
diffusely faulty system

  • This topic is locked
2 replies to this topic

#1 battlecommand


  • Members
  • 1 post

Posted 20 September 2011 - 05:12 PM


I am on WinXP SP3, build 2600.xpsp_sp3_gdr.101209-1647. I am in a private home, no kids, no unsupervised guests. I have been trying to keep track of what's going on on my computer since I first used an Amiga in 1989, PC since 2001. I consider myself pretty advanced in system knowledge, but I believe I need to learn a lot. And yes, I admit, sometimes I do dumb stuff, like the other day, when I wanted to create a WinXP USB boot disk and clicked before I read and thus corrupted my USB drivers. Luckily enough, I had made a full backup the other day and was able to revert everything _entirely_. (I do an offline backup frequently.)

But. I had occasional random bluescreens throughout the last months, system freezes, sudden application exits, desktop crashes... The usual stuff, I thought. Then I had time and wanted to fix some problems, and whilst focusing on them, I got deeper and deeper into a web of problems of users I read about, so that I thought: hey, wait a moment... I have that, too. And that. And that. Windows, some might say. But more and more, I was drawn closer to the problem of malware and rootkits. From which I felt safe. Hey man, I am double firewalled, behind a switch, a router and a modem firewall. I have a retail AV product (which really annoyed me the last few weeks since I believe somehow the programmers enhanced it so it hinders stuff in the system... wait a minute)... And today I read about Cubase32.sys, for which I found no reason to actually exist, but hey - it's there.

I had two or three issues of which I do not know when they started. 1) I can't do system restores anymore; the restore just fails. 2) The event manager crashes upon exit. 3) Something freezes my system out of the blue; it's not reproducible, but it doesn't happen when I don't touch the computer (RAM, BIOS and all hardware are fine; I am currently checking whether it is a USB problem).
I just ignored them. Until today. I admit, against any warning, I then ran combofix.exe, which found an infection (which I _sadly_ did not note) and produced this log. Currently, my system seems stable. But there are some items in the log that I have no idea about.

I'd be so thankful and willing to follow instructions if someone would please take the time to look into it...

ComboFix 11-09-20.04 - Administrator 20.09.2011 23:26:15.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1033.18.3327.2623 [GMT 2:00]
Running from:: c:\documents and settings\Administrator\Desktop\ComboFix.exe
(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
c:\documents and settings\Administrator\Application Data\ImgBurn.exe
c:\documents and settings\Administrator\Application Data\inst.exe
c:\documents and settings\Default User\Application Data\Desktopicon
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
((((((((((((((((((((((( Files Created from 2011-08-20 to 2011-09-20 ))))))))))))))))))))))))))))))
2011-09-06 16:58 . 2011-09-06 17:09 -------- d-----w- C:\FLX
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
(((((((((((((((((((((((((((( Registry Autostart Points ))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legitimate default entries are not shown.
"SetDefaultMIDI"="MIDIDef.exe" [2008-03-20 31232]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"CTHelper"="CTHELPER.EXE" [2008-03-20 23040]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-05 281768]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-07 1753192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"nltide_3"="advpack.dll" [2011-06-21 124928]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
MiniMinder.lnk - c:\program files\MiniMind\MiniMind.exe [2011-9-6 262144]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 01000000
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
"c:\\Program Files\\Ratajik Software\\StationRipper\\StationRipperConsole.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\S.T.A.L.K.E.R. - Call Of Pripyat\\bin\\xrEngine.exe"=
"c:\\Program Files\\S.T.A.L.K.E.R. - Call Of Pripyat\\bin\\dedicated\\xrEngine.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Professional\\wsftpgui.exe"=
"c:\\Program Files\\Atari\\Civilization III Complete\\Conquests\\Civ3Conquests.exe"=
"c:\\FL Studio 9\\FL3gb.exe"=
"c:\\Program Files\\TrillianAstra\\trillian.exe"=
"AllowRedirect"= 1 (0x1)
R0 iastor78;iastor78;c:\windows\system32\drivers\iastor78.sys [06.09.2011 06:06 308248]
R0 inic1620;inic1620;c:\windows\system32\drivers\inic1620.sys [06.09.2011 06:06 20096]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [06.09.2011 06:06 143360]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [06.09.2011 06:06 717296]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [06.09.2011 05:48 340136]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [06.09.2011 05:48 136360]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [06.09.2011 05:48 428200]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [06.09.2011 06:06 70704]
R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [06.09.2011 06:06 36224]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [06.09.2011 06:06 98328]
R3 CTEDSPIO.SYS;CTEDSPIO.SYS;c:\windows\system32\drivers\CTEDSPIO.sys [06.09.2011 06:06 134168]
R3 CTEDSPSY.SYS;CTEDSPSY.SYS;c:\windows\system32\drivers\CTEDSPSY.sys [06.09.2011 06:06 309784]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [06.09.2011 06:06 47360]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [06.09.2011 06:06 130384]
S2 Cubase32;Cubase32;c:\windows\system32\drivers\Cubase32.sys [06.09.2011 06:06 11808]
S3 CamdAudio;CamdAudio;c:\windows\system32\drivers\CamdAudio.sys [06.09.2011 06:06 23096]
S3 CamdVideo;CamdVideo;c:\windows\system32\drivers\CamdVideo.sys [06.09.2011 06:06 3768]
S3 catdrive;Catweasel Drive Driver;c:\windows\system32\drivers\catdri2k.sys [06.09.2011 06:06 6877]
S3 catjoyst;Catweasel joystick Driver;c:\windows\system32\drivers\catjoy2k.sys [06.09.2011 06:06 5040]
S3 catSID64;Catweasel SID Driver;c:\windows\system32\drivers\catSID2k.sys [06.09.2011 06:06 9247]
S3 catweasl;Catweasel Driver;c:\windows\system32\drivers\Catwea2k.sys [06.09.2011 06:06 88863]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [06.09.2011 06:06 98328]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [06.09.2011 06:06 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [06.09.2011 06:06 171032]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [06.09.2011 06:06 528920]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [06.09.2011 06:06 528920]
S3 CTEAPSFX.SYS;CTEAPSFX.SYS;c:\windows\system32\drivers\CTEAPSFX.sys [06.09.2011 06:06 163352]
S3 CTEAPSFX;CTEAPSFX;c:\windows\system32\drivers\CTEAPSFX.sys [06.09.2011 06:06 163352]
S3 CTEDSPFX.SYS;CTEDSPFX.SYS;c:\windows\system32\drivers\CTEDSPFX.sys [06.09.2011 06:06 259096]
S3 CTEDSPFX;CTEDSPFX;c:\windows\system32\drivers\CTEDSPFX.sys [06.09.2011 06:06 259096]
S3 CTEDSPIO;CTEDSPIO;c:\windows\system32\drivers\CTEDSPIO.sys [06.09.2011 06:06 134168]
S3 CTEDSPSY;CTEDSPSY;c:\windows\system32\drivers\CTEDSPSY.sys [06.09.2011 06:06 309784]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [06.09.2011 06:06 99352]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [06.09.2011 06:06 99352]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [06.09.2011 06:06 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [06.09.2011 06:06 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [06.09.2011 06:06 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [06.09.2011 06:06 72728]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [06.09.2011 06:06 534040]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [06.09.2011 06:06 534040]
S3 DualCoreCenter;DualCoreCenter;\??\c:\program files\MSI\DualCoreCenter\NTGLM7X.sys --> c:\program files\MSI\DualCoreCenter\NTGLM7X.sys [?]
S3 FWLANUSB;AVM FRITZ!WLAN;c:\windows\system32\drivers\fwlanusb.sys [06.09.2011 06:06 264704]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [06.09.2011 05:57 14424]
S3 RushTopDevice2;RushTopDevice2;\??\c:\program files\MSI\DualCoreCenter\RushTop.sys --> c:\program files\MSI\DualCoreCenter\RushTop.sys [?]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys --> c:\windows\system32\drivers\SynasUSB.sys [?]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [06.09.2011 06:06 23552]
S3 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [06.09.2011 05:50 563760]
S3 WDM_Capture_220A;DVB-T TV Receiver;c:\windows\system32\drivers\WDM_Capture_220A.sys [06.09.2011 06:06 18432]
S3 WDM_Loader_220A;DVB-T TV Loader;c:\windows\system32\drivers\WDM_Loader_220A.sys [06.09.2011 06:06 15488]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [06.09.2011 06:06 753504]
S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [06.09.2011 06:06 134912]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [06.09.2011 05:54 135664]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - HELPSVC
*Deregistered* - ArcRec
------- Supplementary Scan -------
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
LSP: c:\windows\system32\RSLSP.dll
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
TCP: DhcpNameServer =
------- File Associations -------
- - - - Removed Orphaned Registry Entries - - - -
AddRemove-Big_Tick_Angelina_1.3 - c:\windows\iun6002.exe
AddRemove-MadTracker 2 - c:\windows\MTUn9235.exe
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-20 23:31
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Intel___ rev.1.0. -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 1953535998 (+255): user != kernel
--------------------- Locked Registry Keys ---------------------
--------------------- DLLs Loaded By Running Processes ---------------------
- - - - - - - > 'lsass.exe'(856)
c:\program files\Avira\AntiVir Desktop\avsda.dll
- - - - - - - > 'explorer.exe'(1876)
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\program files\Windows Media Player\wmpband.dll
------------------------ Other Running Processes ------------------------
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Creative Professional\E-MU PatchMix DSP\EmuPMixDSP.exe
Completion time: 2011-09-20 23:33:41 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-20 21:33
Pre-Run: 894,816,206,848 bytes free
Post-Run: 21 directories, 894,689,480,704 bytes free
[boot loader]
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 61EEA61FA467EE7646642BBCABFB2D05


Edit: Moved topic from XP to the more appropriate forum. ~ Animal
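The most security-relevant lines in the log above are the Gmer ones: the MBR detector reads sector 0 twice, once through the normal user-mode path and once through a lower-level kernel path, and reports "user != kernel MBR !!!" when the two copies differ, then repeats the comparison for a run of sectors near the end of the disk ("sectors 1953535998 (+255)"). A mismatch means something in the storage stack is filtering one of the two views. Bootkits do exactly that to hide a patched MBR, but drivers that legitimately hook the disk stack can produce the same result, which is one reason helpers ask for CD emulation to be disabled before rootkit scans. The following is an added example, not Gmer's code or anything from the original post: it assembles two constructed 512-byte MBR images (same partition table, different bootstrap code), parses the fields a triage looks at, and reports which region differs. `read_sector0` is a hypothetical helper for capturing the live sector (needs Administrator on Windows) and is not exercised here.

```python
"""
Compare two reads of a disk's MBR (sector 0) and report which region differs,
the same idea as the "user != kernel MBR" check in the Gmer output above.
Added example; not Gmer's code. The sample MBR images are constructed, not
captured from the poster's machine.
"""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440     # bootstrap code occupies offsets 0..439
DISK_SIG_OFF = 440     # 4-byte NT disk signature, then 2 reserved bytes
PTABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIG_OFF = 510     # 0x55 0xAA boot signature


def build_mbr(bootcode, disk_sig, partitions):
    """Assemble a 512-byte MBR. partitions: list of (status, type, lba_start, lba_size)."""
    body = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    body += struct.pack("<I", disk_sig) + b"\x00\x00"
    table = b"".join(
        bytes([status, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", start, size)
        for status, ptype, start, size in partitions
    ).ljust(64, b"\x00")
    return body + table + b"\x55\xaa"


def parse_mbr(sector):
    """Decode the fields a triage looks at: bootcode hash, disk signature, partitions."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PTABLE_OFF + 16 * i: PTABLE_OFF + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:                       # empty slot
            continue
        start, size = struct.unpack_from("<II", entry, 8)
        partitions.append({"index": i, "bootable": entry[0] == 0x80,
                           "type": ptype, "lba_start": start, "sectors": size})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "valid_signature": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
    }


def compare_mbr(user_view, kernel_view):
    """Diff two reads of sector 0 and say whether code, table, or both changed."""
    u, k = parse_mbr(user_view), parse_mbr(kernel_view)
    return {
        "identical": user_view == kernel_view,
        "bootcode_differs": u["bootcode_sha256"] != k["bootcode_sha256"],
        "ptable_differs": user_view[PTABLE_OFF:BOOT_SIG_OFF] != kernel_view[PTABLE_OFF:BOOT_SIG_OFF],
        "differing_offsets": [i for i in range(SECTOR) if user_view[i] != kernel_view[i]],
    }


def read_sector0(device=r"\\.\PhysicalDrive0"):
    """Hypothetical helper: read the live MBR. Needs Administrator on Windows;
    use /dev/sda on Linux. Compare against a read taken from a clean boot medium."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR)


# Constructed sample: one bootable NTFS partition starting at LBA 63, as an
# XP-era disk would typically be laid out. Bootcode is the usual MBR prologue.
CLEAN_MBR = build_mbr(
    b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb",   # xor ax,ax / mov ss,ax / mov sp,7c00 / sti
    0x1A2B3C4D,
    [(0x80, 0x07, 63, 1953520002)],
)
# Constructed "other view": same partition table and disk signature, but the
# bootstrap area replaced by a short jump and filler (not real bootkit code).
TAMPERED_MBR = build_mbr(
    b"\xeb\x20\x90\x00" + b"\xcc" * 32,
    0x1A2B3C4D,
    [(0x80, 0x07, 63, 1953520002)],
)

if __name__ == "__main__":
    result = compare_mbr(CLEAN_MBR, TAMPERED_MBR)
    print("identical:", result["identical"])
    print("bootcode differs:", result["bootcode_differs"])
    print("partition table differs:", result["ptable_differs"])
    print("first differing offsets:", result["differing_offsets"][:8])
    for p in parse_mbr(CLEAN_MBR)["partitions"]:
        print(p)
```

A bootcode-only difference with an intact partition table is the pattern a patched-MBR bootkit leaves, since the loader must still find the real partition to boot Windows. A mismatch that disappears once filter drivers such as the R0 `sptd.sys` entry in the log are disabled points at the driver rather than at malware; the two captures should be taken from a clean boot medium and from the running system, never both from the running system.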



#2 HelpBot


    Bleepin' Binary Bot

  • Bots
  • 12,740 posts
  • Gender:Male

Posted 25 September 2011 - 05:15 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:


Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/419783 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.


Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.


We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!
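The reply above asks for CD emulation to be disabled before the GMER run, and the ComboFix log in the first post shows why that matters: the driver/service block lists `sptd.sys` as a boot-start (R0) driver, and it also contains entries whose image file could not be found (`[?]`) and the same image registered under two service names. The following is an added example, not ComboFix's or GMER's code: it parses lines in ComboFix's `<state><start> name;display;path [date time size]` format into a triage worklist. The sample lines are copied from the log in the first post; the `NOISY_DRIVERS` table and the "terse autostart driver" heuristic are my own assumptions, and a driver landing on any of these lists is a prioritisation hint, not a verdict.

```python
"""
Triage the driver/service block of a ComboFix log. Added example, not
ComboFix's own code. Sample lines below are copied from the log above.
"""
import re

# R/S = running/stopped; digit = Windows service Start value.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s+\[(?P<meta>[^\]]*)\]$"
)
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

# Assumption: hand-maintained list of drivers that legitimately hook the
# storage stack and are known to confuse rootkit scanners.
NOISY_DRIVERS = {"sptd.sys": "SCSI pass-through driver used by CD/DVD emulation"}


def parse_service_line(line):
    """Return a dict for one ComboFix service line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if "-->" in path:                      # ComboFix prints 'image --> resolved path'
        path = path.split("-->")[-1].strip()
    meta = m.group("meta").strip()         # 'dd.mm.yyyy hh:mm size' or '?' (file not found)
    return {
        "name": m.group("name"),
        "display": m.group("display"),
        "running": m.group("state") == "R",
        "start": START_TYPES.get(m.group("start"), m.group("start")),
        "path": path,
        "basename": path.rsplit("\\", 1)[-1].lower(),
        "file_found": meta != "?",
        "size": int(meta.split()[-1]) if meta != "?" else None,
    }


def triage(lines):
    """Group parsed entries into the lists a helper would look at first."""
    rows = [r for r in map(parse_service_line, lines) if r]
    by_image = {}
    for r in rows:
        by_image.setdefault(r["path"].lower(), []).append(r["name"])
    return {
        # boot-start drivers load before any AV and are the bootkit-adjacent tier
        "boot_start": [r["name"] for r in rows if r["start"] == "boot"],
        # registered service whose image is gone: leftover or removed component
        "missing_file": [r["name"] for r in rows if not r["file_found"]],
        # heuristic: early-start .sys with no descriptive display name (assumption)
        "terse_autostart_drivers": [
            r["name"] for r in rows
            if r["display"] in ("", r["name"]) and r["basename"].endswith(".sys")
            and r["start"] in ("boot", "system", "auto")
        ],
        "noisy": {r["name"]: NOISY_DRIVERS[r["basename"]]
                  for r in rows if r["basename"] in NOISY_DRIVERS},
        "duplicate_images": {p: n for p, n in by_image.items() if len(n) > 1},
    }


# Lines copied from the ComboFix log in the first post.
SAMPLE_LOG = r"""
R0 iastor78;iastor78;c:\windows\system32\drivers\iastor78.sys [06.09.2011 06:06 308248]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [06.09.2011 06:06 717296]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [06.09.2011 05:48 340136]
S2 Cubase32;Cubase32;c:\windows\system32\drivers\Cubase32.sys [06.09.2011 06:06 11808]
S3 CTEDSPIO.SYS;CTEDSPIO.SYS;c:\windows\system32\drivers\CTEDSPIO.sys [06.09.2011 06:06 134168]
S3 CTEDSPIO;CTEDSPIO;c:\windows\system32\drivers\CTEDSPIO.sys [06.09.2011 06:06 134168]
S3 DualCoreCenter;DualCoreCenter;\??\c:\program files\MSI\DualCoreCenter\NTGLM7X.sys --> c:\program files\MSI\DualCoreCenter\NTGLM7X.sys [?]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys --> c:\windows\system32\drivers\SynasUSB.sys [?]
""".strip().splitlines()

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {items}")
```

The useful next step for anything on the `boot_start` or `terse_autostart_drivers` lists is to hash the file from a clean boot medium and check the signature and vendor, rather than judging it by name; the `noisy` bucket is what to disable before a GMER run so its findings are not attributed to the wrong driver.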

#3 HelpBot


    Bleepin' Binary Bot

  • Bots
  • 12,740 posts
  • Gender:Male

Posted 29 September 2011 - 01:19 PM

You have stated that you no longer need help with this issue, therefore I am closing this topic. If that is not the case and you need or wish to continue with this topic, please send any Moderator a Personal Message (PM) that you would like this topic re-opened.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!
