Possible malware infection - Windows XP Pro (requested logs attached)


  • This topic is locked
5 replies to this topic

#1 wab

  • Members
  • 3 posts

Posted 12 September 2011 - 09:29 PM

Greetings. I believe a computer I am responsible for may be infected with some malware/virus. Several months ago I removed a Google redirecting virus from this same system. I believe I used Malwarebytes Anti-Malware to remove it. Since then, we have had two episodes where either Internet Explorer (versions 6, 7 AND 8) or Firefox (versions 3 and 4) locks up when attempting to browse the web. They usually load the initial homepage and then fail from that point on. Note that they lock up after reading SOME (but I presume not all) of the data received from the web server. I know this because when the GUI freezes, the correct title is displayed on the tab. Also, if I wait it out, the GUI eventually returns and runs better, though still slowly, following the initial freeze. I can't say how long the initial freeze took as I wasn't timing it, but I would guess anywhere from five to ten minutes.

If I telnet to, for example, www.google.com:80 and type:

GET /


I get data back instantly. I am concerned that some part of this old virus (or part of a new one) remains. I run ESET NOD32 Antivirus and have completed several scans with Malwarebytes Anti-Malware. Neither scan produces any results, although the NOD32 startup scan a few days ago reported the Mebroot trojan, which it claims it was unable to remove. After downloading the manual remover from the ESET website, the removal tool said that Mebroot was not found on the system. I have no explanation for the seeming contradiction.

When Firefox and IE are both unresponsive, neither is using a significant amount of CPU or RAM, nor are there excessive reads/writes to the disk (according to Task Manager). I can only assume they are unresponsive because of something to do with the network. Perhaps the old Google redirector is still hooked in and trying to call home, but failing?

The first time this problem appeared, a repair install of Windows XP Pro seemed to clear it up. This time, however, no such luck: following the repair install, the symptoms persist. Note that a side effect of this is that Windows seems to be unable to activate itself. As such, I had to install an AntiWPA patch just to log in to the system. If I can find the problem, I fully intend to remove it and activate the software.

I realize that the board instructions say to use DDS rather than HJT, but for the sake of thoroughness I thought I would include both.

HijackThis 2.0.4 log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:14:02 PM, on 9/12/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe
C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe
C:\Program Files\StorageCraft\ImageManager\ImageManager.exe
C:\Program Files\Advantage 10.10\Server\ADS.EXE
C:\WINDOWS\system32\vsnapvss.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\StorageCraft\ShadowProtect\ShadowProtect.exe
C:\WINDOWS\system32\mstsc.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Carol\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://secure.eyefinity.com/eyefinity/html/eyefinity_logon.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: subst.lnk = C:\subst.bat
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1307073747609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233798552015
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://compulink-softwaretraining.webex.com/client/T25L/training/ieatgpc.cab
O16 - DPF: {F84E0B64-1E86-4640-8094-5B38CEB28C1E} (SkyFex Client Object) - https://skyfex.com/download/SkyFexClient.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Advantage Database Server (Advantage) - iAnywhere Solutions, Inc. - C:\Program Files\Advantage 10.10\Server\ADS.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ShadowProtect Service (ShadowProtectSvc) - StorageCraft Technology Corporation - C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe
O23 - Service: StorageCraft Image Manager - StorageCraft Technology Corporation - C:\Program Files\StorageCraft\ImageManager\ImageManager.exe
O23 - Service: StorageCraft Shadow Copy Provider (VSNAPVSS) - StorageCraft Technology Corporation - C:\WINDOWS\system32\vsnapvss.exe
O24 - Desktop Component 0: (no name) - http://www.kidshannon.com/artists/leick/lg/5.jpg

