Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

BSOD uTorrent DRIVER_IRQL_NOT_LESS_OR_EQUAL and Shut Down Problems


  • This topic is locked This topic is locked
15 replies to this topic

#1 Xenios90

Xenios90

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:06:25 PM

Posted 10 February 2012 - 08:10 AM

About my PC:

OS: Windows 7 Professional SP1, 64-bit
CPU: Intel Core i5-750, overclocked to 3,25GHz
CPU Cooler: Zalman CNPS9900 LED
Motherboard: ASUS P7P55D-E
RAM: 2x4GB Corsair XMS3
Graphics Card: AMD Radeon HD 4870
Power Supply: Thermaltake ToughPower XT 575W ATX 2.3
Hard Disc: Seagate Barracuda 7200.12 1000GB


So, I've used uTorrent for quite a long time now (last fresh Windows install was in November 2010, I think) without any troubles. But since I started the download of a specific file, my PC crashes after a few (between 1 and 30) minutes of downloading. I get a BSOD with the text "DRIVER_IRQL_NOT_LESS_OR_EQUAL", referring to NETIO.SYS. I've further analysed this error, it only happens with Torrent-Software when it reaches the maximum data throughput, or so it seems. When I set the limit in uTorrent to 500kbyte/s, it crashes when reaching it. Without any threshold, it crashes when reaching the overall connection limit (about 1200kbyte/s).
I use Avira Antivir as Malware-Protection, which didn't find anything.

I de-installed the network driver, used the standard-Windows 7-driver, updated that driver via Windows and installed the newest driver from the ASUS-Homepage. In all these cases, the same error happened. Now I'm using the Realtek-driver version 7.48.823.2011.

Additionally, my PC doesn't shut down when I'm shutting it down. It hangs in the Windows-Screen "Shutting down..." or continues running with a black screen, but the power remains on.

In November, I asked about this issue on the Windows 7-Forums. You can find BSOD-Information in this thread. Since I tried all of their suggestions, they redirected me to you.

