windows explorer locks up computer when i try to watch movie from downloads folder.


15 replies to this topic

#1 pokerprick (Members, 27 posts)

Posted 06 May 2012 - 05:14 PM

I am running XP Professional, my computer specs are on file here. When I try to play a movie from C:/... My Documents/downloads/{movie title} my computer locks up totally; I have to hit the power button before it will react again, even after numerous minutes of waiting. The only website I thought I was connected to was Yahoo. Soon before this, I ran a scan with Superantispyware: the program did not find anything, but I did "manage Quarantine" and deleted three trojan horses that had to be from the last scan {numerous days ago}. Now, as far as I can tell, it only locks when I am in that folder trying to play a movie. I can play games in that folder and open pictures. I uninstalled my media player and was gonna reinstall but haven't yet, once I realized it wasn't that. I have Windows Media Player as default. The computer tells me that Windows Explorer has had a problem and needs to close and then it locks. A game was the last window open in the system. No updates or downloads for a while. I think I included anything I know that will help. Txz for help. You people always do me right. I would be so lost without y'all.

Edited by hamluis, 06 May 2012 - 05:37 PM.
Moved from XP to Am I Infected - Hamluis.




#2 dev00790 (Bleeping Chocoholic; Members, 5,037 posts; Gender: Male; Location: UK)

Posted 06 May 2012 - 06:36 PM

Hello,

I will be helping you with your problems.

Some points for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

  • Please do NOT run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

----------------------------------------------

Please do the following:

Step 1

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document in your next reply.


Step 2

Please download Farbar Service Scanner to your Desktop and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Step 3

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


Step 4

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Post the log back here.

Note: Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"

I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#3 pokerprick (Topic Starter; Members, 27 posts)

Posted 06 May 2012 - 10:38 PM

Thanks for your time. No improvement. Here are files.

#4 pokerprick (Topic Starter; Members, 27 posts)

Posted 06 May 2012 - 10:53 PM

Thanks for your time. Problem still exists. Here are logs.

Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

SUPERAntiSpyware
Java™ 6 Update 31
Adobe Flash Player 11.1.102.62
Mozilla Firefox (12.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
``````````End of Log````````````

Edited by pokerprick, 06 May 2012 - 10:56 PM.


#5 pokerprick (Topic Starter; Members, 27 posts)

Posted 06 May 2012 - 11:03 PM

Thanks for your time. No improvement. Here are files.

Farbar Service Scanner Version: 30-04-2012 01
Ran by Cool One (administrator) on 06-05-2012 at 19:07:04
Running from "C:\Documents and Settings\Cool One\My Documents\Downloads"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0C0000000500000001000000020000000300000004000000080000000B0000000C0000000600000007000000090000000A000000
IpSec Tag value is correct.

**** End of log ****

#6 pokerprick (Topic Starter; Members, 27 posts)

Posted 06 May 2012 - 11:12 PM

more...

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.06.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Cool One :: MARK-DJPO0JUHPG [administrator]

5/6/2012 7:54:37 PM
mbam-log-2012-05-06 (19-54-37).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 234803
Time elapsed: 15 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#7 pokerprick (Topic Starter; Members, 27 posts)

Posted 06 May 2012 - 11:22 PM

more...

MiniToolBox by Farbar Version: 18-01-2012
Ran by Cool One (administrator) on 06-05-2012 at 21:18:00
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

Hosts file not detected in the default directory
========================= IP Configuration: ================================

Atheros AR5007EG Wireless Network Adapter = Wireless Network Connection 2 (Connected)
Realtek PCIe FE Family Controller = Local Area Connection 2 (Media disconnected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Wireless Network Connection 2"

set address name="Wireless Network Connection 2" source=dhcp
set dns name="Wireless Network Connection 2" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection 2" source=dhcp

# Interface IP Configuration for "Local Area Connection 2"

set address name="Local Area Connection 2" source=dhcp
set dns name="Local Area Connection 2" source=dhcp register=PRIMARY
set wins name="Local Area Connection 2" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration

Host Name . . . . . . . . . . . . : mark-djpo0juhpg
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Wireless Network Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Atheros AR5007EG Wireless Network Adapter
Physical Address. . . . . . . . . : 00-24-D2-EA-F1-F8
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
Lease Obtained. . . . . . . . . . : Sunday, May 06, 2012 8:14:27 PM
Lease Expires . . . . . . . . . . : Monday, May 07, 2012 8:14:27 PM

Ethernet adapter Local Area Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
Physical Address. . . . . . . . . : 00-1E-33-DE-1C-1F

Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.224.104, 74.125.224.99, 74.125.224.110, 74.125.224.102
74.125.224.98, 74.125.224.97, 74.125.224.96, 74.125.224.103, 74.125.224.105
74.125.224.101, 74.125.224.100

Pinging google.com [74.125.224.73] with 32 bytes of data:

Reply from 74.125.224.73: bytes=32 time=19ms TTL=55
Reply from 74.125.224.73: bytes=32 time=21ms TTL=55

Ping statistics for 74.125.224.73:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 19ms, Maximum = 21ms, Average = 20ms

Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com
Addresses: 209.191.122.70, 72.30.38.140, 98.139.183.24

Pinging yahoo.com [72.30.38.140] with 32 bytes of data:

Reply from 72.30.38.140: bytes=32 time=136ms TTL=51
Reply from 72.30.38.140: bytes=32 time=32ms TTL=51

Ping statistics for 72.30.38.140:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 32ms, Maximum = 136ms, Average = 84ms

Server: UnKnown
Address: 192.168.1.1

Name: bleepingcomputer.com
Address: 208.43.87.2

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 24 d2 ea f1 f8 ...... Atheros AR5007EG Wireless Network Adapter - Packet Scheduler Miniport
0x3 ...00 1e 33 de 1c 1f ...... Realtek RTL8102E Family PCI-E Fast Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.3 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 25
192.168.1.3 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 25
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 25
255.255.255.255 255.255.255.255 192.168.1.3 3 1
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 mswsock.dll [File Not found] ()
Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
Catalog9 11 mswsock.dll [File Not found] ()
Catalog9 12 mswsock.dll [File Not found] ()
Catalog9 13 mswsock.dll [File Not found] ()
Catalog9 14 mswsock.dll [File Not found] ()
Catalog9 15 mswsock.dll [File Not found] ()
Catalog9 16 mswsock.dll [File Not found] ()
Catalog9 17 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (05/06/2012 08:12:51 PM) (Source: Application Error) (User: )
Description: Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]

Error: (05/06/2012 08:12:44 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x00011053.
Processing media-specific event for [explorer.exe!ws!]

Error: (05/06/2012 07:39:02 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x00011053.
Processing media-specific event for [explorer.exe!ws!]

Error: (05/06/2012 02:41:28 PM) (Source: Application Error) (User: )
Description: Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]

Error: (05/06/2012 02:41:18 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x00011053.
Processing media-specific event for [explorer.exe!ws!]

Error: (05/06/2012 02:10:11 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x00012437.
Processing media-specific event for [explorer.exe!ws!]

Error: (05/06/2012 00:40:21 PM) (Source: Application Error) (User: )
Description: Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]

Error: (05/06/2012 00:39:44 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x00011053.
Processing media-specific event for [explorer.exe!ws!]

Error: (05/06/2012 00:37:41 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x0001101a.
Processing media-specific event for [explorer.exe!ws!]

Error: (05/06/2012 00:25:40 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x00010f1e.
Processing media-specific event for [explorer.exe!ws!]


System errors:
=============
Error: (05/06/2012 08:15:53 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
TfFsMon
TfSysMon

Error: (05/06/2012 08:15:53 PM) (Source: Service Control Manager) (User: )
Description: The W55U01 service terminated with the following error:
%%126

Error: (05/06/2012 08:15:53 PM) (Source: Service Control Manager) (User: )
Description: The Swmsflt service terminated with the following error:
%%126

Error: (05/06/2012 08:15:53 PM) (Source: Service Control Manager) (User: )
Description: The SGIR service terminated with the following error:
%%126

Error: (05/06/2012 08:15:53 PM) (Source: Service Control Manager) (User: )
Description: The A88xXBar service terminated with the following error:
%%126

Error: (05/06/2012 08:15:53 PM) (Source: Service Control Manager) (User: )
Description: The AVWLP_USB service terminated with the following error:
%%126

Error: (05/06/2012 08:15:53 PM) (Source: Service Control Manager) (User: )
Description: The Tmesrv3 service terminated with the following error:
%%126

Error: (05/06/2012 08:15:53 PM) (Source: Service Control Manager) (User: )
Description: The TOSHIBASoftModem service terminated with the following error:
%%126

Error: (05/06/2012 08:15:53 PM) (Source: Service Control Manager) (User: )
Description: The Se2Eunic service terminated with the following error:
%%126

Error: (05/06/2012 08:15:53 PM) (Source: Service Control Manager) (User: )
Description: The Vmauthdservice service terminated with the following error:
%%126


Microsoft Office Sessions:
=========================
Error: (05/06/2012 08:12:51 PM) (Source: Application Error)(User: )
Description: drwtsn32.exe5.1.2600.0dbghelp.dll5.1.2600.55120001295d

Error: (05/06/2012 08:12:44 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512ntdll.dll5.1.2600.605500011053

Error: (05/06/2012 07:39:02 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512ntdll.dll5.1.2600.605500011053

Error: (05/06/2012 02:41:28 PM) (Source: Application Error)(User: )
Description: drwtsn32.exe5.1.2600.0dbghelp.dll5.1.2600.55120001295d

Error: (05/06/2012 02:41:18 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512ntdll.dll5.1.2600.605500011053

Error: (05/06/2012 02:10:11 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512ntdll.dll5.1.2600.605500012437

Error: (05/06/2012 00:40:21 PM) (Source: Application Error)(User: )
Description: drwtsn32.exe5.1.2600.0dbghelp.dll5.1.2600.55120001295d

Error: (05/06/2012 00:39:44 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512ntdll.dll5.1.2600.605500011053

Error: (05/06/2012 00:37:41 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512ntdll.dll5.1.2600.60550001101a

Error: (05/06/2012 00:25:40 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512ntdll.dll5.1.2600.605500010f1e


=========================== Installed Programs ============================

ABBYY FineReader 5.0 Sprint (Version: 5.0.482.3421)
Adobe Flash Player 10 ActiveX (Version: 10.2.152.32)
Adobe Flash Player 11 Plugin (Version: 11.1.102.62)
Adobe Reader 6.0.1 (Version: 006.000.001)
Adobe SVG Viewer 3.0 (Version: 3.0)
ANIO Service
ANIWZCS2 Service
Ashampoo Burning Studio 11 v.11.0.4 (Version: 11.0.4)
Atheros Client Utility
BitTorrent (Version: 7.2.1)
Blades of Time
BovadaPoker (Version: )
Cake Poker 2.0 (Version: 2.0.1.4376)
Camera Assistant Software for Toshiba (Version: 1.7.193.0508L)
DAEMON Tools Lite (Version: 4.45.3.0297)
Deep Black : Reloaded (Version: Deep Black : Reloaded)
Dell AIO Printer A920
DriverMax 6 (Version: 6.3.0.323)
FaxTools (Version: 5.10)
Future Wars
Game Booster 3 (Version: 3.3.1)
Heavy Fire: Afghanistan (Version: 1.0.0)
InstaCodecs (Version: 1.0)
Intel® Graphics Media Accelerator Driver
Java Auto Updater (Version: 2.0.7.1)
Java™ 6 Update 31 (Version: 6.0.310)
jZip
K-Lite Codec Pack 7.0.0 (Standard) (Version: 7.0.0)
Legend of Grimrock
LIMBO
Malwarebytes Anti-Malware version 1.61.0.1400 (Version: 1.61.0.1400)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Antimalware (Version: 3.0.8402.2)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Games for Windows - LIVE (Version: 3.0.86.0)
Microsoft Games for Windows - LIVE Redistributable (Version: 3.0.17.0)
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Security Client (Version: 2.1.1116.0)
Microsoft Security Essentials (Version: 2.1.1116.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Mozilla Firefox 12.0 (x86 en-US) (Version: 12.0)
Mozilla Maintenance Service (Version: 12.0)
NASCAR® Racing 3
Need for Speed™ Carbon
NetWaiting (Version: 2.5.52)
NVIDIA PhysX (Version: 9.09.0203)
Painkiller Recurring Evil
PL-2303 USB-to-Serial
PokerStove version 1.24
PostgreSQL 8.3 (Version: 8.3)
RealNetworks - Microsoft Visual C++ 2005 Runtime (Version: 8.0)
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0)
RealPlayer
REALTEK GbE & FE Ethernet PCI-E NIC Driver (Version: 1.16.0000)
Realtek High Definition Audio Driver (Version: 5.10.0.6449)
RealUpgrade 1.1 (Version: 1.1.0)
skidrow
Sniper Elite V2
Star Defender 4 v1.11
SUPERAntiSpyware (Version: 5.0.1146)
System Requirements Lab for Intel (Version: 4.1.66.0)
Theatre of the Absurd CE version 1.0 (Version: 1.0)
Tony Hawks Pro Skater 4 (Version: 1.00.0000)
TOSHIBA ConfigFree (Version: 5.90.10)
TOSHIBA Software Modem (Version: 2.2.97)
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
Toy Soldiers
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Windows Internet Explorer 8 (KB2598845) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB898461) (Version: 1)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
Vessel
WebFldrs XP (Version: 9.50.6513)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell™ 1.0 (Version: 2)
Windows XP Service Pack 3 (Version: 20080414.031525)
Wireless G WUA-1340 (Version: )
XML Paper Specification Shared Components Pack 1.0
Xvid Video Codec (Version: 1.3.2)
Yahoo! Software Update

========================= Devices: ================================

Name:
Description:
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


========================= Memory info: ===================================

Percentage of memory in use: 25%
Total physical RAM: 1915.93 MB
Available physical RAM: 1432.61 MB
Total Pagefile: 3809.11 MB
Available Pagefile: 3232.14 MB
Total Virtual: 2047.88 MB
Available Virtual: 1970.67 MB

========================= Partitions: =====================================

1 Drive c: (250GB) (Fixed) (Total:232.88 GB) (Free:14.58 GB) NTFS
3 Drive f: (Sniper Elite V2) (CDROM) (Total:5.13 GB) (Free:0 GB) CDFS
4 Drive g: (PORTAL) (CDROM) (Total:1.93 GB) (Free:0 GB) CDFS
5 Drive h: (Crazy Machines) (CDROM) (Total:0.95 GB) (Free:0 GB) CDFS

========================= Users: ========================================

User accounts for \\MARK-DJPO0JUHPG

Administrator ASPNET Cool One
Guest HelpAssistant postgres
SUPPORT_388945a0

========================= Minidump Files ==================================

C:\WINDOWS\Minidump\Mini032612-01.dmp

**** End of log ****

Sorry, I am brain dead tonight. On heavy medication.. can't remember S***
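Added example, not part of the original thread and not code from Farbar's tools: a small Python triage helper for the two logs pasted above, the Farbar Service Scanner output in post #5 and the MiniToolBox "Application errors" section in post #7. It flags the FSS ATTENTION! lines and the service they belong to (here the wscsvc Security Center key that FSS reports as missing), and it groups the Application Error events by faulting application, module, module version and fault address, so a repeating explorer.exe/ntdll.dll crash signature stands out from one-off instability. The sample inputs are constructed from fragments of those two posts; the function names and regular expressions are this example's own.

```python
"""Triage helper for Farbar Service Scanner (FSS) and MiniToolBox output.

Added example for this thread; not part of the original posts or of Farbar's
tools. It reads the plain text a user pastes into a forum reply and
  - returns each FSS "ATTENTION!" finding together with the service it is about,
  - counts MiniToolBox "Application Error" events by crash signature.
The two sample inputs below are constructed from fragments of posts #5 and #7.
"""
import re
from collections import Counter

# Constructed sample: the "Security Center" section of the FSS log in post #5 (abridged).
FSS_SAMPLE = """\
Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Windows Update:
============
"""

# Constructed sample: three events from the MiniToolBox "Application errors" section in post #7.
EVENTLOG_SAMPLE = """\
Error: (05/06/2012 08:12:44 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x00011053.
Processing media-specific event for [explorer.exe!ws!]

Error: (05/06/2012 07:39:02 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x00011053.
Processing media-specific event for [explorer.exe!ws!]

Error: (05/06/2012 02:10:11 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x00012437.
Processing media-specific event for [explorer.exe!ws!]
"""

# FSS names the service once ("X Service is not running ...") and then prints one
# "Checking <property>: ATTENTION!=====> <message>" line per registry property.
SERVICE_RE = re.compile(r"^(?P<svc>\S+) Service is not running")
ATTENTION_RE = re.compile(r"^Checking (?P<what>[^:]+): ATTENTION!=+> (?P<msg>.*)$")

# Windows XP "Application Error" description line as MiniToolBox reproduces it.
FAULT_RE = re.compile(
    r"Faulting application (?P<app>\S+), version (?P<appver>\S+), "
    r"faulting module (?P<mod>\S+), version (?P<modver>\S+), "
    r"fault address (?P<addr>0x[0-9a-fA-F]+)\."
)


def fss_attention(text):
    """Return (service, property_checked, message) for every FSS ATTENTION! line.

    The service name from the preceding 'Service is not running' line is carried
    forward so each finding is self-describing.
    """
    findings = []
    current = None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = m.group("svc")
            continue
        m = ATTENTION_RE.match(line)
        if m:
            findings.append((current, m.group("what"), m.group("msg")))
    return findings


def missing_service_keys(findings):
    """Services whose registry key FSS reported as missing (a common malware side effect
    and also a common result of aggressive 'tweaking' tools; FSS cannot tell which)."""
    return {svc for svc, _what, msg in findings if "service key does not exist" in msg.lower()}


def crash_signatures(text):
    """Count Application Error events by (app, module, module version, fault address).

    The same module and address recurring across events points at one crash path;
    scattered addresses look more like general instability.
    """
    counts = Counter()
    for m in FAULT_RE.finditer(text):
        counts[(m.group("app"), m.group("mod"), m.group("modver"), m.group("addr"))] += 1
    return counts


if __name__ == "__main__":
    att = fss_attention(FSS_SAMPLE)
    for svc, what, msg in att:
        print(f"FSS: {svc}: {what}: {msg}")
    print("services with missing key:", sorted(missing_service_keys(att)))
    for (app, mod, modver, addr), n in crash_signatures(EVENTLOG_SAMPLE).most_common():
        print(f"{n}x {app} -> {mod} {modver} @ {addr}")
```

Run it on the full text of posts #5 and #7 by replacing the two sample strings with the pasted logs; on the constructed samples it reports wscsvc as the single service with a missing key and two of the three explorer.exe crashes sharing the ntdll.dll 0x00011053 signature.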

#8 dev00790 (Bleeping Chocoholic; Members, 5,037 posts; Gender: Male; Location: UK)

Posted 07 May 2012 - 04:38 AM

Hi pokerprick,

Please do the following:

Step 1

Please download Rkill by Grinler and save it to your desktop.
Link 1
Link 2
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot your computer after running Rkill, as the malware programs will start again. If rebooting is required, run it again.

If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.


Step 2

  • Launch Malwarebytes' Anti-Malware (MBAM)
  • Click on the Update tab, then click Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Then on the Scanner tab select Perform Full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Post the log in your next reply.

NOTE: If asked to restart the computer, please do so. You may need to run rkill again - if so please also post the log for this run of rkill

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Step 3

How is your computer running now?

Edited by dev00790, 07 May 2012 - 04:38 AM.

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#9 pokerprick

pokerprick
  • Topic Starter

  • Members
  • 27 posts

Posted 07 May 2012 - 05:45 AM

Here you go...

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 05/07/2012 at 3:14:17.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 05/07/2012 at 3:14:21.
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.06.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Cool One :: MARK-DJPO0JUHPG [administrator]

5/7/2012 3:18:24 AM
mbam-log-2012-05-07 (03-18-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 235272
Time elapsed: 15 minute(s), 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
I still have the same problem.

#10 dev00790

dev00790

    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • Gender:Male
  • Location:UK

Posted 07 May 2012 - 07:48 AM

Hi

The previous scan you did with MBAM & posted was a quick scan.

Please do a full scan with MBAM as per step 2 of my earlier post.
Post the log in your next reply, and the rkill log if rkill is run again.

Regards, dev00790



#11 pokerprick

pokerprick
  • Topic Starter

  • Members
  • 27 posts

Posted 07 May 2012 - 02:07 PM

Sorry, should have read better.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.06.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Cool One :: MARK-DJPO0JUHPG [administrator]

5/7/2012 9:06:39 AM
mbam-log-2012-05-07 (09-06-39).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 392307
Time elapsed: 2 hour(s), 7 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Documents and Settings\Cool One\My Documents\Downloads\Rayman.Origins.REPACK-KaOs\d3drm.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cool One\My Documents\Downloads\left\Left 4 Dead 2\left4dead2\addons\Name_Enabler.dll (Malware.UPX.Mod) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A1E14D8-8FCE-4D4D-A92F-6593635DD8EE}\RP188\A0086045.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A1E14D8-8FCE-4D4D-A92F-6593635DD8EE}\RP84\A0030179.exe (HackTool.GamesCheat) -> Quarantined and deleted successfully.

(end)
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 05/07/2012 at 12:02:27.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 05/07/2012 at 12:02:30.

Computer still won't play videos. Now Firefox will not open either. It says "Firefox has encountered a problem and needs to close". Haven't noticed any other quirks, but just restarted.
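A small parser for the MBAM 1.x log format pasted above, added here as an example; it is not part of the thread and not Malwarebytes' code. It splits each "Files Detected" entry into path, signature and action, cross-checks the declared count against the entries actually listed (a log that lost lines when it was pasted shows up as inconsistent), and tags where each hit lives. The two hits under C:\System Volume Information\_restore{GUID}\RP188 and \RP84 are System Restore snapshot copies rather than live files, which is why an older restore point would bring such files back, and Malware.Packer.Gen and Malware.UPX.Mod are generic packer heuristics rather than named malware families. The sample log is a trimmed copy of the full-scan log above; the names Detection, classify_location, signature_class, parse_mbam and the HEURISTIC_PREFIXES list are this example's own assumptions.

```python
"""Parse a Malwarebytes Anti-Malware 1.x scan log into structured detections.
Added example, not from the thread or from Malwarebytes; the location and
signature classes below are this example's own assumptions."""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the full-scan log posted above.
SAMPLE_MBAM = r"""Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.06.06

Windows XP Service Pack 3 x86 NTFS
Cool One :: MARK-DJPO0JUHPG [administrator]

Scan type: Full scan
Objects scanned: 392307

Memory Processes Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Documents and Settings\Cool One\My Documents\Downloads\Rayman.Origins.REPACK-KaOs\d3drm.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cool One\My Documents\Downloads\left\Left 4 Dead 2\left4dead2\addons\Name_Enabler.dll (Malware.UPX.Mod) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A1E14D8-8FCE-4D4D-A92F-6593635DD8EE}\RP188\A0086045.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A1E14D8-8FCE-4D4D-A92F-6593635DD8EE}\RP84\A0030179.exe (HackTool.GamesCheat) -> Quarantined and deleted successfully.

(end)
"""

KV_RE = re.compile(r"^(?P<key>Database version|Scan type|Objects scanned): (?P<val>.+)$")
KEYS = {"Database version": "database", "Scan type": "scan_type", "Objects scanned": "objects_scanned"}
COUNT_RE = re.compile(r"^(?P<what>[A-Za-z ]+?) Detected: (?P<n>\d+)$")
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<sig>[^()]+)\) -> (?P<action>.+?)\.?$")
RP_RE = re.compile(r"\\RP(?P<rp>\d+)\\", re.I)

# Assumption: these prefixes are generic packer heuristics, which fire on
# legitimate (and cracked-game) binaries far more often than named families do.
HEURISTIC_PREFIXES = ("Malware.Packer", "Malware.UPX", "Heuristics.")


@dataclass
class Detection:
    path: str
    signature: str
    action: str
    location: str       # where on disk the hit lives, see classify_location
    restore_point: int  # RP number for a System Restore copy, else -1
    sig_class: str      # "heuristic/packer" or the signature's family name


def classify_location(path: str) -> str:
    p = path.lower()
    if "\\system volume information\\_restore{" in p:
        return "restore-point copy"   # System Restore snapshot, not the live file
    if "\\local settings\\temp\\" in p or "\\windows\\temp\\" in p:
        return "temp"
    if "\\downloads\\" in p:
        return "user download"
    if p.startswith("c:\\windows\\"):
        return "windows"
    if p.startswith("c:\\program files\\"):
        return "program files"
    return "other"


def signature_class(sig: str) -> str:
    return "heuristic/packer" if sig.startswith(HEURISTIC_PREFIXES) else sig.split(".")[0]


def parse_mbam(log: str) -> dict:
    info = {"declared": {}, "detections": []}
    section = None
    for line in (raw.strip() for raw in log.splitlines()):
        if m := KV_RE.match(line):
            info[KEYS[m["key"]]] = m["val"]
        elif m := COUNT_RE.match(line):
            section = m["what"]
            info["declared"][section] = int(m["n"])
        elif section == "Files" and (m := ENTRY_RE.match(line)):
            rp = RP_RE.search(m["path"])
            info["detections"].append(Detection(
                m["path"], m["sig"], m["action"], classify_location(m["path"]),
                int(rp["rp"]) if rp else -1, signature_class(m["sig"])))
    # A declared count that differs from the entries listed means the pasted
    # log was truncated; ask for the file from the Logs folder instead.
    info["consistent"] = info["declared"].get("Files", 0) == len(info["detections"])
    return info


if __name__ == "__main__":
    result = parse_mbam(SAMPLE_MBAM)
    print(result["scan_type"], result["database"], "consistent:", result["consistent"])
    for d in result["detections"]:
        print(f"{d.sig_class:16} {d.location:18} RP{d.restore_point:<4} {d.path}")
```

The consistency flag is the check worth keeping: on forum threads a log is routinely pasted with lines missing, and "Files Detected: 4" followed by three entries is the only signal that something was lost.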

#12 dev00790

dev00790

    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:12:46 PM

Posted 07 May 2012 - 03:23 PM

Hi

Please do the following next:

Step 1


Clear the Java cache

Clearing the Java Plug-in cache forces the browser to load the latest versions of web pages and programs.

To clear the Java Plug-in cache:

  • Click Start > Control Panel.
  • Double-click the Java icon in the control panel. The Java Control Panel appears.
  • Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
  • Click Delete Files. The Delete Temporary Files dialog box appears.
  • Click OK on the Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click OK on the Temporary Files Settings window.
    Note: If you want to delete a specific application and applet from the cache, click on the View Application and View Applet options respectively.

Step 2

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe on your desktop to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click on change parameters
  • Check the boxes next to Verify file digital signatures and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.



Step 3

I'd like us to scan your machine with ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed anti-virus; how to do so can be read here.

Note: Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the ESET Smart Installer icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • On ESET: Click the Back button, then the Finish button.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!



Step 4

How is your computer running now?

Regards, dev00790



#13 pokerprick

pokerprick
  • Topic Starter

  • Members
  • 27 posts

Posted 08 May 2012 - 12:02 AM

Thank you for the hard work.

C:\Documents and Settings\Cool One\Local Settings\Temp\Killing.Floor.Steam.Plus.6.Trainer.zip a variant of Win32/GameHack.O application deleted - quarantined
C:\Documents and Settings\Cool One\Local Settings\Temp\nsb64.tmp.exe Win32/Toolbar.SearchSuite application deleted - quarantined
C:\Documents and Settings\Cool One\Local Settings\Temp\SetupDataMngr_jZip.exe Win32/Toolbar.SearchSuite application deleted - quarantined

That's what ESET Scanner removed from the laptop. Had a file log, but after the lock-up things got lost; that file was one of them. I am doing it again; I just spent so much time that I wanted something to show for it. Not my week.

21:42:03.0015 0852 TDSS rootkit removing tool 2.7.34.0 May 2 2012 09:59:18
21:42:03.0546 0852 ============================================================
21:42:03.0546 0852 Current date / time: 2012/05/07 21:42:03.0546
21:42:03.0546 0852 SystemInfo:
21:42:03.0546 0852
21:42:03.0546 0852 OS Version: 5.1.2600 ServicePack: 3.0
21:42:03.0546 0852 Product type: Workstation
21:42:03.0546 0852 ComputerName: MARK-DJPO0JUHPG
21:42:03.0546 0852 UserName: Cool One
21:42:03.0546 0852 Windows directory: C:\WINDOWS
21:42:03.0546 0852 System windows directory: C:\WINDOWS
21:42:03.0546 0852 Processor architecture: Intel x86
21:42:03.0546 0852 Number of processors: 2
21:42:03.0546 0852 Page size: 0x1000
21:42:03.0546 0852 Boot type: Normal boot
21:42:03.0546 0852 ============================================================
21:42:06.0078 0852 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:42:06.0390 0852 ============================================================
21:42:06.0390 0852 \Device\Harddisk0\DR0:
21:42:06.0390 0852 MBR partitions:
21:42:06.0390 0852 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x6, StartLBA 0x3F, BlocksNum 0x1D1C4542
21:42:06.0390 0852 ============================================================
21:42:06.0437 0852 C: <-> \Device\Harddisk0\DR0\Partition0
21:42:06.0437 0852 ============================================================
21:42:06.0437 0852 Initialize success
21:42:06.0437 0852 ============================================================
21:42:30.0015 2972 Deinitialize success
When I tested this time it is the same, but after the "encountered problem" for Windows Explorer there was another of the same error window, but for Postmortem something something. Went away too fast. Anyway, I don't want to freeze up right now. I'm going to bed, so good night and thanks very much. Won't be online for about 20 hours. Talk to ya then, well maybe lol.

#14 dev00790

dev00790

    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • Gender:Male
  • Location:UK

Posted 08 May 2012 - 04:37 AM

Hi,

Since TDSSkiller was not able to run completely, please do this next:

Please follow step 8 of the preparation guide here, and post the log in your next reply.
If GMER crashes please give details along with any error message if applicable.

Regards, dev00790



#15 pokerprick

pokerprick
  • Topic Starter

  • Members
  • 27 posts

Posted 09 May 2012 - 02:22 AM

Hello, here is the file.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-09 00:14:49
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK2555GSX rev.FG001M
Running: gmer.exe; Driver: C:\DOCUME~1\COOLON~1\LOCALS~1\Temp\uwnyrfob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA4B8B640]

INT 0x63 ? 8AA29CB8
INT 0x63 ? 8AA29CB8
INT 0x63 ? 8AA29CB8
INT 0x63 ? 8AA29CB8
INT 0x63 ? 8A883F00
INT 0x63 ? 8A883F00
INT 0x63 ? 8AA29CB8
INT 0x73 ? 8A883F00
INT 0x73 ? 8A883F00
INT 0x94 ? 8A883F00
INT 0xA4 ? 8A883F00

---- Kernel code sections - GMER 1.0.15 ----

.sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xB97A1089]
.text USBPORT.SYS!DllUnload B89FE8AC 5 Bytes JMP 8A883410
.text ajhkh2ds.SYS!A0DB34FC6FE35D429A28ADDE5467D4D7 B86DE900 48 Bytes [A9, E3, 95, 4C, F1, 18, 11, ...]
? C:\WINDOWS\System32\Drivers\ajhkh2ds.SYS suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3400] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 10665EE6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3400] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 10665E78 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3400] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 10454822 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3400] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10454DD6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Real\RealPlayer\update\realsched.exe[3428] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\Program Files\Mozilla Firefox\firefox.exe[3456] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0121C930 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3456] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 0144E0AA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3456] kernel32.dll!MapViewOfFile 7C80B9A5 5 Bytes JMP 0144E083 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3456] GDI32.dll!CreateDIBSection 77F19E19 5 Bytes JMP 0144E00D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AA281E8
Device \Driver\usbuhci \Device\USBPDO-0 8A8081E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{73A37DC9-4369-4791-ABF0-5DC5D5152D49} 8A24E430
Device \Driver\usbuhci \Device\USBPDO-1 8A8081E8
Device \Driver\usbehci \Device\USBPDO-2 8A8071E8
Device \Driver\usbehci \Device\USBPDO-3 8A8071E8
Device \Driver\usbuhci \Device\USBPDO-4 8A8081E8
Device \Driver\usbuhci \Device\USBPDO-5 8A8081E8
Device \Driver\usbuhci \Device\USBPDO-6 8A8081E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{E4D88F34-E6F6-47F7-B2AB-E1F1E90A972F} 8A24E430
Device \Driver\usbuhci \Device\USBPDO-7 8A8081E8
Device \Driver\Cdrom \Device\CdRom0 8A7BA1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-12 [B95F9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B95F9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B95F9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B95F9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B95F9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B95F9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom1 8A7BA1E8
Device \Driver\Cdrom \Device\CdRom2 8A7BA1E8
Device \Driver\Cdrom \Device\CdRom3 8A7BA1E8
Device \Driver\dtsoftbus01 \Device\00000075 8A6ED1E8
Device \Driver\Cdrom \Device\CdRom4 8A7BA1E8
Device \Driver\dtsoftbus01 \Device\00000076 8A6ED1E8
Device \Driver\dtsoftbus01 \Device\00000077 8A6ED1E8
Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl 8A6ED1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A24E430
Device \Driver\NetBT \Device\NetbiosSmb 8A24E430
Device \Driver\PCI_PNP6154 \Device\0000004d sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
Device \Driver\PCI_PNP6154 \Device\0000004d sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
Device \Driver\usbuhci \Device\USBFDO-0 8A8081E8
Device \Driver\usbuhci \Device\USBFDO-1 8A8081E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A222430
Device \Driver\usbehci \Device\USBFDO-2 8A8071E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A222430
Device \Driver\usbuhci \Device\USBFDO-3 8A8081E8
Device \Driver\usbuhci \Device\USBFDO-4 8A8081E8
Device \Driver\usbuhci \Device\USBFDO-5 8A8081E8
Device \Driver\usbuhci \Device\USBFDO-6 8A8081E8
Device \Driver\usbehci \Device\USBFDO-7 8A8071E8
Device \Driver\ajhkh2ds \Device\Scsi\ajhkh2ds1Port4Path0Target0Lun0 8A74F1E8
Device \Driver\ajhkh2ds \Device\Scsi\ajhkh2ds1 8A74F1E8
Device \FileSystem\Cdfs \Cdfs 8A21F430

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 F:\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB7 0xED 0xC8 0x29 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x29 0xA1 0xEC 0x0C ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x98 0xE3 0xE1 0x37 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9C 0x3B 0x46 0x95 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDB 0x3F 0x7C 0x8D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x98 0xE3 0xE1 0x37 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xAC 0xDD 0x8B 0x33 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9C 0x3B 0x46 0x95 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDB 0x3F 0x7C 0x8D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x98 0xE3 0xE1 0x37 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xAC 0xDD 0x8B 0x33 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x88 0xD4 0xA6 0x27 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x29 0xA1 0xEC 0x0C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xB4 0x7A 0x44 0x83 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x8E 0xD6 0x34 0xFD ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x29 0xA1 0xEC 0x0C ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xB4 0x7A 0x44 0x83 ...

---- EOF - GMER 1.0.15 ----
Computer is the same.
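Reading a GMER log like the one above takes a triage step that GMER itself does not do: deciding which hooks belong to software the machine is known to run. The log already names most owners. The SSDT hook on ZwTerminateProcess is SUPERAntiSpyware's SASKUTIL.SYS, the user-mode hooks in firefox.exe and plugin-container.exe point into Firefox's own xul.dll in the same directory, and sptd.sys is Duplex Secure's SCSI Pass Through Direct, which the sptd\Cfg registry values tie to DAEMON Tools Lite. What is left for a human is the randomly named driver ajhkh2ds.SYS with its "suspicious PE modification" and the inline jump out of USBPORT.SYS; virtual-drive software is also known to install randomly named SCSI drivers, so the name alone is not proof of a rootkit either way. The script below is an added example, not part of the thread and not GMER's code: it parses one line of each shape from the posted log and sorts them into expected, info and review. KNOWN_SECURITY_VENDORS, KNOWN_DRIVERS, the regular expressions and the verdict rules are this example's own assumptions.

```python
"""Triage GMER rootkit-scan lines: separate hooks that known software installs on
purpose from entries that need a human look. Added example, not from the thread or
from GMER; the allowlists and verdict rules are this example's own assumptions."""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: one line of each shape, copied from the GMER log above.
SAMPLE_GMER = r"""---- System - GMER 1.0.15 ----
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA4B8B640]
---- Kernel code sections - GMER 1.0.15 ----
.sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xB97A1089]
.text USBPORT.SYS!DllUnload B89FE8AC 5 Bytes JMP 8A883410
.text ajhkh2ds.SYS!A0DB34FC6FE35D429A28ADDE5467D4D7 B86DE900 48 Bytes [A9, E3, 95, 4C, F1, 18, 11, ...]
? C:\WINDOWS\System32\Drivers\ajhkh2ds.SYS suspicious PE modification
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Real\RealPlayer\update\realsched.exe[3428] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\Program Files\Mozilla Firefox\firefox.exe[3456] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0121C930 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
"""

# Assumptions of this example, not GMER's own knowledge.
KNOWN_SECURITY_VENDORS = ("SUPERAntiSpyware",)  # their SSDT hooks are self-protection
KNOWN_DRIVERS = {"sptd.sys": "Duplex Secure SCSI Pass Through Direct (DAEMON Tools / Alcohol virtual drives)"}

SSDT_RE = re.compile(r'^SSDT\s+(?P<module>.+?)\s+\((?P<vendor>[^)]*)\)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-F]+)\]$')
ENTRY_RE = re.compile(r'^\.\S+\s+(?P<path>.+?)\s+entry point in "(?P<section>[^"]+)" section')
USER_RE = re.compile(r'^\.text\s+(?P<proc>.+?\.exe)\[(?P<pid>\d+)\]\s+(?P<dll>[^!\s]+)!(?P<func>\S+)\s+[0-9A-F]+\s+(?P<n>\d+) Bytes\s+(?P<patch>.*)$')
KERNEL_RE = re.compile(r'^\.text\s+(?P<module>[^!\s]+)!(?P<func>\S+)\s+[0-9A-F]+\s+(?P<n>\d+) Bytes\s+(?P<patch>.*)$')
PEMOD_RE = re.compile(r'^\?\s+(?P<path>.+?)\s+suspicious PE modification$')
JMP_RE = re.compile(r'^JMP\s+[0-9A-F]+\s+(?P<target>.+?)\s+\((?P<vendor>[^)]*)\)$')
RANDOM_RE = re.compile(r'^(?=.*\d)[a-z0-9]{8}\.sys$')  # eight lowercase alphanumerics with a digit


@dataclass
class Finding:
    kind: str     # ssdt | entry-point | kernel-inline | pe-modified | user-inline
    subject: str  # what GMER reported on: module, driver path or process!function
    detail: str
    verdict: str  # expected | info | review
    reason: str


def known_vendor(text: str) -> bool:
    return any(v.lower() in text.lower() for v in KNOWN_SECURITY_VENDORS)


def looks_random(driver: str) -> bool:
    # Rootkits and virtual-drive software both install randomly named drivers, so
    # this only routes the entry to review; on its own it never proves infection.
    return RANDOM_RE.match(driver.lower()) is not None


def classify_user_hook(m) -> Finding:
    proc = PureWindowsPath(m["proc"])
    subject = f"{proc.name}[{m['pid']}] {m['dll']}!{m['func']}"
    t = JMP_RE.match(m["patch"])
    if t is None:  # bytes rewritten in place, no jump into another module
        return Finding("user-inline", subject, m["patch"], "info",
                       "in-place patch, crash-handler style, no foreign code involved")
    target = PureWindowsPath(t["target"])
    if target.parent == proc.parent:
        return Finding("user-inline", subject, f"JMP -> {target.name}", "expected",
                       "process hooks itself from its own install directory")
    verdict = "expected" if known_vendor(t["vendor"]) else "review"
    return Finding("user-inline", subject, f"JMP -> {target}", verdict,
                   f"hook from a foreign module ({t['vendor'] or 'no vendor string'})")


def classify_kernel_hook(m) -> Finding:
    if looks_random(m["module"]):
        verdict, reason = "review", "randomly named driver, identify what installed it"
    elif m["patch"].startswith("JMP"):
        verdict, reason = "review", "driver export redirected to an address in no named module"
    else:
        verdict, reason = "info", "bytes changed in place without a jump"
    return Finding("kernel-inline", f"{m['module']}!{m['func']}",
                   f"{m['n']} bytes {m['patch']}", verdict, reason)


def triage(log_text: str) -> list:
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := SSDT_RE.match(line):
            ok = known_vendor(m["vendor"])
            findings.append(Finding("ssdt", m["module"], f"{m['func']} -> {m['addr']}", "expected" if ok else "review",
                                    "known security product self-protection" if ok else "unrecognised module owns an SSDT entry"))
        elif m := ENTRY_RE.match(line):
            name = PureWindowsPath(m["path"]).name.lower()
            findings.append(Finding("entry-point", m["path"], f'entry point in "{m["section"]}"',
                                    "expected" if name in KNOWN_DRIVERS else "review",
                                    KNOWN_DRIVERS.get(name, "entry point outside the usual code section")))
        elif m := PEMOD_RE.match(line):
            findings.append(Finding("pe-modified", m["path"], "suspicious PE modification", "review",
                                    "GMER reports the loaded driver image as modified"))
        elif m := USER_RE.match(line):
            findings.append(classify_user_hook(m))
        elif m := KERNEL_RE.match(line):
            findings.append(classify_kernel_hook(m))
    return findings


def summarize(findings: list) -> dict:
    return dict(Counter(f.verdict for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_GMER):
        print(f"{f.verdict:8} {f.kind:13} {f.subject}: {f.reason}")
```

The same-directory rule is what clears the Firefox entries without an allowlist: a process whose API hooks jump into a DLL shipped beside its own executable is hooking itself. Everything the rules cannot attribute lands in "review", which on this log is exactly the three entries a helper would chase next: the USBPORT.SYS jump, the ajhkh2ds.SYS driver and its modified image.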