--
End of file - 7475 bytes


DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Carol at 14:23:36 on 2011-09-12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2013.1371 [GMT -10:00]
.
AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe
C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe
C:\Program Files\StorageCraft\ImageManager\ImageManager.exe
C:\Program Files\Advantage 10.10\Server\ADS.EXE
C:\WINDOWS\system32\vsnapvss.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\StorageCraft\ShadowProtect\ShadowProtect.exe
C:\WINDOWS\system32\mstsc.exe
C:\Documents and Settings\Carol\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = https://secure.eyefinity.com/eyefinity/html/eyefinity_logon.htm
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [TomcatStartup 2.5] c:\program files\hewlett-packard\toolbox\hpbpsttp.exe
mRunOnce: [NoIE4StubProcessing] c:\windows\system32\reg.exe delete "hklm\software\microsoft\active setup\Installed Components" /v "NoIE4StubProcessing" /f
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
StartupFolder: c:\docume~1\carol\startm~1\programs\startup\subst.lnk - c:\subst.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1307073747609
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233798552015
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://compulink-softwaretraining.webex.com/client/T25L/training/ieatgpc.cab
DPF: {F84E0B64-1E86-4640-8094-5B38CEB28C1E} - hxxps://skyfex.com/download/SkyFexClient.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{288889CA-E346-4DD3-A013-9F3804FEA103} : DhcpNameServer = 192.168.108.3
TCP: Interfaces\{6590970E-ECCD-45D9-B562-1E22C7415095} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{F7E56FB2-5A7B-4250-89B0-85F2CC8468FD} : DhcpNameServer = 24.25.227.15 66.75.160.15 24.25.227.33
Notify: Antiwpa - antiwpa.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\carol\application data\mozilla\firefox\profiles\zgtbzjv0.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/a/eyecareofkona.com/#inbox|https://secure.eyefinity.com/eyefinity/html/eyefinity_logon.htm
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [2009-3-26 144288]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-12-21 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-12-21 94872]
R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [2009-3-26 95776]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2011-1-12 810144]
R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\storagecraft\shadowprotect\ShadowProtectSvc.exe [2009-3-26 1255968]
R2 StorageCraft Image Manager;StorageCraft Image Manager;c:\program files\storagecraft\imagemanager\ImageManager.exe [2008-9-23 90112]
R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [2009-3-26 70176]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-6-17 110080]
R3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
.
=============== Created Last 30 ================
.
2011-09-13 00:08:59 916480 ------w- c:\windows\system32\SET2AE.tmp
2011-09-13 00:08:59 105984 ------w- c:\windows\system32\SET2B0.tmp
2011-09-13 00:08:58 5969920 ------w- c:\windows\system32\SET2B4.tmp
2011-09-13 00:08:58 1212416 ------w- c:\windows\system32\SET2AF.tmp
2011-09-13 00:08:42 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-09-13 00:08:42 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-09-13 00:08:42 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-09-13 00:08:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-09-13 00:08:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-09-13 00:08:41 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-09-13 00:08:40 11081728 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-09-12 23:43:30 60416 ----a-w- c:\windows\system32\antiwpa.dll
2011-09-11 01:16:59 229439 -c--a-w- c:\windows\system32\dllcache\multibox.dll
2011-09-11 01:15:59 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2011-09-10 23:22:39 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-09-10 23:22:39 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-09-10 23:22:39 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-09-10 23:22:39 13312 ----a-w- c:\windows\system32\irclass.dll
2011-09-10 23:22:29 16535 ----a-r- c:\windows\SETFD.tmp
2011-09-10 23:22:28 1088840 ----a-r- c:\windows\SETF1.tmp
2011-09-10 23:22:27 1296669 ----a-r- c:\windows\SETEE.tmp
2011-08-26 23:43:17 1409 ----a-w- c:\windows\QTFont.for
.
==================== Find3M ====================
.
2011-09-07 19:57:27 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-07-07 05:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 05:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-23 18:36:30 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ------w- c:\windows\system32\html.iec
.
============= FINISH: 14:29:36.13 ===============


ark.txt:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-12 16:28:01
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD16 rev.01.0
Running: gmer.exe; Driver: C:\DOCUME~1\Carol\LOCALS~1\Temp\uftdypob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xA8444610]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xA8444C10]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xA8444730]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xA84444B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xA8444570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xA84446D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xA8444790]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xA8444690]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xA8444650]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xA84447D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xA8444510]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xA8444590]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xA84444D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xA84445D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xA8444750]