Here's the content of the DDS.txt-File:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Johannes at 13:49:27 on 2012-02-10
Microsoft Windows 7 Professional 6.1.7601.1.1252.43.1031.18.8190.6050 [GMT 1:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Pogoplug\dokanmnt.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Pogoplug\HBPLUG\HBADMIN.exe
C:\Windows\system32\LMabcoms.exe
C:\Program Files\Microsoft LifeCam\MSCamS64.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Logitech\SetPointP\SetPoint.exe
D:\Programme\X-Fi Mode Changer\XFiMode.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Windows\SysWOW64\CTXFISPI.EXE
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files\Lexmark\ErrorApp\lmab1err.exe
C:\Program Files (x86)\Pogoplug\PogoplugMonitor.exe
C:\Program Files (x86)\Suunto\Moveslink for Movestick Mini\Moveslink.exe
C:\Program Files (x86)\EventGhost\EventGhost.exe
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ph.tum.de/
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO: Windows Live ID-Anmelde-Hilfsprogramm: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [micoach] "C:\Program Files (x86)\adidas\miCoach Manager\miCoachManager.exe" /autostart
uRun: [XFMC] D:\Programme\X-Fi Mode Changer\XFiMode.exe
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
uRun: [LMab1err] C:\Program Files\Lexmark\ErrorApp\LMab1err.exe
uRun: [miCoach Manager] C:\Program Files (x86)\adidas\miCoach Manager\SyncManager.exe -autorun
uRun: [Pogoplug] "C:\Program Files (x86)\Pogoplug\PogoplugMonitor.exe"
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
StartupFolder: C:\Users\Johannes\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVENTG~1.LNK - C:\Program Files (x86)\EventGhost\EventGhost.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MOVESL~1.LNK - C:\Windows\Installer\{4D036ACA-DFDF-41B2-A680-E0D736F3E947}\_22A9010B636AF7A61D8E03.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: An OneNote s&enden - C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
IE: Nach Microsoft E&xcel exportieren - C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15114/CTPID.cab
TCP: DhcpNameServer = 192.168.178.1
TCP: Interfaces\{F0EBCF1B-8EA7-4415-A382-2C73B8B5434F} : DhcpNameServer = 192.168.178.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
{9030D464-4C02-4ABF-8ECC-5164760863C6}
{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
{B4F3A835-0E21-4959-BA22-42B3008E02FF}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
mRun-x64: [CTxfiHlp] CTXFIHLP.EXE
mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
SEH-X64: {B5A7F190-DDA6-4420-B3BA-52453494E6CD}: Groove GFS Stub Execution Hook
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Johannes\AppData\Roaming\Mozilla\Firefox\Profiles\msbmuqvo.default\
FF - prefs.js: browser.search.selectedEngine - LEO Eng-Deu
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\1.102.0\npesnlaunch.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\1.104.0\npesnlaunch.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R2 acedrv11;acedrv11;\??\C:\Windows\system32\drivers\acedrv11.sys --> C:\Windows\system32\drivers\acedrv11.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AntiVirSchedulerService;Avira AntiVir Planer;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-1-29 136360]
R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-1-29 269480]
R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
R2 DokanCEDriver;DokanCEDriver;C:\Program Files (x86)\Pogoplug\dokance.sys [2012-1-31 66880]
R2 DokanCEMounter;DokanCEMounter;C:\Program Files (x86)\Pogoplug\dokanmnt.exe [2011-12-23 115520]
R2 HBAdmin;HBAdmin;C:\Program Files (x86)\Pogoplug\HBPLUG\hbadmin.exe [2011-12-23 1064256]
R2 vpnagent;Cisco AnyConnect Secure Mobility Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [2011-9-9 475088]
R3 acsock;acsock;C:\Windows\system32\DRIVERS\acsock64.sys --> C:\Windows\system32\DRIVERS\acsock64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\system32\drivers\CT20XUT.SYS --> C:\Windows\system32\drivers\CT20XUT.SYS [?]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\system32\drivers\CTEXFIFX.SYS --> C:\Windows\system32\drivers\CTEXFIFX.SYS [?]
