Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


I don't know what type of infection I have

  • This topic is locked This topic is locked
17 replies to this topic

#1 Khalan


  • Members
  • 9 posts
  • Local time:01:01 AM

Posted 21 December 2011 - 11:05 AM

Several days ago my computer screen had vertical lines in it and went blank (I had a free version of Avira installed). I was able to restore to an earlier version but I uninstalled Avira and installed paid version of Webroot instead. Webroot didn't find any infections and every time that my computer boots up I get a message about Avira. SO Avira is not completely uninstalled and my computer is freezing up and is in a very unstable state. This is a computer for an office practice and I really need help as I can't afford to buy a new one. Operating system is Windows Vista HOme premium service pack 2. I know next to nothing about infection removal and I know something is wrong. Here is my Hijack this log file if anyone can help me:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:45:09 AM, on 12/21/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Safe mode

Running processes:
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
O2 - BHO: CutePDF Form Filler - {D41289F2-69C6-417B-897E-C653D677CBAF} - C:\Program Files (x86)\Acro Software\CutePDF Filler Evaluation\CPFillerCoE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [DT HPW] "C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe" -HPW
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] "C:\Program Files (x86)\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
O4 - HKLM\..\Run: [D-Link D-Link Xtreme N Dual Band DWA-160] "C:\Program Files (x86)\D-Link\DWA-160\AirNCFG.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [WRSVC] "C:\Program Files (x86)\Webroot\WRSA.exe" -ul
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: eCentral.lnk = C:\Program Files (x86)\Eshasoft\Calendar and Day Planner (USA Edition)\eCentral.exe
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: ANIWConn Service (ANIWConnService) - Unknown owner - C:\Windows\system32\ANIWConnService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Upgrade Service (AviraUpgradeService) - Unknown owner - C:\Windows\TEMP\AVSETUP_4ee77fe8\avupgsvc.exe (file missing)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files (x86)\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: WRSVC - Webroot - C:\Program Files (x86)\Webroot\WRSA.exe
O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)

BC AdBot (Login to Remove)


#2 Khalan

  • Topic Starter

  • Members
  • 9 posts
  • Local time:01:01 AM

Posted 21 December 2011 - 11:24 AM

Also when I run Hijackthis I get the following weird message:

For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may NOT be able to fix this. If that happens, you need to edit the file yourself. To do this, click Start, Run, and type


and press Enter
Find the lines HijackThis reports and delete them. Save the files as 'hosts' (with quotes) and reboot

For vista simply exit Hijack this Right click on the HijackThis icon and choose run as administrator

#3 HelpBot


    Bleepin' Binary Bot

  • Bots
  • 12,631 posts
  • Gender:Male
  • Local time:02:01 AM

Posted 27 December 2011 - 02:10 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:


Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/433747 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.


Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.


We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:06:01 AM

Posted 29 December 2011 - 07:21 PM


Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please carry out HelpBot's instructions above and we can take it from there.
Posted Image
m0le is a proud member of UNITE

#5 Khalan

  • Topic Starter

  • Members
  • 9 posts
  • Local time:01:01 AM

Posted 30 December 2011 - 02:03 PM

No actions have been performed yet, same problems problems as included in the description above. The picture on the screen was shaky this morning and did fade out a couple of times but then it came back up. Windows Vista Home Premium service pak 2 64 bit operating system. I do not have the original Windows CD/DVD. I do have a "Recovery Disk" that I made myself.

Edited by Khalan, 30 December 2011 - 02:15 PM.

#6 Khalan

  • Topic Starter

  • Members
  • 9 posts
  • Local time:01:01 AM

Posted 30 December 2011 - 02:10 PM

Results of DDS logfile:

