TechSpot

Can't start several programs or access some sites

Resolved
By Geoffrey
Nov 11, 2012
  1. Hello. I'm using Windows XP SP3 and something prevents me from starting any anti-virus programs and, for some reason, Opera. I tried starting in safe mode but that didn't work. Neither can I access the sites of anti-virus programs. I managed to start MBAM via their Chameleon tool and run a check. Then it told me to reboot, which I did. But I still couldn't start the same things and after running the search a second time, the same viruses were shown. I also downloaded GMER, which worked fine, so I have these logs. But when trying to run DDS I get the following Application Error: "The procedure * could not be located in the DLL sfc.dll.". After closing it with Task Manager, the program only produces Attach.txt but not the other. I would be very thankful for any help.
    Here are the logs (MBAM and Attach are in Polish, but I hope that's not too big an inconvenience):



    Malwarebytes Anti-Malware 1.65.1.1000
    www.malwarebytes.org

    Wersja bazy: v2012.11.11.03

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 7.0.5730.13
    :: KOMP [administrator]

    2012-11-11 16:36:36
    mbam-log-2012-11-11 (16-36-36).txt

    Typ skanowania: Szybkie skanowanie
    Zaznaczone opcje skanowania: Pamięć | Rozruch | Rejestr | System plików | Heurystyka/Dodatkowe | Heuristyka/Shuriken | PUP | PUM
    Odznaczone opcje skanowania: P2P
    Przeskanowano obiektów: 253082
    Upłynęło: 3 minut(y), 37 sekund(y)

    Wykrytych procesów w pamięci: 0
    (Nie znaleziono zagrożeń)

    Wykrytych modułów w pamięci: 0
    (Nie znaleziono zagrożeń)

    Wykrytych kluczy rejestru: 2
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> Dodanie do kwarantanny I usunięcie pliku zakończyły się powodzeniem.
    HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) -> Dodanie do kwarantanny I usunięcie pliku zakończyły się powodzeniem.

    Wykrytych wartości rejestru: 0
    (Nie znaleziono zagrożeń)

    Wykryte wpisy rejestru systemowego: 3
    HKLM\SOFTWARE\Microsoft\Security Center|ANTIVIRUSDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Złe: (1) Dobre: (0) -> Dodanie do kwarantanny I naprawa pliku zakończyły się powodzeniem.
    HKLM\SOFTWARE\Microsoft\Security Center|FIREWALLDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Złe: (1) Dobre: (0) -> Dodanie do kwarantanny I naprawa pliku zakończyły się powodzeniem.
    HKLM\SOFTWARE\Microsoft\Security Center|UPDATESDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Złe: (1) Dobre: (0) -> Dodanie do kwarantanny I naprawa pliku zakończyły się powodzeniem.

    wykrytych folderów: 0
    (Nie znaleziono zagrożeń)

    Wykrytych plików: 0
    (Nie znaleziono zagrożeń)

    (zakończone)

    GMER 1.0.15.14966 - http://www.gmer.net
    Rootkit scan 2012-11-11 16:52:12
    Windows 5.1.2600 Dodatek Service Pack 3


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xAEF92D42]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xAEF92BAD]

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 89D5B1F8

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- EOF - GMER 1.0.15 ----

    DDS (Ver_2012-11-07.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2009-10-29 13:43:39
    System Uptime: 2012-11-11 16:50:20 (1 hours ago)
    .
    Motherboard: MSI | | MS-7250
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4000+ | CPU 1 | 2100/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 49 GiB total, 5,674 GiB free.
    D: is FIXED (NTFS) - 49 GiB total, 7,477 GiB free.
    E: is FIXED (NTFS) - 135 GiB total, 3,269 GiB free.
    F: is CDROM ()
    G: is CDROM ()
    H: is CDROM ()
    J: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
    Description: Standardowa klawiatura 101/102 klawisze lub Microsoft Natural Keyboard PS/2
    Device ID: ACPI\PNP0303\4&126B373&0
    Manufacturer: (Klawiatury standardowe)
    Name: Standardowa klawiatura 101/102 klawisze lub Microsoft Natural Keyboard PS/2
    PNP Device ID: ACPI\PNP0303\4&126B373&0
    Service: i8042prt
    .
    Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
    Description: Mysz Microsoft PS/2
    Device ID: ACPI\PNP0F03\4&126B373&0
    Manufacturer: Microsoft
    Name: Mysz Microsoft PS/2
    PNP Device ID: ACPI\PNP0F03\4&126B373&0
    Service: i8042prt
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: NVIDIA nForce Networking Controller
    Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&B24231D&0&00
    Manufacturer: NVIDIA
    Name: NVIDIA nForce Networking Controller
    PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&B24231D&0&00
    Service: NVENETFD
    .
    ==== System Restore Points ===================
    .
    RP367: 2012-10-27 13:53:31 - Punkt kontrolny systemu
    RP368: 2012-10-28 21:18:33 - Punkt kontrolny systemu
    RP369: 2012-11-01 14:04:57 - Punkt kontrolny systemu
    RP370: 2012-11-06 15:48:58 - Punkt kontrolny systemu
    RP371: 2012-11-09 15:34:23 - Punkt kontrolny systemu
    RP372: 2012-11-10 12:03:48 - Operacja przywracania
    RP373: 2012-11-10 12:08:36 - Operacja przywracania
    RP374: 2012-11-10 23:06:53 - Instalacja avast! Free Antivirus
    .
    ==== Image File Execution Options =============
    .
    IFEO: Your Image File Name Here without a path - ntsd -d
    .
    ==== Installed Programs ======================
    .
    7-Zip 9.20
    Adobe Anchor Service CS4
    Adobe Bridge CS4
    Adobe CMaps CS4
    Adobe Color - Photoshop Specific CS4
    Adobe Color EU Extra Settings CS4
    Adobe Color JA Extra Settings CS4
    Adobe Color NA Recommended Settings CS4
    Adobe Color Video Profiles CS CS4
    Adobe CSI CS4
    Adobe Default Language CS4
    Adobe ExtendScript Toolkit CS4
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Fonts All
    Adobe Linguistics CS4
    Adobe Output Module
    Adobe PDF Library Files CS4
    Adobe Photoshop CS4
    Adobe Photoshop CS4 Support
    Adobe Reader 9.3 - Deutsch
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe Shockwave Player 11.6
    Adobe Type Support CS4
    Adobe Update Manager CS4
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS4
    AdobeColorCommonSetCMYK
    AdobeColorCommonSetRGB
    AMD APP SDK Runtime
    AMD Catalyst Install Manager
    Amnesia - The Dark Descent
    Arcanum Of Steamworks and Magick Obscura
    Audiograbber 1.83 SE
    Audiograbber MP3 Plugin
    avast! Free Antivirus
    Bandisoft MPEG-1 Decoder
    Borland Delphi 7
    calibre
    Catalyst Control Center
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    CCleaner
    Chess 0.9
    Connect
    Crusader Kings II
    Deep Fritz 13
    Diablo III
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Plus Web Player
    Dropbox
    Dungeons of Dredmor
    F.lux
    Faster Than Light
    FastStone Image Viewer 4.3
    FlatOut2
    Freelancer 1.5
    GIMP 2.8.2
    Google Chrome
    Google Earth
    Hi-Rez Studios Authenticate and Update Service
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows XP (KB954550-v5)
    Hotline Miami
    JADE (Java-based Ancient Domains Engine)
    Java Auto Updater
    Java(TM) 6 Update 22
    Java(TM) 6 Update 24
    K-Lite Codec Pack 5.3.0 (Full)
    kuler
    League of Legends
    Left 4 Dead 2
    Legend of Grimrock
    LIMBO
    LOLReplay
    Malwarebytes Anti-Malware version 1.65.1.1000
    Mass Effect™ 3
    MatheAss 8.2
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - PLK
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - PLK
    Microsoft .NET Framework 3.5 Language Pack SP1 - plk
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Client Profile PLK Language Pack
    Microsoft .NET Framework 4 Extended
    Microsoft .NET Framework 4 Extended PLK Language Pack
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft WSE 3.0 Runtime
    Microsoft XNA Framework Redistributable 3.0
    Microsoft XNA Framework Redistributable 3.1
    Microsoft XNA Framework Redistributable 4.0
    MotioninJoy ds3 driver version 0.4.0002
    Mozilla Firefox 14.0.1 (x86 en-US)
    Mozilla Maintenance Service
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6.0 Parser (KB925673)
    MTX
    Nexon Game Manager
    OpenAL
    OpenOffice.org 3.3
    Opera 12.10
    Origin
    Paint.NET v3.5.10
    Pakiet językowy programu Microsoft .NET Framework 3.5 z dodatkiem SP1 — PLK
    Pakiet sterowników systemu Windows - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
    Pando Media Booster
    PDF Settings CS4
    Photoshop Camera Raw
    Planescape Torment
    Polski pakiet językowy dla programu Microsoft .NET Framework 4 Client Profile
    Polski pakiet językowy dla programu Microsoft .NET Framework 4 Extended
    Poprawka dla systemu Windows XP (KB938759)
    PuTTY version 0.61
    Quake Live Mozilla Plugin
    Real Alternative 2.0.2
    Realtek High Definition Audio Driver
    SAMSUNG USB Driver for Mobile Phones
    Security Task Manager 1.7h
    Skype™ 5.10
    Smite
    Solium Infernum
    Source SDK Base 2007
    Spybot - Search & Destroy
    StarCraft II
    Stay Secure
    Steam
    Suite Shared Configuration CS4
    swMSM
    Sword of Damocles: Warlords 3.92
    System Requirements Lab CYRI
    The Sims™ 3
    TmNationsForever
    TRON
    TuneUp Utilities 2011
    TuneUp Utilities Language Pack (en-US)
    Unity Web Player
    VC80CRTRedist - 8.0.50727.4053
    Ventrilo Client
    Visual C++ 9.0 CRT (x86) WinSXS MSM
    WebFldrs XP
    Winamp
    Winamp Detector Plug-in
    Windows Presentation Foundation
    XML Paper Specification Shared Components Language Pack 1.0
    XML Paper Specification Shared Components Pack 1.0
    Zeus and Poseidon
    .
    ==== End Of File ===========================
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (on this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    ComboFix scan

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop.

    Important information about ComboFix


    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on ComboFix.exe & follow the prompts.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method as above, but download it again and rename
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of important system processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
  3. Geoffrey

    Geoffrey TS Rookie Topic Starter Posts: 18

    Thanks for the response. I got ComboFix via USB stick from another computer. It starts (after renaming it from ComboFix) but while installing, somewhere around the middle, the same error as during the DDS check pops up: "The procedure * could not be located in the DLL sfc.dll.". It happens a bunch of times and then, when it's finished, it gives me a warning about running ComboFix but the program isn't installed anywhere. I also tried to run it in safe mode but the same thing happens. I'm guessing something is missing in the registry but I didn't want to mess anything up by tinkering in it.
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    RogueKiller Scan

    • Download RogueKiller and save it on your desktop.
    • Quit all programs
    • Start RogueKiller.exe.
    • Wait until Prescan has finished ...
    • Click on Scan
    • Wait for the end of the scan.
    • The report has been created on the desktop.
    • Click on the Delete button.
    • The report has been created on the desktop.
    • Next click on the ShortcutsFix

    • The report has been created on the desktop.
    Please post:

    All RKreport.txt text files located on your desktop.



    Download Windows Repair (all in one) from this site

    Install the program then run it.

    Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:

    Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:

    Go to Step 4 and under "System Restore" click on Create button:

    Go to Start Repairs tab and click Start button.

    Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

    Click on box next to the Restart System when Finished. Then click on Start.


    Then, try ComboFix again, as well.
  5. Geoffrey

    Geoffrey TS Rookie Topic Starter Posts: 18

    I followed the instructions but ComboFix still shows the same error. Anyway, here are the logs from RogueKiller:

    RogueKiller V8.2.3 [11/07/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows XP (5.1.2600 Dodatek Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Prezes [Admin rights]
    Mode : Scan -- Date : 11/12/2012 19:46:09

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 16 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : GvgAehbg (C:\D & S\Prezes\Ustawienia lokalne\Dane aplikacji\cbqlaqxc\gvgaehbg.exe) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-220523388-362288127-682003330-500[...]\Run : GvgAehbg (C:\D & S\Prezes\Ustawienia lokalne\Dane aplikacji\cbqlaqxc\gvgaehbg.exe) -> FOUND
    [HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJPOL] HKCU\[...]\System : DisableCMD (0) -> FOUND
    [HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJPOL] HKLM\[...]\System : DisableCMD (0) -> FOUND
    [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
    [HJ] HKLM\[...]\Security Center : ANTIVIRUSDISABLENOTIFY (1) -> FOUND
    [HJ] HKLM\[...]\Security Center : FIREWALLDISABLENOTIFY (1) -> FOUND
    [HJ] HKLM\[...]\Security Center : UPDATESDISABLENOTIFY (1) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤
    SSDT[41] : NtCreateKey @ 0x80623786 -> HOOKED (\??\C:\TMP\rsjinqaf.sys @ 0xF77B16AC)
    SSDT[119] : NtOpenKey @ 0x80624B58 -> HOOKED (\??\C:\TMP\rsjinqaf.sys @ 0xF77B1562)

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\WINDOWS\system32\drivers\etc\hosts

    [...]


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD2500AAJS-00VTA0 +++++
    --- User ---
    [MBR] 0482194ca901016647363fd33026233c
    [BSP] 796d5011dbe7c943fd8ffc0cc7f5d59e : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 49999 Mo
    1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 102398310 | Size: 188465 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[1]_S_11122012_02d1946.txt >>
    RKreport[1]_S_11122012_02d1946.txt



    RogueKiller V8.2.3 [11/07/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows XP (5.1.2600 Dodatek Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Prezes [Admin rights]
    Mode : Remove -- Date : 11/12/2012 19:46:17

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 15 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : GvgAehbg (C:\D & S\Prezes\Ustawienia lokalne\Dane aplikacji\cbqlaqxc\gvgaehbg.exe) -> DELETED
    [HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
    [HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
    [HJPOL] HKCU\[...]\System : DisableCMD (0) -> DELETED
    [HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
    [HJPOL] HKLM\[...]\System : DisableCMD (0) -> DELETED
    [HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
    [HJ] HKLM\[...]\Security Center : ANTIVIRUSDISABLENOTIFY (1) -> REPLACED (0)
    [HJ] HKLM\[...]\Security Center : FIREWALLDISABLENOTIFY (1) -> REPLACED (0)
    [HJ] HKLM\[...]\Security Center : UPDATESDISABLENOTIFY (1) -> REPLACED (0)
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> REPLACED (1)
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> REPLACED (1)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤
    SSDT[41] : NtCreateKey @ 0x80623786 -> HOOKED (\??\C:\TMP\rsjinqaf.sys @ 0xF77B16AC)
    SSDT[119] : NtOpenKey @ 0x80624B58 -> HOOKED (\??\C:\TMP\rsjinqaf.sys @ 0xF77B1562)

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\WINDOWS\system32\drivers\etc\hosts

    [...]


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD2500AAJS-00VTA0 +++++
    --- User ---
    [MBR] 0482194ca901016647363fd33026233c
    [BSP] 796d5011dbe7c943fd8ffc0cc7f5d59e : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 49999 Mo
    1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 102398310 | Size: 188465 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[2]_D_11122012_02d1946.txt >>
    RKreport[1]_S_11122012_02d1946.txt ; RKreport[2]_D_11122012_02d1946.txt



    RogueKiller V8.2.3 [11/07/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows XP (5.1.2600 Dodatek Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Prezes [Admin rights]
    Mode : Shortcuts HJfix -- Date : 11/12/2012 19:47:59

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤

    ¤¤¤ File attributes restored: ¤¤¤
    Desktop: Success 0 / Fail 0
    Quick launch: Success 0 / Fail 0
    Programs: Success 20 / Fail 0
    Start menu: Success 0 / Fail 0
    User folder: Success 65 / Fail 0
    My documents: Success 6 / Fail 6
    My favorites: Success 0 / Fail 0
    My pictures: Success 0 / Fail 0
    My music: Success 0 / Fail 0
    My videos: Success 0 / Fail 0
    Local drives: Success 1265 / Fail 0
    Backup: [NOT FOUND]

    Drives:
    [C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
    [D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
    [E:] \Device\HarddiskVolume3 -- 0x3 --> Restored
    [F:] \Device\CdRom0 -- 0x5 --> Skipped
    [G:] \Device\CdRom1 -- 0x5 --> Skipped
    [H:] \Device\CdRom2 -- 0x5 --> Skipped

    Finished : << RKreport[3]_SC_11122012_02d1947.txt >>
    RKreport[1]_S_11122012_02d1946.txt ; RKreport[2]_D_11122012_02d1946.txt ; RKreport[3]_SC_11122012_02d1947.txt
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okie dokie...

    Kaspersky GetSystemInfo Scan

    Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.

    Note: please close all other applications running on your system.

    Double click GetSystemInfo.exe to open it. It will display an agreement. Click on I Agree to continue.

    Click the Settings button.

    Set the slider to Maximum.

    IMPORTANT! Then, click Customize - choose Driver / Ports tab and uncheck Scan Ports.


    On the General tab, make sure all of the boxes are checked.


    On the Misc tab, make sure all the checkboxes are checked.

    Then, click OK on the windows that you launched.


    Click Create Report to run it.

    It will begin scanning.

    It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop.

    It should automatically upload it to http://www.getsysteminfo.com. If it does not, then please submit it manually by going to the site and doing the upload process.

    It will redirect to a page, where it will provide a sharing URL for specialists. Copy and paste the url of the GSI Parser report in your next reply.
  7. Geoffrey

    Geoffrey TS Rookie Topic Starter Posts: 18

  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Too many security programs?

    I suspect that you may be running too many security programs with real-time protection. Keep in mind that running too much real-time protection can cause more problems than it prevents. It can also cause system crashes, and even false positives.

    Please remove Spybot Search & Destroy.


    CCleaner Temporary Files Cleaning

    NOTE: If you already have this installed, you don't have to reinstall it.

    Please download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    • Double-click the CCleaner shortcut on the desktop to start the program.
    • A prompt will ask you if you want CCleaner to do a check to see what cookies it needs to keep. Allow that operation.
    • On the Cleaner tab, click on Run Cleaner on the bottom-right to run the program.
    • Important: Make sure that ALL browser windows are closed before selecting Run Cleaner, or it will ask if you want the program to close them for you (when you do this, all unsaved data may be lost in the browser).

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.


    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.
  9. Geoffrey

    Geoffrey TS Rookie Topic Starter Posts: 18

    I couldn't access the site. It just said it was unable to connect, just like with several other security sites.
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    OTLPE + Farbar Recovery Scan Tool

    • Download OTLPENet.exe to your desktop
    • Download Farbar Recovery Scan Tool and save it to a flash drive. (Get the 64 bit version)
    • Ensure that you have a blank CD in the drive
    • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
    • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
    • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
    • Your system should now display a Reatogo desktop.
    Note : as you are running from CD it is not exactly speedy
    • Insert the flash drive with FRST on it
    • Locate the flash drive and run FRST
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button. It will do its scan and save a log on your flash drive.
    • Close out of the message after that, then type in the text services.exe in to the "Search:" text box. Then, press the Search file(s) button, just as below:
      When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
    • Type exit in the Command Prompt window and reboot the computer normally
    • FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply.
  11. Geoffrey

    Geoffrey TS Rookie Topic Starter Posts: 18

    I made the logs. My Windows is 32-bit though, so I took the matching FRST version. Anyway:


    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-11-2012
    Ran by SYSTEM at 17-11-2012 19:00:05
    Running from F:\
    Microsoft Windows XP (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [RTHDCPL] RTHDCPL.EXE [x]
    HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2012-07-03] (Advanced Micro Devices, Inc.)
    HKLM\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4297136 2012-10-30] (AVAST Software)
    HKLM\...\Winlogon: [Userinit] C:\WINDOWS\system32\userinit.exe,C:\D & S\Prezes\Ustawienia lokalne\Dane aplikacji\cbqlaqxc\gvgaehbg.exe, [101304 2012-11-09] ()
    Winlogon\Notify\AtiExtEvent: Ati2evxx.dll (ATI Technologies Inc.)
    Winlogon\Notify\LMIinit: LMIinit.dll (LogMeIn, Inc.)
    Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

    ==================== Services (Whitelisted) ===================

    2 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [593920 2009-09-25] ()
    2 Eventlog; C:\Windows\System32\services.exe [109056 2008-04-15] (Microsoft Corporation)
    3 MozillaMaintenance; "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe" [115168 2012-11-15] (Mozilla Foundation)
    3 npggsvc; C:\WINDOWS\system32\GameMon.des -service [3700176 2010-08-15] (INCA Internet Co., Ltd.)
    3 FontCache3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [x]
    4 HiPatchService; C:\Program Files\Hi-Rez Studios\HiPatchService.exe [x]
    2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]

    ==================== Drivers (Whitelisted) ====================

    1 Aavmker4; C:\Windows\System32\Drivers\Aavmker4.sys [25256 2012-10-30] (AVAST Software)
    1 AmdK8; C:\Windows\System32\DRIVERS\AmdK8.sys [43520 2006-07-01] (Advanced Micro Devices)
    1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [738504 2012-10-30] (AVAST Software)
    3 ati2mtag; C:\Windows\System32\DRIVERS\ati2mtag.sys [7874560 2012-07-04] (ATI Technologies Inc.)
    3 AtiHDAudioService; C:\Windows\System32\drivers\AtihdXP3.sys [103040 2012-05-14] (Advanced Micro Devices)
    2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [281760 2010-08-16] ()
    3 hamachi; C:\Windows\System32\DRIVERS\hamachi.sys [26176 2009-03-18] (LogMeIn, Inc.)
    3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-15] (Windows (R) Server 2003 DDK provider)
    3 HssDrv; C:\Windows\System32\DRIVERS\HssDrv.sys [37376 2010-09-22] (AnchorFree Inc.)
    3 irsir; C:\Windows\System32\DRIVERS\irsir.sys [18688 2001-08-17] (Microsoft Corporation)
    3 libusb0; C:\Windows\System32\drivers\libusb0.sys [33792 2005-03-09] ()
    2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [25888 2010-08-16] ()
    3 MotioninJoyXFilter; C:\Windows\System32\DRIVERS\MijXfilt.sys [48640 2010-03-18] (MotioninJoy)
    0 nvata; C:\Windows\System32\DRIVERS\nvata.sys [105344 2006-08-21] (NVIDIA Corporation)
    3 NVENETFD; C:\Windows\System32\DRIVERS\NVENETFD.sys [57856 2006-09-11] (NVIDIA Corporation)
    0 nvgts; C:\Windows\System32\DRIVERS\nvgts5.sys [101888 2008-07-15] (NVIDIA Corporation)
    3 nvnetbus; C:\Windows\System32\DRIVERS\nvnetbus.sys [19968 2006-09-11] (NVIDIA Corporation)
    3 Rasirda; C:\Windows\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
    1 SBRE; \??\C:\WINDOWS\system32\drivers\SBREdrv.sys [101112 2012-05-25] (GFI Software)
    0 sptd; C:\Windows\System32\Drivers\sptd.sys [691696 2009-12-13] (Duplex Secure Ltd.)
    3 taphss; C:\Windows\System32\DRIVERS\taphss.sys [33512 2012-04-06] (AnchorFree Inc)
    3 xusb21; C:\Windows\System32\DRIVERS\xusb21.sys [61984 2009-11-24] (Microsoft Corporation)
    4 Abiosdsk; [x]
    4 abp480n5; [x]
    4 adpu160m; [x]
    4 Aha154x; [x]
    4 aic78u2; [x]
    4 aic78xx; [x]
    3 Alerter; [x]
    4 AliIde; [x]
    4 amsint; [x]
    4 asc; [x]
    4 asc3350p; [x]
    4 asc3550; [x]
    4 Atdisk; [x]
    4 cd20xrnt; [x]
    1 Changer; [x]
    4 cisvc; [x]
    4 CmdIde; [x]
    4 Cpqarray; [x]
    4 dac2w2k; [x]
    4 dac960nt; [x]
    3 dgderdrv; C:\Windows\System32\drivers\dgderdrv.sys [x]
    4 dpti2o; [x]
    3 EagleNT; \??\C:\WINDOWS\system32\drivers\EagleNT.sys [x]
    3 EagleXNt; \??\C:\WINDOWS\system32\drivers\EagleXNt.sys [x]
    4 ERSvc; [x]
    3 FastUserSwitchingCompatibility; [x]
    3 GMSIPCI; \??\F:\INSTALL\GMSIPCI.SYS [x]
    3 helpsvc; [x]
    4 hpn; [x]
    1 i2omgmt; [x]
    4 i2omp; [x]
    3 ImapiService; [x]
    4 ini910u; [x]
    4 IntelIde; [x]
    3 KoneFltr; C:\Windows\System32\drivers\Kone.sys [x]
    1 lbrtfdc; [x]
    2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [x]
    4 LMIRfsClientNP; [x]
    4 Messenger; [x]
    4 Micorsoft Windows Service; \??\C:\TMP\rsjinqaf.sys [x]
    4 mnmsrvc; [x]
    4 mraid35x; [x]
    3 Nbdrv; C:\Windows\System32\DRIVERS\nbdrv.sys [x]
    3 NTACCESS; \??\F:\NTACCESS.sys [x]
    1 PCIDump; [x]
    4 perc2; [x]
    4 perc2hib; [x]
    3 pgfilter; \??\C:\Program Files\PeerGuardian2\pgfilter.sys [x]
    4 ql1080; [x]
    4 Ql10wnt; [x]
    4 ql12160; [x]
    4 ql1240; [x]
    4 ql1280; [x]
    4 RDSessMgr; [x]
    4 RemoteRegistry; [x]
    1 SASDIFSV; \??\C:\TMP\SAS_SelfExtract\SASDIFSV.SYS [x]
    1 SASKUTIL; \??\C:\TMP\SAS_SelfExtract\SASKUTIL.SYS [x]
    4 SCardDrv; [x]
    3 SetupNTGLM7X; \??\F:\NTGLM7X.sys [x]
    4 Simbad; [x]
    4 Sparrow; [x]
    4 symc810; [x]
    4 symc8xx; [x]
    4 sym_hi; [x]
    4 sym_u3; [x]
    4 TermService; [x]
    4 TosIde; [x]
    4 ultra; [x]
    4 uploadmgr; [x]
    4 ViaIde; [x]
    4 WmdmPmSp; [x]
    3 XDva296; \??\C:\WINDOWS\system32\XDva296.sys [x]

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2012-11-17 18:59 - 2012-11-17 18:59 - 00000000 ____D C:\FRST
    2012-11-15 09:32 - 2012-11-17 07:07 - 00007109 ____A C:\Windows\setupapi.log
    2012-11-14 16:06 - 2012-11-17 11:32 - 00003823 ____A C:\Windows\WindowsUpdate.log
    2012-11-14 15:10 - 2012-11-14 15:10 - 00000000 ____D C:\Program Files\ESET
    2012-11-12 14:20 - 2012-11-12 14:20 - 00008286 ____A C:\Windows\System32\reset.log
    2012-11-12 14:17 - 2004-06-11 19:33 - 00290304 ____A (Microsoft Corporation) C:\subinacl.exe
    2012-11-12 14:02 - 2012-11-12 14:20 - 00181064 ____A (Sysinternals) C:\Windows\PSEXESVC.EXE
    2012-11-12 14:01 - 2012-11-12 14:01 - 00000000 ____D C:\Program Files\Tweaking.com
    2012-11-12 09:01 - 2012-11-12 09:01 - 00000000 ____D C:\Windows\erdnt
    2012-11-12 09:00 - 2012-11-12 14:36 - 00000000 ___SD C:\32788R22FWJFW
    2012-11-10 17:07 - 2012-11-17 08:27 - 00000316 ___AH C:\Windows\Tasks\avast! Emergency Update.job
    2012-11-10 17:07 - 2012-10-30 17:51 - 00738504 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
    2012-11-10 17:07 - 2012-10-30 17:51 - 00361032 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
    2012-11-10 17:07 - 2012-10-30 17:51 - 00097608 ____A (AVAST Software) C:\Windows\System32\Drivers\aswmon2.sys
    2012-11-10 17:07 - 2012-10-30 17:51 - 00089752 ____A (AVAST Software) C:\Windows\System32\Drivers\aswmon.sys
    2012-11-10 17:07 - 2012-10-30 17:51 - 00054232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
    2012-11-10 17:07 - 2012-10-30 17:51 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
    2012-11-10 17:07 - 2012-10-30 17:51 - 00035928 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr.sys
    2012-11-10 17:07 - 2012-10-30 17:51 - 00025256 ____A (AVAST Software) C:\Windows\System32\Drivers\aavmker4.sys
    2012-11-10 17:07 - 2012-10-30 17:51 - 00021256 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
    2012-11-10 17:07 - 2012-10-30 17:50 - 00227648 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
    2012-11-10 17:06 - 2012-11-10 17:06 - 00000000 ____D C:\Program Files\AVAST Software
    2012-11-10 15:33 - 2012-11-10 15:33 - 00001881 ____A C:\AdwCleaner[S1].txt
    2012-11-10 11:34 - 2012-09-29 13:54 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-11-10 11:33 - 2012-11-10 12:17 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2012-11-10 07:27 - 2012-11-10 10:39 - 00000000 ____D C:\VIPRERESCUE
    2012-11-10 07:27 - 2012-05-25 06:14 - 00101112 ____A (GFI Software) C:\Windows\System32\Drivers\SBREDrv.sys
    2012-11-10 07:27 - 2012-05-25 06:14 - 00042864 ____A (GFI Software) C:\Windows\System32\sbbd.exe
    2012-10-28 06:40 - 2012-11-02 13:16 - 00000000 ____D C:\Program Files\1812 - Serce Zimy
    2012-10-27 06:02 - 2012-11-17 11:32 - 00012422 ____A C:\Windows\SchedLgU.Txt
    2012-10-19 11:31 - 2012-10-19 17:11 - 00000000 ____D C:\Program Files\LogMeIn Hamachi

    ==================== One Month Modified Files and Folders ========

    2012-11-17 18:59 - 2012-11-17 18:59 - 00000000 ____D C:\FRST
    2012-11-17 11:32 - 2012-11-14 16:06 - 00003823 ____A C:\Windows\WindowsUpdate.log
    2012-11-17 11:32 - 2012-10-27 06:02 - 00012422 ____A C:\Windows\SchedLgU.Txt
    2012-11-17 11:32 - 2011-09-07 10:34 - 00000216 ____A C:\Windows\wiadebug.log
    2012-11-17 11:32 - 2010-09-12 09:06 - 00196608 ____A C:\Windows\System32\config\TuneUp.evt
    2012-11-17 11:32 - 2009-10-29 09:17 - 00458752 ____A C:\Windows\System32\config\ACEEvent.evt
    2012-11-17 11:32 - 2009-10-29 07:44 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-11-17 11:29 - 2009-10-29 07:43 - 00000000 ____D C:\TMP
    2012-11-17 08:27 - 2012-11-10 17:07 - 00000316 ___AH C:\Windows\Tasks\avast! Emergency Update.job
    2012-11-17 07:07 - 2012-11-15 09:32 - 00007109 ____A C:\Windows\setupapi.log
    2012-11-17 07:06 - 2011-09-07 10:34 - 00000050 ____A C:\Windows\wiaservc.log
    2012-11-16 11:13 - 2008-04-15 07:00 - 00002206 ____A C:\Windows\System32\wpa.dbl
    2012-11-16 10:20 - 2012-06-16 13:16 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
    2012-11-15 13:52 - 2009-10-30 08:17 - 00000000 ____D C:\Program Files\Mozilla Firefox
    2012-11-15 10:28 - 2009-10-29 08:19 - 00000000 ____D C:\Program Files\Opera
    2012-11-14 15:10 - 2012-11-14 15:10 - 00000000 ____D C:\Program Files\ESET
    2012-11-14 14:44 - 2009-12-07 14:10 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy
    2012-11-12 14:36 - 2012-11-12 09:00 - 00000000 ___SD C:\32788R22FWJFW
    2012-11-12 14:32 - 2009-10-29 08:34 - 01230856 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-11-12 14:32 - 2008-04-15 07:00 - 00544586 ____A C:\Windows\System32\perfh015.dat
    2012-11-12 14:32 - 2008-04-15 07:00 - 00102946 ____A C:\Windows\System32\perfc015.dat
    2012-11-12 14:20 - 2012-11-12 14:20 - 00008286 ____A C:\Windows\System32\reset.log
    2012-11-12 14:20 - 2012-11-12 14:02 - 00181064 ____A (Sysinternals) C:\Windows\PSEXESVC.EXE
    2012-11-12 14:19 - 2009-10-29 07:43 - 00023392 ____A C:\Windows\System32\nscompat.tlb
    2012-11-12 14:19 - 2009-10-29 07:43 - 00016832 ____A C:\Windows\System32\amcompat.tlb
    2012-11-12 14:01 - 2012-11-12 14:01 - 00000000 ____D C:\Program Files\Tweaking.com
    2012-11-12 09:01 - 2012-11-12 09:01 - 00000000 ____D C:\Windows\erdnt
    2012-11-11 10:50 - 2010-06-05 10:46 - 00000000 ____D C:\Windows\1C4551A64743409391E41477CD655043.TMP
    2012-11-10 17:57 - 2009-10-29 08:26 - 00000000 ____D C:\Windows\security
    2012-11-10 17:07 - 2009-10-29 07:43 - 00002657 ____A C:\Windows\System32\CONFIG.NT
    2012-11-10 17:06 - 2012-11-10 17:06 - 00000000 ____D C:\Program Files\AVAST Software
    2012-11-10 15:33 - 2012-11-10 15:33 - 00001881 ____A C:\AdwCleaner[S1].txt
    2012-11-10 14:34 - 2010-05-08 09:15 - 00000000 __HDC C:\Windows\$NtUninstallXPSEPSCLP$
    2012-11-10 12:17 - 2012-11-10 11:33 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2012-11-10 12:08 - 2009-10-29 08:26 - 00000000 ____D C:\Windows\L2Schemas
    2012-11-10 10:43 - 2009-10-29 10:28 - 00000000 ____D C:\Program Files\Hotspot Shield
    2012-11-10 10:39 - 2012-11-10 07:27 - 00000000 ____D C:\VIPRERESCUE
    2012-11-02 13:16 - 2012-10-28 06:40 - 00000000 ____D C:\Program Files\1812 - Serce Zimy
    2012-10-30 17:51 - 2012-11-10 17:07 - 00738504 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
    2012-10-30 17:51 - 2012-11-10 17:07 - 00361032 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
    2012-10-30 17:51 - 2012-11-10 17:07 - 00097608 ____A (AVAST Software) C:\Windows\System32\Drivers\aswmon2.sys
    2012-10-30 17:51 - 2012-11-10 17:07 - 00089752 ____A (AVAST Software) C:\Windows\System32\Drivers\aswmon.sys
    2012-10-30 17:51 - 2012-11-10 17:07 - 00054232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
    2012-10-30 17:51 - 2012-11-10 17:07 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
    2012-10-30 17:51 - 2012-11-10 17:07 - 00035928 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr.sys
    2012-10-30 17:51 - 2012-11-10 17:07 - 00025256 ____A (AVAST Software) C:\Windows\System32\Drivers\aavmker4.sys
    2012-10-30 17:51 - 2012-11-10 17:07 - 00021256 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
    2012-10-30 17:50 - 2012-11-10 17:07 - 00227648 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
    2012-10-22 13:09 - 2012-02-07 12:42 - 00000000 ____D C:\Program Files\Battle for Wesnoth 1.10.0
    2012-10-20 10:18 - 2009-11-06 16:12 - 00000000 ____D C:\Windows\System32\DirectX
    2012-10-19 17:12 - 2009-10-29 07:41 - 00000000 ____D C:\Windows\Registration
    2012-10-19 17:11 - 2012-10-19 11:31 - 00000000 ____D C:\Program Files\LogMeIn Hamachi
    2012-10-19 17:11 - 2009-10-29 07:42 - 00000000 ____D C:\Windows\System32\Restore
    2012-10-19 17:03 - 2009-10-29 08:33 - 00000000 ____D C:\D & S
    2012-10-19 14:44 - 2009-10-29 08:26 - 00000000 ____D C:\Windows\java
    2012-10-19 11:30 - 2012-10-14 08:36 - 00000000 ____D C:\Program Files\LogMeIn

    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\explorer.exe
    [2008-06-20 08:02] - [2008-06-20 08:02] - 2263040 ____A (Microsoft Corporation) 331f366a4b20c610a7eac4790f94467a

    C:\Windows\System32\winlogon.exe
    [2008-04-15 07:00] - [2008-04-15 07:00] - 0510464 ____A (Microsoft Corporation) 51fd2e13d723857b9ca239ae77150f48

    C:\Windows\System32\svchost.exe
    [2008-04-15 07:00] - [2008-04-15 07:00] - 0014336 ____A (Microsoft Corporation) 8607d35d92528e2df386f19a960d23ce

    C:\Windows\System32\services.exe
    [2008-04-15 07:00] - [2008-04-15 07:00] - 0109056 ____A (Microsoft Corporation) 3e3ae424e27c4cefe4cab368c7b570ea

    C:\Windows\System32\User32.dll
    [2008-04-15 07:00] - [2008-04-15 07:00] - 0580096 ____A (Microsoft Corporation) a435c5c069afd901751ac323ad238793

    C:\Windows\System32\userinit.exe
    [2008-04-15 07:00] - [2008-04-15 07:00] - 0026624 ____A (Microsoft Corporation) 2a5b37d520508be6570a3ea79695f5b5

    C:\Windows\System32\Drivers\volsnap.sys
    [2008-04-15 07:00] - [2008-04-15 07:00] - 0052864 ____A (Microsoft Corporation) 56b191ac5fc0df219949c95a6c87afe7

    c:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points (XP) =====================

    RP: -> 2012-11-16 14:57 - 024576 _restore{AB416992-93E4-4364-8477-580FDEE36B27}\RP378

    RP: -> 2012-11-15 14:38 - 024576 _restore{AB416992-93E4-4364-8477-580FDEE36B27}\RP377

    RP: -> 2012-11-14 14:30 - 024576 _restore{AB416992-93E4-4364-8477-580FDEE36B27}\RP376

    RP: -> 2012-11-12 14:15 - 024576 _restore{AB416992-93E4-4364-8477-580FDEE36B27}\RP375

    RP: -> 2012-11-10 17:06 - 024576 _restore{AB416992-93E4-4364-8477-580FDEE36B27}\RP374

    RP: -> 2012-11-09 09:34 - 024576 _restore{AB416992-93E4-4364-8477-580FDEE36B27}\RP371

    RP: -> 2012-11-06 09:48 - 024576 _restore{AB416992-93E4-4364-8477-580FDEE36B27}\RP370

    RP: -> 2012-11-01 08:04 - 024576 _restore{AB416992-93E4-4364-8477-580FDEE36B27}\RP369

    RP: -> 2012-10-28 15:18 - 024576 _restore{AB416992-93E4-4364-8477-580FDEE36B27}\RP368

    RP: -> 2012-10-27 06:53 - 024576 _restore{AB416992-93E4-4364-8477-580FDEE36B27}\RP367


    ==================== Memory info ===========================

    Percentage of memory in use: 12%
    Total physical RAM: 2047.36 MB
    Available physical RAM: 1798.31 MB
    Total Pagefile: 1878.03 MB
    Available Pagefile: 1818.66 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 2002.18 MB

    ==================== Partitions =============================

    1 Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
    2 Drive c: () (Fixed) (Total:48.83 GB) (Free:4.9 GB) NTFS ==>[Drive with boot components (Windows XP)]
    3 Drive d: () (Fixed) (Total:48.83 GB) (Free:7.48 GB) NTFS
    4 Drive e: () (Fixed) (Total:135.22 GB) (Free:3.28 GB) NTFS
    5 Drive f: (UDISK) (Removable) (Total:1.87 GB) (Free:0.62 GB) FAT
    6 Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 233 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 49 GB 32 KB
    Partition 2 Extended 184 GB 49 GB
    Partition 3 Logical 49 GB 49 GB
    Partition 4 Logical 135 GB 98 GB
    =========================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 49 GB Healthy
    =========================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D NTFS Partition 49 GB Healthy
    =========================================================

    Disk: 0
    Partition 4
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 E NTFS Partition 135 GB Healthy
    =========================================================
    ==================== End Of Log ============================


    Farbar Recovery Scan Tool (x86) Version: 12-11-2012
    Ran by SYSTEM at 2012-11-17 19:01:17
    Running from F:\

    ================== Search: "services.exe" ===================

    C:\WINDOWS\system32\services.exe
    [2008-04-15 07:00] - [2008-04-15 07:00] - 0109056 ____A (Microsoft Corporation) 3e3ae424e27c4cefe4cab368c7b570ea

    === End Of Search ===
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    FRST Fixlist

    Please run the following:

    Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter OTLPE like before...

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
  13. Geoffrey

    Geoffrey TS Rookie Topic Starter Posts: 18

    Well, Windows boots as usual. Here are the contents of the Fixlog.txt:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 12-11-2012
    Ran by SYSTEM at 2012-11-19 16:08:14 Run:1
    Running from F:\

    ==============================================

    Micorsoft Windows Service service deleted successfully.
    c:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!. not found.

    ==== End of Fixlog ====
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    I'm talking with a couple of people about this line in your logs: c:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.

    Give me a bit of time to chat with them about it. I should be back with a fix in the next couple days.
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi again. Back to Normal Mode now, and let's do the following, please:

    We need to first disable CD emulators and other related burning programs. To disable CD emulation programs using DeFogger, please perform these steps:
    • Please download DeFogger to your desktop.
    • Once downloaded, double-click on the DeFogger icon to start the tool.
    • The application window will now appear. You should now click on the Disable button to disable your CD emulation drivers.
    • When it prompts you whether or not you want to continue, please click on the Yes button to continue.
    • When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
    • If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.


    Malwarebytes' Anti-Rootkit

    Please download Malwarebytes' Anti-Rootkit and save it to your desktop.
    • Be sure to print out and follow the instructions provided on that same page for performing a scan.
    • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
    • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
    • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
    • Copy and paste the contents of these two log files in your next reply.
  16. Geoffrey

    Geoffrey TS Rookie Topic Starter Posts: 18

    It didn't exactly work. I will include the logs so you can see what it found. But after removing them and rebooting, another scan showed exactly the same results. I ran the scan three times overall, but that didn't remove them. Also, I still can't enable the Windows firewall even after running fixdamage. Here are both logs:

    Malwarebytes Anti-Rootkit 1.1.0.1009
    www.malwarebytes.org

    Database version: v2012.11.20.04

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 7.0.5730.13
    Prezes :: KOMP [administrator]

    2012-11-20 19:23:40
    mbar-log-2012-11-20 (19-23-40).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
    Scan options disabled: PUP | PUM | P2P
    Objects scanned: 26400
    Time elapsed: 7 minute(s), 11 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 2
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> Delete on reboot. [156c8b2eea7300362f6fde96ef137d83]
    HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) -> Delete on reboot. [b9c8e5d4b4a915216d30da9a37cb54ac]

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 3
    HKLM\SOFTWARE\Microsoft\Security Center|ANTIVIRUSDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot. [95ec8f2aa7b678be3f54b0740afa6e92]
    HKLM\SOFTWARE\Microsoft\Security Center|FIREWALLDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot. [0b76fbbe3a23f73fdfb579ab976d46ba]
    HKLM\SOFTWARE\Microsoft\Security Center|UPDATESDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot. [4f3213a6e57859dd385d0f15c93bb64a]

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1009

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 7.0.5730.13

    Java version: 1.6.0_24

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED
    CPU speed: 2.099000 GHz
    Memory total: 2146807808, free: 1581289472

    ------------ Kernel report ------------
    11/20/2012 19:16:13
    ------------ Loaded modules -----------
    \WINDOWS\system32\ntkrnlpa.exe
    \WINDOWS\system32\hal.dll
    \WINDOWS\system32\KDCOM.DLL
    \WINDOWS\system32\BOOTVID.dll
    ACPI.sys
    \WINDOWS\system32\DRIVERS\WMILIB.SYS
    pci.sys
    isapnp.sys
    pciide.sys
    \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    MountMgr.sys
    ftdisk.sys
    dmload.sys
    dmio.sys
    PartMgr.sys
    VolSnap.sys
    atapi.sys
    nvgts5.sys
    \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    nvata.sys
    disk.sys
    \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    fltMgr.sys
    sr.sys
    PxHelp20.sys
    KSecDD.sys
    WudfPf.sys
    Ntfs.sys
    NDIS.sys
    Mup.sys
    \SystemRoot\system32\DRIVERS\AmdK8.sys
    \SystemRoot\system32\DRIVERS\serial.sys
    \SystemRoot\system32\DRIVERS\serenum.sys
    \SystemRoot\system32\DRIVERS\irsir.sys
    \SystemRoot\system32\DRIVERS\irenum.sys
    \SystemRoot\system32\DRIVERS\parport.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\usbohci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\imapi.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\system32\DRIVERS\redbook.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\nvnetbus.sys
    \SystemRoot\system32\DRIVERS\NVNRM.SYS
    \SystemRoot\system32\DRIVERS\ati2mtag.sys
    \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    \SystemRoot\system32\DRIVERS\lmimirr.sys
    \SystemRoot\system32\DRIVERS\audstub.sys
    \SystemRoot\system32\DRIVERS\HssDrv.sys
    \SystemRoot\system32\DRIVERS\rasirda.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\psched.sys
    \SystemRoot\system32\DRIVERS\msgpc.sys
    \SystemRoot\system32\DRIVERS\ptilink.sys
    \SystemRoot\system32\DRIVERS\raspti.sys
    \SystemRoot\system32\DRIVERS\tapvpn.sys
    \SystemRoot\system32\DRIVERS\taphss.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\update.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\system32\drivers\AtihdXP3.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\drivers\RtkHDAud.sys
    \SystemRoot\system32\DRIVERS\NVENETFD.sys
    \SystemRoot\System32\Drivers\Fs_Rec.SYS
    \SystemRoot\System32\Drivers\Null.SYS
    \??\C:\WINDOWS\system32\drivers\SBREdrv.sys
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\rasacd.sys
    \SystemRoot\system32\DRIVERS\ipsec.sys
    \SystemRoot\system32\DRIVERS\tcpip.sys
    \SystemRoot\system32\DRIVERS\netbt.sys
    \SystemRoot\system32\DRIVERS\ipnat.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\System32\drivers\afd.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\System32\Drivers\Fips.SYS
    \SystemRoot\System32\Drivers\aswSnx.SYS
    \SystemRoot\System32\Drivers\Aavmker4.SYS
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\kbdhid.sys
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\System32\Drivers\Cdfs.SYS
    \SystemRoot\System32\Drivers\dump_nvata.sys
    \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\watchdog.sys
    \SystemRoot\System32\drivers\dxg.sys
    \SystemRoot\System32\drivers\dxgthk.sys
    \SystemRoot\System32\ati2dvag.dll
    \SystemRoot\System32\ati2cqag.dll
    \SystemRoot\System32\atikvmag.dll
    \SystemRoot\System32\atiok3x2.dll
    \SystemRoot\System32\ati3duag.dll
    \SystemRoot\System32\ativvaxx.dll
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\DRIVERS\irda.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\drivers\wdmaud.sys
    \SystemRoot\system32\drivers\sysaudio.sys
    \SystemRoot\System32\Drivers\ParVdm.SYS
    \SystemRoot\system32\DRIVERS\atksgt.sys
    \SystemRoot\System32\Drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\lirsgt.sys
    \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
    \SystemRoot\system32\DRIVERS\srv.sys
    \??\C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys
    \??\C:\TMP\rsjinqaf.sys
    \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
    \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    \WINDOWS\system32\ntdll.dll
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff89d1eab8
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\0000007d\
    Lower Device Object: 0xffffffff89d1e030
    Lower Device Driver Name: \Driver\nvata\
    Driver name found: nvata
    DriverEntry returned 0x0
    Function returned 0x0
    Initializing...
    Done!
    Scanning directory: C:\WINDOWS\system32\drivers...
    <<<2>>>
    Device number: 0, partition: 1
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff89d1eab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff89d43ce8, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff89d1eab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff89d9a1e0, DeviceName: \Device\0000007e\, DriverName: \Driver\ACPI\
    DevicePointer: 0xffffffff89d1e030, DeviceName: \Device\0000007d\, DriverName: \Driver\nvata\
    ------------ End ----------
    Upper DeviceData: 0xffffffffe40ca980, 0xffffffff89d1eab8, 0xffffffff8839e8d8
    Lower DeviceData: 0xffffffffe3eb19f0, 0xffffffff89d1e030, 0xffffffff883adf18
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: DD95DD95

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63 Numsec = 102398247
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Extended with LBA (0xf)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 102398310 Numsec = 385977690

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 250059350016 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-62-488377168-488397168)...
    Done!
    Performing system, memory and registry scan...
    Infected: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE --> [Trojan.Agent]
    Infected: HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service --> [Trojan.Agent]
    Infected: HKLM\SOFTWARE\Microsoft\Security Center|ANTIVIRUSDISABLENOTIFY --> [PUM.Disabled.SecurityCenter]
    Infected: HKLM\SOFTWARE\Microsoft\Security Center|FIREWALLDISABLENOTIFY --> [PUM.Disabled.SecurityCenter]
    Infected: HKLM\SOFTWARE\Microsoft\Security Center|UPDATESDISABLENOTIFY --> [PUM.Disabled.SecurityCenter]
    Done!
    Scan finished
    Creating System Restore point...
    Scheduling clean up...
    <<<2>>>
    Device number: 0, partition: 1
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Removal scheduling successful. System shutdown needed.
    System shutdown occured
    =======================================
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    GMER

    Note about this tool:
    • This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
    • This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
    • No matter what is in the log, please post all the information/contents of the log.
    • These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT"

    Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

    Double-click gmer.exe. The program will begin to run.

    If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
    • Click NO
    • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
    • Now click the Scan button.
      Once the scan is complete, you may receive another notice about rootkit activity.
    • Click OK.
    • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
    • Save it where you can easily find it, such as your desktop.
    Post the contents of GMER.txt in your next reply.
  18. Geoffrey

    Geoffrey TS Rookie Topic Starter Posts: 18

    The scan took quite some time. Although I only had my main partition checked (C:/). I assumed that would be enough. If not, I only need a wave of your hand and I will be off scanning stuff. Anyways here is the scan:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-11-22 21:46:18
    Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\0000007e WDC_WD2500AAJS-00VTA0 rev.01.01B01
    Running: gmer.exe; Driver: C:\TMP\pxtdqpoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\TMP\rsjinqaf.sys ZwCreateKey [0xF77A16AC]
    SSDT \??\C:\TMP\rsjinqaf.sys ZwOpenKey [0xF77A1562]

    ---- Kernel code sections - GMER 1.0.15 ----

    PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A648C 4 Bytes CALL AEF85A77 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6786000, 0x1E2E6E, 0xE8000020]
    .text win32k.sys!EngFreeUserMem + 674 BF809FDF 5 Bytes JMP AEF89B4C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngFreeUserMem + 3625 BF80CF90 5 Bytes JMP AEF89A3C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngDeleteSurface + 45 BF8138FE 5 Bytes JMP AEF899F6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!BRUSHOBJ_pvAllocRbrush + 320C BF81E743 5 Bytes JMP AEF88688 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngMulDiv + 199A BF820E6C 5 Bytes JMP AEF890A8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngSetLastError + 7657 BF82868B 5 Bytes JMP AEF887C4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateBitmap + 698 BF838560 5 Bytes JMP AEF89CB6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateBitmap + BB6 BF838A7E 5 Bytes JMP AEF898FC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateBitmap + 3605 BF83B4CD 5 Bytes JMP AEF89EBE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateBitmap + D9AB BF845873 5 Bytes JMP AEF88834 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateBitmap + 113C6 BF84928E 5 Bytes JMP AEF89090 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngMultiByteToWideChar + 2E60 BF852720 5 Bytes JMP AEF8916A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngMultiByteToWideChar + 2F20 BF8527E0 5 Bytes JMP AEF88670 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngMultiByteToWideChar + 84B4 BF857D74 5 Bytes JMP AEF89E1C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!XLATEOBJ_iXlate + 23AD BF873983 5 Bytes JMP AEF89BFE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngStretchBlt + 37BB BF87882D 5 Bytes JMP AEF89A86 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngGetCurrentCodePage + 3617 BF88FFB6 5 Bytes JMP AEF88CDE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngGetCurrentCodePage + 413A BF890AD9 5 Bytes JMP AEF88E9E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngGetLastError + 1606 BF8ADD61 5 Bytes JMP AEF89182 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngGradientFill + 4B52 BF8B3770 5 Bytes JMP AEF88C1E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngGradientFill + 4BDD BF8B37FB 5 Bytes JMP AEF88EE4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngAlphaBlend + 9286 BF8C31E7 5 Bytes JMP AEF88944 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!PATHOBJ_bCloseFigure + 19CE BF8ED991 5 Bytes JMP AEF8856A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!PATHOBJ_bCloseFigure + 9006 BF8F4FC9 5 Bytes JMP AEF890C0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!PATHOBJ_bCloseFigure + D4C6 BF8F9489 5 Bytes JMP AEF88A1C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!PATHOBJ_bCloseFigure + D746 BF8F9709 5 Bytes JMP AEF88B48 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateClip + 1994 BF912612 5 Bytes JMP AEF88760 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateClip + 2568 BF9131E6 5 Bytes JMP AEF888F0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateClip + 4F29 BF915BA7 5 Bytes JMP AEF88FFE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngPlgBlt + 1931 BF9438F8 5 Bytes JMP AEF89D74 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xABDCD300, 0x3B6D8, 0xE8000020]
    .text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xF7847300, 0x1BEE, 0xE8000020]
    ? C:\TMP\rsjinqaf.sys Nie można odnaleźć określonego pliku. !


    _______________________________________________ I hit the max char.
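    A small triage script for logs of this shape, added here as an example (it is not the thread's own material and not part of GMER). It parses the "Driver:" header, SSDT entries, the inline JMP/CALL hooks of the kernel and user code sections, and the "time/date stamp mismatch" notes, then groups hooks per process and separates hooks GMER attributed to a named module (the aswSnx.SYS entries above) from hooks whose target it could not name. The lines in SAMPLE_LOG are constructed, modelled on this post and the next one.

```python
"""Triage helper for GMER log lines (added example, not GMER's own code)."""
import re
from collections import defaultdict

HEADER_RE = re.compile(r"Driver:\s+(?P<driver>\S+)")
SSDT_RE = re.compile(r"^SSDT\s+(?P<driver>\S+)\s+(?P<symbol>\w+)\s+\[0x[0-9A-F]+\]$")
MISMATCH_RE = re.compile(r"^\?\s+(?P<image>.+?\[\d+\])\s+time/date stamp mismatch")
# .text <image>[pid] <module>!<symbol> [+ off] <addr> <n> Bytes JMP|CALL <target> [<module path> (<desc>)]
HOOK_RE = re.compile(
    r"^(?P<section>\.text|PAGE)\s+"
    r"(?:(?P<image>.+?)\[(?P<pid>\d+)\]\s+)?"          # absent on kernel lines
    r"(?P<module>\S+)!(?P<symbol>\w+)"
    r"(?:\s\+\s(?P<offset>[0-9A-F]+))?\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<nbytes>\d+)\sBytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<resolved>\S+)(?:\s+\((?P<desc>[^)]*)\))?)?$"
)


def _nt_to_dos(path):
    """Strip the NT object-manager prefix GMER prints on SSDT driver paths."""
    return path[4:] if path.startswith("\\??\\") else path


def triage(lines):
    """Summarise GMER log lines into a findings dict."""
    out = {
        "scanner_driver": None,                    # GMER's own driver, from the header
        "hooks_by_process": defaultdict(list),     # "image[pid]" or "kernel" -> hooks
        "attributed_by_module": defaultdict(int),  # resolved module path -> hook count
        "unattributed_hooks": [],                  # JMP/CALL to an address GMER did not name
        "shared_targets": {},                      # target addr -> processes hooked to it
        "ssdt_by_foreign_driver": [],              # SSDT entries not owned by the scanner
        "stamp_mismatches": [],
    }
    targets = defaultdict(set)
    ssdt = []
    for raw in lines:
        line = raw.strip()
        if out["scanner_driver"] is None and (m := HEADER_RE.search(line)):
            out["scanner_driver"] = m.group("driver")
        elif m := SSDT_RE.match(line):
            ssdt.append((m.group("driver"), m.group("symbol")))
        elif m := MISMATCH_RE.match(line):
            out["stamp_mismatches"].append(m.group("image"))
        elif m := HOOK_RE.match(line):
            rec = m.groupdict()
            proc = f'{rec["image"]}[{rec["pid"]}]' if rec["pid"] else "kernel"
            out["hooks_by_process"][proc].append(rec)
            if rec["resolved"]:
                out["attributed_by_module"][rec["resolved"]] += 1
            else:
                out["unattributed_hooks"].append(rec)
                targets[rec["target"]].add(proc)
    # The same target address hooked from several processes suggests one body of
    # code mapped at the same base in each of them, which deserves a closer look.
    out["shared_targets"] = {t: sorted(p) for t, p in targets.items() if len(p) > 1}
    # GMER loads its own driver from C:\TMP (see the "Running:" header), so an
    # SSDT entry is only interesting when it is not the scanner's own driver.
    own = (out["scanner_driver"] or "").lower()
    out["ssdt_by_foreign_driver"] = [
        (drv, sym) for drv, sym in ssdt if _nt_to_dos(drv).lower() != own
    ]
    out["hooks_by_process"] = dict(out["hooks_by_process"])
    out["attributed_by_module"] = dict(out["attributed_by_module"])
    return out


# Constructed sample, modelled on the log posted in this thread.
SAMPLE_LOG = r"""
Running: gmer.exe; Driver: C:\TMP\pxtdqpoc.sys
SSDT \??\C:\TMP\rsjinqaf.sys ZwCreateKey [0xF77A16AC]
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A648C 4 Bytes CALL AEF85A77 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFreeUserMem + 674 BF809FDF 5 Bytes JMP AEF89B4C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xABDCD300, 0x3B6D8, 0xE8000020]
? C:\WINDOWS\system32\svchost.exe[932] time/date stamp mismatch;
.text C:\WINDOWS\system32\services.exe[752] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
.text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!send 71A54C27 5 Bytes JMP 201824D0
.text C:\WINDOWS\system32\lsass.exe[764] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
.text C:\Program Files\Java\jre6\bin\jqs.exe[1224] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20027958
"""

if __name__ == "__main__":
    r = triage(SAMPLE_LOG.splitlines())
    print("scanner driver:", r["scanner_driver"])
    for proc, hooks in r["hooks_by_process"].items():
        print(f"{proc}: {len(hooks)} hook(s)")
    print("attributed:", r["attributed_by_module"])
    print("unattributed hooks:", len(r["unattributed_hooks"]))
    print("targets shared across processes:", r["shared_targets"])
    print("SSDT entries by other drivers:", r["ssdt_by_foreign_driver"])
    print("time/date stamp mismatches:", r["stamp_mismatches"])
```

Feed it the whole GMER.txt (`triage(open("GMER.txt").read().splitlines())`) to get the same per-process view of the real log; lines it does not recognise are simply skipped.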
  19. Geoffrey

    Geoffrey TS Rookie Topic Starter Posts: 18

    ---- User code sections - GMER 1.0.15 ----

    ? C:\WINDOWS\system32\services.exe[752] time/date stamp mismatch; unknown module: NTDSAPI.dllunknown module: NCObjAPI.DLLunknown module: SCESRV.dllunknown module: umpnpmgr.dll
    .text C:\WINDOWS\system32\services.exe[752] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
    .text C:\WINDOWS\system32\services.exe[752] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2017AD3C
    .text C:\WINDOWS\system32\services.exe[752] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 201877D4
    .text C:\WINDOWS\system32\services.exe[752] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2018165E
    .text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!sendto 71A52F51 5 Bytes JMP 2018251E
    .text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!recvfrom 71A52FF7 5 Bytes JMP 20182848
    .text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 20182B61
    .text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!send 71A54C27 5 Bytes JMP 201824D0
    .text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 201829A5
    .text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!recv 71A5676F 5 Bytes JMP 201827D9
    .text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 201828BD
    .text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!WSARecvFrom 71A5F66A 5 Bytes JMP 20182A80
    .text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!WSASendTo 71A60AAD 5 Bytes JMP 2018292E
    .text C:\WINDOWS\system32\lsass.exe[764] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
    .text C:\WINDOWS\system32\lsass.exe[764] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2017AD3C
    .text C:\WINDOWS\system32\lsass.exe[764] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 201877D4
    .text C:\WINDOWS\system32\lsass.exe[764] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2018165E
    .text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!sendto 71A52F51 5 Bytes JMP 2018251E
    .text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!recvfrom 71A52FF7 5 Bytes JMP 20182848
    .text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 20182B61
    .text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!send 71A54C27 5 Bytes JMP 201824D0
    .text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 201829A5
    .text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!recv 71A5676F 5 Bytes JMP 201827D9
    .text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 201828BD
    .text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!WSARecvFrom 71A5F66A 5 Bytes JMP 20182A80
    .text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!WSASendTo 71A60AAD 5 Bytes JMP 2018292E
    .text C:\WINDOWS\system32\Ati2evxx.exe[912] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
    .text C:\WINDOWS\system32\Ati2evxx.exe[912] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2017AD3C
    .text C:\WINDOWS\system32\Ati2evxx.exe[912] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 201877D4
    .text C:\WINDOWS\system32\Ati2evxx.exe[912] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2018165E
    ? C:\WINDOWS\system32\svchost.exe[932] time/date stamp mismatch;
    .text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
    .text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2017AD3C
    .text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 201877D4
    .text C:\WINDOWS\system32\svchost.exe[932] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2018165E
    .text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!sendto 71A52F51 5 Bytes JMP 2018251E
    .text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!recvfrom 71A52FF7 5 Bytes JMP 20182848
    .text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 20182B61
    .text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!send 71A54C27 5 Bytes JMP 201824D0
    .text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 201829A5
    .text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!recv 71A5676F 5 Bytes JMP 201827D9
    .text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 201828BD
    .text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!WSARecvFrom 71A5F66A 5 Bytes JMP 20182A80
    .text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!WSASendTo 71A60AAD 5 Bytes JMP 2018292E
    ? C:\WINDOWS\system32\svchost.exe[984] time/date stamp mismatch;
    .text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
    .text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2017AD3C
    .text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 201877D4
    .text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2018165E
    .text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!sendto 71A52F51 5 Bytes JMP 2018251E
    .text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!recvfrom 71A52FF7 5 Bytes JMP 20182848
    .text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 20182B61
    .text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!send 71A54C27 5 Bytes JMP 201824D0
    .text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 201829A5
    .text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!recv 71A5676F 5 Bytes JMP 201827D9
    .text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 201828BD
    .text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!WSARecvFrom 71A5F66A 5 Bytes JMP 20182A80
    .text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!WSASendTo 71A60AAD 5 Bytes JMP 2018292E
    ? C:\WINDOWS\System32\svchost.exe[1080] time/date stamp mismatch;
    .text C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20027958
    .text C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2001AD3C
    .text C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 200277D4
    .text C:\WINDOWS\System32\svchost.exe[1080] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2002165E
    ? C:\WINDOWS\System32\svchost.exe[1116] time/date stamp mismatch;
    .text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
    .text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2017AD3C
    .text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 201877D4
    .text C:\WINDOWS\System32\svchost.exe[1116] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2018165E
    .text C:\WINDOWS\System32\svchost.exe[1116] WS2_32.dll!sendto 71A52F51 5 Bytes JMP 2018251E
    .text C:\WINDOWS\System32\svchost.exe[1116] WS2_32.dll!recvfrom 71A52FF7 5 Bytes JMP 20182848
    .text C:\WINDOWS\System32\svchost.exe[1116] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 20182B61
    .text C:\WINDOWS\System32\svchost.exe[1116] WS2_32.dll!send 71A54C27 5 Bytes JMP 201824D0
    .text C:\WINDOWS\System32\svchost.exe[1116] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 201829A5
    .text C:\WINDOWS\System32\svchost.exe[1116] WS2_32.dll!recv 71A5676F 5 Bytes JMP 201827D9
    .text C:\WINDOWS\System32\svchost.exe[1116] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 201828BD
    .text C:\WINDOWS\System32\svchost.exe[1116] WS2_32.dll!WSARecvFrom 71A5F66A 5 Bytes JMP 20182A80
    .text C:\WINDOWS\System32\svchost.exe[1116] WS2_32.dll!WSASendTo 71A60AAD 5 Bytes JMP 2018292E
    .text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetCloseHandle 771BE85D 5 Bytes JMP 20184052
    .text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!HttpOpenRequestA 771C160A 5 Bytes JMP 20184482
    .text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!HttpOpenRequestW 771C2F0F 5 Bytes JMP 201844AF
    .text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetReadFile 771C5BAA 5 Bytes JMP 201843C7
    .text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!HttpSendRequestA 771C7519 5 Bytes JMP 20183859
    .text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 201844DC
    .text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetQueryDataAvailable 771D14D7 5 Bytes JMP 201840A8
    .text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!HttpSendRequestExW 771D2676 5 Bytes JMP 20183703
    .text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetWriteFile 771D27A3 5 Bytes JMP 2018391B
    .text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!HttpSendRequestW 771DDB8E 5 Bytes JMP 201838BA
    .text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetReadFileExW 771E26AD 5 Bytes JMP 201842AC
    .text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetReadFileExA 771E26E5 5 Bytes JMP 20184205
    .text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 20184503
    .text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!HttpSendRequestExA 77228EA6 5 Bytes JMP 201837AE
    ? C:\WINDOWS\system32\svchost.exe[1160] time/date stamp mismatch;
    .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
    .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2017AD3C
    .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 201877D4
    .text C:\WINDOWS\system32\svchost.exe[1160] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2018165E
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1224] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20027958
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1224] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2001AD3C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1224] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 200277D4
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!sendto 71A52F51 5 Bytes JMP 2002251E
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!recvfrom 71A52FF7 5 Bytes JMP 20022848
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 20022B61
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!send 71A54C27 5 Bytes JMP 200224D0
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 200229A5
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!recv 71A5676F 5 Bytes JMP 200227D9
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 200228BD
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!WSARecvFrom 71A5F66A 5 Bytes JMP 20022A80
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!WSASendTo 71A60AAD 5 Bytes JMP 2002292E
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1224] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2002165E
    ? C:\WINDOWS\system32\svchost.exe[1284] time/date stamp mismatch;
    .text C:\WINDOWS\system32\svchost.exe[1284] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
    .text C:\WINDOWS\system32\svchost.exe[1284] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2017AD3C
    .text C:\WINDOWS\system32\svchost.exe[1284] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 201877D4
    .text C:\WINDOWS\system32\svchost.exe[1284] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2018165E
    .text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!sendto 71A52F51 5 Bytes JMP 2018251E
    .text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!recvfrom 71A52FF7 5 Bytes JMP 20182848
    .text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 20182B61
    .text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!send 71A54C27 5 Bytes JMP 201824D0
    .text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 201829A5
    .text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!recv 71A5676F 5 Bytes JMP 201827D9
    .text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 201828BD
    .text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!WSARecvFrom 71A5F66A 5 Bytes JMP 20182A80
    .text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!WSASendTo 71A60AAD 5 Bytes JMP 2018292E
    .text C:\WINDOWS\system32\Ati2evxx.exe[1376] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
    .text C:\WINDOWS\system32\Ati2evxx.exe[1376] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2017AD3C
    .text C:\WINDOWS\system32\Ati2evxx.exe[1376] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 201877D4
    .text C:\WINDOWS\system32\Ati2evxx.exe[1376] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2018165E
    .text C:\D & S\Prezes\Pulpit\gmer.exe[1404] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20027958
    .text C:\D & S\Prezes\Pulpit\gmer.exe[1404] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2001AD3C
    .text C:\D & S\Prezes\Pulpit\gmer.exe[1404] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 200277D4
    .text C:\D & S\Prezes\Pulpit\gmer.exe[1404] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2002165E
    ? C:\WINDOWS\Explorer.EXE[1732] time/date stamp mismatch; unknown module: WINMM.dllunknown module: SETUPAPI.dllunknown module: WINSTA.dllunknown module: OLEACC.dllunknown module: BROWSEUI.dllunknown module: OLEAUT32.dllunknown module: SHDOCVW.dllunknown module: UxTheme.dll
    .text C:\WINDOWS\Explorer.EXE[1732] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
    .text C:\WINDOWS\Explorer.EXE[1732] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2017AD3C
    .text C:\WINDOWS\Explorer.EXE[1732] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 201877D4
    .text C:\WINDOWS\Explorer.EXE[1732] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2018165E
    .text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!InternetCloseHandle 771BE85D 5 Bytes JMP 20184052
    .text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!HttpOpenRequestA 771C160A 5 Bytes JMP 20184482
    .text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!HttpOpenRequestW 771C2F0F 5 Bytes JMP 201844AF
    .text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!InternetReadFile 771C5BAA 5 Bytes JMP 201843C7
    .text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!HttpSendRequestA 771C7519 5 Bytes JMP 20183859
    .text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 201844DC
    .text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!InternetQueryDataAvailable 771D14D7 5 Bytes JMP 201840A8
    .text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!HttpSendRequestExW 771D2676 5 Bytes JMP 20183703
    .text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!InternetWriteFile 771D27A3 5 Bytes JMP 2018391B
    .text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!HttpSendRequestW 771DDB8E 5 Bytes JMP 201838BA
    .text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!InternetReadFileExW 771E26AD 5 Bytes JMP 201842AC
    .text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!InternetReadFileExA 771E26E5 5 Bytes JMP 20184205
    .text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 20184503
    .text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!HttpSendRequestExA 77228EA6 5 Bytes JMP 201837AE
    .text C:\WINDOWS\system32\svchost.exe[1744] ntdll.dll!NtCreateThread 7C90D190 5 Bytes JMP 20151610
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!ReleaseDC 7E36869D 5 Bytes JMP 201568E0
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!GetDC 7E3686C7 5 Bytes JMP 20156860
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!GetWindowDC 7E369021 5 Bytes JMP 201568A0
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!GetMessageW 7E3691C6 5 Bytes JMP 20156050
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!PeekMessageW 7E36929B 5 Bytes JMP 20156110
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!GetCapture 7E3694DA 5 Bytes JMP 20155FF0
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!RegisterClassW 7E36A39A 5 Bytes JMP 20157DF0
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!RegisterClassExW 7E36AF7F 5 Bytes JMP 20157EB0
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!OpenInputDesktop 7E36ECA3 5 Bytes JMP 20157A80
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!SwitchDesktop 7E36FE6E 5 Bytes JMP 20157B00
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!DefDlgProcW 7E373D3A 5 Bytes JMP 20157BA0
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!GetMessageA 7E37772B 5 Bytes JMP 201560B0
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!RegisterClassExA 7E377C39 5 Bytes JMP 20157F10
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!DefWindowProcW 7E378D20 5 Bytes JMP 20157B20
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!BeginPaint 7E378FE9 5 Bytes JMP 20156750
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!EndPaint 7E378FFD 5 Bytes JMP 201567C0
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!GetCursorPos 7E37974E 5 Bytes JMP 20155DA0
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!GetMessagePos 7E37996C 5 Bytes JMP 20155D70
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!CallWindowProcW 7E37A01E 5 Bytes JMP 20157D20
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!PeekMessageA 7E37A340 5 Bytes JMP 20156170
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!GetUpdateRect 7E37A8C9 5 Bytes JMP 20156920
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!CallWindowProcA 7E37A97D 5 Bytes JMP 20157D60
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!DefWindowProcA 7E37C17E 5 Bytes JMP 20157B60
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!SetCapture 7E37C35E 5 Bytes JMP 20155E30
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!ReleaseCapture 7E37C37A 5 Bytes JMP 20155F40
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!GetDCEx 7E37C595 5 Bytes JMP 20156800
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!RegisterClassA 7E37EA5E 5 Bytes JMP 20157E50
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!GetUpdateRgn 7E37F5EC 5 Bytes JMP 201569C0
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!DefFrameProcW 7E380833 5 Bytes JMP 20157C20
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!DefMDIChildProcW 7E380A47 5 Bytes JMP 20157CA0
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!DefDlgProcA 7E38E577 5 Bytes JMP 20157BE0
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!DefFrameProcA 7E39F965 5 Bytes JMP 20157C60
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!DefMDIChildProcA 7E39F9B4 5 Bytes JMP 20157CE0
    .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!SetCursorPos 7E3A61B3 5 Bytes JMP 20155DF0
    ? C:\WINDOWS\system32\svchost.exe[1776] time/date stamp mismatch;
    .text C:\WINDOWS\system32\svchost.exe[1776] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
    .text C:\WINDOWS\system32\svchost.exe[1776] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2017AD3C
    .text C:\WINDOWS\system32\svchost.exe[1776] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 201877D4
    .text C:\WINDOWS\system32\svchost.exe[1776] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2018165E
    .text C:\WINDOWS\system32\svchost.exe[1776] ws2_32.dll!sendto 71A52F51 5 Bytes JMP 2018251E
    .text C:\WINDOWS\system32\svchost.exe[1776] ws2_32.dll!recvfrom 71A52FF7 5 Bytes JMP 20182848
    .text C:\WINDOWS\system32\svchost.exe[1776] ws2_32.dll!closesocket 71A53E2B 5 Bytes JMP 20182B61
    .text C:\WINDOWS\system32\svchost.exe[1776] ws2_32.dll!send 71A54C27 5 Bytes JMP 201824D0
    .text C:\WINDOWS\system32\svchost.exe[1776] ws2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 201829A5
    .text C:\WINDOWS\system32\svchost.exe[1776] ws2_32.dll!recv 71A5676F 5 Bytes JMP 201827D9
    .text C:\WINDOWS\system32\svchost.exe[1776] ws2_32.dll!WSASend 71A568FA 5 Bytes JMP 201828BD
    .text C:\WINDOWS\system32\svchost.exe[1776] ws2_32.dll!WSARecvFrom 71A5F66A 5 Bytes JMP 20182A80
    .text C:\WINDOWS\system32\svchost.exe[1776] ws2_32.dll!WSASendTo 71A60AAD 5 Bytes JMP 2018292E
    .text C:\WINDOWS\RTHDCPL.EXE[2056] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20027958
    .text C:\WINDOWS\RTHDCPL.EXE[2056] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2001AD3C
    .text C:\WINDOWS\RTHDCPL.EXE[2056] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 200277D4
    .text C:\WINDOWS\RTHDCPL.EXE[2056] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2002165E
    ? C:\WINDOWS\system32\svchost.exe[2212] time/date stamp mismatch;
    .text C:\WINDOWS\system32\svchost.exe[2212] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20027958
    .text C:\WINDOWS\system32\svchost.exe[2212] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2001AD3C
    .text C:\WINDOWS\system32\svchost.exe[2212] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 200277D4
    .text C:\WINDOWS\system32\svchost.exe[2212] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2002165E
    .text C:\WINDOWS\system32\svchost.exe[2212] WS2_32.dll!sendto 71A52F51 5 Bytes JMP 2002251E
    .text C:\WINDOWS\system32\svchost.exe[2212] WS2_32.dll!recvfrom 71A52FF7 5 Bytes JMP 20022848
    .text C:\WINDOWS\system32\svchost.exe[2212] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 20022B61
    .text C:\WINDOWS\system32\svchost.exe[2212] WS2_32.dll!send 71A54C27 5 Bytes JMP 200224D0
    .text C:\WINDOWS\system32\svchost.exe[2212] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 200229A5
    .text C:\WINDOWS\system32\svchost.exe[2212] WS2_32.dll!recv 71A5676F 5 Bytes JMP 200227D9
    .text C:\WINDOWS\system32\svchost.exe[2212] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 200228BD
    .text C:\WINDOWS\system32\svchost.exe[2212] WS2_32.dll!WSARecvFrom 71A5F66A 5 Bytes JMP 20022A80
    .text C:\WINDOWS\system32\svchost.exe[2212] WS2_32.dll!WSASendTo 71A60AAD 5 Bytes JMP 2002292E
    ? C:\WINDOWS\system32\svchost.exe[2312] time/date stamp mismatch;
    .text C:\WINDOWS\system32\svchost.exe[2312] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20027958
    .text C:\WINDOWS\system32\svchost.exe[2312] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2001AD3C
    .text C:\WINDOWS\system32\svchost.exe[2312] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 200277D4
    .text C:\WINDOWS\system32\svchost.exe[2312] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2002165E
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2416] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20067958
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2416] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2005AD3C
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2416] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 200677D4
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2416] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2006165E
    .text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20027958
    .text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2001AD3C
    .text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 200277D4
    .text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2002165E
    .text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] WS2_32.dll!sendto 71A52F51 5 Bytes JMP 2002251E
    .text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] WS2_32.dll!recvfrom 71A52FF7 5 Bytes JMP 20022848
    .text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 20022B61
    .text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] WS2_32.dll!send 71A54C27 5 Bytes JMP 200224D0
    .text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 200229A5
    .text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] WS2_32.dll!recv 71A5676F 5 Bytes JMP 200227D9
    .text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 200228BD
    .text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] WS2_32.dll!WSARecvFrom 71A5F66A 5 Bytes JMP 20022A80
    .text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] WS2_32.dll!WSASendTo 71A60AAD 5 Bytes JMP 2002292E
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20027958
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2001AD3C
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 200277D4
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2002165E
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ws2_32.dll!sendto 71A52F51 5 Bytes JMP 2002251E
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ws2_32.dll!recvfrom 71A52FF7 5 Bytes JMP 20022848
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ws2_32.dll!closesocket 71A53E2B 5 Bytes JMP 20022B61
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ws2_32.dll!send 71A54C27 5 Bytes JMP 200224D0
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ws2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 200229A5
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ws2_32.dll!recv 71A5676F 5 Bytes JMP 200227D9
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ws2_32.dll!WSASend 71A568FA 5 Bytes JMP 200228BD
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ws2_32.dll!WSARecvFrom 71A5F66A 5 Bytes JMP 20022A80
    .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ws2_32.dll!WSASendTo 71A60AAD 5 Bytes JMP 2002292E

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x07 0xAE 0xEE 0xBF ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x93 0x7C 0x54 0x16 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x73 0x30 0xA0 0x55 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x23 0x8D 0x5C 0xEC ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x07 0xAE 0xEE 0xBF ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x93 0x7C 0x54 0x16 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x73 0x30 0xA0 0x55 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x23 0x8D 0x5C 0xEC ...

    ---- Files - GMER 1.0.15 ----

    File C:\D & S\Prezes\Menu Start\Programy\Autostart\gvgaehbg.exe 101304 bytes executable
    File C:\D & S\Prezes\Ustawienia lokalne\Dane aplikacji\cbqlaqxc 0 bytes
    File C:\D & S\Prezes\Ustawienia lokalne\Dane aplikacji\cbqlaqxc\gvgaehbg.exe 101304 bytes executable
    File C:\TMP\gvgaehbg.exe 101304 bytes executable

    ---- EOF - GMER 1.0.15 ----
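    A defender's triage of the inline-hook section of the GMER log above, added here as an example and not something posted in this thread or shipped with GMER. It parses GMER's ".text <image>[pid] <module>!<export> <addr> 5 Bytes JMP <target>" lines (skipping the "?" time/date stamp line GMER also prints), reports which exports are hooked in every process, and checks whether the JMP targets of two processes differ by one constant, which is what you see when the same injected image is mapped at a different base in each process. The sample lines are copied from the log above; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Lines copied from the GMER inline-hook section of the log above. The "?" line
# is a non-hook line GMER also emits; the parser must ignore it.
SAMPLE_LOG = r"""
? C:\WINDOWS\system32\svchost.exe[2312] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[2312] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20027958
.text C:\WINDOWS\system32\svchost.exe[2312] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2001AD3C
.text C:\WINDOWS\system32\svchost.exe[2312] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 200277D4
.text C:\WINDOWS\system32\svchost.exe[2312] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2002165E
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2416] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20067958
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2416] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2005AD3C
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2416] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 200677D4
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2416] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2006165E
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 200277D4
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ws2_32.dll!send 71A54C27 5 Bytes JMP 200224D0
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ws2_32.dll!recv 71A5676F 5 Bytes JMP 200227D9
"""

# One GMER user-mode inline hook: image path, pid, hooked export, patched
# address, patch length and the JMP destination (the injected code).
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<export>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)$"
)


def parse_hooks(log_text):
    """Return one dict per inline-hook line; every other line is ignored."""
    hooks = []
    for raw in log_text.splitlines():
        m = HOOK_RE.match(raw.strip())
        if not m:
            continue
        hooks.append({
            "proc": (m["image"], int(m["pid"])),
            # GMER prints the module name as each process imported it
            # (WS2_32.dll vs ws2_32.dll), so normalise case before comparing.
            "func": f"{m['module'].lower()}!{m['export']}",
            "addr": int(m["addr"], 16),
            "size": int(m["size"]),
            "target": int(m["target"], 16),
        })
    return hooks


def hooked_funcs_by_process(hooks):
    """Map (image, pid) -> set of hooked 'module!export' names."""
    by_proc = defaultdict(set)
    for h in hooks:
        by_proc[h["proc"]].add(h["func"])
    return dict(by_proc)


def funcs_hooked_everywhere(hooks):
    """Exports hooked in every parsed process. A hook set shared by unrelated
    processes (svchost, a media player, a GPU control panel) points to code
    injected system-wide rather than one product hooking only itself."""
    by_proc = hooked_funcs_by_process(hooks)
    return set.intersection(*by_proc.values()) if by_proc else set()


def relocation_delta(hooks, proc_a, proc_b):
    """If every export hooked in both processes satisfies
    target_b == target_a + k for a single constant k, both processes carry the
    same injected image mapped k bytes apart. Returns k, or None when the
    per-export deltas disagree or the processes share no hooked export."""
    ta = {h["func"]: h["target"] for h in hooks if h["proc"] == proc_a}
    tb = {h["func"]: h["target"] for h in hooks if h["proc"] == proc_b}
    deltas = {tb[f] - ta[f] for f in ta.keys() & tb.keys()}
    return deltas.pop() if len(deltas) == 1 else None


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    procs = sorted(hooked_funcs_by_process(hooks))
    print("hooked in every process:", sorted(funcs_hooked_everywhere(hooks)))
    for p in procs[1:]:
        k = relocation_delta(hooks, procs[0], p)
        print(f"{p[0]}[{p[1]}] vs {procs[0][0]}[{procs[0][1]}]: delta",
              "inconsistent" if k is None else hex(k))
```

    On the log above, svchost.exe[2312], WMPNetwk.exe[2560] and ccc.exe[3480] all jump to identical targets (delta 0), while MOM.exe[2416] jumps to the same low 16 bits shifted by 0x40000: one relocated image, not four coincidences. That is the observation that justifies looking for an injected executable (here the gvgaehbg.exe copies in the Files section) rather than treating each process separately.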
  20. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Download BlitzBlank and save it to your desktop.

    • Double-click BlitzBlank.exe to run it.
    • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
    • Click the Script tab and copy/paste the following text there:
    • Click Execute Now. Your computer will need to reboot in order to kill the files.
    • When done, post me the report created by BlitzBlank. You can find it at the root of the drive, normally C:\
  21. Geoffrey

    Geoffrey TS Rookie Topic Starter Posts: 18

    I'm getting a syntax error: 'Syntax error in line 2, Invalid file path.' In the TMP folder there was a suspicious-looking xbeujjdm file, though.
  22. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    • Double-click BlitzBlank.exe to run it.
    • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
    • Click the Script tab and copy/paste the following text there:
    • Click Execute Now. Your computer will need to reboot in order to kill the files.
    • When done, post me the report created by BlitzBlank. You can find it at the root of the drive, normally C:\
  23. Geoffrey

    Geoffrey TS Rookie Topic Starter Posts: 18

    Still no luck. I get the same error as above.
  24. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please open Malwarebytes' Anti-Malware, and click More Tools tab. Under FileASSASSIN, click Run Tool.

    For each file listed below (this process only handles one file at a time), find its location, and you will see the name of the file in the Filename box, then click Open.

    Files to delete using FileASSASSIN:
    C:\TMP\rsjinqaf.sys
    C:\TMP\gvgaehbg.exe
    C:\D & S\Prezes\Menu Start\Programy\Autostart\gvgaehbg.exe


    The FileASSASSIN will then delete the file, or ask you to reboot your computer in order to delete it. Please allow it to reboot, if necessary.

    Run Malwarebytes' Anti-Rootkit again and post a log please.
  25. Geoffrey

    Geoffrey TS Rookie Topic Starter Posts: 18

    I couldn't find the mentioned files with FA. None of them. I've run the scan though:

    Malwarebytes Anti-Rootkit 1.1.0.1009
    www.malwarebytes.org

    Database version: v2012.11.25.06

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 7.0.5730.13
    Prezes :: KOMP [administrator]

    2012-11-25 22:00:21
    mbar-log-2012-11-25 (22-00-21).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
    Scan options disabled: PUP | PUM | P2P
    Objects scanned: 26355
    Time elapsed: 4 minute(s), 25 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 2
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> Delete on reboot. [562bc5f414493bfb413c1a5df909b050]
    HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) -> Delete on reboot. [ed940dac62fb0c2a1f5d067138ca857b]

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 3
    HKLM\SOFTWARE\Microsoft\Security Center|ANTIVIRUSDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot. [077a3188c39a999d03f454d4eb19c739]
    HKLM\SOFTWARE\Microsoft\Security Center|FIREWALLDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot. [463bdfda5c01221464947cac8c780ff1]
    HKLM\SOFTWARE\Microsoft\Security Center|UPDATESDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot. [7b068f2a75e872c433c664c4719356aa]

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)