R3 libusb0;libusb-win32 - Kernel Driver 04/08/2011 1.2.4.0;C:\Windows\system32\DRIVERS\libusb0.sys --> C:\Windows\system32\DRIVERS\libusb0.sys [?]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\system32\Drivers\nx6000.sys --> C:\Windows\system32\Drivers\nx6000.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 xcetap0;XCETAP0 Adapter;C:\Windows\system32\DRIVERS\xcetap0.sys --> C:\Windows\system32\DRIVERS\xcetap0.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-1-29 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-1-28 79360]
S3 Creative Dolby Digital Live Pack Licensing Service;Creative Dolby Digital Live Pack Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\DDLLicensing.exe [2011-1-29 79360]
S3 CT20XUT;CT20XUT;C:\Windows\system32\drivers\CT20XUT.SYS --> C:\Windows\system32\drivers\CT20XUT.SYS [?]
S3 CTEXFIFX;CTEXFIFX;C:\Windows\system32\drivers\CTEXFIFX.SYS --> C:\Windows\system32\drivers\CTEXFIFX.SYS [?]
S3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\system32\drivers\CTHWIUT.SYS --> C:\Windows\system32\drivers\CTHWIUT.SYS [?]
S3 CTHWIUT;CTHWIUT;C:\Windows\system32\drivers\CTHWIUT.SYS --> C:\Windows\system32\drivers\CTHWIUT.SYS [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 51740536]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 StorSvc;Speicherdienst;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows-Aktivierungstechnologieservice;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WSDPrintDevice;WSD-Druckunterstützung durch UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
S3 WSDScan;WSD-Scanunterstützung durch UMB;C:\Windows\system32\DRIVERS\WSDScan.sys --> C:\Windows\system32\DRIVERS\WSDScan.sys [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-02-06 15:57:36 -------- d-----w- C:\ProgramData\EventGhost
2012-02-05 15:22:42 -------- d-----w- C:\Users\Johannes\AppData\Roaming\Suunto
2012-02-05 15:22:37 -------- d-----w- C:\Program Files (x86)\Suunto
2012-02-05 15:11:26 -------- d-----w- C:\ProgramData\Ant
2012-02-05 11:30:54 -------- d-----w- C:\Program Files (x86)\AMD APP
2012-01-31 20:20:20 87040 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\CNMPPAE.DLL
2012-01-31 20:20:20 28672 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\CNMPDAE.DLL
2012-01-31 20:20:10 361472 ----a-w- C:\Windows\System32\CNMLMAE.DLL
2012-01-25 15:33:51 -------- d-----w- C:\Users\Johannes\AppData\Local\{2EC20B08-D0FC-4F19-9F71-07AF21AFD60A}
2012-01-25 15:33:30 -------- d-----w- C:\Users\Johannes\AppData\Local\{F1DA6F9C-02E2-4DA1-B20E-6268D4C2ABD8}
2012-01-24 16:43:45 -------- d-----w- C:\Program Files (x86)\Terrafirma
2012-01-13 13:17:55 -------- d-----w- C:\Program Files (x86)\Pogoplug
2012-01-11 15:40:49 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll
2012-01-11 15:40:49 366592 ----a-w- C:\Windows\System32\qdvd.dll
2012-01-11 15:40:49 1572864 ----a-w- C:\Windows\System32\quartz.dll
2012-01-11 15:40:49 1328128 ----a-w- C:\Windows\SysWow64\quartz.dll
2012-01-11 15:40:47 1731920 ----a-w- C:\Windows\System32\ntdll.dll
2012-01-11 15:40:47 1292080 ----a-w- C:\Windows\SysWow64\ntdll.dll
2012-01-11 15:40:46 77312 ----a-w- C:\Windows\System32\packager.dll
2012-01-11 15:40:46 67072 ----a-w- C:\Windows\SysWow64\packager.dll
.
==================== Find3M ====================
.
2012-01-10 17:11:57 279616 ----a-w- C:\Windows\System32\drivers\dtsoftbus01.sys
2012-01-08 23:45:52 530488 ----a-w- C:\Windows\System32\drivers\sptd.sys
2011-12-12 22:18:27 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-12-12 22:18:27 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-12-12 21:47:18 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2011-12-06 21:15:23 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2011-12-06 03:45:40 10720256 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2011-12-06 03:18:38 25371136 ----a-w- C:\Windows\System32\atio6axx.dll
2011-12-06 03:17:50 159744 ----a-w- C:\Windows\System32\atiapfxx.exe
2011-12-06 03:17:36 778752 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2011-12-06 03:16:00 933888 ----a-w- C:\Windows\System32\aticfx64.dll
2011-12-06 03:12:52 466944 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2011-12-06 03:12:36 494080 ----a-w- C:\Windows\System32\atieclxx.exe
2011-12-06 03:11:56 235520 ----a-w- C:\Windows\System32\atiesrxx.exe
2011-12-06 03:10:38 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2011-12-06 03:10:20 423424 ----a-w- C:\Windows\System32\atipdl64.dll
2011-12-06 03:10:12 360448 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
2011-12-06 03:10:00 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2011-12-06 03:09:56 21504 ----a-w- C:\Windows\System32\atimuixx.dll
