Resolved Can't start several programs or access some sites


Geoffrey

Hello. I'm using Windows XP SP3 and something prevents me from starting any anti-virus programs and, for some reason, Opera. I tried starting in safe mode but that didn't work. Neither can I access the sites of anti-virus programs. I managed to start MBAM via their Chameleon tool and run a check. Then it told me to reboot, which I did. But I still couldn't start the same things, and after running the search a second time, the same viruses were shown. I also downloaded GMER, which worked fine, so I have these logs. But when trying to run DDS I get the following Application Error: "The procedure * could not be located in the DLL sfc.dll.". After closing it with Task Manager, the program only produces the Attach.txt but not the other. I would be very thankful for any help.
Here are the logs (MBAM and Attach are in Polish, but I hope that's not too big an inconvenience):

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Wersja bazy: v2012.11.11.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
:: KOMP [administrator]

2012-11-11 16:36:36
mbam-log-2012-11-11 (16-36-36).txt

Typ skanowania: Szybkie skanowanie
Zaznaczone opcje skanowania: Pamięć | Rozruch | Rejestr | System plików | Heurystyka/Dodatkowe | Heuristyka/Shuriken | PUP | PUM
Odznaczone opcje skanowania: P2P
Przeskanowano obiektów: 253082
Upłynęło: 3 minut(y), 37 sekund(y)

Wykrytych procesów w pamięci: 0
(Nie znaleziono zagrożeń)

Wykrytych modułów w pamięci: 0
(Nie znaleziono zagrożeń)

Wykrytych kluczy rejestru: 2
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> Dodanie do kwarantanny I usunięcie pliku zakończyły się powodzeniem.
HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) -> Dodanie do kwarantanny I usunięcie pliku zakończyły się powodzeniem.

Wykrytych wartości rejestru: 0
(Nie znaleziono zagrożeń)

Wykryte wpisy rejestru systemowego: 3
HKLM\SOFTWARE\Microsoft\Security Center|ANTIVIRUSDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Złe: (1) Dobre: (0) -> Dodanie do kwarantanny I naprawa pliku zakończyły się powodzeniem.
HKLM\SOFTWARE\Microsoft\Security Center|FIREWALLDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Złe: (1) Dobre: (0) -> Dodanie do kwarantanny I naprawa pliku zakończyły się powodzeniem.
HKLM\SOFTWARE\Microsoft\Security Center|UPDATESDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Złe: (1) Dobre: (0) -> Dodanie do kwarantanny I naprawa pliku zakończyły się powodzeniem.

wykrytych folderów: 0
(Nie znaleziono zagrożeń)

Wykrytych plików: 0
(Nie znaleziono zagrożeń)

(zakończone)

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2012-11-11 16:52:12
Windows 5.1.2600 Dodatek Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xAEF92D42]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xAEF92BAD]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89D5B1F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----

DDS (Ver_2012-11-07.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2009-10-29 13:43:39
System Uptime: 2012-11-11 16:50:20 (1 hours ago)
.
Motherboard: MSI | | MS-7250
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4000+ | CPU 1 | 2100/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 49 GiB total, 5,674 GiB free.
D: is FIXED (NTFS) - 49 GiB total, 7,477 GiB free.
E: is FIXED (NTFS) - 135 GiB total, 3,269 GiB free.
F: is CDROM ()
G: is CDROM ()
H: is CDROM ()
J: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standardowa klawiatura 101/102 klawisze lub Microsoft Natural Keyboard PS/2
Device ID: ACPI\PNP0303\4&126B373&0
Manufacturer: (Klawiatury standardowe)
Name: Standardowa klawiatura 101/102 klawisze lub Microsoft Natural Keyboard PS/2
PNP Device ID: ACPI\PNP0303\4&126B373&0
Service: i8042prt
.
Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Mysz Microsoft PS/2
Device ID: ACPI\PNP0F03\4&126B373&0
Manufacturer: Microsoft
Name: Mysz Microsoft PS/2
PNP Device ID: ACPI\PNP0F03\4&126B373&0
Service: i8042prt
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&B24231D&0&00
Manufacturer: NVIDIA
Name: NVIDIA nForce Networking Controller
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&B24231D&0&00
Service: NVENETFD
.
==== System Restore Points ===================
.
RP367: 2012-10-27 13:53:31 - Punkt kontrolny systemu
RP368: 2012-10-28 21:18:33 - Punkt kontrolny systemu
RP369: 2012-11-01 14:04:57 - Punkt kontrolny systemu
RP370: 2012-11-06 15:48:58 - Punkt kontrolny systemu
RP371: 2012-11-09 15:34:23 - Punkt kontrolny systemu
RP372: 2012-11-10 12:03:48 - Operacja przywracania
RP373: 2012-11-10 12:08:36 - Operacja przywracania
RP374: 2012-11-10 23:06:53 - Instalacja avast! Free Antivirus
.
==== Image File Execution Options =============
.
IFEO: Your Image File Name Here without a path - ntsd -d
.
==== Installed Programs ======================
.
7-Zip 9.20
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe ExtendScript Toolkit CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 9.3 - Deutsch
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player 11.6
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
AMD APP SDK Runtime
AMD Catalyst Install Manager
Amnesia - The Dark Descent
Arcanum Of Steamworks and Magick Obscura
Audiograbber 1.83 SE
Audiograbber MP3 Plugin
avast! Free Antivirus
Bandisoft MPEG-1 Decoder
Borland Delphi 7
calibre
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
Chess 0.9
Connect
Crusader Kings II
Deep Fritz 13
Diablo III
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Plus Web Player
Dropbox
Dungeons of Dredmor
F.lux
Faster Than Light
FastStone Image Viewer 4.3
FlatOut2
Freelancer 1.5
GIMP 2.8.2
Google Chrome
Google Earth
Hi-Rez Studios Authenticate and Update Service
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB954550-v5)
Hotline Miami
JADE (Java-based Ancient Domains Engine)
Java Auto Updater
Java(TM) 6 Update 22
Java(TM) 6 Update 24
K-Lite Codec Pack 5.3.0 (Full)
kuler
League of Legends
Left 4 Dead 2
Legend of Grimrock
LIMBO
LOLReplay
Malwarebytes Anti-Malware version 1.65.1.1000
Mass Effect™ 3
MatheAss 8.2
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - PLK
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - PLK
Microsoft .NET Framework 3.5 Language Pack SP1 - plk
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile PLK Language Pack
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Extended PLK Language Pack
Microsoft Games for Windows - LIVE Redistributable
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft WSE 3.0 Runtime
Microsoft XNA Framework Redistributable 3.0
Microsoft XNA Framework Redistributable 3.1
Microsoft XNA Framework Redistributable 4.0
MotioninJoy ds3 driver version 0.4.0002
Mozilla Firefox 14.0.1 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB925673)
MTX
Nexon Game Manager
OpenAL
OpenOffice.org 3.3
Opera 12.10
Origin
Paint.NET v3.5.10
Pakiet językowy programu Microsoft .NET Framework 3.5 z dodatkiem SP1 — PLK
Pakiet sterowników systemu Windows - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Pando Media Booster
PDF Settings CS4
Photoshop Camera Raw
Planescape Torment
Polski pakiet językowy dla programu Microsoft .NET Framework 4 Client Profile
Polski pakiet językowy dla programu Microsoft .NET Framework 4 Extended
Poprawka dla systemu Windows XP (KB938759)
PuTTY version 0.61
Quake Live Mozilla Plugin
Real Alternative 2.0.2
Realtek High Definition Audio Driver
SAMSUNG USB Driver for Mobile Phones
Security Task Manager 1.7h
Skype™ 5.10
Smite
Solium Infernum
Source SDK Base 2007
Spybot - Search & Destroy
StarCraft II
Stay Secure
Steam
Suite Shared Configuration CS4
swMSM
Sword of Damocles: Warlords 3.92
System Requirements Lab CYRI
The Sims™ 3
TmNationsForever
TRON
TuneUp Utilities 2011
TuneUp Utilities Language Pack (en-US)
Unity Web Player
VC80CRTRedist - 8.0.50727.4053
Ventrilo Client
Visual C++ 9.0 CRT (x86) WinSXS MSM
WebFldrs XP
Winamp
Winamp Detector Plug-in
Windows Presentation Foundation
XML Paper Specification Shared Components Language Pack 1.0
XML Paper Specification Shared Components Pack 1.0
Zeus and Poseidon
.
==== End Of File ===========================
 
Hello, and welcome to TechSpot.


Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic where you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

ComboFix scan

Please download ComboFix
by sUBs
From BleepingComputer.com

Please save the file to your Desktop.

Important information about ComboFix


After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on ComboFix.exe & follow the prompts.
  • When ComboFix finishes, it will produce a report for you.
  • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again and rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
 
Thanks for the response. I got ComboFix via USB stick from another computer. It starts (after renaming it from ComboFix), but when installing it, somewhere around the middle the same error as with the DDS check pops up: "The procedure * could not be located in the DLL sfc.dll.". It happens a bunch of times, and when it's finished it gives me a warning about running ComboFix, but the program isn't installed anywhere. I also tried to run it in safe mode, but the same thing happens. I'm guessing something is missing in the registry, but I didn't want to mess anything up by tinkering in it.
 
RogueKiller Scan

  • Download RogueKiller and save it on your desktop.
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan


  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.


  • The report has been created on the desktop.
  • Next click on the ShortcutsFix

  • The report has been created on the desktop.
Please post:

All RKreport.txt text files located on your desktop.



Download Windows Repair (all in one) from this site

Install the program then run it.

Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:





Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:




Go to Step 4 and under "System Restore" click on Create button:




Go to Start Repairs tab and click Start button.




Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):



Click on box next to the Restart System when Finished. Then click on Start.


Then, try ComboFix again, as well.
 
I followed the instructions, but ComboFix still shows the same error. Anyway, here are the logs from RogueKiller:

RogueKiller V8.2.3 [11/07/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Dodatek Service Pack 3) 32 bits version
Started in : Normal mode
User : Prezes [Admin rights]
Mode : Scan -- Date : 11/12/2012 19:46:09

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 16 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : GvgAehbg (C:\D & S\Prezes\Ustawienia lokalne\Dane aplikacji\cbqlaqxc\gvgaehbg.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-220523388-362288127-682003330-500[...]\Run : GvgAehbg (C:\D & S\Prezes\Ustawienia lokalne\Dane aplikacji\cbqlaqxc\gvgaehbg.exe) -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableCMD (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableCMD (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Security Center : ANTIVIRUSDISABLENOTIFY (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FIREWALLDISABLENOTIFY (1) -> FOUND
[HJ] HKLM\[...]\Security Center : UPDATESDISABLENOTIFY (1) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[41] : NtCreateKey @ 0x80623786 -> HOOKED (\??\C:\TMP\rsjinqaf.sys @ 0xF77B16AC)
SSDT[119] : NtOpenKey @ 0x80624B58 -> HOOKED (\??\C:\TMP\rsjinqaf.sys @ 0xF77B1562)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 activate.adobe.com
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500AAJS-00VTA0 +++++
--- User ---
[MBR] 0482194ca901016647363fd33026233c
[BSP] 796d5011dbe7c943fd8ffc0cc7f5d59e : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 49999 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 102398310 | Size: 188465 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_11122012_02d1946.txt >>
RKreport[1]_S_11122012_02d1946.txt



RogueKiller V8.2.3 [11/07/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Dodatek Service Pack 3) 32 bits version
Started in : Normal mode
User : Prezes [Admin rights]
Mode : Remove -- Date : 11/12/2012 19:46:17

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 15 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : GvgAehbg (C:\D & S\Prezes\Ustawienia lokalne\Dane aplikacji\cbqlaqxc\gvgaehbg.exe) -> DELETED
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableCMD (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableCMD (0) -> DELETED
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ] HKLM\[...]\Security Center : ANTIVIRUSDISABLENOTIFY (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : FIREWALLDISABLENOTIFY (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : UPDATESDISABLENOTIFY (1) -> REPLACED (0)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[41] : NtCreateKey @ 0x80623786 -> HOOKED (\??\C:\TMP\rsjinqaf.sys @ 0xF77B16AC)
SSDT[119] : NtOpenKey @ 0x80624B58 -> HOOKED (\??\C:\TMP\rsjinqaf.sys @ 0xF77B1562)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 activate.adobe.com
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500AAJS-00VTA0 +++++
--- User ---
[MBR] 0482194ca901016647363fd33026233c
[BSP] 796d5011dbe7c943fd8ffc0cc7f5d59e : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 49999 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 102398310 | Size: 188465 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_11122012_02d1946.txt >>
RKreport[1]_S_11122012_02d1946.txt ; RKreport[2]_D_11122012_02d1946.txt



RogueKiller V8.2.3 [11/07/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Dodatek Service Pack 3) 32 bits version
Started in : Normal mode
User : Prezes [Admin rights]
Mode : Shortcuts HJfix -- Date : 11/12/2012 19:47:59

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 20 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 65 / Fail 0
My documents: Success 6 / Fail 6
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 1265 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[E:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[F:] \Device\CdRom0 -- 0x5 --> Skipped
[G:] \Device\CdRom1 -- 0x5 --> Skipped
[H:] \Device\CdRom2 -- 0x5 --> Skipped

Finished : << RKreport[3]_SC_11122012_02d1947.txt >>
RKreport[1]_S_11122012_02d1946.txt ; RKreport[2]_D_11122012_02d1946.txt ; RKreport[3]_SC_11122012_02d1947.txt
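The RogueKiller findings above are worth reading as a pattern rather than a list: policy keys that lock the user out of Task Manager, regedit and cmd, Security Center values that suppress the "antivirus is off" warnings, an autorun living in the user's application-data folder, and SSDT hooks served by a driver in C:\TMP. The Python script below is added here as an illustration and is not part of the thread, of RogueKiller or of TechSpot's tooling; it parses lines in the report's format and groups them that way. The category names, the profile-folder markers and the driver-folder rule are this example's own assumptions, and the sample lines are copied from the report posted above.

```python
"""Triage a RogueKiller-style scan report for signs that the machine's defences
were tampered with.  Added example for this thread, not RogueKiller's or
TechSpot's own code: the line formats come from the report posted above, while
the category names and the "suspicious location" rules are assumptions."""
import re
from collections import defaultdict

# "[TAG][SUBTAG] HIVE\[...]\Key : Name (Value) -> STATUS"
REG_RE = re.compile(
    r"^\[(?P<tag>[A-Z ]+)\](?:\[[A-Z ]+\])?\s+"
    r"(?P<key>.+?)\s*:\s*(?P<name>\S+)\s+\((?P<value>[^)]*)\)\s*->\s*(?P<status>[A-Z]+)"
)
# "SSDT[41] : NtCreateKey @ 0x80623786 -> HOOKED (\??\C:\TMP\x.sys @ 0xF77B16AC)"
HOOK_RE = re.compile(
    r"^SSDT\[\d+\]\s*:\s*(?P<func>\w+)\s*@\s*0x[0-9A-Fa-f]+\s*->\s*HOOKED\s*"
    r"\((?P<module>[^@]+?)\s*@\s*0x[0-9A-Fa-f]+\)"
)
# Policy values that lock the user out of the tools needed to inspect an infection.
TOOL_LOCKOUT = {"disabletaskmgr", "disableregistrytools", "disablecmd"}
# Security Center values that silence the "antivirus/firewall/updates are off" warnings.
ALERT_SILENCERS = {"antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify"}
# Folder names (English and Polish) marking a path inside a user profile (assumption):
# an autorun there, rather than under Program Files or System32, deserves a closer look.
PROFILE_MARKERS = ("\\application data\\", "\\appdata\\", "\\dane aplikacji\\")
# Kernel drivers normally load from here; a hook installed from anywhere else
# (C:\TMP in this thread) is the first file to pull for analysis.
DRIVER_DIR = "\\system32\\drivers\\"


def classify(tag, name):
    """Map one registry finding to a coarse category (category names are assumptions)."""
    name = name.lower()
    if tag.strip() == "RUN":
        return "persistence"
    if name in TOOL_LOCKOUT:
        return "tool_lockout"
    if name in ALERT_SILENCERS:
        return "alerts_silenced"
    if name == "enablelua":
        return "uac_tamper"
    return "shell_cosmetic"  # hidden Start menu / desktop items: a nuisance, not a threat


def in_force(category, value):
    """Whether the restriction is currently active; None where that has no meaning."""
    if category in ("tool_lockout", "alerts_silenced"):
        return value != "0"
    if category == "uac_tamper":
        return value == "0"  # EnableLUA=0 means UAC is switched off
    return None


def triage(report_text):
    """Bucket registry findings by category and list SSDT hooks under "kernel_hooks".
    Each finding keeps the raw value, whether it is in force and whether an autorun
    target sits inside a user profile; hooks get a flag for an unusual module location."""
    buckets = defaultdict(list)
    for line in report_text.splitlines():
        line = line.strip()
        m = REG_RE.match(line)
        if m:
            cat = classify(m.group("tag"), m.group("name"))
            value = m.group("value")
            buckets[cat].append({
                "name": m.group("name"), "value": value, "status": m.group("status"),
                "in_force": in_force(cat, value),
                "in_profile": any(mk in value.lower() for mk in PROFILE_MARKERS),
            })
            continue
        h = HOOK_RE.match(line)
        if h:
            module = h.group("module")
            buckets["kernel_hooks"].append({
                "function": h.group("func"), "module": module,
                "outside_driver_dir": DRIVER_DIR not in module.lower(),
            })
    return dict(buckets)


# Sample input: lines copied from the scan report posted in this thread.
SAMPLE = r"""
[RUN][SUSP PATH] HKCU\[...]\Run : GvgAehbg (C:\D & S\Prezes\Ustawienia lokalne\Dane aplikacji\cbqlaqxc\gvgaehbg.exe) -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableCMD (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Security Center : ANTIVIRUSDISABLENOTIFY (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FIREWALLDISABLENOTIFY (1) -> FOUND
[HJ] HKLM\[...]\Security Center : UPDATESDISABLENOTIFY (1) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
SSDT[41] : NtCreateKey @ 0x80623786 -> HOOKED (\??\C:\TMP\rsjinqaf.sys @ 0xF77B16AC)
SSDT[119] : NtOpenKey @ 0x80624B58 -> HOOKED (\??\C:\TMP\rsjinqaf.sys @ 0xF77B1562)
"""

if __name__ == "__main__":
    for category, items in sorted(triage(SAMPLE).items()):
        print(category)
        for item in items:
            print("   ", item)
```

The grouping makes the priorities visible: the lockout policies are present but not in force (value 0), the three Security Center notifications are in force, and the hooks on NtCreateKey and NtOpenKey come from a module outside the driver folder, which is consistent with the registry-related failures described earlier in the thread.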
 
Okie dokie...

Kaspersky GetSystemInfo Scan

Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.

Note: please close all other applications running on your system.

Double click GetSystemInfo.exe to open it. It will display an agreement. Click on I Agree to continue.

Click the Settings button.




Set the slider to Maximum.



IMPORTANT! Then, click Customize - choose Driver / Ports tab and uncheck Scan Ports.




On the General tab, make sure all of the boxes are checked.




On the Misc tab, make sure all the checkboxes are checked.

Then, click OK on the windows that you launched.



Click Create Report to run it.


It will begin scanning.

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop.

It should automatically upload it to http://www.getsysteminfo.com. If it does not, then please submit it manually by going to the site and doing the upload process.

It will redirect to a page, where it will provide a sharing URL for specialists. Copy and paste the url of the GSI Parser report in your next reply.
 
Too many security programs?

I suspect that you may be running too many security programs with real-time protection. Keep in mind that running too much real-time protection can cause more problems than it prevents. It can also cause system crashes, and even false positives.

Please remove Spybot Search & Destroy.


CCleaner Temporary Files Cleaning

NOTE: If you already have this installed, you don't have to reinstall it.

Please download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

  • Double-click the CCleaner shortcut on the desktop to start the program.
  • A prompt will ask you if you want CCleaner to do a check to see what cookies it needs to keep. Allow that operation.
  • On the Cleaner tab, click on Run Cleaner on the bottom-right to run the program.
  • Important: Make sure that ALL browser windows are closed before selecting Run Cleaner, or it will ask if you want the program to close them for you (when you do this, all unsaved data may be lost in the browser).

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed its process.


ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
  • Click Start or wait for the scanner to load.
  • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, there are a couple of things to keep in mind:
  • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
  • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
  • Open the logfile from wherever you saved it
  • Copy and paste the contents in your next reply.
 
I couldn't access the site. It just said it was unable to connect, just like with several other security sites.
 
OTLPE + Farbar Recovery Scan Tool

  • Download OTLPENet.exe to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive. (Get the 64 bit version)
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
  • Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy
  • Insert the flash drive with FRST on it
  • Locate the flash drive and run FRST
  • The tool will start to run.

  • When the tool opens click Yes to disclaimer.
  • Press Scan button. It will do its scan and save a log on your flash drive.
  • Close out of the message after that, then type the text services.exe into the "Search:" text box. Then, press the Search file(s) button, just as below:

    When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
  • Type exit in the Command Prompt window and reboot the computer normally
  • FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply.
 
I made the logs. My Windows is 32-bit though, so I took the matching FRST version. Anyway:


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-11-2012
Ran by SYSTEM at 17-11-2012 19:00:05
Running from F:\
Microsoft Windows XP (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RTHDCPL] RTHDCPL.EXE [x]
HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2012-07-03] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4297136 2012-10-30] (AVAST Software)
HKLM\...\Winlogon: [Userinit] C:\WINDOWS\system32\userinit.exe,C:\D & S\Prezes\Ustawienia lokalne\Dane aplikacji\cbqlaqxc\gvgaehbg.exe, [101304 2012-11-09] ()
Winlogon\Notify\AtiExtEvent: Ati2evxx.dll (ATI Technologies Inc.)
Winlogon\Notify\LMIinit: LMIinit.dll (LogMeIn, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

==================== Services (Whitelisted) ===================

2 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [593920 2009-09-25] ()
2 Eventlog; C:\Windows\System32\services.exe [109056 2008-04-15] (Microsoft Corporation)
3 MozillaMaintenance; "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe" [115168 2012-11-15] (Mozilla Foundation)
3 npggsvc; C:\WINDOWS\system32\GameMon.des -service [3700176 2010-08-15] (INCA Internet Co., Ltd.)
3 FontCache3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [x]
4 HiPatchService; C:\Program Files\Hi-Rez Studios\HiPatchService.exe [x]
2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]

==================== Drivers (Whitelisted) ====================

1 Aavmker4; C:\Windows\System32\Drivers\Aavmker4.sys [25256 2012-10-30] (AVAST Software)
1 AmdK8; C:\Windows\System32\DRIVERS\AmdK8.sys [43520 2006-07-01] (Advanced Micro Devices)
1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [738504 2012-10-30] (AVAST Software)
3 ati2mtag; C:\Windows\System32\DRIVERS\ati2mtag.sys [7874560 2012-07-04] (ATI Technologies Inc.)
3 AtiHDAudioService; C:\Windows\System32\drivers\AtihdXP3.sys [103040 2012-05-14] (Advanced Micro Devices)
2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [281760 2010-08-16] ()
3 hamachi; C:\Windows\System32\DRIVERS\hamachi.sys [26176 2009-03-18] (LogMeIn, Inc.)
3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-15] (Windows (R) Server 2003 DDK provider)
3 HssDrv; C:\Windows\System32\DRIVERS\HssDrv.sys [37376 2010-09-22] (AnchorFree Inc.)
3 irsir; C:\Windows\System32\DRIVERS\irsir.sys [18688 2001-08-17] (Microsoft Corporation)
3 libusb0; C:\Windows\System32\drivers\libusb0.sys [33792 2005-03-09] ()
2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [25888 2010-08-16] ()
3 MotioninJoyXFilter; C:\Windows\System32\DRIVERS\MijXfilt.sys [48640 2010-03-18] (MotioninJoy)
0 nvata; C:\Windows\System32\DRIVERS\nvata.sys [105344 2006-08-21] (NVIDIA Corporation)
3 NVENETFD; C:\Windows\System32\DRIVERS\NVENETFD.sys [57856 2006-09-11] (NVIDIA Corporation)
0 nvgts; C:\Windows\System32\DRIVERS\nvgts5.sys [101888 2008-07-15] (NVIDIA Corporation)
3 nvnetbus; C:\Windows\System32\DRIVERS\nvnetbus.sys [19968 2006-09-11] (NVIDIA Corporation)
3 Rasirda; C:\Windows\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
1 SBRE; \??\C:\WINDOWS\system32\drivers\SBREdrv.sys [101112 2012-05-25] (GFI Software)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [691696 2009-12-13] (Duplex Secure Ltd.)
3 taphss; C:\Windows\System32\DRIVERS\taphss.sys [33512 2012-04-06] (AnchorFree Inc)
3 xusb21; C:\Windows\System32\DRIVERS\xusb21.sys [61984 2009-11-24] (Microsoft Corporation)
4 Abiosdsk; [x]
4 abp480n5; [x]
4 adpu160m; [x]
4 Aha154x; [x]
4 aic78u2; [x]
4 aic78xx; [x]
3 Alerter; [x]
4 AliIde; [x]
4 amsint; [x]
4 asc; [x]
4 asc3350p; [x]
4 asc3550; [x]
4 Atdisk; [x]
4 cd20xrnt; [x]
1 Changer; [x]
4 cisvc; [x]
4 CmdIde; [x]
4 Cpqarray; [x]
4 dac2w2k; [x]
4 dac960nt; [x]
3 dgderdrv; C:\Windows\System32\drivers\dgderdrv.sys [x]
4 dpti2o; [x]
3 EagleNT; \??\C:\WINDOWS\system32\drivers\EagleNT.sys [x]
3 EagleXNt; \??\C:\WINDOWS\system32\drivers\EagleXNt.sys [x]
4 ERSvc; [x]
3 FastUserSwitchingCompatibility; [x]
3 GMSIPCI; \??\F:\INSTALL\GMSIPCI.SYS [x]
3 helpsvc; [x]
4 hpn; [x]
1 i2omgmt; [x]
4 i2omp; [x]
3 ImapiService; [x]
4 ini910u; [x]
4 IntelIde; [x]
3 KoneFltr; C:\Windows\System32\drivers\Kone.sys [x]
1 lbrtfdc; [x]
2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [x]
4 LMIRfsClientNP; [x]
4 Messenger; [x]
4 Micorsoft Windows Service; \??\C:\TMP\rsjinqaf.sys [x]
4 mnmsrvc; [x]
4 mraid35x; [x]
3 Nbdrv; C:\Windows\System32\DRIVERS\nbdrv.sys [x]
3 NTACCESS; \??\F:\NTACCESS.sys [x]
1 PCIDump; [x]
4 perc2; [x]
4 perc2hib; [x]
3 pgfilter; \??\C:\Program Files\PeerGuardian2\pgfilter.sys [x]
4 ql1080; [x]
4 Ql10wnt; [x]
4 ql12160; [x]
4 ql1240; [x]
4 ql1280; [x]
4 RDSessMgr; [x]
4 RemoteRegistry; [x]
1 SASDIFSV; \??\C:\TMP\SAS_SelfExtract\SASDIFSV.SYS [x]
1 SASKUTIL; \??\C:\TMP\SAS_SelfExtract\SASKUTIL.SYS [x]
4 SCardDrv; [x]
3 SetupNTGLM7X; \??\F:\NTGLM7X.sys [x]
4 Simbad; [x]
4 Sparrow; [x]
4 symc810; [x]
4 symc8xx; [x]
4 sym_hi; [x]
4 sym_u3; [x]
4 TermService; [x]
4 TosIde; [x]
4 ultra; [x]
4 uploadmgr; [x]
4 ViaIde; [x]
4 WmdmPmSp; [x]
3 XDva296; \??\C:\WINDOWS\system32\XDva296.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-11-17 18:59 - 2012-11-17 18:59 - 00000000 ____D C:\FRST
2012-11-15 09:32 - 2012-11-17 07:07 - 00007109 ____A C:\Windows\setupapi.log
2012-11-14 16:06 - 2012-11-17 11:32 - 00003823 ____A C:\Windows\WindowsUpdate.log
2012-11-14 15:10 - 2012-11-14 15:10 - 00000000 ____D C:\Program Files\ESET
2012-11-12 14:20 - 2012-11-12 14:20 - 00008286 ____A C:\Windows\System32\reset.log
2012-11-12 14:17 - 2004-06-11 19:33 - 00290304 ____A (Microsoft Corporation) C:\subinacl.exe
2012-11-12 14:02 - 2012-11-12 14:20 - 00181064 ____A (Sysinternals) C:\Windows\PSEXESVC.EXE
2012-11-12 14:01 - 2012-11-12 14:01 - 00000000 ____D C:\Program Files\Tweaking.com
2012-11-12 09:01 - 2012-11-12 09:01 - 00000000 ____D C:\Windows\erdnt
2012-11-12 09:00 - 2012-11-12 14:36 - 00000000 ___SD C:\32788R22FWJFW
2012-11-10 17:07 - 2012-11-17 08:27 - 00000316 ___AH C:\Windows\Tasks\avast! Emergency Update.job
2012-11-10 17:07 - 2012-10-30 17:51 - 00738504 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-11-10 17:07 - 2012-10-30 17:51 - 00361032 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-11-10 17:07 - 2012-10-30 17:51 - 00097608 ____A (AVAST Software) C:\Windows\System32\Drivers\aswmon2.sys
2012-11-10 17:07 - 2012-10-30 17:51 - 00089752 ____A (AVAST Software) C:\Windows\System32\Drivers\aswmon.sys
2012-11-10 17:07 - 2012-10-30 17:51 - 00054232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-11-10 17:07 - 2012-10-30 17:51 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-11-10 17:07 - 2012-10-30 17:51 - 00035928 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr.sys
2012-11-10 17:07 - 2012-10-30 17:51 - 00025256 ____A (AVAST Software) C:\Windows\System32\Drivers\aavmker4.sys
2012-11-10 17:07 - 2012-10-30 17:51 - 00021256 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-11-10 17:07 - 2012-10-30 17:50 - 00227648 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-11-10 17:06 - 2012-11-10 17:06 - 00000000 ____D C:\Program Files\AVAST Software
2012-11-10 15:33 - 2012-11-10 15:33 - 00001881 ____A C:\AdwCleaner[S1].txt
2012-11-10 11:34 - 2012-09-29 13:54 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-11-10 11:33 - 2012-11-10 12:17 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-11-10 07:27 - 2012-11-10 10:39 - 00000000 ____D C:\VIPRERESCUE
2012-11-10 07:27 - 2012-05-25 06:14 - 00101112 ____A (GFI Software) C:\Windows\System32\Drivers\SBREDrv.sys
2012-11-10 07:27 - 2012-05-25 06:14 - 00042864 ____A (GFI Software) C:\Windows\System32\sbbd.exe
2012-10-28 06:40 - 2012-11-02 13:16 - 00000000 ____D C:\Program Files\1812 - Serce Zimy
2012-10-27 06:02 - 2012-11-17 11:32 - 00012422 ____A C:\Windows\SchedLgU.Txt
2012-10-19 11:31 - 2012-10-19 17:11 - 00000000 ____D C:\Program Files\LogMeIn Hamachi

==================== One Month Modified Files and Folders ========

2012-11-17 18:59 - 2012-11-17 18:59 - 00000000 ____D C:\FRST
2012-11-17 11:32 - 2012-11-14 16:06 - 00003823 ____A C:\Windows\WindowsUpdate.log
2012-11-17 11:32 - 2012-10-27 06:02 - 00012422 ____A C:\Windows\SchedLgU.Txt
2012-11-17 11:32 - 2011-09-07 10:34 - 00000216 ____A C:\Windows\wiadebug.log
2012-11-17 11:32 - 2010-09-12 09:06 - 00196608 ____A C:\Windows\System32\config\TuneUp.evt
2012-11-17 11:32 - 2009-10-29 09:17 - 00458752 ____A C:\Windows\System32\config\ACEEvent.evt
2012-11-17 11:32 - 2009-10-29 07:44 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-17 11:29 - 2009-10-29 07:43 - 00000000 ____D C:\TMP
2012-11-17 08:27 - 2012-11-10 17:07 - 00000316 ___AH C:\Windows\Tasks\avast! Emergency Update.job
2012-11-17 07:07 - 2012-11-15 09:32 - 00007109 ____A C:\Windows\setupapi.log
2012-11-17 07:06 - 2011-09-07 10:34 - 00000050 ____A C:\Windows\wiaservc.log
2012-11-16 11:13 - 2008-04-15 07:00 - 00002206 ____A C:\Windows\System32\wpa.dbl
2012-11-16 10:20 - 2012-06-16 13:16 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2012-11-15 13:52 - 2009-10-30 08:17 - 00000000 ____D C:\Program Files\Mozilla Firefox
2012-11-15 10:28 - 2009-10-29 08:19 - 00000000 ____D C:\Program Files\Opera
2012-11-14 15:10 - 2012-11-14 15:10 - 00000000 ____D C:\Program Files\ESET
2012-11-14 14:44 - 2009-12-07 14:10 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy
2012-11-12 14:36 - 2012-11-12 09:00 - 00000000 ___SD C:\32788R22FWJFW
2012-11-12 14:32 - 2009-10-29 08:34 - 01230856 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-12 14:32 - 2008-04-15 07:00 - 00544586 ____A C:\Windows\System32\perfh015.dat
2012-11-12 14:32 - 2008-04-15 07:00 - 00102946 ____A C:\Windows\System32\perfc015.dat
2012-11-12 14:20 - 2012-11-12 14:20 - 00008286 ____A C:\Windows\System32\reset.log
2012-11-12 14:20 - 2012-11-12 14:02 - 00181064 ____A (Sysinternals) C:\Windows\PSEXESVC.EXE
2012-11-12 14:19 - 2009-10-29 07:43 - 00023392 ____A C:\Windows\System32\nscompat.tlb
2012-11-12 14:19 - 2009-10-29 07:43 - 00016832 ____A C:\Windows\System32\amcompat.tlb
2012-11-12 14:01 - 2012-11-12 14:01 - 00000000 ____D C:\Program Files\Tweaking.com
2012-11-12 09:01 - 2012-11-12 09:01 - 00000000 ____D C:\Windows\erdnt
2012-11-11 10:50 - 2010-06-05 10:46 - 00000000 ____D C:\Windows\1C4551A64743409391E41477CD655043.TMP
2012-11-10 17:57 - 2009-10-29 08:26 - 00000000 ____D C:\Windows\security
2012-11-10 17:07 - 2009-10-29 07:43 - 00002657 ____A C:\Windows\System32\CONFIG.NT
2012-11-10 17:06 - 2012-11-10 17:06 - 00000000 ____D C:\Program Files\AVAST Software
2012-11-10 15:33 - 2012-11-10 15:33 - 00001881 ____A C:\AdwCleaner[S1].txt
2012-11-10 14:34 - 2010-05-08 09:15 - 00000000 __HDC C:\Windows\$NtUninstallXPSEPSCLP$
2012-11-10 12:17 - 2012-11-10 11:33 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-11-10 12:08 - 2009-10-29 08:26 - 00000000 ____D C:\Windows\L2Schemas
2012-11-10 10:43 - 2009-10-29 10:28 - 00000000 ____D C:\Program Files\Hotspot Shield
2012-11-10 10:39 - 2012-11-10 07:27 - 00000000 ____D C:\VIPRERESCUE
2012-11-02 13:16 - 2012-10-28 06:40 - 00000000 ____D C:\Program Files\1812 - Serce Zimy
2012-10-30 17:51 - 2012-11-10 17:07 - 00738504 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-10-30 17:51 - 2012-11-10 17:07 - 00361032 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-10-30 17:51 - 2012-11-10 17:07 - 00097608 ____A (AVAST Software) C:\Windows\System32\Drivers\aswmon2.sys
2012-10-30 17:51 - 2012-11-10 17:07 - 00089752 ____A (AVAST Software) C:\Windows\System32\Drivers\aswmon.sys
2012-10-30 17:51 - 2012-11-10 17:07 - 00054232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-10-30 17:51 - 2012-11-10 17:07 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-10-30 17:51 - 2012-11-10 17:07 - 00035928 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr.sys
2012-10-30 17:51 - 2012-11-10 17:07 - 00025256 ____A (AVAST Software) C:\Windows\System32\Drivers\aavmker4.sys
2012-10-30 17:51 - 2012-11-10 17:07 - 00021256 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-10-30 17:50 - 2012-11-10 17:07 - 00227648 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-10-22 13:09 - 2012-02-07 12:42 - 00000000 ____D C:\Program Files\Battle for Wesnoth 1.10.0
2012-10-20 10:18 - 2009-11-06 16:12 - 00000000 ____D C:\Windows\System32\DirectX
2012-10-19 17:12 - 2009-10-29 07:41 - 00000000 ____D C:\Windows\Registration
2012-10-19 17:11 - 2012-10-19 11:31 - 00000000 ____D C:\Program Files\LogMeIn Hamachi
2012-10-19 17:11 - 2009-10-29 07:42 - 00000000 ____D C:\Windows\System32\Restore
2012-10-19 17:03 - 2009-10-29 08:33 - 00000000 ____D C:\D & S
2012-10-19 14:44 - 2009-10-29 08:26 - 00000000 ____D C:\Windows\java
2012-10-19 11:30 - 2012-10-14 08:36 - 00000000 ____D C:\Program Files\LogMeIn

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe
[2008-06-20 08:02] - [2008-06-20 08:02] - 2263040 ____A (Microsoft Corporation) 331f366a4b20c610a7eac4790f94467a

C:\Windows\System32\winlogon.exe
[2008-04-15 07:00] - [2008-04-15 07:00] - 0510464 ____A (Microsoft Corporation) 51fd2e13d723857b9ca239ae77150f48

C:\Windows\System32\svchost.exe
[2008-04-15 07:00] - [2008-04-15 07:00] - 0014336 ____A (Microsoft Corporation) 8607d35d92528e2df386f19a960d23ce

C:\Windows\System32\services.exe
[2008-04-15 07:00] - [2008-04-15 07:00] - 0109056 ____A (Microsoft Corporation) 3e3ae424e27c4cefe4cab368c7b570ea

C:\Windows\System32\User32.dll
[2008-04-15 07:00] - [2008-04-15 07:00] - 0580096 ____A (Microsoft Corporation) a435c5c069afd901751ac323ad238793

C:\Windows\System32\userinit.exe
[2008-04-15 07:00] - [2008-04-15 07:00] - 0026624 ____A (Microsoft Corporation) 2a5b37d520508be6570a3ea79695f5b5

C:\Windows\System32\Drivers\volsnap.sys
[2008-04-15 07:00] - [2008-04-15 07:00] - 0052864 ____A (Microsoft Corporation) 56b191ac5fc0df219949c95a6c87afe7

c:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points (XP) =====================

RP: -> 2012-11-16 14:57 - 024576 _restore{AB416992-93E4-4364-8477-580FDEE36B27}\RP378

RP: -> 2012-11-15 14:38 - 024576 _restore{AB416992-93E4-4364-8477-580FDEE36B27}\RP377

RP: -> 2012-11-14 14:30 - 024576 _restore{AB416992-93E4-4364-8477-580FDEE36B27}\RP376

RP: -> 2012-11-12 14:15 - 024576 _restore{AB416992-93E4-4364-8477-580FDEE36B27}\RP375

RP: -> 2012-11-10 17:06 - 024576 _restore{AB416992-93E4-4364-8477-580FDEE36B27}\RP374

RP: -> 2012-11-09 09:34 - 024576 _restore{AB416992-93E4-4364-8477-580FDEE36B27}\RP371

RP: -> 2012-11-06 09:48 - 024576 _restore{AB416992-93E4-4364-8477-580FDEE36B27}\RP370

RP: -> 2012-11-01 08:04 - 024576 _restore{AB416992-93E4-4364-8477-580FDEE36B27}\RP369

RP: -> 2012-10-28 15:18 - 024576 _restore{AB416992-93E4-4364-8477-580FDEE36B27}\RP368

RP: -> 2012-10-27 06:53 - 024576 _restore{AB416992-93E4-4364-8477-580FDEE36B27}\RP367


==================== Memory info ===========================

Percentage of memory in use: 12%
Total physical RAM: 2047.36 MB
Available physical RAM: 1798.31 MB
Total Pagefile: 1878.03 MB
Available Pagefile: 1818.66 MB
Total Virtual: 2047.88 MB
Available Virtual: 2002.18 MB

==================== Partitions =============================

1 Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
2 Drive c: () (Fixed) (Total:48.83 GB) (Free:4.9 GB) NTFS ==>[Drive with boot components (Windows XP)]
3 Drive d: () (Fixed) (Total:48.83 GB) (Free:7.48 GB) NTFS
4 Drive e: () (Fixed) (Total:135.22 GB) (Free:3.28 GB) NTFS
5 Drive f: (UDISK) (Removable) (Total:1.87 GB) (Free:0.62 GB) FAT
6 Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 49 GB 32 KB
Partition 2 Extended 184 GB 49 GB
Partition 3 Logical 49 GB 49 GB
Partition 4 Logical 135 GB 98 GB
=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 49 GB Healthy
=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D NTFS Partition 49 GB Healthy
=========================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E NTFS Partition 135 GB Healthy
=========================================================
==================== End Of Log ============================


Farbar Recovery Scan Tool (x86) Version: 12-11-2012
Ran by SYSTEM at 2012-11-17 19:01:17
Running from F:\

================== Search: "services.exe" ===================

C:\WINDOWS\system32\services.exe
[2008-04-15 07:00] - [2008-04-15 07:00] - 0109056 ____A (Microsoft Corporation) 3e3ae424e27c4cefe4cab368c7b570ea

=== End Of Search ===
 
FRST Fixlist

Please run the following:

Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flashdrive as fixlist.txt.

start
4 Micorsoft Windows Service; \??\C:\TMP\rsjinqaf.sys [x]
c:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now, please enter OTLPE like before...

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.
 
Well, Windows boots as usual. Here are the contents of the Fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 12-11-2012
Ran by SYSTEM at 2012-11-19 16:08:14 Run:1
Running from F:\

==============================================

Micorsoft Windows Service service deleted successfully.
c:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!. not found.

==== End of Fixlog ====
 
I'm talking with a couple of people about this line in your logs: c:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.

Give me a bit of time to chat with them about it. I should be back with a fix in the next couple days.
 
Hi again. Back to Normal Mode now, and let's do the following, please:

We need to first disable CD emulators and other related burning programs. To disable CD Emulation programs using DeFogger, please perform these steps:
  • Please download DeFogger to your desktop.
  • Once downloaded, double-click on the DeFogger icon to start the tool.
  • The application window will now appear. You should now click on the Disable button to disable your CD Emulation drivers.
  • When it prompts you whether or not you want to continue, please click on the Yes button to continue.
  • When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  • If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.


Malwarebytes' Anti-Rootkit

Please download Malwarebytes' Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.
 
It didn't exactly work. I will include the logs so you will see what it found. But after removing them and rebooting, another scan showed exactly the same results. I ran the scan three times overall, but that didn't remove them. Also, I still can't enable the Windows firewall, even after running fixdamage. Here are both logs:

Malwarebytes Anti-Rootkit 1.1.0.1009
www.malwarebytes.org

Database version: v2012.11.20.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Prezes :: KOMP [administrator]

2012-11-20 19:23:40
mbar-log-2012-11-20 (19-23-40).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: PUP | PUM | P2P
Objects scanned: 26400
Time elapsed: 7 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> Delete on reboot. [156c8b2eea7300362f6fde96ef137d83]
HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) -> Delete on reboot. [b9c8e5d4b4a915216d30da9a37cb54ac]

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|ANTIVIRUSDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot. [95ec8f2aa7b678be3f54b0740afa6e92]
HKLM\SOFTWARE\Microsoft\Security Center|FIREWALLDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot. [0b76fbbe3a23f73fdfb579ab976d46ba]
HKLM\SOFTWARE\Microsoft\Security Center|UPDATESDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot. [4f3213a6e57859dd385d0f15c93bb64a]

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 7.0.5730.13

Java version: 1.6.0_24

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 2.099000 GHz
Memory total: 2146807808, free: 1581289472

------------ Kernel report ------------
11/20/2012 19:16:13
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
atapi.sys
nvgts5.sys
\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
nvata.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltMgr.sys
sr.sys
PxHelp20.sys
KSecDD.sys
WudfPf.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\system32\DRIVERS\AmdK8.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\irsir.sys
\SystemRoot\system32\DRIVERS\irenum.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\nvnetbus.sys
\SystemRoot\system32\DRIVERS\NVNRM.SYS
\SystemRoot\system32\DRIVERS\ati2mtag.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\lmimirr.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\HssDrv.sys
\SystemRoot\system32\DRIVERS\rasirda.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\tapvpn.sys
\SystemRoot\system32\DRIVERS\taphss.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\drivers\AtihdXP3.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\RtkHDAud.sys
\SystemRoot\system32\DRIVERS\NVENETFD.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\??\C:\WINDOWS\system32\drivers\SBREdrv.sys
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\System32\Drivers\aswSnx.SYS
\SystemRoot\System32\Drivers\Aavmker4.SYS
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_nvata.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ati2dvag.dll
\SystemRoot\System32\ati2cqag.dll
\SystemRoot\System32\atikvmag.dll
\SystemRoot\System32\atiok3x2.dll
\SystemRoot\System32\ati3duag.dll
\SystemRoot\System32\ativvaxx.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\irda.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\system32\DRIVERS\atksgt.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\lirsgt.sys
\??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
\SystemRoot\system32\DRIVERS\srv.sys
\??\C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys
\??\C:\TMP\rsjinqaf.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff89d1eab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000007d\
Lower Device Object: 0xffffffff89d1e030
Lower Device Driver Name: \Driver\nvata\
Driver name found: nvata
DriverEntry returned 0x0
Function returned 0x0
Initializing...
Done!
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff89d1eab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff89d43ce8, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff89d1eab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff89d9a1e0, DeviceName: \Device\0000007e\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff89d1e030, DeviceName: \Device\0000007d\, DriverName: \Driver\nvata\
------------ End ----------
Upper DeviceData: 0xffffffffe40ca980, 0xffffffff89d1eab8, 0xffffffff8839e8d8
Lower DeviceData: 0xffffffffe3eb19f0, 0xffffffff89d1e030, 0xffffffff883adf18
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: DD95DD95

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 102398247
Partition file system is NTFS
Partition is bootable

Partition 1 type is Extended with LBA (0xf)
Partition is NOT ACTIVE.
Partition starts at LBA: 102398310 Numsec = 385977690

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 250059350016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-488377168-488397168)...
Done!
Performing system, memory and registry scan...
Infected: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE --> [Trojan.Agent]
Infected: HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service --> [Trojan.Agent]
Infected: HKLM\SOFTWARE\Microsoft\Security Center|ANTIVIRUSDISABLENOTIFY --> [PUM.Disabled.SecurityCenter]
Infected: HKLM\SOFTWARE\Microsoft\Security Center|FIREWALLDISABLENOTIFY --> [PUM.Disabled.SecurityCenter]
Infected: HKLM\SOFTWARE\Microsoft\Security Center|UPDATESDISABLENOTIFY --> [PUM.Disabled.SecurityCenter]
Done!
Scan finished
Creating System Restore point...
Scheduling clean up...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Removal scheduling successful. System shutdown needed.
System shutdown occured
=======================================
 
GMER

Note about this tool:
  • This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
  • This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
  • No matter what is in the log, please post all the information/contents of the log.
  • These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT"

Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
 
The scan took quite some time, although I only had my main partition checked (C:/). I assumed that would be enough. If not, I only need a wave of your hand and I will be off scanning stuff. Anyway, here is the scan:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-11-22 21:46:18
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\0000007e WDC_WD2500AAJS-00VTA0 rev.01.01B01
Running: gmer.exe; Driver: C:\TMP\pxtdqpoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\TMP\rsjinqaf.sys ZwCreateKey [0xF77A16AC]
SSDT \??\C:\TMP\rsjinqaf.sys ZwOpenKey [0xF77A1562]

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A648C 4 Bytes CALL AEF85A77 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6786000, 0x1E2E6E, 0xE8000020]
.text win32k.sys!EngFreeUserMem + 674 BF809FDF 5 Bytes JMP AEF89B4C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFreeUserMem + 3625 BF80CF90 5 Bytes JMP AEF89A3C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSurface + 45 BF8138FE 5 Bytes JMP AEF899F6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 320C BF81E743 5 Bytes JMP AEF88688 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMulDiv + 199A BF820E6C 5 Bytes JMP AEF890A8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngSetLastError + 7657 BF82868B 5 Bytes JMP AEF887C4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + 698 BF838560 5 Bytes JMP AEF89CB6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + BB6 BF838A7E 5 Bytes JMP AEF898FC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + 3605 BF83B4CD 5 Bytes JMP AEF89EBE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + D9AB BF845873 5 Bytes JMP AEF88834 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + 113C6 BF84928E 5 Bytes JMP AEF89090 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMultiByteToWideChar + 2E60 BF852720 5 Bytes JMP AEF8916A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMultiByteToWideChar + 2F20 BF8527E0 5 Bytes JMP AEF88670 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMultiByteToWideChar + 84B4 BF857D74 5 Bytes JMP AEF89E1C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 23AD BF873983 5 Bytes JMP AEF89BFE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBlt + 37BB BF87882D 5 Bytes JMP AEF89A86 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 3617 BF88FFB6 5 Bytes JMP AEF88CDE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 413A BF890AD9 5 Bytes JMP AEF88E9E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetLastError + 1606 BF8ADD61 5 Bytes JMP AEF89182 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 4B52 BF8B3770 5 Bytes JMP AEF88C1E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 4BDD BF8B37FB 5 Bytes JMP AEF88EE4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngAlphaBlend + 9286 BF8C31E7 5 Bytes JMP AEF88944 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bCloseFigure + 19CE BF8ED991 5 Bytes JMP AEF8856A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bCloseFigure + 9006 BF8F4FC9 5 Bytes JMP AEF890C0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bCloseFigure + D4C6 BF8F9489 5 Bytes JMP AEF88A1C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bCloseFigure + D746 BF8F9709 5 Bytes JMP AEF88B48 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 1994 BF912612 5 Bytes JMP AEF88760 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 2568 BF9131E6 5 Bytes JMP AEF888F0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 4F29 BF915BA7 5 Bytes JMP AEF88FFE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 1931 BF9438F8 5 Bytes JMP AEF89D74 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xABDCD300, 0x3B6D8, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xF7847300, 0x1BEE, 0xE8000020]
? C:\TMP\rsjinqaf.sys Nie można odnaleźć określonego pliku. !


_______________________________________________ I hit the max char.
 
---- User code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\services.exe[752] time/date stamp mismatch; unknown module: NTDSAPI.dllunknown module: NCObjAPI.DLLunknown module: SCESRV.dllunknown module: umpnpmgr.dll
.text C:\WINDOWS\system32\services.exe[752] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
.text C:\WINDOWS\system32\services.exe[752] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2017AD3C
.text C:\WINDOWS\system32\services.exe[752] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 201877D4
.text C:\WINDOWS\system32\services.exe[752] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2018165E
.text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!sendto 71A52F51 5 Bytes JMP 2018251E
.text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!recvfrom 71A52FF7 5 Bytes JMP 20182848
.text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 20182B61
.text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!send 71A54C27 5 Bytes JMP 201824D0
.text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 201829A5
.text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!recv 71A5676F 5 Bytes JMP 201827D9
.text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 201828BD
.text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!WSARecvFrom 71A5F66A 5 Bytes JMP 20182A80
.text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!WSASendTo 71A60AAD 5 Bytes JMP 2018292E
.text C:\WINDOWS\system32\lsass.exe[764] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
.text C:\WINDOWS\system32\lsass.exe[764] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2017AD3C
.text C:\WINDOWS\system32\lsass.exe[764] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 201877D4
.text C:\WINDOWS\system32\lsass.exe[764] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2018165E
.text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!sendto 71A52F51 5 Bytes JMP 2018251E
.text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!recvfrom 71A52FF7 5 Bytes JMP 20182848
.text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 20182B61
.text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!send 71A54C27 5 Bytes JMP 201824D0
.text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 201829A5
.text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!recv 71A5676F 5 Bytes JMP 201827D9
.text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 201828BD
.text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!WSARecvFrom 71A5F66A 5 Bytes JMP 20182A80
.text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!WSASendTo 71A60AAD 5 Bytes JMP 2018292E
.text C:\WINDOWS\system32\Ati2evxx.exe[912] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
.text C:\WINDOWS\system32\Ati2evxx.exe[912] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2017AD3C
.text C:\WINDOWS\system32\Ati2evxx.exe[912] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 201877D4
.text C:\WINDOWS\system32\Ati2evxx.exe[912] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2018165E
? C:\WINDOWS\system32\svchost.exe[932] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2017AD3C
.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 201877D4
.text C:\WINDOWS\system32\svchost.exe[932] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2018165E
.text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!sendto 71A52F51 5 Bytes JMP 2018251E
.text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!recvfrom 71A52FF7 5 Bytes JMP 20182848
.text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 20182B61
.text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!send 71A54C27 5 Bytes JMP 201824D0
.text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 201829A5
.text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!recv 71A5676F 5 Bytes JMP 201827D9
.text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 201828BD
.text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!WSARecvFrom 71A5F66A 5 Bytes JMP 20182A80
.text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!WSASendTo 71A60AAD 5 Bytes JMP 2018292E
? C:\WINDOWS\system32\svchost.exe[984] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
.text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2017AD3C
.text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 201877D4
.text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2018165E
.text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!sendto 71A52F51 5 Bytes JMP 2018251E
.text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!recvfrom 71A52FF7 5 Bytes JMP 20182848
.text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 20182B61
.text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!send 71A54C27 5 Bytes JMP 201824D0
.text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 201829A5
.text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!recv 71A5676F 5 Bytes JMP 201827D9
.text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 201828BD
.text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!WSARecvFrom 71A5F66A 5 Bytes JMP 20182A80
.text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!WSASendTo 71A60AAD 5 Bytes JMP 2018292E
? C:\WINDOWS\System32\svchost.exe[1080] time/date stamp mismatch;
.text C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20027958
.text C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2001AD3C
.text C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 200277D4
.text C:\WINDOWS\System32\svchost.exe[1080] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2002165E
? C:\WINDOWS\System32\svchost.exe[1116] time/date stamp mismatch;
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2017AD3C
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 201877D4
.text C:\WINDOWS\System32\svchost.exe[1116] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2018165E
.text C:\WINDOWS\System32\svchost.exe[1116] WS2_32.dll!sendto 71A52F51 5 Bytes JMP 2018251E
.text C:\WINDOWS\System32\svchost.exe[1116] WS2_32.dll!recvfrom 71A52FF7 5 Bytes JMP 20182848
.text C:\WINDOWS\System32\svchost.exe[1116] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 20182B61
.text C:\WINDOWS\System32\svchost.exe[1116] WS2_32.dll!send 71A54C27 5 Bytes JMP 201824D0
.text C:\WINDOWS\System32\svchost.exe[1116] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 201829A5
.text C:\WINDOWS\System32\svchost.exe[1116] WS2_32.dll!recv 71A5676F 5 Bytes JMP 201827D9
.text C:\WINDOWS\System32\svchost.exe[1116] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 201828BD
.text C:\WINDOWS\System32\svchost.exe[1116] WS2_32.dll!WSARecvFrom 71A5F66A 5 Bytes JMP 20182A80
.text C:\WINDOWS\System32\svchost.exe[1116] WS2_32.dll!WSASendTo 71A60AAD 5 Bytes JMP 2018292E
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetCloseHandle 771BE85D 5 Bytes JMP 20184052
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!HttpOpenRequestA 771C160A 5 Bytes JMP 20184482
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!HttpOpenRequestW 771C2F0F 5 Bytes JMP 201844AF
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetReadFile 771C5BAA 5 Bytes JMP 201843C7
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!HttpSendRequestA 771C7519 5 Bytes JMP 20183859
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 201844DC
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetQueryDataAvailable 771D14D7 5 Bytes JMP 201840A8
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!HttpSendRequestExW 771D2676 5 Bytes JMP 20183703
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetWriteFile 771D27A3 5 Bytes JMP 2018391B
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!HttpSendRequestW 771DDB8E 5 Bytes JMP 201838BA
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetReadFileExW 771E26AD 5 Bytes JMP 201842AC
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetReadFileExA 771E26E5 5 Bytes JMP 20184205
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 20184503
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!HttpSendRequestExA 77228EA6 5 Bytes JMP 201837AE
? C:\WINDOWS\system32\svchost.exe[1160] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
.text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2017AD3C
.text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 201877D4
.text C:\WINDOWS\system32\svchost.exe[1160] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2018165E
.text C:\Program Files\Java\jre6\bin\jqs.exe[1224] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20027958
.text C:\Program Files\Java\jre6\bin\jqs.exe[1224] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2001AD3C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1224] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 200277D4
.text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!sendto 71A52F51 5 Bytes JMP 2002251E
.text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!recvfrom 71A52FF7 5 Bytes JMP 20022848
.text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 20022B61
.text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!send 71A54C27 5 Bytes JMP 200224D0
.text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 200229A5
.text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!recv 71A5676F 5 Bytes JMP 200227D9
.text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 200228BD
.text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!WSARecvFrom 71A5F66A 5 Bytes JMP 20022A80
.text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!WSASendTo 71A60AAD 5 Bytes JMP 2002292E
.text C:\Program Files\Java\jre6\bin\jqs.exe[1224] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2002165E
? C:\WINDOWS\system32\svchost.exe[1284] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1284] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
.text C:\WINDOWS\system32\svchost.exe[1284] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2017AD3C
.text C:\WINDOWS\system32\svchost.exe[1284] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 201877D4
.text C:\WINDOWS\system32\svchost.exe[1284] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2018165E
.text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!sendto 71A52F51 5 Bytes JMP 2018251E
.text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!recvfrom 71A52FF7 5 Bytes JMP 20182848
.text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 20182B61
.text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!send 71A54C27 5 Bytes JMP 201824D0
.text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 201829A5
.text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!recv 71A5676F 5 Bytes JMP 201827D9
.text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 201828BD
.text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!WSARecvFrom 71A5F66A 5 Bytes JMP 20182A80
.text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!WSASendTo 71A60AAD 5 Bytes JMP 2018292E
.text C:\WINDOWS\system32\Ati2evxx.exe[1376] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
.text C:\WINDOWS\system32\Ati2evxx.exe[1376] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2017AD3C
.text C:\WINDOWS\system32\Ati2evxx.exe[1376] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 201877D4
.text C:\WINDOWS\system32\Ati2evxx.exe[1376] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2018165E
.text C:\D & S\Prezes\Pulpit\gmer.exe[1404] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20027958
.text C:\D & S\Prezes\Pulpit\gmer.exe[1404] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2001AD3C
.text C:\D & S\Prezes\Pulpit\gmer.exe[1404] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 200277D4
.text C:\D & S\Prezes\Pulpit\gmer.exe[1404] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2002165E
? C:\WINDOWS\Explorer.EXE[1732] time/date stamp mismatch; unknown module: WINMM.dllunknown module: SETUPAPI.dllunknown module: WINSTA.dllunknown module: OLEACC.dllunknown module: BROWSEUI.dllunknown module: OLEAUT32.dllunknown module: SHDOCVW.dllunknown module: UxTheme.dll
.text C:\WINDOWS\Explorer.EXE[1732] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
.text C:\WINDOWS\Explorer.EXE[1732] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2017AD3C
.text C:\WINDOWS\Explorer.EXE[1732] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 201877D4
.text C:\WINDOWS\Explorer.EXE[1732] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2018165E
.text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!InternetCloseHandle 771BE85D 5 Bytes JMP 20184052
.text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!HttpOpenRequestA 771C160A 5 Bytes JMP 20184482
.text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!HttpOpenRequestW 771C2F0F 5 Bytes JMP 201844AF
.text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!InternetReadFile 771C5BAA 5 Bytes JMP 201843C7
.text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!HttpSendRequestA 771C7519 5 Bytes JMP 20183859
.text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 201844DC
.text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!InternetQueryDataAvailable 771D14D7 5 Bytes JMP 201840A8
.text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!HttpSendRequestExW 771D2676 5 Bytes JMP 20183703
.text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!InternetWriteFile 771D27A3 5 Bytes JMP 2018391B
.text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!HttpSendRequestW 771DDB8E 5 Bytes JMP 201838BA
.text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!InternetReadFileExW 771E26AD 5 Bytes JMP 201842AC
.text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!InternetReadFileExA 771E26E5 5 Bytes JMP 20184205
.text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 20184503
.text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!HttpSendRequestExA 77228EA6 5 Bytes JMP 201837AE
.text C:\WINDOWS\system32\svchost.exe[1744] ntdll.dll!NtCreateThread 7C90D190 5 Bytes JMP 20151610
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!ReleaseDC 7E36869D 5 Bytes JMP 201568E0
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!GetDC 7E3686C7 5 Bytes JMP 20156860
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!GetWindowDC 7E369021 5 Bytes JMP 201568A0
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!GetMessageW 7E3691C6 5 Bytes JMP 20156050
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!PeekMessageW 7E36929B 5 Bytes JMP 20156110
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!GetCapture 7E3694DA 5 Bytes JMP 20155FF0
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!RegisterClassW 7E36A39A 5 Bytes JMP 20157DF0
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!RegisterClassExW 7E36AF7F 5 Bytes JMP 20157EB0
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!OpenInputDesktop 7E36ECA3 5 Bytes JMP 20157A80
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!SwitchDesktop 7E36FE6E 5 Bytes JMP 20157B00
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!DefDlgProcW 7E373D3A 5 Bytes JMP 20157BA0
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!GetMessageA 7E37772B 5 Bytes JMP 201560B0
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!RegisterClassExA 7E377C39 5 Bytes JMP 20157F10
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!DefWindowProcW 7E378D20 5 Bytes JMP 20157B20
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!BeginPaint 7E378FE9 5 Bytes JMP 20156750
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!EndPaint 7E378FFD 5 Bytes JMP 201567C0
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!GetCursorPos 7E37974E 5 Bytes JMP 20155DA0
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!GetMessagePos 7E37996C 5 Bytes JMP 20155D70
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!CallWindowProcW 7E37A01E 5 Bytes JMP 20157D20
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!PeekMessageA 7E37A340 5 Bytes JMP 20156170
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!GetUpdateRect 7E37A8C9 5 Bytes JMP 20156920
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!CallWindowProcA 7E37A97D 5 Bytes JMP 20157D60
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!DefWindowProcA 7E37C17E 5 Bytes JMP 20157B60
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!SetCapture 7E37C35E 5 Bytes JMP 20155E30
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!ReleaseCapture 7E37C37A 5 Bytes JMP 20155F40
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!GetDCEx 7E37C595 5 Bytes JMP 20156800
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!RegisterClassA 7E37EA5E 5 Bytes JMP 20157E50
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!GetUpdateRgn 7E37F5EC 5 Bytes JMP 201569C0
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!DefFrameProcW 7E380833 5 Bytes JMP 20157C20
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!DefMDIChildProcW 7E380A47 5 Bytes JMP 20157CA0
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!DefDlgProcA 7E38E577 5 Bytes JMP 20157BE0
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!DefFrameProcA 7E39F965 5 Bytes JMP 20157C60
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!DefMDIChildProcA 7E39F9B4 5 Bytes JMP 20157CE0
.text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!SetCursorPos 7E3A61B3 5 Bytes JMP 20155DF0
? C:\WINDOWS\system32\svchost.exe[1776] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1776] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20187958
.text C:\WINDOWS\system32\svchost.exe[1776] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2017AD3C
.text C:\WINDOWS\system32\svchost.exe[1776] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 201877D4
.text C:\WINDOWS\system32\svchost.exe[1776] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2018165E
.text C:\WINDOWS\system32\svchost.exe[1776] ws2_32.dll!sendto 71A52F51 5 Bytes JMP 2018251E
.text C:\WINDOWS\system32\svchost.exe[1776] ws2_32.dll!recvfrom 71A52FF7 5 Bytes JMP 20182848
.text C:\WINDOWS\system32\svchost.exe[1776] ws2_32.dll!closesocket 71A53E2B 5 Bytes JMP 20182B61
.text C:\WINDOWS\system32\svchost.exe[1776] ws2_32.dll!send 71A54C27 5 Bytes JMP 201824D0
.text C:\WINDOWS\system32\svchost.exe[1776] ws2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 201829A5
.text C:\WINDOWS\system32\svchost.exe[1776] ws2_32.dll!recv 71A5676F 5 Bytes JMP 201827D9
.text C:\WINDOWS\system32\svchost.exe[1776] ws2_32.dll!WSASend 71A568FA 5 Bytes JMP 201828BD
.text C:\WINDOWS\system32\svchost.exe[1776] ws2_32.dll!WSARecvFrom 71A5F66A 5 Bytes JMP 20182A80
.text C:\WINDOWS\system32\svchost.exe[1776] ws2_32.dll!WSASendTo 71A60AAD 5 Bytes JMP 2018292E
.text C:\WINDOWS\RTHDCPL.EXE[2056] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20027958
.text C:\WINDOWS\RTHDCPL.EXE[2056] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2001AD3C
.text C:\WINDOWS\RTHDCPL.EXE[2056] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 200277D4
.text C:\WINDOWS\RTHDCPL.EXE[2056] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2002165E
? C:\WINDOWS\system32\svchost.exe[2212] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[2212] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20027958
.text C:\WINDOWS\system32\svchost.exe[2212] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2001AD3C
.text C:\WINDOWS\system32\svchost.exe[2212] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 200277D4
.text C:\WINDOWS\system32\svchost.exe[2212] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2002165E
.text C:\WINDOWS\system32\svchost.exe[2212] WS2_32.dll!sendto 71A52F51 5 Bytes JMP 2002251E
.text C:\WINDOWS\system32\svchost.exe[2212] WS2_32.dll!recvfrom 71A52FF7 5 Bytes JMP 20022848
.text C:\WINDOWS\system32\svchost.exe[2212] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 20022B61
.text C:\WINDOWS\system32\svchost.exe[2212] WS2_32.dll!send 71A54C27 5 Bytes JMP 200224D0
.text C:\WINDOWS\system32\svchost.exe[2212] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 200229A5
.text C:\WINDOWS\system32\svchost.exe[2212] WS2_32.dll!recv 71A5676F 5 Bytes JMP 200227D9
.text C:\WINDOWS\system32\svchost.exe[2212] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 200228BD
.text C:\WINDOWS\system32\svchost.exe[2212] WS2_32.dll!WSARecvFrom 71A5F66A 5 Bytes JMP 20022A80
.text C:\WINDOWS\system32\svchost.exe[2212] WS2_32.dll!WSASendTo 71A60AAD 5 Bytes JMP 2002292E
? C:\WINDOWS\system32\svchost.exe[2312] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[2312] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20027958
.text C:\WINDOWS\system32\svchost.exe[2312] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2001AD3C
.text C:\WINDOWS\system32\svchost.exe[2312] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 200277D4
.text C:\WINDOWS\system32\svchost.exe[2312] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2002165E
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2416] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20067958
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2416] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2005AD3C
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2416] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 200677D4
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2416] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2006165E
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20027958
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2001AD3C
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 200277D4
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2002165E
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] WS2_32.dll!sendto 71A52F51 5 Bytes JMP 2002251E
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] WS2_32.dll!recvfrom 71A52FF7 5 Bytes JMP 20022848
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 20022B61
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] WS2_32.dll!send 71A54C27 5 Bytes JMP 200224D0
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 200229A5
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] WS2_32.dll!recv 71A5676F 5 Bytes JMP 200227D9
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 200228BD
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] WS2_32.dll!WSARecvFrom 71A5F66A 5 Bytes JMP 20022A80
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2560] WS2_32.dll!WSASendTo 71A60AAD 5 Bytes JMP 2002292E
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 20027958
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 2001AD3C
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 200277D4
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 2002165E
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ws2_32.dll!sendto 71A52F51 5 Bytes JMP 2002251E
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ws2_32.dll!recvfrom 71A52FF7 5 Bytes JMP 20022848
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ws2_32.dll!closesocket 71A53E2B 5 Bytes JMP 20022B61
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ws2_32.dll!send 71A54C27 5 Bytes JMP 200224D0
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ws2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 200229A5
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ws2_32.dll!recv 71A5676F 5 Bytes JMP 200227D9
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ws2_32.dll!WSASend 71A568FA 5 Bytes JMP 200228BD
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ws2_32.dll!WSARecvFrom 71A5F66A 5 Bytes JMP 20022A80
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3480] ws2_32.dll!WSASendTo 71A60AAD 5 Bytes JMP 2002292E

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x07 0xAE 0xEE 0xBF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x93 0x7C 0x54 0x16 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x73 0x30 0xA0 0x55 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x23 0x8D 0x5C 0xEC ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x07 0xAE 0xEE 0xBF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x93 0x7C 0x54 0x16 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x73 0x30 0xA0 0x55 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x23 0x8D 0x5C 0xEC ...

---- Files - GMER 1.0.15 ----

File C:\D & S\Prezes\Menu Start\Programy\Autostart\gvgaehbg.exe 101304 bytes executable
File C:\D & S\Prezes\Ustawienia lokalne\Dane aplikacji\cbqlaqxc 0 bytes
File C:\D & S\Prezes\Ustawienia lokalne\Dane aplikacji\cbqlaqxc\gvgaehbg.exe 101304 bytes executable
File C:\TMP\gvgaehbg.exe 101304 bytes executable

---- EOF - GMER 1.0.15 ----
 
Download BlitzBlank and save it to your desktop.

  • Double-click BlitzBlank.exe to run it.
  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  • Click the Script tab and copy/paste the following text there:
DeleteFile:
C:\TMP\rsjinqaf.sys
C:\TMP\gvgaehbg.exe
C:\D & S\Prezes\Ustawienia lokalne\Dane aplikacji\cbqlaqxc
C:\D & S\Prezes\Menu Start\Programy\Autostart\gvgaehbg.exe
  • Click Execute Now. Your computer will need to reboot in order to kill the files.
  • When done, post me the report created by BlitzBlank. You can find it at the root of the drive, normally C:\
 
I'm getting a syntax error: 'Syntax error in line 2, Invalid file path.' In the TMP folder there was a suspicious-looking xbeujjdm file though.
 
  • Double-click BlitzBlank.exe to run it.
  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  • Click the Script tab and copy/paste the following text there:
DeleteFile:
C:\TMP\rsjinqaf.sys
C:\TMP\gvgaehbg.exe
C:\D & S\Prezes\Menu Start\Programy\Autostart\gvgaehbg.exe

DeleteFolder:
C:\D & S\Prezes\Ustawienia lokalne\Dane aplikacji\cbqlaqxc
  • Click Execute Now. Your computer will need to reboot in order to kill the files.
  • When done, post me the report created by BlitzBlank. You can find it at the root of the drive, normally C:\
 
Please open Malwarebytes' Anti-Malware and click the More Tools tab. Under FileASSASSIN, click Run Tool.

For each file listed below (this process only handles one file at a time), find its location; you will see the name of the file in the Filename box. Then click Open.

Files to delete using FileASSASSIN:
C:\TMP\rsjinqaf.sys
C:\TMP\gvgaehbg.exe
C:\D & S\Prezes\Menu Start\Programy\Autostart\gvgaehbg.exe


The FileASSASSIN will then delete the file, or ask you to reboot your computer in order to delete it. Please allow it to reboot, if necessary.

Run Malwarebytes' Anti-Rootkit again and post a log please.
 
I couldn't find the mentioned files with FA. None of them. I've run the scan though:

Malwarebytes Anti-Rootkit 1.1.0.1009
www.malwarebytes.org

Database version: v2012.11.25.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Prezes :: KOMP [administrator]

2012-11-25 22:00:21
mbar-log-2012-11-25 (22-00-21).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: PUP | PUM | P2P
Objects scanned: 26355
Time elapsed: 4 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> Delete on reboot. [562bc5f414493bfb413c1a5df909b050]
HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) -> Delete on reboot. [ed940dac62fb0c2a1f5d067138ca857b]

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|ANTIVIRUSDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot. [077a3188c39a999d03f454d4eb19c739]
HKLM\SOFTWARE\Microsoft\Security Center|FIREWALLDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot. [463bdfda5c01221464947cac8c780ff1]
HKLM\SOFTWARE\Microsoft\Security Center|UPDATESDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot. [7b068f2a75e872c433c664c4719356aa]

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
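A small parser for the MBAR log layout posted above, added here as an example (it is not part of the thread or of Malwarebytes' tooling): it checks that each "Detected" section lists as many entries as it declares, and pulls out the Security Center notification values the scan flagged as switched off (Bad/Good differing). The sample log is constructed to mirror the format above; the bracketed ids are placeholders, not real detection ids.

```python
import re

# Constructed excerpt in the MBAR log layout seen in the thread; the
# bracketed ids are placeholders standing in for the real detection ids.
SAMPLE_LOG = """\
Registry Keys Detected: 2
HKLM\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> Delete on reboot. [ID-PLACEHOLDER-1]
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Micorsoft Windows Service (Trojan.Agent) -> Delete on reboot. [ID-PLACEHOLDER-2]

Registry Data Items Detected: 2
HKLM\\SOFTWARE\\Microsoft\\Security Center|ANTIVIRUSDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot. [ID-PLACEHOLDER-3]
HKLM\\SOFTWARE\\Microsoft\\Security Center|FIREWALLDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot. [ID-PLACEHOLDER-4]

Files Detected: 0
(No malicious items detected)
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<path> (<threat>) -> [Bad: (x) Good: (y) -> ]<action>. [<id>]"
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>[^.]+)\. \[(?P<id>[^\]]+)\]$"
)


def parse_log(text):
    """Return {section: [entry dicts]}; raise if a declared count disagrees with the entries."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := SECTION_RE.match(line)):
            current = m["section"]
            sections[current] = {"declared": int(m["count"]), "entries": []}
        elif current and (m := ENTRY_RE.match(line)):
            sections[current]["entries"].append(m.groupdict())
    for name, sec in sections.items():
        if sec["declared"] != len(sec["entries"]):
            raise ValueError(f"{name}: declared {sec['declared']}, parsed {len(sec['entries'])}")
    return {name: sec["entries"] for name, sec in sections.items()}


def security_center_tampering(sections):
    """Names of Security Center notification values the scan found switched off."""
    return sorted(
        e["path"].split("|", 1)[1]
        for e in sections.get("Registry Data Items", [])
        if "Security Center|" in e["path"] and e["bad"] != e["good"]
    )
```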
 