INT 0x01 \??\C:\DOCUME~1\Carol\LOCALS~1\Temp\mbr.sys BA439C42

---- Kernel code sections - GMER 1.0.15 ----

? ZR`G\A@J@ The system cannot find the path specified. !
? system32\drivers\xpsec.sys The system cannot find the path specified. !
? system32\drivers\xcpip.sys The system cannot find the path specified. !
? C:\DOCUME~1\Carol\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\dllhost.exe[500] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F39FFA
.text C:\WINDOWS\system32\dllhost.exe[500] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F39B97
.text C:\WINDOWS\system32\dllhost.exe[500] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F39EAC
.text C:\WINDOWS\system32\dllhost.exe[500] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F39C78
.text C:\WINDOWS\system32\dllhost.exe[500] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F39D4B
.text C:\WINDOWS\system32\winlogon.exe[860] ntdll.dll!NtLockProductActivationKeys 7C90D490 5 Bytes JMP 10001000 C:\WINDOWS\system32\antiwpa.dll
.text C:\WINDOWS\system32\winlogon.exe[860] Secur32.dll!LsaLogonUser 77FE33D8 5 Bytes JMP 00D62C81
.text C:\WINDOWS\system32\winlogon.exe[860] USER32.dll!GetSystemMetrics 7E418F9C 5 Bytes JMP 10001018 C:\WINDOWS\system32\antiwpa.dll
.text C:\WINDOWS\Explorer.EXE[2012] USER32.dll!DisplayExitWindowsWarnings 7E459F91 5 Bytes JMP 01412A93
.text C:\WINDOWS\Explorer.EXE[2012] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EF9FFA
.text C:\WINDOWS\Explorer.EXE[2012] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EF9B97
.text C:\WINDOWS\Explorer.EXE[2012] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00EF9EAC
.text C:\WINDOWS\Explorer.EXE[2012] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EF9C78
.text C:\WINDOWS\Explorer.EXE[2012] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00EF9D4B
.text C:\Program Files\Mozilla Firefox\firefox.exe[2208] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[2276] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01109FFA
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[2276] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01109B97
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[2276] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01109EAC
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[2276] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01109C78
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[2276] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01109D4B
.text C:\WINDOWS\system32\igfxtray.exe[2364] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01769FFA
.text C:\WINDOWS\system32\igfxtray.exe[2364] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01769B97
.text C:\WINDOWS\system32\igfxtray.exe[2364] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01769EAC
.text C:\WINDOWS\system32\igfxtray.exe[2364] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01769C78
.text C:\WINDOWS\system32\igfxtray.exe[2364] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01769D4B
.text C:\WINDOWS\system32\hkcmd.exe[2372] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 011F9FFA
.text C:\WINDOWS\system32\hkcmd.exe[2372] WS2_32.dll!send 71AB4C27 5 Bytes JMP 011F9B97
.text C:\WINDOWS\system32\hkcmd.exe[2372] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 011F9EAC
.text C:\WINDOWS\system32\hkcmd.exe[2372] WS2_32.dll!recv 71AB676F 5 Bytes JMP 011F9C78
.text C:\WINDOWS\system32\hkcmd.exe[2372] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 011F9D4B
.text C:\WINDOWS\system32\igfxpers.exe[2400] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01119FFA
.text C:\WINDOWS\system32\igfxpers.exe[2400] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01119B97
.text C:\WINDOWS\system32\igfxpers.exe[2400] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01119EAC
.text C:\WINDOWS\system32\igfxpers.exe[2400] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01119C78
.text C:\WINDOWS\system32\igfxpers.exe[2400] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01119D4B
.text C:\WINDOWS\system32\igfxsrvc.exe[2404] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E99FFA
.text C:\WINDOWS\system32\igfxsrvc.exe[2404] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E99B97
.text C:\WINDOWS\system32\igfxsrvc.exe[2404] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E99EAC
.text C:\WINDOWS\system32\igfxsrvc.exe[2404] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E99C78
.text C:\WINDOWS\system32\igfxsrvc.exe[2404] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E99D4B
.text C:\WINDOWS\system32\mstsc.exe[2632] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EE9FFA
.text C:\WINDOWS\system32\mstsc.exe[2632] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EE9B97
.text C:\WINDOWS\system32\mstsc.exe[2632] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00EE9EAC
.text C:\WINDOWS\system32\mstsc.exe[2632] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EE9C78
.text C:\WINDOWS\system32\mstsc.exe[2632] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00EE9D4B
.text C:\WINDOWS\system32\msdtc.exe[2900] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 009B9FFA
.text C:\WINDOWS\system32\msdtc.exe[2900] WS2_32.dll!send 71AB4C27 5 Bytes JMP 009B9B97
.text C:\WINDOWS\system32\msdtc.exe[2900] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 009B9EAC
.text C:\WINDOWS\system32\msdtc.exe[2900] WS2_32.dll!recv 71AB676F 5 Bytes JMP 009B9C78
.text C:\WINDOWS\system32\msdtc.exe[2900] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 009B9D4B
.text C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE[2944] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01549FFA
.text C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE[2944] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01549B97
.text C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE[2944] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01549EAC
.text C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE[2944] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01549C78
.text C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE[2944] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01549D4B
.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[3088] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 098C9FFA
.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[3088] WS2_32.dll!send 71AB4C27 5 Bytes JMP 098C9B97
.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[3088] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 098C9EAC
.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[3088] WS2_32.dll!recv 71AB676F 5 Bytes JMP 098C9C78
.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[3088] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 098C9D4B
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[3208] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Java\jre6\bin\jqs.exe[3276] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01469FFA
.text C:\Program Files\Java\jre6\bin\jqs.exe[3276] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01469B97
.text C:\Program Files\Java\jre6\bin\jqs.exe[3276] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01469EAC
.text C:\Program Files\Java\jre6\bin\jqs.exe[3276] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01469C78
.text C:\Program Files\Java\jre6\bin\jqs.exe[3276] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01469D4B
.text C:\WINDOWS\System32\alg.exe[3316] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C29FFA
.text C:\WINDOWS\System32\alg.exe[3316] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C29B97
.text C:\WINDOWS\System32\alg.exe[3316] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C29EAC
.text C:\WINDOWS\System32\alg.exe[3316] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C29C78
.text C:\WINDOWS\System32\alg.exe[3316] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C29D4B
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[3376] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C49FFA
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[3376] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C49B97
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[3376] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C49EAC
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[3376] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C49C78
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[3376] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C49D4B
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[3392] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02DA9FFA
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[3392] ws2_32.dll!send 71AB4C27 5 Bytes JMP 02DA9B97
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[3392] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 02DA9EAC
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[3392] ws2_32.dll!recv 71AB676F 5 Bytes JMP 02DA9C78
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe[3392] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 02DA9D4B
.text C:\Program Files\StorageCraft\ImageManager\ImageManager.exe[3712] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00FC9FFA
.text C:\Program Files\StorageCraft\ImageManager\ImageManager.exe[3712] ws2_32.dll!send 71AB4C27 5 Bytes JMP 00FC9B97
.text C:\Program Files\StorageCraft\ImageManager\ImageManager.exe[3712] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00FC9EAC
.text C:\Program Files\StorageCraft\ImageManager\ImageManager.exe[3712] ws2_32.dll!recv 71AB676F 5 Bytes JMP 00FC9C78
.text C:\Program Files\StorageCraft\ImageManager\ImageManager.exe[3712] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00FC9D4B
.text C:\Program Files\Advantage 10.10\Server\ADS.EXE[3920] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02D39FFA
.text C:\Program Files\Advantage 10.10\Server\ADS.EXE[3920] WS2_32.dll!send 71AB4C27 5 Bytes JMP 02D39B97
.text C:\Program Files\Advantage 10.10\Server\ADS.EXE[3920] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 02D39EAC
.text C:\Program Files\Advantage 10.10\Server\ADS.EXE[3920] WS2_32.dll!recv 71AB676F 5 Bytes JMP 02D39C78
.text C:\Program Files\Advantage 10.10\Server\ADS.EXE[3920] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 02D39D4B
.text C:\WINDOWS\system32\vsnapvss.exe[4004] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00AA9FFA
.text C:\WINDOWS\system32\vsnapvss.exe[4004] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00AA9B97
.text C:\WINDOWS\system32\vsnapvss.exe[4004] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00AA9EAC
.text C:\WINDOWS\system32\vsnapvss.exe[4004] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00AA9C78
.text C:\WINDOWS\system32\vsnapvss.exe[4004] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00AA9D4B
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtect.exe[4736] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01F19FFA
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtect.exe[4736] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01F19B97
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtect.exe[4736] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01F19EAC
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtect.exe[4736] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01F19C78
.text C:\Program Files\StorageCraft\ShadowProtect\ShadowProtect.exe[4736] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01F19D4B
.text C:\Documents and Settings\Carol\Desktop\HijackThis.exe[5968] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 03229FFA
.text C:\Documents and Settings\Carol\Desktop\HijackThis.exe[5968] WS2_32.dll!send 71AB4C27 5 Bytes JMP 03229B97
.text C:\Documents and Settings\Carol\Desktop\HijackThis.exe[5968] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 03229EAC
.text C:\Documents and Settings\Carol\Desktop\HijackThis.exe[5968] WS2_32.dll!recv 71AB676F 5 Bytes JMP 03229C78
.text C:\Documents and Settings\Carol\Desktop\HijackThis.exe[5968] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 03229D4B