2011-12-06 03:09:50 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2011-12-06 03:09:44 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2011-12-06 03:06:38 6159872 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2011-12-06 02:56:40 19125760 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2011-12-06 02:51:22 7520768 ----a-w- C:\Windows\System32\atidxx64.dll
2011-12-06 02:39:58 1113088 ----a-w- C:\Windows\System32\atiumd6v.dll
2011-12-06 02:39:24 1828864 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2011-12-06 02:39:12 4072960 ----a-w- C:\Windows\System32\atiumd6a.dll
2011-12-06 02:34:28 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2011-12-06 02:34:24 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2011-12-06 02:34:16 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2011-12-06 02:34:14 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2011-12-06 02:34:00 13738496 ----a-w- C:\Windows\System32\aticaldd64.dll
2011-12-06 02:33:36 5919232 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2011-12-06 02:29:30 11484672 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2011-12-06 02:28:50 4206592 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2011-12-06 02:24:02 7511040 ----a-w- C:\Windows\System32\atiumd64.dll
2011-12-06 02:18:46 58880 ----a-w- C:\Windows\System32\coinst.dll
2011-12-06 02:13:02 509952 ----a-w- C:\Windows\System32\atiadlxx.dll
2011-12-06 02:12:52 356352 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2011-12-06 02:12:38 17408 ----a-w- C:\Windows\System32\atig6pxx.dll
2011-12-06 02:12:34 14336 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2011-12-06 02:12:34 14336 ----a-w- C:\Windows\System32\atiglpxx.dll
2011-12-06 02:12:30 39936 ----a-w- C:\Windows\System32\atig6txx.dll
2011-12-06 02:12:22 33280 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2011-12-06 02:12:14 327168 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2011-12-06 02:11:24 42496 ----a-w- C:\Windows\System32\atiuxp64.dll
2011-12-06 02:11:16 33280 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2011-12-06 02:11:10 39936 ----a-w- C:\Windows\System32\atiu9p64.dll
2011-12-06 02:11:02 29696 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2011-12-06 02:10:48 54784 ----a-w- C:\Windows\System32\atimpc64.dll
2011-12-06 02:10:48 54784 ----a-w- C:\Windows\System32\amdpcom64.dll
2011-12-06 02:10:42 53760 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2011-12-06 02:10:42 53760 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2011-12-06 02:10:24 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2011-12-05 21:04:06 69632 ----a-w- C:\Windows\System32\OpenVideo64.dll
2011-12-05 21:04:00 59904 ----a-w- C:\Windows\SysWow64\OpenVideo.dll
2011-12-05 21:03:54 61952 ----a-w- C:\Windows\System32\OVDecode64.dll
2011-12-05 21:03:52 54784 ----a-w- C:\Windows\SysWow64\OVDecode.dll
2011-12-05 21:03:42 17580544 ----a-w- C:\Windows\System32\amdocl64.dll
2011-12-05 21:03:04 14499328 ----a-w- C:\Windows\SysWow64\amdocl.dll
2011-11-24 04:52:09 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-11-22 17:45:07 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-17 06:49:14 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2011-11-17 06:49:14 152432 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2011-11-17 06:44:43 459232 ----a-w- C:\Windows\System32\drivers\cng.sys
2011-11-17 06:35:28 395776 ----a-w- C:\Windows\System32\webio.dll
2011-11-17 06:35:26 29184 ----a-w- C:\Windows\System32\sspisrv.dll
2011-11-17 06:35:26 136192 ----a-w- C:\Windows\System32\sspicli.dll
2011-11-17 06:35:25 340992 ----a-w- C:\Windows\System32\schannel.dll
2011-11-17 06:35:25 28160 ----a-w- C:\Windows\System32\secur32.dll
2011-11-17 06:35:19 1447936 ----a-w- C:\Windows\System32\lsasrv.dll
2011-11-17 06:33:55 31232 ----a-w- C:\Windows\System32\lsass.exe
2011-11-17 05:35:02 314880 ----a-w- C:\Windows\SysWow64\webio.dll
2011-11-17 05:34:52 224768 ----a-w- C:\Windows\SysWow64\schannel.dll
2011-11-17 05:34:52 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2011-11-17 05:28:48 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2011-11-15 16:58:56 146432 ----a-w- C:\Windows\System32\SlotMaximizerAg.dll
2011-11-15 16:58:54 3507712 ----a-w- C:\Windows\System32\SlotMaximizerBe.dll
2011-11-15 16:57:06 2463744 ----a-w- C:\Windows\SysWow64\SlotMaximizerBe.dll
2011-11-15 16:57:02 122880 ----a-w- C:\Windows\SysWow64\SlotMaximizerAg.dll
.
============= FINISH: 13:50:11,31 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:25 PM

