Infected with Trojans. Can't remove (RUext.dll and others)


  • This topic is locked
55 replies to this topic

#1 espelled

  • Members
  • 50 posts

Posted 17 November 2011 - 08:35 AM

Hello,
Hope you can help me with this problem.
For some time now I've been getting all kinds of Svchost.exe error messages:
0x6f8917c2 tried to write to memory 0x6f8917c2 but could not be written.
If I press OK - the computer freezes. So I just push the warning to the bottom of the screen and keep on working. Just didn't have the time to get around to it. But it's been getting worse.
I ran antimalware and it found some problems and purported to solve them.
c:\downloads\revo uninstaller pro 2.5.3 - stevsinus030\revo.uninstaller.pro.2.x.x.generic.patch-jw.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
c:\downloads\OFFICE\0010-0000-0000-0111\activation\keygen.exe (Hacktool.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\AutoKMS.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
c:\WINDOWS\installer\MSI455.tmp (HackTool.Hiderun) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\x (Worm.Conficker.H) -> Quarantined and deleted successfully.
c:\WORK\less-frequent-work\sagir2010\march2010\docxconverter\docxconverter 2.01\3000000083600002i\WINWORD.EXE (Trojan.IRCBot) -> Quarantined and deleted successfully.
c:\program files\vs revo group\revo uninstaller pro\revo.uninstaller.pro.2.x.x.generic.patch-jw.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
Then I tried to delete the directory "vs revo group" but was able to delete because of a file: RUext.dll - I tried to delete the file - no go. In safe mode. No go.
In the meantime the Svchost.exe continues to pop up.


I've attached the two files created by the GMER and DDS. However, ark.txt was too large to upload (952 KB) so I deleted some lines that seemed repetitive. Also, I saw the GMER dialogue contained much more information under different tabs than was saved in the ark.txt file.


Thanks in advance for your help!

Here is the log from the DDS.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_25
Run by Administrator at 19:57:31 on 2011-11-16
Microsoft Windows XP Professional 5.1.2600.3.1255.1.1037.18.3070.2133 [GMT 2:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\ABBYY\FineReader\10.00\Licensing\PE\NetworkLicenseServer.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Nuance\dgnsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kilgray\memoQ40\AUClient.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Administrator\שולחן העבודה\Defogger.exe
C:\Documents and Settings\Administrator\שולחן העבודה\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AGFormHelperObj Class: {6620e618-1ab9-4eb2-aca4-cbbe9066dbe6} - c:\progra~1\agat\agform\AGFORM~1.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: FireShot: {6e6e744e-4d20-4ce3-9a7a-26dfffe22f68} -
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: AGForms: {ed2e7de7-07db-4941-a06d-f780b93ba730} - c:\program files\agat\agform\AGForms.dll
TB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search - home\toolbar\ToolbarContainer101000325.dll
EB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search - home\toolbar\ToolbarContainer101000325.dll
EB: Copernic Desktop Search - Home: {9c3fca1f-99e3-48f2-a7f4-dd3931b2f99a} - c:\program files\copernic desktop search - home\DeskbandIntegration304000026.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking11\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking11\Ereg.ini
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
IE: &ייצוא אל Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: &יצא ל- Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: SYSTRAN: &Clear Translation Cache - c:\program files\systran\standard\menuClearCache.html
IE: SYSTRAN: &Options - c:\program files\systran\standard\menuConfigure.html
IE: SYSTRAN: &Register - c:\program files\systran\standard\menuRegister.html
IE: SYSTRAN: &Translate - c:\program files\systran\standard\menuTranslate.html
IE: SYSTRAN: Check for &Updates - c:\program files\systran\standard\menuUpdate.html
IE: SYSTRAN: Translate All &Frames - c:\program files\systran\standard\menuTranslateAll.html
IE: {703436F1-3E1F-11d3-8F6B-00105A2A1D59} - c:\program files\systran\standard\MenuTranslate.html
IE: {703436F2-3E1F-11d3-8F6B-00105A2A1D59} - c:\program files\systran\standard\MenuTranslateAll.html
IE: {703436F3-3E1F-11d3-8F6B-00105A2A1D59} - c:\program files\systran\standard\MenuConfigure.html
IE: {703436F4-3E1F-11d3-8F6B-00105A2A1D59} - c:\program files\systran\standard\MenuClearCache.html
IE: {703436F5-3E1F-11d3-8F6B-00105A2A1D59} - c:\program files\systran\standard\MenuRegister.html
IE: {703436F6-3E1F-11d3-8F6B-00105A2A1D59} - c:\program files\systran\standard\MenuUpdates.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 212.143.212.143 194.90.1.5
TCP: Interfaces\{D3885D42-A1FD-4C05-8488-B4D9B9A5125B} : DhcpNameServer = 212.143.212.143 194.90.1.5
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\u43pwaqf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1425416&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1425416&q=
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\u43pwaqf.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\u43pwaqf.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\u43pwaqf.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\u43pwaqf.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\winnt_x86-msvc\components\outwit-3.5.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\u43pwaqf.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\winnt_x86-msvc\components\outwit-3.6.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\u43pwaqf.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\u43pwaqf.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\imtcp_xpcom.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\u43pwaqf.default\extensions\{d02b1e87-a8c6-433f-9b5c-2cec4a072736}\components\susfox3.dll
FF - component: c:\program files\copernic desktop search - home\firefox36connector\components\CSPXPCOMBridge.dll
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\sony\media go\npmediago.dll
FF - plugin: c:\program files\sony\reader\data\bin\npebldetectmoz.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-8-10 11608]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2011-6-27 162544]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2011-6-27 44720]
R2 ABBYY.Licensing.FineReader.Professional.10.0;ABBYY FineReader 10 PE Licensing Service;c:\program files\common files\abbyy\finereader\10.00\licensing\pe\NetworkLicenseServer.exe [2009-12-22 814344]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-8-10 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-8-10 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-8-10 66616]
R2 DragonSvc;Dragon Service;c:\program files\common files\nuance\dgnsvc.exe [2010-7-23 296808]
R2 Kilgray Translation Technologies: memoQ update permissions manager. 979430.;Kilgray Translation Technologies: memoQ update permissions manager. 979430.;c:\program files\kilgray\memoq40\auclient.exe -permissionmanagerrun --> c:\program files\kilgray\memoq40\AUClient.exe -PermissionManagerRun [?]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-8-12 47640]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\sony ericsson\sony ericsson pc suite\SupServ.exe [2010-8-27 90112]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2010-8-15 100712]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2011-5-16 111280]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2011-5-16 122224]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-7-12 36640]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2011-3-9 30192]
S3 mcdevice;mcdevice;c:\windows\system32\drivers\mcdevice.sys [2009-12-1 323584]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys --> c:\windows\system32\drivers\nmwcdnsu.sys [?]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys --> c:\windows\system32\drivers\nmwcdnsuc.sys [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-7-8 27064]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2011-6-27 33072]
S4 B-Service;B-Service;c:\documents and settings\administrator\application data\mikogo extra\B-Service.exe [2010-2-1 185640]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-11-16 17:38:58 54016 ----a-w- c:\windows\system32\drivers\ggfqgjsu.sys
2011-11-11 12:29:19 -------- d-----w- C:\GERMAN_AND_YIDDISH
2011-11-10 16:20:56 -------- d-----w- c:\documents and settings\administrator\application data\Fbg2
2011-11-10 16:20:22 -------- d-----w- c:\program files\Falling Block Game 2
2011-11-08 11:14:00 -------- d-----w- C:\WAY_TO_KOKHAV_YAAKOV
.
==================== Find3M ====================
.
2011-10-07 15:05:50 323624 ----a-w- c:\windows\system32\wiaaut.dll
2011-09-13 21:57:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-02 05:41:04 205 ----a-w- c:\windows\system32\lsprst7.dll
2011-09-01 07:37:43 1025 ----a-w- c:\windows\system32\sysprs7.dll
2011-08-31 15:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-10 17:16:19 29541108 ----a-w- c:\program files\OmegaT_2.0.5_04_Windows.exe
2011-02-10 16:37:35 141032958 ----a-w- c:\program files\OOo_3.1.1_he_install_win32_091014.exe
2009-10-14 07:19:24 9794560 ----a-w- c:\program files\openofficeorg31.msi
2009-10-14 07:19:24 451072 ----a-w- c:\program files\setup.exe
2009-10-14 07:19:24 1822848 ----a-w- c:\program files\instmsiw.exe
2009-10-14 07:19:24 1709160 ----a-w- c:\program files\instmsia.exe
.
============= FINISH: 19:58:10.07 ===============

Edited by espelled, 17 November 2011 - 08:59 AM.
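As an added example (not part of this post and not a DDS or BleepingComputer tool), a small Python triage script that reads the SERVICES / DRIVERS and Created Last 30 / Find3M sections of a DDS log like the one above and flags two things a helper would look at first: .sys drivers created shortly before the scan that no listed service loads, and service entries DDS marked with [?] or [x]. The sample log is a constructed excerpt, and the 7-day window and the "no service entry" rule are heuristics assumed here, not a verdict.

```python
"""Triage heuristics for a DDS scan log (added example, not a DDS tool).

Flags (1) .sys files created within a few days of the scan that no listed
service references, and (2) services whose binary DDS marked [?] or [x].
The window and the "no service entry" rule are assumed heuristics.
"""
import re
from datetime import date

# Constructed excerpt modelled on the DDS log posted in this thread.
SAMPLE_LOG = r"""DDS (Ver_2011-08-26.01) - NTFSx86
Run by Administrator at 19:57:31 on 2011-11-16
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-8-10 11608]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-8-10 66616]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-7-8 27064]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-11-16 17:38:58 54016 ----a-w- c:\windows\system32\drivers\ggfqgjsu.sys
2011-11-11 12:29:19 -------- d-----w- C:\GERMAN_AND_YIDDISH
.
==================== Find3M ====================
.
2011-10-07 15:05:50 323624 ----a-w- c:\windows\system32\wiaaut.dll
2011-08-31 15:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 19:58:10.07 ===============
"""

# "Run by <user> at <time> on <YYYY-MM-DD>"
RUN_RE = re.compile(r"^Run by .* on (\d{4}-\d{2}-\d{2})$", re.M)
# "<date> <time> <size or -------- for dirs> <8 attribute flags> <path>"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (\S+) (\S{8}) (.+)$", re.M)
# "<R|S><start type> <service name>;<display name>;<image path and details>"
SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$", re.M)
# any driver file name mentioned in a service entry
SYS_RE = re.compile(r"([^\\/\s]+\.sys)\b", re.I)


def scan_date(log: str) -> date:
    """Date the scan ran; file ages are measured relative to it."""
    m = RUN_RE.search(log)
    if not m:
        raise ValueError("no 'Run by ... on <date>' header found")
    return date.fromisoformat(m.group(1))


def file_entries(log: str) -> list:
    """Created Last 30 / Find3M entries as dicts with created date and path."""
    return [
        {"created": date.fromisoformat(d), "size": size, "attrs": attrs, "path": path}
        for d, size, attrs, path in FILE_RE.findall(log)
    ]


def service_entries(log: str) -> list:
    """SERVICES / DRIVERS entries, with the driver names they reference."""
    return [
        {
            "name": m["name"],
            "display": m["display"],
            "drivers": {s.lower() for s in SYS_RE.findall(m["rest"])},
            # DDS appends [?] when it could not verify the file and [x] when it is missing
            "unverified": m["rest"].rstrip().endswith(("[?]", "[x]")),
        }
        for m in SVC_RE.finditer(log)
    ]


def recent_unreferenced_drivers(log: str, window_days: int = 7) -> list:
    """Paths of .sys files created within window_days of the scan whose name
    appears in no service entry. Drivers are normally loaded by a service, so
    an unreferenced, freshly created one deserves a closer look."""
    scan = scan_date(log)
    known = set()
    for svc in service_entries(log):
        known |= svc["drivers"]
    hits = []
    for entry in file_entries(log):
        name = entry["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if not name.endswith(".sys"):
            continue
        age = (scan - entry["created"]).days
        if 0 <= age <= window_days and name not in known:
            hits.append(entry["path"])
    return hits


def unverified_services(log: str) -> list:
    """Names of services whose binary DDS could not verify or find."""
    return [svc["name"] for svc in service_entries(log) if svc["unverified"]]


if __name__ == "__main__":
    for p in recent_unreferenced_drivers(SAMPLE_LOG):
        print("review: recently created driver with no service entry:", p)
    for n in unverified_services(SAMPLE_LOG):
        print("review: service binary unverified or missing:", n)
```

Widening the window (for example to 90 days) also surfaces older unreferenced drivers such as mbam.sys in the sample, which is why the result is a review list rather than a detection.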




#2 HelpBot (Bleepin' Binary Bot)

  • Bots
  • 12,600 posts

Posted 22 November 2011 - 08:40 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/428258 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 23 November 2011 - 01:32 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:


    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.

Information and logs:

In your next post I need the following:

  • logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#4 espelled (Topic Starter)

  • Members
  • 50 posts

Posted 23 November 2011 - 04:47 AM

Dear Gringo,
Am I glad to hear from you!
The problem is getting increasingly worse.
The main problems I've been having are windows popping up informing me that Svchost.exe could not write 0x6f8916e2.
Then the Generic Host process for Win32 error is posted.
I ignore these messages and push them to the bottom of my screen and keep working. (If I try to close them, the computer freezes).
Occasionally my computer bleeps ominously.
From time to time, my Malwarebytes anti-malware trial version informs me that Worm.Conficker.H has been trying to get in touch with the internet.
At some point, one of my programs hangs (usually MS Word) and my system freezes up (can't click with the mouse - although alt-tab does recycle through the open applications).
I've tried running gmer.exe again, as instructed by the bot - but the system always crashed before it finished (I have many files on my system).
Now I'm getting a blue screen of death, with an IRQL_Not_Less_or_Equal message.
Technical information: STOP: 0x0000000A (0xB8BB5008, 0x00000005,0x00000001, 0x806ECA9A)
Here are the RkU and DDS data.
Thank you
Shakhar

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #4
==============================================
>Drivers
==============================================
0xB6F52000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 9625600 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 260.99 )
0xBD012000 C:\WINDOWS\System32\nv4_disp.dll 6361088 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 260.99 )
0xB3A25000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 5197824 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1847296 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1847296 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB7E22000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB37F0000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB6D7D000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB3949000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB21E7000 C:\WINDOWS\system32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB1D93000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB6E2C000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB7F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB2533000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB7DF5000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB11F0000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xB3860000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB6F16000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xB38F9000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB37C9000 C:\WINDOWS\system32\DRIVERS\avipbb.sys 159744 bytes (Avira GmbH, Avira Driver for Security Enhancement)
0xB7F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB38D3000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB388B000 C:\WINDOWS\system32\DRIVERS\VBoxDrv.sys 155648 bytes (Oracle Corporation, VirtualBox Support Driver)
0xB375F000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xB3F1A000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB6EF2000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB6ECF000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB38B1000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB7EEB000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB7F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB37AB000 C:\WINDOWS\System32\Drivers\usbvideo.sys 122880 bytes (Microsoft Corporation, USB Video Class Driver)
0xB6E0F000 C:\WINDOWS\system32\DRIVERS\mcdbus.sys 118784 bytes (MagicISO, Inc., MagicISO SCSI Host Controller)
0xB6EB2000 C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys 118784 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )
0xB6DDB000 C:\WINDOWS\system32\DRIVERS\VBoxNetFlt.sys 114688 bytes (Oracle Corporation, VirtualBox Bridged Networking Driver)
0xB7DDB000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB6E5C000 C:\WINDOWS\system32\DRIVERS\VBoxNetAdp.sys 106496 bytes (Oracle Corporation, VirtualBox Host-Only Network Adapter Driver)
0xB7F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB3747000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB6DF7000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xB2A23000 C:\WINDOWS\system32\DRIVERS\avgntflt.sys 94208 bytes (Avira GmbH, Avira Minifilter Driver)
0xB7EC2000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB6E87000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB3F3E000 C:\WINDOWS\system32\drivers\nvhda32.sys 94208 bytes (NVIDIA Corporation, NVIDIA HDMI Audio Driver)
0xB25D6000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB6E9E000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB6F3E000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB39A2000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xB7EAF000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBD000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB7ED9000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB7F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB6E76000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB8138000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xB81D8000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xB81F8000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xB8288000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xB26DB000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xB8298000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xB81E8000 C:\WINDOWS\system32\DRIVERS\redbook.sys 57344 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB80E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xB8208000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xB8218000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xB80C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xB8238000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xB82D8000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xB81C8000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xB80B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xB8228000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xB81B8000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 40960 bytes (Microsoft Corporation, Processor Device Driver)
0xB80A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB2399000 C:\WINDOWS\system32\drivers\LMIRfsDriver.sys 40960 bytes (LogMeIn, Inc., LogMeIn Rfs Drivemap Driver)
0xB8268000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB80F8000 PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xB8258000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xB127B000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xB80D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xB82F8000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xB276B000 C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 36864 bytes (Microsoft Corporation, IP FILTER DRIVER)
0xB8248000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xB82B8000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB82C8000 C:\WINDOWS\system32\DRIVERS\VBoxUSBMon.sys 36864 bytes (Oracle Corporation, VirtualBox USB Monitor Driver)
0xB82A8000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xB8468000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xB8478000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xB8408000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xB8450000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xB8328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xB8490000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xB8488000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xB8410000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xB8430000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xB8470000 C:\WINDOWS\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)
0xB8400000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xB8458000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB8460000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xB8330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xB8420000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xB8428000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xB8418000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xB8350000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB2B32000 C:\WINDOWS\system32\drivers\mbam.sys 16384 bytes (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
0xB85A4000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB29F7000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB7A31000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xB4F9D000 C:\WINDOWS\system32\DRIVERS\usbscan.sys 16384 bytes (Microsoft Corporation, USB Scanner Driver)
0xB84B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB39ED000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB3A21000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB3A1D000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB7A2D000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB7A39000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB85E0000 C:\Program Files\Avira\AntiVir Desktop\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter)
0xB85D8000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xB85AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xB85EC000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xB85D6000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xB85A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xB85DA000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xB8650000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xB85DC000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xB85CC000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xB8652000 C:\WINDOWS\System32\Drivers\TBPanel.SYS 8192 bytes (Windows ® 2000 DDK provider, Display Control Program)
0xB85D2000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xB85AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xB86E4000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xB874D000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xB86E3000 C:\WINDOWS\system32\DRIVERS\lmimirr.sys 4096 bytes (LogMeIn, Inc., LogMeIn Mirror Miniport Driver)
0xB86BD000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xB8670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================



I have my original Windows CD available.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_25
Run by Administrator at 22:34:58 on 2011-11-22
Microsoft Windows XP Professional 5.1.2600.3.1255.1.1037.18.3070.2089 [GMT 2:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\ABBYY\FineReader\10.00\Licensing\PE\NetworkLicenseServer.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Nuance\dgnsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kilgray\memoQ40\AUClient.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Documents and Settings\Administrator\שולחן העבודה\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AGFormHelperObj Class: {6620e618-1ab9-4eb2-aca4-cbbe9066dbe6} - c:\progra~1\agat\agform\AGFORM~1.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: FireShot: {6e6e744e-4d20-4ce3-9a7a-26dfffe22f68} -
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: AGForms: {ed2e7de7-07db-4941-a06d-f780b93ba730} - c:\program files\agat\agform\AGForms.dll
TB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search - home\toolbar\ToolbarContainer101000325.dll
EB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search - home\toolbar\ToolbarContainer101000325.dll
EB: Copernic Desktop Search - Home: {9c3fca1f-99e3-48f2-a7f4-dd3931b2f99a} - c:\program files\copernic desktop search - home\DeskbandIntegration304000026.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking11\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking11\Ereg.ini
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
IE: &Export to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: &Export to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: SYSTRAN: &Clear Translation Cache - c:\program files\systran\standard\menuClearCache.html
IE: SYSTRAN: &Options - c:\program files\systran\standard\menuConfigure.html
IE: SYSTRAN: &Register - c:\program files\systran\standard\menuRegister.html
IE: SYSTRAN: &Translate - c:\program files\systran\standard\menuTranslate.html
IE: SYSTRAN: Check for &Updates - c:\program files\systran\standard\menuUpdate.html
IE: SYSTRAN: Translate All &Frames - c:\program files\systran\standard\menuTranslateAll.html
IE: {703436F1-3E1F-11d3-8F6B-00105A2A1D59} - c:\program files\systran\standard\MenuTranslate.html
IE: {703436F2-3E1F-11d3-8F6B-00105A2A1D59} - c:\program files\systran\standard\MenuTranslateAll.html
IE: {703436F3-3E1F-11d3-8F6B-00105A2A1D59} - c:\program files\systran\standard\MenuConfigure.html
IE: {703436F4-3E1F-11d3-8F6B-00105A2A1D59} - c:\program files\systran\standard\MenuClearCache.html
IE: {703436F5-3E1F-11d3-8F6B-00105A2A1D59} - c:\program files\systran\standard\MenuRegister.html
IE: {703436F6-3E1F-11d3-8F6B-00105A2A1D59} - c:\program files\systran\standard\MenuUpdates.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 212.143.212.143 194.90.1.5
TCP: Interfaces\{D3885D42-A1FD-4C05-8488-B4D9B9A5125B} : DhcpNameServer = 212.143.212.143 194.90.1.5
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\u43pwaqf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1425416&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1425416&q=
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\u43pwaqf.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\u43pwaqf.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\u43pwaqf.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\u43pwaqf.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\winnt_x86-msvc\components\outwit-3.5.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\u43pwaqf.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\winnt_x86-msvc\components\outwit-3.6.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\u43pwaqf.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\u43pwaqf.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\imtcp_xpcom.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\u43pwaqf.default\extensions\{d02b1e87-a8c6-433f-9b5c-2cec4a072736}\components\susfox3.dll
FF - component: c:\program files\copernic desktop search - home\firefox36connector\components\CSPXPCOMBridge.dll
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\sony\media go\npmediago.dll
FF - plugin: c:\program files\sony\reader\data\bin\npebldetectmoz.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-8-10 11608]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2011-6-27 162544]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2011-6-27 44720]
R2 ABBYY.Licensing.FineReader.Professional.10.0;ABBYY FineReader 10 PE Licensing Service;c:\program files\common files\abbyy\finereader\10.00\licensing\pe\NetworkLicenseServer.exe [2009-12-22 814344]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-8-10 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-8-10 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-8-10 66616]
R2 DragonSvc;Dragon Service;c:\program files\common files\nuance\dgnsvc.exe [2010-7-23 296808]
R2 Kilgray Translation Technologies: memoQ update permissions manager. 979430.;Kilgray Translation Technologies: memoQ update permissions manager. 979430.;c:\program files\kilgray\memoq40\auclient.exe -permissionmanagerrun --> c:\program files\kilgray\memoq40\AUClient.exe -PermissionManagerRun [?]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-8-12 47640]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-9 366152]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\sony ericsson\sony ericsson pc suite\SupServ.exe [2010-8-27 90112]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-9 22216]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2010-8-15 100712]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2011-5-16 111280]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2011-5-16 122224]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-7-12 36640]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2011-3-9 30192]
S3 mcdevice;mcdevice;c:\windows\system32\drivers\mcdevice.sys [2009-12-1 323584]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys --> c:\windows\system32\drivers\nmwcdnsu.sys [?]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys --> c:\windows\system32\drivers\nmwcdnsuc.sys [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-7-8 27064]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2011-6-27 33072]
S4 B-Service;B-Service;c:\documents and settings\administrator\application data\mikogo extra\B-Service.exe [2010-2-1 185640]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-11-11 12:29:19 -------- d-----w- C:\GERMAN_AND_YIDDISH
2011-11-10 16:20:56 -------- d-----w- c:\documents and settings\administrator\application data\Fbg2
2011-11-10 16:20:22 -------- d-----w- c:\program files\Falling Block Game 2
2011-11-08 11:14:00 -------- d-----w- C:\WAY_TO_KOKHAV_YAAKOV
.
==================== Find3M ====================
.
2011-10-07 15:05:50 323624 ----a-w- c:\windows\system32\wiaaut.dll
2011-09-13 21:57:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-02 05:41:04 205 ----a-w- c:\windows\system32\lsprst7.dll
2011-09-01 07:37:43 1025 ----a-w- c:\windows\system32\sysprs7.dll
2011-08-31 15:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-10 17:16:19 29541108 ----a-w- c:\program files\OmegaT_2.0.5_04_Windows.exe
2011-02-10 16:37:35 141032958 ----a-w- c:\program files\OOo_3.1.1_he_install_win32_091014.exe
2009-10-14 07:19:24 9794560 ----a-w- c:\program files\openofficeorg31.msi
2009-10-14 07:19:24 451072 ----a-w- c:\program files\setup.exe
2009-10-14 07:19:24 1822848 ----a-w- c:\program files\instmsiw.exe
2009-10-14 07:19:24 1709160 ----a-w- c:\program files\instmsia.exe
.
============= FINISH: 22:35:52.95 ===============
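A helper reads a DDS log like the one above by eye, looking for a handful of patterns: a service whose binary lives under a user profile (B-Service.exe in Application Data), an extensionless file in system32 (c:\windows\system32\x, the path Malwarebytes had already reported as Worm.Conficker.H), Firefox search prefs pointing at a host the user never chose (search.conduit.com), a populated AppInit_DLLs value, and toolbar registrations with no file behind them. The script below is an added example that encodes those checks; it is not part of this thread, of DDS, or of ComboFix. The sample lines are constructed copies of the kinds of entries seen in the logs here, and the regexes, the list of expected search hosts, the "user profile" path markers and the severity labels are assumptions of the example, not DDS conventions. It needs Python 3.8 or later.

```python
"""Triage heuristics for DDS / ComboFix-style log lines (added example for this
thread; not part of DDS, ComboFix or the helper's instructions)."""
import re
from dataclasses import dataclass

# Constructed sample: copies of the kinds of lines seen in the DDS/ComboFix output above.
SAMPLE_LOG = r"""
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2011-6-27 162544]
S4 B-Service;B-Service;c:\documents and settings\administrator\application data\mikogo extra\B-Service.exe [2010-2-1 185640]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
2011-11-18 08:33 . 2011-11-23 10:44 163185 ----a-w- c:\windows\system32\x
2011-10-07 15:05 . 2011-10-07 15:05 323624 ----a-w- c:\windows\system32\wiaaut.dll
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1425416&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
"""

@dataclass
class Finding:
    severity: str  # "high" / "medium" / "low": how urgently a human should look at the line
    reason: str
    line: str

# Line shapes assumed from the log format: "R1 name;display;path [date size]" for
# services/drivers, "date . date size attrs path" for files, "FF - prefs.js: pref - value".
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}.*?\s(?P<path>[a-z]:\\.*)$", re.IGNORECASE)
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>\S+) - (?P<value>\S+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*\S")
ORPHAN_RE = re.compile(r"^(?:TB|BHO|EB): .* - No File$")
URL_HOST_RE = re.compile(r"^[a-z]+://([^/?#]+)", re.IGNORECASE)  # "hxxp://" is the log's defanged http://

# Assumptions of the example: a service binary should never live under a user profile,
# these prefs decide where searches go, and these are the hosts this user expects there.
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\local settings\\")
SEARCH_PREFS = {"browser.search.defaulturl", "keyword.URL", "browser.startup.homepage"}
EXPECTED_SEARCH_HOSTS = {"www.google.com", "google.com", "www.bing.com"}

def check_service(m, line):
    rest = m["rest"].strip()
    if not rest or rest.startswith("[x]"):
        return Finding("medium", "service entry with no binary the log tool could locate", line)
    if any(marker in rest.lower() for marker in USER_PROFILE_MARKERS):
        return Finding("high", "service binary lives under a user profile directory", line)
    if "-->" in rest and rest.endswith("[?]"):
        return Finding("low", "path had to be rewritten (-->) and the file could not be stat'ed", line)
    return None

def check_pref(m, line):
    if m["pref"] not in SEARCH_PREFS:
        return None
    host = URL_HOST_RE.match(m["value"])
    if host and host.group(1).lower() not in EXPECTED_SEARCH_HOSTS:
        return Finding("medium", f"search/home pref points at unexpected host {host.group(1)}", line)
    return None

def triage_line(line):
    """Return a Finding for one log line, or None if no heuristic fires."""
    if (m := SERVICE_RE.match(line)):
        return check_service(m, line)
    if (m := FILE_RE.match(line)):
        parent, _, name = m["path"].rpartition("\\")
        if parent.lower().endswith("\\system32") and "." not in name:
            return Finding("high", "extensionless file sitting in system32", line)
        return None
    if (m := FF_PREF_RE.match(line)):
        return check_pref(m, line)
    if APPINIT_RE.match(line):
        return Finding("medium", "AppInit_DLLs is set: that DLL is loaded into every process that links user32", line)
    if ORPHAN_RE.match(line):
        return Finding("low", "toolbar/BHO registration whose file is missing", line)
    return None

def triage(text):
    """Run every heuristic over a whole log; findings come back in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and (f := triage_line(line)):
            findings.append(f)
    return findings

def summarize(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts
```

Run `triage()` over the text of a saved DDS.txt to get the flagged lines with a reason each; on the sample it flags seven lines and leaves the VirtualBox driver, the wiaaut.dll entry and the Google homepage alone. A hit is a prompt to verify the file (signature, hash, creation time), not a verdict, and the expected search hosts have to be set to whatever providers the user actually chose.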

#5 espelled

  • Topic Starter
  • Members
  • 50 posts

Posted 23 November 2011 - 06:23 AM

Hello Gringo. Additional info: Malwarebytes just reported blocking a malicious website: 193.106.172.172
Thanks,
Shakhar

#6 gringo_pr

Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 23 November 2011 - 07:19 AM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"Information and logs"

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I close my topics if you have not replied in 5 days. If you will be longer, please let me know.

If I have not replied to one of my topics in 48 hrs, please bump the topic.



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 espelled

  • Topic Starter
  • Members
  • 50 posts

Posted 23 November 2011 - 08:20 AM

Hello Gringo,
After I initiated Combofix, the Svchost.exe error came up: instruction 0x594116e2 could not be written to memory 0x0114005c.
I ignored this and let Combofix install the Recovery Console, but after installation Combofix stopped running.
I then tried running Combofix again and this time it produced the log, which I've attached below.
After Combofix finished, the Svchost.exe error came up with instruction 0x6fe217c2 could not be written to memory at 0x6fe217c2, and a "Generic Host Process for Win32 Services has encountered a problem" message.
Thanks
Shakhar


ComboFix 11-11-22.03 - Administrator 23/11/2011 15:00:38.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1255.1.1037.18.3070.2417 [GMT 2:00]
Running from: c:\documents and settings\Administrator\שולחן העבודה\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\My Documents\~WRL1516.tmp
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\hpe7F.dll
c:\documents and settings\All Users\Application Data\TEMP
C:\install.exe
c:\program files\OOo_3.1.1_he_install_win32_091014.exe
c:\program files\Setup.exe
C:\Thumbs.db
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\system32\lsprst7.dll
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\zlibwapi.dll
c:\windows\XSxS
.
.
((((((((((((((((((((((((( Files Created from 2011-10-23 to 2011-11-23 )))))))))))))))))))))))))))))))
.
.
2011-11-23 09:20 . 2011-11-23 09:51 -------- d-----w- C:\FIGHTING THE
2011-11-18 08:33 . 2011-11-23 10:44 163185 ----a-w- c:\windows\system32\x
2011-11-11 12:29 . 2011-11-11 12:29 -------- d-----w- C:\GERMAN_AND_YIDDISH
2011-11-10 16:20 . 2011-11-10 16:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Fbg2
2011-11-10 16:20 . 2011-11-10 16:36 -------- d-----w- c:\program files\Falling Block Game 2
2011-11-08 11:14 . 2011-11-08 11:19 -------- d-----w- C:\WAY_TO_KOKHAV_YAAKOV
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-07 15:05 . 2011-10-07 15:05 323624 ----a-w- c:\windows\system32\wiaaut.dll
2011-09-13 21:57 . 2011-09-13 21:57 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-31 15:00 . 2010-08-09 17:28 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-10 17:16 . 2011-02-10 16:55 29541108 ----a-w- c:\program files\OmegaT_2.0.5_04_Windows.exe
2009-10-14 07:19 . 2009-10-14 07:19 9794560 ----a-w- c:\program files\openofficeorg31.msi
2009-10-14 07:19 . 2009-10-14 07:19 1822848 ----a-w- c:\program files\instmsiw.exe
2009-10-14 07:19 . 2009-10-14 07:19 1709160 ----a-w- c:\program files\instmsia.exe
2009-08-08 23:11 . 2009-08-08 23:11 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll
2009-08-08 23:30 . 2009-08-08 23:30 107760 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2011-11-23 09:17 . 2011-05-08 21:03 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-03-09 12:55 . 2011-03-09 12:55 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-08-09 . 2F6B767422A6EEEDB29BC29D831FC5A6 . 1571328 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 16:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" [2007-04-16 259624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-05 198160]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2008-08-09 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-08-12 15:44 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^תפריט התחלה^תוכניות^הפעלה^Greenshot.lnk]
path=c:\documents and settings\Administrator\תפריט התחלה\תוכניות\הפעלה\Greenshot.lnk
backup=c:\windows\pss\Greenshot.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^תפריט התחלה^תוכניות^הפעלה^MagicDisc.lnk]
path=c:\documents and settings\Administrator\תפריט התחלה\תוכניות\הפעלה\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^תפריט התחלה^תוכניות^הפעלה^Netvision Cable Connect.url]
path=c:\documents and settings\Administrator\תפריט התחלה\תוכניות\הפעלה\Netvision Cable Connect.url
backup=c:\windows\pss\Netvision Cable Connect.urlStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^תפריט התחלה^תוכניות^הפעלה^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Administrator\תפריט התחלה\תוכניות\הפעלה\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^Microsoft Office.lnk]
path=c:\documents and settings\All Users\תפריט התחלה\תוכניות\הפעלה\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^SDL Trados 2007 Speed Launcher.lnk]
path=c:\documents and settings\All Users\תפריט התחלה\תוכניות\הפעלה\SDL Trados 2007 Speed Launcher.lnk
backup=c:\windows\pss\SDL Trados 2007 Speed Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^Symantec Fax Starter Edition Port.lnk]
path=c:\documents and settings\All Users\תפריט התחלה\תוכניות\הפעלה\Symantec Fax Starter Edition Port.lnk
backup=c:\windows\pss\Symantec Fax Starter Edition Port.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^TotalMedia Backup Monitor.lnk]
path=c:\documents and settings\All Users\תפריט התחלה\תוכניות\הפעלה\TotalMedia Backup Monitor.lnk
backup=c:\windows\pss\TotalMedia Backup Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2010-06-09 08:53 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20 57344 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-03-18 09:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStart PC Studio]
2010-03-11 17:23 2049376 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NewPCStudio.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2010-03-11 17:20 116056 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bonus.SSR.FR10]
2010-01-27 09:29 941320 ----a-w- c:\program files\ABBYY FineReader 10\Bonus.ScreenshotReader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-09-13 16:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-10-25 16:10 652624 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Copernic Desktop Search - Home]
2010-09-07 19:16 1611736 ----a-w- c:\program files\Copernic Desktop Search - Home\DesktopSearchService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2011-03-09 12:55 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-11-27 09:04 135664 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 09:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2010-07-23 10:46 222496 ----a-w- c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 14:15 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LangOver]
2010-11-05 16:35 1486848 ----a-w- c:\program files\LangOver\LangOver.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-08-31 15:00 449608 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-02-18 15:29 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-07-09 13:39 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nuance.ctfmngr]
2011-07-22 03:16 39856 ----a-w- c:\program files\Nuance\NaturallySpeaking11\Program\ctfmngr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-10-16 10:04 13851752 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-10-16 10:04 110696 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2010-08-25 22:12 1753192 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 13:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reader Library Launcher]
2010-07-12 23:34 906648 ----a-w- c:\program files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-01-13 06:37 18084864 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Companion]
2009-12-08 12:51 774144 ----a-w- c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-03-16 16:09 148888 ----a-w- c:\program files\Java\jre1.6.0_14\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPanel]
2009-05-12 13:43 2158592 ----a-w- c:\program files\Vtune\TBPANEL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-12-05 18:37 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"B-Service"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Free Download Manager\\fdmwi.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero ShowTime\\ShowTime.exe"=
"c:\\WINDOWS\\KMSEmulator.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\IBM\\SPSS\\Smartreader\\20\\JRE\\bin\\javaw.exe"=
"c:\\Program Files\\IBM\\SPSS\\Statistics\\20\\stats.exe"=
"c:\\Program Files\\IBM\\SPSS\\Statistics\\20\\stats.com"=
"c:\\Program Files\\IBM\\SPSS\\Statistics\\20\\WinWrapIDE.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4100:UDP"= 4100:UDP:uPNP Router Control Port
.
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [27/06/2011 15:15 162544]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [27/06/2011 15:15 44720]
R2 ABBYY.Licensing.FineReader.Professional.10.0;ABBYY FineReader 10 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\10.00\Licensing\PE\NetworkLicenseServer.exe [22/12/2009 01:08 814344]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/08/2010 15:14 136360]
R2 DragonSvc;Dragon Service;c:\program files\Common Files\Nuance\dgnsvc.exe [23/07/2010 13:19 296808]
R2 Kilgray Translation Technologies: memoQ update permissions manager. 979430.;Kilgray Translation Technologies: memoQ update permissions manager. 979430.;c:\program files\Kilgray\memoQ40\AUClient.exe -PermissionManagerRun --> c:\program files\Kilgray\memoQ40\AUClient.exe -PermissionManagerRun [?]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [09/08/2010 19:28 366152]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [27/08/2010 09:11 90112]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [09/08/2010 19:28 22216]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [15/08/2010 17:53 100712]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [16/05/2011 19:01 111280]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [16/05/2011 19:01 122224]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [12/07/2010 13:23 36640]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [09/03/2011 14:55 30192]
S3 mcdevice;mcdevice;c:\windows\system32\drivers\mcdevice.sys [01/12/2009 17:02 323584]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys --> c:\windows\system32\drivers\nmwcdnsu.sys [?]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys --> c:\windows\system32\drivers\nmwcdnsuc.sys [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [08/07/2011 08:30 27064]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [27/06/2011 15:15 33072]
S4 B-Service;B-Service;c:\documents and settings\Administrator\Application Data\Mikogo Extra\B-Service.exe [01/02/2010 20:39 185640]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-23 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-26 19:51]
.
2011-11-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-842925246-1801674531-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-27 09:04]
.
2011-11-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-842925246-1801674531-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-27 09:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &ייצוא אל Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: &יצא ל- Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: SYSTRAN: &Clear Translation Cache - c:\program files\Systran\Standard\menuClearCache.html
IE: SYSTRAN: &Options - c:\program files\Systran\Standard\menuConfigure.html
IE: SYSTRAN: &Register - c:\program files\Systran\Standard\menuRegister.html
IE: SYSTRAN: &Translate - c:\program files\Systran\Standard\menuTranslate.html
IE: SYSTRAN: Check for &Updates - c:\program files\Systran\Standard\menuUpdate.html
IE: SYSTRAN: Translate All &Frames - c:\program files\Systran\Standard\menuTranslateAll.html
IE: {{703436F1-3E1F-11d3-8F6B-00105A2A1D59} - c:\program files\Systran\Standard\MenuTranslate.html
IE: {{703436F2-3E1F-11d3-8F6B-00105A2A1D59} - c:\program files\Systran\Standard\MenuTranslateAll.html
IE: {{703436F3-3E1F-11d3-8F6B-00105A2A1D59} - c:\program files\Systran\Standard\MenuConfigure.html
IE: {{703436F4-3E1F-11d3-8F6B-00105A2A1D59} - c:\program files\Systran\Standard\MenuClearCache.html
IE: {{703436F5-3E1F-11d3-8F6B-00105A2A1D59} - c:\program files\Systran\Standard\MenuRegister.html
IE: {{703436F6-3E1F-11d3-8F6B-00105A2A1D59} - c:\program files\Systran\Standard\MenuUpdates.html
TCP: DhcpNameServer = 212.143.212.143 194.90.1.5
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\u43pwaqf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1425416&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1425416&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
AddRemove-Diff Doc_is1 - c:\program files\Softinterface
AddRemove-01_Simmental - c:\program files\SAMSUNG\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\SAMSUNG\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\SAMSUNG\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\SAMSUNG\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\SAMSUNG\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\SAMSUNG\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\SAMSUNG\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\SAMSUNG\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\SAMSUNG\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\SAMSUNG\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\SAMSUNG\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\SAMSUNG\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\SAMSUNG\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\SAMSUNG\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-21_Searsburg - c:\program files\Samsung\USB Drivers\21_Searsburg\Uninstall.exe
AddRemove-22_MS_USB_Modem_Driver - c:\program files\SAMSUNG\USB Drivers\22_MS_USB_Modem_Driver\Uninstall.exe
AddRemove-22_WiBro_WiMAX - c:\program files\Samsung\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-23 15:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
.
scan completed successfully
hidden files: 45
.
**************************************************************************
"ImagePath"="system32\DRIVERS\kbdhid.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Kilgray Translation Technologies: memoQ update permissions manager. 979430.]
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1390067357-842925246-1801674531-500\Software\Microsoft\Ntbackup\   *װׂׁױ]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1390067357-842925246-1801674531-500\Software\Microsoft\  M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Recent File List]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"File1"="c:\\WINDOWS\\system32\\dfrg.msc"
"File2"="c:\\WINDOWS\\system32\\services.msc"
"File3"="c:\\WINDOWS\\system32\\ciadv.msc"
"File4"="c:\\Program Files\\Runtime Software\\DriveImage XML\\diskmagn.msc"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1124)
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'explorer.exe'(264)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kilgray\memoQ40\AUClient.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2011-11-23 15:11:13 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-23 13:11
.
Pre-Run: 14,895,153,152 bytes free
Post-Run: 16,815,546,368 bytes free
.
- - End Of File - - ACB365B7CEA6B6FC0B93CD65A50A5AF2

#8 espelled

  • Topic Starter

  • Members
  • 50 posts
  • Local time:10:31 PM

Posted 23 November 2011 - 09:02 AM

Hi Gringo,
In the meantime Malwarebytes reported twice that 174.120.244.218 has been blocked.
All the best,
Shakhar

#9 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location: Puerto Rico
  • Local time:11:31 PM

Posted 23 November 2011 - 10:42 AM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#10 espelled

espelled
  • Topic Starter

  • Members
  • 50 posts
  • Local time:10:31 PM

Posted 23 November 2011 - 11:28 AM

Hello Gringo,
TDSS did not find any infected or suspicious files. Log is attached.
Some more info:
There are more frequent attempts to contact the internet. URLs: 98.100.18.194 and 174.120.244.218.
Also, I've been working with no browsers open for about an hour and no error windows came up. It could be a coincidence but I just thought I'd mention it.
Thanks
Shakhar

18:20:19.0656 3604 TDSS rootkit removing tool 2.6.20.0 Nov 22 2011 12:05:55
18:20:20.0062 3604 ============================================================
18:20:20.0062 3604 Current date / time: 2011/11/23 18:20:20.0062
18:20:20.0062 3604 SystemInfo:
18:20:20.0062 3604
18:20:20.0062 3604 OS Version: 5.1.2600 ServicePack: 3.0
18:20:20.0062 3604 Product type: Workstation
18:20:20.0062 3604 ComputerName: WINXPSP3
18:20:20.0062 3604 UserName: Administrator
18:20:20.0062 3604 Windows directory: C:\WINDOWS
18:20:20.0062 3604 System windows directory: C:\WINDOWS
18:20:20.0062 3604 Processor architecture: Intel x86
18:20:20.0062 3604 Number of processors: 4
18:20:20.0062 3604 Page size: 0x1000
18:20:20.0062 3604 Boot type: Normal boot
18:20:20.0062 3604 ============================================================
18:20:21.0640 3604 Initialize success
18:21:11.0500 3840 ============================================================
18:21:11.0500 3840 Scan started
18:21:11.0500 3840 Mode: Manual;
18:21:11.0500 3840 ============================================================
18:21:11.0812 3840 Abiosdsk - ok
18:21:11.0828 3840 abp480n5 - ok
18:21:11.0859 3840 ACPI (26a773e6c500277c5a817fab68cd0bb9) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:21:11.0859 3840 ACPI - ok
18:21:11.0890 3840 ACPIEC (ea755aa1a97ed90d446e1a43ae3fb619) C:\WINDOWS\system32\drivers\ACPIEC.sys
18:21:11.0890 3840 ACPIEC - ok
18:21:11.0906 3840 adpu160m - ok
18:21:11.0937 3840 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
18:21:11.0937 3840 aec - ok
18:21:11.0953 3840 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
18:21:11.0968 3840 AFD - ok
18:21:12.0031 3840 Aha154x - ok
18:21:12.0046 3840 aic78u2 - ok
18:21:12.0046 3840 aic78xx - ok
18:21:12.0046 3840 AliIde - ok
18:21:12.0062 3840 amsint - ok
18:21:12.0062 3840 asc - ok
18:21:12.0062 3840 asc3350p - ok
18:21:12.0078 3840 asc3550 - ok
18:21:12.0093 3840 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:21:12.0093 3840 AsyncMac - ok
18:21:12.0125 3840 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
18:21:12.0125 3840 atapi - ok
18:21:12.0140 3840 Atdisk - ok
18:21:12.0171 3840 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:21:12.0187 3840 Atmarpc - ok
18:21:12.0187 3840 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
18:21:12.0203 3840 audstub - ok
18:21:12.0265 3840 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
18:21:12.0265 3840 avgio - ok
18:21:12.0375 3840 avgntflt (1e4114685de1ffa9675e09c6a1fb3f4b) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
18:21:12.0375 3840 avgntflt - ok
18:21:12.0406 3840 avipbb (0f78d3dae6dedd99ae54c9491c62adf2) C:\WINDOWS\system32\DRIVERS\avipbb.sys
18:21:12.0406 3840 avipbb - ok
18:21:12.0421 3840 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
18:21:12.0421 3840 Beep - ok
18:21:12.0468 3840 Cardex (04e1c782cf14b7282ebc633b0fd3ed16) C:\WINDOWS\system32\drivers\TBPANEL.SYS
18:21:12.0468 3840 Cardex - ok
18:21:12.0468 3840 catchme - ok
18:21:12.0562 3840 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
18:21:12.0562 3840 cbidf2k - ok
18:21:12.0578 3840 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
18:21:12.0578 3840 CCDECODE - ok
18:21:12.0578 3840 cd20xrnt - ok
18:21:12.0609 3840 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
18:21:12.0609 3840 Cdaudio - ok
18:21:12.0640 3840 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
18:21:12.0640 3840 Cdfs - ok
18:21:12.0687 3840 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
18:21:12.0703 3840 Cdrom - ok
18:21:12.0781 3840 Changer - ok
18:21:12.0781 3840 CmdIde - ok
18:21:12.0796 3840 Cpqarray - ok
18:21:12.0796 3840 dac2w2k - ok
18:21:12.0796 3840 dac960nt - ok
18:21:12.0812 3840 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
18:21:12.0812 3840 Disk - ok
18:21:12.0843 3840 dmboot (759a1336055e6b614b2462d0f45d6278) C:\WINDOWS\system32\drivers\dmboot.sys
18:21:12.0859 3840 dmboot - ok
18:21:12.0937 3840 dmio (8ca1a6932d84b2c23d5d488d23d3b01d) C:\WINDOWS\system32\drivers\dmio.sys
18:21:12.0953 3840 dmio - ok
18:21:12.0953 3840 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
18:21:12.0953 3840 dmload - ok
18:21:12.0984 3840 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
18:21:12.0984 3840 DMusic - ok
18:21:13.0000 3840 dpti2o - ok
18:21:13.0000 3840 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
18:21:13.0015 3840 drmkaud - ok
18:21:13.0031 3840 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
18:21:13.0031 3840 Fastfat - ok
18:21:13.0109 3840 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
18:21:13.0109 3840 Fdc - ok
18:21:13.0156 3840 Fips (11bb3067883475f2ecbb77c01181e2d5) C:\WINDOWS\system32\drivers\Fips.sys
18:21:13.0156 3840 Fips - ok
18:21:13.0156 3840 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
18:21:13.0171 3840 Flpydisk - ok
18:21:13.0203 3840 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
18:21:13.0203 3840 FltMgr - ok
18:21:13.0234 3840 FsUsbExDisk (b07663a810e861eebfd0eac7e82ca62d) C:\WINDOWS\system32\FsUsbExDisk.SYS
18:21:13.0265 3840 FsUsbExDisk - ok
18:21:13.0359 3840 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
18:21:13.0375 3840 Fs_Rec - ok
18:21:13.0375 3840 Ftdisk (edf3126968525a17de8b382aec99cdcc) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
18:21:13.0375 3840 Ftdisk - ok
18:21:13.0421 3840 gdrv (d556cb79967e92b5cc69686d16c1d846) C:\WINDOWS\gdrv.sys
18:21:13.0421 3840 gdrv - ok
18:21:13.0468 3840 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
18:21:13.0468 3840 Gpc - ok
18:21:13.0500 3840 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
18:21:13.0500 3840 HDAudBus - ok
18:21:13.0593 3840 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
18:21:13.0593 3840 HidUsb - ok
18:21:13.0593 3840 hpn - ok
18:21:13.0625 3840 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
18:21:13.0625 3840 HTTP - ok
18:21:13.0625 3840 i2omgmt - ok
18:21:13.0625 3840 i2omp - ok
18:21:13.0656 3840 i8042prt (97eef4179f7ec9138254c944bb0e1ef8) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
18:21:13.0656 3840 i8042prt - ok
18:21:13.0671 3840 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
18:21:13.0671 3840 Imapi - ok
18:21:13.0671 3840 ini910u - ok
18:21:13.0796 3840 IntcAzAudAddService (2feb5bf0312e1cb76cd2caa875cbaa5d) C:\WINDOWS\system32\drivers\RtkHDAud.sys
18:21:13.0812 3840 IntcAzAudAddService - ok
18:21:13.0890 3840 IntelIde - ok
18:21:13.0921 3840 intelppm (f2fcd248738a7f5fb2857341832591a6) C:\WINDOWS\system32\DRIVERS\intelppm.sys
18:21:13.0921 3840 intelppm - ok
18:21:13.0937 3840 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
18:21:13.0937 3840 Ip6Fw - ok
18:21:13.0968 3840 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
18:21:13.0968 3840 IpFilterDriver - ok
18:21:13.0984 3840 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
18:21:13.0984 3840 IpInIp - ok
18:21:14.0000 3840 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
18:21:14.0000 3840 IpNat - ok
18:21:14.0093 3840 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
18:21:14.0109 3840 IPSec - ok
18:21:14.0140 3840 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
18:21:14.0140 3840 IRENUM - ok
18:21:14.0187 3840 isapnp (e058a0e262c184f4d47a7677291ac81e) C:\WINDOWS\system32\DRIVERS\isapnp.sys
18:21:14.0187 3840 isapnp - ok
18:21:14.0218 3840 Kbdclass (e05fd8a6f54f4fd6f628b48c0ccee2a4) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
18:21:14.0218 3840 Kbdclass - ok
18:21:14.0328 3840 kbdhid (9c5f0cb2a0fd3180ab17b5d3566f5033) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
18:21:14.0328 3840 kbdhid - ok
18:21:14.0359 3840 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
18:21:14.0359 3840 kmixer - ok
18:21:14.0375 3840 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
18:21:14.0375 3840 KSecDD - ok
18:21:14.0390 3840 lbrtfdc - ok
18:21:14.0437 3840 LMIInfo - ok
18:21:14.0484 3840 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
18:21:14.0484 3840 lmimirr - ok
18:21:14.0500 3840 LMIRfsClientNP - ok
18:21:14.0515 3840 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
18:21:14.0531 3840 LMIRfsDriver - ok
18:21:14.0609 3840 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys
18:21:14.0609 3840 MBAMProtector - ok
18:21:14.0640 3840 mcdbus (8fd868e32459ece2a1bb0169f513d31e) C:\WINDOWS\system32\DRIVERS\mcdbus.sys
18:21:14.0640 3840 mcdbus - ok
18:21:14.0718 3840 mcdevice (47c2f03b43bd5ae99c2f36f1773152ff) C:\WINDOWS\system32\DRIVERS\mcdevice.sys
18:21:14.0718 3840 mcdevice - ok
18:21:14.0765 3840 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
18:21:14.0765 3840 mnmdd - ok
18:21:14.0859 3840 Modem (c8088f5ceae5784a8b4addd9355ef247) C:\WINDOWS\system32\drivers\Modem.sys
18:21:14.0859 3840 Modem - ok
18:21:14.0890 3840 Mouclass (57c0574c8b9a26092ec301f88861919c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
18:21:14.0890 3840 Mouclass - ok
18:21:14.0906 3840 mouhid (67d4fcccf487a1d4277ab31151e33d42) C:\WINDOWS\system32\DRIVERS\mouhid.sys
18:21:14.0906 3840 mouhid - ok
18:21:14.0921 3840 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
18:21:14.0921 3840 MountMgr - ok
18:21:14.0937 3840 mraid35x - ok
18:21:14.0953 3840 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
18:21:14.0953 3840 MRxDAV - ok
18:21:14.0984 3840 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
18:21:15.0000 3840 MRxSmb - ok
18:21:15.0093 3840 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
18:21:15.0109 3840 Msfs - ok
18:21:15.0140 3840 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
18:21:15.0140 3840 MSKSSRV - ok
18:21:15.0140 3840 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
18:21:15.0140 3840 MSPCLOCK - ok
18:21:15.0156 3840 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
18:21:15.0156 3840 MSPQM - ok
18:21:15.0171 3840 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
18:21:15.0171 3840 mssmbios - ok
18:21:15.0187 3840 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
18:21:15.0187 3840 MSTEE - ok
18:21:15.0187 3840 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
18:21:15.0203 3840 Mup - ok
18:21:15.0218 3840 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
18:21:15.0234 3840 NABTSFEC - ok
18:21:15.0343 3840 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
18:21:15.0359 3840 NDIS - ok
18:21:15.0375 3840 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
18:21:15.0390 3840 NdisIP - ok
18:21:15.0390 3840 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
18:21:15.0406 3840 NdisTapi - ok
18:21:15.0406 3840 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
18:21:15.0406 3840 Ndisuio - ok
18:21:15.0421 3840 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
18:21:15.0421 3840 NdisWan - ok
18:21:15.0531 3840 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
18:21:15.0531 3840 NDProxy - ok
18:21:15.0546 3840 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
18:21:15.0546 3840 NetBIOS - ok
18:21:15.0562 3840 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
18:21:15.0578 3840 NetBT - ok
18:21:15.0578 3840 nmwcdnsu - ok
18:21:15.0593 3840 nmwcdnsuc - ok
18:21:15.0593 3840 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
18:21:15.0593 3840 Npfs - ok
18:21:15.0609 3840 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
18:21:15.0625 3840 Ntfs - ok
18:21:15.0640 3840 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
18:21:15.0640 3840 Null - ok
18:21:15.0843 3840 nv (b9b1bb146eb9a83dcf0f5635b09d3d43) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
18:21:15.0984 3840 nv - ok
18:21:16.0078 3840 NVHDA (311d7c3c8fc53f47f03df9633c0e1498) C:\WINDOWS\system32\drivers\nvhda32.sys
18:21:16.0093 3840 NVHDA - ok
18:21:16.0140 3840 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
18:21:16.0156 3840 NwlnkFlt - ok
18:21:16.0171 3840 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
18:21:16.0171 3840 NwlnkFwd - ok
18:21:16.0187 3840 Parport (bd549622b39da6ef5ba31cb01b2179d3) C:\WINDOWS\system32\DRIVERS\parport.sys
18:21:16.0187 3840 Parport - ok
18:21:16.0203 3840 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
18:21:16.0203 3840 PartMgr - ok
18:21:16.0250 3840 ParVdm (ad8f8e81709e222076678a501bd6d1e1) C:\WINDOWS\system32\drivers\ParVdm.sys
18:21:16.0250 3840 ParVdm - ok
18:21:16.0328 3840 PCI (40f8158057494d56d22038e4536c5395) C:\WINDOWS\system32\DRIVERS\pci.sys
18:21:16.0328 3840 PCI - ok
18:21:16.0375 3840 PCIDump - ok
18:21:16.0390 3840 PCIIde (6683c158d30ded5dbfd5733ce066be9a) C:\WINDOWS\system32\DRIVERS\pciide.sys
18:21:16.0390 3840 PCIIde - ok
18:21:16.0421 3840 Pcmcia (5f8c49e11d221e6a9c7f016758bd9c92) C:\WINDOWS\system32\drivers\Pcmcia.sys
18:21:16.0437 3840 Pcmcia - ok
18:21:16.0437 3840 PDCOMP - ok
18:21:16.0437 3840 PDFRAME - ok
18:21:16.0453 3840 PDRELI - ok
18:21:16.0453 3840 PDRFRAME - ok
18:21:16.0453 3840 perc2 - ok
18:21:16.0468 3840 perc2hib - ok
18:21:16.0484 3840 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
18:21:16.0484 3840 PptpMiniport - ok
18:21:16.0515 3840 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
18:21:16.0515 3840 PSched - ok
18:21:16.0546 3840 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
18:21:16.0562 3840 Ptilink - ok
18:21:16.0625 3840 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
18:21:16.0625 3840 PxHelp20 - ok
18:21:16.0640 3840 ql1080 - ok
18:21:16.0640 3840 Ql10wnt - ok
18:21:16.0640 3840 ql12160 - ok
18:21:16.0656 3840 ql1240 - ok
18:21:16.0656 3840 ql1280 - ok
18:21:16.0656 3840 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
18:21:16.0656 3840 RasAcd - ok
18:21:16.0687 3840 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
18:21:16.0703 3840 Rasl2tp - ok
18:21:16.0718 3840 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
18:21:16.0718 3840 RasPppoe - ok
18:21:16.0718 3840 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
18:21:16.0718 3840 Raspti - ok
18:21:16.0734 3840 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
18:21:16.0750 3840 Rdbss - ok
18:21:16.0796 3840 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
18:21:16.0796 3840 RDPCDD - ok
18:21:16.0812 3840 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
18:21:16.0828 3840 rdpdr - ok
18:21:16.0843 3840 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
18:21:16.0859 3840 RDPWD - ok
18:21:16.0875 3840 redbook (62d088cfdf90670dc22cdf236424e9ab) C:\WINDOWS\system32\DRIVERS\redbook.sys
18:21:16.0875 3840 redbook - ok
18:21:16.0921 3840 Revoflt (8b5b8a11306190c6963d3473f052d3c8) C:\WINDOWS\system32\DRIVERS\revoflt.sys
18:21:16.0921 3840 Revoflt - ok
18:21:16.0984 3840 RTLE8023xp (839141088ad7ee90f5b441b2d1afd22c) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
18:21:16.0984 3840 RTLE8023xp - ok
18:21:17.0031 3840 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
18:21:17.0031 3840 Secdrv - ok
18:21:17.0062 3840 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
18:21:17.0062 3840 serenum - ok
18:21:17.0078 3840 Serial (c4e811de8388c98eb5701a6dd2b14b33) C:\WINDOWS\system32\DRIVERS\serial.sys
18:21:17.0078 3840 Serial - ok
18:21:17.0093 3840 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
18:21:17.0093 3840 Sfloppy - ok
18:21:17.0093 3840 Simbad - ok
18:21:17.0109 3840 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
18:21:17.0125 3840 SLIP - ok
18:21:17.0156 3840 Sparrow - ok
18:21:17.0203 3840 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
18:21:17.0203 3840 splitter - ok
18:21:17.0265 3840 sr (ec70007bab7c42ccd340a068f87873a6) C:\WINDOWS\system32\DRIVERS\sr.sys
18:21:17.0265 3840 sr - ok
18:21:17.0281 3840 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
18:21:17.0296 3840 Srv - ok
18:21:17.0328 3840 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
18:21:17.0328 3840 ssmdrv - ok
18:21:17.0390 3840 ss_bus (54946449a0eb74915a4bb34f7ee51a5a) C:\WINDOWS\system32\DRIVERS\ss_bus.sys
18:21:17.0406 3840 ss_bus - ok
18:21:17.0453 3840 ss_mdfl (4450bc0b2e9d7d9b90e3c3de4ea00a78) C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
18:21:17.0453 3840 ss_mdfl - ok
18:21:17.0515 3840 ss_mdm (30b8d0dd01ead1243f329caf7d7d1517) C:\WINDOWS\system32\DRIVERS\ss_mdm.sys
18:21:17.0531 3840 ss_mdm - ok
18:21:17.0562 3840 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
18:21:17.0562 3840 streamip - ok
18:21:17.0578 3840 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
18:21:17.0593 3840 swenum - ok
18:21:17.0656 3840 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
18:21:17.0656 3840 swmidi - ok
18:21:17.0687 3840 symc810 - ok
18:21:17.0687 3840 symc8xx - ok
18:21:17.0703 3840 sym_hi - ok
18:21:17.0703 3840 sym_u3 - ok
18:21:17.0750 3840 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
18:21:17.0750 3840 sysaudio - ok
18:21:17.0765 3840 TBPanel (04e1c782cf14b7282ebc633b0fd3ed16) C:\WINDOWS\system32\drivers\TBPanel.sys
18:21:17.0765 3840 TBPanel - ok
18:21:17.0781 3840 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
18:21:17.0796 3840 Tcpip - ok
18:21:17.0812 3840 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
18:21:17.0828 3840 TDPIPE - ok
18:21:17.0875 3840 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
18:21:17.0875 3840 TDTCP - ok
18:21:17.0906 3840 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
18:21:17.0906 3840 TermDD - ok
18:21:17.0921 3840 TosIde - ok
18:21:17.0968 3840 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
18:21:17.0984 3840 Udfs - ok
18:21:17.0984 3840 ultra - ok
18:21:18.0031 3840 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
18:21:18.0046 3840 Update - ok
18:21:18.0046 3840 upperdev - ok
18:21:18.0078 3840 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
18:21:18.0078 3840 usbccgp - ok
18:21:18.0140 3840 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
18:21:18.0140 3840 usbehci - ok
18:21:18.0203 3840 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
18:21:18.0218 3840 usbhub - ok
18:21:18.0265 3840 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
18:21:18.0265 3840 usbprint - ok
18:21:18.0312 3840 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
18:21:18.0312 3840 usbscan - ok
18:21:18.0343 3840 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\DRIVERS\usbser.sys
18:21:18.0343 3840 usbser - ok
18:21:18.0375 3840 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:21:18.0375 3840 USBSTOR - ok
18:21:18.0406 3840 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
18:21:18.0406 3840 usbuhci - ok
18:21:18.0484 3840 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
18:21:18.0484 3840 usbvideo - ok
18:21:18.0515 3840 VBoxDrv (9085d8f20ddbcfe8c9077b52d84ff222) C:\WINDOWS\system32\DRIVERS\VBoxDrv.sys
18:21:18.0531 3840 VBoxDrv - ok
18:21:18.0562 3840 VBoxNetAdp (8e4508c7b571f686129e7c4b89cb673d) C:\WINDOWS\system32\DRIVERS\VBoxNetAdp.sys
18:21:18.0562 3840 VBoxNetAdp - ok
18:21:18.0609 3840 VBoxNetFlt (d570f05d62f9edad752107ddaf8e46d5) C:\WINDOWS\system32\DRIVERS\VBoxNetFlt.sys
18:21:18.0609 3840 VBoxNetFlt - ok
18:21:18.0656 3840 VBoxUSB (82f8ea163001b1058d8d2cac7196a42f) C:\WINDOWS\system32\Drivers\VBoxUSB.sys
18:21:18.0656 3840 VBoxUSB - ok
18:21:18.0656 3840 VBoxUSBMon (a120efae1dd363a018641934f535409c) C:\WINDOWS\system32\DRIVERS\VBoxUSBMon.sys
18:21:18.0671 3840 VBoxUSBMon - ok
18:21:18.0734 3840 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
18:21:18.0734 3840 VgaSave - ok
18:21:18.0750 3840 ViaIde - ok
18:21:18.0765 3840 VolSnap (77c942f961eca976ca12b12e36f3505a) C:\WINDOWS\system32\drivers\VolSnap.sys
18:21:18.0781 3840 VolSnap - ok
18:21:18.0796 3840 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
18:21:18.0812 3840 Wanarp - ok
18:21:18.0875 3840 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
18:21:18.0890 3840 Wdf01000 - ok
18:21:18.0890 3840 WDICA - ok
18:21:18.0921 3840 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
18:21:18.0937 3840 wdmaud - ok
18:21:18.0968 3840 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
18:21:18.0984 3840 WpdUsb - ok
18:21:19.0062 3840 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
18:21:19.0062 3840 WSTCODEC - ok
18:21:19.0093 3840 WudfPf (6ff66513d372d479ef1810223c8d20ce) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
18:21:19.0093 3840 WudfPf - ok
18:21:19.0109 3840 WudfRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
18:21:19.0109 3840 WudfRd - ok
18:21:19.0140 3840 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
18:21:19.0234 3840 \Device\Harddisk0\DR0 - ok
18:21:19.0234 3840 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR2
18:21:19.0234 3840 \Device\Harddisk1\DR2 - ok
18:21:19.0234 3840 Boot (0x1200) (3713e1167ce762d471101805e5538855) \Device\Harddisk0\DR0\Partition0
18:21:19.0234 3840 \Device\Harddisk0\DR0\Partition0 - ok
18:21:19.0250 3840 Boot (0x1200) (bf36951ec079a608231eec2057193514) \Device\Harddisk1\DR2\Partition0
18:21:19.0250 3840 \Device\Harddisk1\DR2\Partition0 - ok
18:21:19.0250 3840 ============================================================
18:21:19.0250 3840 Scan finished
18:21:19.0250 3840 ============================================================
18:21:19.0250 2680 Detected object count: 0
18:21:19.0250 2680 Actual detected object count: 0

#11 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
Posted 23 November 2011 - 08:33 PM

Hello

This is the tool I would like you to try and run next.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 espelled
  • Topic Starter
  • Members
  • 50 posts
Posted 24 November 2011 - 01:17 AM

Hello Gringo,
Below is the MBR scan log.
Just before it finished, the Generic Host Process for Win32 Services error message came up, so perhaps the worm was doing something in the background. Also, the MBR program automatically generated an MBR.dat file. Do you need it?
All the best,
Shakhar

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-11-24 08:10:07
-----------------------------
08:10:07.437 OS Version: Windows 5.1.2600 Service Pack 3
08:10:07.437 Number of processors: 4 586 0x170A
08:10:07.437 ComputerName: WINXPSP3 UserName:
08:10:08.796 Initialize success
08:10:21.812 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP5T0L0-14
08:10:21.812 Disk 0 Vendor: Hitachi_HDT721032SLA360 ST2OA3AA Size: 305244MB BusType: 3
08:10:23.843 Disk 0 MBR read successfully
08:10:23.843 Disk 0 MBR scan
08:10:23.843 Disk 0 Windows XP default MBR code
08:10:23.843 Disk 0 scanning sectors +625121280
08:10:23.906 Disk 0 scanning C:\WINDOWS\system32\drivers
08:10:31.203 Service scanning
08:10:32.578 Modules scanning
08:10:52.640 Disk 0 trace - called modules:
08:10:52.671 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
08:10:52.671 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b1f6ab8]
08:10:52.671 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\00000076[0x8b2151e0]
08:10:52.671 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP5T0L0-14[0x8b1fbd98]
08:10:52.671 Scan finished successfully
08:11:04.687 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\????? ??????\MBR.dat"
08:11:04.687 The log file has been saved successfully to "C:\Documents and Settings\Administrator\????? ??????\aswMBR.txt"

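The MBR.dat that aswMBR wrote in the post above is a raw copy of the disk's first sector, and the TDSSKiller log earlier in the thread prints an MD5 for each disk's "MBR (0x1B8)". The Python below is an added example, not part of this thread and not code from aswMBR, TDSSKiller or BleepingComputer: it parses such a 512-byte dump, hashes the boot-code region, reads the partition table and reports where the unpartitioned tail begins. Two things are assumptions about the tools rather than facts from the thread: that TDSSKiller's 0x1B8 is the length of the hashed boot-code region, and that aswMBR's "scanning sectors +N" is the first sector after the last partition. The sample sector, its disk signature and the function names are constructed for the example; the sample is not a real Windows XP MBR, so its hash will not match the thread's.

```python
"""Inspect a raw 512-byte MBR dump such as the MBR.dat that aswMBR saves.

Added example for this thread; not code from aswMBR, TDSSKiller or
BleepingComputer. The "MBR (0x1B8) (<md5>)" line in a TDSSKiller log is read
here as an MD5 over the first 0x1B8 bytes of the sector, i.e. the boot code
that precedes the 4-byte disk signature, 2 reserved bytes and the 64-byte
partition table (an assumption about the tool). The sample sector below is
constructed and is not a real Windows XP MBR.
"""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_LEN = 0x1B8        # region TDSSKiller labels "MBR (0x1B8)"
DISK_SIG_OFF = 0x1B8         # NT disk signature (4 bytes) + 2 reserved bytes
PART_TABLE_OFF = 0x1BE       # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed MBR: a few bytes of x86 boot code padded with zeros, a made-up
    disk signature, and one active NTFS (type 0x07) partition that starts at LBA 63
    and ends at sector 625121280, the number aswMBR printed for the disk in the thread."""
    boot_code = bytes.fromhex("33c08ed0bc007c").ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x1A2B3C4D) + b"\x00\x00"
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 625121217)
    table = entry + b"\x00" * 48          # three empty entries
    return boot_code + disk_sig + table + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Split the sector into the fields the two scanners report on."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for slot in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * slot)
        if ptype == 0:                    # empty slot
            continue
        partitions.append({"slot": slot, "active": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "boot_code_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "has_boot_signature": mbr[-2:] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def first_unallocated_sector(info: dict) -> int:
    """First LBA past the last partition. Bootkits of the TDL4 family kept their
    payload in this unpartitioned tail, which is why aswMBR scans it; the example
    assumes its "scanning sectors +N" line refers to this offset."""
    return max((p["lba_start"] + p["sectors"] for p in info["partitions"]), default=0)


def check_mbr(mbr: bytes, known_good_md5: str) -> list[str]:
    """Return findings; an empty list means the sector looks as expected."""
    info = parse_mbr(mbr)
    findings = []
    if not info["has_boot_signature"]:
        findings.append("55AA boot signature missing")
    if info["boot_code_md5"] != known_good_md5.lower():
        findings.append(f"boot code MD5 {info['boot_code_md5']} differs from known-good {known_good_md5}")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    return findings


if __name__ == "__main__":
    # Usage: python mbr_check.py [MBR.dat] [known-good md5]; without arguments the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(data)
    print(f"boot code md5 {info['boot_code_md5']}  disk signature {info['disk_signature']:08x}")
    for p in info["partitions"]:
        print(f"slot {p['slot']}: type 0x{p['type']:02x} active={p['active']} "
              f"lba {p['lba_start']} sectors {p['sectors']}")
    print("unallocated tail starts at sector", first_unallocated_sector(info))
    if len(sys.argv) > 2:
        print(check_mbr(data, sys.argv[2]) or "no findings")
```

The known-good hash has to come from somewhere you trust (the same Windows version on a clean machine, or the vendor's own database, which is what the two scanners carry); a hash that merely matches the one TDSSKiller printed on the infected machine proves nothing.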
#13 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
Posted 24 November 2011 - 01:38 AM

Create and Run Batch File
Open Notepad and copy/paste the entire contents of the codebox below, into Notepad:
@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Log1.txt
del %0
Save this as router.bat. Choose "Save as type: All Files" and save it to the Desktop, then close the Notepad file.

Double-click on router.bat to run it. It will open Notepad when done; please post back the results.
gringo

#14 espelled
  • Topic Starter
  • Members
  • 50 posts
Posted 24 November 2011 - 01:50 AM

Thanks Gringo, here's the router.bat data:

Windows IP Configuration

Host Name . . . . . . . . . . . . : winxpsp3
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC
Physical Address. . . . . . . . . : 00-24-1D-83-1F-DA
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 85.64.44.119
Subnet Mask . . . . . . . . . . . : 255.255.248.0
Default Gateway . . . . . . . . . : 85.64.40.1
DHCP Server . . . . . . . . . . . : 172.18.144.176
DNS Servers . . . . . . . . . . . : 212.143.212.143
                                    194.90.1.5
Lease Obtained. . . . . . . . . . : Wednesday, November 23, 2011 16:20:47
Lease Expires . . . . . . . . . . : Friday, November 25, 2011 10:16:53

Ethernet adapter VirtualBox Host-Only Network:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VirtualBox Host-Only Ethernet Adapter
Physical Address. . . . . . . . . : 08-00-27-00-74-30
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.56.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Server: dns2.netvision.net.il
Address: 212.143.212.143

Name: google.com
Addresses: 74.125.39.104, 74.125.39.105, 74.125.39.106, 74.125.39.147
           74.125.39.99, 74.125.39.103

Server: dns2.netvision.net.il
Address: 212.143.212.143

Name: yahoo.com
Addresses: 98.137.149.56, 98.139.180.149, 209.191.122.70, 72.30.2.43

Pinging google.com [74.125.39.147] with 32 bytes of data:

Reply from 74.125.39.147: bytes=32 time=103ms TTL=49
Reply from 74.125.39.147: bytes=32 time=102ms TTL=49

Ping statistics for 74.125.39.147:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 102ms, Maximum = 103ms, Average = 102ms

Pinging yahoo.com [72.30.2.43] with 32 bytes of data:

Reply from 72.30.2.43: bytes=32 time=259ms TTL=49
Reply from 72.30.2.43: bytes=32 time=247ms TTL=49

Ping statistics for 72.30.2.43:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 247ms, Maximum = 259ms, Average = 253ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 24 1d 83 1f da ...... Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC - Packet Scheduler Miniport
0x3 ...08 00 27 00 74 30 ...... VirtualBox Host-Only Ethernet Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       85.64.40.1     85.64.44.119      20
       85.64.40.0    255.255.248.0     85.64.44.119     85.64.44.119      20
     85.64.44.119  255.255.255.255        127.0.0.1        127.0.0.1      20
   85.255.255.255  255.255.255.255     85.64.44.119     85.64.44.119      20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
     192.168.56.0    255.255.255.0     192.168.56.1     192.168.56.1      20
     192.168.56.1  255.255.255.255        127.0.0.1        127.0.0.1      20
   192.168.56.255  255.255.255.255     192.168.56.1     192.168.56.1      20
        224.0.0.0        240.0.0.0     85.64.44.119     85.64.44.119      20
        224.0.0.0        240.0.0.0     192.168.56.1     192.168.56.1      20
  255.255.255.255  255.255.255.255     85.64.44.119     85.64.44.119       1
  255.255.255.255  255.255.255.255     192.168.56.1     192.168.56.1       1
Default Gateway:        85.64.40.1
===========================================================================
Persistent Routes:
None

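What the helper is looking for in output like the above is a resolver or gateway that the machine should not have: DNS-changing trojans and hijacked routers show up as unexpected "DNS Servers" entries, as nslookup being answered by a server the adapter was never configured with, or as ping resolving a name to something nslookup did not return (a tampered hosts file). The Python below is an added example, not code from the thread, from BleepingComputer or from the helper: it parses the Log1.txt that router.bat writes (Windows XP field names assumed) and applies those checks plus two more, a static resolver on an adapter that is not using DHCP and a gateway outside the adapter's own subnet. The trusted resolver list is built from the addresses in the log above on the assumption that they are the ISP's; the helper's advice to confirm that with the ISP still applies. The sample log is a constructed excerpt of the log above, and the constant and function names are the example's own.

```python
"""Audit the Log1.txt written by the thread's router.bat (added example, not
BleepingComputer's or the helper's code). Parses the ipconfig /all, nslookup and
ping sections (Windows XP field names assumed) and flags what the helper checks
by eye; TRUSTED_DNS and SAMPLE_LOG are constructed from values in the thread."""
import ipaddress
import re
import sys

TRUSTED_DNS = {"212.143.212.143", "194.90.1.5"}   # assumed: the ISP resolvers seen in the thread

SAMPLE_LOG = """\
Ethernet adapter Local Area Connection:

Dhcp Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 85.64.44.119
Subnet Mask . . . . . . . . . . . : 255.255.248.0
Default Gateway . . . . . . . . . : 85.64.40.1
DNS Servers . . . . . . . . . . . : 212.143.212.143
194.90.1.5

Ethernet adapter VirtualBox Host-Only Network:

Dhcp Enabled. . . . . . . . . . . : No
Default Gateway . . . . . . . . . :

Server: dns2.netvision.net.il
Address: 212.143.212.143

Name: google.com
Addresses: 74.125.39.104, 74.125.39.105, 74.125.39.147
74.125.39.99, 74.125.39.103

Pinging google.com [74.125.39.147] with 32 bytes of data:
"""

ADAPTER_RE = re.compile(r"^\S.* adapter (.+):$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(.*?)\s*$")   # "Key . . . : value"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PING_RE = re.compile(r"^Pinging (\S+) \[([\d.]+)\]")

def parse_log(text: str) -> dict:
    """-> {"adapters": {name: {field: [values]}}, "lookups": [...], "pings": [(host, ip)]}"""
    adapters, lookups, pings = {}, [], []
    current = lookup = last_key = None      # adapter / nslookup answer being filled; field for continuation lines
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := ADAPTER_RE.match(line):
            current, last_key = adapters.setdefault(m.group(1), {}), None
        elif m := PING_RE.match(line):
            pings.append((m.group(1), m.group(2)))
            last_key = None                 # ping and route print output follows; no continuations there
        elif m := FIELD_RE.match(line):
            key, value = m.group(1).lower(), m.group(2)
            if key == "server":             # nslookup output begins, ipconfig is over
                current, last_key = None, None
                lookup = {"server_ip": None, "name": None, "addresses": []}
                lookups.append(lookup)
            elif lookup is not None and key in ("address", "addresses"):
                ips = IPV4_RE.findall(value)
                if lookup["name"] is None:  # "Address:" right after "Server:" is the resolver
                    lookup["server_ip"] = ips[0] if ips else None
                else:                       # answers for the queried name
                    lookup["addresses"] += ips
                    last_key = "addresses"
            elif lookup is not None and key == "name":
                lookup["name"] = value
            elif current is not None:
                current.setdefault(key, []).append(value)
                last_key = key
        elif ":" not in line and last_key:  # continuation line: 2nd DNS server, more answers
            if last_key == "addresses":
                lookup["addresses"] += IPV4_RE.findall(line)
            elif current is not None:
                current[last_key].append(line)
    return {"adapters": adapters, "lookups": lookups, "pings": pings}

def audit(parsed: dict, trusted_dns=TRUSTED_DNS) -> list[str]:
    """Return findings; an empty list means nothing looked hijacked."""
    findings, configured = [], set()
    for name, f in parsed["adapters"].items():
        dhcp = (f.get("dhcp enabled") or ["No"])[0].lower() == "yes"
        dns = [ip for ip in f.get("dns servers", []) if IPV4_RE.fullmatch(ip)]
        configured.update(dns)
        findings += [f"{name}: DNS server {ip} is not on the trusted list" for ip in dns if ip not in trusted_dns]
        if dns and not dhcp:
            findings.append(f"{name}: static DNS {', '.join(dns)} on an adapter without DHCP")
        gw, ip, mask = ((f.get(k) or [""])[0] for k in ("default gateway", "ip address", "subnet mask"))
        if gw and ip and mask and ipaddress.ip_address(gw) not in ipaddress.ip_network(f"{ip}/{mask}", strict=False):
            findings.append(f"{name}: gateway {gw} is outside the adapter's subnet {ip}/{mask}")
    for lk in parsed["lookups"]:
        if lk["server_ip"] and lk["server_ip"] not in configured:
            findings.append(f"nslookup was answered by {lk['server_ip']}, which no adapter is configured to use")
    answers = {lk["name"]: set(lk["addresses"]) for lk in parsed["lookups"] if lk["name"]}
    for host, ip in parsed["pings"]:
        if host in answers and ip not in answers[host]:
            findings.append(f"ping resolved {host} to {ip}, an address nslookup did not return (hosts file?)")
    return findings

if __name__ == "__main__":                  # python audit_log.py Log1.txt
    print("\n".join(audit(parse_log(open(sys.argv[1], errors="replace").read()))) or "no findings")
```

Run against the log above it reports nothing, which matches the helper's reading: both resolvers are the ISP's, nslookup is answered by one of them, and ping agrees with nslookup. A rogue resolver, a redirected nslookup or a hosts-file entry for google.com would each produce one line of output.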
#15 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
Posted 24 November 2011 - 01:53 AM

After you have run these steps, you need to let me know how the computer is doing.

Resetting Router


  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • If you don't know the router's default password, you can look it up here.
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using, or you can use OpenDNS.
Note: After resetting your router, it is important to set a non-default password, and if possible, username, on the router. This will assist in eliminating the possibility of the router being hijacked again.

flush the DNS:

Now let's flush the DNS on the computer:

  • click on Start
  • select run
  • enter cmd and hit enter
  • a black window will open.
  • please enter the following text into that window and hit enter:


    ipconfig /flushdns

Now let's check the router again.

Create and Run Batch File
Open Notepad and copy/paste the entire contents of the codebox below, into Notepad:
@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Log1.txt
del %0
Save this as router.bat. Choose "Save as type: All Files" and save it to the Desktop, then close the Notepad file.

Double-click on router.bat to run it. It will open Notepad when done; please post back the results.

gringo