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Owner at 14:07:38 on 2011-12-30
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.6014.4116 [GMT -5:00]
AV: Webroot SecureAnywhere *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Webroot SecureAnywhere *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Webroot\WRSA.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Webroot\WRSA.exe
C:\Windows\SysWOW64\svchost.exe -k Akamai
C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files (x86)\D-Link\DWA-160\AirNCFG.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mWinlogon: Userinit=userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: CutePDF Form Filler Helper: {d41289f2-69c6-417b-897e-c653d677cbaf} - C:\Program Files (x86)\Acro Software\CutePDF Filler Evaluation\CPFillerCoE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [HPAdvisor] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] C:\HP\KBD\KbdStub.EXE
mRun: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [DT HPW] "C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe" -HPW
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [ANIWZCS2Service] "C:\Program Files (x86)\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
mRun: [D-Link D-Link Xtreme N Dual Band DWA-160] "C:\Program Files (x86)\D-Link\DWA-160\AirNCFG.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [WRSVC] "C:\Program Files (x86)\Webroot\WRSA.exe" -ul
StartupFolder: C:\Users\Owner\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\eCentral.lnk - C:\Program Files (x86)\Eshasoft\Calendar and Day Planner (USA Edition)\eCentral.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Trusted Zone: internet
Trusted Zone: valantmed.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer =
TCP: Interfaces\{52EE6C9A-FAA5-4EAF-850F-263B7EA20248} : DhcpNameServer =
TCP: Interfaces\{D6CCF123-A69F-4A5C-9310-038C02218CBD} : DhcpNameServer =
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO-X64: Ask Toolbar BHO - No File
BHO-X64: CutePDF Form Filler Helper: {D41289F2-69C6-417B-897E-C653D677CBAF} - C:\Program Files (x86)\Acro Software\CutePDF Filler Evaluation\CPFillerCoE.dll
BHO-X64: CutePDF Form Filler - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
mRun-x64: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun-x64: [KBD] C:\HP\KBD\KbdStub.EXE
mRun-x64: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun-x64: [DT HPW] "C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe" -HPW
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [(Default)]
mRun-x64: [ANIWZCS2Service] "C:\Program Files (x86)\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
mRun-x64: [D-Link D-Link Xtreme N Dual Band DWA-160] "C:\Program Files (x86)\D-Link\DWA-160\AirNCFG.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [WRSVC] "C:\Program Files (x86)\Webroot\WRSA.exe" -ul
================= FIREFOX ===================
FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\g5x8vh6d.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\g5x8vh6d.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
============= SERVICES / DRIVERS ===============
R0 WRkrn;WRkrn;C:\Windows\system32\drivers\WRkrn.sys --> C:\Windows\system32\drivers\WRkrn.sys [?]
R1 anodlwf;ANOD Network Security Filter driver;C:\Windows\system32\DRIVERS\anodlwfx.sys --> C:\Windows\system32\DRIVERS\anodlwfx.sys [?]
R2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2008-1-20 21504]
R2 ANIWConnService;ANIWConn Service;C:\Windows\System32\ANIWConnService.exe [2011-6-1 151552]
R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 MSSQL$AMAZINGCHARTS;SQL Server (AMAZINGCHARTS);C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
R2 WRSVC;WRSVC;C:\Program Files (x86)\Webroot\WRSA.exe [2011-12-13 637208]
R3 arusb_lhx;D-Link DWA-160 device driver;C:\Windows\system32\DRIVERS\dwarusb_lhx.sys --> C:\Windows\system32\DRIVERS\dwarusb_lhx.sys [?]
R3 CAXHWBS3;CAXHWBS3;C:\Windows\system32\DRIVERS\CAXHWBS3.sys --> C:\Windows\system32\DRIVERS\CAXHWBS3.sys [?]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-2-28 136360]
S2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-2-28 269480]
S2 AviraUpgradeService;Avira Upgrade Service;"C:\Windows\TEMP\AVSETUP_4ee77fe8\avupgsvc.exe" /TEMPSTART:""C:\Windows\TEMP\AVSETUP_4ee77fe8\setup.exe" /NOTEMPCLEANUP /CROSSUPGRADE" --> C:\Windows\TEMP\AVSETUP_4ee77fe8\avupgsvc.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 dhdusb.NTamd64;Dynex Wireless G USB Network Adapter Service;C:\Windows\system32\DRIVERS\bcmusbdhdlh64.sys --> C:\Windows\system32\DRIVERS\bcmusbdhdlh64.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2010-1-25 89920]
=============== File Associations ===============
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
=============== Created Last 30 ================
2011-12-21 15:34:16 -------- d-----w- C:\Windows\pss
2011-12-21 15:24:08 388096 ----a-r- C:\Users\Owner\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-21 15:24:07 -------- d-----w- C:\Program Files (x86)\Trend Micro
2011-12-21 15:03:04 121816 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll
2011-12-21 15:03:03 97240 ----a-w- C:\Program Files (x86)\Mozilla Firefox\libEGL.dll
2011-12-21 15:03:03 814040 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozsqlite3.dll
2011-12-21 15:03:03 626688 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr80.dll
2011-12-21 15:03:03 548864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp80.dll
2011-12-21 15:03:03 486360 ----a-w- C:\Program Files (x86)\Mozilla Firefox\libGLESv2.dll
2011-12-21 15:03:03 479232 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcm80.dll
2011-12-21 15:03:03 43992 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozutils.dll
2011-12-21 15:03:03 2124760 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2011-12-21 15:03:03 2106216 ----a-w- C:\Program Files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-12-21 15:03:03 1998168 ----a-w- C:\Program Files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-12-21 15:03:03 15832 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozalloc.dll
2011-12-15 15:53:52 91832 ----a-w- C:\Windows\System32\WRusr.dll
2011-12-14 14:03:43 85504 ----a-w- C:\Windows\System32\csrsrv.dll
2011-12-14 14:03:41 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-12-14 14:03:41 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-12-14 14:03:38 559616 ----a-w- C:\Windows\System32\EncDec.dll
2011-12-14 14:03:38 429056 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-12-14 14:03:37 2764800 ----a-w- C:\Windows\System32\win32k.sys
2011-12-14 14:03:37 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat
2011-12-14 14:03:37 2409784 ----a-w- C:\Program Files (x86)\Windows Mail\OESpamFilter.dat
2011-12-13 17:43:26 141272 ----a-w- C:\Windows\SysWow64\WRusr.dll
2011-12-13 17:43:26 108896 ----a-w- C:\Windows\System32\drivers\WRkrn.sys
2011-12-13 17:43:25 -------- d-----w- C:\Program Files (x86)\Webroot
2011-12-13 16:45:59 -------- d-----w- C:\Users\Owner\AppData\Roaming\QuickScan
2011-12-13 16:45:30 1426304 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-12-13 16:45:29 893440 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2011-12-13 16:45:29 707584 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll
2011-12-13 16:45:29 50688 ----a-w- C:\Program Files\Windows Mail\wabimp.dll
2011-12-13 15:13:03 -------- d-----w- C:\ProgramData\Avira
2011-12-07 17:00:30 -------- d-----w- C:\ProgramData\WRData
==================== Find3M ====================
2011-12-13 17:40:09 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-04 01:53:39 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-11-04 01:44:47 1390080 ----a-w- C:\Windows\System32\wininet.dll
2011-11-04 01:44:21 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2011-11-04 01:34:43 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-03 22:47:42 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-03 09:06:03 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
============= FINISH: 14:08:16.22 ===============