Posted 13 February 2012 - 06:10 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 Xenios90

Xenios90
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:06:25 PM

Posted 13 February 2012 - 06:33 PM

Hi!

Thank you for your reply! I hope we can solve this together. :)

Edited by Xenios90, 13 February 2012 - 06:33 PM.


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:25 PM

Posted 13 February 2012 - 08:00 PM

Let's see what we can do.

The P2P story seems to scream that we are dealing with a very prevalent rootkit so let's start with that.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Posted Image
m0le is a proud member of UNITE

#5 Xenios90

Xenios90
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:06:25 PM

Posted 15 February 2012 - 07:59 AM

I tried scanning with that tool, but it crashed in normal mode and in safe mode as well. The last line it showed was 'Scanning C:\Windows\Assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications'[... the window ended there]

This is the log it showed when starting to scan:

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-15 12:41:59
-----------------------------
12:41:59.641 OS Version: Windows x64 6.1.7601 Service Pack 1
12:41:59.641 Number of processors: 4 586 0x1E05
12:41:59.641 ComputerName: JOHANNES-PC UserName: Johannes
12:42:02.795 Initialize success
12:42:05.397 AVAST engine defs: 12021500
12:42:09.371 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-4
12:42:09.373 Disk 0 Vendor: ST31000528AS CC38 Size: 953869MB BusType: 3
12:42:09.384 Disk 0 MBR read successfully
12:42:09.387 Disk 0 MBR scan
12:42:09.391 Disk 0 Windows 7 default MBR code
12:42:09.394 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 49899 MB offset 206848
12:42:09.406 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 903868 MB offset 102400000
12:42:09.413 Service scanning
12:42:10.388 Modules scanning
12:42:10.392 Disk 0 trace - called modules:
12:42:10.398 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
12:42:10.402 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007b93060]
12:42:10.406 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> [0xfffffa80078ea520]
12:42:10.412 5 ACPI.sys[fffff88000e1a7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP4T0L0-4[0xfffffa80078e6680]
12:42:13.017 AVAST engine scan C:\Windows
12:42:14.724 AVAST engine scan C:\Windows\system32
12:42:23.425 Disk 0 MBR has been saved successfully to "D:\Downloads\MBR.dat"
12:42:23.429 The log file has been saved successfully to "D:\Downloads\aswMBR.txt"



And I do have Avira AntiVir installed on my PC, the last scan was on the 21.10.2011, so I have scanned after the problem started, with no real detections.

Edited by Xenios90, 15 February 2012 - 08:00 AM.


#6 Xenios90

Xenios90
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:06:25 PM

Posted 15 February 2012 - 04:36 PM

I just ran a complete scan with Avira Antivir and it found two pieces of Malware on my PC. uTorrent seems to work now, but I will continue testing since it already happened once that it didn't crash for a day of running uTorrent.

I will keep you posted!

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:25 PM

Posted 15 February 2012 - 06:52 PM

Please stop running uTorrent and make sure to disable the antivirus each time we use a scan/removal tool.

Please now run Combofix

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image
m0le is a proud member of UNITE

#8 Xenios90

Xenios90
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:06:25 PM

Posted 16 February 2012 - 09:31 AM

This is the text ComboFix created:

ComboFix 12-02-16.01 - Johannes 16.02.2012 14:39:59.1.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.43.1031.18.8190.5881 [GMT 1:00]
ausgeführt von:: d:\desktop\comfix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\logs
c:\windows\SysWow64\logs\Setup.log
.
.
((((((((((((((((((((((( Dateien erstellt von 2012-01-16 bis 2012-02-16 ))))))))))))))))))))))))))))))
.
.
2012-02-16 13:54 . 2012-02-16 13:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-15 10:52 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-15 10:52 . 2012-01-04 08:58 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2012-02-15 10:52 . 2011-12-30 06:26 515584 ----a-w- c:\windows\system32\timedate.cpl
2012-02-15 10:52 . 2011-12-30 05:27 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
2012-02-15 10:52 . 2012-01-14 04:06 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-02-15 10:52 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-15 10:52 . 2011-12-16 08:46 634880 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 10:52 . 2011-12-16 07:52 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll
2012-02-13 21:21 . 2012-02-13 21:21 -------- d-----w- c:\users\Johannes\AppData\Local\SCE
2012-02-13 18:51 . 2012-02-13 23:24 -------- d-----w- c:\users\Johannes\AppData\Roaming\TS3Client
2012-02-13 18:43 . 2012-02-13 18:43 -------- d-----w- c:\program files\TeamSpeak 3 Client
2012-02-06 15:57 . 2012-02-06 15:57 -------- d-----w- c:\programdata\EventGhost
2012-02-05 15:22 . 2012-02-05 15:22 -------- d-----w- c:\users\Johannes\AppData\Roaming\Suunto
2012-02-05 15:22 . 2012-02-05 15:22 -------- d-----w- c:\program files (x86)\Suunto
2012-02-05 15:11 . 2012-02-05 15:11 -------- d-----w- c:\programdata\Ant
2012-02-05 11:30 . 2012-02-05 11:30 -------- d-----w- c:\programdata\ATI
2012-02-05 11:30 . 2012-02-05 11:30 -------- d-----w- c:\program files (x86)\AMD APP
2012-01-31 20:20 . 2012-01-31 20:20 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2012-01-31 20:20 . 2012-01-31 20:20 -------- d--h--w- c:\programdata\CanonBJ
2012-01-31 20:20 . 2010-08-25 04:00 87040 ----a-w- c:\windows\system32\Spool\prtprocs\x64\CNMPPAE.DLL
2012-01-31 20:20 . 2010-08-25 04:00 28672 ----a-w- c:\windows\system32\Spool\prtprocs\x64\CNMPDAE.DLL
2012-01-31 20:20 . 2010-08-25 04:00 361472 ----a-w- c:\windows\system32\CNMLMAE.DLL
2012-01-24 16:43 . 2012-01-24 16:43 -------- d-----w- c:\program files (x86)\Terrafirma
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-13 22:38 . 2011-11-01 13:43 282864 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-02-13 22:38 . 2011-10-31 18:55 282864 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-02-13 22:37 . 2011-10-31 18:55 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2012-02-13 19:21 . 2011-10-31 18:55 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2012-01-10 17:11 . 2012-01-10 17:11 279616 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-01-08 23:45 . 2011-03-01 20:35 530488 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-12-14 13:08 . 2011-04-04 17:11 916304 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-12-06 03:45 . 2011-12-06 03:45 10720256 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-12-06 03:18 . 2011-12-06 03:18 25371136 ----a-w- c:\windows\system32\atio6axx.dll
2011-12-06 03:17 . 2011-12-06 03:17 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2011-12-06 03:17 . 2011-12-06 03:17 778752 ----a-w- c:\windows\SysWow64\aticfx32.dll
2011-12-06 03:16 . 2010-11-26 02:57 933888 ----a-w- c:\windows\system32\aticfx64.dll
2011-12-06 03:12 . 2011-12-06 03:12 466944 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-12-06 03:12 . 2011-12-06 03:12 494080 ----a-w- c:\windows\system32\atieclxx.exe
2011-12-06 03:11 . 2011-12-06 03:11 235520 ----a-w- c:\windows\system32\atiesrxx.exe
2011-12-06 03:10 . 2011-12-06 03:10 120320 ----a-w- c:\windows\system32\atitmm64.dll
2011-12-06 03:10 . 2011-12-06 03:10 423424 ----a-w- c:\windows\system32\atipdl64.dll
2011-12-06 03:10 . 2011-12-06 03:10 360448 ----a-w- c:\windows\SysWow64\atipdlxx.dll
2011-12-06 03:10 . 2011-12-06 03:10 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
2011-12-06 03:09 . 2011-12-06 03:09 21504 ----a-w- c:\windows\system32\atimuixx.dll
2011-12-06 03:09 . 2011-12-06 03:09 59392 ----a-w- c:\windows\system32\atiedu64.dll
2011-12-06 03:09 . 2011-12-06 03:09 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2011-12-06 03:06 . 2011-12-06 03:06 6159872 ----a-w- c:\windows\SysWow64\atidxx32.dll
2011-12-06 02:56 . 2011-12-06 02:56 19125760 ----a-w- c:\windows\SysWow64\atioglxx.dll
2011-12-06 02:51 . 2009-07-13 21:59 7520768 ----a-w- c:\windows\system32\atidxx64.dll
2011-12-06 02:39 . 2011-12-06 02:39 1113088 ----a-w- c:\windows\system32\atiumd6v.dll
2011-12-06 02:39 . 2011-12-06 02:39 1828864 ----a-w- c:\windows\SysWow64\atiumdmv.dll
2011-12-06 02:39 . 2011-12-06 02:39 4072960 ----a-w- c:\windows\system32\atiumd6a.dll
2011-12-06 02:34 . 2011-12-06 02:34 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2011-12-06 02:34 . 2011-12-06 02:34 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2011-12-06 02:34 . 2011-12-06 02:34 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2011-12-06 02:34 . 2011-12-06 02:34 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2011-12-06 02:34 . 2011-12-06 02:34 13738496 ----a-w- c:\windows\system32\aticaldd64.dll
2011-12-06 02:33 . 2011-12-06 02:33 5919232 ----a-w- c:\windows\SysWow64\atiumdag.dll
2011-12-06 02:29 . 2011-12-06 02:29 11484672 ----a-w- c:\windows\SysWow64\aticaldd.dll
