TechSpot

BSOD on start up, possibly conhost.exe?, VISTA

By krinkle
Aug 31, 2011
  1. Whenever I boot up my PC I get a BSOD.

    Windows comes up with this error message:

    Problem signature:
    Problem Event Name: BlueScreen
    OS Version: 6.0.6002.2.2.0.768.3
    Locale ID: 1030

    Additional information about the problem:
    BCCode: 1000007e
    BCP1: C0000005
    BCP2: 870AC720
    BCP3: 8B56FBB8
    BCP4: 8B56F8B4
    OS Version: 6_0_6002
    Service Pack: 2_0
    Product: 768_1

    Files that help describe the problem:
    C:\Windows\Minidump\Mini083011-25.dmp
    C:\Users\TheFracker\AppData\Local\Temp\WER-100917-0.sysdata.xml
    C:\Users\TheFracker\AppData\Local\Temp\WER1360.tmp.version.txt

    When the BSOD comes up it says IRQL_NOT_LESS_OR_EQUAL.

    I posted in tech support and was asked to go here and follow the 6-step instructions. Route44, who helped me out, suspected that conhost.exe is the problem. Conhost.exe is currently running in Task Manager and keeps starting up again when I close the process. Under the description it says bitcoin-miner. I have searched for conhost.exe on my computer and I can't find it.

    All the scans have been done in Safe Mode, because I can't successfully boot up in normal mode.

    Avast scan didn't find anything.

    Microsoft Security Essentials found Win32/CoinMaker and deleted it. It also found conhost.exe and couldn't verify whether it was harmful or not and therefore didn't do anything about it.

    Microsoft Security Essentials Log:
    ----------------------------------------------------------------------------------
    Command: MpSigStub.exe /program "C:\Windows\SoftwareDistribution\Download\Install\AM_Delta.exe" ANTIMALWARE /q
    Start time: 30-08-2011 15:10 (version 10.3.1781.0)

    =================================== ProductSearch ==================================

    Microsoft Security Essentials:
    Status: Active
    Product: 3.0.8402.0
    Engine: Not found
    Signatures: Not found
    NIS Engine: Not found
    NIS Signatures: Not found

    ================================ PackageDiscovery ================================

    AM FE: NIS Full:
    Engine: 1.1.7604.0 NIS engine: 2.0.5854.0
    AS base VDM: 1.111.0.0 NIS base VDM: 9.0.0.0
    AV base VDM: 1.111.0.0 NIS full VDM: 9.285.0.0
    AS delta VDM: 1.111.1045.0
    AV delta VDM: 1.111.1045.0

    ================================ PatchApplication ================================

    Patched nisfull.vdm to 9.285.0.0

    ================================= MpUpdateEngine =================================

    Updated from C:\Windows\Temp\FB84A858E00CF7243B12915059191B09-Sigs (0x0)

    ================================= ValidateUpdate =================================

    MpSigStub successfully updated Microsoft Security Essentials using the AM FE package.

    Original: Updated to:
    Engine: 0.0.0.0 1.1.7604.0
    AS base VDM: 0.0.0.0 1.111.0.0
    AV base VDM: 0.0.0.0 1.111.0.0
    AS delta VDM: 0.0.0.0 1.111.1045.0
    AV delta VDM: 0.0.0.0 1.111.1045.0

    Set DeltaUpdateFailure to 0
    MpSigStub successfully updated Microsoft Security Essentials using the NIS Full package.

    Original: Updated to:
    NIS engine: 0.0.0.0 2.0.5854.0
    NIS base VDM: 0.0.0.0 9.0.0.0
    NIS full VDM: 0.0.0.0 9.285.0.0

    Set NISDeltaUpdateFailure to 0
    Deleted C:\Windows\Temp\FB84A858E00CF7243B12915059191B09-Sigs\9.0.0.0_TO_9.285.0.0_NISFULL.VDM_SOURCE_NISBASE.VDM._P
    Deleted C:\Windows\Temp\FB84A858E00CF7243B12915059191B09-Sigs\MPASBASE.VDM
    Deleted C:\Windows\Temp\FB84A858E00CF7243B12915059191B09-Sigs\MPASDLTA.VDM
    Deleted C:\Windows\Temp\FB84A858E00CF7243B12915059191B09-Sigs\MPAVBASE.VDM
    Deleted C:\Windows\Temp\FB84A858E00CF7243B12915059191B09-Sigs\MPAVDLTA.VDM
    Deleted C:\Windows\Temp\FB84A858E00CF7243B12915059191B09-Sigs\NISBASE.VDM
    Deleted C:\Windows\Temp\FB84A858E00CF7243B12915059191B09-Sigs\nisfull.vdm
    Deleted C:\Windows\Temp\FB84A858E00CF7243B12915059191B09-Sigs\mpengine.dll
    Deleted C:\Windows\Temp\FB84A858E00CF7243B12915059191B09-Sigs\GAPAENGINE.DLL
    End time: 30-08-2011 15:11
    ----------------------------------------------------------------------------------



    Malwarebytes' Anti-Malware didn't come up with anything. I ran both the quick and full scan.

    Malwarebytes' Anti-Malware Log:
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4062

    Windows 6.0.6002 Service Pack 2 (Safe Mode)
    Internet Explorer 8.0.6001.19120

    01-09-2011 01:00:47
    mbam-log-2011-09-01 (01-00-47).txt

    Scan type: Quick scan
    Objects scanned: 126315
    Time elapsed: 5 minute(s), 25 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    I ran GMER.

    GMER Log:
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-09-01 04:08:01
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000032 WDC_WD50 rev.01.0
    Running: fn87dlu3.exe; Driver: C:\Users\THEFRA~1\AppData\Local\Temp\uwdiipog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x8FE7C884]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0x8FE9DFA8]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0x8FE97E42]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0x8FE9826A]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0x8FEA26FE]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0x8FE7D5B4]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0x8FE9FA50]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0x8FE9F346]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0x8FE96C26]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0x8FEA041A]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0x8FEA0658]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKeyEx [0x8FEA0B0A]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0x8FE7D16C]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0x8FE9A358]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenThread [0x8FE99F46]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0x8FEA14E0]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0x8FEA0DD4]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0x8FEA1F40]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0x8FE83292]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0x8FE7D9BE]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0x8FEA1A68]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0x8FE9EA6A]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0x8FE98F66]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0x8FE98C96]
    SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateUserProcess [0x8FE986DE]

    INT 0x51 ? 84F64BF8
    INT 0x52 ? 8645DF00
    INT 0x82 ? 84F63BF8
    INT 0x92 ? 84F64BF8

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!KeSetEvent + 1D9 824E795C 4 Bytes [84, C8, E7, 8F] {TEST AL, CL; OUT 0x8f, EAX}
    .text ntkrnlpa.exe!KeSetEvent + 1E9 824E796C 4 Bytes [A8, DF, E9, 8F]
    .text ntkrnlpa.exe!KeSetEvent + 209 824E798C 8 Bytes [42, 7E, E9, 8F, 6A, 82, E9, ...]
    .text ntkrnlpa.exe!KeSetEvent + 215 824E7998 4 Bytes [FE, 26, EA, 8F]
    .text ntkrnlpa.exe!KeSetEvent + 2D1 824E7A54 8 Bytes [B4, D5, E7, 8F, 50, FA, E9, ...]
    .text ...
    ? System32\Drivers\spjj.sys The system cannot find the path specified. !
    .text USBPORT.SYS!DllUnload 82F9A41B 5 Bytes JMP 8645D4E0
    .text aaaq9zd8.SYS 8F1B5000 22 Bytes [82, F3, 40, 82, 6C, F2, 40, ...]
    .text aaaq9zd8.SYS 8F1B5017 137 Bytes [00, 32, 37, 7A, 80, 3D, 35, ...]
    .text aaaq9zd8.SYS 8F1B50A1 43 Bytes [40, 4E, 82, 74, 36, 48, 82, ...]
    .text aaaq9zd8.SYS 8F1B50CE 10 Bytes [00, 00, 00, 00, 00, 00, 66, ...]
    .text aaaq9zd8.SYS 8F1B50DA 12 Bytes [00, 00, 02, 00, 00, 00, 25, ...]
    .text ...

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtProtectVirtualMemory 77484B84 5 Bytes JMP 00DB000A
    .text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtWriteVirtualMemory 774854C4 5 Bytes JMP 00DC000A
    .text C:\Windows\system32\svchost.exe[1068] ntdll.dll!KiUserExceptionDispatcher 77485BF8 5 Bytes JMP 004C000A
    .text C:\Windows\Explorer.EXE[1792] ntdll.dll!NtProtectVirtualMemory 77484B84 5 Bytes JMP 01F7000A
    .text C:\Windows\Explorer.EXE[1792] ntdll.dll!NtWriteVirtualMemory 774854C4 5 Bytes JMP 0208000A
    .text C:\Windows\Explorer.EXE[1792] ntdll.dll!KiUserExceptionDispatcher 77485BF8 5 Bytes JMP 01F6000A

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8069A6D2] \SystemRoot\System32\Drivers\spjj.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8069A040] \SystemRoot\System32\Drivers\spjj.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8069A7FC] \SystemRoot\System32\Drivers\spjj.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [8069A0BE] \SystemRoot\System32\Drivers\spjj.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8069A13C] \SystemRoot\System32\Drivers\spjj.sys
    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806AA048] \SystemRoot\System32\Drivers\spjj.sys
    IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortNotification] 24488B66
    IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortWritePortUchar] E84D8966
    IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortWritePortUlong] 83E84D8B
    IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 896602C1
    IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 488BEA4D
    IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortGetScatterGatherList] 8DC80320
    IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortReadPortUchar] 57500845
    IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortStallExecution] F0458D57
    IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortGetParentBusType] 00006850
    IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortRequestCallback] 458DB002
    IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 35FF50E8
    IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortGetUnCachedExtension] [8F1DAFBC] \SystemRoot\System32\Drivers\aaaq9zd8.SYS (ATAPI IDE Miniport Driver/Microsoft Corporation)
    IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortCompleteRequest] 57EC4D89
    IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortMoveMemory] 01F045C7
    IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] E8000000
    IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 0001E4E4
    IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 4675C73B
    IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortReadPortUshort] 1DAFC8A1
    IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 8D526A8F
    IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortInitialize] 00009A88
    IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortGetDeviceBase] 48C08300
    IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortDeviceStateChange] 8D076A50

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 85D3A1F8
    Device \FileSystem\fastfat \FatCdrom 876231F8
    Device \Driver\netbt \Device\NetBT_Tcpip_{7BE1BC0C-7A11-4BFA-9F7A-5F5AD244094F} 8652B1F8
    Device \Driver\volmgr \Device\VolMgrControl 85D351F8
    Device \Driver\usbohci \Device\USBPDO-0 86478488
    Device \Driver\usbehci \Device\USBPDO-1 864791F8

    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\volmgr \Device\HarddiskVolume1 85D351F8
    Device \Driver\volmgr \Device\HarddiskVolume2 85D351F8
    Device \Driver\cdrom \Device\CdRom0 864831F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 85D371F8
    Device \Driver\atapi \Device\Ide\IdePort0 85D371F8
    Device \Driver\atapi \Device\Ide\IdePort1 85D371F8
    Device \Driver\cdrom \Device\CdRom1 864831F8
    Device \Driver\volmgr \Device\HarddiskVolume3 85D351F8
    Device \Driver\cdrom \Device\CdRom2 864831F8
    Device \Driver\volmgr \Device\HarddiskVolume4 85D351F8
    Device \Driver\cdrom \Device\CdRom3 864831F8
    Device \Driver\volmgr \Device\HarddiskVolume5 85D351F8
    Device \Driver\cdrom \Device\CdRom4 864831F8
    Device \Driver\volmgr \Device\HarddiskVolume6 85D351F8
    Device \Driver\netbt \Device\NetBt_Wins_Export 8652B1F8
    Device \Driver\Smb \Device\NetbiosSmb 873C41F8
    Device \Driver\USBSTOR \Device\00000079 875EA1F8
    Device \Driver\nvstor32 \Device\RaidPort0 85D391F8
    Device \Driver\PCI_PNP1416 \Device\0000005c spjj.sys

    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\iScsiPrt \Device\RaidPort1 864A5500

    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\netbt \Device\NetBT_Tcpip_{65AA5710-5DE1-44FD-88B4-76FAC213BF3E} 8652B1F8
    Device \Driver\usbohci \Device\USBFDO-0 86478488
    Device \Driver\nvstor32 \Device\0000006c 85D391F8
    Device \Driver\USBSTOR \Device\0000007a 875EA1F8
    Device \Driver\usbehci \Device\USBFDO-1 864791F8
    Device \Driver\USBSTOR \Device\0000007b 875EA1F8
    Device \Driver\USBSTOR \Device\0000007c 875EA1F8
    Device \Driver\sptd \Device\2506129424 spjj.sys
    Device \Driver\USBSTOR \Device\0000007d 875EA1F8
    Device \Driver\USBSTOR \Device\0000007e 875EA1F8
    Device \Driver\aaaq9zd8 \Device\Scsi\aaaq9zd81Port4Path0Target3Lun0 864A31F8
    Device \Driver\aaaq9zd8 \Device\Scsi\aaaq9zd81Port4Path0Target1Lun0 864A31F8
    Device \Driver\aaaq9zd8 \Device\Scsi\aaaq9zd81 864A31F8
    Device \Driver\aaaq9zd8 \Device\Scsi\aaaq9zd81Port4Path0Target2Lun0 864A31F8
    Device \Driver\aaaq9zd8 \Device\Scsi\aaaq9zd81Port4Path0Target0Lun0 864A31F8
    Device \FileSystem\fastfat \Fat 876231F8

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\cdfs \Cdfs 87BF31F8
    Device \Device\0000006a -> \??\SCSI#Disk&Ven_WDC_WD50&Prod_00AACS-00ZUB#4&2caa503b&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 MBR read error
    Disk \Device\Harddisk0\DR0 MBR BIOS signature not found 0

    ---- Files - GMER 1.0.15 ----

    File C:\Minidumps.zip 102526 bytes
    File C:\MpSigStub.log 5818 bytes

    ---- EOF - GMER 1.0.15 ----


    I ran Windows Memory Diagnostic to test if there was something wrong with my RAM. It didn't find anything.

    I have included a zip with the 5 latest dump files from Windows.

    Here's the link to the tech support post: http://www.techspot.com/vb/topic170141.html

    I use Windows Vista. I would appreciate any help; please tell me if you need additional details.
     

    Attached Files:

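As a worked triage of the artifacts in the post above (an added example, not code from the thread, from GMER or from Microsoft), the script below decodes the Windows Error Reporting signature block, checks the conhost.exe claim against what Windows versions actually ship, and runs a few helper heuristics over lines copied from the GMER log. The facts it relies on: bug check 0x1000007E is the "_M" form of 0x7E (SYSTEM_THREAD_EXCEPTION_NOT_HANDLED) and its BCP1 of 0xC0000005 is STATUS_ACCESS_VIOLATION, so the signature block posted here describes an unhandled kernel exception rather than IRQL_NOT_LESS_OR_EQUAL (which is bug check 0xA); conhost.exe was introduced in Windows 7, so a Vista machine has no genuine copy at all and a conhost.exe living in C:\Windows\Temp is an impostor borrowing the name; the SSDT hooks all belong to vsdatant.sys (ZoneAlarm), and the atapi.sys imports redirected to the random-named spjj.sys together with the \Driver\sptd device are the SPTD driver shipped with DAEMON Tools and Alcohol, which is also the usual cause of GMER's "MBR read error". The regular expressions, the "random-named miniport" rule and the hard-coded C:\Windows path are this example's own assumptions.

```python
"""Added triage example for the artifacts in the post above; not code from the
TechSpot thread, from GMER or from Microsoft. Sample text is copied from the
post; the classification rules are this example's own heuristics."""
import re
from collections import Counter

# Bug check names per Microsoft's reference; only the codes that appear in this thread.
BUGCHECKS = {0x0A: "IRQL_NOT_LESS_OR_EQUAL",
             0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
             0xD4: "DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS"}
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION"}

def decode_signature(block):
    """Parse the BCCode/BCP1..4 lines of a WER problem signature. Codes of the
    form 0x1000xxxx are the '_M' variants, documented as having the same
    meaning and parameters as the base code, so the flag nibble is masked off."""
    fields = dict(re.findall(r"^\s*(BCCode|BCP[1-4]):\s*([0-9A-Fa-f]+)", block, re.M))
    code = int(fields["BCCode"], 16)
    base = code & 0x0FFFFFFF
    params = [int(fields["BCP%d" % i], 16) for i in range(1, 5)]
    result = {"code": code, "name": BUGCHECKS.get(base, "UNKNOWN"), "params": params}
    if base == 0x7E:  # for 0x7E, BCP1 is the NTSTATUS of the unhandled exception
        result["exception"] = NTSTATUS.get(params[0], "0x%08X" % params[0])
    return result

def conhost_is_genuine(nt_version, image_path):
    """conhost.exe first shipped with Windows 7 (NT 6.1). On Vista (NT 6.0) no
    genuine conhost.exe exists; on later versions it lives only under
    %SystemRoot%\\System32 (SystemRoot assumed to be C:\\Windows here)."""
    if nt_version < (6, 1):
        return False
    return image_path.lower() == r"c:\windows\system32\conhost.exe"

SSDT_RE = re.compile(r"^SSDT\s+\S*\\([^\\\s]+)\s+\(([^)]*)\)\s+(\w+)")
# IAT entry whose target is a bare address that GMER could not map to any module
IAT_UNRESOLVED_RE = re.compile(r"^IAT\s+\S*\\([^\\\[]+)\[[^\]]+\]\s+[0-9A-Fa-f]{8}\s*$")
# sp??.sys / \Driver\sptd: the SCSI Pass Through Direct driver used by DAEMON Tools and Alcohol
SPTD_RE = re.compile(r"(?<!\w)sp[a-z]{2}\.sys\s*$|\\Driver\\sptd\b", re.I)
USER_HOOK_RE = re.compile(r"^\.text\s+(\S+\.exe)\[\d+\]\s+(\S+)\s+[0-9A-F]{8}\s+\d+ Bytes\s+JMP", re.I)

def scan_gmer(log):
    f = {"ssdt": Counter(), "sptd_lines": 0, "unresolved_iat": Counter(),
         "user_hooks": [], "mbr_read_error": False}
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("Running:"):  # GMER's own random-named exe and driver
            continue
        m = SSDT_RE.match(line)
        if m:
            f["ssdt"][(m.group(1).lower(), m.group(2))] += 1
        if SPTD_RE.search(line):
            f["sptd_lines"] += 1
        m = IAT_UNRESOLVED_RE.match(line)
        if m:
            f["unresolved_iat"][m.group(1).lower()] += 1
        m = USER_HOOK_RE.match(line)
        if m:
            f["user_hooks"].append((m.group(1).rsplit("\\", 1)[-1], m.group(2)))
        if "MBR read error" in line:
            f["mbr_read_error"] = True
    return f

def assess(f):
    """Turn the raw findings into the notes a helper would write back."""
    notes = []
    for (module, vendor), n in f["ssdt"].items():
        notes.append("SSDT: %d hooks by %s (%s): installed security software, expected" % (n, module, vendor))
    if f["sptd_lines"]:
        notes.append("SPTD present: atapi.sys imports redirected to a random-named sp??.sys; "
                     "this also produces GMER's 'MBR read error'. Disable SPTD and rescan")
    for drv, n in f["unresolved_iat"].items():
        notes.append("%s: %d imports resolve to no module (random-named miniport); usually the "
                     "SPTD virtual drive when SPTD is installed, else a rootkit candidate" % (drv, n))
    for proc, func in f["user_hooks"]:
        notes.append("inline hook in %s on %s: attribute to HIPS/AV before calling it injection" % (proc, func))
    if f["mbr_read_error"] and not f["sptd_lines"]:
        notes.append("MBR read error without SPTD: inspect the MBR from an offline boot")
    return notes

# Copied from the post: the WER signature block and representative GMER lines.
SIGNATURE = "BCCode: 1000007e\nBCP1: C0000005\nBCP2: 870AC720\nBCP3: 8B56FBB8\nBCP4: 8B56F8B4\n"
GMER_SAMPLE = r"""
Running: fn87dlu3.exe; Driver: C:\Users\THEFRA~1\AppData\Local\Temp\uwdiipog.sys
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x8FE7C884]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0x8FE9A358]
.text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtProtectVirtualMemory 77484B84 5 Bytes JMP 00DB000A
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8069A6D2] \SystemRoot\System32\Drivers\spjj.sys
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortNotification] 24488B66
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortWritePortUchar] E84D8966
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortGetUnCachedExtension] [8F1DAFBC] \SystemRoot\System32\Drivers\aaaq9zd8.SYS (ATAPI IDE Miniport Driver/Microsoft Corporation)
Device \Driver\sptd \Device\2506129424 spjj.sys
Disk \Device\Harddisk0\DR0 MBR read error
"""

if __name__ == "__main__":
    print(decode_signature(SIGNATURE))
    print(conhost_is_genuine((6, 0), r"C:\Windows\Temp\conhost.exe"))
    for note in assess(scan_gmer(GMER_SAMPLE)):
        print("-", note)
```

The unresolved-import rule deliberately does not rely on name length: legitimate drivers such as i8042prt.sys also have eight-character names with digits, so the script flags a driver only when GMER shows its import table pointing at addresses outside every loaded module, which is what the aaaq9zd8.SYS entries in the log show.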
  2. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. krinkle

    krinkle TS Rookie Topic Starter

    I didn't complete step 4 because when I downloaded DDS it was downloaded as a screen saver file, .scr, and when I ran it nothing happened.
    I attached the mini dump files because Route44 in the tech forum told me to attach them as a zip file when he was helping me, so I thought they might be of use.

    EDIT: ADDITIONAL INFO:
    I just booted up my computer and I got BSOD. It said: aswSP.SYS and Technical Information: STOP: 0x000000D4 (0x9070E2D0, 0x000000FF, 0x00000001, 0x824635CD)

    EDIT2:
    I think that conhost.exe is causing some problems. It keeps running under processes even when I shut it down, and when I go into C:\Windows\Temp and delete it, it keeps reappearing. Microsoft Security Essentials can't remove it either.
    I can't get DDS.scr to run. Every time I open it, it pops up momentarily and shuts down. No logs or anything.

    I would appreciate any help that you can lend me.

    EDIT3: I ran RSIT.exe and here's the log:

    Logfile of random's system information tool 1.09 (written by random/random)
    Run by TheFracker at 2011-09-01 15:28:23
    Microsoft® Windows Vista™ Home Premium Service Pack 2
    System drive C: has 71 GB (16%) free of 456 GB
    Total RAM: 3071 MB (65% free)

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 15:28:33, on 01-09-2011
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.19120)
    Boot mode: Safe mode with network support

    Running processes:
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Users\TheFracker\Downloads\RSIT.exe
    C:\Program Files\trend micro\TheFracker.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {1FD79A59-37B1-459B-9097-09F9FAB8A523} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVMV0gtR0JZUzQtOU5USEQtUUE3WEQtQzJRSEgtTkZGS0o"&"inst=NzctNjY3NjE1NTMxLUZMMTArMS1ERFQrNDgyNjgtREQxMEYrMQ"&"prod=90"&"ver=10.0.1392
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Google Update] "C:\Users\TheFracker\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O15 - Trusted Zone: http://*.danid.dk
    O15 - Trusted Zone: http://*.danid.dk (HKLM)
    O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.64.0.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} -
    O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} -
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} -
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
    O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

    --
    End of file - 4853 bytes

    ======Scheduled tasks folder======

    C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1634227405-2453312934-4266423901-1000Core.job
    C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1634227405-2453312934-4266423901-1000UA.job

    =========Mozilla firefox=========

    ProfilePath - C:\Users\TheFracker\AppData\Roaming\Mozilla\Firefox\Profiles\avjnnam4.default

    prefs.js - "browser.startup.homepage" - "http://www.google.com/"
    prefs.js - "extensions.enabledItems" - "{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.8, {20a82645-c095-46ed-80e3-08825760534b}:1.2.1, {73a6fe31-595d-460b-a920-fcc0f8843232}:2.1.0.5, {1E73965B-8B48-48be-9C8D-68B920ABC1C4}:10.0.0.1374, {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.9.3, {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}:6.0.25, {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.17, david@dkjensen.com:0.0.5"

    "{20a82645-c095-46ed-80e3-08825760534b}"=c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\


    [HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
    "Description"=Adobe® Flash® Player 10.1 Plugin
    "Path"=C:\Windows\system32\Macromed\Flash\NPSWF32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0]
    "Description"=
    "Path"=

    [HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@idsoftware.com/QuakeLive]
    "Description"=
    "Path"=C:\ProgramData\id Software\QuakeLive\npquakezero.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@java.com/JavaPlugin]
    "Description"=Oracle® Next Generation Java™ Plug-In
    "Path"=C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0]
    "Description"=Ag Player Plugin
    "Path"=c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/WPF,version=3.5]
    "Description"=Windows Presentation Foundation plug-in for Mozilla browsers
    "Path"=c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@pandonetworks.com/PandoWebPlugin]
    "Description"=This plugin detects and launches Pando Media Booster
    "Path"=C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2897]
    "Description"=RealPlayer(tm) LiveConnect-Enabled Plug-In
    "Path"=C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@real.com/nprjplug;version=1.0.2.2955]
    "Description"=RealJukebox Netscape Plugin
    "Path"=C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1675]
    "Description"=6.0.12.1675
    "Path"=C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=]
    "Description"=
    "Path"=

    [HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\Adobe Reader]
    "Description"=Handles PDFs in-place in Firefox
    "Path"=C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll

    C:\Program Files\Mozilla Firefox\extensions\
    {972ce4c6-7e08-4474-a285-3208198ce6fd}
    {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}

    C:\Program Files\Mozilla Firefox\components\
    binary.manifest
    browsercomps.dll
    nsIQTScriptablePlugin.xpt

    C:\Program Files\Mozilla Firefox\plugins\
    npdeployJava1.dll
    nppdf32.dll
    npwachk.dll

    C:\Program Files\Mozilla Firefox\searchplugins\
    amazon-en-GB.xml
    answers.xml
    bing.xml
    chambers-en-GB.xml
    creativecommons.xml
    eBay-en-GB.xml
    google.xml
    wikipedia.xml
    yahoo-en-GB.xml

    C:\Users\TheFracker\AppData\Roaming\Mozilla\Firefox\Profiles\avjnnam4.default\extensions\
    david@dkjensen.com
    staged
    {20a82645-c095-46ed-80e3-08825760534b}

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
    Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-09-22 75200]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD79A59-37B1-459B-9097-09F9FAB8A523}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
    Windows Live ID Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18 403840]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2011-04-14 41760]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2011-03-18 1043968]
    "TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2009-08-18 185896]
    "SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2011-01-07 253672]
    "MSC"=c:\Program Files\Microsoft Security Client\msseces.exe [2011-06-15 997920]
    "LogMeIn Hamachi Ui"=C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe [2011-08-04 1955208]
    "Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2011-06-08 37296]
    "Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2011-03-30 937920]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"=cmd.exe /c start http://www.avg.com/ww.special-unins...ERFQrNDgyNjgtREQxMEYrMQ&prod=90&ver=10.0.1392 []

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]
    "msnmsgr"=C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2010-04-16 3872080]
    "Google Update"=C:\Users\TheFracker\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-05 136176]
    "ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
    "DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-08-08 490952]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"=credssp.dll, mpqaital.dll, merdmfgf.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Hamachi2Svc]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "EnableLUA"=0
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1
    "EnableUIADesktopToggle"=0

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "BindDirectlyToPropertySetStorage"=0

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
    "vidc.mrle"=msrle32.dll
    "vidc.msvc"=msvidc32.dll
    "msacm.imaadpcm"=imaadp32.acm
    "msacm.msg711"=msg711.acm
    "msacm.msgsm610"=msgsm32.acm
    "msacm.msadpcm"=msadp32.acm
    "midimapper"=midimap.dll
    "wavemapper"=msacm32.drv
    "VIDC.UYVY"=msyuv.dll
    "VIDC.YUY2"=msyuv.dll
    "VIDC.YVYU"=msyuv.dll
    "VIDC.IYUV"=iyuv_32.dll
    "vidc.i420"=iyuv_32.dll
    "VIDC.YVU9"=tsbyuv.dll
    "msacm.l3acm"=C:\Windows\System32\l3codeca.acm
    "vidc.cvid"=iccvid.dll
    "msacm.siren"=sirenacm.dll
    "vidc.XVID"=xvidvfw.dll
    "MSVideo8"=VfWWDM32.dll
    "vidc.VP60"=C:\Windows\system32\vp6vfw.dll
    "vidc.VP61"=C:\Windows\system32\vp6vfw.dll
    "wave"=wdmaud.drv
    "midi"=wdmaud.drv
    "mixer"=wdmaud.drv
    "aux"=wdmaud.drv
    "wave1"=wdmaud.drv
    "mixer1"=wdmaud.drv
    "wave5"=wdmaud.drv
    "midi4"=wdmaud.drv
    "mixer5"=wdmaud.drv
    "aux4"=wdmaud.drv
    "wave2"=wdmaud.drv
    "midi1"=wdmaud.drv
    "mixer2"=wdmaud.drv
    "aux1"=wdmaud.drv
    "wave3"=wdmaud.drv
    "midi2"=wdmaud.drv
    "mixer3"=wdmaud.drv
    "aux2"=wdmaud.drv
    "wave4"=wdmaud.drv
    "midi3"=wdmaud.drv
    "mixer4"=wdmaud.drv
    "aux3"=wdmaud.drv
    "wave6"=wdmaud.drv
    "midi5"=wdmaud.drv
    "mixer6"=wdmaud.drv
    "aux5"=wdmaud.drv
    "VIDC.XFR1"=xfcodec.dll
    "msacm.divxa32"=msaud32_divx.acm

    ======File associations======

    .js - edit - C:\Windows\System32\Notepad.exe %1
    .js - open - C:\Windows\System32\WScript.exe "%1" %*

    ======List of files/folders created in the last 1 month======

    2011-09-01 15:28:25 ----D---- C:\Program Files\trend micro
    2011-09-01 15:28:23 ----D---- C:\rsit
    2011-09-01 14:47:04 ----D---- C:\Windows\system32\MpEngineStore
    2011-09-01 14:15:12 ----SHD---- C:\Config.Msi
    2011-09-01 04:14:02 ----A---- C:\mbam-log-2011-09-01 (01-00-47).txt
    2011-09-01 01:31:00 ----A---- C:\fn87dlu3.exe
    2011-09-01 01:30:41 ----A---- C:\techspot.txt
    2011-09-01 01:01:30 ----D---- C:\ProgramData\AVAST Software
    2011-09-01 01:01:30 ----D---- C:\Program Files\AVAST Software
    2011-08-31 19:06:00 ----A---- C:\Windows\system32\avgrep.txt
    2011-08-30 23:35:14 ----A---- C:\mtinst.exe
    2011-08-30 20:00:51 ----A---- C:\Windows\ntbtlog.txt
    2011-08-30 17:40:10 ----A---- C:\check.txt
    2011-08-30 15:09:25 ----A---- C:\Windows\system32\vsregexp.dll
    2011-08-30 15:09:10 ----A---- C:\Windows\system32\zlcommdb.dll
    2011-08-30 15:09:10 ----A---- C:\Windows\system32\zlcomm.dll
    2011-08-30 15:09:06 ----A---- C:\Windows\system32\vswmi.dll
    2011-08-30 15:09:05 ----A---- C:\Windows\system32\zpeng25.dll
    2011-08-30 15:09:05 ----A---- C:\Windows\system32\vsxml.dll
    2011-08-30 15:09:05 ----A---- C:\Windows\system32\vspubapi.dll
    2011-08-30 15:09:05 ----A---- C:\Windows\system32\vsmonapi.dll
    2011-08-30 15:09:04 ----A---- C:\Windows\system32\vsdata.dll
    2011-08-30 15:08:58 ----D---- C:\Windows\system32\ZoneLabs
    2011-08-30 15:08:58 ----A---- C:\Windows\system32\drivers\vsdatant.sys
    2011-08-30 15:08:54 ----D---- C:\Program Files\Zone Labs
    2011-08-30 15:08:13 ----A---- C:\Windows\system32\vsutil.dll
    2011-08-30 15:08:13 ----A---- C:\Windows\system32\vsinit.dll
    2011-08-30 15:06:47 ----D---- C:\Program Files\Microsoft Security Client
    2011-08-24 17:04:37 ----A---- C:\Windows\system32\tzres.dll
    2011-08-24 16:55:38 ----D---- C:\Program Files\LogMeIn Hamachi
    2011-08-17 18:43:21 ----D---- C:\Users\TheFracker\AppData\Roaming\LolClient
    2011-08-17 17:38:58 ----D---- C:\Riot Games
    2011-08-17 15:16:27 ----D---- C:\Program Files\LoL
    2011-08-17 14:30:32 ----D---- C:\Users\TheFracker\AppData\Roaming\GRETECH
    2011-08-17 14:29:19 ----D---- C:\Program Files\GRETECH
    2011-08-10 02:47:11 ----A---- C:\Windows\system32\winsrv.dll
    2011-08-10 02:46:07 ----A---- C:\Windows\system32\drivers\mrxsmb10.sys
    2011-08-10 02:41:12 ----A---- C:\Windows\system32\wininet.dll
    2011-08-10 02:41:12 ----A---- C:\Windows\system32\urlmon.dll
    2011-08-10 02:41:12 ----A---- C:\Windows\system32\iertutil.dll
    2011-08-10 02:41:11 ----A---- C:\Windows\system32\jsproxy.dll
    2011-08-10 02:41:10 ----A---- C:\Windows\system32\mshtml.dll
    2011-08-10 02:41:09 ----A---- C:\Windows\system32\ieframe.dll
    2011-08-10 02:41:09 ----A---- C:\Windows\system32\ie4uinit.exe
    2011-08-10 02:41:08 ----A---- C:\Windows\system32\url.dll
    2011-08-10 02:41:08 ----A---- C:\Windows\system32\msfeeds.dll
    2011-08-10 02:41:07 ----A---- C:\Windows\system32\occache.dll
    2011-08-10 02:41:07 ----A---- C:\Windows\system32\mstime.dll
    2011-08-10 02:41:07 ----A---- C:\Windows\system32\ieui.dll
    2011-08-10 02:41:07 ----A---- C:\Windows\system32\iesysprep.dll
    2011-08-10 02:41:07 ----A---- C:\Windows\system32\iepeers.dll
    2011-08-10 02:41:07 ----A---- C:\Windows\system32\iedkcs32.dll
    2011-08-10 02:41:06 ----A---- C:\Windows\system32\mshtmled.dll
    2011-08-10 02:41:06 ----A---- C:\Windows\system32\msfeedssync.exe
    2011-08-10 02:41:06 ----A---- C:\Windows\system32\msfeedsbs.dll
    2011-08-10 02:41:06 ----A---- C:\Windows\system32\licmgr10.dll
    2011-08-10 02:41:06 ----A---- C:\Windows\system32\ieUnatt.exe
    2011-08-10 02:41:06 ----A---- C:\Windows\system32\iesetup.dll
    2011-08-10 02:41:06 ----A---- C:\Windows\system32\iernonce.dll
    2011-08-10 02:33:49 ----A---- C:\Windows\system32\ntoskrnl.exe
    2011-08-10 02:33:49 ----A---- C:\Windows\system32\ntkrnlpa.exe
    2011-08-10 02:32:52 ----A---- C:\Windows\system32\drivers\tcpipreg.sys
    2011-08-10 02:32:52 ----A---- C:\Windows\system32\drivers\tcpip.sys
    2011-08-04 23:29:31 ----D---- C:\Users\TheFracker\AppData\Roaming\FOG Downloader
    2011-08-04 23:29:22 ----D---- C:\Program Files\Runes of Magic
    2011-08-02 22:08:15 ----D---- C:\Windows\system32\Updates
    2011-08-02 22:08:12 ----D---- C:\Windows\system32\Data

    ======List of files/folders modified in the last 1 month======

    2011-09-01 15:28:25 ----RD---- C:\Program Files
    2011-09-01 15:28:13 ----D---- C:\Windows\Temp
    2011-09-01 15:27:14 ----D---- C:\Windows\Internet Logs
    2011-09-01 14:47:04 ----D---- C:\Windows\System32
    2011-09-01 14:28:30 ----D---- C:\Program Files\Mozilla Firefox
    2011-09-01 14:24:22 ----D---- C:\Program Files\Steam
    2011-09-01 14:16:15 ----D---- C:\ProgramData\MFAData
    2011-09-01 14:16:11 ----SHD---- C:\Windows\Installer
    2011-09-01 14:16:01 ----D---- C:\ProgramData\AVG10
    2011-09-01 14:15:39 ----D---- C:\Windows\system32\drivers\AVG
    2011-09-01 14:15:29 ----D---- C:\Windows\system32\drivers
    2011-09-01 14:12:35 ----D---- C:\Windows
    2011-09-01 14:08:01 ----D---- C:\Windows\Minidump
    2011-09-01 01:01:37 ----D---- C:\Program Files\Windows Sidebar
    2011-09-01 01:01:30 ----HD---- C:\ProgramData
    2011-08-31 18:28:51 ----D---- C:\Program Files\PS3 Media Server
    2011-08-30 22:25:02 ----D---- C:\Windows\system32\LogFiles
    2011-08-30 20:10:52 ----D---- C:\Windows\Prefetch
    2011-08-30 19:53:00 ----D---- C:\Windows\system32\catroot2
    2011-08-30 17:43:00 ----D---- C:\Users\TheFracker\AppData\Roaming\vlc
    2011-08-30 17:29:55 ----RSD---- C:\Windows\assembly
    2011-08-30 17:29:55 ----D---- C:\Windows\Microsoft.NET
    2011-08-30 16:59:41 ----D---- C:\Windows\rescache
    2011-08-30 16:57:11 ----D---- C:\Windows\winsxs
    2011-08-30 16:34:59 ----D---- C:\Windows\system32\catroot
    2011-08-30 16:29:13 ----D---- C:\Windows\system32\da-DK
    2011-08-30 16:29:12 ----D---- C:\Windows\system32\migration
    2011-08-30 16:29:12 ----D---- C:\Program Files\Internet Explorer
    2011-08-30 16:28:54 ----D---- C:\Windows\inf
    2011-08-30 16:08:49 ----A---- C:\Windows\system32\PerfStringBackup.INI
    2011-08-30 03:39:02 ----D---- C:\Users\TheFracker\AppData\Roaming\uTorrent
    2011-08-30 00:04:14 ----D---- C:\Program Files\World of Warcraft
    2011-08-29 18:49:42 ----D---- C:\Musik
    2011-08-26 16:54:06 ----D---- C:\Users\TheFracker\AppData\Roaming\Skype
    2011-08-17 21:13:52 ----D---- C:\ProgramData\PMB Files
    2011-08-17 17:38:58 ----HD---- C:\Program Files\InstallShield Installation Information
    2011-08-16 21:11:36 ----D---- C:\Program Files\Heroes of Newerth
    2011-08-16 19:59:51 ----D---- C:\Windows\system32\directx
    2011-08-16 19:59:46 ----HD---- C:\Windows\msdownld.tmp

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R0 Lbd;Lbd; C:\Windows\system32\DRIVERS\Lbd.sys [2010-07-09 64288]
    R0 nvstor32;nvstor32; C:\Windows\system32\DRIVERS\nvstor32.sys [2007-10-31 115744]
    R0 sptd;sptd; C:\Windows\System32\Drivers\sptd.sys [2009-03-13 717296]
    R1 Vsdatant;Zone Alarm Firewall Driver; C:\Windows\system32\DRIVERS\vsdatant.sys [2010-05-15 457304]
    R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-01-15 23848]
    R3 hamachi;Hamachi Network Interface; C:\Windows\system32\DRIVERS\hamachi.sys [2010-02-03 26176]
    R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\Windows\system32\DRIVERS\nvmfdx32.sys [2007-11-18 1040544]
    R3 nvsmu;nvsmu; C:\Windows\system32\DRIVERS\nvsmu.sys [2007-07-07 12032]
    R3 X10Hid;X10 Hid Device; C:\Windows\System32\Drivers\x10hid.sys [2006-11-17 13976]
    R3 XUIF;X10 USB Wireless Transceiver; C:\Windows\System32\Drivers\x10ufx2.sys [2006-11-30 27416]
    R4 AVGIDSEH;AVGIDSEH; C:\Windows\system32\DRIVERS\AVGIDSEH.Sys []
    R4 Avgrkx86;AVG Anti-Rootkit Driver; C:\Windows\system32\DRIVERS\avgrkx86.sys []
    R4 Avgtdix;AVG TDI Driver; C:\Windows\system32\DRIVERS\avgtdix.sys []
    S1 jhqlgxpg;jhqlgxpg; \??\C:\Windows\system32\drivers\jhqlgxpg.sys []
    S1 MpFilter;Microsoft Malware Protection Driver; C:\Windows\system32\DRIVERS\MpFilter.sys [2011-04-18 165648]
    S1 MpKsl033028ab;MpKsl033028ab; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FDB5D89C-FAF4-427E-A9D0-0C7CBCBAE65F}\MpKsl033028ab.sys [2011-08-30 28752]
    S1 MpKsl095d3fc7;MpKsl095d3fc7; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FDB5D89C-FAF4-427E-A9D0-0C7CBCBAE65F}\MpKsl095d3fc7.sys [2011-08-30 28752]
    S1 MpKsl3d105157;MpKsl3d105157; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E0EF5E96-8297-4D80-9FD5-3DB6319C266D}\MpKsl3d105157.sys []
    S1 MpKsl55c019c8;MpKsl55c019c8; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C2976BEB-1ADB-4473-8E4E-CC6C54CC07E0}\MpKsl55c019c8.sys []
    S1 MpKsl58a1a83e;MpKsl58a1a83e; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FDB5D89C-FAF4-427E-A9D0-0C7CBCBAE65F}\MpKsl58a1a83e.sys [2011-08-31 28752]
    S1 MpKsl6849a32a;MpKsl6849a32a; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FDB5D89C-FAF4-427E-A9D0-0C7CBCBAE65F}\MpKsl6849a32a.sys [2011-08-30 28752]
    S1 MpKsl81616e7e;MpKsl81616e7e; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FDB5D89C-FAF4-427E-A9D0-0C7CBCBAE65F}\MpKsl81616e7e.sys []
    S1 MpKsl997801e2;MpKsl997801e2; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FDB5D89C-FAF4-427E-A9D0-0C7CBCBAE65F}\MpKsl997801e2.sys [2011-08-30 28752]
    S1 MpKslbd378a8f;MpKslbd378a8f; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FDB5D89C-FAF4-427E-A9D0-0C7CBCBAE65F}\MpKslbd378a8f.sys [2011-08-30 28752]
    S1 MpKslcbfb3f94;MpKslcbfb3f94; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FDB5D89C-FAF4-427E-A9D0-0C7CBCBAE65F}\MpKslcbfb3f94.sys [2011-08-30 28752]
    S1 MpKslcdb7aa43;MpKslcdb7aa43; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FDB5D89C-FAF4-427E-A9D0-0C7CBCBAE65F}\MpKslcdb7aa43.sys [2011-08-31 28752]
    S1 MpKsld1861ecb;MpKsld1861ecb; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FDB5D89C-FAF4-427E-A9D0-0C7CBCBAE65F}\MpKsld1861ecb.sys [2011-08-31 28752]
    S1 MpKsld3d46160;MpKsld3d46160; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FDB5D89C-FAF4-427E-A9D0-0C7CBCBAE65F}\MpKsld3d46160.sys []
    S1 unjybqhl;unjybqhl; \??\C:\Windows\system32\drivers\unjybqhl.sys []
    S2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
    S2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\Windows\system32\drivers\LMIRfsDriver.sys [2010-05-31 47640]
    S3 afj5qeok;afj5qeok; C:\Windows\system32\drivers\afj5qeok.sys []
    S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
    S3 FETNDIS;Tjenesten VIA Rhine-Family Fast Ethernet-netværkskortdriver; C:\Windows\system32\DRIVERS\fetnd5.sys [2006-11-02 45568]
    S3 GarenaPEngine;GarenaPEngine; \??\C:\Users\THEFRA~1\AppData\Local\Temp\YKF18BB.tmp []
    S3 GGSAFERDriver;GGSAFER Driver; \??\C:\Program Files\Garena\safedrv.sys []
    S3 HdAudAddService;Microsoft 1.1 UAA-funktionsdriver til High Definition Audio-tjeneste; C:\Windows\system32\drivers\HdAudio.sys [2009-04-11 236544]
    S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\Windows\system32\DRIVERS\ewusbmdm.sys [2009-09-28 102912]
    S3 hwusbdev;Huawei DataCard USB PNP Device; C:\Windows\system32\DRIVERS\ewusbdev.sys [2009-09-28 101248]
    S3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-11-14 2016920]
    S3 lmimirr;lmimirr; C:\Windows\system32\DRIVERS\lmimirr.sys [2010-05-31 10144]
    S3 MpNWMon;Microsoft Malware Protection Network Driver; C:\Windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
    S3 MSKSSRV;Serviceproxy til Microsoft Streaming; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
    S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
    S3 MSPQM;Kvalitetsstyringsproxy til Microsoft Streaming; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
    S3 MSTEE;Tee/Sink-to-Sink-konverteringsprogram til Microsoft Streaming; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
    S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista; C:\Windows\system32\DRIVERS\netr28u.sys []
    S3 Netaapl;Apple Mobile Device Ethernet Service; C:\Windows\system32\DRIVERS\netaapl.sys []
    S3 NisDrv;Microsoft Network Inspection System; C:\Windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
    S3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2007-12-14 8244320]
    S3 Ph3xIB32;Philips 713x Inbox PCI TV Card; C:\Windows\system32\DRIVERS\Ph3xIB32.sys [2007-04-03 1131136]
    S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 2028032]
    S3 usbaudio;USB-lyddriver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2009-04-11 73216]
    S3 usbscan;USB-scannerdriver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
    S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys []
    S3 vsdatant7;vsdatant7; C:\Windows\System32\drivers\vsdatant.win7.sys []
    S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-19 39936]
    S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
    S4 LMIRfsClientNP;LMIRfsClientNP; C:\Windows\system32\drivers\LMIRfsClientNP.sys []

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine; C:\Program Files\LogMeIn Hamachi\hamachi-2.exe [2011-08-04 1361288]
    R2 MsMpSvc;Microsoft Antimalware Service; c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [2011-04-27 11736]
    R2 vsmon;TrueVector Internet Monitor; C:\Windows\System32\ZoneLabs\vsmon.exe [2011-03-18 2435592]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2011-06-20 1355968]
    S2 PnkBstrA;PnkBstrA; C:\Windows\system32\PnkBstrA.exe [2011-01-18 75136]
    S2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-08-18 1529728]
    S2 x10nets;X10 Device Network Service; C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe [2001-11-12 20480]
    S3 aspnet_state;ASP.NET-tilstandstjeneste; C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe [2010-03-18 35160]
    S3 getPlusHelper;@C:\Program Files\NOS\bin\getPlus_Helper.dll,-101; C:\Windows\System32\svchost.exe [2008-01-19 21504]
    S3 NisSrv;@c:\Program Files\Microsoft Security Client\Antimalware\MpAsDesc.dll,-243; c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
    S3 Steam Client Service;Steam Client Service; C:\Program Files\Common Files\Steam\SteamService.exe [2011-06-02 403240]
    S3 WPFFontCache_v0400;@c:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100; C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S4 NetMsmqActivator;@c:\Windows\Microsoft.NET\Framework\v4.0.30319\\ServiceModelInstallRC.dll,-8195; C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [2010-03-18 124240]
    S4 NetPipeActivator;@c:\Windows\Microsoft.NET\Framework\v4.0.30319\\ServiceModelInstallRC.dll,-8197; C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [2010-03-18 124240]
    S4 NetTcpActivator;@c:\Windows\Microsoft.NET\Framework\v4.0.30319\\ServiceModelInstallRC.dll,-8199; C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [2010-03-18 124240]

    -----------------EOF-----------------
     
  4. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Download TDSSKiller and save it to your desktop.
    • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
Topic Status:
Not open for further replies.