#7 Khalan

  • Topic Starter

  • Members
  • 9 posts
  • Local time:01:01 AM

Posted 30 December 2011 - 02:12 PM

I have 64 bit so I guess I shouldn't run GMER anti-rootkit Scanner?

#8 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:06:01 AM

Posted 30 December 2011 - 06:02 PM

You can run aswMBR

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Posted Image
m0le is a proud member of UNITE

#9 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:06:01 AM

Posted 02 January 2012 - 11:31 AM


I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.


Posted Image
m0le is a proud member of UNITE

#10 Khalan

  • Topic Starter

  • Members
  • 9 posts
  • Local time:01:01 AM

Posted 03 January 2012 - 09:43 AM

I am sorry I haven't been to work in a few days. Here are the results of the aswMBR

aswMBR version Copyright© 2011 AVAST Software
Run date: 2012-01-03 09:39:55
09:39:55.553 OS Version: Windows x64 6.0.6002 Service Pack 2
09:39:55.553 Number of processors: 4 586 0x202
09:39:55.553 ComputerName: OWNER-PC UserName: Owner
09:39:57.082 Initialize success
09:40:13.283 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000050
09:40:13.283 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 3
09:40:13.314 Disk 0 MBR read successfully
09:40:13.329 Disk 0 MBR scan
09:40:13.329 Disk 0 unknown MBR code
09:40:13.329 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 597236 MB offset 63
09:40:13.376 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 13241 MB offset 1223140905
09:40:13.376 Service scanning
09:40:14.234 Service WRkrn C:\Windows\System32\drivers\WRkrn.sys **LOCKED** 32
09:40:14.765 Modules scanning
09:40:14.765 Disk 0 trace - called modules:
09:40:14.796 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys storport.sys hal.dll nvstor64.sys
09:40:14.811 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80077233e0]
09:40:14.811 3 CLASSPNP.SYS[fffffa60007a2c33] -> nt!IofCallDriver -> [0xfffffa80064d4e40]
09:40:14.827 5 acpi.sys[fffffa60008f8fde] -> nt!IofCallDriver -> \Device\00000050[0xfffffa800641f060]
09:40:14.843 Scan finished successfully
09:40:44.025 Disk 0 MBR has been saved successfully to "C:\Users\Owner\Desktop\MBR.dat"
09:40:44.040 The log file has been saved successfully to "C:\Users\Owner\Desktop\aswMBR.txt"