2011-12-06 02:28 . 2011-12-06 02:28 4206592 ----a-w- c:\windows\SysWow64\atiumdva.dll
2011-12-06 02:24 . 2011-12-06 02:24 7511040 ----a-w- c:\windows\system32\atiumd64.dll
2011-12-06 02:18 . 2010-11-26 02:24 58880 ----a-w- c:\windows\system32\coinst.dll
2011-12-06 02:13 . 2011-12-06 02:13 509952 ----a-w- c:\windows\system32\atiadlxx.dll
2011-12-06 02:12 . 2011-12-06 02:12 356352 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2011-12-06 02:12 . 2011-12-06 02:12 17408 ----a-w- c:\windows\system32\atig6pxx.dll
2011-12-06 02:12 . 2011-12-06 02:12 14336 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2011-12-06 02:12 . 2011-12-06 02:12 14336 ----a-w- c:\windows\system32\atiglpxx.dll
2011-12-06 02:12 . 2011-12-06 02:12 39936 ----a-w- c:\windows\system32\atig6txx.dll
2011-12-06 02:12 . 2011-12-06 02:12 33280 ----a-w- c:\windows\SysWow64\atigktxx.dll
2011-12-06 02:12 . 2011-12-06 02:12 327168 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-12-06 02:11 . 2011-11-18 20:52 42496 ----a-w- c:\windows\system32\atiuxp64.dll
2011-12-06 02:11 . 2011-12-06 02:11 33280 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2011-12-06 02:11 . 2011-12-06 02:11 39936 ----a-w- c:\windows\system32\atiu9p64.dll
2011-12-06 02:11 . 2011-12-06 02:11 29696 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2011-12-06 02:10 . 2011-12-06 02:10 54784 ----a-w- c:\windows\system32\atimpc64.dll
2011-12-06 02:10 . 2011-12-06 02:10 54784 ----a-w- c:\windows\system32\amdpcom64.dll
2011-12-06 02:10 . 2011-12-06 02:10 53760 ----a-w- c:\windows\SysWow64\atimpc32.dll
2011-12-06 02:10 . 2011-12-06 02:10 53760 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2011-12-06 02:10 . 2011-12-06 02:10 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-12-05 21:04 . 2011-12-05 21:04 69632 ----a-w- c:\windows\system32\OpenVideo64.dll
2011-12-05 21:04 . 2011-12-05 21:04 59904 ----a-w- c:\windows\SysWow64\OpenVideo.dll
2011-12-05 21:03 . 2011-12-05 21:03 61952 ----a-w- c:\windows\system32\OVDecode64.dll
2011-12-05 21:03 . 2011-12-05 21:03 54784 ----a-w- c:\windows\SysWow64\OVDecode.dll
2011-12-05 21:03 . 2011-12-05 21:03 17580544 ----a-w- c:\windows\system32\amdocl64.dll
2011-12-05 21:03 . 2011-12-05 21:03 14499328 ----a-w- c:\windows\SysWow64\amdocl.dll
2011-11-22 17:45 . 2011-05-14 10:33 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-19 14:58 . 2012-01-11 15:40 77312 ----a-w- c:\windows\system32\packager.dll
2011-11-19 14:01 . 2012-01-11 15:40 67072 ----a-w- c:\windows\SysWow64\packager.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XFMC"="d:\programme\X-Fi Mode Changer\XFiMode.exe" [2007-12-15 569344]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-10-13 17351304]
"LMab1err"="c:\program files\Lexmark\ErrorApp\LMab1err.exe" [2010-08-03 582312]
"Pogoplug"="c:\program files (x86)\Pogoplug\PogoplugMonitor.exe" [2012-01-31 234304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"CTxfiHlp"="CTXFIHLP.EXE" [2010-05-05 25600]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-12-05 343168]
.
c:\users\Johannes\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
EventGhost.lnk - c:\program files (x86)\EventGhost\EventGhost.exe [2011-4-3 31232]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Moveslink for Movestick Mini.lnk - c:\windows\Installer\{4D036ACA-DFDF-41B2-A680-E0D736F3E947}\_22A9010B636AF7A61D8E03.exe [2012-2-5 15086]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-01-29 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-01-27 79360]
R3 Creative Dolby Digital Live Pack Licensing Service;Creative Dolby Digital Live Pack Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\DDLLicensing.exe [2011-01-29 79360]
R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [x]
R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [x]
R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 51740536]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 174440]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WSDPrintDevice;WSD-Druckunterstützung durch UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
R3 WSDScan;WSD-Scanunterstützung durch UMB;c:\windows\system32\DRIVERS\WSDScan.sys [x]
R4 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-05-01 136360]
S2 DokanCEDriver;DokanCEDriver;c:\program files (x86)\Pogoplug\dokance.sys [2012-01-31 66880]
S2 DokanCEMounter;DokanCEMounter;c:\program files (x86)\Pogoplug\dokanmnt.exe [2011-12-23 115520]
S2 HBAdmin;HBAdmin;c:\program files (x86)\Pogoplug\HBPLUG\HBADMIN.exe [2011-12-23 1064256]
S2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [2011-09-09 475088]
S3 acsock;acsock;c:\windows\system32\DRIVERS\acsock64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [x]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [x]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [x]
S3 libusb0;libusb-win32 - Kernel Driver 04/08/2011 1.2.4.0;c:\windows\system32\DRIVERS\libusb0.sys [x]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\Drivers\nx6000.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 xcetap0;XCETAP0 Adapter;c:\windows\system32\DRIVERS\xcetap0.sys [x]
.
.
--- Andere Dienste/Treiber im Speicher ---
.
*NewlyCreated* - WS2IFSL
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1680976]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 112512]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.ph.tum.de/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: An OneNote s&enden - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
IE: Nach Microsoft E&xcel exportieren - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.178.1
FF - ProfilePath - c:\users\Johannes\AppData\Roaming\Mozilla\Firefox\Profiles\msbmuqvo.default\
FF - prefs.js: browser.search.selectedEngine - LEO Eng-Deu
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
FF - prefs.js: network.proxy.type - 0
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Wow6432Node-HKCU-Run-micoach - c:\program files (x86)\adidas\miCoach Manager\miCoachManager.exe
Wow6432Node-HKCU-Run-miCoach Manager - c:\program files (x86)\adidas\miCoach Manager\SyncManager.exe
AddRemove-Battlelog Web Plugins - c:\program files (x86)\Battlelog Web Plugins\uninstall.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2012-02-16 15:23:14 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2012-02-16 14:23
.
Vor Suchlauf: 9.236.123.648 Bytes frei
Nach Suchlauf: 4.369.305.600 Bytes frei
.
- - End Of File - - A8AD05A7EC4C75996992E69CDB109D56


