
Very slow startup


This topic is locked. 17 replies to this topic.

#1 reversiblean (Members, 8 posts)

Posted 13 November 2013 - 01:47 AM

My computer has been acting weird lately. It's been only about 4-5 days since I fully formatted my disk and it was at least usable at first. But there were some errors constantly showing up in the event log (TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts). Also the IP protection of Malwarebytes turns itself back on/off on reboot. Sometimes it works, sometimes it doesn't and other times it won't work at all.

 

I was a bit impatient, so I ran RogueKiller and Combofix. :nono:

 

And the result is as follows. I would really appreciate any help.

 

//-------------------------------------------------------------------------------------------------

 

RogueKiller V8.7.6 [Oct 28 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : gayan [Admin rights]
Mode : Remove -- Date : 11/12/2013 21:40:13
| ARK || FAK |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ][PUM] HKLM\[...]\SystemRestore : DisableSR (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

Finished : << RKreport[0]_D_11122013_214012.txt >>
RKreport[0]_S_11122013_212951.txt;RKreport[0]_S_11122013_213240.txt

//-------------------------------------------------------------------------------------------------

ComboFix 13-11-07.01 - gayan 11/10/2013  17:25:13.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1278.722 [GMT 5.5:30]
Running from: c:\documents and settings\gayan\Desktop\ComboFix.exe
AV: avast! Internet Security *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-10 to 2013-11-10  )))))))))))))))))))))))))))))))
.
.
2013-11-09 05:59 . 2013-11-09 05:59    --------    d-----w-    C:\NVIDIA
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-10 03:50 . 2013-11-10 03:50    403440    ----a-w-    c:\windows\system32\drivers\aswsp.sys.1384056599
2013-11-09 10:50 . 2008-04-14 12:00    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-09 10:50 . 2008-04-14 12:00    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-23 18:33 . 2013-06-12 15:46    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-09-23 18:33 . 2013-06-12 15:46    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-09-23 18:33 . 2013-06-12 15:46    1469440    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-09-23 18:33 . 2013-06-12 15:46    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-09-23 18:06 . 2013-06-12 15:46    385024    ----a-w-    c:\windows\system32\html.iec
2013-08-29 01:31 . 2013-06-12 15:45    1878656    ----a-w-    c:\windows\system32\win32k.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2013-06-12 . E17798E1E6FF1CA9C67B8576570E05EE . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-11-10 09:40    321752    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link D-Link DWA-140"="c:\program files\D-Link\DWA-140 revB\AirNCFG.exe" [2011-06-29 1074496]
"D-Link DWA-140 WZCSLDR2"="c:\program files\D-Link\DWA-140 revB\WZCSLDR2.exe" [2010-07-12 122880]
"RTHDCPL"="RTHDCPL.EXE" [2005-10-15 14864384]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2013-10-23 15709984]
"NvMediaCenter"="NvMCTray.dll" [2013-10-23 209184]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2013-10-23 2602784]
"Nvtmru"="c:\program files\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe" [2013-10-18 1028384]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2013-11-10 3568312]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0aswBoot.exe /A:* /L:1033 /heur:80 /RA:ask /pup /archives /IA:0 /KBD:2 /dir:C:\Program
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders    msapsspc.dll, schannel.dll, credssp.dll, digest.dll, msnsspc.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [11/10/2013 4:44 PM 12112]
R0 aswNdis2;avast! Firewall NDIS Driver;c:\windows\system32\drivers\aswNdis2.sys [11/10/2013 4:44 PM 247192]
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [11/10/2013 3:10 PM 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [11/10/2013 3:10 PM 178304]
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [6/12/2013 9:23 PM 14184]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [6/12/2013 9:23 PM 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [6/12/2013 9:23 PM 14184]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [11/10/2013 4:44 PM 26136]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [11/10/2013 3:10 PM 774392]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [11/10/2013 3:10 PM 403440]
R2 ANPD;ANPD Service;c:\windows\system32\ANPD.SYS [11/8/2013 9:45 PM 29411]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/10/2013 3:10 PM 35656]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [11/10/2013 3:10 PM 70384]
R2 avast! Firewall;avast! Firewall;c:\program files\AVAST Software\Avast\afwServ.exe [11/10/2013 4:44 PM 116776]
R2 D_Link_DWA-140_WPS;D_Link_DWA-140_WPS Service;c:\program files\D-Link\DWA-140 revB\ANIWConnService.exe [11/8/2013 9:45 PM 53248]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [11/10/2013 11:42 AM 418376]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/10/2013 11:42 AM 701512]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/10/2013 11:42 AM 22856]
S0 Si3112r;Si3112r;c:\windows\system32\drivers\Si3112r.sys [6/12/2013 9:23 PM 116264]
S2 D_Link_DWA-140;D_Link_DWA-140 Service;c:\program files\D-Link\DWA-140 revB\ANIWZCSdS.exe [11/8/2013 9:45 PM 126976]
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-06-12 10:50]
.
2013-11-10 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-11-10 09:40]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
FF - ProfilePath - c:\documents and settings\gayan\Application Data\Mozilla\Firefox\Profiles\yec5znx8.default\
FF - ExtSQL: 2013-11-09 10:16; {DDC359D1-844A-42a7-9AA1-88A850A938A8}; c:\documents and settings\gayan\Application Data\Mozilla\Firefox\Profiles\yec5znx8.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi
FF - ExtSQL: 2013-11-10 12:17; wrc@avast.com; c:\program files\AVAST Software\Avast\WebRep\FF
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-10 17:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3972)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2013-11-10  17:35:16
ComboFix-quarantined-files.txt  2013-11-10 12:05
.
Pre-Run: 7,213,555,712 bytes free
Post-Run: 7,784,112,128 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 25696AC9FB1FDE3B672E40F91E10F9EF
8F558EB6672622401DA993E1E865C861





//-------------------------------------------------------------------------------------------------

ComboFix-quarantined-files.txt

 

2013-11-12 17:55:53 . 2013-11-12 17:55:53              558 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-03431191.sys.reg.dat
2013-11-12 17:50:59 . 2013-11-12 17:50:59            5,667 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2013-11-12 17:45:27 . 2013-11-12 17:45:27              512 ----a-w-  C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2013-11-12 17:41:53 . 2013-11-12 17:41:53               51 ----a-w-  C:\Qoobox\Quarantine\catchme.log

//-------------------------------------------------------------------------------------------------

Add-remove programs

Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Android SDK Tools
avast! Internet Security
D-Link DWA-140
FlashDevelop 4.5.0
Java 7 Update 45
Java Auto Updater
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
Mozilla Firefox 25.0 (x86 en-US)
Mozilla Maintenance Service
NVIDIA Control Panel 331.65
NVIDIA GeForce Experience 1.7
NVIDIA Graphics Driver 331.65
NVIDIA Install Application
NVIDIA nView 140.75
NVIDIA PhysX
NVIDIA PhysX System Software 9.13.0725
NVIDIA Update 9.3.16
NVIDIA Update Components
REALTEK Gigabit and Fast Ethernet NIC Driver
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2861188)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft .NET Framework 4 Extended (KB2858302v2)
Security Update for Windows Internet Explorer 8 (KB2879017)
Security Update for Windows Media Player (KB2803821-v2)
Security Update for Windows XP (KB2834886)
Security Update for Windows XP (KB2845187)
Security Update for Windows XP (KB2847311)
Security Update for Windows XP (KB2849470)
Security Update for Windows XP (KB2850869)
Security Update for Windows XP (KB2859537)
Security Update for Windows XP (KB2862330)
Security Update for Windows XP (KB2862335)
Security Update for Windows XP (KB2864063)
Security Update for Windows XP (KB2876217)
Security Update for Windows XP (KB2883150)
Update for Windows XP (KB2863058)
WebFldrs XP
WinRAR 5.00 (32-bit)
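Two things in the logs above deserve a check before any further scans: ComboFix's Sigcheck marks c:\windows\system32\sfcfiles.dll as not signed, and the drivers folder holds .sys files with eight-character names, several of them exactly 403440 bytes, the same size ComboFix reports for avast's aswsp.sys. The script below is an added example for this thread; it is not ComboFix, DDS or the poster's code. It parses the three line shapes used in these logs (Sigcheck entries, R#/S# service lines in both the DDS and ComboFix timestamp style, and DDS "Created Last 30" entries) and reports unsigned entries, eight-letter or eight-digit driver names, and drivers that share an exact byte size. The sample lines are copied from the ComboFix log above and the DDS log posted later in the thread; the two heuristics are the author's assumptions about what is worth hashing next, not verdicts, since an antivirus that randomizes its own driver names produces exactly the same pattern.

```python
"""Triage of ComboFix / DDS log lines: unsigned system files and drivers worth hashing.

Added example for this thread, not code from ComboFix, DDS or the poster.
Three line shapes are parsed: ComboFix Sigcheck entries, R#/S# service lines
(both the DDS and the ComboFix timestamp style) and DDS 'Created Last 30'
entries. Two heuristics are then applied and are the author's assumptions:
an eight-letter or eight-digit .sys stem is treated as 'randomly named', and
.sys files that share an exact byte size are grouped so their hashes can be
compared. Neither is a verdict; both only say what to hash next.
"""
import re
from collections import defaultdict

# Sample input: lines copied from the ComboFix log above and the DDS log later
# in the thread (constructed excerpt, not a complete log).
SAMPLE_LOG = r"""
[-] 2013-06-12 . E17798E1E6FF1CA9C67B8576570E05EE . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
R1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [2013-11-10 403440]
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [11/10/2013 3:10 PM 49944]
R2 ANPD;ANPD Service;c:\windows\system32\ANPD.SYS [2013-11-8 29411]
2013-11-12 17:05:33    177496    ----a-w-    c:\windows\system32\drivers\25554273.sys
2013-11-10 06:05:41    403440    ----a-w-    c:\windows\system32\drivers\ijlfxeke.sys
2013-11-09 17:18:39    403440    ----a-w-    c:\windows\system32\drivers\nvddhiuo.sys
2013-11-09 07:52:28    156960    ----a-w-    c:\windows\system32\nvsvc32.exe
2013-11-09 05:59:44    --------    d-----w-    C:\NVIDIA
"""

# ComboFix Sigcheck: "[-] date . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>.)\] (?P<date>\S+) \. (?P<md5>[0-9A-Fa-f]{32}) \. (?P<size>\d+)"
    r" \. \. \[(?P<version>[^\]]*)\] \. \. (?P<path>.+)$")
# Service lines: DDS writes "[2013-11-10 403440]", ComboFix "[11/10/2013 3:10 PM 403440]".
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r" \[(?P<date>\S+)(?: \S+ [AP]M)? (?P<size>\d+)\]$")
# DDS "Created Last 30": "date time size attrs path" (directories show "--------" as size).
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d)\s+(?P<size>\d+|-+)"
    r"\s+(?P<attrs>\S+)\s+(?P<path>.+)$")
# Heuristic (assumption): an 8-letter or 8-digit stem looks machine-generated.
RANDOM_NAME_RE = re.compile(r"[a-z]{8}|[0-9]{8}")


def parse_log(text):
    """Return one record per recognised file line; unknown lines are ignored."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        if m := SIGCHECK_RE.match(line):
            records.append({"kind": "sigcheck", "path": m["path"], "size": int(m["size"]),
                            "flag": m["flag"], "md5": m["md5"].upper()})
        elif m := SERVICE_RE.match(line):
            records.append({"kind": "service", "path": m["path"], "size": int(m["size"]),
                            "name": m["name"], "state": m["state"]})
        elif m := CREATED_RE.match(line):
            if m["size"].startswith("-"):      # directory entry, no size to compare
                continue
            records.append({"kind": "created", "path": m["path"], "size": int(m["size"])})
    return records


def is_driver(path):
    return path.lower().endswith(".sys")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def unsigned_files(records):
    """Sigcheck entries ComboFix flagged '[-]' (no valid Microsoft signature)."""
    return sorted(r["path"] for r in records if r["kind"] == "sigcheck" and r["flag"] == "-")


def random_named_drivers(records):
    """Drivers whose stem is exactly 8 letters or 8 digits: a 'hash and look up' list."""
    hits = set()
    for r in records:
        if is_driver(r["path"]):
            stem = basename(r["path"]).rsplit(".", 1)[0].lower()
            if RANDOM_NAME_RE.fullmatch(stem):
                hits.add(r["path"])
    return sorted(hits)


def same_size_drivers(records):
    """Differently named drivers with an identical byte size: compare their hashes next."""
    by_size = defaultdict(set)
    for r in records:
        if is_driver(r["path"]):
            by_size[r["size"]].add(r["path"].lower())
    return {size: sorted(paths) for size, paths in by_size.items() if len(paths) > 1}


def triage(text):
    """Run all three checks over a log text and return the findings."""
    records = parse_log(text)
    return {"unsigned": unsigned_files(records),
            "random_named": random_named_drivers(records),
            "same_size": same_size_drivers(records)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the only unsigned Sigcheck entry is sfcfiles.dll, the three eight-character driver names are listed, and the 403440-byte group contains aswsp.sys together with the two random-named drivers; that grouping is the hint to hash all three and compare before treating either of the random names as malicious.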
 

 



#2 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 14 November 2013 - 02:53 AM

Hi there,
My name is Marius and I will assist you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Please upload C:\Qoobox\Quarantine\MBR_HardDisk0.mbr here: Submit Malware


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 reversiblean (Topic Starter, Members, 8 posts)

Posted 14 November 2013 - 04:05 AM

Done. I will definitely follow through all your instructions. Thanks for getting back to me :)

#4 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 14 November 2013 - 04:14 AM

Scan with SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    sfcfiles.dll
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Scan with DDS

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs

DDS.txt: save to your desktop then post its contents in your topic
Attach.txt: save to your desktop then attach it to your next reply

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All (should be unchecked by default)
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


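The SystemLook :filefind step in the post above reports every copy of sfcfiles.dll with its size, timestamps and MD5. What an analyst does with that output is compare the copy in system32 against the Windows File Protection copy that XP keeps in system32\dllcache and, when a trusted reference hash for that file version is available, against that. The Python below is an added example and is neither SystemLook's code nor part of this thread: filefind() walks a tree for a file name and returns the fields SystemLook prints (plus SHA-256), compare_copies() groups the hits by MD5, check_against_expected() reports copies that differ from an analyst-supplied hash, and demo() builds a throwaway directory shaped like the XP layout, tampers with one copy and shows the mismatch. The directory tree, its contents and the "known-good" hash in the demo are constructed for illustration.

```python
"""Reproduce SystemLook's ':filefind' in Python and add the comparison an analyst does next.

Added example, not SystemLook's code and not part of the thread. Assumptions:
Windows File Protection keeps a reference copy of protected files under
system32\dllcache, so a system32 copy whose hash differs from its dllcache
copy has been replaced by something other than Windows itself. The demo tree
and its contents are constructed here; the real check runs against C:\WINDOWS.
"""
import hashlib
import os
import shutil
import tempfile
import time


def file_record(path):
    """Size, mtime and MD5/SHA-256 of one file (what SystemLook prints, plus SHA-256)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    st = os.stat(path)
    return {"path": path, "size": st.st_size,
            "mtime": time.strftime("%H:%M %d/%m/%Y", time.gmtime(st.st_mtime)),
            "md5": md5.hexdigest().upper(), "sha256": sha.hexdigest()}


def filefind(root, name):
    """Walk root and return a record for every file whose name matches (case-insensitive)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower() == name.lower():
                hits.append(file_record(os.path.join(dirpath, f)))
    return sorted(hits, key=lambda r: r["path"].lower())


def systemlook_line(rec):
    """Format one record the way SystemLook's filefind output reads."""
    return f'{rec["path"]}    {rec["size"]} bytes    [{rec["mtime"]}]    {rec["md5"]}'


def compare_copies(records):
    """Group copies by MD5; more than one group means the copies differ."""
    groups = {}
    for r in records:
        groups.setdefault(r["md5"], []).append(r["path"])
    return groups


def check_against_expected(records, expected_md5):
    """Paths whose MD5 differs from an analyst-supplied known-good value."""
    return [r["path"] for r in records if r["md5"] != expected_md5.upper()]


def demo():
    """Build a throwaway tree shaped like XP's WFP layout, tamper with one copy, run the checks."""
    root = tempfile.mkdtemp()
    try:
        sys32 = os.path.join(root, "WINDOWS", "system32")
        cache = os.path.join(sys32, "dllcache")
        os.makedirs(cache)
        for d in (sys32, cache):                      # constructed sample content
            with open(os.path.join(d, "sfcfiles.dll"), "wb") as fh:
                fh.write(b"hello")
        before = filefind(root, "sfcfiles.dll")
        known_good = before[0]["md5"]                 # hypothetical reference hash
        with open(os.path.join(sys32, "sfcfiles.dll"), "ab") as fh:
            fh.write(b"!")                            # simulate a patched system32 copy
        after = filefind(root, "sfcfiles.dll")
        return {"found": len(before),
                "md5_before": known_good,
                "groups_before": len(compare_copies(before)),
                "groups_after": len(compare_copies(after)),
                "mismatch_after": [os.path.basename(os.path.dirname(p))
                                   for p in check_against_expected(after, known_good)],
                "lines": [systemlook_line(r) for r in after]}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for line in demo()["lines"]:
        print(line)
```

Against a live system the call is filefind(r"C:\WINDOWS", "sfcfiles.dll") from an administrator prompt. A dllcache copy that differs from the system32 copy, or a copy whose MD5 is not the one a trusted reference gives for that file version, is what justifies replacing the file; the unsigned flag on its own is not, as ComboFix's own note in the first post says.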

#5 reversiblean (Topic Starter, Members, 8 posts)

Posted 14 November 2013 - 05:12 AM

SystemLook 30.07.11 by jpshortstuff
Log created at 14:51 on 14/11/2013 by gayan
Administrator - Elevation successful

========== filefind ==========

Searching for "sfcfiles.dll"
C:\WINDOWS\system32\sfcfiles.dll    --a---- 1614848 bytes    [15:51 12/06/2013]    [15:51 12/06/2013] E17798E1E6FF1CA9C67B8576570E05EE

-= EOF =-

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.45.2
Run by gayan at 14:55:07 on 2013-11-14
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1278.721 [GMT 5.5:30]
.
AV: avast! Internet Security *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Disabled*
.
============== Running Processes ================
.
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVAST Software\Avast\afwServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\DWA-140 revB\ANIWConnService.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe
C:\Program Files\D-Link\DWA-140 revB\WZCSLDR2.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
mRun: [D-Link D-Link DWA-140] c:\program files\d-link\dwa-140 revb\AirNCFG.exe
mRun: [D-Link DWA-140 WZCSLDR2] c:\program files\d-link\dwa-140 revb\WZCSLDR2.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [Nvtmru] "c:\program files\nvidia corporation\nvidia update core\nvtmru.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
TCP: NameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{4B2C7AFC-E573-4FC1-89D4-FDBCC7280114} : DHCPNameServer = 192.168.1.1 192.168.1.1
SecurityProviders: SecurityProviders = msapsspc.dll, schannel.dll, credssp.dll, digest.dll, msnsspc.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\gayan\application data\mozilla\firefox\profiles\aqr62itj.default-1384137371000\
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_117.dll
FF - ExtSQL: 2013-11-10 16:44; wrc@avast.com; c:\program files\avast software\avast\webrep\FF
FF - ExtSQL: 2013-11-11 08:12; {DDC359D1-844A-42a7-9AA1-88A850A938A8}; c:\documents and settings\gayan\application data\mozilla\firefox\profiles\aqr62itj.default-1384137371000\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2013-11-10 12112]
R0 aswNdis2;avast! Firewall NDIS Driver;c:\windows\system32\drivers\aswNdis2.sys [2013-11-10 247192]
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2013-11-10 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2013-11-10 178304]
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [2013-6-12 14184]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [2013-6-12 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [2013-6-12 14184]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2013-11-10 26136]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-11-10 774392]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [2013-11-10 403440]
R2 ANPD;ANPD Service;c:\windows\system32\ANPD.SYS [2013-11-8 29411]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-11-10 35656]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-11-10 70384]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-11-10 50344]
R2 avast! Firewall;avast! Firewall;c:\program files\avast software\avast\afwServ.exe [2013-11-10 116776]
R2 D_Link_DWA-140_WPS;D_Link_DWA-140_WPS Service;c:\program files\d-link\dwa-140 revb\ANIWConnService.exe [2013-11-8 53248]
R3 rt2870;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\Drt2870.sys [2013-11-8 1174976]
S0 Si3112r;Si3112r;c:\windows\system32\drivers\Si3112r.sys [2013-6-12 116264]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 D_Link_DWA-140;D_Link_DWA-140 Service;c:\program files\d-link\dwa-140 revb\ANIWZCSdS.exe [2013-11-8 126976]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== Created Last 30 ================
.
2013-11-13 17:04:34    --------    d-----w-    c:\documents and settings\gayan\local settings\application data\Greenshot
2013-11-13 17:04:34    --------    d-----w-    c:\documents and settings\gayan\application data\Greenshot
2013-11-13 17:02:56    --------    d-----w-    c:\program files\Greenshot
2013-11-13 16:51:12    --------    d-----w-    c:\documents and settings\gayan\.ssh
2013-11-13 16:45:37    --------    d-----w-    c:\documents and settings\gayan\application data\GitHub
2013-11-13 16:45:16    --------    d-----w-    c:\documents and settings\gayan\local settings\application data\GitHub
2013-11-13 16:25:24    --------    d-----w-    c:\documents and settings\gayan\local settings\application data\Deployment
2013-11-13 11:52:53    134122    ----a-w-    c:\windows\ColorPic Uninstaller.exe
2013-11-13 11:52:52    --------    d-----w-    c:\program files\ColorPic 4.1
2013-11-12 17:42:12    98816    ----a-w-    c:\windows\sed.exe
2013-11-12 17:42:12    256000    ----a-w-    c:\windows\PEV.exe
2013-11-12 17:42:12    208896    ----a-w-    c:\windows\MBR.exe
2013-11-12 17:05:33    177496    ----a-w-    c:\windows\system32\drivers\25554273.sys
2013-11-12 16:28:58    --------    d-----w-    C:\_OTL
2013-11-12 13:43:54    408    ----a-w-    C:\HKEY_LOCAL_MACHINE_Software_Microsoft_Windows_CurrentVersion_Explorer_HideDesktopIcons_NewStartPanel_{20D04FE0-0.reg
2013-11-12 13:24:51    --------    d-----w-    c:\documents and settings\gayan\local settings\application data\FlashDevelop
2013-11-12 13:22:07    --------    d-----w-    c:\program files\ESET
2013-11-12 07:42:43    --------    d--h--w-    c:\windows\PIF
2013-11-12 05:44:24    --------    d-----w-    c:\program files\FlashDevelop
2013-11-11 06:07:01    26368    -c--a-w-    c:\windows\system32\dllcache\usbstor.sys
2013-11-11 03:12:55    --------    d-----w-    c:\documents and settings\gayan\local settings\application data\Adobe
2013-11-10 17:21:42    --------    d-----w-    c:\documents and settings\gayan\.android
2013-11-10 13:04:43    --------    d-----w-    c:\windows\ERUNT
2013-11-10 12:42:52    --------    d-----w-    C:\AdwCleaner
2013-11-10 11:52:31    --------    d-sha-r-    C:\cmdcons
2013-11-10 11:14:47    26136    ----a-w-    c:\windows\system32\drivers\aswKbd.sys
2013-11-10 11:14:47    247192    ----a-w-    c:\windows\system32\drivers\aswNdis2.sys
2013-11-10 11:14:21    12112    ----a-w-    c:\windows\system32\drivers\aswNdis.sys
2013-11-10 09:40:15    49944    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2013-11-10 09:40:15    178304    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-11-10 09:40:14    774392    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2013-11-10 09:40:14    70384    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2013-11-10 09:40:07    43152    ----a-w-    c:\windows\avastSS.scr
2013-11-10 09:39:26    --------    d-----w-    c:\program files\AVAST Software
2013-11-10 08:27:29    145408    ----a-w-    c:\windows\system32\javacpl.cpl
2013-11-10 08:27:19    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-11-10 06:05:41    403440    ----a-w-    c:\windows\system32\drivers\ijlfxeke.sys
2013-11-10 04:11:11    --------    d-----w-    c:\documents and settings\gayan\application data\AVAST Software
2013-11-09 17:18:39    403440    ----a-w-    c:\windows\system32\drivers\nvddhiuo.sys
2013-11-09 16:58:25    --------    d-----w-    c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
2013-11-09 16:57:34    --------    d-----w-    c:\documents and settings\all users\application data\AVAST Software
2013-11-09 16:30:45    743248    ----a-w-    c:\windows\system32\msvcp100d.dll
2013-11-09 16:30:45    1498960    ----a-w-    c:\windows\system32\msvcr100d.dll
2013-11-09 16:30:45    --------    d-----w-    c:\program files\Malwarebytes Anti-Exploit
2013-11-09 14:59:35    --------    d-----w-    c:\windows\system32\appmgmt
2013-11-09 09:06:21    --------    d-----w-    c:\documents and settings\gayan\application data\Malwarebytes
2013-11-09 09:06:11    --------    d-----w-    c:\documents and settings\all users\application data\Malwarebytes
2013-11-09 08:17:40    --------    d-----w-    c:\windows\ie8updates
2013-11-09 08:04:32    --------    d-----w-    c:\documents and settings\gayan\local settings\application data\NVIDIA
2013-11-09 07:54:07    --------    d-----w-    c:\documents and settings\all users\application data\NVIDIA Corporation
2013-11-09 07:52:28    156960    ----a-w-    c:\windows\system32\nvsvc32.exe
2013-11-09 07:52:28    144160    ----a-w-    c:\windows\system32\nvcolor.exe
2013-11-09 07:52:26    209184    ----a-w-    c:\windows\system32\nvmctray.dll
2013-11-09 07:52:26    15709984    ----a-w-    c:\windows\system32\nvcpl.dll
2013-11-09 07:52:24    54272    ----a-w-    c:\windows\system32\nvwddi.dll
2013-11-09 07:49:48    57344    ----a-w-    c:\windows\system32\OpenCL.dll
2013-11-09 07:47:42    1127092    ----a-w-    c:\windows\system32\nvdrsdb0.bin
2013-11-09 07:47:41    1127092    ----a-w-    c:\windows\system32\nvdrsdb1.bin
2013-11-09 07:47:41    1    ----a-w-    c:\windows\system32\nvdrssel.bin
2013-11-09 07:41:54    1049888    ----a-w-    c:\windows\system32\nvdispco3233165.dll
2013-11-09 07:41:53    9506816    ----a-w-    c:\windows\system32\nvcuda.dll
2013-11-09 07:41:53    9465856    ----a-w-    c:\windows\system32\nvopencl.dll
2013-11-09 07:41:53    4073472    ----a-w-    c:\windows\system32\nv4_disp.dll
2013-11-09 07:41:53    2747168    ----a-w-    c:\windows\system32\nvcuvenc.dll
2013-11-09 07:41:53    22171648    ----a-w-    c:\windows\system32\nvoglnt.dll
2013-11-09 07:41:52    893728    ----a-w-    c:\windows\system32\nvdispgenco3233165.dll
2013-11-09 07:41:52    2951968    ----a-w-    c:\windows\system32\nvcuvid.dll
2013-11-09 07:41:52    2631680    ----a-w-    c:\windows\system32\nvapi.dll
2013-11-09 07:41:52    17551360    ----a-w-    c:\windows\system32\nvcompiler.dll
2013-11-09 07:41:52    12658336    ----a-w-    c:\windows\system32\drivers\nv4_mini.sys
2013-11-09 07:39:54    --------    d-----w-    c:\program files\NVIDIA Corporation
2013-11-09 05:59:44    --------    d-----w-    C:\NVIDIA
2013-11-09 04:49:55    12800    -c----w-    c:\windows\system32\dllcache\xpshims.dll
2013-11-09 04:49:54    55296    -c----w-    c:\windows\system32\dllcache\msfeedsbs.dll
2013-11-09 04:49:54    247808    -c----w-    c:\windows\system32\dllcache\ieproxy.dll
2013-11-09 04:49:52    743424    -c----w-    c:\windows\system32\dllcache\iedvtool.dll
2013-11-09 04:49:51    630272    -c----w-    c:\windows\system32\dllcache\msfeeds.dll
2013-11-09 04:49:49    11113472    -c----w-    c:\windows\system32\dllcache\ieframe.dll
2013-11-09 04:49:48    522240    -c----w-    c:\windows\system32\dllcache\jsdbgui.dll
2013-11-09 04:49:48    2006016    -c----w-    c:\windows\system32\dllcache\iertutil.dll
2013-11-09 04:33:08    2193536    -c----w-    c:\windows\system32\dllcache\ntoskrnl.exe
2013-11-09 04:33:08    2149888    -c----w-    c:\windows\system32\dllcache\ntkrnlmp.exe
2013-11-09 04:33:08    2070144    -c----w-    c:\windows\system32\dllcache\ntkrnlpa.exe
2013-11-09 04:33:08    2028544    -c----w-    c:\windows\system32\dllcache\ntkrpamp.exe
2013-11-09 04:32:08    5376    -c----w-    c:\windows\system32\dllcache\usbd.sys
2013-11-09 04:32:08    32384    -c--a-w-    c:\windows\system32\dllcache\usbccgp.sys
2013-11-09 04:32:08    32384    ----a-w-    c:\windows\system32\drivers\usbccgp.sys
2013-11-09 04:32:08    30336    -c----w-    c:\windows\system32\dllcache\usbehci.sys
2013-11-09 04:32:08    144128    -c----w-    c:\windows\system32\dllcache\usbport.sys
2013-11-09 04:12:30    --------    d-----w-    c:\documents and settings\gayan\application data\TuneUp Software
2013-11-09 04:12:05    25088    -c----w-    c:\windows\system32\dllcache\hidparse.sys
2013-11-09 04:12:05    14976    -c----w-    c:\windows\system32\dllcache\usbscan.sys
.
==================== Find3M  ====================
.
2013-11-10 03:50:08    403440    ----a-w-    c:\windows\system32\drivers\aswsp.sys.1384056599
2013-11-09 10:50:48    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-09 10:50:48    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-11-08 16:15:53    315392    ----a-w-    c:\windows\system32\ANPDApi.dll
2013-11-08 16:15:52    48640    ----a-w-    c:\windows\system32\ANPD64.SYS
2013-11-08 16:15:52    34008    ----a-w-    c:\windows\system32\ANPD.VXD
2013-11-08 16:15:52    29411    ----a-w-    c:\windows\system32\ANPD.SYS
2013-10-13 07:25:38    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-10-13 07:25:08    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-10-13 07:25:02    1469440    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-10-13 07:24:17    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-10-13 06:57:59    385024    ----a-w-    c:\windows\system32\html.iec
2013-10-12 15:56:19    278528    ----a-w-    c:\windows\system32\oakley.dll
2013-10-09 13:12:48    287744    ----a-w-    c:\windows\system32\gdi32.dll
2013-10-07 10:59:21    603136    ----a-w-    c:\windows\system32\crypt32.dll
2013-10-05 01:14:01    7168    ----a-w-    c:\windows\system32\xpsp4res.dll
2013-08-29 01:31:44    1878656    ----a-w-    c:\windows\system32\win32k.sys
.
============= FINISH: 14:55:51.90 ===============

#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:05:58 PM

Posted 14 November 2013 - 05:23 AM

You also fixed some files with OTL before - please post up that log as well...

Do you have the windows disk?

The log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 reversiblean

reversiblean
  • Topic Starter

  • Members
  • 8 posts
  • Local time:10:28 PM

Posted 14 November 2013 - 05:25 AM

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-11-14 15:36:29
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP5T0L0-b ST340014A rev.8.54 37.27GB
Running: mni7drp8.exe; Driver: C:\DOCUME~1\gayan\LOCALS~1\Temp\kgryifob.sys


---- System - GMER 2.1 ----

SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwAddBootEntry [0xB44A5B10]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwAssignProcessToJobObject [0xB44A65EE]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwClose [0xB44EA43E]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwCreateEvent [0xB44B25E0]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwCreateEventPair [0xB44B262C]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwCreateIoCompletion [0xB44B27C6]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwCreateKey [0xB44E9DF2]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwCreateMutant [0xB44B254E]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwCreateSection [0xB44B2670]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwCreateSemaphore [0xB44B2596]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwCreateThread [0xB44A6B24]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwCreateTimer [0xB44B2780]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwDebugActiveProcess [0xB44A73DC]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwDeleteBootEntry [0xB44A5B76]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwDeleteKey [0xB44EAB04]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwDeleteValueKey [0xB44EADBA]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwDuplicateObject [0xB44AAB58]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwEnumerateKey [0xB44EA96F]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwEnumerateValueKey [0xB44EA7DA]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwLoadDriver [0xB44A575E]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwModifyBootEntry [0xB44A5BDC]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwNotifyChangeKey [0xB44AAF4E]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwNotifyChangeMultipleKeys [0xB44A7E6C]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwOpenEvent [0xB44B260A]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwOpenEventPair [0xB44B264E]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwOpenIoCompletion [0xB44B27EA]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwOpenKey [0xB44EA14E]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwOpenMutant [0xB44B2574]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwOpenProcess [0xB44AA452]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwOpenSection [0xB44B26FE]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwOpenSemaphore [0xB44B25BE]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwOpenThread [0xB44AA83A]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwOpenTimer [0xB44B27A4]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSP.sys                                                                 ZwProtectVirtualMemory [0xB45830CC]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwQueryKey [0xB44EA655]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwQueryObject [0xB44A7D38]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwQueryValueKey [0xB44EA4A7]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwQueueApcThread [0xB44A788E]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSP.sys                                                                 ZwRenameKey [0xB4590F22]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwRestoreKey [0xB44E9438]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwSetBootEntryOrder [0xB44A5C42]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwSetBootOptions [0xB44A5CA8]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwSetContextThread [0xB44A7256]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwSetSystemInformation [0xB44A57F8]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwSetSystemPowerState [0xB44A59CE]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwSetValueKey [0xB44EAC0B]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwShutdownSystem [0xB44A595C]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwSuspendProcess [0xB44A75A6]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwSuspendThread [0xB44A7708]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwSystemDebugControl [0xB44A5A56]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwTerminateProcess [0xB44A7094]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwTerminateThread [0xB44A7236]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwVdmControl [0xB44A5D0E]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                ZwWriteVirtualMemory [0xB44A664A]

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                  aswTdi.sys
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                  aswNdis2.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                 aswTdi.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                 aswNdis2.sys
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                 aswTdi.sys
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                 aswNdis2.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                               aswTdi.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                               aswNdis2.sys

---- Registry - GMER 2.1 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Control\Video\{48228A63-1276-47A5-9888-1462DF720DF6}\0000@D3D_\x3332\x3331  2089309684
Reg             HKLM\SYSTEM\ControlSet002\Control\Video\{48228A63-1276-47A5-9888-1462DF720DF6}\0000@D3D_\x3332\x3331      2089309684
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed                              185

---- EOF - GMER 2.1 ----

//------------------------------------------------------------------------------------------------------------

Please note that I chose 'Take no action' for the subsequent failures option in the BITS service properties (in its recovery tab) because my startup items load forever and svchost consumes 100% usage. I also uninstalled Malwarebytes. And both were done even before I started this thread.

Btw there are no files in _OTL\MovedFiles\11122013_215858. I don't remember deleting anything there though.

Edited by reversiblean, 14 November 2013 - 05:30 AM.


#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:05:58 PM

Posted 14 November 2013 - 05:44 AM

Use the Windows Error Checking utility (Check Disk), with the options to fix file system errors and scan the disk surface for errors, attempt recovery of data and repair the disk:

  • Click the StartBtn.gif button
  • Click My Computer.
  • Right-click on the drive that you wish to check > Properties > Tools tab
  • In the "Error checking" section, click on Check now.
  • Place a checkmark in both boxes > Start.
  • If the disk you have chosen is the Windows system disk:
  • A message will notify you that a restart is necessary and ask "Do you want to check for hard disk errors the next time you start your computer?".
  • Click Schedule disk check > OK and close all windows.
  • Re-start the computer. The disk will be checked when the system boots.
  • This will take some time to run and at times may appear stalled but just let it run.
  • When the disk check is complete, the system will re-start automatically and load Windows.


A log of the disk check is recorded only if the scheduled re-start is used, and only for drives on the same HDD as the Operating System.
To open Event Viewer and view the log:

  • Click the StartBtn.gif button
  • Click Run.
  • Type "eventvwr" without the quotes and press the key.
  • The Event Viewer window will open.
  • In the left pane, expand "Event Viewer (local)" then click on Application.
  • In the right pane, at the top, click on the column heading Source to sort the list alphabetically.
  • Look in the Source column for "Winlogon", with an entry corresponding to the date and time of the disk check.
  • Click on that Winlogon entry to select it.
  • In the box below "Description", Copy all of the contents.
  • Paste the contents into your next reply.



#9 reversiblean

reversiblean
  • Topic Starter

  • Members
  • 8 posts
  • Local time:10:28 PM

Posted 14 November 2013 - 06:37 AM

CHKDSK stuck at 0% on stage 4 of 5 where it says verifying file data. Ouch, it just changed to 1% : D

I'll let it continue. I replaced one of my hard disks recently. The disk I'm using now is old as well.

#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:05:58 PM

Posted 14 November 2013 - 07:07 AM

I think the HD drive is dead or dying... let CHKDSK proceed if you want



#11 reversiblean

reversiblean
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:28 PM

Posted 14 November 2013 - 10:28 AM

Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.                         
Cleaning up minor inconsistencies on the drive.
Cleaning up 296 unused index entries from index $SII of file 0x9.
Cleaning up 296 unused index entries from index $SDH of file 0x9.
Cleaning up 296 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.

  15732328 KB total disk space.
   7879260 KB in 38038 files.
      9504 KB in 7325 indexes.
         0 KB in bad sectors.
    121328 KB in use by the system.
     65536 KB occupied by the log file.
   7722236 KB available on disk.

      4096 bytes in each allocation unit.
   3933082 total allocation units on disk.
   1930559 allocation units available on disk.

Internal Info:
80 b1 00 00 3f b1 00 00 56 dd 00 00 00 00 00 00  ....?...V.......
81 00 00 00 04 00 00 00 4c 02 00 00 00 00 00 00  ........L.......
b0 bb 21 1d 00 00 00 00 5a 91 6a 59 00 00 00 00  ..!.....Z.jY....
88 e5 ed 26 00 00 00 00 74 49 6e f4 11 00 00 00  ...&....tIn.....
be e7 1b 61 00 00 00 00 72 c6 07 2a 13 00 00 00  ...a....r..*....
99 9e 36 00 00 00 00 00 10 3a 07 00 96 94 00 00  ..6......:......
00 00 00 00 00 70 e9 e0 01 00 00 00 9d 1c 00 00  .....p..........

Windows has finished checking your disk.
Please wait while your computer restarts.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

//-------------------------------------------------------------

Computer has become completely unstable after the completion of CHKDSK. CPU usage gets stuck over the 90% mark while processing avastsvc.exe and won't go down. I had to force restart into Safe Mode and disable a few non-trivial services including Avast and the Flash / Nvidia / Java update services, otherwise I wouldn't be able to log on to normal mode.



#12 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:05:58 PM

Posted 15 November 2013 - 03:17 AM

Use the Windows Error Checking utility (Check Disk), with the options to fix file system errors and scan the disk surface for errors, attempt recovery of data and repair the disk:

  • Click the StartBtn.gif button
  • Click My Computer.
  • Right-click on the drive that you wish to check > Properties > Tools tab
  • In the "Error checking" section, click on Check now.
  • Place a checkmark in both boxes > Start.
  • If the disk you have chosen is the Windows system disk:
  • A message will notify you that a restart is necessary and ask "Do you want to check for hard disk errors the next time you start your computer?".
  • Click Schedule disk check > OK and close all windows.
  • Re-start the computer. The disk will be checked when the system boots.
  • This will take some time to run and at times may appear stalled but just let it run.
  • When the disk check is complete, the system will re-start automatically and load Windows.


A log of the disk check is recorded only if the scheduled re-start is used, and only for drives on the same HDD as the Operating System.
To open Event Viewer and view the log:

  • Click the StartBtn.gif button
  • Click Run.
  • Type "eventvwr" without the quotes and press the key.
  • The Event Viewer window will open.
  • In the left pane, expand "Event Viewer (local)" then click on Application.
  • In the right pane, at the top, click on the column heading Source to sort the list alphabetically.
  • Look in the Source column for "Winlogon", with an entry corresponding to the date and time of the disk check.
  • Click on that Winlogon entry to select it.
  • In the box below "Description", Copy all of the contents.
  • Paste the contents into your next reply.



#13 reversiblean

reversiblean
  • Topic Starter

  • Members
  • 8 posts
  • Local time:10:28 PM

Posted 15 November 2013 - 04:16 AM

Please see my previous post.

#14 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:05:58 PM

Posted 15 November 2013 - 04:17 AM

Sorry, wrong button hit... :-(

System File Check

For Windows XP:

  • Press the Windows key and the R key simultaneously.
  • Within the text box that just opened, write cmd and hit Enter.


For Windows Vista/7:

  • Press the Windows key to open the start menu.
  • Don't highlight anything, just write cmd.
  • The start menu will offer you an entry named cmd.
  • Right click it and select "run as administrator"



Within the opening window, write the following:

sfc /scannow
(See the blank within).


  • Hit enter. Your system will be checked for damaged system files.
  • Tell me the result of that scan in here (as the tool produces no log).


#15 reversiblean

reversiblean
  • Topic Starter

  • Members
  • 8 posts
  • Local time:10:28 PM

Posted 15 November 2013 - 12:43 PM

I had to slipstream SP3 into my installation disk; that's the reason for my delay in replying. SFC completed but that didn't make any difference at all. Btw how do I confirm if my hard drive is dying? I ran a utility from the disk manufacturer but it says the drive is OK.

Edited by reversiblean, 15 November 2013 - 12:46 PM.
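The CHKDSK summary posted above, and the question of whether it says anything about drive health, can be checked mechanically. This is an added example (not code from the thread or from any of the tools mentioned in it): it parses the space summary that CHKDSK prints, verifies the accounting identity between the line items and the allocation-unit counts, and reports bad-sector clusters and cleanups. The sample text is a constructed excerpt of the log shown above.

```python
import re

# Constructed excerpt of the CHKDSK output posted earlier in this thread.
SAMPLE_CHKDSK_LOG = """\
Checking file system on C:
The type of the file system is NTFS.
Cleaning up minor inconsistencies on the drive.
Cleaning up 296 unused index entries from index $SII of file 0x9.
Cleaning up 296 unused index entries from index $SDH of file 0x9.
Cleaning up 296 unused security descriptors.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.

  15732328 KB total disk space.
   7879260 KB in 38038 files.
      9504 KB in 7325 indexes.
         0 KB in bad sectors.
    121328 KB in use by the system.
     65536 KB occupied by the log file.
   7722236 KB available on disk.

      4096 bytes in each allocation unit.
   3933082 total allocation units on disk.
   1930559 allocation units available on disk.
"""

# One regex per line of the CHKDSK space summary (Windows XP wording).
FIELDS = {
    "total_kb": r"(\d+) KB total disk space",
    "files_kb": r"(\d+) KB in \d+ files",
    "indexes_kb": r"(\d+) KB in \d+ indexes",
    "bad_kb": r"(\d+) KB in bad sectors",
    "system_kb": r"(\d+) KB in use by the system",
    "log_kb": r"(\d+) KB occupied by the log file",
    "available_kb": r"(\d+) KB available on disk",
    "unit_bytes": r"(\d+) bytes in each allocation unit",
    "units_total": r"(\d+) total allocation units on disk",
    "units_free": r"(\d+) allocation units available on disk",
}


def parse_chkdsk(text):
    """Extract the numeric summary from CHKDSK output; raise if a line is missing."""
    stats = {}
    for key, pattern in FIELDS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError("missing CHKDSK field: " + key)
        stats[key] = int(match.group(1))
    # Count only the numbered cleanup lines, not the "minor inconsistencies" header.
    stats["cleanups"] = len(re.findall(r"^Cleaning up \d+", text, re.M))
    return stats


def assess(stats):
    """Return a list of findings; an empty list means a clean, self-consistent summary."""
    findings = []
    # Accounting identity: total = files + indexes + bad + system + available.
    # The log file is already included in "in use by the system", so it is not added.
    accounted = (stats["files_kb"] + stats["indexes_kb"] + stats["bad_kb"]
                 + stats["system_kb"] + stats["available_kb"])
    if accounted != stats["total_kb"]:
        findings.append("space accounting mismatch: %d != %d KB" % (accounted, stats["total_kb"]))
    unit_kb = stats["unit_bytes"] // 1024
    if stats["units_total"] * unit_kb != stats["total_kb"]:
        findings.append("allocation unit count does not match total disk space")
    if stats["units_free"] * unit_kb != stats["available_kb"]:
        findings.append("free allocation unit count does not match available space")
    if stats["bad_kb"] > 0:
        # NTFS only marks clusters bad after a read actually failed; a drive that is
        # silently reallocating sectors internally still shows 0 here, so SMART data
        # is the better health signal.
        findings.append("%d KB in bad sectors: read failures already hit the file system" % stats["bad_kb"])
    if stats["cleanups"]:
        findings.append("%d minor cleanup(s) of stale index/security-descriptor entries" % stats["cleanups"])
    return findings


if __name__ == "__main__":
    for line in assess(parse_chkdsk(SAMPLE_CHKDSK_LOG)):
        print(line)
```

For the log in this thread the only finding is the three stale-entry cleanups; the 0 KB bad-sector figure is consistent with the manufacturer's utility reporting the drive OK, but neither result rules out a failing drive, which is why the comment points at SMART.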