cannot download .exe files

This topic is locked
10 replies to this topic

#1 Jai Reh

Posted 08 February 2013 - 09:04 AM

Please help, I don't know what to do. I can download anything (.zip, .mp3, .docx, etc.) but .exe files only download to 99% and then stop.

Here are the logs:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.9.2
Run by Reynaldo Home at 21:52:17 on 2013-02-08
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2038.1237 [GMT 8:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Antivirus *Disabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\1.3.21.135\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\USB Disk Security\USBGuard.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\McAfee Security Scan\2.0.189\SSScheduler.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Splashtop\Splashtop Remote\Server\SRService.exe
C:\Program Files\Splashtop\Splashtop Software Updater\SSUService.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.0.1\ToolbarUpdater.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\REYNAL~1\LOCALS~1\Temp\windblpp.exe
C:\DOCUME~1\REYNAL~1\LOCALS~1\Temp\winnaqhxr.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\DOCUME~1\REYNAL~1\LOCALS~1\Temp\winnrhb.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3220468
mStart Page = hxxp://home.sweetim.com/?barid={99F357B5-E828-11E0-94D2-002197964227}
uProxyServer = 116.48.147.1:3128
uProxyOverride = local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13157&gct=&gc=1&q=%s
uURLSearchHooks: YTD Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - c:\program files\ytd toolbar\ie\6.6\ytdToolbarIE.dll
dURLSearchHooks: MHURLSearchHook Class: {1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48} - LocalServer32 - <no file>
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: GigagetIEHelper Class: {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - c:\windows\system32\gigagetbho_v10.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTo0.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: uTorrentControl_v2 Toolbar: {7473b6bd-4691-4744-a82b-7854eb3d70b6} - c:\program files\utorrentcontrol_v2\prxtbuTor.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\14.0.2.14\AVG Secure Search_toolbar.dll
BHO: Babylon IE plugin: {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - LocalServer32 - <no file>
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: Softonic Helper Object: {E87806B5-E908-45FD-AF5E-957D83E58E68} - c:\program files\softonic\softonic\1.5.24.3\bh\Softonic.dll
BHO: YTD Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - c:\program files\ytd toolbar\ie\6.6\ytdToolbarIE.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: uTorrentControl2 Toolbar: {687578B9-7132-4A7A-80E4-30EE31099E03} - c:\program files\utorrentcontrol2\prxtbuTo0.dll
TB: uTorrentControl_v2 Toolbar: {7473B6BD-4691-4744-A82B-7854EB3D70B6} - c:\program files\utorrentcontrol_v2\prxtbuTor.dll
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\14.0.2.14\AVG Secure Search_toolbar.dll
TB: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTo0.dll
TB: uTorrentControl_v2 Toolbar: {7473b6bd-4691-4744-a82b-7854eb3d70b6} - c:\program files\utorrentcontrol_v2\prxtbuTor.dll
TB: Softonic Toolbar: {5018CFD2-804D-4C99-9F81-25EAEA2769DE} - c:\program files\softonic\softonic\1.5.24.3\SoftonicTlbr.dll
TB: YTD Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - c:\program files\ytd toolbar\ie\6.6\ytdToolbarIE.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"  /MINIMIZED
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Akamai NetSession Interface] "c:\documents and settings\reynaldo home\local settings\application data\akamai\netsession_win.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\reynaldo home\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [USB Antivirus] c:\program files\usb disk security\USBGuard.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Anti-phishing Domain Advisor] "c:\documents and settings\all users\application data\anti-phishing domain advisor\visicom_antiphishing.exe"
mRun: [ASUSWebStorage] c:\program files\asus\asus webstorage\3.0.130.270\AsusWSPanel.exe /S
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\8.0"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.189\SSScheduler.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDrives = dword:0
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: Shell = explorer.exe,c:\documents and settings\reynaldo home\application data\Mhzizu.exe
mPolicies-System: EnableLUA = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} - hxxps://www.e-games.com.ph/com/EGamesPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.4.13.0.cab
TCP: NameServer = 124.106.5.2 124.106.7.2
TCP: Interfaces\{90DF3E01-EE65-4262-A309-BA47D7CCB199} : DHCPNameServer = 124.106.5.2 124.106.7.2
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - LocalServer32 - <no file>
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\14.0.1\ViProtocol.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\reynaldo home\application data\mozilla\firefox\profiles\61esoj9c.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3220468&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3220468&SearchSource=2&q=
FF - plugin: c:\documents and settings\reynaldo home\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\reynaldo home\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\reynaldo home\application data\mozilla\firefox\profiles\61esoj9c.default\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}\plugins\np-mswmp.dll
FF - plugin: c:\documents and settings\reynaldo home\application data\mozilla\firefox\profiles\61esoj9c.default\extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}\plugins\np-mswmp.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\14.0.1\npsitesafety.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1168638.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: !HIDDEN! 2009-09-02 23:14; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - ExtSQL: !HIDDEN! 2009-12-20 18:12; smartwebprinting@hp.com; c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.Softonic.rvrtMsg - Click Yes to keep current home page and default search settings, Click No to restore original settings
FF - user.js: extensions.Softonic_i.hmpg - true
FF - user.js: extensions.Softonic.hmpgUrl - hxxp://search.softonic.com/MON00006/tb_v1?SearchSource=13&cc=
FF - user.js: extensions.Softonic.hpOld - hxxp://search.conduit.com/?ctid=CT3072253&SearchSource=13
FF - user.js: extensions.Softonic.hpNew - hxxp://search.softonic.com/MON00006/tb_v1?SearchSource=13&cc=
FF - user.js: extensions.Softonic.dfltSrch - true
FF - user.js: extensions.Softonic.srchPrvdr - Search the web (Softonic)
FF - user.js: extensions.Softonic.keyWordUrl - hxxp://search.softonic.com/MON00006/tb_v1?SearchSource=2&cc=&q=
FF - user.js: extensions.Softonic.dspOld - uTorrentControl2 Customized Web Search
FF - user.js: extensions.Softonic.dspNew - Search the web (Softonic)
FF - user.js: extensions.Softonic_i.dnsErr - true
FF - user.js: extensions.Softonic.newTabUrl - hxxp://search.softonic.com/MON00006/tb_v1?SearchSource=15&cc=
FF - user.js: extensions.Softonic.autoRvrt - false
FF - user.js: extensions.Softonic_i.newTab - false
FF - user.js: extensions.Softonic.tlbrSrchUrl - hxxp://search.softonic.com/MON00001/tb_v1?SearchSource=1&cc=&q=
FF - user.js: extensions.Softonic.id - 3c9b550c000000000000002197964227
FF - user.js: extensions.Softonic.instlDay - 15635
FF - user.js: extensions.Softonic.vrsn - 1.5.24.3
FF - user.js: extensions.Softonic.vrsni - 1.5.24.3
FF - user.js: extensions.Softonic_i.vrsnTs - 1.5.24.38:17:54
FF - user.js: extensions.Softonic.prtnrId - softonic
FF - user.js: extensions.Softonic.prdct - Softonic
FF - user.js: extensions.Softonic.aflt - orgnl
FF - user.js: extensions.Softonic_i.smplGrp - none
FF - user.js: extensions.Softonic.tlbrId - base
FF - user.js: extensions.Softonic.instlRef - MON00001
FF - user.js: extensions.Softonic.dfltLng -
FF - user.js: extensions.Softonic.excTlbr - false
FF - user.js: extensions.Softonic.admin - false
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-9-29 442200]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-9-4 31576]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2012-11-28 793600]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-9-22 398184]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-21 50704]
R2 SplashtopRemoteService;Splashtop® Remote Service;c:\program files\splashtop\splashtop remote\server\SRService.exe [2011-11-10 520040]
R2 SSUService;Splashtop Software Updater Service;c:\program files\splashtop\splashtop software updater\SSUService.exe [2011-11-10 370504]
R2 vToolbarUpdater14.0.1;vToolbarUpdater14.0.1;c:\program files\common files\avg secure search\vtoolbarupdater\14.0.1\ToolbarUpdater.exe [2013-1-23 945328]
R3 amsint32;amsint32;\??\c:\windows\system32\drivers\hsgpqk.sys --> c:\windows\system32\drivers\hsgpqk.sys [?]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-9 21104]
R3 SRS_HDAL_Service;HD Audio Lab;c:\windows\system32\drivers\SRS_HDAL_i386.sys [2011-8-30 390944]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-8-30 2127728]
S0 rtjif;rtjif;c:\windows\system32\drivers\bqph.sys --> c:\windows\system32\drivers\bqph.sys [?]
S2 aozgkerw;Microsoft System Management BIOS Monitor;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 chrofu;Monitor Shell;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 decatj;Microsoft Installer;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 gheuajfaq;Shell Config;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 lvtkhthl;Config Microsoft;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-9 682344]
S2 ncodhzcg;System Microsoft;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 nurgrhmdn;Driver Center;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S2 ssyqpqz;Time Image;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 zfzmlhulc;Helper Time;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\reynal~1\locals~1\temp\xhs9.tmp --> c:\docume~1\reynal~1\locals~1\temp\XHS9.tmp [?]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2011-9-29 21632]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.189\McCHSvc.exe [2010-9-3 227232]
S3 NLNdisMP;NLNdisMP;c:\windows\system32\drivers\nlndis.sys --> c:\windows\system32\drivers\nlndis.sys [?]
S3 NLNdisPT;NetLimiter Ndis Protocol Service;c:\windows\system32\drivers\nlndis.sys --> c:\windows\system32\drivers\nlndis.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2012-8-18 27064]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 XDva337;XDva337;\??\c:\windows\system32\xdva337.sys --> c:\windows\system32\XDva337.sys [?]
S3 XDva344;XDva344;\??\c:\windows\system32\xdva344.sys --> c:\windows\system32\XDva344.sys [?]
S4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-2-17 20568]
S4 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-2-17 320856]
S4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-2-17 44768]
.
=============== File Associations ===============
.
FileExt: .scr: AutoCADScriptFile="c:\windows\system32\notepad.exe" "%1"
.
=============== Created Last 30 ================
.
2013-02-08 09:20:07    1565229056    ----a-w-    c:\program files\GarenaHoN_3000008.exe
2013-02-08 05:22:02    --------    d-----w-    c:\documents and settings\reynaldo home\application data\Garena
2013-01-25 05:18:34    --------    d-----w-    C:\disk d
2013-01-23 08:30:29    --------    d-----w-    c:\windows\system32\cache
2013-01-21 06:14:11    --------    d-sh--w-    C:\found.000
2013-01-13 11:53:47    --------    d-----w-    c:\documents and settings\reynaldo home\application data\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2013-01-13 09:37:55    --------    d-----w-    c:\documents and settings\all users\application data\regid.1986-12.com.adobe
2013-01-13 08:20:50    --------    d-----w-    c:\program files\Adobe Flash Pro CS5.5
2013-01-12 08:02:08    --------    d-----w-    c:\documents and settings\reynaldo home\local settings\application data\NetBeans
2013-01-12 08:02:07    --------    d-----w-    c:\documents and settings\reynaldo home\application data\NetBeans
2013-01-12 07:46:09    --------    d-----w-    c:\program files\glassfish-3.1.2.2
2013-01-12 07:25:21    --------    d-----w-    c:\program files\NetBeans 7.2.1
2013-01-12 07:20:29    --------    d-----w-    c:\documents and settings\reynaldo home\.nbi
2013-01-11 11:57:25    114688    ----a-r-    c:\documents and settings\reynaldo home\application data\microsoft\installer\{885a63ea-382b-4dd4-a755-14809b8557d6}\ARPPRODUCTICON.exe
.
==================== Find3M  ====================
.
2013-01-23 08:29:16    31576    ----a-w-    c:\windows\system32\drivers\avgtpx86.sys
2012-12-16 12:23:59    290560    ----a-w-    c:\windows\system32\atmfd.dll
2012-12-14 08:49:28    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
2012-11-13 01:25:12    1866368    ----a-w-    c:\windows\system32\win32k.sys
2011-10-01 15:36:25    34884718    ----a-w-    c:\program files\iTunes.lnk.exe
2004-07-08 20:08:36    538112    ----a-w-    c:\program files\dxsetup.exe
.
============= FINISH: 21:53:49.64 ===============
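A triage pass over DDS-style lines like the ones in the log above, added here as an example; it is not part of this thread and not part of the DDS tool. The heuristics (executables running from a Temp directory, a user proxy pointing at a non-private host, an extra executable on the Winlogon Shell value, EnableLUA set to 0, random-looking service names hosted by svchost, and driver entries DDS marked `[?]`) are this example's own assumptions, and the sample lines are a subset copied from the log above.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Sample lines copied from the DDS log in the first post (a constructed subset, not a full log).
SAMPLE_DDS = """\
C:\\WINDOWS\\system32\\spoolsv.exe
C:\\DOCUME~1\\REYNAL~1\\LOCALS~1\\Temp\\windblpp.exe
C:\\DOCUME~1\\REYNAL~1\\LOCALS~1\\Temp\\winnaqhxr.exe
C:\\Program Files\\Mozilla Firefox\\firefox.exe
uProxyServer = 116.48.147.1:3128
uProxyOverride = local
mPolicies-System: Shell = explorer.exe,c:\\documents and settings\\reynaldo home\\application data\\Mhzizu.exe
mPolicies-System: EnableLUA = dword:0
R3 amsint32;amsint32;\\??\\c:\\windows\\system32\\drivers\\hsgpqk.sys --> c:\\windows\\system32\\drivers\\hsgpqk.sys [?]
S2 aozgkerw;Microsoft System Management BIOS Monitor;c:\\windows\\system32\\svchost.exe -k netsvcs [2008-4-14 14336]
S2 MBAMService;MBAMService;c:\\program files\\malwarebytes' anti-malware\\mbamservice.exe [2011-12-9 682344]
S2 chrofu;Monitor Shell;c:\\windows\\system32\\svchost.exe -k netsvcs [2008-4-14 14336]
"""


@dataclass
class Finding:
    category: str
    detail: str
    line: str


# Patterns for the DDS line shapes used above (assumptions of this example, not a DDS spec).
TEMP_EXE = re.compile(r"\\temp\\[^\\]+\.(?:exe|tmp|sys)$", re.IGNORECASE)
PROXY = re.compile(r"^[ud]?ProxyServer\s*=\s*(\S+)$")
SHELL = re.compile(r"Shell\s*=\s*explorer\.exe\s*,\s*(.+)$", re.IGNORECASE)
SERVICE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")      # state name;display;image
SVCHOST_GROUP = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)
LOWER_ONLY = re.compile(r"^[a-z]+$")


def proxy_is_external(hostport: str) -> bool:
    """True when the proxy host is not a loopback/private IP address."""
    host = hostport.rsplit(":", 1)[0]
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:
        return True  # a hostname: cannot prove it is local, so report it


def looks_random_service(name: str, display: str) -> bool:
    """Heuristic: an all-lowercase service name that does not even appear in
    its own display name, as with 'aozgkerw' / 'Microsoft System Management BIOS Monitor'."""
    return bool(LOWER_ONLY.match(name)) and name not in display.lower()


def triage(dds_text: str) -> list:
    """Return one Finding per suspicious line; clean lines produce nothing."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TEMP_EXE.search(line):
            findings.append(Finding("temp-executable", "binary running from a Temp directory", line))
            continue
        m = PROXY.match(line)
        if m and proxy_is_external(m.group(1)):
            findings.append(Finding("proxy", f"user proxy points at external host {m.group(1)}", line))
            continue
        m = SHELL.search(line)
        if m:
            findings.append(Finding("shell-policy", f"extra shell executable: {m.group(1)}", line))
            continue
        if re.search(r"EnableLUA\s*=\s*dword:0\b", line):
            findings.append(Finding("policy", "EnableLUA set to 0", line))
            continue
        m = SERVICE.match(line)
        if m:
            _state, name, display, image = m.groups()
            g = SVCHOST_GROUP.search(image)
            if g and looks_random_service(name, display):
                findings.append(Finding("svchost-service",
                                        f"random-looking service '{name}' in svchost group {g.group(1)}", line))
            elif image.rstrip().endswith("[?]"):
                # DDS prints [?] when it could not read the file behind the entry.
                findings.append(Finding("missing-file", f"file for '{name}' could not be read", line))
    return findings


def summarize(findings) -> dict:
    """Count findings per category, handy for a quick first look at a long log."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.category}] {f.detail}\n    {f.line}")
```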

#2 myrti

Posted 08 February 2013 - 09:17 AM

Hi Jai Reh,

Can you please post a log from GMER too, as explained here:

Please run a scan with gmer too:
Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.



#3 Jai Reh

Posted 08 February 2013 - 09:40 AM

Hi myrti,

Thanks for replying.

Here are the logs from GMER:

GMER 2.0.18454 - http://www.gmer.net
Rootkit scan 2013-02-08 22:34:31
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 ST3320613AS rev.SD22 298.09GB
Running: yrty5hjb.exe; Driver: C:\DOCUME~1\REYNAL~1\LOCALS~1\Temp\ugrdapob.sys


---- System - GMER 2.0 ----

SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwAddBootEntry [0xA35F0374]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwClose [0xA3614829]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwCreateEvent [0xA35F2996]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwCreateEventPair [0xA35F29EE]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwCreateIoCompletion [0xA35F2B04]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwCreateKey [0xA36141DD]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwCreateMutant [0xA35F28EC]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwCreateSection [0xA35F2A3E]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwCreateSemaphore [0xA35F2940]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwCreateTimer [0xA35F2AB2]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwDeleteBootEntry [0xA35F0398]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwDeleteKey [0xA3614EEF]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwDeleteValueKey [0xA36151A5]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwDuplicateObject [0xA35F2D88]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwEnumerateKey [0xA3614D5A]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwEnumerateValueKey [0xA3614BC5]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwLoadDriver [0xA35F0162]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwModifyBootEntry [0xA35F03BC]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwNotifyChangeKey [0xA35F2EFC]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwNotifyChangeMultipleKeys [0xA35F0E54]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwOpenEvent [0xA35F29C6]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwOpenEventPair [0xA35F2A16]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwOpenIoCompletion [0xA35F2B2E]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwOpenKey [0xA3614539]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwOpenMutant [0xA35F2918]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwOpenProcess [0xA35F2BC0]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwOpenSection [0xA35F2A7E]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwOpenSemaphore [0xA35F296E]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwOpenThread [0xA35F2CA4]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwOpenTimer [0xA35F2ADC]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwQueryKey [0xA3614A40]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwQueryObject [0xA35F0D1A]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwQueryValueKey [0xA3614892]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwRestoreKey [0xA3613850]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwSetBootEntryOrder [0xA35F03E0]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwSetBootOptions [0xA35F0404]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwSetSystemInformation [0xA35F01BC]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwSetSystemPowerState [0xA35F02F8]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwSetValueKey [0xA3614FF6]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwShutdownSystem [0xA35F02D4]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwSystemDebugControl [0xA35F031C]
SSDT      \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                ZwVdmControl [0xA35F0428]

INT 0x63  ?                                                                                                                    8AA7ABF8
INT 0x73  ?                                                                                                                    8AE83BF8
INT 0x73  ?                                                                                                                    8AE83BF8
INT 0x73  ?                                                                                                                    8AA7ABF8
INT 0x73  ?                                                                                                                    8AE83BF8
INT 0x83  ?                                                                                                                    8AA7ABF8
INT 0xB4  ?                                                                                                                    8AA7ABF8

---- Kernel code sections - GMER 2.0 ----

PAGE      ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC                                                                          80576705 4 Bytes  CALL A35F14AF \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
?         spqp.sys                                                                                                             The system cannot find the file specified. !
.text     USBPORT.SYS!DllUnload                                                                                                B90158AC 5 Bytes  JMP 8AA7A1D8
.text     ahm8vdwy.SYS                                                                                                         B8F8D386 35 Bytes  [00, 00, 00, 00, 00, 00, 20, ...]
.text     ahm8vdwy.SYS                                                                                                         B8F8D3AA 24 Bytes  [00, 00, 00, 00, 00, 00, 00, ...]
.text     ahm8vdwy.SYS                                                                                                         B8F8D3C4 3 Bytes  [00, 80, 02]
.text     ahm8vdwy.SYS                                                                                                         B8F8D3C9 1 Byte  [30]
.text     ahm8vdwy.SYS                                                                                                         B8F8D3C9 11 Bytes  [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text     ...                                                                                                                  
.text     win32k.sys!EngFreeUserMem + 674                                                                                      BF80991D 5 Bytes  JMP A35F3E48 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text     win32k.sys!EngDeleteSurface + 45                                                                                     BF813911 5 Bytes  JMP A35F3D54 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text     win32k.sys!EngSetLastError + 79A8                                                                                    BF8240DB 5 Bytes  JMP A35F30DA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text     win32k.sys!EngCreateBitmap + F9C                                                                                     BF828A45 5 Bytes  JMP A35F3FB2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text     win32k.sys!EngUnmapFontFileFD + 2C50                                                                                 BF831490 5 Bytes  JMP A35F41BA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text     win32k.sys!EngUnmapFontFileFD + B687                                                                                 BF839EC7 5 Bytes  JMP A35F3CC4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text     win32k.sys!FONTOBJ_pxoGetXform + C2CF                                                                                BF85176B 5 Bytes  JMP A35F3016 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text     win32k.sys!XLATEOBJ_iXlate + 3581                                                                                    BF85E304 5 Bytes  JMP A35F3326 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text     win32k.sys!XLATEOBJ_iXlate + 360C                                                                                    BF85E38F 5 Bytes  JMP A35F34CC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text     win32k.sys!EngCreatePalette + 88                                                                                     BF85F600 5 Bytes  JMP A35F2FFE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text     win32k.sys!EngCreatePalette + 5466                                                                                   BF8649DE 5 Bytes  JMP A35F3D7E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text     win32k.sys!EngGetCurrentCodePage + 418E                                                                              BF873D6B 5 Bytes  JMP A35F34A4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text     win32k.sys!EngGradientFill + 26EE                                                                                    BF894410 5 Bytes  JMP A35F3EFA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text     win32k.sys!EngStretchBltROP + 583                                                                                    BF894EE8 5 Bytes  JMP A35F4118 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text     win32k.sys!EngCopyBits + 4DF7                                                                                        BF89D833 5 Bytes  JMP A35F314A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text     win32k.sys!EngEraseSurface + A977                                                                                    BF8C1CCC 5 Bytes  JMP A35F31E4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text     win32k.sys!EngFillPath + 1517                                                                                        BF8CA15D 5 Bytes  JMP A35F3254 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text     win32k.sys!EngFillPath + 1797                                                                                        BF8CA3DD 5 Bytes  JMP A35F328E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text     win32k.sys!EngDeleteSemaphore + 3B2E                                                                                 BF8EBD71 5 Bytes  JMP A35F2F32 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text     win32k.sys!EngCreateClip + 1A40                                                                                      BF914401 5 Bytes  JMP A35F3096 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text     win32k.sys!EngCreateClip + 2614                                                                                      BF914FD5 5 Bytes  JMP A35F31AE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text     win32k.sys!EngCreateClip + 4F8D                                                                                      BF91794E 5 Bytes  JMP A35F35E6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text     win32k.sys!EngPlgBlt + 1934                                                                                          BF947AAD 5 Bytes  JMP A35F4070 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
?         C:\WINDOWS\system32\drivers\hsgpqk.sys                                                                               The system cannot find the file specified. !
?         C:\DOCUME~1\REYNAL~1\LOCALS~1\Temp\mbr.sys                                                                           The system cannot find the file specified. !

---- User code sections - GMER 2.0 ----

.text     C:\Program Files\Internet Explorer\iexplore.exe[1640] kernel32.dll!LoadLibraryExW + C4                               7C801BB9 4 Bytes  CALL 01B30001
.text     C:\Program Files\Internet Explorer\iexplore.exe[1640] ADVAPI32.dll!RegSetValueExW                                    77DDD767 6 Bytes  JMP 01B91581 C:\Program Files\Common Files\Spigot\Search Settings\wth156.dll (WTH Dynamic Link Library/Spigot, Inc.)
.text     C:\Program Files\Internet Explorer\iexplore.exe[1640] ADVAPI32.dll!RegSetValueW                                      77E36116 6 Bytes  JMP 01B9155E C:\Program Files\Common Files\Spigot\Search Settings\wth156.dll (WTH Dynamic Link Library/Spigot, Inc.)
.text     C:\Program Files\Internet Explorer\iexplore.exe[1640] USER32.dll!DialogBoxParamW                                     7E4247AB 5 Bytes  JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text     C:\Program Files\Internet Explorer\iexplore.exe[1640] USER32.dll!CreateWindowExW                                     7E42D0A3 5 Bytes  JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text     C:\Program Files\Internet Explorer\iexplore.exe[1640] USER32.dll!DialogBoxIndirectParamW                             7E432072 5 Bytes  JMP 3E3E725F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text     C:\Program Files\Internet Explorer\iexplore.exe[1640] USER32.dll!MessageBoxIndirectA                                 7E43A082 5 Bytes  JMP 3E3E7191 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text     C:\Program Files\Internet Explorer\iexplore.exe[1640] USER32.dll!DialogBoxParamA                                     7E43B144 5 Bytes  JMP 3E3E71FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text     C:\Program Files\Internet Explorer\iexplore.exe[1640] USER32.dll!MessageBoxExW                                       7E450838 5 Bytes  JMP 3E3E7062 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text     C:\Program Files\Internet Explorer\iexplore.exe[1640] USER32.dll!MessageBoxExA                                       7E45085C 5 Bytes  JMP 3E3E70C4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text     C:\Program Files\Internet Explorer\iexplore.exe[1640] USER32.dll!DialogBoxIndirectParamA                             7E456D7D 5 Bytes  JMP 3E3E72C2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text     C:\Program Files\Internet Explorer\iexplore.exe[1640] USER32.dll!MessageBoxIndirectW                                 7E4664D5 5 Bytes  JMP 3E3E7126 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text     C:\Program Files\Internet Explorer\iexplore.exe[1640] ws2_32.dll!WSALookupServiceNextW                               71AB3181 6 Bytes  JMP 71A20F5A
.text     C:\Program Files\Internet Explorer\iexplore.exe[1640] ws2_32.dll!WSALookupServiceEnd                                 71AB350E 6 Bytes  JMP 719F0F5A
.text     C:\Program Files\Internet Explorer\iexplore.exe[1640] ws2_32.dll!WSALookupServiceBeginW                              71AB35EF 6 Bytes  JMP 71AF0F5A
.text     C:\Program Files\Internet Explorer\iexplore.exe[1640] ws2_32.dll!send                                                71AB4C27 6 Bytes  JMP 719C0F5A
.text     C:\Program Files\Internet Explorer\iexplore.exe[1640] ws2_32.dll!WSARecv                                             71AB4CB5 6 Bytes  JMP 71930F5A
.text     C:\Program Files\Internet Explorer\iexplore.exe[1640] ws2_32.dll!recv                                                71AB676F 6 Bytes  JMP 71990F5A
.text     C:\Program Files\Internet Explorer\iexplore.exe[1640] ws2_32.dll!WSASend                                             71AB68FA 6 Bytes  JMP 71960F5A
.text     C:\Program Files\Internet Explorer\iexplore.exe[1640] ws2_32.dll!WSAGetOverlappedResult                              71AC0D1B 6 Bytes  JMP 71900F5A
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] kernel32.dll!LoadLibraryExW + C4                               7C801BB9 4 Bytes  CALL 00EC0001
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] ADVAPI32.dll!RegSetValueExW                                    77DDD767 6 Bytes  JMP 00F21581 C:\Program Files\Common Files\Spigot\Search Settings\wth156.dll (WTH Dynamic Link Library/Spigot, Inc.)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] ADVAPI32.dll!RegSetValueExA                                    77DDEAE7 7 Bytes  JMP 055B1C00 C:\Documents and Settings\Reynaldo Home\Local Settings\Application Data\uTorrentControl2\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] ADVAPI32.dll!RegSetValueA                                      77DFC79E 5 Bytes  JMP 055B1A80 C:\Documents and Settings\Reynaldo Home\Local Settings\Application Data\uTorrentControl2\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] ADVAPI32.dll!RegSetValueW                                      77E36116 6 Bytes  JMP 055B1B40 C:\Documents and Settings\Reynaldo Home\Local Settings\Application Data\uTorrentControl2\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!CreateDialogParamW                                  7E41EA3B 5 Bytes  JMP 055B1E90 C:\Documents and Settings\Reynaldo Home\Local Settings\Application Data\uTorrentControl2\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!DialogBoxParamW                                     7E4247AB 5 Bytes  JMP 055B21F0 C:\Documents and Settings\Reynaldo Home\Local Settings\Application Data\uTorrentControl2\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!SetWindowsHookExW                                   7E42820F 5 Bytes  JMP 3E2E9AB5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!CallNextHookEx                                      7E42B3C6 5 Bytes  JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!CreateWindowExW                                     7E42D0A3 5 Bytes  JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!UnhookWindowsHookEx                                 7E42D5F3 5 Bytes  JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!DialogBoxIndirectParamW                             7E432072 5 Bytes  JMP 3E3E725F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!MessageBoxIndirectA                                 7E43A082 5 Bytes  JMP 3E3E7191 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!DialogBoxParamA                                     7E43B144 5 Bytes  JMP 055B2100 C:\Documents and Settings\Reynaldo Home\Local Settings\Application Data\uTorrentControl2\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!CreateDialogParamA                                  7E43C7DB 5 Bytes  JMP 055B2010 C:\Documents and Settings\Reynaldo Home\Local Settings\Application Data\uTorrentControl2\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!MessageBoxA                                         7E4507EA 5 Bytes  JMP 055B2370 C:\Documents and Settings\Reynaldo Home\Local Settings\Application Data\uTorrentControl2\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!MessageBoxExW                                       7E450838 5 Bytes  JMP 3E3E7062 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!MessageBoxExA                                       7E45085C 5 Bytes  JMP 3E3E70C4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!DialogBoxIndirectParamA                             7E456D7D 5 Bytes  JMP 3E3E72C2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!TrackPopupMenu                                      7E46531E 5 Bytes  JMP 02FD1170 C:\Documents and Settings\Reynaldo Home\Local Settings\Application Data\uTorrentControl_v2\tbuTor.dll (Conduit Toolbar/Conduit Ltd.)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!MessageBoxIndirectW                                 7E4664D5 5 Bytes  JMP 3E3E7126 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!MessageBoxW                                         7E466534 5 Bytes  JMP 055B2450 C:\Documents and Settings\Reynaldo Home\Local Settings\Application Data\uTorrentControl2\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!TrackPopupMenuEx                                    7E46CF62 5 Bytes  JMP 02FD12D0 C:\Documents and Settings\Reynaldo Home\Local Settings\Application Data\uTorrentControl_v2\tbuTor.dll (Conduit Toolbar/Conduit Ltd.)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] ole32.dll!CoCreateInstance                                     774FF1BC 5 Bytes  JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] ole32.dll!OleLoadFromStream                                    7752983B 5 Bytes  JMP 3E3E75C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] WS2_32.dll!WSALookupServiceNextW                               71AB3181 6 Bytes  JMP 71A60F5A
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] WS2_32.dll!WSALookupServiceEnd                                 71AB350E 6 Bytes  JMP 71A30F5A
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] WS2_32.dll!WSALookupServiceBeginW                              71AB35EF 6 Bytes  JMP 71AF0F5A
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] WS2_32.dll!send                                                71AB4C27 6 Bytes  JMP 71A00F5A
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] WS2_32.dll!WSARecv                                             71AB4CB5 6 Bytes  JMP 71970F5A
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] WS2_32.dll!recv                                                71AB676F 6 Bytes  JMP 719D0F5A
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] WS2_32.dll!WSASend                                             71AB68FA 6 Bytes  JMP 719A0F5A
.text     C:\Program Files\Internet Explorer\iexplore.exe[2352] WS2_32.dll!WSAGetOverlappedResult                              71AC0D1B 6 Bytes  JMP 71940F5A

---- Kernel IAT/EAT - GMER 2.0 ----

IAT       \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint]                                                   8AE852D8
IAT       pci.sys[ntoskrnl.exe!IoDetachDevice]                                                                                 [F750FDDC] spqp.sys
IAT       pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack]                                                                    [F750FE30] spqp.sys
IAT       atapi.sys[HAL.dll!READ_PORT_UCHAR]                                                                                   [F74E5042] spqp.sys
IAT       atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]                                                                           [F74E513E] spqp.sys
IAT       atapi.sys[HAL.dll!READ_PORT_USHORT]                                                                                  [F74E50C0] spqp.sys
IAT       atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                                          [F74E5800] spqp.sys
IAT       atapi.sys[HAL.dll!WRITE_PORT_UCHAR]                                                                                  [F74E56D6] spqp.sys
IAT       \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint]                                                 8AA7A2D8
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!RtlInitUnicodeString]                                         8800001C
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!swprintf]                                                     001CBA86
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!KeSetEvent]                                                   C61AEB00
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoCreateSymbolicLink]                                         001C8986
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoGetConfigurationInformation]                                86C61200
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoDeleteSymbolicLink]                                         00001C8B
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!MmFreeMappingAddress]                                         96868801
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoFreeErrorLogEntry]                                          8800001C
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoDisconnectInterrupt]                                        001CB286
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!MmUnmapIoSpace]                                               88968B00
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!ObReferenceObjectByPointer]                                   8900001C
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IofCompleteRequest]                                           001CA496
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!RtlCompareUnicodeString]                                      C6168B00
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IofCallDriver]                                                001CC186
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!MmAllocateMappingAddress]                                     428A0A00
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry]                                      C286880C
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoConnectInterrupt]                                           8B00001C
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoDetachDevice]                                               24A48DFA
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!KeWaitForSingleObject]                                        00000000
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!KeInitializeEvent]                                            4B8BDF8B
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!KeCancelTimer]                                                8D3F0304
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString]                                 CB033043
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!RtlInitAnsiString]                                            0673C13B
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest]                                C13B0003
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoQueueWorkItem]                                              8366FA72
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!MmMapIoSpace]                                                 75000E7B
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations]                                  0B7D80E3
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoReportDetectedDevice]                                       307B8D00
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoReportResourceForDetection]                                 00AA840F
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize]                                  83660000
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!NlsMbCodePageTag]                                             6A000E7A
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!PoRequestPowerIrp]                                            C6647400
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue]                                     001CC386
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection]                             4F8B0200
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!sprintf]                                                      968D5140
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache]                                 00001C98
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!ObfDereferenceObject]                                         22F6E852
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference]                                 478B0000
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoInvalidateDeviceState]                                      50016A40
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!ZwClose]                                                      1CB48E8D
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!ObReferenceObjectByHandle]                                    E8510000
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!ZwCreateDirectoryObject]                                      000022E4
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest]                                 6A18538B
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!PoStartNextPowerIrp]                                          868D5200
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoCreateDevice]                                               00001CA0
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!RtlCopyUnicodeString]                                         22D2E850
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension]                              4B8B0000
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!RtlQueryRegistryValues]                                       51016A18
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!ZwOpenKey]                                                    1CBC968D
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!RtlFreeUnicodeString]                                         E8520000
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoStartTimer]                                                 000022C0
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!KeInitializeTimer]                                            8A05478A
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoInitializeTimer]                                            001CC38E
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!KeInitializeDpc]                                              30C48300
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!KeInitializeSpinLock]                                         1CC58688
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoInitializeIrp]                                              80E90000
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!ZwCreateKey]                                                  C6000000
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString]                               001CC386
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString]                                    438B0100
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!ZwSetValueKey]                                                8E8D5018
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!KeInsertQueueDpc]                                             00001C98
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel]                                 2292E851
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoStartPacket]                                                538B0000
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel]                               52016A18
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest]                                1CB4868D
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoFreeMdl]                                                    E8500000
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!MmUnlockPages]                                                00002280
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoWriteErrorLogEntry]                                         8A05478A
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue]                                     001CC38E
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping]                          18C48300
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!MmUnmapReservedMapping]                                       1CC58688
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!KeSynchronizeExecution]                                       43EB0000
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoStartNextPacket]                                            320C538A
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!KeBugCheckEx]                                                 88F93BC0
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!KeRemoveDeviceQueue]                                          001CC396
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!KeSetTimer]                                                   F6317300
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!_allmul]                                                      74070647
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!MmProbeAndLockPages]                                          75C0841A
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!_except_handler3]                                             05578A0B
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!PoSetPowerState]                                              968801B0
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey]                                      00001CC5
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!RtlWriteRegistryValue]                                        57B60F66
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!RtlDeleteRegistryValue]                                       533B6604
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!_aulldiv]                                                     03087408
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!strstr]                                                       72F93B3F
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!_strupr]                                                      8A09EBDA
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!KeQuerySystemTime]                                            86880547
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoWMIRegistrationControl]                                     00001CC5
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!KeTickCount]                                                  88084B8A
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack]                                  001CC68E
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoDeleteDevice]                                               40578B00
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!ExAllocatePoolWithTag]                                        8D52006A
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoAllocateWorkItem]                                           001CC886
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoAllocateIrp]                                                11E85000
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoAllocateMdl]                                                8B000022
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool]                                    001CC08E
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!MmLockPagableDataSection]                                     C4968B00
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoGetDriverObjectExtension]                                   8900001C
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!MmUnlockPagableImageSection]                                  001CCC8E
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!ExFreePoolWithTag]                                            D0968900
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoFreeIrp]                                                    8B00001C
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!IoFreeWorkItem]                                               016A4047
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!InitSafeBootMode]                                             D4C68150
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!RtlCompareMemory]                                             5600001C
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!PoCallDriver]                                                 0021E7E8
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!memmove]                                                      18C48300
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[ntoskrnl.exe!MmHighestUserAddress]                                         5D5B5E5F
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[HAL.dll!KfAcquireSpinLock]                                                 18C4830E
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[HAL.dll!READ_PORT_UCHAR]                                                   1C959E88
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[HAL.dll!KeGetCurrentIrql]                                                  9E880000
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[HAL.dll!KfRaiseIrql]                                                       00001CB1
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[HAL.dll!KfLowerIrql]                                                       0E798366
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[HAL.dll!HalGetInterruptVector]                                             74AAB000
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[HAL.dll!HalTranslateBusAddress]                                            8986C636
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[HAL.dll!KeStallExecutionProcessor]                                         1A00001C
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[HAL.dll!KfReleaseSpinLock]                                                 1C8B86C6
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[HAL.dll!READ_PORT_BUFFER_USHORT]                                           C6020000
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[HAL.dll!READ_PORT_USHORT]                                                  001C9686
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                          86C60200
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[HAL.dll!WRITE_PORT_UCHAR]                                                  00001CB2
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[WMILIB.SYS!WmiSystemControl]                                               8800001C
IAT       \SystemRoot\System32\Drivers\ahm8vdwy.SYS[WMILIB.SYS!WmiCompleteRequest]                                             001CB99E

---- User IAT/EAT - GMER 2.0 ----

IAT       C:\Program Files\Internet Explorer\iexplore.exe[2352] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW]  [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Registry - GMER 2.0 ----

Reg       HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm@start                                                              1
Reg       HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm@type                                                               1
Reg       HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm@group                                                              file system
Reg       HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm@imagepath                                                          \systemroot\system32\drivers\hjgruiufwysiee.sys
Reg       HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\main (not active ControlSet)                                       
Reg       HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\main@aid                                                           10081
Reg       HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\main@sid                                                           0
Reg       HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\main\delete (not active ControlSet)                                
Reg       HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\main\injector (not active ControlSet)                              
Reg       HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\main\injector@*                                                    hjgruiwsp.dll
Reg       HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\main\tasks (not active ControlSet)                                 
Reg       HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\modules (not active ControlSet)                                    
Reg       HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\modules@hjgruirk.sys                                               \systemroot\system32\drivers\hjgruiufwysiee.sys
Reg       HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\modules@hjgruicmd.dll                                              \systemroot\system32\hjgruipaudvnpy.dll
Reg       HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\modules@hjgruilog.dat                                              \systemroot\system32\hjgruimtnqllxb.dat
Reg       HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\modules@hjgruiwsp.dll                                              \systemroot\system32\hjgruifxrmafkx.dll
Reg       HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\modules@hjgrui.dat                                                 \systemroot\system32\hjgruioveoryru.dat
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                 
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                      C:\Program Files\DAEMON Tools Lite\
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                      0xD4 0xC3 0x97 0x02 ...
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                      0
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                   0xE9 0xA9 0xA1 0xB5 ...
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)        
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                             0x20 0x01 0x00 0x00 ...
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                          0x5A 0x0C 0xE8 0xDF ...
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)   
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                     0x27 0x62 0x4E 0xCC ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                                   771343423
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                                   285507792
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0                                                                   1
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                     
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                  C:\Program Files\DAEMON Tools Lite\
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                  0xD4 0xC3 0x97 0x02 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                  0
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                               0xE9 0xA9 0xA1 0xB5 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                            
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                         0x20 0x01 0x00 0x00 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                      0x5A 0x0C 0xE8 0xDF ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                       
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                 0x9C 0x8F 0x65 0x9E ...
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                 
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                      C:\Program Files\DAEMON Tools Lite\
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                      0xD4 0xC3 0x97 0x02 ...
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                      0
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                   0xE9 0xA9 0xA1 0xB5 ...
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)        
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                             0x20 0x01 0x00 0x00 ...
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                          0x5A 0x0C 0xE8 0xDF ...
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)   
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                     0x9C 0x8F 0x65 0x9E ...
Reg       HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk                                            0xA8 0xED 0xCB 0xC2 ...
Reg       HKLM\SOFTWARE\Classes\CLSID\{f85501a0-75e0-4ab8-ade6-d40b4832a06e}@Model                                             288
Reg       HKLM\SOFTWARE\Classes\CLSID\{f85501a0-75e0-4ab8-ade6-d40b4832a06e}@Therad                                            30
Reg       HKLM\SOFTWARE\Classes\CLSID\{f85501a0-75e0-4ab8-ade6-d40b4832a06e}@MData                                             0x2B 0x8F 0x78 0x29 ...

---- EOF - GMER 2.0 ----

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 08 February 2013 - 09:54 AM

Hi,

There is some interference from CD emulation. Could you please disable CD emulation as described here: http://www.bleepingcomputer.com/forums/t/293569/why-we-request-you-disable-cd-emulation-when-receiving-malware-removal-advice/, reboot and rerun GMER after that.

Regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+
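Triage logic for a GMER log of the kind posted above, as an added example that is not code from this thread, from GMER, or from the helper. It parses the Registry, Kernel code sections and SSDT sections of a GMER 2.0 text log and applies the checks an analyst makes by eye on that log: a service keyed with injector/modules subkeys whose ImagePath file name differs from the service name, a kernel-section line GMER could not open on disk, SSDT hooks counted per owning module, and the sptd (CD emulation) keys the helper asks to have disabled. The embedded sample log is constructed from a handful of lines of the posted log; the known-good hooker set is an assumption for illustration, not a verdict on the drivers named.

```python
"""Triage helper for GMER 2.0 text logs (added example, not GMER's or the poster's code).

Heuristics, mirroring what an analyst does by hand on a log like the one above:
  * a service with "main\\injector" or "modules" subkeys, or whose ImagePath file
    name differs from the service name, is reported as a suspected loader;
  * a "Kernel code sections" line starting with "?" ("cannot find the file") is a
    referenced driver GMER could not open on disk (hidden or already deleted);
  * SSDT hooks are counted per owning module so a known AV driver can be set aside;
  * "Services\\sptd\\Cfg" entries (SPTD, the DAEMON Tools CD-emulation driver) are
    reported as the noise the helper in the thread asked to have disabled.
"""
import re
from collections import defaultdict

# Constructed sample: a few representative lines copied from the posted log.
SAMPLE_LOG = r"""
---- System - GMER 2.0 ----

SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)   ZwCreateKey [0xA82AE1DD]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)   ZwLoadDriver [0xA828A162]

---- Kernel code sections - GMER 2.0 ----

?      C:\WINDOWS\system32\drivers\hsgpqk.sys    The system cannot find the file specified. !

---- Registry - GMER 2.0 ----

Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm@start    1
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm@imagepath    \systemroot\system32\drivers\hjgruiufwysiee.sys
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\main\injector (not active ControlSet)
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\main\injector@*    hjgruiwsp.dll
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\modules@hjgruicmd.dll    \systemroot\system32\hjgruipaudvnpy.dll
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1    771343423
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0    C:\Program Files\DAEMON Tools Lite\

---- EOF - GMER 2.0 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
COLS = re.compile(r"\s{2,}")  # columns are runs of 2+ spaces; paths keep their single spaces

# Assumption: which hooking drivers count as known-good is a per-machine decision;
# the avast sandbox driver from the log is listed purely for illustration.
KNOWN_GOOD_HOOKERS = {"aswsnx.sys"}


def parse_sections(text):
    """Return {section_name: [non-empty lines]} for a GMER text log."""
    sections, current = defaultdict(list), None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current:
            sections[current].append(line)
    return sections


def registry_entries(sections):
    """Yield (key_path, value_name, data) from 'Reg  <key>@<name>  <data>' lines."""
    for line in sections.get("Registry", []):
        cols = COLS.split(line)
        if len(cols) < 2 or cols[0] != "Reg":
            continue
        path = cols[1].replace(" (not active ControlSet)", "")
        key, _, name = path.partition("@")
        yield key, name.lower(), cols[2] if len(cols) > 2 else ""


def triage(text):
    """Run the heuristics over a GMER log and return the findings as a dict."""
    sections = parse_sections(text)
    findings = {"suspicious_services": [], "missing_drivers": [], "cd_emulation": False}

    # 1. Collect registry values per service, then look for loader-style layouts.
    services = defaultdict(dict)
    for key, name, data in registry_entries(sections):
        m = re.search(r"\\Services\\([^\\]+)(\\.*)?$", key)
        if not m:
            continue
        svc, subkey = m.group(1).lower(), (m.group(2) or "").lower()
        if svc == "sptd":                      # SPTD = CD-emulation driver, noise here
            findings["cd_emulation"] = True
            continue
        services[svc][subkey + "@" + name] = data
    for svc, values in services.items():
        reasons = []
        if any(k.startswith(("\\main\\injector", "\\modules")) for k in values):
            reasons.append("injector/modules subkeys")
        stem = values.get("@imagepath", "").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if stem and stem != svc:               # a lead, not proof: benign drivers differ too
            reasons.append("imagepath file name differs from service name")
        if reasons:
            findings["suspicious_services"].append((svc, reasons))

    # 2. Drivers GMER saw referenced but could not open on disk.
    for line in sections.get("Kernel code sections", []):
        if line.startswith("?") and "cannot find the file" in line:
            findings["missing_drivers"].append(COLS.split(line)[1])

    # 3. SSDT hooks per owning module, with the known-good set counted separately.
    counts = defaultdict(int)
    for line in sections.get("System", []):
        cols = COLS.split(line)
        if cols[0] == "SSDT":
            counts[cols[1].split(" ", 1)[0].rsplit("\\", 1)[-1].lower()] += 1
    findings["ssdt_hookers"] = {m: n for m, n in counts.items() if m not in KNOWN_GOOD_HOOKERS}
    findings["known_good_hooks"] = sum(n for m, n in counts.items() if m in KNOWN_GOOD_HOOKERS)
    return findings


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Run it as-is to see the findings for the embedded sample, or replace `SAMPLE_LOG` with the text of a saved GMER log. On the sample it reports the hjgrui* service for both reasons, the driver GMER could not open, no SSDT hooker outside the assumed known-good set, and the presence of the sptd keys, which is exactly why the helper asks for CD emulation to be disabled before trusting the rest of the scan. The name-mismatch check is deliberately reported as a reason rather than acted on, since legitimate services sometimes load a differently named image.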


#5 Jai Reh

Jai Reh
  • Topic Starter

  • Members
  • 11 posts

Posted 08 February 2013 - 06:20 PM

Hi myrti,

I have done what you said and here are the GMER logs:

GMER 2.0.18454 - http://www.gmer.net
Rootkit scan 2013-02-09 07:19:07
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 ST3320613AS rev.SD22 298.09GB
Running: yrty5hjb.exe; Driver: C:\DOCUME~1\REYNAL~1\LOCALS~1\Temp\ugrdapob.sys


---- System - GMER 2.0 ----

SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwAddBootEntry [0xA828A374]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwClose [0xA82AE829]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwCreateEvent [0xA828C996]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwCreateEventPair [0xA828C9EE]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwCreateIoCompletion [0xA828CB04]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwCreateKey [0xA82AE1DD]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwCreateMutant [0xA828C8EC]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwCreateSection [0xA828CA3E]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwCreateSemaphore [0xA828C940]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwCreateTimer [0xA828CAB2]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwDeleteBootEntry [0xA828A398]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwDeleteKey [0xA82AEEEF]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwDeleteValueKey [0xA82AF1A5]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwDuplicateObject [0xA828CD88]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwEnumerateKey [0xA82AED5A]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwEnumerateValueKey [0xA82AEBC5]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwLoadDriver [0xA828A162]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwModifyBootEntry [0xA828A3BC]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwNotifyChangeKey [0xA828CEFC]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwNotifyChangeMultipleKeys [0xA828AE54]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwOpenEvent [0xA828C9C6]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwOpenEventPair [0xA828CA16]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwOpenIoCompletion [0xA828CB2E]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwOpenKey [0xA82AE539]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwOpenMutant [0xA828C918]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwOpenProcess [0xA828CBC0]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwOpenSection [0xA828CA7E]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwOpenSemaphore [0xA828C96E]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwOpenThread [0xA828CCA4]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwOpenTimer [0xA828CADC]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwQueryKey [0xA82AEA40]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwQueryObject [0xA828AD1A]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwQueryValueKey [0xA82AE892]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwRestoreKey [0xA82AD850]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwSetBootEntryOrder [0xA828A3E0]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwSetBootOptions [0xA828A404]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwSetSystemInformation [0xA828A1BC]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwSetSystemPowerState [0xA828A2F8]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwSetValueKey [0xA82AEFF6]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwShutdownSystem [0xA828A2D4]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwSystemDebugControl [0xA828A31C]
SSDT   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                               ZwVdmControl [0xA828A428]

---- Kernel code sections - GMER 2.0 ----

.text  ntoskrnl.exe!ZwYieldExecution + DA                                                                                  804E4934 4 Bytes  CALL E9F9F163
.text  ntoskrnl.exe!ZwYieldExecution + 2F6                                                                                 804E4B50 4 Bytes  [40, EA, 2A, A8]
.text  ntoskrnl.exe!ZwYieldExecution + 33A                                                                                 804E4B94 4 Bytes  [92, E8, 2A, A8]
PAGE   ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC                                                                         80576705 4 Bytes  CALL A828B4AF \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngFreeUserMem + 674                                                                                     BF80991D 5 Bytes  JMP A828DE48 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngDeleteSurface + 45                                                                                    BF813911 5 Bytes  JMP A828DD54 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngSetLastError + 79A8                                                                                   BF8240DB 5 Bytes  JMP A828D0DA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngCreateBitmap + F9C                                                                                    BF828A45 2 Bytes  JMP A828DFB2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngCreateBitmap + F9F                                                                                    BF828A48 2 Bytes  [A6, E8]
.text  win32k.sys!EngUnmapFontFileFD + 2C50                                                                                BF831490 5 Bytes  JMP A828E1BA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngUnmapFontFileFD + B687                                                                                BF839EC7 5 Bytes  JMP A828DCC4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!FONTOBJ_pxoGetXform + C2CF                                                                               BF85176B 5 Bytes  JMP A828D016 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!XLATEOBJ_iXlate + 3581                                                                                   BF85E304 5 Bytes  JMP A828D326 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!XLATEOBJ_iXlate + 360C                                                                                   BF85E38F 5 Bytes  JMP A828D4CC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngCreatePalette + 88                                                                                    BF85F600 5 Bytes  JMP A828CFFE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngCreatePalette + 5466                                                                                  BF8649DE 5 Bytes  JMP A828DD7E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngGetCurrentCodePage + 418E                                                                             BF873D6B 5 Bytes  JMP A828D4A4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngGradientFill + 26EE                                                                                   BF894410 5 Bytes  JMP A828DEFA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngStretchBltROP + 583                                                                                   BF894EE8 5 Bytes  JMP A828E118 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngCopyBits + 4DF7                                                                                       BF89D833 5 Bytes  JMP A828D14A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngEraseSurface + A977                                                                                   BF8C1CCC 5 Bytes  JMP A828D1E4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngFillPath + 1517                                                                                       BF8CA15D 5 Bytes  JMP A828D254 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngFillPath + 1797                                                                                       BF8CA3DD 5 Bytes  JMP A828D28E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngDeleteSemaphore + 3B2E                                                                                BF8EBD71 5 Bytes  JMP A828CF32 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngCreateClip + 1A40                                                                                     BF914401 5 Bytes  JMP A828D096 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngCreateClip + 2614                                                                                     BF914FD5 5 Bytes  JMP A828D1AE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngCreateClip + 4F8D                                                                                     BF91794E 5 Bytes  JMP A828D5E6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngPlgBlt + 1934                                                                                         BF947AAD 5 Bytes  JMP A828E070 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
?      C:\WINDOWS\system32\drivers\hsgpqk.sys                                                                              The system cannot find the file specified. !

---- User code sections - GMER 2.0 ----

.text  C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!LdrLoadDll                                             7C91632D 5 Bytes  JMP 0116B52A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3668] kernel32.dll!LoadLibraryExW + C4                                 7C801BB9 4 Bytes  CALL 02760001
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3668] kernel32.dll!lstrlenW + 43                                       7C809AEC 7 Bytes  JMP 0141B6F5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3668] kernel32.dll!MapViewOfFileEx + 6A                                7C80B9A0 7 Bytes  JMP 0141B6D2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3668] kernel32.dll!MoveFileExW                                         7C81473B 6 Bytes  JMP 027C1485 C:\Program Files\Common Files\Spigot\Search Settings\wth156.dll (WTH Dynamic Link Library/Spigot, Inc.)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3668] GDI32.dll!SetDIBitsToDevice + 20A                                77F19E14 7 Bytes  JMP 0141B653 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3668] WS2_32.dll!WSALookupServiceNextW                                 71AB3181 6 Bytes  JMP 71A50F5A
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3668] WS2_32.dll!WSALookupServiceEnd                                   71AB350E 6 Bytes  JMP 71A20F5A
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3668] WS2_32.dll!WSALookupServiceBeginW                                71AB35EF 6 Bytes  JMP 71AF0F5A
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3668] WS2_32.dll!send                                                  71AB4C27 6 Bytes  JMP 719F0F5A
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3668] WS2_32.dll!WSARecv                                               71AB4CB5 6 Bytes  JMP 71960F5A
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3668] WS2_32.dll!recv                                                  71AB676F 6 Bytes  JMP 719C0F5A
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3668] WS2_32.dll!WSASend                                               71AB68FA 6 Bytes  JMP 71990F5A
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3668] WS2_32.dll!WSAGetOverlappedResult                                71AC0D1B 6 Bytes  JMP 71930F5A

---- Registry - GMER 2.0 ----

Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm@start                                                             1
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm@type                                                              1
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm@group                                                             file system
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm@imagepath                                                         \systemroot\system32\drivers\hjgruiufwysiee.sys
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\main (not active ControlSet)                                      
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\main@aid                                                          10081
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\main@sid                                                          0
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\main\delete (not active ControlSet)                               
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\main\injector (not active ControlSet)                             
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\main\injector@*                                                   hjgruiwsp.dll
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\main\tasks (not active ControlSet)                                
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\modules (not active ControlSet)                                   
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\modules@hjgruirk.sys                                              \systemroot\system32\drivers\hjgruiufwysiee.sys
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\modules@hjgruicmd.dll                                             \systemroot\system32\hjgruipaudvnpy.dll
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\modules@hjgruilog.dat                                             \systemroot\system32\hjgruimtnqllxb.dat
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\modules@hjgruiwsp.dll                                             \systemroot\system32\hjgruifxrmafkx.dll
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\modules@hjgrui.dat                                                \systemroot\system32\hjgruioveoryru.dat
Reg    HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                
Reg    HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     C:\Program Files\DAEMON Tools Lite\
Reg    HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                     0xD4 0xC3 0x97 0x02 ...
Reg    HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     0
Reg    HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0xE9 0xA9 0xA1 0xB5 ...
Reg    HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       
Reg    HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg    HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0x5A 0x0C 0xE8 0xDF ...
Reg    HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  
Reg    HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0x27 0x62 0x4E 0xCC ...
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                    
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                 C:\Program Files\DAEMON Tools Lite\
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                 0xD4 0xC3 0x97 0x02 ...
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                 0
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                              0xE9 0xA9 0xA1 0xB5 ...
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                           
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                        0x20 0x01 0x00 0x00 ...
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                     0x5A 0x0C 0xE8 0xDF ...
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                      
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                0x9C 0x8F 0x65 0x9E ...
Reg    HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                
Reg    HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     C:\Program Files\DAEMON Tools Lite\
Reg    HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                     0xD4 0xC3 0x97 0x02 ...
Reg    HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     0
Reg    HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0xE9 0xA9 0xA1 0xB5 ...
Reg    HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       
Reg    HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg    HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0x5A 0x0C 0xE8 0xDF ...
Reg    HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  
Reg    HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0x9C 0x8F 0x65 0x9E ...
Reg    HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk                                           0xA8 0xED 0xCB 0xC2 ...
Reg    HKLM\SOFTWARE\Classes\CLSID\{f85501a0-75e0-4ab8-ade6-d40b4832a06e}@Model                                            288
Reg    HKLM\SOFTWARE\Classes\CLSID\{f85501a0-75e0-4ab8-ade6-d40b4832a06e}@Therad                                           30
Reg    HKLM\SOFTWARE\Classes\CLSID\{f85501a0-75e0-4ab8-ade6-d40b4832a06e}@MData                                            0x2B 0x8F 0x78 0x29 ...

---- EOF - GMER 2.0 ----
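The GMER log above is what a helper reads by hand: the ".text" lines are inline hooks in a running process, and the "Reg" lines are keys GMER could read that the system itself was hiding. As an added example (not code from this thread, from GMER, or from BleepingComputer), the Python below parses those two blocks and reports what a triage would note first: hooks whose jump target GMER could not attribute to any module, and the on-disk files referenced by each service key, including the alias-to-path map the hidden service keeps under its "modules" key. GMER's column layout is an assumption inferred from the posted log; the sample lines are copied from the log above with their column padding shortened.

```python
"""Triage helpers for GMER 2.0 text logs (added example, not part of the thread)."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER log posted in this thread,
# with column padding shortened (the parser only relies on whitespace separation).
SAMPLE_LOG = r"""---- User code sections - GMER 2.0 ----

.text  C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!LdrLoadDll   7C91632D 5 Bytes  JMP 0116B52A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3668] kernel32.dll!MoveFileExW   7C81473B 6 Bytes  JMP 027C1485 C:\Program Files\Common Files\Spigot\Search Settings\wth156.dll (WTH Dynamic Link Library/Spigot, Inc.)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3668] WS2_32.dll!send   71AB4C27 6 Bytes  JMP 719F0F5A
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3668] WS2_32.dll!recv   71AB676F 6 Bytes  JMP 719C0F5A

---- Registry - GMER 2.0 ----

Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm@start   1
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm@imagepath   \systemroot\system32\drivers\hjgruiufwysiee.sys
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\main (not active ControlSet)
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\main\injector@*   hjgruiwsp.dll
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\modules@hjgruirk.sys   \systemroot\system32\drivers\hjgruiufwysiee.sys
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\modules@hjgruicmd.dll   \systemroot\system32\hjgruipaudvnpy.dll
Reg    HKLM\SYSTEM\ControlSet001\Services\hjgruiirxrkibm\modules@hjgruiwsp.dll   \systemroot\system32\hjgruifxrmafkx.dll
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0   0

---- EOF - GMER 2.0 ----
"""

# Assumed layout of a '.text' line: process[pid], module!symbol[ + offset],
# address, patch size, JMP/CALL target and, when GMER could resolve it, the
# target module path followed by the vendor in parentheses.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+"
    r"(?P<symbol>\S+(?: \+ [0-9A-F]+)?)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+) Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<module>.+?)\s+\((?P<vendor>[^()]+)\))?\s*$"
)
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)", re.IGNORECASE)
FILE_RE = re.compile(r"\.(?:sys|dll|dat|exe)$", re.IGNORECASE)


def parse_hooks(lines):
    """One dict per '.text' inline-hook line (process, symbol, target, module, vendor)."""
    return [m.groupdict() for m in map(HOOK_RE.match, lines) if m]


def unattributed_hooks(hooks):
    """Hooks whose JMP/CALL target GMER could not map to any loaded module.
    Hooks placed by a browser, an AV product or a toolbar normally carry a
    module path and vendor, so these are the ones to look at first."""
    return [h for h in hooks if h["module"] is None]


def parse_reg(lines):
    """(key, value_name, data) triples for 'Reg' lines. GMER writes the value
    name after '@' and flags keys from inactive control sets in the data column."""
    entries = []
    for line in lines:
        if not line.startswith("Reg "):
            continue
        parts = line.split(None, 2)
        key = parts[1]
        data = parts[2].strip() if len(parts) > 2 else ""
        if data.startswith("(not active"):
            data = ""
        value = None
        if "@" in key:
            key, value = key.split("@", 1)
        entries.append((key, value, data))
    return entries


def service_components(entries):
    """Group entries by service name; collect the on-disk files each service
    references and the alias -> path map stored under its 'modules' subkey."""
    services = defaultdict(lambda: {"image_path": None, "components": set(), "aliases": {}})
    for key, value, data in entries:
        m = SERVICE_RE.search(key)
        if not m:
            continue
        svc = services[m.group(1).lower()]
        if value and value.lower() == "imagepath":
            svc["image_path"] = data
        if "\\" in data and FILE_RE.search(data):
            svc["components"].add(data)
        if value and key.lower().endswith("\\modules"):
            svc["aliases"][value.lower()] = data
    return dict(services)


def triage(text):
    """Run both passes over a whole GMER log and return the findings."""
    lines = text.splitlines()
    return {"unattributed_hooks": unattributed_hooks(parse_hooks(lines)),
            "services": service_components(parse_reg(lines))}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for h in result["unattributed_hooks"]:
        print(f"unattributed hook: {h['symbol']} -> {h['kind']} {h['target']} in {h['proc']}")
    for name, svc in result["services"].items():
        print(f"service {name}: image={svc['image_path']} files={sorted(svc['components'])}")
```

Run against a full saved log, the script gives a helper the list of files a removal has to account for (here the driver, the two DLLs and the DAT files named under the hidden service) and shows how the injector's alias "hjgruiwsp.dll" resolves to a differently named DLL on disk. The DAEMON Tools sptd entry comes out with no image path and no components, which is what you expect from a legitimate driver's configuration key.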
 



#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:08 AM

Posted 08 February 2013 - 07:24 PM

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link
     
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
 


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

 


is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#7 Jai Reh

Jai Reh
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:08 AM

Posted 08 February 2013 - 08:33 PM

hi myrti,

thanks again for replying,

here's the ComboFix log:

 

ComboFix 13-02-07.02 - Reynaldo Home 02/09/2013   8:46.3.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2038.1105 [GMT 8:00]
Running from: c:\documents and settings\Reynaldo Home\Desktop\Download\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Antivirus *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\GarenaHoN_3000008.exe
c:\windows\system32\Cache
c:\windows\system32\Cache\20f2b6a93fd2e469.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
c:\windows\XSxS
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AMSINT32
-------\Service_amsint32
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-09 to 2013-02-09  )))))))))))))))))))))))))))))))
.
.
2013-02-08 05:22 . 2013-02-08 05:22    --------    d-----w-    c:\documents and settings\Reynaldo Home\Application Data\Garena
2013-01-25 05:18 . 2013-02-03 11:23    --------    d-----w-    C:\disk d
2013-01-21 06:14 . 2013-01-21 06:14    --------    d-----w-    C:\found.000
2013-01-13 11:53 . 2013-01-13 11:53    --------    d-----w-    c:\documents and settings\Reynaldo Home\Application Data\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2013-01-13 09:37 . 2013-01-13 09:37    --------    d-----w-    c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe
2013-01-13 08:20 . 2013-01-13 08:21    --------    d-----w-    c:\program files\Adobe Flash Pro CS5.5
2013-01-12 08:02 . 2013-01-12 08:02    --------    d-----w-    c:\documents and settings\Reynaldo Home\Local Settings\Application Data\NetBeans
2013-01-12 08:02 . 2013-01-12 08:02    --------    d-----w-    c:\documents and settings\Reynaldo Home\Application Data\NetBeans
2013-01-12 07:46 . 2013-01-12 07:50    --------    d-----w-    c:\program files\glassfish-3.1.2.2
2013-01-12 07:25 . 2013-01-12 08:02    --------    d-----w-    c:\program files\NetBeans 7.2.1
2013-01-12 07:20 . 2013-01-12 07:56    --------    d-----w-    c:\documents and settings\Reynaldo Home\.nbi
2013-01-11 11:57 . 2013-01-11 11:57    114688    ----a-r-    c:\documents and settings\Reynaldo Home\Application Data\Microsoft\Installer\{885A63EA-382B-4DD4-A755-14809B8557D6}\ARPPRODUCTICON.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-23 08:29 . 2012-09-04 05:30    31576    ----a-w-    c:\windows\system32\drivers\avgtpx86.sys
2012-12-16 12:23 . 2008-04-14 12:00    290560    ----a-w-    c:\windows\system32\atmfd.dll
2012-12-14 08:49 . 2011-12-09 06:50    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
2012-11-13 01:25 . 2008-04-14 12:00    1866368    ----a-w-    c:\windows\system32\win32k.sys
2011-10-01 15:36 . 2011-10-01 15:22    34884718    ----a-w-    c:\program files\iTunes.lnk.exe
2004-07-08 20:08 . 2004-07-08 20:08    538112    ----a-w-    c:\program files\dxsetup.exe
2012-10-16 23:11 . 2012-10-16 23:11    136672    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
2006-01-02 09:01 . 2010-10-25 22:29    53248    ----a-w-    c:\program files\mozilla firefox\components\GigagetComponent.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 12:00 . 5652F6CE1D9E9D8068B9D29BC21B5409 . 84992 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\olepro32.dll
[-] 1999-03-08 09:00 . CE0155405EA902797E88B92A78443AEB . 164112 . . [5.0.4275] . . c:\windows\system32\olepro32.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{687578b9-7132-4a7a-80e4-30ee31099e03}]
2011-05-09 09:49    176936    ----a-w-    c:\program files\uTorrentControl2\prxtbuTo0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{7473b6bd-4691-4744-a82b-7854eb3d70b6}]
2011-05-09 09:49    176936    ----a-w-    c:\program files\uTorrentControl_v2\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2013-01-23 08:29    1883824    ----a-w-    c:\program files\AVG Secure Search\14.0.2.14\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{E87806B5-E908-45FD-AF5E-957D83E58E68}]
2012-05-29 07:05    244840    ----a-w-    c:\program files\Softonic\Softonic\1.5.24.3\bh\Softonic.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\14.0.2.14\AVG Secure Search_toolbar.dll" [2013-01-23 1883824]
"{687578b9-7132-4a7a-80e4-30ee31099e03}"= "c:\program files\uTorrentControl2\prxtbuTo0.dll" [2011-05-09 176936]
"{7473b6bd-4691-4744-a82b-7854eb3d70b6}"= "c:\program files\uTorrentControl_v2\prxtbuTor.dll" [2011-05-09 176936]
"{5018CFD2-804D-4C99-9F81-25EAEA2769DE}"= "c:\program files\Softonic\Softonic\1.5.24.3\SoftonicTlbr.dll" [2012-05-29 253032]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
.
[HKEY_CLASSES_ROOT\clsid\{7473b6bd-4691-4744-a82b-7854eb3d70b6}]
.
[HKEY_CLASSES_ROOT\clsid\{5018cfd2-804d-4c99-9f81-25eaea2769de}]
[HKEY_CLASSES_ROOT\Softonic.dskBnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]
[HKEY_CLASSES_ROOT\Softonic.dskBnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{687578B9-7132-4A7A-80E4-30EE31099E03}"= "c:\program files\uTorrentControl2\prxtbuTo0.dll" [2011-05-09 176936]
"{7473B6BD-4691-4744-A82B-7854EB3D70B6}"= "c:\program files\uTorrentControl_v2\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
.
[HKEY_CLASSES_ROOT\clsid\{7473b6bd-4691-4744-a82b-7854eb3d70b6}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45    122512    ----a-w-    c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]
@="{CC5FC992-B0AA-47CD-9DC2-83445083CBB8}"
[HKEY_CLASSES_ROOT\CLSID\{CC5FC992-B0AA-47CD-9DC2-83445083CBB8}]
2012-01-18 02:25    1476448    ----a-w-    c:\program files\ASUS\ASUS WebStorage\3.0.130.270\AsusWSShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]
@="{618A47A2-528B-4D9A-AFC8-97D3233511E2}"
[HKEY_CLASSES_ROOT\CLSID\{618A47A2-528B-4D9A-AFC8-97D3233511E2}]
2012-01-18 02:25    1476448    ----a-w-    c:\program files\ASUS\ASUS WebStorage\3.0.130.270\AsusWSShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_U]
@="{1C5AB7B1-0B38-4EC4-9093-7FD277E2AF4D}"
[HKEY_CLASSES_ROOT\CLSID\{1C5AB7B1-0B38-4EC4-9093-7FD277E2AF4D}]
2012-01-18 02:25    1476448    ----a-w-    c:\program files\ASUS\ASUS WebStorage\3.0.130.270\AsusWSShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-12-27 3271056]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17498800]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB Antivirus"="c:\program files\USB Disk Security\USBGuard.exe" [2008-09-23 11939840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Anti-phishing Domain Advisor"="c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2011-12-21 1320616]
"ASUSWebStorage"="c:\program files\ASUS\ASUS WebStorage\3.0.130.270\AsusWSPanel.exe" [2012-01-18 740192]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2013-01-23 1101488]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2010-08-11 42166896]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 3553136]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-03 288040]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 322480]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2012-11-28 1123720]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-11 1597088]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.189\SSScheduler.exe [2010-9-3 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"Shell"= explorer.exe,c:\documents and settings\Reynaldo Home\Application Data\Mhzizu.exe
"EnableLUA"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher S.lnk]
backup=c:\windows\pss\Exif Launcher S.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Reynaldo Home^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoMe1]
2008-05-08 11:24    155648    ----a-w-    c:\windows\system32\wscript.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00    15360    ------w-    c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
2011-09-05 20:46    161336    ----a-w-    c:\program files\Google\Google Updater\GoogleUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 10:36    30040    ----a-w-    c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2010-08-11 03:31    42166896    ----a-w-    c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-04-17 08:03    170520    ----a-r-    c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 08:24    124472    -c--a-w-    c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-04-17 08:03    150040    ----a-r-    c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-13 21:42    1695232    ------w-    c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-04-17 08:03    141848    ----a-r-    c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 09:38    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings]
2012-11-28 08:41    1123720    ----a-w-    c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2012-12-27 05:27    3271056    ----a-w-    c:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"d:\\Jai Reh\\Half-Life\\hl.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\USB Disk Security\\USBGuard.exe"=
"d:\\Jai Reh\\Age of Empires 2\\empires2.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\PowerISO\\PWRISOVM.EXE"=
"c:\\Program Files\\AutoCAD 2008\\acad.exe"=
"c:\\Program Files\\Corel\\CorelDRAW Graphics Suite X5\\Programs\\CORELPP.EXE"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbamgui.exe"=
"c:\\Program Files\\McAfee Security Scan\\2.0.189\\SSScheduler.exe"=
"c:\\Program Files\\VIA\\VIAudioi\\HDADeck\\HDeck.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Anti-phishing Domain Advisor\\visicom_antiphishing.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqbam08.exe"=
"c:\\Program Files\\Common Files\\Spigot\\Search Settings\\SearchSettings.exe"=
"c:\\Program Files\\Yahoo!\\SoftwareUpdate\\YahooAUService.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgl.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Malwarebytes\\Malwarebytes' Anti-Malware\\mbam-setup.exe"=
"d:\\Jai Reh\\RF Olympic\\RF_Online.bin"=
"d:\\Jai Reh\\RF Olympic\\HSUser.exe"=
"c:\\WINDOWS\\system32\\igfxcfg.exe"=
"c:\\Program Files\\Bobabo\\Media Converter\\MediaConverter.exe"=
"c:\\Program Files\\YouTube Downloader\\ffmpeg.exe"=
"c:\\PROGRA~1\\YOUTUB~1\\FFMPEG.EXE"=
"c:\\Program Files\\DivX\\DivX Plus Player\\DivX Plus Player.exe"=
"c:\\Program Files\\AVG Secure Search\\vprot.exe"=
"c:\\Program Files\\DivX\\DivX Update\\DivXUpdate.exe"=
"c:\\PROGRA~1\\MICROS~2\\Office12\\OIS.EXE"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\Program Files\\Corel\\CorelDRAW Graphics Suite X5\\Setup\\SetupARP.exe"=
"c:\\Program Files\\Corel\\CorelDRAW Graphics Suite X4\\Setup\\SetupARP.exe"=
"c:\\WINDOWS\\system32\\drwtsn32.exe"=
"c:\\WINDOWS\\system32\\MSSWCHX.EXE"=
"c:\\Program Files\\CyberLink\\PowerDirector\\MUITransfer\\MUIStartMenu.exe"=
"c:\\WINDOWS\\system32\\igfxsrvc.exe"=
"c:\\Documents and Settings\\Reynaldo Home\\Desktop\\Download\\Defogger.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [9/29/2011 8:47 AM 442200]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [9/4/2012 1:30 PM 31576]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [11/28/2012 4:34 PM 793600]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/22/2012 11:05 PM 398184]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/21/2009 2:19 AM 50704]
R2 SplashtopRemoteService;Splashtop® Remote Service;c:\program files\Splashtop\Splashtop Remote\Server\SRService.exe [11/10/2011 10:51 AM 520040]
R2 SSUService;Splashtop Software Updater Service;c:\program files\Splashtop\Splashtop Software Updater\SSUService.exe [11/10/2011 2:04 PM 370504]
R2 vToolbarUpdater14.0.1;vToolbarUpdater14.0.1;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\14.0.1\ToolbarUpdater.exe [1/23/2013 4:30 PM 945328]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/9/2011 2:50 PM 21104]
R3 SRS_HDAL_Service;HD Audio Lab;c:\windows\system32\drivers\SRS_HDAL_i386.sys [8/30/2011 10:00 PM 390944]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [8/30/2009 10:26 AM 2127728]
S0 rtjif;rtjif;c:\windows\system32\drivers\bqph.sys --> c:\windows\system32\drivers\bqph.sys [?]
S2 aozgkerw;Microsoft System Management BIOS Monitor;c:\windows\System32\svchost.exe -k netsvcs [4/14/2008 8:00 PM 14336]
S2 chrofu;Monitor Shell;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 8:00 PM 14336]
S2 decatj;Microsoft Installer;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 8:00 PM 14336]
S2 gheuajfaq;Shell Config;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 8:00 PM 14336]
S2 lvtkhthl;Config Microsoft;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 8:00 PM 14336]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/9/2011 2:50 PM 682344]
S2 ncodhzcg;System Microsoft;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 8:00 PM 14336]
S2 nurgrhmdn;Driver Center;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 8:00 PM 14336]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 2:14 PM 160944]
S2 ssyqpqz;Time Image;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 8:00 PM 14336]
S2 zfzmlhulc;Helper Time;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 8:00 PM 14336]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\REYNAL~1\LOCALS~1\Temp\XHS9.tmp --> c:\docume~1\REYNAL~1\LOCALS~1\Temp\XHS9.tmp [?]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [9/29/2011 3:04 PM 21632]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.189\McCHSvc.exe [9/3/2010 4:18 AM 227232]
S3 NLNdisMP;NLNdisMP;c:\windows\system32\DRIVERS\nlndis.sys --> c:\windows\system32\DRIVERS\nlndis.sys [?]
S3 NLNdisPT;NetLimiter Ndis Protocol Service;c:\windows\system32\DRIVERS\nlndis.sys --> c:\windows\system32\DRIVERS\nlndis.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [8/18/2012 12:37 PM 27064]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 XDva337;XDva337;\??\c:\windows\system32\XDva337.sys --> c:\windows\system32\XDva337.sys [?]
S3 XDva344;XDva344;\??\c:\windows\system32\XDva344.sys --> c:\windows\system32\XDva344.sys [?]
S4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/17/2011 3:59 PM 20568]
S4 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/17/2011 3:59 PM 320856]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/1/2010 4:01 PM 691696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
aozgkerw
gheuajfaq
ssyqpqz
zfzmlhulc
chrofu
decatj
ncodhzcg
nurgrhmdn
lvtkhthl
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-03-22 20:46]
.
2013-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-22 06:52]
.
2013-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-22 06:52]
.
2013-02-09 c:\windows\Tasks\ROC_JAN2013_TB_rmv.job
- c:\program files\AVG Secure Search\PostInstall\ROC.exe [2013-01-23 08:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3072253
mStart Page = hxxp://home.sweetim.com/?barid={99F357B5-E828-11E0-94D2-002197964227}
uInternet Settings,ProxyServer = 116.48.147.1:3128
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13157&gct=&gc=1&q=%s
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\14.0.1\ViProtocol.dll
FF - ProfilePath - c:\documents and settings\Reynaldo Home\Application Data\Mozilla\Firefox\Profiles\61esoj9c.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3220468&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3220468&SearchSource=2&q=
FF - ExtSQL: !HIDDEN! 2009-09-02 23:14; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - ExtSQL: !HIDDEN! 2009-12-20 18:12; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: extensions.Softonic.rvrtMsg - Click Yes to keep current home page and default search settings, Click No to restore original settings
FF - user.js: extensions.Softonic_i.hmpg - true
FF - user.js: extensions.Softonic.hmpgUrl - hxxp://search.softonic.com/MON00006/tb_v1?SearchSource=13&cc=
FF - user.js: extensions.Softonic.hpOld - hxxp://search.conduit.com/?ctid=CT3072253&SearchSource=13
FF - user.js: extensions.Softonic.hpNew - hxxp://search.softonic.com/MON00006/tb_v1?SearchSource=13&cc=
FF - user.js: extensions.Softonic.dfltSrch - true
FF - user.js: extensions.Softonic.srchPrvdr - Search the web (Softonic)
FF - user.js: extensions.Softonic.keyWordUrl - hxxp://search.softonic.com/MON00006/tb_v1?SearchSource=2&cc=&q=
FF - user.js: extensions.Softonic.dspOld - uTorrentControl2 Customized Web Search
FF - user.js: extensions.Softonic.dspNew - Search the web (Softonic)
FF - user.js: extensions.Softonic_i.dnsErr - true
FF - user.js: extensions.Softonic.newTabUrl - hxxp://search.softonic.com/MON00006/tb_v1?SearchSource=15&cc=
FF - user.js: extensions.Softonic.autoRvrt - false
FF - user.js: extensions.Softonic_i.newTab - false
FF - user.js: extensions.Softonic.tlbrSrchUrl - hxxp://search.softonic.com/MON00001/tb_v1?SearchSource=1&cc=&q=
FF - user.js: extensions.Softonic.id - 3c9b550c000000000000002197964227
FF - user.js: extensions.Softonic.instlDay - 15635
FF - user.js: extensions.Softonic.vrsn - 1.5.24.3
FF - user.js: extensions.Softonic.vrsni - 1.5.24.3
FF - user.js: extensions.Softonic_i.vrsnTs - 1.5.24.38:17
FF - user.js: extensions.Softonic.prtnrId - softonic
FF - user.js: extensions.Softonic.prdct - Softonic
FF - user.js: extensions.Softonic.aflt - orgnl
FF - user.js: extensions.Softonic_i.smplGrp - none
FF - user.js: extensions.Softonic.tlbrId - base
FF - user.js: extensions.Softonic.instlRef - MON00001
FF - user.js: extensions.Softonic.dfltLng -
FF - user.js: extensions.Softonic.excTlbr - false
FF - user.js: extensions.Softonic.admin - false
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{F3FEE66E-E034-436a-86E4-9690573BEE8A} - (no file)
Toolbar-Locked - (no file)
HKCU-Run-Akamai NetSession Interface - c:\documents and settings\Reynaldo Home\Local Settings\Application Data\Akamai\netsession_win.exe
HKLM-Run-avast - c:\program files\Alwil Software\Avast5\avastUI.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-Google Update - c:\documents and settings\Reynaldo Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-09 09:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\REYNAL~1\LOCALS~1\Temp\XHS9.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,59,ca,9a,03,e9,22,bf,48,b3,d8,3e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,59,ca,9a,03,e9,22,bf,48,b3,d8,3e,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):a8,ed,cb,c2,f1,8b,0b,35,b0,58,8b,41,0b,2b,82,88,27,9f,fe,6d,94,
   32,84,34,14,90,07,95,19,3b,c5,7a,e1,e7,05,d4,1d,20,cb,ec,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f85501a0-75e0-4ab8-ade6-d40b4832a06e}]
@Denied: (Full) (Everyone)
"Model"=dword:00000120
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
   38,95,44,ab,9e,50,1b,eb,77,d1,ab,11,80,6b,0f,8d,a8,35,87,83,e0,8b,c5,07,bb,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1632)
c:\windows\system32\WININET.dll
c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.dll
c:\windows\system32\msi.dll
c:\program files\ASUS\ASUS WebStorage\3.0.130.270\ASUSWSShellExt.dll
c:\windows\system32\AcSignIcon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\crypserv.exe
c:\program files\Google\Update\1.3.21.135\GoogleCrashHandler.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
.
**************************************************************************
.
Completion time: 2013-02-09  09:27:31 - machine was rebooted
ComboFix-quarantined-files.txt  2013-02-09 01:27
ComboFix2.txt  2012-11-12 18:15
ComboFix3.txt  2010-02-27 11:01
.
Pre-Run: 43,471,020,032 bytes free
Post-Run: 43,346,796,544 bytes free
.
- - End Of File - - B08DC5609D971AE8169E50D49C85F338

#8 myrti

Posted 09 February 2013 - 09:52 AM

Hi,

I have bad news. You have contracted Sality.

Sality is a family of file infecting viruses that spread by infecting exe and scr files. The virus also includes an autorun worm component that allows it to spread to any removable or discoverable drive. In addition, Sality includes a downloader trojan component that installs additional malware via the Web...


About Sality Virus
Win32/Sality Family

If the computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before co

There is no guarantee the infection can be completely removed. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
Should you decide not to follow that advice, you can try the AVG Win32/Sality Remover. It was last updated in June 2007 and is not always effective for the reasons I indicated above. Follow the instructions exactly as specified and pay close attention to the instructions including the note on administrator rights.
alternate download

You probably got infected by an infected USB drive. We need to clean those, independently of your decision on reformatting:

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

 

regards myrti


is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+
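The ComboFix listing posted above has nine S2 services (aozgkerw, chrofu, decatj, gheuajfaq, lvtkhthl, ncodhzcg, nurgrhmdn, ssyqpqz, zfzmlhulc) with random names and generic "Microsoft"-style display names, all hosted by "svchost.exe -k netsvcs" and all added to the NetSvcs group. Whatever planted them, that is a persistence pattern worth spotting in any such log. The script below is an added example, not part of this thread and not ComboFix, DDS or BleepingComputer code: it parses lines in ComboFix's service format and flags every netsvcs-hosted service whose name is not in an allowlist of services Windows XP SP3 itself runs in that group. The allowlist is an assumed, partial list and should be checked against a clean machine of the same build; the vowel-ratio heuristic is only a supporting signal. The sample lines are copied from the log above, plus one constructed legitimate entry (Schedule) to show a real service passing.

```python
"""Flag svchost-hosted services that are not part of the OS's own netsvcs
group, from a ComboFix/DDS-style service listing.

Added example for this thread; not ComboFix, DDS or BleepingComputer code.
KNOWN_NETSVCS is an assumed, partial allowlist of the services Windows XP SP3
itself runs inside "svchost.exe -k netsvcs"; compare against a clean machine
of the same build before relying on it.
"""
import re

KNOWN_NETSVCS = {
    "6to4", "appmgmt", "audiosrv", "bits", "browser", "cryptsvc", "dmserver",
    "eventsystem", "fastuserswitchingcompatibility", "helpsvc", "hidserv",
    "ias", "iprip", "irmon", "lanmanserver", "lanmanworkstation", "messenger",
    "netman", "nla", "ntmssvc", "nwcworkstation", "nwsapagent", "rasauto",
    "rasman", "remoteaccess", "remoteregistry", "schedule", "seclogon", "sens",
    "sharedaccess", "shellhwdetection", "srservice", "tapisrv", "themes",
    "trkwks", "uploadmgr", "w32time", "winmgmt", "wmdmpmsp", "wmi", "wscsvc",
    "wuauserv", "wzcsvc", "xmlprov",
}

# One ComboFix service line: "S2 name;display name;image path [date size]".
LINE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)(?:\s+\[[^\]]*\])?\s*$")
NETSVCS_RE = re.compile(r"svchost\.exe\s+-k\s+netsvcs", re.IGNORECASE)
VOWELS = "aeiouy"

# Lines copied from the ComboFix log posted in this thread, plus one
# constructed legitimate entry (Schedule) so the allowlist has something to pass.
SAMPLE_LOG = [
    r"S0 rtjif;rtjif;c:\windows\system32\drivers\bqph.sys --> c:\windows\system32\drivers\bqph.sys [?]",
    r"S2 aozgkerw;Microsoft System Management BIOS Monitor;c:\windows\System32\svchost.exe -k netsvcs [4/14/2008 8:00 PM 14336]",
    r"S2 chrofu;Monitor Shell;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 8:00 PM 14336]",
    r"S2 decatj;Microsoft Installer;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 8:00 PM 14336]",
    r"S2 gheuajfaq;Shell Config;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 8:00 PM 14336]",
    r"S2 lvtkhthl;Config Microsoft;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 8:00 PM 14336]",
    r"S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/9/2011 2:50 PM 682344]",
    r"S2 ncodhzcg;System Microsoft;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 8:00 PM 14336]",
    r"S2 nurgrhmdn;Driver Center;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 8:00 PM 14336]",
    r"S2 ssyqpqz;Time Image;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 8:00 PM 14336]",
    r"S2 zfzmlhulc;Helper Time;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 8:00 PM 14336]",
    r"R2 Schedule;Task Scheduler;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 8:00 PM 14336]",  # constructed
]


def looks_random(name: str) -> bool:
    """Supporting signal: machine-generated names tend to have almost no
    vowels or a long consonant run.  Never sufficient on its own."""
    n = name.lower()
    if not n.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in n) / len(n)
    longest_consonant_run = max(len(run) for run in re.split(f"[{VOWELS}]", n))
    return vowel_ratio < 0.25 or longest_consonant_run >= 4


def parse_service(line: str):
    """Return a dict for a ComboFix service line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    start, name, display, path = m.groups()
    return {"start": start, "name": name, "display": display, "path": path}


def suspicious_netsvcs(lines):
    """Every netsvcs-hosted service whose short name is not in the allowlist."""
    hits = []
    for line in lines:
        svc = parse_service(line)
        if svc is None or not NETSVCS_RE.search(svc["path"]):
            continue
        if svc["name"].lower() in KNOWN_NETSVCS:
            continue
        svc["random_name"] = looks_random(svc["name"])
        hits.append(svc)
    return hits


if __name__ == "__main__":
    for svc in suspicious_netsvcs(SAMPLE_LOG):
        flag = "random-looking name" if svc["random_name"] else "unknown name"
        print(f'{svc["start"]} {svc["name"]:<12} "{svc["display"]}"  <- {flag}')
```

On the sample log every one of the nine random services is reported (the allowlist does the real work), and the vowel heuristic additionally marks five of them as random-looking; chrofu or decatj would slip past a name-shape check alone, which is why the check is an unknown-name allowlist rather than a pattern match.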


#9 Jai Reh
  • Topic Starter

Posted 09 February 2013 - 06:54 PM

Hi myrti,

Do I really need to reformat my computer? But how do I make a backup of my files without the risk of transferring that kind of malware, because I do not know where those viruses hide?

#10 myrti


Posted 09 February 2013 - 08:45 PM

Hi,

The virus is in all files ending in .exe. It modifies all files that have that ending on your machine so that they contain it. That is also why it is almost impossible to delete it. You need to fix all the files on your system and if you miss one, then you get reinfected immediately.

Reformatting a hard disk deletes all data. You can back up all your important documents, personal data files and photos to a CD or DVD, not a flash drive or external hard drive, as they may become compromised in the process. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp and .html), because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executable files inside them, as some types of malware can penetrate and infect .exe files within compressed files too. Other types of malware may even disguise themselves by adding and hiding their extension behind the existing extension of a file, so be sure you look closely at the full file name. After reformatting, scan the backed-up data with your anti-virus prior to copying it back to your hard drive. Files ending in .doc, .jpeg and .avi should be safe.

It is possible to try to disinfect, but it is not something I would recommend. It is unlikely your PC will function normally afterwards. If you want to try it anyway, you can check out these tools:

Sality is also able to spread through mapped network drives and shares. If you share any folders on your network, you should perform the above steps on those computers as well.

 

regards myrti
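The backup rules in the post above (skip executables, screensavers, autorun and script files; skip archives holding executables; watch for a second extension hidden behind a data-looking one; keep documents, pictures and video) are easy to state and easy to get wrong by eye across a whole profile. The script below is an added example, not a tool recommended in this thread and not anyone's code from it: it walks a folder and returns a keep/skip/review verdict with a reason for every file. It goes one step beyond the post by also skipping any file whose content begins with the PE "MZ" header, whatever its name, since a file infector that renames or drops payloads does not have to respect extensions. The extension sets are assumptions; the sample tree it builds is constructed stub data, and only zip archives can be inspected with the standard library, so other archive types are skipped as uninspectable.

```python
"""Triage a folder before backing it up from a file-infector-hit machine.

Added example for this thread, not a tool the poster recommended.  It applies
the rules in the post above: skip executables, screensavers, autorun and
script files, skip archives that contain executables (or that cannot be
inspected), look past a data-looking extension that hides an executable one,
and keep plain documents and media.  It adds one check the post does not
mention: a file whose content starts with the PE "MZ" header is skipped
whatever its name says.  The extension sets are assumptions; extend them.
"""
import tempfile
import zipfile
from pathlib import Path

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".dll", ".sys", ".pif", ".bat",
                   ".cmd", ".vbs", ".js", ".inf", ".ini", ".php", ".asp",
                   ".html", ".htm"}
ARCHIVE_EXTS = {".zip", ".cab", ".rar", ".7z"}
DATA_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg", ".jpeg",
             ".png", ".gif", ".avi", ".mp3", ".mp4"}


def has_mz_header(path: Path) -> bool:
    """True if the file starts like a DOS/PE executable, regardless of name."""
    with path.open("rb") as fh:
        return fh.read(2) == b"MZ"


def archive_verdict(path: Path):
    """Only zip can be listed with the standard library; anything else is
    skipped because it cannot be checked from here."""
    if path.suffix.lower() != ".zip":
        return "skip", "archive type cannot be inspected here"
    try:
        with zipfile.ZipFile(path) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return "skip", "corrupt or not really a zip"
    bad = [m for m in members if Path(m).suffix.lower() in EXECUTABLE_EXTS]
    if bad:
        return "skip", "archive contains executables: " + ", ".join(bad)
    return "keep", "archive holds only data files"


def classify(path: Path):
    """Return (verdict, reason); verdict is keep, skip or review."""
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""
    if ext in EXECUTABLE_EXTS:
        # "holiday.jpg.exe" shows as "holiday.jpg" when Explorer hides extensions.
        if len(suffixes) > 1 and suffixes[-2] in DATA_EXTS:
            return "skip", "executable hidden behind a data extension"
        return "skip", "executable, script or autorun file"
    if has_mz_header(path):
        return "skip", "PE (MZ) header under a non-executable name"
    if ext in ARCHIVE_EXTS:
        return archive_verdict(path)
    if ext in DATA_EXTS:
        return "keep", "data file"
    return "review", "unknown extension, check by hand"


def triage(root: Path):
    """Map each file under root (relative path) to its (verdict, reason)."""
    return {str(p.relative_to(root)): classify(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_sample_tree(root: Path) -> None:
    """Constructed sample files; contents are stubs, not real documents."""
    (root / "thesis.docx").write_bytes(b"PK\x03\x04 stub")
    (root / "holiday.jpg").write_bytes(b"\xff\xd8\xff stub")
    (root / "setup.exe").write_bytes(b"MZ\x90\x00 stub")
    (root / "holiday.jpg.exe").write_bytes(b"MZ\x90\x00 stub")   # hidden .exe
    (root / "invoice.doc").write_bytes(b"MZ\x90\x00 stub")       # PE named .doc
    (root / "old.rar").write_bytes(b"Rar!\x1a\x07\x00 stub")
    (root / "notes.xyz").write_bytes(b"plain text")
    with zipfile.ZipFile(root / "photos.zip", "w") as zf:
        zf.writestr("a.jpg", b"\xff\xd8\xff")
        zf.writestr("b.txt", b"text")
    with zipfile.ZipFile(root / "tools.zip", "w") as zf:
        zf.writestr("readme.txt", b"text")
        zf.writestr("crack.exe", b"MZ")


def run_demo():
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for name, (verdict, reason) in run_demo().items():
        print(f"{verdict:<7}{name:<18}{reason}")
```

Run it against a real profile by calling triage(Path("D:/Documents and Settings/...")) from a clean machine with the old disk attached read-only; anything marked review needs a human decision, and the "skip" list is what you do not copy to the CD or DVD.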


#11 myrti
#11 myrti


Posted 09 April 2014 - 09:07 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.