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs stcvsm.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 stcvsm.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 stcvsm.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 eamon.sys (Amon monitor/ESET)

Device \Driver\iastor \Device\Ide\iaStor0 A@J@
Device \Driver\iastor \Device\Ide\IAAStorageDevice-0 A@J@
Device \Driver\iastor \Device\Ide\IAAStorageDevice-1 A@J@
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----



#2 HelpBot (Bleepin' Binary Bot, Bots)

Posted 19 September 2011 - 09:30 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/418742 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Elise (Bleepin' Blonde, Malware Study Hall Admin, Romania)

Posted 20 September 2011 - 04:13 AM

Hi, if you still need help, please post the requested logs.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#4 wab (Topic Starter, Members)

Posted 20 September 2011 - 02:16 PM

Hello. Thanks for the non-automated reply. I intend to post the logs as soon as I can get access to the PC from my client. Hopefully today or tomorrow.

Thanks again!

#5 Elise (Bleepin' Blonde, Malware Study Hall Admin, Romania)

Posted 20 September 2011 - 02:26 PM

Okay, I'll wait for the logs.

As for the automated reply, that actually helps us shorten the waiting time, so it is a good thing. :)

regards, Elise




#6 Elise (Bleepin' Blonde, Malware Study Hall Admin, Romania)

Posted 09 October 2011 - 03:49 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise

