-13 13:53:45 -------- d-----w- c:\program files\common files\INCA Shared
2011-04-13 13:49:30 -------- d-----w- C:\ijji
2011-04-13 13:43:13 -------- d-----w- c:\program files\REACTOR
2011-04-10 13:52:18 -------- d-----w- c:\program files\Ion Assault
2011-04-09 14:04:27 -------- d-----w- c:\windows\8A809006C25A4A3A9DAB94659BCDB107.TMP
2011-03-29 18:21:40 835440 ----a-w- c:\windows\system32\pbsvc.exe
2011-03-28 13:18:29 -------- d-----w- c:\users\shiz\appdata\local\Ubisoft Game Launcher
2011-03-26 15:08:14 -------- d-----w- c:\users\shiz\appdata\roaming\NVIDIA
2011-03-26 14:11:59 -------- d-----w- c:\users\shiz\Option
2011-03-26 12:16:02 837224 ----a-w- c:\windows\system32\nvgenco32hda.dll
2011-03-26 12:16:02 65640 ----a-w- c:\windows\system32\nvapo32v.dll
2011-03-26 12:16:02 57960 ----a-w- c:\windows\system32\OpenCL.dll
2011-03-26 12:16:02 4942952 ----a-w- c:\windows\system32\nvcuda.dll
2011-03-26 12:16:02 2895976 ----a-w- c:\windows\system32\nvcuvid.dll
2011-03-26 12:16:02 26216 ----a-w- c:\windows\system32\nvhdap32.dll
2011-03-26 12:16:02 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-03-26 12:16:02 15047272 ----a-w- c:\windows\system32\nvoglv32.dll
2011-03-26 12:16:02 13011560 ----a-w- c:\windows\system32\nvcompiler.dll
2011-03-26 12:16:02 122984 ----a-w- c:\windows\system32\drivers\nvhda32v.sys
2011-03-26 12:16:02 10468712 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-03-26 11:03:36 -------- d-----w- c:\users\shiz\appdata\roaming\Easeware
2011-03-26 11:00:20 -------- d-----w- c:\program files\SystemRequirementsLab
.
==================== Find3M ====================
.
2011-04-07 17:43:37 270408 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-04-07 17:43:37 270408 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-04-07 17:37:47 270408 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-04-05 16:54:17 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-03-29 18:21:58 138056 ----a-w- c:\users\shiz\appdata\roaming\PnkBstrK.sys
2011-03-17 09:38:00 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-03-17 09:38:00 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-03-17 09:38:00 6042216 ----a-w- c:\windows\system32\nvwgf2um.dll
2011-03-17 09:38:00 1965672 ----a-w- c:\windows\system32\nvapi.dll
2011-03-17 09:38:00 10079336 ----a-w- c:\windows\system32\nvd3dum.dll
2011-03-17 02:36:52 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-03-17 02:36:48 3597416 ----a-w- c:\windows\system32\nvcpl.dll
2011-03-17 02:36:40 2620520 ----a-w- c:\windows\system32\nvsvc.dll
2011-03-17 02:36:36 66664 ----a-w- c:\windows\system32\nvshext.dll
2011-03-17 02:36:36 608872 ----a-w- c:\windows\system32\nvvsvc.exe
2011-03-17 02:36:36 288872 ----a-w- c:\windows\system32\nvhotkey.dll
2011-03-17 02:36:36 2558568 ----a-w- c:\windows\system32\nvsvcr.dll
2011-03-17 02:36:36 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-02-19 05:33:11 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 05:32:48 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 05:32:35 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-02-02 16:11:20 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2011-01-25 10:50:57 418480 ----a-w- c:\windows\system32\wrap_oal.dll
2011-01-25 10:50:57 115432 ----a-w- c:\windows\system32\OpenAL32.dll
.
============= FINISH: 0:34:14,33 ===============

Attached Files


Edited by itslateatm, 20 April 2011 - 08:48 PM.


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:25 PM

Posted 28 April 2011 - 11:58 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply





Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".


information and logs:

  • In your next post I need the following

  • .logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 itslateatm

itslateatm
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:25 AM

Posted 30 April 2011 - 12:07 PM

oh, i'm sorry, I totally forgot about this post. Problem is fixed already, thanks for replying and again sorry for the late reply.

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:25 PM

Posted 30 April 2011 - 12:53 PM

No problem and thanks for letting me know



Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:25 PM

Posted 03 May 2011 - 07:07 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users