#11 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:06:01 AM

Posted 03 January 2012 - 06:23 PM

Can you run MBRCheck

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
Posted Image
m0le is a proud member of UNITE

#12 Khalan

  • Topic Starter

  • Members
  • 9 posts
  • Local time:01:01 AM

Posted 04 January 2012 - 09:54 AM

Okay here it is:

MBRCheck, version 1.2.3
© 2010, AD

Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 64-bit
Base Board Manufacturer: PEGATRON CORPORATION
BIOS Manufacturer: Phoenix Technologies, LTD
System Manufacturer: HP-Pavilion
System Product Name: FK562AA-ABA a6614f
Logical Drives Mask: 0x000003fc

Kernel Drivers (total 145):
0x02853000 \SystemRoot\system32\ntoskrnl.exe
0x0280D000 \SystemRoot\system32\hal.dll
0x00609000 \SystemRoot\system32\kdcom.dll
0x00613000 \SystemRoot\system32\PSHED.dll
0x00627000 \SystemRoot\system32\CLFS.SYS
0x00684000 \SystemRoot\system32\CI.dll
0x00808000 \SystemRoot\system32\drivers\Wdf01000.sys
0x008E2000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x008F0000 \SystemRoot\system32\drivers\acpi.sys
0x00946000 \SystemRoot\system32\drivers\WMILIB.SYS
0x0094F000 \SystemRoot\system32\drivers\msisadrv.sys
0x00959000 \SystemRoot\system32\drivers\pci.sys
0x00989000 \SystemRoot\System32\drivers\partmgr.sys
0x0099E000 \SystemRoot\system32\drivers\volmgr.sys
0x00736000 \SystemRoot\System32\drivers\volmgrx.sys
0x009B2000 \SystemRoot\system32\drivers\pciide.sys
0x009B9000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x009C9000 \SystemRoot\System32\drivers\mountmgr.sys
0x009DC000 \SystemRoot\system32\drivers\nvraid.sys
0x0079C000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x00800000 \SystemRoot\system32\drivers\atapi.sys
0x007C8000 \SystemRoot\system32\drivers\ataport.SYS
0x00A0E000 \SystemRoot\system32\drivers\nvstor64.sys
0x00A39000 \SystemRoot\system32\drivers\storport.sys
0x00A96000 \SystemRoot\system32\drivers\fltmgr.sys
0x00ADD000 \SystemRoot\system32\drivers\fileinfo.sys
0x00AF1000 \SystemRoot\System32\drivers\WRkrn.sys
0x00B0F000 \SystemRoot\System32\drivers\msrpc.sys
0x00B5F000 \SystemRoot\System32\drivers\NETIO.SYS
0x00C07000 \SystemRoot\System32\drivers\NDIS.SYS
0x00DCA000 \SystemRoot\System32\drivers\TDI.SYS
0x00E02000 \SystemRoot\System32\Drivers\ksecdd.sys
0x00E89000 \SystemRoot\System32\drivers\tcpip.sys
0x00BB8000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01004000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01184000 \SystemRoot\system32\drivers\volsnap.sys
0x011C8000 \SystemRoot\System32\Drivers\spldr.sys
0x011D0000 \SystemRoot\System32\Drivers\mup.sys
0x01201000 \SystemRoot\System32\drivers\ecache.sys
0x0122D000 \SystemRoot\system32\drivers\disk.sys
0x01241000 \SystemRoot\system32\drivers\crcdisk.sys
0x0128E000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x0129B000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x012A4000 \SystemRoot\system32\DRIVERS\processr.sys
0x012B7000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x012C2000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x01308000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x01319000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x0132B000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x0340A000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x0360D000 \SystemRoot\system32\DRIVERS\nvmfdx64.sys
0x03779000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x03795000 \SystemRoot\system32\DRIVERS\CAXHWBS3.sys
0x034F7000 \SystemRoot\system32\DRIVERS\ks.sys
0x03801000 \SystemRoot\system32\DRIVERS\CAX_DP.sys
0x0352B000 \SystemRoot\system32\DRIVERS\CAX_CNXT.sys
0x03974000 \SystemRoot\system32\drivers\modem.sys
0x03A0F000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x04402000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x044E5000 \SystemRoot\System32\drivers\watchdog.sys
0x044F5000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x0452E000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x04551000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x0455D000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x0458E000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x0459E000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x045BC000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x045D4000 \SystemRoot\system32\DRIVERS\termdd.sys
