Am I Infected?


antech

I am currently, and suddenly, experiencing a slowdown on my Acer Aspire 5100.
See my specs for additional info.

HJT LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:58:37 PM, on 4/30/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\NetWorx\networx.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\taskmgr.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
E:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL
O3 - Toolbar: &NetWorx Desk Band - {FEEA54B4-D80F-41C7-87B9-DC08E6D3255F} - C:\PROGRA~1\NetWorx\deskband.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NetWorx] "C:\Program Files\NetWorx\networx.exe" /auto
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~4\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O13 - Gopher Prefix:
O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D1A9575-E548-4ADA-8DD8-4A60E6E3FD53}: NameServer = 202.56.215.54,202.56.215.55
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: BootRacerServ - Greatis Software, LLC - C:\Program Files\BootRacer\BootRacerServ.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7764 bytes




Currently scanning with SAS and MalwareBytes
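As an added example (not from the thread and not part of HijackThis itself), here is a small Python triage script for the HJT entry lines posted above. It parses the `Rn`/`On` lines and flags the items a malware-forum helper reads first: orphaned browser add-on registrations ("(no file)"), O23 services whose binary is missing, O17 per-interface DNS servers, O20 hooks and O4 autoruns. The sample entries are copied from the log above; the "info"/"review" labels are my own convention.

```python
import re
from dataclasses import dataclass

# A subset of the HijackThis entries from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NetWorx] "C:\Program Files\NetWorx\networx.exe" /auto
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D1A9575-E548-4ADA-8DD8-4A60E6E3FD53}: NameServer = 202.56.215.54,202.56.215.55
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
"""


@dataclass
class Entry:
    section: str   # HJT section code, e.g. "O2" or "O23"
    body: str      # everything after "O2 - "


@dataclass
class Finding:
    section: str
    level: str     # "info" (housekeeping) or "review" (look at it before cleaning)
    reason: str
    body: str


# HJT entry lines look like "O23 - Service: ..." ; process and header lines do not.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_hjt(text):
    """Return the entry lines of a HijackThis log; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def triage(entries):
    """Apply the first-pass rules a helper uses when reading an HJT log."""
    findings = []
    for e in entries:
        if e.section in ("O2", "O3") and "(no file)" in e.body:
            findings.append(Finding(e.section, "info",
                                    "orphaned browser add-on registration (no file on disk)", e.body))
        elif e.section == "O4":
            findings.append(Finding(e.section, "info", "autorun entry", e.body))
        elif e.section == "O17":
            servers = IPV4_RE.findall(e.body)
            findings.append(Finding(e.section, "review",
                                    "DNS servers set on interface, confirm they are the ISP's: "
                                    + ", ".join(servers), e.body))
        elif e.section == "O20":
            findings.append(Finding(e.section, "review",
                                    "O20 hook (AppInit_DLLs / Winlogon Notify) loads into many processes",
                                    e.body))
        elif e.section == "O23" and "(file missing)" in e.body:
            findings.append(Finding(e.section, "review",
                                    "service registered but its binary is missing", e.body))
    return findings


def report(findings):
    """Render findings as one line each, highest attention first."""
    order = {"review": 0, "info": 1}
    return [f"[{f.level:6}] {f.section}: {f.reason}\n          {f.body}"
            for f in sorted(findings, key=lambda f: order[f.level])]


if __name__ == "__main__":
    print("\n".join(report(triage(parse_hjt(SAMPLE_LOG)))))
```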
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
How have you got Office 2010 installed?

Is it a beta version, or have you downloaded a "pre-release" version from a non-Microsoft site?

My first suspicion would be an infection from a non-legit source.

Download to Desktop: DDS by sUBs from one of these locations:

http://download.bleepingcomputer.com/sUBs/dds.com
http://download.bleepingcomputer.com/sUBs/dds.scr
http://www.forospyware.com/sUBs/dds

Double click DDS.scr to run.

When complete, DDS.txt will open.

Click Yes for Optional Scan.
Save both reports to your desktop:
DDS.txt
Attach.txt

Attach the contents of both logs back here.

and

Download the GMER rootkit detector from http://gmer.net

Unzip it & double click the gmer.exe file.

It will do a quick scan automatically. When that finishes, if it says "rootkit activity detected" then stop there, press Copy & post back the log it makes.
Do NOT allow it to perform a full scan at this time.

If there is no warning of rootkit activity, then select the Rootkit tab & press Scan. When it finishes, press Copy & post back the log it makes.


Right click the DDS file & select Run as admin.
 

antech

Office 2010: it is a beta version from the Microsoft site.
(Legit source)
As for GMER and the other suggestions, I will post the logs soon, as I am currently on my desktop (HP Vectra VL 400).
 

antech

DDS LOGS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 21:53:57.42 on Sat 05/01/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_19
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.894.232 [GMT 5.5:30]
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\NetWorx\networx.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\taskmgr.exe
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Administrator\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Administrator\Downloads\dds.com
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.co.in/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office14\GROOVEEX.DLL
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL
TB: &NetWorx Desk Band: {feea54b4-d80f-41c7-87b9-dc08e6d3255f} - c:\progra~1\networx\deskband.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
mRun: [NetWorx] "c:\program files\networx\networx.exe" /auto
StartupFolder: c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office14\GROOVE.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {6D1A9575-E548-4ADA-8DD8-4A60E6E3FD53} = 202.56.215.54,202.56.215.55
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office14\GROOVEEX.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\vlkwye40.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
FF - plugin: c:\progra~1\micros~4\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2009-11-3 21520]
R1 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [2010-3-29 38976]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 UsbFltr;WayTech USB Filter Driver1;c:\windows\system32\drivers\UsbFltr.sys [2007-4-9 9600]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
S2 BootRacerServ;BootRacerServ;c:\program files\bootracer\BootRacerServ.exe [2009-9-28 57096]
S3 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-10-20 340456]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-4-2 27192]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-14 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-14 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-14 661504]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-10 1343400]
=============== Created Last 30 ================
2010-04-30 09:22:12 41216 ----a-w- c:\windows\system32\drivers\ativvpxx.vp
2010-04-30 09:22:12 229376 ----a-w- c:\windows\system32\Oemdspif.dll
2010-04-30 09:22:12 2096 ----a-w- c:\windows\system32\drivers\ativpkxx.vp
2010-04-30 09:22:12 2096 ----a-w- c:\windows\system32\drivers\ativokxx.vp
2010-04-30 09:22:12 2096 ----a-w- c:\windows\system32\drivers\ativdkxx.vp
2010-04-30 09:22:08 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2010-04-30 09:22:05 7389184 ----a-w- c:\windows\system32\atioglxx.dll
2010-04-30 09:22:05 11441 ----a-w- c:\windows\atiogl.xml
2010-04-30 09:22:04 49152 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-04-30 09:22:04 319488 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-04-30 09:22:04 2464768 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2010-04-30 09:22:04 143676 ----a-w- c:\windows\system32\atiicdxx.dat
2010-04-30 09:21:26 0 d-----w- C:\8.362-070405a-047117C-Acer
2010-04-29 12:32:37 505104 ----a-r- c:\windows\system32\msxml.dll
2010-04-29 12:32:36 115016 ----a-r- c:\windows\system32\MSINET.OCX
2010-04-29 12:32:27 35840 ----a-r- c:\windows\system32\comdlg32.oca
2010-04-29 12:32:27 140488 ----a-r- c:\windows\system32\comdlg32.ocx
2010-04-29 12:32:26 69632 ----a-r- c:\windows\system32\xmltok.dll
2010-04-29 12:32:26 36864 ----a-r- c:\windows\system32\xmlparse.dll
2010-04-29 12:32:26 26096 ----a-r- c:\windows\system32\xmlinst.exe
2010-04-29 12:32:26 24576 ----a-r- c:\windows\system32\msxml3a.dll
2010-04-29 12:32:25 28432 ----a-r- c:\windows\system32\msxmlr.dll
2010-04-29 12:32:24 89360 ----a-r- c:\windows\system32\VB5DB.DLL
2010-04-29 12:32:24 29184 ----a-r- c:\windows\system32\MSINET.oca
2010-04-29 12:32:22 0 d-----w- c:\program files\Ubi Soft
2010-04-29 08:18:29 0 d-----w- c:\users\admini~1\appdata\roaming\Rainmeter
2010-04-29 08:15:21 0 d-----w- c:\program files\Rainmeter
2010-04-29 07:38:05 0 d-----w- c:\programdata\RoboForm
2010-04-29 07:37:48 0 d-----w- c:\program files\Siber Systems
2010-04-28 10:05:08 0 d-----w- c:\program files\BootRacer
2010-04-28 10:05:01 1563 ----a-w- c:\windows\bootracer
2010-04-28 09:51:15 84992 ----a-w- c:\windows\system32\drivers\sdbus.sys
2010-04-28 09:51:15 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-04-28 09:45:50 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-28 09:45:50 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-04-28 09:45:15 0 d-----w- c:\program files\uTorrent
2010-04-28 09:10:15 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-04-27 10:07:48 0 d-----w- c:\users\admini~1\appdata\roaming\BitTorrent
2010-04-27 10:07:40 0 d-----w- c:\program files\BitTorrent
2010-04-25 10:29:41 0 d-----w- c:\program files\COMODO
2010-04-25 10:14:46 0 d-sh--r- C:\bootwiz
2010-04-25 10:08:25 0 d-----w- c:\programdata\Acronis
2010-04-25 10:04:52 902432 ----a-w- c:\windows\system32\drivers\tdrpm251.sys
2010-04-25 10:04:49 570016 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-04-25 09:19:49 0 d-----w- c:\users\admini~1\appdata\roaming\Auslogics
2010-04-25 08:45:28 27672 ----a-r- c:\windows\system32\drivers\Entech.sys
2010-04-25 08:45:28 0 d-----w- c:\windows\system32\Futuremark
2010-04-23 10:37:04 0 d-----w- c:\programdata\Adobe
2010-04-23 09:25:37 0 d-----w- C:\TurboC3
2010-04-23 09:22:01 0 d-----w- c:\program files\DOSBox-0.73
2010-04-22 12:47:45 0 d-----w- c:\program files\Trend Micro
2010-04-22 09:26:01 0 d-----w- c:\program files\The Game Creators
2010-04-20 12:14:18 0 d-----w- c:\program files\Games By GG releases
2010-04-18 11:40:16 1086 ----a-w- c:\windows\HELP.ICO
2010-04-18 11:40:12 0 d--h--w- c:\windows\PIF
2010-04-18 11:40:10 87 ----a-w- c:\windows\TDW.INI
2010-04-18 11:40:10 290 ----a-w- c:\windows\WINHELP.INI
2010-04-18 11:40:10 180 ----a-w- c:\windows\BCW.INI
2010-04-18 11:40:09 19568 ----a-w- c:\windows\system\CTL3D.DLL
2010-04-18 11:40:09 1410 ----a-w- c:\windows\openhelp.ini
2010-04-18 11:40:01 21648 ----a-w- c:\windows\system\CTL3DV2.DLL
2010-04-18 11:38:58 200 ----a-w- c:\windows\OWL.INI
2010-04-18 09:36:35 0 d-----w- c:\program files\Microsoft SQL Server
2010-04-18 09:29:21 0 d-----w- c:\program files\common files\Merge Modules
2010-04-16 11:10:38 229224 ----a-w- c:\windows\system32\drivers\VMM.sys
2010-04-16 09:43:03 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-16 09:42:25 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-16 09:42:24 0 d-----w- c:\users\admini~1\appdata\roaming\SUPERAntiSpyware.com
2010-04-16 09:41:30 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-16 09:37:37 0 d-----w- c:\programdata\Startup Manager
2010-04-16 09:37:37 0 d-----w- c:\program files\Startup Manager
2010-04-16 09:30:58 0 d-----w- c:\users\admini~1\appdata\roaming\Malwarebytes
2010-04-16 09:30:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-16 09:30:41 0 d-----w- c:\programdata\Malwarebytes
2010-04-16 09:30:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-16 09:30:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-15 09:06:21 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-15 09:06:19 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-15 09:06:17 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-15 09:06:16 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-15 09:06:16 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-15 09:06:16 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 08:29:56 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 08:29:55 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 14:03:31 0 d-----w- c:\users\administrator\Shared
2010-04-13 14:03:31 0 d-----w- c:\users\administrator\Incomplete
2010-04-13 13:59:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-13 12:44:30 0 d-----w- c:\programdata\Sun
2010-04-13 12:24:18 0 d-----w- c:\users\admini~1\appdata\roaming\CBS Interactive
2010-04-13 12:22:05 0 d-----w- c:\users\admini~1\appdata\roaming\SkyDownloader
2010-04-13 12:10:49 0 d-----w- c:\programdata\ZapShares
2010-04-11 07:20:02 0 d-----w- c:\program files\MSECACHE
2010-04-11 07:08:56 0 d-----w- c:\program files\Microsoft Synchronization Services
2010-04-11 07:08:43 0 d-----w- c:\program files\Microsoft Analysis Services
2010-04-11 07:07:48 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-04-11 07:07:47 0 d-----w- c:\windows\PCHEALTH
2010-04-11 07:07:47 0 d-----w- c:\program files\Microsoft Visual Studio 8
2010-04-11 06:36:22 0 d-sh--w- C:\found.000
2010-04-11 05:48:54 0 d-----w- c:\program files\Auslogics
2010-04-10 17:58:18 0 d-----w- c:\programdata\Microsoft Help
2010-04-10 13:51:54 310690 --sh--r- C:\EDTYP
2010-04-10 13:51:54 20 --sh--r- C:\winx.ld
2010-04-08 13:12:07 0 d-----w- c:\users\admini~1\appdata\roaming\Actual Tools
2010-04-08 13:11:59 0 d-----w- c:\program files\Actual Transparent Window
2010-04-02 05:25:21 0 d-----w- c:\program files\MSXML 4.0
2010-04-02 05:19:13 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-04-02 05:19:11 0 d-----w- c:\program files\VS Revo Group
2010-04-02 05:09:45 0 d-----w- c:\users\admini~1\appdata\roaming\KeePass
==================== Find3M ====================
2010-04-28 15:09:07 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-04-28 15:09:07 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-04-01 08:29:13 0 ---ha-w- c:\windows\system32\drivers\Msft_User_GeosenseSensor_01_09_00.Wdf
2010-03-29 09:31:58 38976 ----a-w- c:\windows\system32\drivers\pssdk42.sys
2010-03-26 06:10:06 74752 ----a-w- c:\windows\ST6UNST.EXE
2010-03-26 06:10:06 253952 ------w- c:\windows\Setup1.exe
2010-03-24 12:02:37 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-03-17 13:50:01 64512 ---ha-w- c:\users\admini~1\appdata\roaming\dach100.dll
2010-03-15 23:34:59 36734 ----a-w- c:\windows\system32\OggDSuninst.exe
2010-03-14 16:00:28 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-12 15:25:54 4304384 ----a-w- c:\windows\system32\drivers\RtkHDAud.Sys
2010-03-12 15:25:48 16248320 ----a-w- c:\windows\RTHDCPL.exe
2010-02-24 04:46:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 07:56:00 977920 ----a-w- c:\windows\system32\wininet.dll
2010-02-02 07:45:54 2048 ----a-w- c:\windows\system32\tzres.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
============= FINISH: 21:55:00.71 ===============
 

antech
LOG 2:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume4
Install Date: 3/11/2010 10:05:52 AM
System Uptime: 5/1/2010 4:38:48 PM (5 hours ago)
Motherboard: Acer | | Navarro
Processor: AMD Turion(tm) 64 Mobile Technology MK-36 | Socket M2/S1G1 | 2000/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 22 GiB total, 4.79 GiB free.
D: is FIXED (NTFS) - 20 GiB total, 11.104 GiB free.
E: is FIXED (NTFS) - 35 GiB total, 4.529 GiB free.
F: is FIXED (NTFS) - 35 GiB total, 18.95 GiB free.
G: is CDROM (CDFS)
H: is CDROM ()
I: is CDROM (CDFS)
J: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: {36fc9e60-c465-11cf-8056-444553540000}
Description: Unknown Device
Device ID: USB\VID_0000&PID_0000\5&610DAD3&0&4
Manufacturer: (Standard USB Host Controller)
Name: Unknown Device
PNP Device ID: USB\VID_0000&PID_0000\5&610DAD3&0&4
Service:
==== System Restore Points ===================
RP111: 4/28/2010 3:05:54 PM - Removed EASEUS Data Recovery Wizard Professional 4.3.6
RP112: 4/28/2010 3:07:09 PM - Removed Acronis True Image Home
RP113: 4/28/2010 3:20:06 PM - Windows Update
RP114: 4/28/2010 3:34:31 PM - Installed BootRacer
RP115: 4/29/2010 1:45:37 PM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
RP116: 4/29/2010 3:00:26 PM - Installed Windows SideShow Managed Runtime 1.0
RP118: 4/29/2010 5:40:03 PM - Installed Tom Clancy's Splinter Cell
RP120: 4/30/2010 1:32:05 PM - Installed Acer OrbiCam
RP121: 4/30/2010 1:39:22 PM - Windows Update
RP122: 4/30/2010 2:51:19 PM - ATI Chipset Driver Installation
==== Installed Programs ======================
µTorrent
Acer OrbiCam
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
AI RoboForm (All Users)
ATI Catalyst Install Manager
Auslogics Disk Defrag
BitTorrent
BootRacer
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center HydraVision Full
Catalyst Control Center InstallProxy
ccc-core-static
ccc-utility
CCC Help English
CCleaner
CNET TechTracker
Construction - Destruction
DH Mobility Modder.NET
Direct Show Ogg Vorbis Filter (remove only)
Euro Truck Simulator 1.3
FLV Player 2.0 (build 25)
Geosense for Windows
Google Chrome
Google Talk (remove only)
HDAUDIO Soft Data Fax Modem with SmartCP
HijackThis 2.0.2
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB948127)
Java Auto Updater
Java(TM) 6 Update 19
Kaspersky Internet Security 2010
MagicDisc 2.7.106
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft SharedView
Microsoft Silverlight
Microsoft SQL Server 2008 Management Objects
Microsoft Virtual PC 2007 SP1
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
Mozilla Firefox (3.6)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Need for Speed™ Carbon
NetWorx 5.1.1
PlayReady PC Runtime x86
Rainmeter (remove only)
Realtek High Definition Audio Driver
Revo Uninstaller Pro 2.2.0
Skins
Skype Toolbars
Skype™ 4.2
Snail Mail
SpeedFan (remove only)
SQL Server System CLR Types
Startup Manager 2.4.2
SUPERAntiSpyware Professional
System Requirements Lab
Tom Clancy's Splinter Cell
VC 9.0 Runtime
Windows Internet Explorer Platform Preview
Windows SideShow Managed Runtime 1.0
WinRAR archiver
World of Warcraft FREE Trial
==== Event Viewer Messages From Past Week ========
5/1/2010 4:39:28 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ATITool
5/1/2010 4:39:21 PM, Error: Service Control Manager [7000] - The Acronis Scheduler2 Service service failed to start due to the following error: The system cannot find the file specified.
4/30/2010 7:52:08 PM, Error: VDS Basic Provider [1] - Unexpected failure. Error code: [email protected]
4/30/2010 6:55:22 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR3.
4/30/2010 6:54:50 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LanmanServer service.
4/30/2010 6:03:16 PM, Error: Microsoft-Windows-SharedAccess_NAT [31004] - The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.
4/30/2010 3:09:53 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR13.
4/30/2010 3:09:52 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
4/30/2010 3:00:16 PM, Error: cdrom [11] - The driver detected a controller error on \Device\CdRom1.
4/29/2010 6:44:27 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR2.
4/28/2010 3:38:17 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR33.
4/28/2010 3:36:01 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR32.
4/28/2010 3:35:11 PM, Error: Service Control Manager [7030] - The BootRacerServ service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
4/28/2010 3:34:58 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR28.
4/28/2010 2:13:26 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
4/28/2010 2:13:26 PM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535.
==== End Of File ===========================
 

antech
GMER LOG:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-01 21:56:38
Windows 6.1.7600
Running: dg58shhe.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\pwlcrpow.sys

---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8488B1F8
AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)
AttachedDevice \Driver\tdx \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\tdx \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\tdx \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\tdx \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
---- EOF - GMER 1.0.15 ----
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Run a full scan with GMER please & post that.

It looks like a rootkit, possibly an MBR rootkit.
 

antech
Oh,
Forgot to tell you that I recently uninstalled Comodo Time Machine, Comodo Backup and Acronis True Image.
I was just testing their compatibility.
 

antech
Sorry, but I was in a hurry when I posted the logs and I forgot to include the GMER full log.
Did the suspected rootkit somehow affect my USB ports?
I guess it hooked up some drivers.
Something like the "sphj.sys" has popped up.
What's sppx.sys?
I couldn't find it anywhere online.
 

antech
Here's the full log, dvk:
Is it the FULL LOG?

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-02 20:44:32
Windows 6.1.7600
Running: dg58shhe.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\pwlcrpow.sys

---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0x87B0ABD0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcConnectPort [0x87B0C52C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcCreatePort [0x87B0C782]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcSendWaitReceivePort [0x87B0C9FC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwClose [0x87B0B450]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwConnectPort [0x87B0BB32]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateEvent [0x87B0BF3C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateFile [0x87B0B5F8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateMutant [0x87B0BE14]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0x87B0A7D6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreatePort [0x87B0BCD0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateSection [0x87B0A992]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateSemaphore [0x87B0C06E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0x87B0DCB0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateThread [0x87B0B0EE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateThreadEx [0x87B0B1EE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateWaitablePort [0x87B0BD72]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDebugActiveProcess [0x87B0D6A2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDuplicateObject [0x87B0E672]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwFsControlFile [0x87B0B752]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwLoadDriver [0x87B0D734]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwMapViewOfSection [0x87B0DD64]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenEvent [0x87B0BFDE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenFile [0x87B0B4D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenMutant [0x87B0BEAC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenProcess [0x87B0ADD6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenSection [0x87B0DCDA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenSemaphore [0x87B0C110]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenThread [0x87B0ACFA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQueryDirectoryObject [0x87B0CC3E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQuerySection [0x87B0E07C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQueueApcThread [0x87B0D9CA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwReplyPort [0x87B0C49A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0x87B0C360]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0x87B0D442]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwResumeThread [0x87B0E554]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSecureConnectPort [0x87B0B86C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetContextThread [0x87B0B30C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetInformationToken [0x87B0CCF2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetSecurityObject [0x87B0D82E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetSystemInformation [0x87B0E1BC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSuspendProcess [0x87B0E2A0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSuspendThread [0x87B0E3C8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSystemDebugControl [0x87B0D5CE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwTerminateProcess [0x87B0AF4E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwTerminateThread [0x87B0AEA4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0x87B0DF32]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0x87B0B02E]
INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C2CAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C2C104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C2C3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C14FB4
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C2C1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C2C958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C2C6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C2CF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C2D1A8
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C8C599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CB0F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 220 82CB8730 4 Bytes [D0, AB, B0, 87]
.text ntkrnlpa.exe!RtlSidHashLookup + 248 82CB8758 8 Bytes [2C, C5, B0, 87, 82, C7, B0, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 28C 82CB879C 4 Bytes [FC, C9, B0, 87] {CLD ; LEAVE ; MOV AL, 0x87}
.text ntkrnlpa.exe!RtlSidHashLookup + 2B8 82CB87C8 4 Bytes [50, B4, B0, 87]
.text ntkrnlpa.exe!RtlSidHashLookup + 2DC 82CB87EC 4 Bytes [32, BB, B0, 87]
.text ...
? System32\Drivers\sphj.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8FE24CA0 5 Bytes JMP 85C0D1D8
.text aww1og5a.SYS 90216000 12 Bytes [44, 78, C1, 82, EE, 76, C1, ...]
.text aww1og5a.SYS 9021600D 9 Bytes [57, C1, 82, 48, 7B, C1, 82, ...]
.text aww1og5a.SYS 90216017 170 Bytes [00, DE, 97, 31, 87, E6, 95, ...]
.text aww1og5a.SYS 902160C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text aww1og5a.SYS 902160CE 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text peauth.sys 97A2CC9D 28 Bytes [4F, A6, 55, B4, 28, 52, 4A, ...]
.text peauth.sys 97A2CCC1 28 Bytes [4F, A6, 55, B4, 28, 52, 4A, ...]
PAGE peauth.sys 97A32E20 101 Bytes [A4, 74, E2, 32, C4, BA, 5D, ...]
PAGE peauth.sys 97A3302C 102 Bytes [07, 71, E2, 9A, 35, 37, 05, ...]
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] USER32.dll!CreateWindowExW 75AD0E51 5 Bytes JMP 670480F7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] USER32.dll!DialogBoxIndirectParamW 75AF4AA7 5 Bytes JMP 6716F218 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] USER32.dll!DialogBoxParamW 75AF564A 5 Bytes JMP 66F64B7F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] USER32.dll!DialogBoxParamA 75B0CF6A 5 Bytes JMP 6716F1B5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] USER32.dll!DialogBoxIndirectParamA 75B0D29C 5 Bytes JMP 6716F27B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] USER32.dll!MessageBoxIndirectA 75B1E8C9 5 Bytes JMP 6716F14A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] USER32.dll!MessageBoxIndirectW 75B1E9C3 5 Bytes JMP 6716F0DF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] USER32.dll!MessageBoxExA 75B1EA29 5 Bytes JMP 6716F07D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] USER32.dll!MessageBoxExW 75B1EA4D 5 Bytes JMP 6716F01B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3364] USER32.dll!UnhookWindowsHookEx 75ACCC7B 5 Bytes JMP 670582FA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3364] USER32.dll!CallNextHookEx 75ACCC8F 5 Bytes JMP 67039D00 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3364] USER32.dll!CreateWindowExW 75AD0E51 5 Bytes JMP 670480F7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3364] USER32.dll!SetWindowsHookExW 75AD210A 5 Bytes JMP 66FF45DB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3364] USER32.dll!DialogBoxIndirectParamW 75AF4AA7 5 Bytes JMP 6716F218 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3364] USER32.dll!DialogBoxParamW 75AF564A 5 Bytes JMP 66F64B7F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3364] USER32.dll!DialogBoxParamA 75B0CF6A 5 Bytes JMP 6716F1B5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3364] USER32.dll!DialogBoxIndirectParamA 75B0D29C 5 Bytes JMP 6716F27B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3364] USER32.dll!MessageBoxIndirectA 75B1E8C9 5 Bytes JMP 6716F14A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3364] USER32.dll!MessageBoxIndirectW 75B1E9C3 5 Bytes JMP 6716F0DF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3364] USER32.dll!MessageBoxExA 75B1EA29 5 Bytes JMP 6716F07D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3364] USER32.dll!MessageBoxExW 75B1EA4D 5 Bytes JMP 6716F01B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3364] ole32.dll!OleLoadFromStream 75565B88 5 Bytes JMP 6716F576 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3364] ole32.dll!CoCreateInstance 755B57FC 5 Bytes JMP 67048BE5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8721D042] \SystemRoot\System32\Drivers\sphj.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8721D6D6] \SystemRoot\System32\Drivers\sphj.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8721D800] \SystemRoot\System32\Drivers\sphj.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8721D13E] \SystemRoot\System32\Drivers\sphj.sys
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortInitialize] 157B805E
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
IAT \SystemRoot\System32\Drivers\aww1og5a.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\Explorer.EXE[1688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73E62494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73E45624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73E456E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73E6250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73E58573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73E54D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73E550CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73E551A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73E566D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73E582CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73E58819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73E5907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73E5E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73E54C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8488B1F8
AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)
Device \Driver\volmgr \Device\VolMgrControl 848861F8
Device \Driver\usbohci \Device\USBPDO-0 85C65500
Device \Driver\usbohci \Device\USBPDO-1 85C65500
Device \Driver\usbehci \Device\USBPDO-2 85C64500
AttachedDevice \Driver\tdx \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
Device \Driver\PCI_PNP8896 \Device\00000062 sphj.sys
Device \Driver\volmgr \Device\HarddiskVolume1 848861F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000058 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume2 848861F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom0 85A641F8
Device \Driver\volmgr \Device\HarddiskVolume3 848861F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom1 85A641F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 848881F8
Device \Driver\atapi \Device\Ide\IdePort0 848881F8
Device \Driver\atapi \Device\Ide\IdePort1 848881F8
Device \Driver\volmgr \Device\HarddiskVolume4 848861F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom2 85A641F8
Device \Driver\cdrom \Device\CdRom3 85A641F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 85AB9500
Device \Driver\NetBT \Device\NetBT_Tcpip_{6D1A9575-E548-4ADA-8DD8-4A60E6E3FD53} 85AB9500
AttachedDevice \Driver\tdx \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
Device \Driver\NetBT \Device\NetBT_Tcpip_{032BF9FF-79E2-425C-908B-36624A1CDAF6} 85AB9500
AttachedDevice \Driver\tdx \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
Device \Driver\sptd \Device\919286396 sphj.sys
Device \Driver\usbohci \Device\USBFDO-0 85C65500
Device \Driver\usbohci \Device\USBFDO-1 85C65500
Device \Driver\usbehci \Device\USBFDO-2 85C64500
Device \Driver\SI3112 \Device\Scsi\SI31121 848891F8
Device \Driver\SI3112 \Device\Scsi\SI31121Port2Path1TargetffLun0 848891F8
Device \Driver\aww1og5a \Device\Scsi\aww1og5a1 85C901F8
Device \Driver\aww1og5a \Device\Scsi\aww1og5a1Port4Path0Target1Lun0 85C901F8
Device \Driver\SI3112 \Device\Scsi\SI31121Port2Path0Target0Lun0 848891F8
Device \Driver\aww1og5a \Device\Scsi\aww1og5a1Port4Path0Target0Lun0 85C901F8
Device \FileSystem\cdfs \Cdfs 864961F8
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\[email protected] 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\[email protected] 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\[email protected] C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\[email protected] 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\[email protected] 0x62 0xDB 0x54 0x76 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\[email protected] 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\[email protected] 0xC6 0x50 0x24 0x87 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\[email protected] 0x11 0x32 0xF2 0x21 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\[email protected] 0x02 0x49 0xC3 0x46 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\[email protected] C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\[email protected] 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\[email protected] 0x62 0xDB 0x54 0x76 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\[email protected] 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\[email protected] 0xC6 0x50 0x24 0x87 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\[email protected] 0x11 0x32 0xF2 0x21 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\[email protected] 0x02 0x49 0xC3 0x46 ...
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
---- EOF - GMER 1.0.15 ----


Sorry but I am acting like a Novice
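
The two "copy of MBR" lines at the end of the GMER log above are the part most worth understanding. As an added example (not part of the original post and not GMER's own code), here is a small Python scanner that does the same comparison: it reads the first 64 sectors of a disk image, compares each against sector 0, and distinguishes a byte-identical copy (what a backup or rollback tool leaves behind when it saves the MBR) from a sector that carries the same partition table under different boot code. The disk image, the partition entry and the sector numbers 22, 23 and 40 are constructed for the example; nothing is read from a real disk unless a path is given on the command line.

```python
"""Find copies of the MBR among the first sectors of a disk image.

Added example for this thread; not GMER's code. The image scanned by default
is constructed in memory. On a live Windows box the same scan would read
\\.\PhysicalDrive0 (administrator only) instead of an image file.
"""
import struct
import sys
from dataclasses import dataclass

SECTOR = 512
BOOT_SIG = b"\x55\xAA"


@dataclass
class SectorHit:
    lba: int
    kind: str


def is_bootable(sector: bytes) -> bool:
    """A 512-byte sector whose last two bytes are the 0x55AA signature."""
    return len(sector) == SECTOR and sector[510:512] == BOOT_SIG


def partition_table(sector: bytes) -> bytes:
    """The four 16-byte partition entries at offset 446."""
    return sector[446:510]


def scan_for_mbr_copies(image: bytes, max_sectors: int = 64) -> list:
    """Compare sectors 1..max_sectors-1 with sector 0 and classify the hits.

    exact copy            byte-for-byte identical to sector 0 (backup tools)
    same table, new code  partition table matches, boot code differs; the
                          pairing a bootkit leaves when it stashes the original
                          MBR elsewhere and patches sector 0
    other bootable        any other sector ending in 0x55AA (e.g. a VBR)
    """
    mbr = image[:SECTOR]
    if not is_bootable(mbr):
        raise ValueError("sector 0 carries no 0x55AA signature; not an MBR disk")
    hits = []
    for lba in range(1, min(max_sectors, len(image) // SECTOR)):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec == mbr:
            hits.append(SectorHit(lba, "exact copy"))
        elif is_bootable(sec) and partition_table(sec) == partition_table(mbr):
            hits.append(SectorHit(lba, "same table, new code"))
        elif is_bootable(sec):
            hits.append(SectorHit(lba, "other bootable"))
    return hits


def build_sample_image(sectors: int = 64) -> bytes:
    """Constructed image: a fake MBR at sector 0, copies at 22 and 23, and a
    sector 40 with the same partition table but different boot code."""
    boot_code = b"\xFA\x33\xC0" + b"\x90" * (446 - 3)      # cli; xor ax,ax; nops
    # one active NTFS (0x07) partition starting at LBA 2048, 1,000,000 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 1_000_000)
    table = entry + b"\x00" * (16 * 3)
    mbr = boot_code + table + BOOT_SIG
    image = bytearray(SECTOR * sectors)
    image[0:SECTOR] = mbr
    image[22 * SECTOR:23 * SECTOR] = mbr
    image[23 * SECTOR:24 * SECTOR] = mbr
    patched = b"\xEB\xFE" + b"\x00" * (446 - 2) + table + BOOT_SIG   # jmp $
    image[40 * SECTOR:41 * SECTOR] = patched
    return bytes(image)


if __name__ == "__main__":
    # usage: python mbr_copies.py [disk-image]; without an argument the constructed image is scanned
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(SECTOR * 64)
    else:
        data = build_sample_image()
    for hit in scan_for_mbr_copies(data):
        print(f"sector {hit.lba}: {hit.kind}")
```

Run without arguments it reports sectors 22 and 23 as exact copies and sector 40 as "same table, new code". Exact copies in low sectors with an unchanged sector 0 are the benign pattern; the case to chase is the reverse, where sector 0's boot code no longer matches what the installed OS wrote and the original sits further up the disk.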
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
sp**.sys are Daemon Tools & they always affect all rootkit scans as Daemon uses rootkit techniques to work & bypass Windows protections

I am fairly sure all your problems are a bad uninstall of Comodo Time Machine & when it has happened in the past, the only cure was a format & reinstall of the OS
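
Derek's point that the SPTD driver attaches itself across the disk stacks is easier to check mechanically than by eye. As an added example (not from the thread and not GMER's own code), the Python script below parses the Device/AttachedDevice lines of a GMER log, lists the filter drivers sitting on each device stack, and flags two things a reviewer otherwise hunts for by hand: modules GMER printed with no "(description/vendor)" tag, and driver objects with machine-generated-looking names. The sample log is constructed from lines of the log above; the random-name check is a heuristic of mine, not a rule GMER applies.

```python
"""Triage the Device/AttachedDevice section of a GMER log.

Added example; not GMER's code. SAMPLE_LOG is assembled from lines of the
log posted in this thread.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Device \Driver\volmgr \Device\HarddiskVolume1 848861F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000058 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
Device \Driver\sptd \Device\919286396 sphj.sys
Device \Driver\aww1og5a \Device\Scsi\aww1og5a1 85C901F8
Device \Driver\SI3112 \Device\Scsi\SI31121 848891F8
Device \FileSystem\cdfs \Cdfs 864961F8
"""

LINE_RE = re.compile(
    r"^(?P<kind>Device|AttachedDevice)\s+"
    r"(?P<driver>\\(?:Driver|FileSystem)\\\S+)\s+"
    r"(?P<device>\S+)\s+"
    r"(?P<tail>\S+)"                       # object address or module file name
    r"(?:\s+\((?P<info>.*)\))?\s*$"        # optional "(description/vendor)"
)
# Heuristic (mine, not GMER's): eight lowercase alphanumerics mixing letters
# and digits, the shape of the per-install names SPTD gives its driver objects.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{8}$")


def parse_gmer_devices(text: str) -> list:
    """One dict per Device/AttachedDevice line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        info = e.pop("info")
        e["description"], e["vendor"] = (
            info.rsplit("/", 1) if info and "/" in info else (info, None)
        )
        tail = e.pop("tail")
        e["module"] = tail if tail.lower().endswith((".sys", ".dll")) else None
        e["driver_name"] = e["driver"].rsplit("\\", 1)[1]
        entries.append(e)
    return entries


def filters_by_stack(entries: list) -> dict:
    """Device stack -> [(filter module, vendor)] for every AttachedDevice line."""
    stacks = defaultdict(list)
    for e in entries:
        if e["kind"] == "AttachedDevice" and e["module"]:
            stacks[e["device"]].append((e["module"], e["vendor"] or "unknown"))
    return dict(stacks)


def triage(entries: list) -> list:
    """(device, item, reason) tuples for entries worth a second look."""
    findings = []
    for e in entries:
        if e["module"] and e["vendor"] is None:
            findings.append((e["device"], e["module"],
                             "module printed without a description/vendor tag"))
        if RANDOM_NAME_RE.match(e["driver_name"]):
            findings.append((e["device"], e["driver_name"],
                             "driver object name looks machine-generated"))
    return findings


if __name__ == "__main__":
    parsed = parse_gmer_devices(SAMPLE_LOG)
    for dev, filters in filters_by_stack(parsed).items():
        print(dev, "<-", ", ".join(f"{m} [{v}]" for m, v in filters))
    for dev, item, why in triage(parsed):
        print("REVIEW", dev, item, why)
```

On the sample it reports the BitLocker and ReadyBoost filters on HarddiskVolume1 and the Kaspersky filter on the UDP transport, and flags exactly sphj.sys (no vendor tag) and the aww1og5a driver object (random-looking name). Both are what SPTD looks like in a GMER log; a flagged name that does not belong to Daemon Tools or another known SPTD user is the one to investigate.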
 

antech

Thread Starter
Banned
Joined
Feb 23, 2010
Messages
1,427
sp**.sys are Daemon Tools & they always affect all rootkit scans as Daemon uses rootkit techniques to work & bypass Windows protections

I am fairly sure all your problems are a bad uninstall of Comodo Time Machine & when it has happened in the past, the only cure was a format & reinstall of the OS
No, I just fixed the MBR using the Windows 7 disk and it seemed to fix the problem.
Are there any signs of infection?
I had a modified Win XP disk
(modified using nLite).
The problem appeared some days after installing Win XP using that disk.
USB ports started to stop working.
BTW,
I don't know why Daemon Tools would hook some USB drivers?
The file seems to have been in use since I got the XP disk.
And one more thing to note:
I scanned using RADIX and it didn't fix anything.
Daemon Tools was NOT INSTALLED then.
Still, RADIX found that some drivers were hooked by sppx.sys!
That's strange...
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Those MBR entries in GMER look like backups made by either ATI or Comodo or even EASEUS Data Recovery Wizard Professional 4.3.6 and don't look like normal malware-related MBR entries.

How many different OSes have you got on this computer?

nLite is not an approved operating system and, depending on where you downloaded it from, it might have been infected.

We only support/help with fully legitimate versions of Windows using full Windows media. In view of your statement about nLite, before going any further you need to satisfy us that you have a legitimate operating system.

  • Please go here using Internet Explorer.
  • Click on "Windows Validation Assistant"
  • Click on the "Validate Now" button.
  • Be patient while the ActiveX loads, do not click on any links.
  • Read the instructions on this page while it's loading. You will be prompted to install - click YES.
  • Enter your product key then click "continue"
  • When it says "Validation Complete" please click "Continue to return to your previous activity"
  • Copy what it says and paste it here.

Do that on ALL OSes you have installed on this computer.

I find it strange that you have W7 Ultimate on a fairly low-spec system.

Daemon Tools hooks all disk drivers & most other OS drivers on the system.
 

antech

Thread Starter
Banned
Joined
Feb 23, 2010
Messages
1,427
It just automatically redirected me to the page containing this
(I am using a 30-day trial of Windows 7):

Windows validation did not successfully complete

This Update to Windows Activation Technologies (KB971033) is not able to validate Windows running on your PC at this time. Please try again later. If the problem persists, you may need to uninstall and then reinstall the update by returning to http://www.microsoft.com/genuine , clicking on Validate Now, and following the installation instructions.

To uninstall an update:

  1. Click Start.
  2. Select Control Panel.
  3. Click on the Programs icon.
  4. Click on View Installed Updates under Programs and Features.
  5. Select the update you wish to uninstall.
  6. Click Uninstall.
Some days ago, I removed Win XP as it had crashed during beta testing of some software.


Sorry for the Big font.
 