Edited by Xenios90, 16 February 2012 - 09:32 AM.


#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:25 PM

Posted 16 February 2012 - 09:28 PM

No problems picked up there either.

  • Download BlueScreenView
  • Double click the BlueScreenView.exe file to run the program.
  • Follow the instructions to install the program and click Finish to run the scan
  • When the scanning is complete, select Edit and Select All
  • Then click File and Save Selected Items.
  • Save the report as BSOD.txt.
  • Open BSOD.txt in Notepad, copy the entire content and paste it into your next reply.
More information about the program can be found here
Posted Image
m0le is a proud member of UNITE

#10 Xenios90

Xenios90
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:06:25 PM

Posted 17 February 2012 - 10:51 AM

Like I said I ran the Avira Scan before (on the 15.2.2012) and it detected (and deleted, should have been clearer about that).

Here is what Avira deleted, from its report:

Beginne mit der Desinfektion:
P:\Serien\How I Met Your Mother\How I Met Your Mother - Season 6\How.I.Met.Your.Mother.S06E22 The Perfect Cocktail HDTV XviD-FEVER.avi
[FUND] Enthält Erkennungsmuster des Exploits EXP/ASF.GetCodec.Gen
[HINWEIS] Die Datei wurde gelöscht.
D:\Documents\Meine empfangenen Dateien\jklicpera1009721756\Spiele\RAIDY\RAIDYSYS.EXE
[FUND] Ist das Trojanische Pferd TR/Gendal.4879382
[HINWEIS] Die Datei wurde gelöscht.


Unfortunately it is in German. But it says that it has deleted the trojan "TR/Gendal.4879382" from the disc and the exploit "EXP/ASF.GetCodec.Gen" from a remotely connected disc. Do you think this was it? My PC didn't crash since then.

You can get information about my BlueScreen in my old threat. I posted the result of BlueScreenViewer in this post. And no, there were no BSODs that said something else than NETIO.SYS since then.

Edited by Xenios90, 17 February 2012 - 10:52 AM.


#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:25 PM

Posted 17 February 2012 - 07:55 PM

Thanks for that log. I would say that if the crashing has stopped that the trojan removal was the cause.


According to Avira:

EXP/ASF.GetCodec.Gen is a detection for multimedia files that contain a special command to download new codecs. Normally, codecs are required to play video or audio formats. This mechanism got hijacked by malware, which simply downloads Trojans instead of a real new codec. ASF, WMA and WMV files are affected, a recent Trojan converts MP3 files into the ASF file format and adds a command to download malicious code.


This corresponds with the uTorrent problem and the NETIO.sys cause. Netio measures the net throughput of a network via TCP/IP, as this would be large during a torrent download if anything else is sucking that resource it would cause an overload.

I would say you are now clean. :)
Posted Image
m0le is a proud member of UNITE

#12 Xenios90

Xenios90
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:06:25 PM

Posted 17 February 2012 - 09:08 PM

Wonderful, thank you very much! Finally no more crashing! :) The fact that it was on that remote disc would also explain why my laptop had some problems as well! Killed two birds with one stone. ;)

And do you have any ideas about my shut down problems? I read that this can be quite difficult to solve since it can be caused by just any driver or system software that doesn't close correctly during shut down. But maybe you have some trick up your sleeve? ;)

Edited by Xenios90, 18 February 2012 - 07:37 AM.


#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:25 PM

Posted 17 February 2012 - 09:53 PM

It isn't straightforward to troubleshoot and I have don't have any specific tricks up my sleeve but you might want to check this out. Microsoft apparently rectified the shutdown error with SP1. Did you update to this service pack?
Posted Image
m0le is a proud member of UNITE

#14 Xenios90

Xenios90
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:06:25 PM

Posted 18 February 2012 - 07:41 AM

Yes, I've got the SP1 and am keeping my PC as updated as possible.

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:25 PM

Posted 18 February 2012 - 01:55 PM

It could be numerous things so you probably need a hard drive diagnosis. Post a topic on the Windows 7 forum
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users