0x045E7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x0432F000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x045F5000 \SystemRoot\system32\DRIVERS\swenum.sys
0x0433B000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x04346000 \SystemRoot\system32\DRIVERS\umbus.sys
0x04356000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x0439E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x04A01000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x04B69000 \SystemRoot\system32\drivers\portcls.sys
0x04BA4000 \SystemRoot\system32\drivers\drmk.sys
0x04BC7000 \SystemRoot\system32\drivers\ksthunk.sys
0x04BCD000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x04BD7000 \SystemRoot\System32\Drivers\Null.SYS
0x04BEB000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x043C8000 \SystemRoot\System32\drivers\vga.sys
0x043D6000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x04BF3000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x04BE0000 \SystemRoot\system32\drivers\rdpencdd.sys
0x03A00000 \SystemRoot\System32\Drivers\Msfs.SYS
0x043B2000 \SystemRoot\System32\Drivers\Npfs.SYS
0x045F7000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x03983000 \SystemRoot\system32\DRIVERS\tdx.sys
0x039A0000 \SystemRoot\system32\DRIVERS\smb.sys
0x039BB000 \SystemRoot\System32\DRIVERS\netbt.sys
0x0133B000 \SystemRoot\system32\drivers\afd.sys
0x013A6000 \SystemRoot\system32\DRIVERS\pacer.sys
0x037E5000 \SystemRoot\system32\DRIVERS\anodlwfx.sys
0x037EE000 \SystemRoot\system32\DRIVERS\netbios.sys
0x013C4000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x04C09000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x04C56000 \SystemRoot\system32\drivers\nsiproxy.sys
0x04C62000 \SystemRoot\System32\Drivers\dfsc.sys
0x04C7F000 \SystemRoot\system32\DRIVERS\avipbb.sys
0x04CA3000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x04CAC000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x04CBE000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x04CC0000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x04CCB000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x04CE7000 \SystemRoot\system32\DRIVERS\usbscan.sys
0x04CF7000 \SystemRoot\system32\DRIVERS\usbprint.sys
0x04D02000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x04D1A000 \SystemRoot\System32\Drivers\crashdmp.sys
0x04D28000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x04D32000 \SystemRoot\System32\Drivers\dump_nvstor64.sys
0x04D5D000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x05205000 \SystemRoot\system32\DRIVERS\dwarusb_lhx.sys
0x00030000 \SystemRoot\System32\win32k.sys
0x052EA000 \SystemRoot\System32\drivers\Dxapi.sys
0x052F6000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00460000 \SystemRoot\System32\TSDDD.dll
0x006A0000 \SystemRoot\System32\cdd.dll
0x05309000 \SystemRoot\system32\drivers\luafv.sys
0x0532B000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0x0534A000 \SystemRoot\system32\drivers\spsys.sys
0x053E4000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x04D68000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x04D9C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x04DA7000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x09203000 \SystemRoot\system32\drivers\HTTP.sys
0x092A6000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x092CF000 \SystemRoot\system32\DRIVERS\bowser.sys
0x092ED000 \SystemRoot\System32\drivers\mpsdrv.sys
0x09307000 \SystemRoot\system32\drivers\mrxdav.sys
0x0932E000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x09357000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x093A0000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x093BF000 \SystemRoot\System32\DRIVERS\srv2.sys
0x09607000 \SystemRoot\System32\DRIVERS\srv.sys
0x0969A000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0x0969F000 \SystemRoot\system32\drivers\peauth.sys
0x09755000 \SystemRoot\System32\Drivers\secdrv.SYS
0x09760000 \SystemRoot\System32\drivers\tcpipreg.sys
0x09770000 \SystemRoot\system32\DRIVERS\xaudio64.sys
0x09778000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x09798000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
0x097AE000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x776A0000 \Windows\System32\ntdll.dll

