Infected with: a variant of Win32/Olmasco.O trojan


  • This topic is locked
22 replies to this topic

#1 ECG

ECG

  • Members
  • 30 posts
  • OFFLINE
  • Local time:11:10 PM

Posted 10 October 2011 - 12:31 AM

I was using my PC and everything froze, then all of the icons on my desktop disappeared (became hidden) and all that was on the screen was my wallpaper. Suddenly I received like 15 pop-ups stating that "Windows -Delayed Write Failed" and that my PC's RAM was low and the system was not able to save any data. It also ran some scan detector showing all the problems with my PC. There was also something about HDD error that the scan detector mentioned.

I had no choice but to restart my PC. Once I restarted my PC my wallpaper disappeared (now I have a black screen) and all of my files/programs were nowhere to be found since the virus hid all of them and made all of them inaccessible.

I tried to reboot my PC again and in the process of starting up in Safe Mode all I kept getting was the Blue Screen of Death... (0x0000007B). I didn't install any hardware or software on my PC so I do not know why I received this BSOD code.

I do not want to reformat my PC as I have files that I hope to keep if I can somehow find a way to remove this virus. I managed to download a demo of ESET and it detected that I had this infiltration: Operating memory - a variant of Win32/Olmasco.O trojan - unable to clean

With this said.....

I have followed all of the instructions as laid out in the "Preparation Guide." All was fine until I got to step number 8 to create the GMER log.

Upon opening the gmer.exe file, I receive this message: LoadDriver( "C:\DOCUME~1\Promise\LOCALS~1\Temp\axtdypoc.sys" ) error:0xC000010E: Cannot create a stable subkey under a volatile parent key.

Once I press the "OK" button after the error message, the GMER program loads, BUT the only settings that are available for checking/un-checking are Services, Registry, and Files, along with the C:/ and D:/ drives, as well as ADS. All of the other settings from System to Libraries are greyed out; I am unable to check/un-check them.

After waiting for some time after running the gmer.exe program, no log appeared, only this pop-up message: GMER hasn't found any system modification. Hence, I do not have the ark.txt file.

So, with that said, I will only post the DDS AND ATTACH LOG FILES.

DDS.TXT

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_26
Run by Promise at 2:22:40 on 2011-10-10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.159 [GMT -2:00]
.
AV: ESET Smart Security 5.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
E:\ekrn.exe
E:\egui.exe
.
============== Pseudo HJT Report ===============
.
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [egui] "E:\egui.exe" /hide /waitservice
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=SUFaUDItUko3UFItN0dOTVUtQUJMRTYtVFBRQ0ktNg"&"inst=NzYtOTMxMDcyODQ4LVNUMTJGT0krMS1ERFQrMC1TVDEyQVBQKzE"&"prod=94"&"ver=2012.0.1809"&"mid=ee675fcad92447d1b960d15a4456c3f6-7a619d169bcc801eeca15d9f16d06667c9cabce1
uPolicies-explorer: NoDesktop = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1303802538656
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{F063A04D-877F-40EF-B91D-CE065ECE11DE} : DhcpNameServer = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\promise\application data\mozilla\firefox\profiles\5ouxkhrn.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-7-11 32464]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 229840]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2011-8-4 118104]
R2 ekrn;ESET Service;E:\ekrn.exe [2011-9-22 974944]
R3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2011-4-26 6609920]
S3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\qpggqi.sys --> c:\windows\system32\drivers\qpggqi.sys [?]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [2011-5-8 9728]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [2011-5-8 106752]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [2011-5-8 106752]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [2011-5-8 106752]
S4 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
S4 JoinMEPlayUI Assistant Service;JoinMEPlayUI Assistant Service;c:\program files\joinme drivers\JoinMEPlayAssistantServices.exe [2011-5-8 242176]
S4 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-11-11 268528]
.
=============== Created Last 30 ================
.
2011-10-10 03:08:52 -------- d-----w- c:\documents and settings\promise\local settings\application data\ESET
2011-10-10 03:08:52 -------- d-----w- c:\documents and settings\promise\application data\ESET
2011-10-09 23:47:54 514406 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-10-09 21:20:21 340992 ---ha-w- c:\documents and settings\all users\application data\6DSS92c31Apgjk.exe
2011-10-09 21:16:40 449536 ---ha-w- c:\documents and settings\all users\application data\YFQfMsobLp.exe
2011-09-30 13:45:30 2106216 ---ha-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-09-30 13:45:28 1998168 ---ha-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-09-29 01:55:34 73728 ---ha-w- c:\windows\system32\javacpl.cpl
2011-09-29 01:55:33 476904 ---ha-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-09-29 01:55:32 472808 ---ha-w- c:\windows\system32\deployJava1.dll
2011-09-25 18:15:11 -------- d--h--w- c:\documents and settings\promise\application data\Malwarebytes
2011-09-25 18:15:03 -------- d--h--w- c:\documents and settings\all users\application data\Malwarebytes
2011-09-25 18:14:59 22216 ---ha-w- c:\windows\system32\drivers\mbam.sys
2011-09-25 18:14:59 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
2011-09-25 17:06:47 -------- d--h--w- c:\program files\ESET
2011-09-25 03:44:42 -------- d--h--w- C:\$AVG
2011-09-25 03:29:11 -------- d--h--w- c:\windows\system32\drivers\AVG
2011-09-25 02:32:22 -------- d--h--w- c:\documents and settings\promise\application data\AVG2012
2011-09-25 02:30:18 -------- d--h--w- c:\documents and settings\all users\application data\AVG2012
2011-09-25 02:29:34 -------- d--h--w- c:\program files\AVG
2011-09-25 02:26:08 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-09-25 02:25:56 -------- d--h--w- c:\documents and settings\all users\application data\MFAData
2011-09-12 05:51:32 -------- d--h--w- c:\documents and settings\promise\application data\streamripper
2011-09-12 05:50:06 -------- d--h--w- c:\program files\Streamripper
2011-09-12 05:46:47 -------- d--h--w- c:\documents and settings\promise\local settings\application data\Adobe
.
==================== Find3M ====================
.
2011-09-26 21:01:27 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-09 16:24:52 154136 ----a-w- c:\windows\system32\drivers\eamon.sys
2011-08-09 11:37:28 39824 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2011-08-04 11:20:38 61936 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2011-08-04 11:20:38 147480 ----a-w- c:\windows\system32\drivers\epfw.sys
2011-08-04 11:20:36 118104 ----a-w- c:\windows\system32\drivers\ehdrv.sys
.
============= FINISH: 2:29:06.25 ===============

Edited by ECG, 10 October 2011 - 12:40 AM.


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:10 AM

Posted 14 October 2011 - 03:31 PM

Hello and welcome to BleepingComputer! :)



I am Blind Faith and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are designed to identify the possible threats present on your system, so I will analyze the results they produce.


As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed, so we need to get a clear look at that step. DO NOT make any changes to the system except the ones I tell you to, as that may produce more damage than helping us.

If you encounter a delay of over 2 days from me, please don't hesitate to private message me.
Do not forget to check your topic periodically and subscribe to the topic so that you can receive notifications regarding my replies.



Please generate another DDS log (download it from here if you haven't already) and post it in your next reply along with other changes that may have occurred since you last posted.
Also download and run GMER from this link: GMER download link.



Thank you very much for your patience.




Regards,

Elle
Can you hear it? It's all around!

Do you remember?
If you do, then
can you forgive?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 ECG

ECG
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:11:10 PM

Posted 14 October 2011 - 10:23 PM

Hi Elle,

I am happy to hear from you. :) Below is the DDS log and GMER log. I would like you to know that upon opening the GMER.exe program, I received this error message:

LoadDriver( "C:\DOCUME~1\Promise\LOCALS~1\Temp\axtdypoc.sys" ) error:0xC000010E: Cannot create a stable subkey under a volatile parent key.


Once I press the "OK" button after the error message, the GMER program loads, BUT the only settings that are available for checking/un-checking are Services, Registry, and Files, along with the C:/ and D:/ drives, as well as ADS. All of the other settings from System to Libraries are greyed out; I am unable to check/un-check them.

DDS LOG:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_26
Run by Promise at 22:50:46 on 2011-10-14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.418 [GMT -2:00]
.
AV: ESET Smart Security 5.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
.
============== Pseudo HJT Report ===============
.
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=SUFaUDItUko3UFItN0dOTVUtQUJMRTYtVFBRQ0ktNg"&"inst=NzYtOTMxMDcyODQ4LVNUMTJGT0krMS1ERFQrMC1TVDEyQVBQKzE"&"prod=94"&"ver=2012.0.1809"&"mid=ee675fcad92447d1b960d15a4456c3f6-7a619d169bcc801eeca15d9f16d06667c9cabce1
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1303802538656
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F063A04D-877F-40EF-B91D-CE065ECE11DE} : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\promise\application data\mozilla\firefox\profiles\5ouxkhrn.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-7-11 32464]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 229840]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2011-8-4 118104]
R3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2011-4-26 6609920]
S1 7612002drv;7612002drv;c:\windows\system32\drivers\7612002drv.sys [2011-10-10 475736]
S3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\qpggqi.sys --> c:\windows\system32\drivers\qpggqi.sys [?]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [2011-5-8 9728]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [2011-5-8 106752]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [2011-5-8 106752]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [2011-5-8 106752]
S4 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
S4 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-9-22 974944]
S4 JoinMEPlayUI Assistant Service;JoinMEPlayUI Assistant Service;c:\program files\joinme drivers\JoinMEPlayAssistantServices.exe [2011-5-8 242176]
S4 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-11-11 268528]
.
=============== Created Last 30 ================
.
2011-10-11 23:52:16 -------- d-----w- c:\program files\ESET
2011-10-11 23:41:12 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-11 22:43:58 -------- d--h--w- C:\kleaner.tmp
2011-10-10 20:34:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-10 20:27:00 475736 ----a-w- c:\windows\system32\drivers\7612002drv.sys
2011-10-10 03:08:52 -------- d-----w- c:\documents and settings\promise\local settings\application data\ESET
2011-10-10 03:08:52 -------- d-----w- c:\documents and settings\promise\application data\ESET
2011-10-09 23:47:54 514406 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-09-30 13:45:30 2106216 ---ha-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-09-30 13:45:28 1998168 ---ha-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-09-29 01:55:34 73728 ---ha-w- c:\windows\system32\javacpl.cpl
2011-09-29 01:55:33 476904 ---ha-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-09-29 01:55:32 472808 ---ha-w- c:\windows\system32\deployJava1.dll
2011-09-25 18:15:11 -------- d--h--w- c:\documents and settings\promise\application data\Malwarebytes
2011-09-25 18:15:03 -------- d--h--w- c:\documents and settings\all users\application data\Malwarebytes
2011-09-25 03:44:42 -------- d--h--w- C:\$AVG
2011-09-25 03:29:11 -------- d--h--w- c:\windows\system32\drivers\AVG
2011-09-25 02:32:22 -------- d--h--w- c:\documents and settings\promise\application data\AVG2012
2011-09-25 02:30:18 -------- d--h--w- c:\documents and settings\all users\application data\AVG2012
2011-09-25 02:29:34 -------- d--h--w- c:\program files\AVG
2011-09-25 02:26:08 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-09-25 02:25:56 -------- d--h--w- c:\documents and settings\all users\application data\MFAData
.
==================== Find3M ====================
.
2011-09-26 21:01:27 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-09 16:24:52 154136 ----a-w- c:\windows\system32\drivers\eamon.sys
2011-08-09 11:37:28 39824 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2011-08-04 11:20:38 61936 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2011-08-04 11:20:38 147480 ----a-w- c:\windows\system32\drivers\epfw.sys
2011-08-04 11:20:36 118104 ----a-w- c:\windows\system32\drivers\ehdrv.sys
.
============= FINISH: 22:57:15.93 ===============


GMER LOG:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-14 23:17:57
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Promise\LOCALS~1\Temp\axtdypoc.sys


---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Promise\Cookies\promise@spotxchange[1].txt 1462 bytes
File C:\Documents and Settings\Promise\Local Settings\Temporary Internet Files\Content.IE5\BLLNYEIT\aceUACping[4].htm 0 bytes
File C:\Documents and Settings\Promise\Local Settings\Temporary Internet Files\Content.IE5\CDA309U3\wbk25B.tmp 0 bytes
File C:\Documents and Settings\Promise\Local Settings\Temporary Internet Files\Content.IE5\CDA309U3\wbk25D.tmp 0 bytes
File C:\Documents and Settings\Promise\Local Settings\Temporary Internet Files\Content.IE5\CDA309U3\wbk25F.tmp 0 bytes
File C:\Documents and Settings\Promise\Local Settings\Temporary Internet Files\Content.IE5\CDA309U3\dot[2].gif 0 bytes
File C:\Documents and Settings\Promise\Local Settings\Temporary Internet Files\Content.IE5\CDA309U3\CA6JWDUJ 0 bytes
File C:\Documents and Settings\Promise\UserData\QPWKXM9R\meebo[18].xml 0 bytes

---- EOF - GMER 1.0.15 ----

#4 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:10 AM

Posted 16 October 2011 - 07:09 AM

Hi there :) ,




I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove AVG 2012 as it seems like the uninstallation process wasn't completed.

Please refer to this link in order to get rid of it easily: AVG remover


==========================================================================================================================
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.



Elle

#5 ECG

ECG
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:11:10 PM

Posted 17 October 2011 - 01:48 AM

Hi Elle,

Here is the TDSS KILLER LOG:



04:46:13.0453 3612 TDSS rootkit removing tool 2.6.9.0 Oct 14 2011 11:33:24
04:46:14.0312 3612 ============================================================
04:46:14.0312 3612 Current date / time: 2011/10/17 04:46:14.0312
04:46:14.0312 3612 SystemInfo:
04:46:14.0312 3612
04:46:14.0312 3612 OS Version: 5.1.2600 ServicePack: 3.0
04:46:14.0312 3612 Product type: Workstation
04:46:14.0312 3612 ComputerName: SHMMN
04:46:14.0312 3612 UserName: Promise
04:46:14.0312 3612 Windows directory: C:\WINDOWS
04:46:14.0312 3612 System windows directory: C:\WINDOWS
04:46:14.0312 3612 Processor architecture: Intel x86
04:46:14.0312 3612 Number of processors: 2
04:46:14.0312 3612 Page size: 0x1000
04:46:14.0312 3612 Boot type: Normal boot
04:46:14.0312 3612 ============================================================
04:46:16.0328 3612 Initialize success
04:46:25.0656 0548 ============================================================
04:46:25.0656 0548 Scan started
04:46:25.0656 0548 Mode: Manual; SigCheck; TDLFS;
04:46:25.0656 0548 ============================================================
04:46:26.0906 0548 13779351 (186b54479d98e48aee0e9ada4b3c4d31) C:\WINDOWS\system32\DRIVERS\13779351.sys
04:46:27.0156 0548 13779351 - ok
04:46:27.0437 0548 Abiosdsk - ok
04:46:27.0703 0548 abp480n5 - ok
04:46:28.0125 0548 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
04:46:28.0296 0548 ACPI - ok
04:46:28.0640 0548 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
04:46:28.0750 0548 ACPIEC - ok
04:46:29.0031 0548 adpu160m - ok
04:46:29.0421 0548 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
04:46:29.0625 0548 aec - ok
04:46:29.0984 0548 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
04:46:30.0015 0548 AFD - ok
04:46:30.0328 0548 Aha154x - ok
04:46:30.0609 0548 aic78u2 - ok
04:46:30.0890 0548 aic78xx - ok
04:46:31.0171 0548 AliIde - ok
04:46:31.0453 0548 amsint - ok
04:46:31.0750 0548 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
04:46:31.0906 0548 Arp1394 - ok
04:46:32.0187 0548 asc - ok
04:46:32.0468 0548 asc3350p - ok
04:46:32.0734 0548 asc3550 - ok
04:46:33.0046 0548 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
04:46:33.0156 0548 AsyncMac - ok
04:46:33.0531 0548 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
04:46:33.0703 0548 atapi - ok
04:46:33.0984 0548 Atdisk - ok
04:46:35.0171 0548 ati2mtag (2573c08729dd52b7b4f18df1592e0b37) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
04:46:35.0875 0548 ati2mtag - ok
04:46:36.0218 0548 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
04:46:36.0328 0548 Atmarpc - ok
04:46:36.0640 0548 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
04:46:36.0765 0548 audstub - ok
04:46:37.0078 0548 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
04:46:37.0234 0548 Beep - ok
04:46:37.0546 0548 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
04:46:37.0656 0548 cbidf2k - ok
04:46:37.0968 0548 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
04:46:38.0078 0548 CCDECODE - ok
04:46:38.0359 0548 cd20xrnt - ok
04:46:38.0718 0548 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
04:46:38.0906 0548 Cdaudio - ok
04:46:39.0234 0548 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
04:46:39.0343 0548 Cdfs - ok
04:46:39.0703 0548 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
04:46:39.0718 0548 Cdrom - ok
04:46:40.0000 0548 Changer - ok
04:46:40.0328 0548 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
04:46:40.0515 0548 CmBatt - ok
04:46:40.0781 0548 CmdIde - ok
04:46:41.0062 0548 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
04:46:41.0265 0548 Compbatt - ok
04:46:41.0640 0548 Cpqarray - ok
04:46:42.0015 0548 dac2w2k - ok
04:46:42.0453 0548 dac960nt - ok
04:46:42.0843 0548 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
04:46:43.0031 0548 Disk - ok
04:46:43.0906 0548 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
04:46:44.0343 0548 dmboot - ok
04:46:44.0796 0548 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
04:46:44.0906 0548 dmio - ok
04:46:45.0281 0548 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
04:46:45.0390 0548 dmload - ok
04:46:45.0718 0548 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
04:46:45.0828 0548 DMusic - ok
04:46:46.0109 0548 dpti2o - ok
04:46:46.0406 0548 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
04:46:46.0515 0548 drmkaud - ok
04:46:46.0890 0548 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
04:46:47.0000 0548 Fastfat - ok
04:46:47.0328 0548 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
04:46:47.0437 0548 Fdc - ok
04:46:47.0796 0548 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
04:46:47.0890 0548 Fips - ok
04:46:48.0312 0548 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
04:46:48.0546 0548 Flpydisk - ok
04:46:48.0937 0548 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
04:46:49.0062 0548 FltMgr - ok
04:46:49.0359 0548 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
04:46:49.0468 0548 Fs_Rec - ok
04:46:49.0828 0548 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
04:46:49.0953 0548 Ftdisk - ok
04:46:50.0281 0548 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
04:46:50.0406 0548 Gpc - ok
04:46:50.0765 0548 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
04:46:50.0875 0548 HDAudBus - ok
04:46:51.0203 0548 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
04:46:51.0312 0548 HidUsb - ok
04:46:51.0609 0548 hpn - ok
04:46:52.0062 0548 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
04:46:52.0093 0548 HTTP - ok
04:46:52.0359 0548 i2omgmt - ok
04:46:52.0640 0548 i2omp - ok
04:46:52.0984 0548 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
04:46:53.0156 0548 i8042prt - ok
04:46:53.0515 0548 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
04:46:53.0625 0548 Imapi - ok
04:46:53.0921 0548 ini910u - ok
04:46:54.0203 0548 IntelIde - ok
04:46:54.0515 0548 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
04:46:54.0625 0548 intelppm - ok
04:46:54.0937 0548 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
04:46:55.0046 0548 Ip6Fw - ok
04:46:55.0359 0548 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
04:46:55.0484 0548 IpFilterDriver - ok
04:46:55.0796 0548 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
04:46:55.0906 0548 IpInIp - ok
04:46:56.0328 0548 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
04:46:56.0531 0548 IpNat - ok
04:46:56.0875 0548 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
04:46:56.0984 0548 IPSec - ok
04:46:57.0296 0548 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
04:46:57.0406 0548 IRENUM - ok
04:46:57.0765 0548 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
04:46:57.0953 0548 isapnp - ok
04:46:58.0343 0548 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
04:46:58.0484 0548 Kbdclass - ok
04:46:58.0906 0548 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
04:46:59.0093 0548 kmixer - ok
04:46:59.0453 0548 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
04:46:59.0500 0548 KSecDD - ok
04:46:59.0781 0548 lbrtfdc - ok
04:47:00.0125 0548 massfilter_hs (38bfa8fa6d838cbab58a1c2b49ebf96b) C:\WINDOWS\system32\drivers\massfilter_hs.sys
04:47:00.0140 0548 massfilter_hs - ok
04:47:00.0453 0548 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
04:47:00.0593 0548 mnmdd - ok
04:47:00.0921 0548 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
04:47:01.0031 0548 Modem - ok
04:47:01.0343 0548 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
04:47:01.0484 0548 Mouclass - ok
04:47:01.0796 0548 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
04:47:01.0906 0548 mouhid - ok
04:47:02.0265 0548 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
04:47:02.0359 0548 MountMgr - ok
04:47:02.0687 0548 mraid35x - ok
04:47:03.0156 0548 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
04:47:03.0328 0548 MRxDAV - ok
04:47:03.0859 0548 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
04:47:04.0046 0548 MRxSmb - ok
04:47:04.0390 0548 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
04:47:04.0562 0548 Msfs - ok
04:47:04.0906 0548 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
04:47:05.0015 0548 MSKSSRV - ok
04:47:05.0328 0548 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
04:47:05.0500 0548 MSPCLOCK - ok
04:47:05.0812 0548 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
04:47:05.0906 0548 MSPQM - ok
04:47:06.0218 0548 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
04:47:06.0390 0548 mssmbios - ok
04:47:06.0687 0548 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
04:47:06.0796 0548 MSTEE - ok
04:47:07.0140 0548 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
04:47:07.0250 0548 Mup - ok
04:47:07.0609 0548 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
04:47:07.0781 0548 NABTSFEC - ok
04:47:08.0250 0548 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
04:47:08.0359 0548 NDIS - ok
04:47:08.0656 0548 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
04:47:08.0765 0548 NdisIP - ok
04:47:09.0140 0548 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
04:47:09.0234 0548 NdisTapi - ok
04:47:09.0546 0548 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
04:47:09.0656 0548 Ndisuio - ok
04:47:10.0015 0548 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
04:47:10.0125 0548 NdisWan - ok
04:47:10.0484 0548 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
04:47:10.0500 0548 NDProxy - ok
04:47:10.0859 0548 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
04:47:10.0968 0548 NetBIOS - ok
04:47:11.0359 0548 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
04:47:11.0468 0548 NetBT - ok
04:47:15.0312 0548 NETwLx32 (72062b53186e4a3f5fcbc41ebb62b905) C:\WINDOWS\system32\DRIVERS\NETwLx32.sys
04:47:18.0609 0548 NETwLx32 - ok
04:47:19.0000 0548 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
04:47:19.0140 0548 NIC1394 - ok
04:47:19.0453 0548 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
04:47:19.0609 0548 Npfs - ok
04:47:20.0187 0548 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
04:47:20.0421 0548 Ntfs - ok
04:47:20.0750 0548 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
04:47:20.0859 0548 Null - ok
04:47:21.0171 0548 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
04:47:21.0359 0548 NwlnkFlt - ok
04:47:21.0656 0548 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
04:47:21.0781 0548 NwlnkFwd - ok
04:47:22.0109 0548 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
04:47:22.0296 0548 ohci1394 - ok
04:47:22.0656 0548 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
04:47:22.0750 0548 Parport - ok
04:47:23.0140 0548 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
04:47:23.0328 0548 PartMgr - ok
04:47:23.0640 0548 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
04:47:23.0750 0548 ParVdm - ok
04:47:24.0109 0548 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
04:47:24.0250 0548 PCI - ok
04:47:24.0562 0548 PCIDump - ok
04:47:24.0953 0548 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
04:47:25.0125 0548 PCIIde - ok
04:47:25.0578 0548 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
04:47:25.0687 0548 Pcmcia - ok
04:47:26.0015 0548 PDCOMP - ok
04:47:26.0296 0548 PDFRAME - ok
04:47:26.0562 0548 PDRELI - ok
04:47:26.0843 0548 PDRFRAME - ok
04:47:27.0125 0548 perc2 - ok
04:47:27.0406 0548 perc2hib - ok
04:47:27.0781 0548 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
04:47:27.0953 0548 PptpMiniport - ok
04:47:28.0359 0548 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
04:47:28.0453 0548 PSched - ok
04:47:28.0765 0548 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
04:47:28.0921 0548 Ptilink - ok
04:47:29.0296 0548 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
04:47:29.0328 0548 PxHelp20 - ok
04:47:29.0671 0548 ql1080 - ok
04:47:29.0953 0548 Ql10wnt - ok
04:47:30.0234 0548 ql12160 - ok
04:47:30.0531 0548 ql1240 - ok
04:47:30.0812 0548 ql1280 - ok
04:47:31.0140 0548 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
04:47:31.0250 0548 RasAcd - ok
04:47:31.0593 0548 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
04:47:31.0687 0548 Rasl2tp - ok
04:47:32.0109 0548 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
04:47:32.0265 0548 RasPppoe - ok
04:47:32.0609 0548 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
04:47:32.0765 0548 Raspti - ok
04:47:33.0218 0548 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
04:47:33.0328 0548 Rdbss - ok
04:47:33.0656 0548 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
04:47:33.0843 0548 RDPCDD - ok
04:47:34.0234 0548 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
04:47:34.0343 0548 RDPWD - ok
04:47:34.0796 0548 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
04:47:34.0968 0548 redbook - ok
04:47:35.0406 0548 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
04:47:35.0515 0548 sdbus - ok
04:47:35.0843 0548 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
04:47:36.0015 0548 Secdrv - ok
04:47:36.0359 0548 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
04:47:36.0468 0548 Serial - ok
04:47:36.0781 0548 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
04:47:36.0921 0548 sffdisk - ok
04:47:37.0218 0548 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
04:47:37.0328 0548 sffp_sd - ok
04:47:37.0640 0548 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
04:47:37.0734 0548 Sfloppy - ok
04:47:38.0015 0548 Simbad - ok
04:47:38.0328 0548 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
04:47:38.0500 0548 SLIP - ok
04:47:38.0781 0548 Sparrow - ok
04:47:39.0078 0548 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
04:47:39.0250 0548 splitter - ok
04:47:39.0593 0548 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
04:47:39.0703 0548 sr - ok
04:47:40.0218 0548 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
04:47:40.0375 0548 Srv - ok
04:47:41.0578 0548 STHDA (951801dfb54d86f611f0af47825476f9) C:\WINDOWS\system32\drivers\sthda.sys
04:47:42.0156 0548 STHDA - ok
04:47:42.0562 0548 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
04:47:42.0656 0548 streamip - ok
04:47:42.0953 0548 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
04:47:43.0140 0548 swenum - ok
04:47:43.0484 0548 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
04:47:43.0593 0548 swmidi - ok
04:47:43.0890 0548 symc810 - ok
04:47:44.0187 0548 symc8xx - ok
04:47:44.0484 0548 sym_hi - ok
04:47:44.0781 0548 sym_u3 - ok
04:47:45.0187 0548 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
04:47:45.0281 0548 sysaudio - ok
04:47:45.0796 0548 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
04:47:45.0953 0548 Tcpip - ok
04:47:46.0265 0548 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
04:47:46.0375 0548 TDPIPE - ok
04:47:46.0671 0548 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
04:47:46.0781 0548 TDTCP - ok
04:47:47.0093 0548 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
04:47:47.0234 0548 TermDD - ok
04:47:47.0531 0548 TosIde - ok
04:47:47.0890 0548 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
04:47:48.0062 0548 Udfs - ok
04:47:48.0343 0548 ultra - ok
04:47:48.0843 0548 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
04:47:49.0078 0548 Update - ok
04:47:49.0453 0548 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
04:47:49.0609 0548 usbaudio - ok
04:47:49.0921 0548 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
04:47:50.0015 0548 usbccgp - ok
04:47:50.0375 0548 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
04:47:50.0546 0548 usbehci - ok
04:47:50.0875 0548 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
04:47:50.0984 0548 usbhub - ok
04:47:51.0312 0548 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
04:47:51.0484 0548 usbscan - ok
04:47:51.0812 0548 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
04:47:51.0921 0548 USBSTOR - ok
04:47:52.0234 0548 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
04:47:52.0375 0548 usbuhci - ok
04:47:52.0765 0548 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
04:47:52.0937 0548 usbvideo - ok
04:47:53.0312 0548 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
04:47:53.0421 0548 VgaSave - ok
04:47:53.0765 0548 ViaIde - ok
04:47:54.0093 0548 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
04:47:54.0234 0548 VolSnap - ok
04:47:54.0593 0548 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
04:47:54.0765 0548 Wanarp - ok
04:47:55.0312 0548 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
04:47:55.0484 0548 Wdf01000 - ok
04:47:55.0781 0548 WDICA - ok
04:47:56.0140 0548 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
04:47:56.0250 0548 wdmaud - ok
04:47:56.0593 0548 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
04:47:56.0625 0548 WinUSB - ok
04:47:56.0953 0548 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
04:47:57.0125 0548 WmiAcpi - ok
04:47:57.0437 0548 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
04:47:57.0546 0548 WSTCODEC - ok
04:47:57.0921 0548 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
04:47:57.0937 0548 WudfPf - ok
04:47:58.0296 0548 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
04:47:58.0312 0548 WudfRd - ok
04:47:58.0687 0548 zgwhsdiag (ff737af88f2198dc63a3bedf21f3c657) C:\WINDOWS\system32\DRIVERS\zgwhsdiag.sys
04:47:58.0703 0548 zgwhsdiag - ok
04:47:59.0093 0548 zgwhsmdm (ff737af88f2198dc63a3bedf21f3c657) C:\WINDOWS\system32\DRIVERS\zgwhsmdm.sys
04:47:59.0125 0548 zgwhsmdm - ok
04:47:59.0453 0548 zgwhsnmea (ff737af88f2198dc63a3bedf21f3c657) C:\WINDOWS\system32\DRIVERS\zgwhsnmea.sys
04:47:59.0468 0548 zgwhsnmea - ok
04:47:59.0828 0548 zumbus (337b9607f041b77824411750069aff2d) C:\WINDOWS\system32\DRIVERS\zumbus.sys
04:47:59.0843 0548 zumbus - ok
04:47:59.0890 0548 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
04:48:00.0406 0548 \Device\Harddisk0\DR0 - ok
04:48:00.0421 0548 Boot (0x1200) (5c0fbbcda374c372a5dc0d6d4cd48eb3) \Device\Harddisk0\DR0\Partition0
04:48:00.0421 0548 \Device\Harddisk0\DR0\Partition0 - ok
04:48:00.0437 0548 Boot (0x1200) (f89afb3b9c2c0548d3a6c790e12df047) \Device\Harddisk0\DR0\Partition1
04:48:00.0437 0548 \Device\Harddisk0\DR0\Partition1 - ok
04:48:00.0437 0548 ============================================================
04:48:00.0437 0548 Scan finished
04:48:00.0437 0548 ============================================================
04:48:00.0546 2188 Detected object count: 0
04:48:00.0546 2188 Actual detected object count: 0

#6 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:10 AM

Posted 17 October 2011 - 12:27 PM

Hi there,
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.
Elle
Can you hear it? It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?
If I haven't replied in 48 hours, please feel free to send me a PM.

#7 ECG

ECG
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:11:10 PM

Posted 17 October 2011 - 04:24 PM

Hi Elle,

Here is the Combofix LOG:

ComboFix 11-10-17.02 - Promise 10/17/2011 16:41:10.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.360 [GMT -2:00]
Running from: c:\documents and settings\Promise\Desktop\ComboFix.exe
AV: ESET Smart Security 5.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\Promise\LOCALS~1\Temp\3139880\7612002.exe
c:\docume~1\Promise\LOCALS~1\Temp\3139880\advdis.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\avlib.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\avpgs.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\avpgui.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\avs.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\avspm.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\avzkrnl.dll
c:\docume~1\Promise\LOCALS~1\Temp\3139880\avzscan.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\base64.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\base64p.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\basegui.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\bases\avengine.dll
c:\docume~1\Promise\LOCALS~1\Temp\3139880\bases\avpcure.kdl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\bases\kavbase.kdl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\bases\kavsys.kdl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\bases\kjim.kdl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\bases\klavemu.kdl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\bases\mark.kdl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\bases\pbs.kdl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\bases\qscan.kdl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\bl.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\btdisk.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\btimages.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\buffer.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\clldr.dll
c:\docume~1\Promise\LOCALS~1\Temp\3139880\crpthlpr.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\dbghelp.dll
c:\docume~1\Promise\LOCALS~1\Temp\3139880\deflate.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\diffs.dll
c:\docume~1\Promise\LOCALS~1\Temp\3139880\dmap.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\dtreg.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\filemap.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\fsdrvplg.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\fssync.dll
c:\docume~1\Promise\LOCALS~1\Temp\3139880\hashmd5.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\hashsha1.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\icheck3.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\inflate.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\inifile.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\kldw.exe
c:\docume~1\Promise\LOCALS~1\Temp\3139880\klsrlsvc.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\mailmsg.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\mdb.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\mdmap.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\memmng.dll
c:\docume~1\Promise\LOCALS~1\Temp\3139880\memmodsc.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\memscan.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\minizip.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\mkavio.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\msoe.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\msvcm80.dll
c:\docume~1\Promise\LOCALS~1\Temp\3139880\msvcp80.dll
c:\docume~1\Promise\LOCALS~1\Temp\3139880\msvcr80.dll
c:\docume~1\Promise\LOCALS~1\Temp\3139880\ndetect.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\netdtls.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\nfio.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\ntfsstrm.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\ods.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\params.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\passdmap.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\prloader.dll
c:\docume~1\Promise\LOCALS~1\Temp\3139880\procmon.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\propmap.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\proxydet.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\prremote.dll
c:\docume~1\Promise\LOCALS~1\Temp\3139880\prseqio.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\prtransp.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\prutil.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\pxstub.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\qb.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\quantum.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\regmap.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\report.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\reportdb.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\resip.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\schedule.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\sfdb.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\stat.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\stdcomp.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\stenum2.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\superio.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\syswatch.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\thpimpl.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\timer.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\tm.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\uniarc.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\updater.dll
c:\docume~1\Promise\LOCALS~1\Temp\3139880\urlflt.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\ushata.dll
c:\docume~1\Promise\LOCALS~1\Temp\3139880\volenum.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\wdiskio.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\winreg.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\wmihlpr.ppl
c:\docume~1\Promise\LOCALS~1\Temp\3139880\xorio.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\7612002.exe
c:\documents and settings\Promise\Local Settings\Temp\3139880\advdis.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\avlib.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\avpgs.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\avpgui.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\avs.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\avspm.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\avzkrnl.dll
c:\documents and settings\Promise\Local Settings\Temp\3139880\avzscan.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\base64.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\base64p.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\basegui.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\bases\avengine.dll
c:\documents and settings\Promise\Local Settings\Temp\3139880\bases\avpcure.kdl
c:\documents and settings\Promise\Local Settings\Temp\3139880\bases\kavbase.kdl
c:\documents and settings\Promise\Local Settings\Temp\3139880\bases\kavsys.kdl
c:\documents and settings\Promise\Local Settings\Temp\3139880\bases\kjim.kdl
c:\documents and settings\Promise\Local Settings\Temp\3139880\bases\klavemu.kdl
c:\documents and settings\Promise\Local Settings\Temp\3139880\bases\mark.kdl
c:\documents and settings\Promise\Local Settings\Temp\3139880\bases\pbs.kdl
c:\documents and settings\Promise\Local Settings\Temp\3139880\bases\qscan.kdl
c:\documents and settings\Promise\Local Settings\Temp\3139880\bases\vlns.kdl
c:\documents and settings\Promise\Local Settings\Temp\3139880\bl.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\btdisk.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\btimages.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\buffer.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\clldr.dll
c:\documents and settings\Promise\Local Settings\Temp\3139880\crpthlpr.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\dbghelp.dll
c:\documents and settings\Promise\Local Settings\Temp\3139880\deflate.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\diffs.dll
c:\documents and settings\Promise\Local Settings\Temp\3139880\dmap.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\dtreg.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\filemap.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\fsdrvplg.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\fssync.dll
c:\documents and settings\Promise\Local Settings\Temp\3139880\hashmd5.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\hashsha1.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\icheck3.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\inflate.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\inifile.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\kldw.exe
c:\documents and settings\Promise\Local Settings\Temp\3139880\klsrlsvc.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\mailmsg.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\mdb.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\mdmap.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\memmng.dll
c:\documents and settings\Promise\Local Settings\Temp\3139880\memmodsc.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\memscan.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\minizip.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\mkavio.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\msoe.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\msvcm80.dll
c:\documents and settings\Promise\Local Settings\Temp\3139880\msvcp80.dll
c:\documents and settings\Promise\Local Settings\Temp\3139880\msvcr80.dll
c:\documents and settings\Promise\Local Settings\Temp\3139880\ndetect.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\netdtls.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\nfio.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\ntfsstrm.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\ods.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\params.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\passdmap.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\prloader.dll
c:\documents and settings\Promise\Local Settings\Temp\3139880\procmon.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\propmap.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\proxydet.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\prremote.dll
c:\documents and settings\Promise\Local Settings\Temp\3139880\prseqio.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\prtransp.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\prutil.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\pxstub.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\qb.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\quantum.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\regmap.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\report.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\reportdb.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\resip.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\schedule.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\sfdb.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\stat.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\stdcomp.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\stenum2.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\superio.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\syswatch.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\thpimpl.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\timer.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\tm.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\uniarc.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\updater.dll
c:\documents and settings\Promise\Local Settings\Temp\3139880\urlflt.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\ushata.dll
c:\documents and settings\Promise\Local Settings\Temp\3139880\volenum.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\wdiskio.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\winreg.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\wmihlpr.ppl
c:\documents and settings\Promise\Local Settings\Temp\3139880\x64\wmi64.exe
c:\documents and settings\Promise\Local Settings\Temp\3139880\xorio.ppl
c:\documents and settings\Promise\Start Menu\Programs\System Restore
c:\documents and settings\Promise\Start Menu\Programs\System Restore\System Restore.lnk
c:\documents and settings\Promise\Start Menu\Programs\System Restore\Uninstall System Restore.lnk
c:\windows\system32\d3d9caps.dat
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ABP470N5
.
.
((((((((((((((((((((((((( Files Created from 2011-09-17 to 2011-10-17 )))))))))))))))))))))))))))))))
.
.
2011-10-17 18:04 . 2011-10-17 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2011-10-17 07:19 . 2011-10-17 07:19 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2011-10-17 07:16 . 2011-10-17 07:16 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-10-17 06:45 . 2011-10-17 06:46 -------- d-----w- C:\New Folder
2011-10-17 05:59 . 2011-10-11 03:31 133208 ----a-w- c:\windows\system32\drivers\13779351.sys
2011-10-17 05:00 . 2011-10-17 19:15 -------- d-----w- c:\program files\ESET
2011-10-17 01:39 . 2011-08-31 19:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-17 01:39 . 2011-10-17 01:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-16 02:53 . 2011-10-16 02:53 -------- d-----w- c:\program files\Trend Micro
2011-10-16 01:29 . 2011-10-16 01:29 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-11 22:43 . 2011-10-11 22:43 -------- d-----w- C:\kleaner.tmp
2011-10-10 03:08 . 2011-10-10 03:08 -------- d-----w- c:\documents and settings\Promise\Local Settings\Application Data\ESET
2011-10-10 03:08 . 2011-10-10 03:08 -------- d-----w- c:\documents and settings\Promise\Application Data\ESET
2011-10-10 03:04 . 2011-10-10 03:04 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2011-10-09 23:47 . 2011-10-17 07:24 514406 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-09-30 13:45 . 2011-09-30 13:45 2106216 ---ha-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-09-30 13:45 . 2011-09-30 13:45 1998168 ---ha-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-09-29 01:56 . 2011-09-29 01:56 -------- d--h--w- c:\windows\Sun
2011-09-29 01:55 . 2011-09-29 01:55 -------- d--h--w- c:\program files\Common Files\Java
2011-09-29 01:55 . 2011-09-29 01:55 73728 ---ha-w- c:\windows\system32\javacpl.cpl
2011-09-29 01:55 . 2011-09-29 01:55 476904 ---ha-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-09-29 01:55 . 2011-09-29 01:55 472808 ---ha-w- c:\windows\system32\deployJava1.dll
2011-09-29 01:54 . 2011-09-29 01:54 -------- d--h--w- c:\program files\Java
2011-09-26 21:01 . 2011-09-26 21:01 -------- d--h--w- c:\documents and settings\All Users\Application Data\Yahoo!
2011-09-25 18:15 . 2011-09-25 18:15 -------- d--h--w- c:\documents and settings\Promise\Application Data\Malwarebytes
2011-09-25 18:15 . 2011-10-17 01:40 -------- d--h--w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-25 02:32 . 2011-09-25 02:32 -------- d--h--w- c:\documents and settings\Promise\Application Data\AVG2012
2011-09-25 02:30 . 2011-10-17 05:53 -------- d--h--w- c:\documents and settings\All Users\Application Data\AVG2012
2011-09-25 02:29 . 2011-09-25 02:29 -------- d--h--w- c:\program files\AVG
2011-09-25 02:26 . 2011-09-25 02:26 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-09-25 02:25 . 2011-10-17 05:47 -------- d--h--w- c:\documents and settings\All Users\Application Data\MFAData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 21:01 . 2011-05-18 16:41 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-09 16:24 . 2011-08-09 16:24 154136 ----a-w- c:\windows\system32\drivers\eamon.sys
2011-08-09 11:37 . 2011-08-09 11:37 39824 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2011-08-04 11:20 . 2011-08-04 11:20 61936 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2011-08-04 11:20 . 2011-08-04 11:20 147480 ----a-w- c:\windows\system32\drivers\epfw.sys
2011-08-04 11:20 . 2011-08-04 11:20 118104 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2011-10-01 14:35 . 2011-04-26 06:31 134104 ---ha-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-09-22 3080264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllGTjMtUURKTUgtNDJBT0EtSzZIVTk&inst=NzctNzM3MzY1NzA0LVNUMTJGT0krMS1ERFQrMC1TVDEyQVBQKzEtRVVMQSsxLVNUMTJGQVBQKzE&prod=90&ver=2012.0.1809&mid=ee675fcad92447d1b960d15a4456c3f6-7a619d169bcc801eeca15d9f16d06667c9cabce1" [?]
.
c:\documents and settings\Promise\Start Menu\Programs\Startup\
_uninst_13779351.lnk - c:\documents and settings\Promise\Local Settings\Temp\_uninst_13779351.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-01-03 00:41 45056 ---ha-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
2006-05-24 05:01 26112 ---ha-w- c:\windows\system32\Ati2mdxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 07:47 31016 ---ha-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 17:22 405504 ---ha-w- c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 14:59 254696 ---ha-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2011-03-22 18:37 74752 ---ha-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-11-11 20:55 159472 ---ha-w- c:\program files\Zune\ZuneLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"Spooler"=2 (0x2)
"SharedAccess"=2 (0x2)
"ZuneWlanCfgSvc"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"ZuneBusEnum"=2 (0x2)
"WMZuneComm"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"YahooAUService"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"JoinMEPlayUI Assistant Service"=2 (0x2)
"idsvc"=3 (0x3)
"avgwd"=2 (0x2)
"AVP"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\Documents and Settings\\Promise\\My Documents\\Downloads\\avg_free_stb_all_2012_1808_cnet.exe"=
.
R0 13779351;13779351;c:\windows\system32\drivers\13779351.sys [10/17/2011 3:59 AM 133208]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [8/4/2011 9:20 AM 118104]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [9/22/2011 12:03 PM 974944]
R3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [4/26/2011 3:56 AM 6609920]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [5/8/2011 5:59 PM 9728]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [5/8/2011 5:59 PM 106752]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [5/8/2011 5:59 PM 106752]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [5/8/2011 5:59 PM 106752]
S4 JoinMEPlayUI Assistant Service;JoinMEPlayUI Assistant Service;c:\program files\JoinME Drivers\JoinMEPlayAssistantServices.exe [5/8/2011 5:59 PM 242176]
S4 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [11/11/2010 6:57 PM 268528]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
FF - ProfilePath - c:\documents and settings\Promise\Application Data\Mozilla\Firefox\Profiles\5ouxkhrn.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-91820353.sys
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG2012\avgtray.exe
MSConfigStartUp-Broadcom Wireless Manager UI - c:\windows\system32\WLTRAY.exe
MSConfigStartUp-Yahoo Messengger - c:\windows\system32\SSVICHOSST.exe
MSConfigStartUp-YFQfMsobLp - c:\documents and settings\All Users\Application Data\YFQfMsobLp.exe
AddRemove-AIM_7 - c:\program files\AIM\uninst.exe
AddRemove-All ATI Software - c:\program files\ATI Technologies\UninstallAll\AtiCimUn.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-17 17:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(956)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(2996)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
.
**************************************************************************
.
Completion time: 2011-10-17 17:30:01 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-17 19:29
.
Pre-Run: 145,439,866,880 bytes free
Post-Run: 146,929,463,296 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 07433B18AFC61DED57488A3977B48208

#8 Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 19 October 2011 - 02:35 PM

Hi there,


Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

==============================================================================================================




Please open Malwarebytes' Anti-Malware and update it from the Update tab.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
=================================================================================================================================

Also, your Adobe Reader installation is outdated. Please download the latest version of Adobe Reader and install it to ensure your software is updated. :)



Elle

#9 ECG

  • Topic Starter
  • Members
  • 30 posts

Posted 20 October 2011 - 08:59 PM

Hi Elle,

Before I post the Malwarebytes log, I want to let you know that the virus was removed from my PC. I have retrieved all of my files now; however, when I start up my PC, it takes like 3-4 minutes for the Windows screen to finish loading and then the computer proceeds to load. My PC is very, very slow and it lags horribly. I went to msconfig and unchecked all of the unnecessary programs that don't need to start up, and yet my PC still shows no signs of improvement. I scanned my PC for viruses and for malware and nothing showed up, as shown in the LOG below. Also, the CPU usage is always running high, jumping to random percentages: 48, 50, 46, 70, 68, etc. The System Idle Process is the same: 89, 99, 97, 49, 65, etc. And the System's memory usage remains at 240K, while its CPU number jumps between 01, 05, 03, 00, etc.

Also, if I try to play a video on my PC, the sound continually breaks making it static-like and unclear.

I tried starting my PC up in Safe Mode but received the BLUE SCREEN OF DEATH:

0x0000007e (0x0000005, 0xF775C211, 0XF7AC24EC, 0XF7AC21E8)

Do you think my hard drive is failing or it might be something else?

Here is the malwarebytes LOG:

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

10/20/2011 9:15:10 PM
mbam-log-2011-10-20 (21-15-10).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 206560
Time elapsed: 2 hour(s), 22 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by ECG, 20 October 2011 - 09:11 PM.


#10 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,203 posts
  • Gender:Female
  • Location:Romania

Posted 22 October 2011 - 02:29 AM

Hello, because Elle is away this weekend, I'll take over this topic until she gets back.

Please download SafeBootKeyRepair.exe by sUBs to repair Safe Mode.

http://download.bleepingcomputer.com/sUBs/...otKeyRepair.exe

To run SafeBootKeyRepair.exe:
1. Close all programs/windows so that you have nothing open and are at your Desktop.
2. Double-click the SafeBootKeyRepair.exe file.
When finished, it shall produce a log for you.
3. Post the entire contents of C:\SafeBoot_Repair.txt in your next reply.

Let me know if you can access Safe Mode after these steps.


Click Start > Run, type chkdsk /r and press enter. When asked to schedule a scan for next reboot, confirm (Y).
Restart your computer and let the disk check run unhindered (note, this can take a long time). When done, let me know if you notice any difference.

regards, Elise


Malware analyst @ Emsisoft
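As an added example (not part of Elise's post or of sUBs' SafeBootKeyRepair tool), here is a Python triage script for the kind of SafeBoot key export that tool writes: it parses the .reg text, sorts each Minimal/Network entry into baseline, device-class GUID or unexpected, and lists baseline entries that are missing, since a damaged SafeBoot key is what stops Safe Mode from booting. The sample export and the abbreviated baseline are constructed for the example; a real check needs the complete default SafeBoot list for the Windows version at hand.

```python
"""Triage a SafeBoot key export (the .reg text SafeBootKeyRepair writes) against a
baseline of expected Safe Mode entries. Added example with an assumed, abbreviated baseline."""
import re
from typing import Dict, List, Set

# Constructed sample in the format of the log posted later in this thread: one
# [key] line per SafeBoot entry, usually followed by an @="type" default value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\91820353.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\procexp90.Sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\91820353.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]
'''

# Assumed baseline (lower-cased), trimmed to what the sample exercises; a real
# check would carry the full default list for the Windows version in question.
BASELINE: Dict[str, Set[str]] = {
    "minimal": {"appmgmt", "base", "vgasave.sys"},
    "network": {"afd", "tcpip"},
}

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\safeboot"
    r"\\(Minimal|Network)\\([^\]]+)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^@="(.*)"$')
# Device setup class GUIDs ({8-4-4-4-12}) are legitimate SafeBoot entries; they are
# reported in their own bucket instead of being judged against the name allowlist.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)


def parse_safeboot_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each profile ("minimal"/"network") to {entry name: default value}.
    An entry with no @= line (like the last GUID in the sample) gets ""."""
    result: Dict[str, Dict[str, str]] = {"minimal": {}, "network": {}}
    current = None  # (profile, entry) whose values are being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            if m:
                current = (m.group(1).lower(), m.group(2))
                result[current[0]][current[1]] = ""
            else:
                current = None  # root/profile key or an unrelated key
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            result[current[0]][current[1]] = v.group(1)
    return result


def triage(parsed: Dict[str, Dict[str, str]],
           baseline: Dict[str, Set[str]] = BASELINE) -> Dict[str, Dict[str, List[str]]]:
    """Bucket every entry as baseline / device_class / unexpected, and list the
    baseline entries that are missing from the export."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for profile, entries in parsed.items():
        buckets: Dict[str, List[str]] = {"baseline": [], "device_class": [], "unexpected": []}
        for entry in sorted(entries, key=str.lower):
            if entry.lower() in baseline[profile]:
                buckets["baseline"].append(entry)
            elif GUID_RE.match(entry):
                buckets["device_class"].append(entry)
            else:
                buckets["unexpected"].append(entry)
        buckets["missing"] = sorted(baseline[profile] - {e.lower() for e in entries})
        report[profile] = buckets
    return report


if __name__ == "__main__":
    parsed = parse_safeboot_export(SAMPLE_REG)
    for profile, buckets in triage(parsed).items():
        print(f"[{profile}] unexpected={buckets['unexpected']} missing={buckets['missing']}")
```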


#11 ECG

  • Topic Starter
  • Members
  • 30 posts

Posted 23 October 2011 - 11:01 AM

Hi Elise,

I thank you for trying to help me fix my computer. It is much appreciated.

Upon restarting my computer I received the BSOD again and I was provided with this code:

"Check to see if you have adequate disk space. If a driver is identified in the error message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to disable or remove components, restart your computer, press F8 to select Advanced Start-up options, and then select Safe Mode.

Technical information: 0x0000007E (0X0000005, 0X85F32541, 0XF7942C08, 0XF7942904)



Begin dump of physical memory.
Physical memory dump complete.
Contact your system administrator or technical support group for further assistance."

Upon seeing the BSOD I restarted my computer and Windows slowly loaded completely. I ran chkdsk /r and all was fine until I got to stage 4 of 5, where Windows verifies data files. The stage four process took well over 12 hours to complete. I fell asleep at 1 am and when I woke up at 11 am my PC had already rebooted and chkdsk /r was complete.

I restarted my PC and was able to access Safe Mode, but I still had signs of severe lagging. I restarted my PC again in normal mode this time and I still had the same symptoms. I ran the SafeBootKeyRepair.exe program and here is the LOG below. I also attached a picture of my Task Manager so you can see the processes running, etc.

SAFEBOOTKEYREPAIR.EXE LOG

Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\91820353.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PEVSystemStart]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\procexp90.Sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WudfPf]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WudfRd]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\91820353.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PEVSystemStart]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\procexp90.Sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WudfPf]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WudfRd]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\91820353.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\PEVSystemStart
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\procexp90.Sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\Wdf01000.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WudfPf
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WudfRd
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WudfSvc



#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,203 posts
  • Gender:Female
  • Location:Romania

Posted 23 October 2011 - 11:16 AM

Did things improve after running the chkdsk /r command?

At this point, does ESET still detect the olmasco.o threat?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#13 ECG

ECG
  • Topic Starter

  • Members
  • 30 posts

Posted 23 October 2011 - 12:33 PM

Hi,

Things did improve as ESET did not detect the olmasco.o trojan virus and I did receive all of my files again. The only problem I have now is the BSOD occasionally and my CPU runs high a lot for some unknown reason and I get severe lag etc.



#14 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 24 October 2011 - 03:38 PM

Hi there,

We will try to gather the information from your latest chkdsk log. Even if the scan took too long, the log is stored somewhere on your system.

Go to Start->Run and in the Run box please type the following:

eventvwr.msc
Press Enter after you're done.

A window called Event Viewer should pop up. On the left column you should see "Application"; click on it.
You should see a list on the right column. Under the Source section you should see a certain name like 'Wininit', 'crypt32', etc. These are not important.
Look for the ones with the 'Winlogon' source.
Now choose the most recent (look at the Date and Time sections).
Double-click on it and copy-paste the description into your next reply.


Elle
Can you hear it? It's all around!

Do you remember? If you do, then can you forgive?

If I haven't replied in 48 hours, please feel free to send me a PM.

#15 ECG

ECG
  • Topic Starter

  • Members
  • 30 posts

Posted 24 October 2011 - 09:10 PM

Hello Elle,

This looks complicated; what does this log mean?

Here is the Event Viewer LOG:

Information 10/23/2011 3:23:01 AM Winlogon None 1001 N/A/


Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 178 unused index entries from index $SII of file 0x9.
Cleaning up 178 unused index entries from index $SDH of file 0x9.
Cleaning up 178 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Windows has made corrections to the file system.

204796588 KB total disk space.
63306356 KB in 59133 files.
19656 KB in 4769 indexes.
0 KB in bad sectors.
183472 KB in use by the system.
65536 KB occupied by the log file.
141287104 KB available on disk.

4096 bytes in each allocation unit.
51199147 total allocation units on disk.
35321776 allocation units available on disk.

Internal Info:
50 8f 01 00 aa f9 00 00 1a 49 01 00 00 00 00 00 P........I......
96 12 00 00 02 00 00 00 b8 05 00 00 00 00 00 00 ................
32 3d d7 22 00 00 00 00 7a fe 31 73 00 00 00 00 2=."....z.1s....
fc c6 2f 30 00 00 00 00 7a a8 31 31 52 00 00 00 ../0....z.11R...
2e 22 40 7e 05 00 00 00 d4 cb 7b 9f 58 00 00 00 ."@~......{.X...
99 9e 36 00 00 00 00 00 10 3a 07 00 fd e6 00 00 ..6......:......
00 00 00 00 00 d0 e9 17 0f 00 00 00 a1 12 00 00 ................

Windows has finished checking your disk.
Please wait while your computer restarts.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
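As an added example (not part of any post in this thread), here is a small Python parser that pulls the triage facts a helper looks for in a chkdsk log like the one quoted above (whether corrections were made, whether any bad sectors were found) and cross-checks the summary arithmetic. The sample text is constructed from the figures in the post; the hex "Internal Info" block is left out.

```python
import re
# Constructed sample: the summary part of the chkdsk log quoted in the post
# above (numbers copied from the page; the hex "Internal Info" block omitted).
CHKDSK_LOG = """\
Windows has made corrections to the file system.
204796588 KB total disk space.
63306356 KB in 59133 files.
19656 KB in 4769 indexes.
0 KB in bad sectors.
183472 KB in use by the system.
65536 KB occupied by the log file.
141287104 KB available on disk.
4096 bytes in each allocation unit.
51199147 total allocation units on disk.
35321776 allocation units available on disk.
"""
# Summary line -> regex capturing its leading number.
FIELDS = {
    "total_kb": r"(\d+) KB total disk space",
    "files_kb": r"(\d+) KB in \d+ files",
    "indexes_kb": r"(\d+) KB in \d+ indexes",
    "bad_kb": r"(\d+) KB in bad sectors",
    "system_kb": r"(\d+) KB in use by the system",
    "log_kb": r"(\d+) KB occupied by the log file",
    "free_kb": r"(\d+) KB available on disk",
    "unit_bytes": r"(\d+) bytes in each allocation unit",
    "units_total": r"(\d+) total allocation units on disk",
    "units_free": r"(\d+) allocation units available on disk",
}

def parse_chkdsk(text):
    """Extract the numeric summary plus two triage flags from chkdsk output."""
    out = {}
    for key, pat in FIELDS.items():
        m = re.search(pat, text)
        if not m:
            raise ValueError("chkdsk summary line missing: " + key)
        out[key] = int(m.group(1))
    out["corrections_made"] = "made corrections to the file system" in text
    out["bad_sectors"] = out["bad_kb"] > 0
    return out

def check_consistency(s):
    """Cross-check the arithmetic; 'in use by the system' already includes the log file."""
    used = s["files_kb"] + s["indexes_kb"] + s["bad_kb"] + s["system_kb"]
    kb_per_unit = s["unit_bytes"] // 1024
    return (used + s["free_kb"] == s["total_kb"]
            and s["total_kb"] == s["units_total"] * kb_per_unit
            and s["free_kb"] == s["units_free"] * kb_per_unit)
```

A mismatch in the totals, or a non-zero bad-sector figure, is the signal to look at the disk hardware rather than at malware.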
