
Win XP infected, 3 messages: Trojan.Zbot, Bloodhound.Exploit, W32.SillyFDC


  • This topic is locked
26 replies to this topic

#1 jsyerxa

jsyerxa

  • Members
  • 45 posts
  • OFFLINE
  • Local time:10:37 AM

Posted 22 November 2013 - 08:15 AM

A message window titled Messenger Service started popping up on the screen yesterday afternoon. It shows the following 3 items when you click to close it: 

Trojan.Zbot in ssetup50045.fon

W32.sillyFDC.BDP1.link Myporno.avi.lnk

Bloodhound.exploit.363

 

It pops up every couple of minutes. The system was running overnight, and this morning I closed at least 50 windows and they were still popping up, so I rebooted the system.

 

Tried:

Ran Ccleaner then Malwarebytes -

Ran SuperAntiSpyware -

Did a search for the 3 items and deleted a number of them.

 

Tried to start in Safe Mode and got the BSOD 0x0000007B.

 

Anyone have any suggestions?

 

Thanks

John

 

 




#2 jsyerxa

jsyerxa
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:10:37 AM

Posted 22 November 2013 - 08:58 AM

Marius - here is the original post I made this morning before I contacted you .

 

A message window titled Messenger Service started popping up on the screen yesterday afternoon. It shows the following 3 items when you click to close it: 

Trojan.Zbot in ssetup50045.fon

W32.sillyFDC.BDP1.link Myporno.avi.lnk

Bloodhound.exploit.363

 

It pops up every couple of minutes. The system was running overnight, and this morning I closed at least 50 windows and they were still popping up, so I rebooted the system.

 

Tried:

Ran Ccleaner then Malwarebytes -

Ran SuperAntiSpyware -

Did a search for the 3 items and deleted a number of them.

 

Tried to start in Safe Mode and got the BSOD 0x0000007B.

 

Anyone have any suggestions?

 

Thanks

John



#3 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:37 PM

Posted 22 November 2013 - 09:20 AM

Scan with FRST (Recovery Environment)


To run FRST on Vista and Windows7:



Plug the flash drive into the infected PC.

Enter System Recovery Options.


To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.



To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt


  • In the command window:
  • type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.

It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#4 jsyerxa

jsyerxa
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:10:37 AM

Posted 22 November 2013 - 10:05 AM

Marius - there were 2 .txt files FRST.txt and Addition.txt. Putting them both here

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 22-11-2013
Ran by Administrator (administrator) on WTFIERY01 on 22-11-2013 08:47:18
Running from G:\11-13 Bleepingcomputer files
Microsoft Windows XP Professional Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 6
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Symantec Corporation) D:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
(Symantec Corporation) D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
(Mediafour Corporation) D:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
() E:\efi\server\system\tbicon.exe
(Adobe Systems Inc.) D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
(Symantec Corporation) D:\Program Files\Common Files\Symantec Shared\ccApp.exe
(Oracle Corporation) D:\Program Files\Common Files\Java\Java Update\jusched.exe
(Google Inc.) D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(Electronics for Imaging, Inc.) d:\Program Files\Common Files\EFI\EFI ES-1000 Service\ES1000Service.exe
(Electronics for Imaging, Inc.) d:\Program Files\Common Files\EFI\EFI ES-1000 Service\ES1000Server.exe
() e:\efi\server\system\Fiery.exe
(Electronics for Imaging, Inc.) D:\Program Files\Common Files\EFI\EFI ES-1000 Service\ES1000Notifier.exe
(Electronics for Imaging, Inc) D:\Program Files\Fiery\HotFolder\hffw.exe
() e:\efi\server\system\srvany.exe
(McAfee, Inc.) D:\Program Files\McAfee Security Scan\2.1.121\SSScheduler.exe
() D:\sysupdates\systemupdates.exe
(Electronics For Imaging, Inc.) D:\sysupdates\fuService.exe
() e:\efi\server\system\mydocs.exe
(Electronics for Imaging, Inc) D:\PROGRA~1\Fiery\HOTFOL~1\HFPS.exe
() e:\efi\server\system\explorerhook.exe
(The Firebird Project) e:\efi\server\firebird\bin\fbguard.exe
(Oracle Corporation) D:\Program Files\Java\jre7\bin\jqs.exe
(Microsoft Corporation) D:\WINDOWS\System32\SCardSvr.exe
(Symantec Corporation) D:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
() E:\EFI\SERVER\SYSTEM\wpasvc.exe
(Macrovision Europe Ltd.) D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
(The Firebird Project) e:\efi\server\firebird\bin\fbserver.exe
(Symantec Corporation) D:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
() e:\efi\server\system\ThumbDriveDetect.exe
() e:\efi\server\system\commonlcd.exe
() e:\efi\server\system\commonlcd2.exe
() e:\efi\server\system\ipfilter.exe
(Microsoft Corporation) D:\WINDOWS\system32\cmd.exe
() e:\efi\server\eficamx_runtime\eficamx.exe
() e:\efi\server\system\doccon_server.exe
() e:\efi\server\system\efislp.exe
(Microsoft Corporation) D:\WINDOWS\system32\cmd.exe
() e:\efi\server\system\slpd.exe
(Apache Software Foundation) E:\efi\server\httpd\bin\httpd.exe
() e:\efi\server\system\ipp.exe
(Apache Software Foundation) E:\efi\server\httpd\bin\httpd.exe
() e:\efi\server\system\winsnmpd.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [IMJPMIG8.1] - D:\WINDOWS\IME\IMJP8_1\imjpmig.exe [208952 2007-11-28] (Microsoft Corporation)
HKLM\...\Run: [Mediafour Mac Volume Notifications] - D:\Program Files\Common Files\Mediafour\MACVNTFY.EXE [57344 2007-11-28] (Mediafour Corporation)
HKLM\...\Run: [Fiery Bar] - E:\efi\server\system\tbicon.exe [432128 2007-04-05] ()
HKLM\...\Run: [Acrobat Assistant 8.0] - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe [624248 2007-05-10] (Adobe Systems Inc.)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [ccApp] - D:\Program Files\Common Files\Symantec Shared\ccApp.exe [115560 2011-01-27] (Symantec Corporation)
HKLM\...\Run: [SunJavaUpdateSched] - D:\Program Files\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM\...\Winlogon: [Userinit] D:\WINDOWS\system32\userinit.exe
Winlogon\Notify\AtiExtEvent: D:\Windows\system32\Ati2evxx.dll (ATI Technologies Inc.)
Winlogon\Notify\SSOExec: %windir%\temp\sso\ssoexec.dll [X]
HKCU\...\Run: [swg] - D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [68856 2008-04-22] (Google Inc.)
HKCU\...\Policies\Explorer: [NoWindowsUpdate] 1
HKCU\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKCU\...\Policies\Explorer: [LockTaskbar] 1
MountPoints2: {ae703656-8b4e-11e1-afea-00e081497c85} - RUNDlL32.ExE seTup50045.fon,438F88
Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\CalibrationLoader.lnk
ShortcutTarget: CalibrationLoader.lnk -> D:\Program Files\EFI\EFI Color Profiler Suite\Monitor\CalibrationLoader.exe (LOGO Kommunikations- und Drucktechnik GmbH & Co. KG)
Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\EFI ES-1000.lnk
ShortcutTarget: EFI ES-1000.lnk -> D:\Program Files\Common Files\EFI\EFI ES-1000 Service\ES1000Notifier.exe (Electronics for Imaging, Inc.)
Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\EFI Hot Folders.lnk
ShortcutTarget: EFI Hot Folders.lnk -> D:\Program Files\Fiery\HotFolder\hffw.exe (Electronics for Imaging, Inc)
Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Fiery Command WorkStation 5.lnk
ShortcutTarget: Fiery Command WorkStation 5.lnk -> D:\Program Files\Fiery\Applications3\Command WorkStation 5\Contents\WinOS\cws.exe ()
Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Getting Started with MacDrive 5.lnk
ShortcutTarget: Getting Started with MacDrive 5.lnk -> D:\WINDOWS\Installer\{9F02AE6F-7980-496A-856F-7A6A705137DA}\IconC76F88591.exe ()
Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> D:\Program Files\McAfee Security Scan\2.1.121\SSScheduler.exe (McAfee, Inc.)
Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\System Updates.lnk
ShortcutTarget: System Updates.lnk -> D:\sysupdates\systemupdates.exe ()
BootExecute:
AlternateShell:

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.1.51/qqest/login/login.asp
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
SearchScopes: HKLM - DefaultScope value is missing.
BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll (Google Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - D:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - D:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
Toolbar: HKCU - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKCU - &Google - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - D:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - G:\SUPERAntiSpyware\SASSEH.DLL [113024 2011-07-18] (SuperAdBlocker.com)
Tcpip\..\Interfaces\{B1120339-7389-4C88-92B3-47CC0AF7CE5C}: [NameServer]172.25.4.21,172.25.75.27

========================== Services (Whitelisted) =================

R2 6to4; D:\Windows\System32\6to4svc.dll [100864 2010-02-11] (Microsoft Corporation)
R2 Apache; E:\efi\server\httpd\bin\httpd.exe [15872 2008-10-29] (Apache Software Foundation)
R2 ccEvtMgr; D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108392 2011-01-27] (Symantec Corporation)
S4 CcmExec; D:\WINDOWS\system32\CCM\CcmExec.exe [571904 2007-11-28] (Microsoft Corporation)
R2 ccSetMgr; D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108392 2011-01-27] (Symantec Corporation)
R2 EFI ES1000; d:\Program Files\Common Files\EFI\EFI ES-1000 Service\ES1000Service.exe [11776 2009-10-19] (Electronics for Imaging, Inc.)
S2 EFI_BOOTPC; e:\efi\server\system\bootpc.exe [47616 2007-04-05] ()
R2 efi_fiery; e:\efi\server\system\Fiery.exe [4096 2007-04-05] ()
R3 efi_ipp; e:\efi\server\system\ipp.exe [360448 2008-01-21] ()
R2 EFI_MyDocs; e:\efi\server\system\srvany.exe [8192 2005-10-07] ()
S2 EFI_RARPC; e:\efi\server\system\rarpc.exe [43008 2007-04-05] ()
R3 EFI_SNMP; e:\efi\server\system\winsnmpd.exe [874496 2007-04-05] ()
R2 efi_update; D:\sysupdates\fuService.exe [208896 2006-12-14] (Electronics For Imaging, Inc.)
R2 ExplorerHook; e:\efi\server\system\explorerhook.exe [47104 2007-04-05] ()
R2 FirebirdGuardianDefaultInstance; e:\efi\server\firebird\bin\fbguard.exe [65536 2006-01-17] (The Firebird Project)
R3 FirebirdServerDefaultInstance; e:\efi\server\firebird\bin\fbserver.exe [1527895 2006-01-17] (The Firebird Project)
S3 LiveUpdate; D:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093880 2010-02-17] (Symantec Corporation)
S3 LPDSVC; D:\Windows\System32\tcpsvcs.exe [19456 2007-11-28] (Microsoft Corporation)
S3 McComponentHostService; D:\Program Files\McAfee Security Scan\2.1.121\McCHSvc.exe [227232 2010-09-03] (McAfee, Inc.)
S3 MSMQ; D:\Windows\System32\mqsvc.exe [4608 2009-06-22] (Microsoft Corporation)
R3 slpd; e:\efi\server\system\slpd.exe [147546 2007-02-14] ()
R2 SmcService; D:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [1881368 2011-01-27] (Symantec Corporation)
S4 SNAC; D:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [349512 2011-01-27] (Symantec Corporation)
S2 srv7E8; \\?\globalroot\Device\HarddiskVolume3\DOCUME~1\ADMINI~1\LOCALS~1\Temp\srv7E8.tmp [58368 2011-03-25] ()
R2 Symantec AntiVirus; D:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [1831024 2011-01-27] (Symantec Corporation)
S2 uploadmgr; D:\Windows\PCHealth\HelpCtr\Binaries\pchsvc.dll [38912 2007-11-28] (Microsoft Corporation)
R2 wpasvc; E:\EFI\SERVER\SYSTEM\wpasvc.exe [1003520 2006-10-02] ()
S4 Alerter; %SystemRoot%\system32\alrsvc.dll [x]
S3 Ati HotKey Poller; %SystemRoot%\system32\Ati2evxx.exe [x]
R3 EFI_IPFILTER; e:\efi\server\system\ipfilter.exe -start /scsi0/persist/oemports.lst [x]
R2 JavaQuickStarterService; "D:\Program Files\Java\jre7\bin\jqs.exe" -service -config "D:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf"
S3 RSVP; %SystemRoot%\system32\rsvp.exe [x]
S2 srvD68; \\?\globalroot\Device\HarddiskVolume3\DOCUME~1\ADMINI~1\LOCALS~1\Temp\srvD68.tmp [x]
S3 Tssdis; %SystemRoot%\System32\tssdis.exe [x]

==================== Drivers (Whitelisted) ====================

R3 akshasp; D:\Windows\System32\DRIVERS\akshasp.sys [327808 2005-07-20] (Aladdin Knowledge Systems Ltd.)
R3 aksusb; D:\Windows\System32\DRIVERS\aksusb.sys [100096 2005-07-20] (Aladdin Knowledge Systems Ltd.)
S3 Dlc; D:\Windows\System32\DRIVERS\dlc.sys [56080 2007-11-28] (Microsoft Corporation)
R1 eeCtrl; D:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376920 2013-11-20] (Symantec Corporation)
R2 EfiAtalk; D:\Windows\System32\drivers\efiatalk.sys [15232 2007-11-28] (Electronics For Imaging, Inc)
R3 EfiAutoIP; D:\Windows\System32\drivers\efiautoip.sys [15488 2007-11-28] (Windows ® 2000 DDK provider)
R3 Efipktfltr; D:\Windows\System32\DRIVERS\efipktfltr.sys [46592 2007-01-24] (Windows ® 2000 DDK provider)
S3 EfiUsbUib; D:\Windows\System32\drivers\EfiUsbUib.sys [23936 2006-03-08] (Electronics for Imaging, Inc.)
R3 EfiUsbUib240_128; D:\Windows\System32\drivers\EfiUsbUib240_128.sys [27648 2007-11-28] (Electronics for Imaging, Inc.)
R1 efi_memory; D:\Windows\System32\Drivers\efi_memory.sys [7936 2007-11-28] ()
R3 EraserUtilRebootDrv; D:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [108120 2013-11-20] (Symantec Corporation)
R2 fillbk; D:\Windows\System32\Drivers\fillbk.sys [435372 1999-07-22] (Vireo Software)
R2 fillsm; D:\Windows\System32\Drivers\fillsm.sys [430800 1999-07-22] (Vireo Software)
S1 FsVga; D:\Windows\System32\drivers\fsvga.sys [12160 2007-11-28] (Microsoft Corporation)
R2 Hardlock; D:\WINDOWS\system32\drivers\hardlock.sys [685056 2005-07-28] (Aladdin Knowledge Systems Ltd.)
R3 i1; D:\Windows\System32\drivers\i1.sys [26045 2003-11-27] (GretagMacbeth)
S3 MDFSYSNT; D:\Windows\System32\Drivers\MDFSYSNT.sys [220240 2007-11-28] (Mediafour Corporation)
R0 MDPMGRNT; D:\Windows\System32\Drivers\MDPMGRNT.sys [24320 2007-11-28] (Mediafour Corporation)
R2 memmap; D:\Windows\System32\drivers\memmap.sys [497096 1999-07-12] (Vireo Software)
S3 MQAC; D:\Windows\System32\drivers\mqac.sys [91776 2009-06-22] (Microsoft Corporation)
R3 NAVENG; D:\Program Files\Common Files\Symantec Shared\VirusDefs\20131121.023\NAVENG.SYS [93272 2013-09-12] (Symantec Corporation)
R3 NAVEX15; D:\Program Files\Common Files\Symantec Shared\VirusDefs\20131121.023\NAVEX15.SYS [1612376 2013-09-12] (Symantec Corporation)
R3 NPF; D:\Windows\System32\drivers\npf.sys [34944 2006-08-15] (CACE Technologies)
R2 NwlnkIpx; D:\Windows\System32\DRIVERS\nwlnkipx.sys [88448 2007-11-28] (Microsoft Corporation)
R2 NwlnkNb; D:\Windows\System32\DRIVERS\nwlnknb.sys [63232 2007-11-28] (Microsoft Corporation)
R2 NwlnkSpx; D:\Windows\System32\DRIVERS\nwlnkspx.sys [55936 2007-11-28] (Microsoft Corporation)
S2 PDIHWCTL; D:\WINDOWS\System32\Drivers\PDIHWCTL.SYS [14416 2004-07-16] (Portrait Displays, Inc.)
S3 prepdrvr; D:\WINDOWS\system32\CCM\prepdrv.sys [13824 2007-11-28] (Microsoft Corporation)
S1 SASDIFSV; G:\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; G:\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SPBBCDrv; D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2011-01-27] (Symantec Corporation)
S3 SRTSP; D:\Windows\System32\Drivers\SRTSP.SYS [283184 2011-01-27] (Symantec Corporation)
R3 SRTSPL; D:\Windows\System32\Drivers\SRTSPL.SYS [320944 2011-01-27] (Symantec Corporation)
R1 SRTSPX; D:\Windows\System32\Drivers\SRTSPX.SYS [43696 2011-01-27] (Symantec Corporation)
R3 SymEvent; D:\WINDOWS\system32\Drivers\SYMEVENT.SYS [124976 2012-04-23] (Symantec Corporation)
R3 SYMREDRV; D:\Windows\System32\Drivers\SYMREDRV.SYS [26416 2011-01-27] (Symantec Corporation)
R1 SYMTDI; D:\Windows\System32\Drivers\SYMTDI.SYS [188080 2011-01-27] (Symantec Corporation)
R1 Tcpip6; D:\Windows\System32\DRIVERS\tcpip6.sys [226880 2010-02-11] (Microsoft Corporation)
S3 TDASYNC; D:\Windows\System32\Drivers\TDASYNC.sys [13192 2007-11-28] (Microsoft Corporation)
S3 TDIPX; D:\Windows\System32\Drivers\TDIPX.sys [21896 2007-11-28] (Microsoft Corporation)
S3 TDSPX; D:\Windows\System32\Drivers\TDSPX.sys [19464 2007-11-28] (Microsoft Corporation)
R3 VFabLite; D:\WINDOWS\system32\drivers\VFabLite.sys [60928 2006-09-12] (Aurora III Inc.)
R1 vx500; D:\Windows\System32\DRIVERS\vx500.sys [49920 2007-03-14] ()
S3 Atmarpc; system32\DRIVERS\atmarpc.sys [x]
U1 RCHelp;

==================== NetSvcs (Whitelisted) ===================

NETSVC: srv7E8 -> \\?\globalroot\Device\HarddiskVolume3\DOCUME~1\ADMINI~1\LOCALS~1\Temp\srv7E8.tmp ()
NETSVC: srvD68 -> \\?\globalroot\Device\HarddiskVolume3\DOCUME~1\ADMINI~1\LOCALS~1\Temp\srvD68.tmp ==> No File.

==================== One Month Created Files and Folders ========

2013-11-22 08:47 - 2013-11-22 08:47 - 00000000 ____D D:\FRST
2013-11-21 14:01 - 2013-11-21 14:01 - 00000000 ____D D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2013-11-21 14:01 - 2013-11-21 14:01 - 00000000 ____D D:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2013-11-21 13:32 - 2013-11-22 08:44 - 00001647 _____ D:\WINDOWS\slpd.log
2013-11-21 13:29 - 2013-11-22 08:43 - 00000698 _____ D:\WINDOWS\WindowsUpdate.log
2013-11-21 13:29 - 2013-11-22 08:14 - 00000784 _____ D:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-11-21 13:23 - 2013-11-21 13:23 - 00000682 _____ D:\Documents and Settings\All Users\Desktop\CCleaner.lnk
2013-11-21 13:23 - 2013-11-21 13:23 - 00000000 ____D D:\Program Files\CCleaner

==================== One Month Modified Files and Folders =======

2013-11-22 08:47 - 2013-11-22 08:47 - 00000000 ____D D:\FRST
2013-11-22 08:44 - 2013-11-21 13:32 - 00001647 _____ D:\WINDOWS\slpd.log
2013-11-22 08:44 - 2007-11-28 18:57 - 00000270 _____ D:\WINDOWS\slp.conf
2013-11-22 08:43 - 2013-11-21 13:29 - 00000698 _____ D:\WINDOWS\WindowsUpdate.log
2013-11-22 08:43 - 2007-11-28 18:52 - 00001065 _____ D:\WINDOWS\efi_app_version.txt
2013-11-22 08:42 - 2007-11-28 18:15 - 08405015 _____ D:\WINDOWS\TempFile
2013-11-22 08:42 - 2007-11-28 18:15 - 00000128 _____ D:\WINDOWS\efinl.ini
2013-11-22 08:42 - 2007-11-28 18:14 - 00000426 _____ D:\WINDOWS\system32\services.txt
2013-11-22 08:42 - 2007-11-28 17:48 - 00000006 ____H D:\WINDOWS\Tasks\SA.DAT
2013-11-22 08:39 - 2007-11-28 17:47 - 00032592 _____ D:\WINDOWS\SchedLgU.Txt
2013-11-22 08:38 - 2007-11-28 17:56 - 00000178 ___SH D:\Documents and Settings\Administrator\ntuser.ini
2013-11-22 08:14 - 2013-11-21 13:29 - 00000784 _____ D:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-11-22 08:14 - 2012-04-20 20:39 - 00000000 ____D D:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2013-11-22 08:14 - 2012-04-20 20:38 - 00000000 ____D D:\Program Files\Malwarebytes' Anti-Malware
2013-11-22 06:56 - 2007-11-28 17:47 - 00000000 ____D D:\WINDOWS\security
2013-11-22 06:50 - 2011-04-25 11:45 - 00000008 __RSH D:\Documents and Settings\All Users\ntuser.pol
2013-11-21 15:09 - 2011-04-25 11:43 - 00001024 _____ D:\WINDOWS\system32\config\netlogon.ftl
2013-11-21 14:03 - 2013-09-04 14:20 - 00000000 ____D D:\Input
2013-11-21 14:01 - 2013-11-21 14:01 - 00000000 ____D D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2013-11-21 14:01 - 2013-11-21 14:01 - 00000000 ____D D:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2013-11-21 13:24 - 2007-11-28 17:56 - 00000000 ____D D:\Documents and Settings\Administrator
2013-11-21 13:23 - 2013-11-21 13:23 - 00000682 _____ D:\Documents and Settings\All Users\Desktop\CCleaner.lnk
2013-11-21 13:23 - 2013-11-21 13:23 - 00000000 ____D D:\Program Files\CCleaner
2013-11-21 13:20 - 2007-11-28 17:48 - 00002206 _____ D:\WINDOWS\system32\wpa.dbl
2013-11-21 12:03 - 2007-11-29 13:24 - 00001480 _____ D:\WINDOWS\ColorWisePro.pref
2013-11-17 18:10 - 2011-04-25 11:59 - 00001324 _____ D:\WINDOWS\system32\d3d9caps.dat
2013-11-04 14:58 - 2007-11-28 17:48 - 00409802 _____ D:\WINDOWS\system32\PerfStringBackup.INI
2013-10-25 07:36 - 2007-11-28 17:04 - 00000000 ____D D:\Documents and Settings\All Users\Application Data\FLEXnet

==================== Bamital & volsnap Check =================

D:\Windows\explorer.exe
[2007-11-28 17:46] - [2007-11-28 17:46] - 1032192 ____A (Microsoft Corporation) a0732187050030ae399b241436565e64

D:\Windows\System32\winlogon.exe
[2007-11-28 17:48] - [2007-11-28 17:48] - 0502272 ____A (Microsoft Corporation) 01c3346c241652f43aed8e2149881bfe

D:\Windows\System32\svchost.exe
[2007-11-28 17:48] - [2007-11-28 17:48] - 0014336 ____A (Microsoft Corporation) 8f078ae4ed187aaabc0a305146de6716

D:\Windows\System32\services.exe
[2007-11-28 17:48] - [2009-02-06 04:22] - 0110592 ____A (Microsoft Corporation) 4712531ab7a01b7ee059853ca17d39bd

D:\Windows\System32\User32.dll
[2007-11-28 17:48] - [2007-03-08 09:48] - 0578048 ____A (Microsoft Corporation) 7aa4f6c00405dfc4b70ed4214e7d687b

D:\Windows\System32\userinit.exe
[2007-11-28 17:48] - [2007-11-28 17:48] - 0024576 ____A (Microsoft Corporation) 39b1ffb03c2296323832acbae50d2aff

D:\Windows\System32\Drivers\volsnap.sys
[2007-11-28 17:47] - [2007-11-28 17:47] - 0052352 ____A (Microsoft Corporation) ee4660083deba849ff6c485d944b379b

==================== End Of Log ============================

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 22-11-2013
Ran by Administrator at 2013-11-22 08:47:52
Running from G:\11-13 Bleepingcomputer files
Boot Mode: Normal
==========================================================

==================== Security Center ========================

==================== Installed Programs ======================

7-Zip 4.57
Adobe Acrobat  8 Standard - English, Français, Deutsch (Version: 8.1.0)
Adobe Acrobat 8.1.0 Standard (Version: 8.1.0)
Adobe Flash Player 10 Plugin (Version: 10.1.82.76)
ATI Display Driver (Version: 8.15.3-050615a-025015C-Tyan)
CCleaner (Version: 4.07)
EFI Color Profiler Suite (Version: 2.0)
Enfocus PitStop Professional (Version: 7.03)
ESET Online Scanner v3
Fiery Command WorkStation 5.2.0.46 (Version: 5.2.0.46)
Fiery for falcon Version 2.0
Fiery User Software-3.6.0.15b (Version: 2.0.0.11)
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer (Version: 4.0.0.002)
Intel® PRO Network Connections Drivers
J2SE Runtime Environment 5.0 Update 1 (Version: 1.5.0.10)
J2SE Runtime Environment 5.0 Update 10 (Version: 1.5.0.100)
Java 7 Update 25 (Version: 7.0.250)
Java Auto Updater (Version: 2.1.9.5)
Java™ 6 Update 3 (Version: 1.6.0.30)
Java™ 6 Update 5 (Version: 1.6.0.50)
LiveUpdate 3.3 (Symantec Corporation) (Version: 3.3.0.96)
MacDrive 5 (Version: 5.0.8.2)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
McAfee Security Scan Plus (Version: 2.1.121.2)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft SOAP Toolkit 3.0 (Version: 3.0.1325.4)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
Symantec Endpoint Protection (Version: 11.0.6005.562)
Update for Windows XP (KB931836) (Version: 1)
Update for Windows XP (KB980182) (Version: 1)
WebFldrs XP (Version: 9.50.7523)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873333 (Version: 20050113.210436)
Windows XP Hotfix - KB873339 (Version: 20041117.092422)
Windows XP Hotfix - KB885250 (Version: 20050118.204356)
Windows XP Hotfix - KB885835 (Version: 20041027.181736)
Windows XP Hotfix - KB885836 (Version: 20041028.160538)
Windows XP Hotfix - KB888113 (Version: 20041116.131007)
Windows XP Hotfix - KB888302 (Version: 20041207.111356)
Windows XP Hotfix - KB890859 (Version: 1)
Windows XP Hotfix - KB891781 (Version: 20050110.170221)
Windows XP Hotfix - KB893066 (Version: 1)
Windows XP Hotfix - KB893086 (Version: 1)

==================== Restore Points  =========================

Could not list Restore Points. Check WMI.

==================== Hosts content: ==========================

2007-11-28 17:47 - 2007-11-28 17:47 - 00000734 ____A D:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

==================== Loaded Modules (whitelisted) =============

2013-11-21 12:23 - 2011-03-25 11:23 - 00058368 ___SH () \\?\globalroot\device\harddiskvolume3\docume~1\admini~1\locals~1\temp\srv7e8.tmp
2007-11-28 18:14 - 2007-04-05 00:38 - 00146944 _____ () D:\WINDOWS\system32\DLAPI.dll
2007-11-28 18:14 - 2007-04-05 00:36 - 00018944 _____ () D:\WINDOWS\system32\reghook.dll
2007-11-28 18:14 - 2007-04-04 23:43 - 00529920 _____ () E:\efi\server\system\brain.dll
2007-11-28 18:14 - 2007-04-04 23:43 - 00234496 _____ () E:\efi\server\system\eticket.dll
2007-11-28 18:14 - 2007-04-04 23:43 - 00095744 _____ () E:\efi\server\system\efi_basics.dll
2007-11-28 18:14 - 2007-04-04 23:43 - 00018944 _____ () E:\efi\server\system\shlogdll.dll
2007-11-28 18:14 - 2007-04-04 23:43 - 00011776 _____ () E:\efi\server\system\osdll.dll
2007-11-28 18:14 - 2005-10-26 16:37 - 00028672 _____ () E:\efi\server\system\memmap.dll
2007-11-28 18:14 - 2007-04-05 00:07 - 00044544 _____ () E:\efi\server\system\fieryps.dll
2007-11-28 18:14 - 2007-04-05 00:32 - 01844736 _____ () E:\efi\server\system\tbiconr.dll
2007-11-28 18:14 - 2007-04-04 23:43 - 00529920 _____ () e:\efi\server\system\brain.dll
2007-11-28 18:14 - 2007-04-04 23:43 - 00234496 _____ () e:\efi\server\system\eticket.dll
2007-11-28 18:14 - 2007-04-04 23:43 - 00095744 _____ () e:\efi\server\system\efi_basics.dll
2007-11-28 18:14 - 2007-04-04 23:43 - 00018944 _____ () e:\efi\server\system\shlogdll.dll
2007-11-28 18:14 - 2007-04-04 23:43 - 00011776 _____ () e:\efi\server\system\osdll.dll
2007-11-28 18:14 - 2005-10-26 16:37 - 00028672 _____ () e:\efi\server\system\memmap.dll
2007-11-28 18:14 - 2007-04-05 00:19 - 00306176 _____ () e:\efi\server\system\sp.dll
2007-11-28 18:14 - 2009-09-22 16:36 - 04839424 _____ () e:\efi\server\system\pdl.dll
2007-11-28 18:14 - 2009-09-22 16:36 - 02587648 _____ () e:\efi\server\system\cpsi.dll
2007-11-28 18:14 - 2009-02-25 18:21 - 00392192 _____ () e:\efi\server\system\alib.dll
2007-11-28 18:14 - 2009-09-22 16:21 - 01019392 _____ () e:\efi\server\system\dlc.dll
2007-11-28 18:14 - 2009-02-25 18:12 - 01702400 _____ () e:\efi\server\system\flamingo.dll
2007-11-28 18:14 - 2007-04-04 23:51 - 00068608 _____ () e:\efi\server\system\PDL_UNZIP.dll
2007-11-28 18:14 - 2009-02-25 19:17 - 00183808 _____ () e:\efi\server\system\pageman.dll
2007-11-28 18:14 - 2007-04-05 00:15 - 00360960 _____ () e:\efi\server\system\vfwrap.dll
2007-11-28 18:14 - 2009-02-25 18:38 - 00119808 _____ () e:\efi\server\system\pqm.dll
2007-11-28 18:14 - 2009-09-22 15:58 - 01469952 _____ () e:\efi\server\system\translib.dll
2007-11-28 18:14 - 2003-11-04 17:44 - 00143360 _____ () e:\efi\server\system\LIBEXPAT.dll
2007-11-28 18:14 - 2007-01-11 21:29 - 00073728 _____ () e:\efi\server\system\libefizlibd.dll
2007-11-28 18:14 - 2007-04-05 00:03 - 00006656 _____ () e:\efi\server\system\cron.dll
2007-11-28 18:14 - 2007-04-05 00:03 - 00016384 _____ () e:\efi\server\system\bcm.dll
2007-11-28 18:14 - 2007-04-04 23:51 - 00202240 _____ () e:\efi\server\system\SYSQUERIES.dll
2007-11-28 18:14 - 2009-02-25 19:27 - 00673280 _____ () e:\efi\server\system\lcd.dll
2007-11-28 18:14 - 2007-04-05 00:08 - 00141312 _____ () e:\efi\server\system\scanlib.dll
2007-11-28 18:14 - 2007-04-04 23:49 - 00770048 _____ () e:\efi\server\system\network.dll
2007-11-28 18:14 - 2007-04-04 23:46 - 00014336 _____ () e:\efi\server\system\nethelper.dll
2007-11-28 18:14 - 2007-04-04 23:47 - 00074752 _____ () e:\efi\server\system\trpcserver.dll
2007-11-28 18:14 - 2007-04-05 00:43 - 00221696 _____ () e:\efi\server\system\doccon_api.dll
2007-11-28 18:14 - 2007-04-04 23:51 - 00034304 _____ () e:\efi\server\system\joblog.dll
2007-11-28 18:14 - 2007-04-05 00:12 - 00032256 _____ () e:\efi\server\system\updatemgr.dll
2007-11-28 18:14 - 2007-04-05 00:12 - 00046080 _____ () e:\efi\server\system\efi_config.dll
2007-11-28 18:14 - 2007-04-05 00:12 - 00007168 _____ () e:\efi\server\system\PDL_PAGEINFO.dll
2007-11-28 18:14 - 2007-04-05 00:08 - 00256000 _____ () e:\efi\server\system\csl.dll
2007-11-28 18:14 - 2007-04-05 00:08 - 00028672 _____ () e:\efi\server\system\smbcli.dll
2007-11-28 18:14 - 2007-04-04 23:52 - 00033792 _____ () e:\efi\server\system\gasetup.dll
2007-11-28 18:14 - 2007-04-04 23:52 - 00029184 _____ () e:\efi\server\system\basicobj.dll
2007-11-28 18:14 - 2007-04-04 23:52 - 00094720 _____ () e:\efi\server\system\halftone.dll
2007-11-28 18:14 - 2007-04-05 00:07 - 00044544 _____ () e:\efi\server\system\fieryps.dll
2007-11-28 18:14 - 2007-04-04 23:54 - 00069120 _____ () e:\efi\server\system\PDL_AUTOSENSE.dll
2007-11-28 18:14 - 2007-04-04 23:51 - 00027136 _____ () e:\efi\server\system\archiveLib.dll
2007-11-28 18:14 - 2007-04-04 23:51 - 00145408 _____ () e:\efi\server\system\trpc_auth.dll
2007-11-28 18:14 - 2007-04-04 23:51 - 00044032 _____ () e:\efi\server\system\trpc_dev.dll
2007-11-28 18:14 - 2007-04-04 23:51 - 00024064 _____ () e:\efi\server\system\trpc_bfm.dll
2007-11-28 18:14 - 2007-04-04 23:51 - 00024576 _____ () e:\efi\server\system\cryptlib.dll
2007-11-28 18:14 - 2007-04-04 23:54 - 00044544 _____ () e:\efi\server\system\PDL_BASIS.dll
2007-11-28 18:14 - 2007-04-05 00:18 - 00005120 _____ () e:\efi\server\system\vdp_restoremnt.dll
2007-11-28 18:14 - 2007-04-04 23:54 - 00392192 _____ () e:\efi\server\system\VPC_SDK.dll
2007-11-28 18:14 - 2009-09-22 16:12 - 00246784 _____ () e:\efi\server\system\dequeue.dll
2007-11-28 18:14 - 2007-04-05 00:03 - 00007680 _____ () e:\efi\server\system\resmgr.dll
2007-11-28 18:14 - 2007-04-05 00:26 - 00060416 _____ () e:\efi\server\system\cpp_abstraction.dll
2007-11-28 18:14 - 2007-04-05 00:06 - 00113152 _____ () e:\efi\server\system\anytype.dll
2007-11-28 18:14 - 2007-04-05 00:06 - 00344576 _____ () e:\efi\server\system\pc_fiery_api.dll
2007-11-28 18:14 - 2007-01-11 21:43 - 00155648 _____ () e:\efi\server\system\pdfwind.dll
2007-11-28 18:14 - 2007-01-11 21:43 - 01097728 _____ () e:\efi\server\system\pdfeye.dll
2007-11-28 18:14 - 2007-04-04 23:43 - 00006656 _____ () e:\efi\server\system\nsm.dll
2007-11-28 18:14 - 2007-04-05 00:08 - 00234496 _____ () e:\efi\server\system\FIERYQUERY.dll
2007-11-28 18:14 - 2007-04-05 00:15 - 00026624 _____ () e:\efi\server\system\userauth.dll
2007-11-28 18:14 - 2007-04-05 00:18 - 00037376 _____ () e:\efi\server\system\spooler.dll
2007-11-28 18:14 - 2007-04-05 00:18 - 00016896 _____ () e:\efi\server\system\ripmgr.dll
2007-11-28 18:14 - 2007-04-05 00:09 - 00165376 _____ () e:\efi\server\system\snmp.dll
2007-11-28 18:14 - 2009-09-22 16:43 - 00674304 _____ () e:\efi\server\system\falcon.dll
2007-11-28 18:14 - 2007-04-05 00:21 - 00195584 _____ () e:\efi\server\system\trpc_attr.dll
2007-11-28 18:14 - 2007-04-05 00:21 - 00037376 _____ () e:\efi\server\system\trpc_locl.dll
2007-11-28 18:14 - 2007-04-05 00:21 - 00107008 _____ () e:\efi\server\system\trpc_netcfg.dll
2007-11-28 18:14 - 2007-04-05 00:28 - 00034816 _____ () e:\efi\server\system\trpc_sftp.dll
2007-11-28 18:14 - 2007-04-05 00:18 - 00012288 _____ () e:\efi\server\system\trpc_pmap.dll
2007-11-28 18:14 - 2007-04-05 00:25 - 00022016 _____ () e:\efi\server\system\trpc_corp.dll
2007-11-28 18:14 - 2007-04-05 00:25 - 00034816 _____ () e:\efi\server\system\corpapi.dll
2007-11-28 18:14 - 2007-04-05 00:26 - 00007680 _____ () e:\efi\server\system\sntpc.dll
2007-11-28 18:14 - 2007-04-05 00:26 - 00005120 _____ () e:\efi\server\system\libefiipv6proxy.dll
2007-11-28 18:14 - 2007-04-05 00:26 - 00070144 _____ () e:\efi\server\system\efi_ipv6proxy.dll
2007-11-28 18:14 - 2007-04-05 00:26 - 00006656 _____ () e:\efi\server\system\trpc_con.dll
2007-11-28 18:14 - 2007-04-05 00:27 - 00037888 _____ () e:\efi\server\system\trpc_ft.dll
2007-11-28 18:14 - 2007-04-05 00:28 - 00035840 _____ () e:\efi\server\system\trpc_server.dll
2007-11-28 18:14 - 2007-04-05 00:29 - 00076288 _____ () e:\efi\server\system\trpc_colorapi.dll
2007-11-28 18:14 - 2007-04-05 00:28 - 00010240 _____ () e:\efi\server\system\trpc_l10n.dll
2007-11-28 18:14 - 2007-04-05 00:29 - 00026112 _____ () e:\efi\server\system\trpc_cldf.dll
2007-11-28 18:14 - 2007-04-05 00:27 - 00031232 _____ () e:\efi\server\system\trpc_lp.dll
2007-11-28 18:14 - 2007-04-05 00:26 - 00034304 _____ () e:\efi\server\system\trpc_acct.dll
2007-11-28 18:14 - 2007-04-05 00:27 - 00059392 _____ () e:\efi\server\system\trpc_scan.dll
2007-11-28 18:14 - 2007-04-05 00:27 - 00227328 _____ () e:\efi\server\system\trpc_jobm.dll
2007-11-28 18:14 - 2007-04-05 00:03 - 00025088 _____ () e:\efi\server\system\bdmap.dll
2007-11-28 18:14 - 2007-04-05 00:27 - 00018432 _____ () e:\efi\server\system\trpc_dl.dll
2007-11-28 18:14 - 2007-04-05 00:27 - 00018944 _____ () e:\efi\server\system\trpc_feat.dll
2007-11-28 18:14 - 2007-04-05 00:27 - 00015360 _____ () e:\efi\server\system\trpc_font.dll
2007-11-28 18:14 - 2007-04-05 00:27 - 00065536 _____ () e:\efi\server\system\trpc_efim.dll
2007-11-28 18:14 - 2004-09-13 16:38 - 00028672 _____ () e:\efi\server\system\OutlineLib.dll
2007-11-28 18:14 - 2007-04-05 00:29 - 00009216 _____ () e:\efi\server\system\trpc_tree.dll
2007-11-28 18:14 - 2007-04-05 00:25 - 00029696 _____ () e:\efi\server\system\trpc_address.dll
2007-11-28 18:14 - 2007-04-05 00:28 - 00512000 _____ () e:\efi\server\system\trpc_mail.dll
2007-11-28 18:14 - 2007-04-05 00:27 - 00029696 _____ () e:\efi\server\system\trpc_globobj.dll
2007-11-28 18:14 - 2007-04-05 00:28 - 00011264 _____ () e:\efi\server\system\trpc_pageman.dll
2007-11-28 18:14 - 2007-04-05 00:27 - 00018432 _____ () e:\efi\server\system\trpc_gasetup.dll
2007-11-28 18:14 - 2007-04-05 00:28 - 00022016 _____ () e:\efi\server\system\trpc_pserver.dll
2007-11-28 18:14 - 2007-04-05 00:28 - 00019968 _____ () e:\efi\server\system\trpc_ipsec.dll
2007-11-28 18:14 - 2007-04-05 00:26 - 00037888 _____ () e:\efi\server\system\trpc_cert.dll
2007-11-28 18:14 - 2007-04-05 00:28 - 00018432 _____ () e:\efi\server\system\trpc_pcat.dll
2007-11-28 18:14 - 2007-04-05 00:28 - 00071168 _____ () e:\efi\server\system\trpc_preview.dll
2007-11-28 18:14 - 2007-04-05 00:09 - 00031232 _____ () e:\efi\server\system\hrmib.dll
2007-11-28 18:14 - 2007-04-05 00:09 - 00075264 _____ () e:\efi\server\system\prtmib.dll
2007-11-28 18:14 - 2007-04-05 00:11 - 00006144 _____ () e:\efi\server\system\tringmib.dll
2007-11-28 18:14 - 2007-04-05 00:10 - 00018432 _____ () e:\efi\server\system\efigenmib.dll
2007-11-28 18:14 - 2007-04-05 00:10 - 00067584 _____ () e:\efi\server\system\efinetmib.dll
2007-11-28 18:14 - 2007-04-05 00:10 - 00020480 _____ () e:\efi\server\system\efiprtmib.dll
2007-11-28 18:14 - 2007-04-05 00:10 - 00027648 _____ () e:\efi\server\system\efijobmib.dll
2007-11-28 18:14 - 2007-04-05 00:10 - 00017920 _____ () e:\efi\server\system\efinotemib.dll
2007-11-28 18:14 - 2007-04-05 00:36 - 00193536 _____ () e:\efi\server\system\xcmimib.dll
2007-11-28 18:14 - 2007-04-05 00:35 - 00095232 _____ () e:\efi\server\system\finishermib.dll
2007-11-28 18:47 - 2007-02-14 03:37 - 00032768 _____ () D:\Program Files\Fiery\HotFolder\hfhrm.dll
2007-11-28 18:47 - 2005-09-20 22:06 - 00536576 _____ () D:\Program Files\Fiery\HotFolder\IWL.dll
2007-11-28 18:47 - 2005-09-20 22:06 - 00719300 _____ () D:\Program Files\Fiery\HotFolder\LIBEXPAT.dll
2007-11-28 18:15 - 2006-12-14 18:34 - 00471040 _____ () D:\sysupdates\su_en.dll
2007-11-28 18:14 - 2007-04-05 00:42 - 00481280 _____ () e:\efi\server\system\cl.dll
2007-11-28 18:14 - 2007-04-05 00:42 - 00034816 _____ () e:\efi\server\system\co.dll
2007-11-28 18:14 - 2007-04-05 00:42 - 00071680 _____ () e:\efi\server\system\ci.dll
2007-11-28 18:14 - 2007-04-05 00:42 - 00097792 _____ () e:\efi\server\system\web.dll
2007-11-28 18:14 - 2007-04-05 00:19 - 00306176 _____ () e:\efi\server\system\SP.DLL
2007-11-28 18:14 - 2007-04-05 00:43 - 00034816 _____ () e:\efi\server\system\libfsniffer_api.dll
2007-11-28 18:14 - 2006-07-26 17:00 - 00127067 _____ () e:\efi\server\system\slp.dll
2007-11-28 18:14 - 2008-01-21 10:02 - 00045056 _____ () e:\efi\server\system\mapper.dll
2007-11-28 18:14 - 2007-04-05 00:11 - 00014848 _____ () e:\efi\server\system\efiagent.dll

==================== Alternate Data Streams (whitelisted) =========

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot => "AlternateShell"=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys => ""="FSFilter Undelete"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv7E8 => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srvD68 => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys => ""="FSFilter Undelete"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antvirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UploadMgr => ""="Service"

==================== Faulty Device Manager Devices =============

Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Class Guid: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard keyboards)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: PS/2 Compatible Mouse
Description: PS/2 Compatible Mouse
Class Guid: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

==================== Event log errors: =========================

Application errors:
==================
Error: (11/22/2013 08:44:03 AM) (Source: Service Control Manager) (User: )
Description: SRTSPFltMgr

Error: (11/22/2013 08:43:19 AM) (Source: Service Control Manager) (User: )
Description: i8042prt
SASDIFSV
SASKUTIL

Error: (11/22/2013 08:43:19 AM) (Source: Service Control Manager) (User: )
Description: Upload Manager%%1079

Error: (11/22/2013 08:43:19 AM) (Source: Service Control Manager) (User: )
Description: srvD68%%126

Error: (11/22/2013 08:43:19 AM) (Source: Service Control Manager) (User: )
Description: srv7E8%%998

Error: (11/22/2013 08:43:19 AM) (Source: Service Control Manager) (User: )
Description: PDIHWCTL%%123

Error: (11/22/2013 08:43:19 AM) (Source: Service Control Manager) (User: )
Description: Apache1 (0x1)

Error: (11/22/2013 08:43:12 AM) (Source: Userenv) (User: NT AUTHORITY)
Description: Windows couldn't log the RSoP (Resultant Set of Policies) session status. An attempt to connect to WMI failed. No more RSoP logging will be done for this application of policy.

Error: (11/22/2013 08:42:55 AM) (Source: Userenv) (User: NT AUTHORITY)
Description: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Error: (11/22/2013 08:42:41 AM) (Source: Apache Service) (User: )
Description: The Apache service named  reported the following error:
>>> Unable to open logs     .

System errors:
=============
Error: (11/22/2013 08:43:03 AM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.

Error: (11/22/2013 08:43:03 AM) (Source: W32Time) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'nist1.columbiacountyga.gov,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Error: (11/22/2013 08:43:03 AM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (11/22/2013 08:43:03 AM) (Source: W32Time) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'nist1.columbiacountyga.gov,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Error: (11/22/2013 08:42:55 AM) (Source: NETLOGON) (User: )
Description: No Domain Controller is available for domain CORP due to the following:
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.

Error: (11/22/2013 06:50:44 AM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (11/22/2013 06:50:44 AM) (Source: W32Time) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'nist1.columbiacountyga.gov,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: No such service is known. The service cannot be found in the specified name space. (0x8007277C)

Error: (11/22/2013 06:50:38 AM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (11/22/2013 06:50:38 AM) (Source: NETLOGON) (User: )
Description: No Domain Controller is available for domain CORP due to the following:
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.

Error: (11/22/2013 06:50:31 AM) (Source: W32Time) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'nist1.columbiacountyga.gov,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: No such service is known. The service cannot be found in the specified name space. (0x8007277C)

Microsoft Office Sessions:
=========================
Error: (11/22/2013 08:44:03 AM) (Source: Service Control Manager)(User: )
Description: SRTSPFltMgr

Error: (11/22/2013 08:43:19 AM) (Source: Service Control Manager)(User: )
Description: i8042prt
SASDIFSV
SASKUTIL

Error: (11/22/2013 08:43:19 AM) (Source: Service Control Manager)(User: )
Description: Upload Manager%%1079

Error: (11/22/2013 08:43:19 AM) (Source: Service Control Manager)(User: )
Description: srvD68%%126

Error: (11/22/2013 08:43:19 AM) (Source: Service Control Manager)(User: )
Description: srv7E8%%998

Error: (11/22/2013 08:43:19 AM) (Source: Service Control Manager)(User: )
Description: PDIHWCTL%%123

Error: (11/22/2013 08:43:19 AM) (Source: Service Control Manager)(User: )
Description: Apache1 (0x1)

Error: (11/22/2013 08:43:12 AM) (Source: Userenv)(User: NT AUTHORITY)
Description:

Error: (11/22/2013 08:42:55 AM) (Source: Userenv)(User: NT AUTHORITY)
Description: The specified domain either does not exist or could not be contacted.

Error: (11/22/2013 08:42:41 AM) (Source: Apache Service)(User: )
Description: The Apache service namedreported the following error:
>>>Unable to open logs

==================== Memory info ===========================

Percentage of memory in use: 88%
Total physical RAM: 495.54 MB
Available physical RAM: 56.17 MB
Total Pagefile: 1448.66 MB
Available Pagefile: 626.89 MB
Total Virtual: 2047.88 MB
Available Virtual: 1961.95 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:2 GB) (Free:0.74 GB) FAT ==>[Drive with boot components (Windows XP)]
Drive d: () (Fixed) (Total:15.01 GB) (Free:7.14 GB) NTFS
Drive e: (Fiery) (Fixed) (Total:136.34 GB) (Free:126.5 GB) NTFS
Drive g: () (Removable) (Total:14.9 GB) (Free:12.92 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 153 GB) (Disk ID: D6BD27D1)
Partition 1: (Not Active) - (Size=39 MB) - (Type=83)
Partition 2: (Active) - (Size=2 GB) - (Type=0C)
Partition 3: (Not Active) - (Size=151 GB) - (Type=05)

========================================================
Disk: 1 (Size: 15 GB) (Disk ID: 943C943C)
Partition 1: (Not Active) - (Size=15 GB) - (Type=0C)

==================== End Of Log ============================



#5 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 22 November 2013 - 10:41 AM

Make sure to have the data of this productive system backed up!


Fix with FRST (normal mode)

  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
  • Save it to the same directory as frst.exe (or frst64.exe) as fixlist.txt.

    MountPoints2: {ae703656-8b4e-11e1-afea-00e081497c85} - RUNDlL32.ExE seTup50045.fon,438F88
    Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\System Updates.lnk
    ShortcutTarget: System Updates.lnk -> D:\sysupdates\systemupdates.exe ()
    
    S2 srv7E8; \\?\globalroot\Device\HarddiskVolume3\DOCUME~1\ADMINI~1\LOCALS~1\Temp\srv7E8.tmp [58368 2011-03-25] ()
    S2 srvD68; \\?\globalroot\Device\HarddiskVolume3\DOCUME~1\ADMINI~1\LOCALS~1\Temp\srvD68.tmp [x]
    
    NETSVC: srv7E8 -> \\?\globalroot\Device\HarddiskVolume3\DOCUME~1\ADMINI~1\LOCALS~1\Temp\srv7E8.tmp ()
    NETSVC: srvD68 -> \\?\globalroot\Device\HarddiskVolume3\DOCUME~1\ADMINI~1\LOCALS~1\Temp\srvD68.tmp ==> No File.
    
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv7E8 => ""="service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srvD68 => ""="service"
    
    D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\srv7E8.tmp
    D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\srvD68.tmp
    D:\sysupdates
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

Scan with RogueKiller

Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit

  • Quit all programs that you may have started.
  • Please disconnect any external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • You'll find the log as RKreport[1].txt on your desktop also.
  • Exit/Close RogueKiller.


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#6 jsyerxa
  • Topic Starter
  • Members
  • 45 posts

Posted 22 November 2013 - 11:07 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 22-11-2013
Ran by Administrator at 2013-11-22 09:57:38 Run:1
Running from G:\11-13 Bleepingcomputer files
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
MountPoints2: {ae703656-8b4e-11e1-afea-00e081497c85} - RUNDlL32.ExE seTup50045.fon,438F88
Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\System Updates.lnk
ShortcutTarget: System Updates.lnk -> D:\sysupdates\systemupdates.exe ()

S2 srv7E8; \\?\globalroot\Device\HarddiskVolume3\DOCUME~1\ADMINI~1\LOCALS~1\Temp\srv7E8.tmp [58368 2011-03-25] ()
S2 srvD68; \\?\globalroot\Device\HarddiskVolume3\DOCUME~1\ADMINI~1\LOCALS~1\Temp\srvD68.tmp [x]

NETSVC: srv7E8 -> \\?\globalroot\Device\HarddiskVolume3\DOCUME~1\ADMINI~1\LOCALS~1\Temp\srv7E8.tmp ()
NETSVC: srvD68 -> \\?\globalroot\Device\HarddiskVolume3\DOCUME~1\ADMINI~1\LOCALS~1\Temp\srvD68.tmp ==> No File.

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv7E8 => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srvD68 => ""="service"

D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\srv7E8.tmp
D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\srvD68.tmp
D:\sysupdates
*****************

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ae703656-8b4e-11e1-afea-00e081497c85} => Key deleted successfully.
HKCR\CLSID\{ae703656-8b4e-11e1-afea-00e081497c85} => Key not found.
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\System Updates.lnk => Moved successfully.
D:\sysupdates\systemupdates.exe => Moved successfully.
srv7E8 => Service deleted successfully.
srvD68 => Service deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs srv7E8 => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs srvD68 => Value deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\srv7E8 => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\srvD68 => Key deleted successfully.
D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\srv7E8.tmp => Moved successfully.
"D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\srvD68.tmp" => File/Directory not found.

"D:\sysupdates" directory move:

Could not move "D:\sysupdates" directory. => Scheduled to move on reboot.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2013-11-22 10:00:10)<=

D:\sysupdates => Is moved successfully.

==== End of Fixlog ====


RogueKiller V8.7.8 [Nov 14 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Scan -- Date : 11/22/2013 10:05:05
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[DNS][PUM] HKLM\[...]\CCSet\[...]\{B1120339-7389-4C88-92B3-47CC0AF7CE5C} : NameServer (172.25.4.21,172.25.75.27) -> FOUND
[DNS][PUM] HKLM\[...]\CS001\[...]\{B1120339-7389-4C88-92B3-47CC0AF7CE5C} : NameServer (172.25.4.21,172.25.75.27) -> FOUND
[DNS][PUM] HKLM\[...]\CS002\[...]\{B1120339-7389-4C88-92B3-47CC0AF7CE5C} : NameServer (172.25.4.21,172.25.75.27) -> FOUND
[HJ][PUM] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[12] : NtAlertResumeThread @ 0x80637572 -> HOOKED (Unknown @ 0x846F2240)
[Address] SSDT[13] : NtAlertThread @ 0x805854BF -> HOOKED (Unknown @ 0x846F2320)
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x80570BDC -> HOOKED (Unknown @ 0x846F2D00)
[Address] SSDT[31] : NtConnectPort @ 0x80593B6F -> HOOKED (Unknown @ 0x84734800)
[Address] SSDT[43] : NtCreateMutant @ 0x8057BF9B -> HOOKED (Unknown @ 0x846F1F80)
[Address] SSDT[53] : NtCreateThread @ 0x8058600E -> HOOKED (Unknown @ 0x84706590)
[Address] SSDT[83] : NtFreeVirtualMemory @ 0x805710D6 -> HOOKED (Unknown @ 0x846F2B60)
[Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x805A063D -> HOOKED (Unknown @ 0x846F2080)
[Address] SSDT[91] : NtImpersonateThread @ 0x8058808A -> HOOKED (Unknown @ 0x846F2160)
[Address] SSDT[108] : NtMapViewOfSection @ 0x805818BD -> HOOKED (Unknown @ 0x846F2A80)
[Address] SSDT[114] : NtOpenEvent @ 0x8058B387 -> HOOKED (Unknown @ 0x846F1EA0)
[Address] SSDT[123] : NtOpenProcessToken @ 0x8057833A -> HOOKED (Unknown @ 0x846F2DD0)
[Address] SSDT[129] : NtOpenThreadToken @ 0x80574B8A -> HOOKED (Unknown @ 0x846F2820)
[Address] SSDT[206] : NtResumeThread @ 0x80586685 -> HOOKED (Unknown @ 0x84732080)
[Address] SSDT[213] : NtSetContextThread @ 0x8063571B -> HOOKED (Unknown @ 0x846F2740)
[Address] SSDT[228] : NtSetInformationProcess @ 0x80574FD7 -> HOOKED (Unknown @ 0x846F28F0)
[Address] SSDT[229] : NtSetInformationThread @ 0x8057371C -> HOOKED (Unknown @ 0x846F2650)
[Address] SSDT[253] : NtSuspendProcess @ 0x806374B7 -> HOOKED (Unknown @ 0x846F1DC0)
[Address] SSDT[254] : NtSuspendThread @ 0x806373D3 -> HOOKED (Unknown @ 0x846F2468)
[Address] SSDT[257] : NtTerminateProcess @ 0x8058F7FD -> HOOKED (Unknown @ 0x846FEB50)
[Address] SSDT[258] : NtTerminateThread @ 0x80585C4A -> HOOKED (Unknown @ 0x846F2570)
[Address] SSDT[267] : NtUnmapViewOfSection @ 0x80581445 -> HOOKED (Unknown @ 0x846F29C0)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x80587F99 -> HOOKED (Unknown @ 0x846F2C30)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HDS721616PLA380 +++++
--- User ---
[MBR] 70aa362d0b038105b6010bbf92bc1aa3
[BSP] f7c5d8ad209dac6f9204eaf827844931 : MBR Code unknown
Partition table:
0 - [XXXXXX] LINUX (0x83) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 80325 | Size: 2047 Mo
2 - [XXXXXX] EXTEN (0x05) [VISIBLE] Offset (sectors): 4273290 | Size: 154978 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) SanDisk Cruzer USB Device +++++
--- User ---
[MBR] c2fdae14f9e03829572de4b7eb0dd235
[BSP] 35d991d2fd45ec634475395c010abe62 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 52 | Size: 15275 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_11222013_100505.txt >>



#7 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 25 November 2013 - 02:51 AM

Fix anything Roguekiller found EXCEPT the SSDT messages.

Then run MBAR:

Scan with Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-[date and time]***.txt. Please attach that to your next reply.



#8 jsyerxa
  • Topic Starter
  • Members
  • 45 posts

Posted 26 November 2013 - 08:48 AM

Marius,

Well, they want to dump the system and replace it, so I don't have to do anything more on this one - thanks for your help up to this point.

I am going to donate for your help on this one.

One of the guys just brought me his Dell Vostro 220 and said it is his wife's computer and it won't start. Powered it up and you get the BSOD. Try to boot up in safe mode and get BSOD 0x00000024.

Thanks

John



#9 jsyerxa
  • Topic Starter
  • Members
  • 45 posts

Posted 26 November 2013 - 09:15 AM

Marius,

Just sent off a PayPal and noticed that you are in Germany. Whereabouts are you? Loved Germany when I was over there.

Danke nochmal (I think)



#10 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 26 November 2013 - 09:19 AM

Thank you! :)

Which Windows version is running on the Dell Vostro? Or is this the machine we just worked on?

I live near Cologne.



#11 jsyerxa
  • Topic Starter
  • Members
  • 45 posts

Posted 26 November 2013 - 09:46 AM

The other system is getting replaced - he says it is too old to mess with.

The Vostro has Windows XP Home Edition. Not sure what service pack it might have installed. I am running all the diagnostics on it right now.

 

I never got to Cologne, I went to school in Erlangen, I worked for Seimens and that is where I had 3 months training on the Seimens CAT Scanners. Was there during the summer so it was really beautiful, lived in Buckenbach (sp).



#12 jsyerxa

jsyerxa
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:10:37 AM

Posted 26 November 2013 - 09:48 AM

Oops - Siemens - forgot the i before the e.



#13 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:37 PM

Posted 26 November 2013 - 09:49 AM

Scan with FRST (using UBCD4Win)

We need to try and boot your computer using the Ultimate Boot CD for Windows (UBCD4win)

Please print this guide for future reference!

You will need: a blank CD, a Windows XP CD, a clean computer, and a flash drive.

Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

Step 1 - creating the ISO file

1. Please select a mirror and download the Ultimate Boot CD for Windows to your Desktop

  • Double-Click on the UBCD4Win.exe that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up
  • Note: Do not install to a folder with spaces in its name; it is best to use the default C:\UBCD4Win
  • Note: Your Anti-Virus may report viruses or trojans when you extract UBCD4Win, these are "False-Positives." Read here for information regarding the files that normally trigger AV software.
  • At the very end, uncheck "Run UBCD4WinBuilder.exe when installation is complete", then click Finish


2. Insert your XP CD with SP1/SP2/SP3 into a CD-ROM drive

  • Open My Computer, navigate to: C:\ubcd4win
  • Double-click on UBCD4WinBuilder.exe
  • Click I Agree to the UBCD4Win PE Builder License
  • Click No when prompted to Search for Windows installation files
  • For Source: click on the ellipsis (...), then click on the drive with your Windows XP CD, then press Ok
  • For Custom: no information is necessary, leave blank
  • For Output: keep the default BartPE
  • For Media output select Create ISO image: (enter filename)
    Note: you can leave the default file name and path as well (C:\UBCD4Win\UBCD4WinBuilder.iso), but if you do change it make sure it is a folder without spaces in the name
  • Note: If your XP install disc is SP1 then please click the Plugins button and modify the following options:

    Click on each option, then click Enable/Disable so the correct value is displayed.

    Disabled - !Critical: DComLaunch Service [Building with XP SP1-DISABLE]
    Enabled - !Critical: LargeIDE Fix (KB331958) [Building with XP SP1-ENABLE]
  • Note: If you have a Dell XP install disc you will need to follow the instructions here: http://www.ubcd4win.com/faq.htm#dell


3. Click on the "Build" button

  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit


4. Burn your ISO file to CD



==========

Step 2 - downloading Farbar's Recovery Scan Tool (FRST)

Next, from your clean computer, download Farbar Recovery Scan Tool and save it to your flash drive.

note: you will need the 32-bit version to run with UBCD4Win

Now plug your flash drive back into your sick computer and move on to the next step.

==========

Step 3 - booting to the UBCD4Win CD

Restart your sick computer using the UBCD4Win disc that you have created

  • Insert the UBCD4Win disc into one of your CD/DVD drives
  • Restart your computer, the computer should choose to boot from the UBCD4Win CD automatically
  • If it doesn't and you are asked if you want to boot from CD, then choose that option
    note: more information on booting from CD can be obtained here
  • In the window that pops up select Launch The Ultimate Boot CD For Windows and press Enter
  • It may take a little longer for the desktop to appear than it does when you start your computer normally, just let the process run itself until the desktop appears
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?, click Yes
  • You should now have a desktop that looks like this: (screenshot: Main.jpg)


==========

Step 4 - running the FRST scan

  • Single click My Computer from your UBCD4Win desktop to navigate to the Farbar Recovery Scan Tool (FRST.exe) you saved to your flash drive.
  • Double click on FRST.exe to begin running the tool
  • When the tool opens, click Yes to the disclaimer
    note: if prompted to download the latest version, please do so from the link in Step 2
  • Click on the Scan button
  • It will make a log (FRST.txt) on the flash drive; close the tool and safely remove the USB drive
  • Insert the USB drive into your clean computer and post the log in your next reply


#14 jsyerxa

jsyerxa
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:10:37 AM

Posted 26 November 2013 - 11:04 AM

FRST Log

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 25-11-2013 01
Ran by SYSTEM on BARTPE-21924 on 26-11-2013 04:59:43
Running from D:\
WIN_XP Service Pack 2 (X86) OS Language: Georgian
Boot Mode: Recovery
Attention: Could not load system hive.
Attention: System hive is missing.

==================== Registry (Whitelisted) ==================

ATTENTION: Software hive is missing.

ATTENTION: Software hive is not loaded.

========================== Services (Whitelisted) =================

==================== Drivers (Whitelisted) ====================

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

==================== One Month Modified Files and Folders =======

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon:  <===== ATTENTION!
HKLM\...\exefile\open\command:  <===== ATTENTION!

==================== Restore Points (XP) =====================

==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 2037.11 MB
Available physical RAM: 1760.6 MB
Total Pagefile: 1869.3 MB
Available Pagefile: 1753.41 MB
Total Virtual: 2047.88 MB
Available Virtual: 1993.61 MB

==================== Drives ================================

Drive b: (RAMDisk) (Fixed) (Total:0.09 GB) (Free:0.09 GB) FAT
Drive d: () (Removable) (Total:14.9 GB) (Free:12.91 GB) FAT32
Drive x: (UBCD4Windows) (CDROM) (Total:0.62 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 75 GB) (Disk ID: D0F4738C)
Partition 1: (Not Active) - (Size=47 MB) - (Type=DE)
Partition 2: (Active) - (Size=74 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 15 GB) (Disk ID: 943C943C)
Partition 1: (Not Active) - (Size=15 GB) - (Type=0C)

==================== End Of Log ============================
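The log above is triaged by eye in the thread: the missing system and software hives, the seven missing core binaries in the Bamital & volsnap check and the blank .exe association are what lead to the repair-install advice that follows. As an added example that is not part of the thread and not FRST's own code, here is a small Python parser that pulls those findings out of an FRST log and produces the same verdict automatically. The section names and the "IS MISSING <==== ATTENTION!" wording are taken from the posted log; the sample log embedded below is constructed to mirror its shape, and the severity thresholds are this example's own choice.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) logs.

Added example, not part of the BleepingComputer thread and not FRST's own
code: it extracts the findings FRST marks with "ATTENTION" (registry hive
status, missing core system files, the .exe association) and turns them
into a short verdict. The severity rules are this example's own.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, shaped like the FRST log posted in the thread.
SAMPLE_LOG = r"""
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 25-11-2013 01
Ran by SYSTEM on BARTPE-21924 on 26-11-2013 04:59:43
Running from D:\
WIN_XP Service Pack 2 (X86)
Boot Mode: Recovery
Attention: Could not load system hive.
Attention: System hive is missing.

==================== Registry (Whitelisted) ==================

ATTENTION: Software hive is missing.

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\open\command:  <===== ATTENTION!

==================== End Of Log ============================
""".strip("\n")

SECTION_RE = re.compile(r"^=+\s*([^=].*?)\s*=+$")  # "==== Section name ===="
HIVE_RE = re.compile(
    r"^attention:\s*(?:could not load\s+)?(?P<hive>system|software) hive", re.IGNORECASE)
MISSING_RE = re.compile(r"^(?P<path>\S+) IS MISSING <==== ATTENTION!")


@dataclass
class FrstTriage:
    boot_mode: str = ""
    hive_problems: set = field(default_factory=set)    # hives missing or not loadable
    missing_files: list = field(default_factory=list)  # Bamital & volsnap check results
    broken_exe_assoc: list = field(default_factory=list)
    attention_lines: list = field(default_factory=list)


def parse_frst_log(text: str) -> FrstTriage:
    """Walk the log once, tracking the current ==== section ==== header."""
    result = FrstTriage()
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if line.startswith("Boot Mode:"):
            result.boot_mode = line.split(":", 1)[1].strip()
            continue
        if "attention" in line.lower():
            result.attention_lines.append(line)
        hive = HIVE_RE.match(line)
        if hive:
            result.hive_problems.add(hive.group("hive").lower())
        missing = MISSING_RE.match(line)
        if missing:
            result.missing_files.append(missing.group("path"))
        elif section.lower().startswith("exe association") and "attention" in line.lower():
            # The value is blank or tampered; keep only the registry path.
            result.broken_exe_assoc.append(line.split("<=====")[0].strip().rstrip(":"))
    return result


def severity(t: FrstTriage) -> str:
    """Example thresholds: a missing hive or core binary means Windows cannot start."""
    if t.hive_problems or t.missing_files:
        return "critical"
    if t.broken_exe_assoc or t.attention_lines:
        return "suspicious"
    return "clean"


def summarize(t: FrstTriage) -> str:
    lines = [f"Boot mode: {t.boot_mode or 'unknown'}", f"Severity: {severity(t)}"]
    if t.hive_problems:
        lines.append("Registry hives with problems: " + ", ".join(sorted(t.hive_problems)))
    for path in t.missing_files:
        lines.append(f"Missing core file: {path}")
    for key in t.broken_exe_assoc:
        lines.append(f".exe association flagged: {key}")
    if severity(t) == "critical":
        lines.append("Malware cleanup alone will not recover this install; "
                     "a repair install or rebuild is the practical path.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_frst_log(SAMPLE_LOG)))
```

Run against the sample it reports the boot mode, both hives, the three missing files, the two flagged association keys and a "critical" verdict; against a log with no ATTENTION markers it reports "clean". The EXE ASSOCIATION handling depends on the section header, so the same "ATTENTION" marker in other sections is not mistaken for a registry key.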



#15 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:37 PM

Posted 26 November 2013 - 11:29 AM

Please follow these steps to do a repair installation of XP:

 

http://www.wikihow.com/Do-a-Windows-XP-%22Repair-Install%22

 

Tell me if that worked for you.