Processes (total 64):
0 System Idle Process
4 System
480 C:\Windows\System32\smss.exe
556 csrss.exe
596 C:\Windows\System32\wininit.exe
616 csrss.exe
652 C:\Windows\System32\services.exe
668 C:\Windows\System32\lsass.exe
676 C:\Windows\System32\lsm.exe
840 C:\Windows\System32\svchost.exe
864 C:\Windows\System32\winlogon.exe
916 C:\Program Files (x86)\Webroot\WRSA.exe
940 C:\Windows\System32\nvvsvc.exe
968 C:\Windows\System32\svchost.exe
388 C:\Windows\System32\svchost.exe
500 C:\Windows\System32\svchost.exe
508 C:\Windows\System32\svchost.exe
396 C:\Windows\System32\audiodg.exe
516 C:\Windows\System32\svchost.exe
1032 C:\Windows\System32\SLsvc.exe
1088 C:\Windows\System32\svchost.exe
1200 C:\Windows\System32\svchost.exe
1388 C:\Windows\System32\rundll32.exe
1676 C:\Windows\System32\spoolsv.exe
1732 C:\Windows\System32\svchost.exe
1884 C:\Windows\System32\dwm.exe
1920 C:\Windows\System32\taskeng.exe
1948 C:\Program Files (x86)\Webroot\WRSA.exe
1960 C:\Windows\explorer.exe
1752 C:\Windows\SysWOW64\svchost.exe
2064 C:\Windows\SysWOW64\ANIWConnService.exe
2144 C:\Windows\System32\taskeng.exe
2236 C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe
2308 C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
2428 C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
2532 C:\Windows\System32\svchost.exe
2612 C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
2708 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
2756 C:\Windows\System32\svchost.exe
2880 C:\Windows\System32\svchost.exe
2932 C:\Windows\System32\SearchIndexer.exe
1816 C:\Windows\System32\drivers\XAudio64.exe
3032 WUDFHost.exe
2268 C:\Windows\System32\rundll32.exe
3040 C:\Program Files\Windows Sidebar\sidebar.exe
3388 C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
3468 C:\Windows\ehome\ehtray.exe
3512 C:\Windows\System32\mobsync.exe
3564 C:\Windows\ehome\ehmsas.exe
3660 C:\hp\support\hpsysdrv.exe
3912 C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
3936 C:\Program Files (x86)\ANI\ANIWZCS2 Service\WZCSLDR2.exe
3944 C:\Program Files (x86)\D-Link\DWA-160\AirNCFG.exe
3960 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
2572 C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
4020 C:\Windows\System32\svchost.exe
1540 C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe
3608 C:\hp\KBD\kbd.exe
2980 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
1444 C:\Windows\System32\SearchProtocolHost.exe
3952 C:\Windows\System32\SearchFilterHost.exe
164 dllhost.exe
2792 dllhost.exe
1516 C:\Users\Owner\Downloads\MBRCheck(1).exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000091`cf4c5200 (NTFS)

PhysicalDrive0 Model Number: WDC WD6400AAKS-65A7B, Rev: 01.0

Size Device Name MBR Status
596 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: CEFD837A02A1F4445A136688B10013AE4399C2CF

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Edited by Khalan, 04 January 2012 - 09:54 AM.

#13 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:06:01 AM

Posted 04 January 2012 - 12:44 PM

That looks fine from those logs.

Please run MBAM and SAS and let's see if anything comes up from there

Please download Posted Image Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Download Superantispyware
  • Load Superantispyware and click the check for updates button.
  • Once the update is finished click the scan your computer button.
  • Check Perform Complete Scan and then next.
  • Superantispyware will now scan your computer and when its finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Copy and paste the log onto the forum.

Posted Image
m0le is a proud member of UNITE

#14 Khalan

  • Topic Starter

  • Members
  • 9 posts
  • Local time:01:01 AM

Posted 05 January 2012 - 09:59 AM

Malware bytes didn't find anything.

Malwarebytes Anti-Malware

Database version: v2012.01.04.04

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Owner :: OWNER-PC [administrator]

1/4/2012 2:09:47 PM
mbam-log-2012-01-04 (14-09-47).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 330814
Time elapsed: 1 hour(s), 11 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0

#15 Khalan

  • Topic Starter

  • Members
  • 9 posts
  • Local time:01:01 AM

Posted 05 January 2012 - 10:08 AM

My computer still displays this message when I boot up:

CCPLG.XML: Unable to find file (C:\Program Files (x86)\Avira\AntiVir Desktop\ccplg.xml)

Other than that I haven't had any more instances where the screen has faded or any more lines in the screen. I will run Superantispyware today and post the results.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users