
Help: Bad Image Error


El Kabong

Hi all. I'm looking for a little help here. Turned on my PC and received multiple Bad Image Errors. As well, most exe's will not run (icons in start menu are - changed). Not sure what's what.

Ran MBAM - clean. Avast also shows clean scans. Not sure what to do now...

Attempted to uninstall DaemonTools as required... can't!

 

I would really appreciate some advice.

 

Including both MBAM and HJT logs.

Thanks in advance.

ElK

 

 

MBAM log:

 

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

 

Database version: 7607

 

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

 

9/2/2011 11:16:23 PM

mbam-log-2011-09-02 (23-16-23).txt

 

Scan type: Full scan (C:\|)

Objects scanned: 524677

Time elapsed: 2 hour(s), 8 minute(s), 34 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

 

 

HiJackThis Log:

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 11:37:56 PM, on 9/2/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17099)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

C:\Program Files\Nero\Nero 7\InCD\InCD.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\AVAST Software\Avast\avastUI.exe

C:\Program Files\Garmin\ANT Agent\ANT Agent.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\Mark\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/defaultf.aspx?lang=fr-ca

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL

O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL

O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [securDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe

O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun

O4 - HKCU\..\Run: [ANT Agent] C:\Program Files\Garmin\ANT Agent\ANT Agent.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-21-1390067357-1715567821-839522115-1004\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent (User '?')

O4 - HKUS\S-1-5-21-1390067357-1715567821-839522115-1004\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun (User '?')

O4 - HKUS\S-1-5-21-1390067357-1715567821-839522115-1004\..\Run: [ANT Agent] C:\Program Files\Garmin\ANT Agent\ANT Agent.exe (User '?')

O4 - HKUS\S-1-5-21-1390067357-1715567821-839522115-1004\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User '?')

O4 - HKUS\S-1-5-21-1390067357-1715567821-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~4\Office14\ONBttnIE.dll/105

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe

O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

 

--

End of file - 9869 bytes
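An added triage helper, written for this thread and not part of it or of HijackThis: it reads HijackThis-format entry lines (the constructed sample below copies a few lines from the log above) and lists the entries a log reader usually examines first. A flag means "look at this", not "remove it": every flagged line in this thread's log belongs to a legitimate product.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: a few lines copied from the HijackThis log posted
# above. Every entry here belongs to a legitimate product; the point is to
# show which lines a log reader would examine first, not to declare malware.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKUS\S-1-5-21-1390067357-1715567821-839522115-1004\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun (User '?')
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
--
End of file - 9869 bytes
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, O23, ...)
# followed by " - "; header and footer lines do not match this and are skipped.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Review reasons, kept as constants so callers can match on them.
FILE_MISSING = "target file missing"
NO_PUBLISHER = "service with no publisher recorded"
UNRESOLVED_SID = "autorun under a user SID HijackThis could not resolve"
FILTER_HANDLER = "MIME filter handler (HijackThis labels every O18 entry a hijack)"


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, line) for each entry line of a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if m:
            entries.append((m.group("section"), line))
    return entries


def section_counts(text: str) -> Counter:
    """How many entries each section contributes; a quick shape check of a log."""
    return Counter(section for section, _ in parse_hjt(text))


def triage(text: str) -> List[Finding]:
    """Pick out entries worth a closer look. Check order matters: a missing
    file is reported ahead of the weaker 'no publisher' signal on the same line."""
    findings = []
    for section, line in parse_hjt(text):
        if line.endswith("(file missing)"):
            reason = FILE_MISSING          # stale service or autorun pointing nowhere
        elif section == "O23" and " - Unknown owner - " in line:
            reason = NO_PUBLISHER          # service binary carries no company name
        elif section == "O4" and line.startswith("O4 - HKUS\\") and line.endswith("(User '?')"):
            reason = UNRESOLVED_SID        # autorun for a profile HJT could not name
        elif section == "O18":
            reason = FILTER_HANDLER        # protocol/MIME filter registrations
        else:
            continue
        findings.append(Finding(section, reason, line))
    return findings


if __name__ == "__main__":
    for sec, n in sorted(section_counts(SAMPLE_LOG).items()):
        print(f"{sec}: {n}")
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```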


Hello El Kabong and :wp:

 

My name is JonTom

 

  • Malware Logs can sometimes take a lot of time to research and interpret.

  • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.

  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.

  • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.

  • PLEASE NOTE: If you do not reply after 5 days your thread will be closed.

As well, most exe's will not run (icons in start menu are - changed)

How are they changed? Are they no longer present?

 

Let's take a closer look at your system with the following:

 

  • DeFogger

    • Please download DeFogger to your desktop.
    • Click on DeFogger to run the tool.
    • The application window will appear.
    • Click the Disable button to disable your CD Emulation drivers.
    • Click Yes to continue.
    • A 'Finished!' message will appear.
    • Click OK.
    • DeFogger will now ask to reboot the machine - click OK.

      IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

      Do not re-enable these drivers until otherwise instructed.

  • Please perform the following scan

    • Please download DDS from here and save it to your desktop.
    • Disable any script blocking protection (How to Disable your Security Programs)
    • Double click on the DDS icon to run the tool (may take up to 3 minutes to run).
    • When done, DDS.txt will open.
    • After a few moments, attach.txt will open in a second window.
    • Save both reports to your desktop.
    • Please post the contents of the DDS.txt and Attach.txt logs in your next reply.

  • Please scan your system with GMER

    Download GMER Rootkit Scanner from here or here.

    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and post it in your reply.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

 

Please post the DDS logs and the GMER log in your next reply. If you encounter any problems with the scans come back and let me know.

 


Good to meet ya, JonTom, and thanks for the help.

 

What I meant about the program icons... The little graphical representation has changed from the 'manufacturer's' icon to a generic 'windows' icon... Does that make sense? As if the shortcut can't find what it's pointing to, or something. If I actually explore the program folders, the icons seem fine (although I still can't run the exe's from there).

 

I ran defogger with no problem. As well as DDS (logs follow).

 

Will attempt GMER, but the last time I tried (I knew I would be asked for this so I wanted to be prepared), I got a BSOD.

 

Here are the DDS logs. Stay tuned for GMER results

 

 

DDS.txt:

 

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 7.0.5730.13

Run by Mark at 13:26:02 on 2011-09-03

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

C:\Program Files\Nero\Nero 7\InCD\InCD.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\AVAST Software\Avast\avastUI.exe

C:\Program Files\Garmin\ANT Agent\ANT Agent.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\Mark\Desktop\dds.scr

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

.

============== Pseudo HJT Report ===============

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

mURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office14\GROOVEEX.DLL

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File

uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent

uRun: [ANT Agent] c:\program files\garmin\ant agent\ANT Agent.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [securDisc] c:\program files\nero\nero 7\incd\NBHGui.exe

mRun: [inCD] c:\program files\nero\nero 7\incd\InCD.exe

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

LSP: %SYSTEMROOT%\system32\nvappfilter.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

TCP: DhcpNameServer = 192.168.2.1 192.168.2.1

TCP: Interfaces\{752F14E1-309A-4B3D-879C-E7572779E215} : DhcpNameServer = 192.168.2.1 192.168.2.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office14\GROOVEEX.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\mark\application data\mozilla\firefox\profiles\gvk0n3rj.default\

FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cfbef19&v=7.007.026.001&i=23&tp=ab&iy=&ychte=ca&lng=en-US&q=

FF - plugin: c:\documents and settings\all users.windows\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll

FF - plugin: c:\progra~1\micros~4\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npzylomgamesplayer.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

.

============= SERVICES / DRIVERS ===============

.

R? acedrv11;acedrv11

R? DAUpdaterSvc;Dragon Age: Origins - Content Updater

R? gupdate;Google Update Service (gupdate)

R? gupdatem;Google Update Service (gupdatem)

R? meika;meika

R? Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service

R? NeroRegInCDSrv;Nero Registry InCD Service

R? osppsvc;Office Software Protection Platform

S? aswFsBlk;aswFsBlk

S? aswSnx;aswSnx

S? aswSP;aswSP

S? avast! Antivirus;avast! Antivirus

.

=============== Created Last 30 ================

.

2011-09-02 22:45:20 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-31 00:48:42 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-08-31 00:47:42 40112 ----a-w- c:\windows\avastSS.scr

2011-08-31 00:47:37 -------- d-----w- c:\program files\AVAST Software

2011-08-31 00:47:37 -------- d-----w- c:\documents and settings\all users.windows\application data\AVAST Software

2011-08-30 02:16:05 -------- d-----w- c:\documents and settings\mark\application data\Malwarebytes

2011-08-30 02:15:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-30 02:15:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-30 02:15:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-30 02:15:50 -------- d-----w- c:\documents and settings\all users.windows\application data\Malwarebytes

2011-08-30 00:01:01 -------- d-sha-r- C:\cmdcons

2011-08-29 23:56:54 98816 ----a-w- c:\windows\sed.exe

2011-08-29 23:56:54 518144 ----a-w- c:\windows\SWREG.exe

2011-08-29 23:56:54 256000 ----a-w- c:\windows\PEV.exe

2011-08-29 23:56:54 208896 ----a-w- c:\windows\MBR.exe

2011-08-10 07:26:00 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-10 07:22:37 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

.

==================== Find3M ====================

.

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-21 18:45:58 832512 ----a-w- c:\windows\system32\wininet.dll

2011-06-21 18:45:57 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-06-21 18:45:57 1830912 ------w- c:\windows\system32\inetcpl.cpl

2011-06-21 18:45:57 17408 ------w- c:\windows\system32\corpol.dll

2011-06-21 11:47:20 389120 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-11 22:59:10 94208 ----a-w- c:\windows\DIIUnin.exe

2011-06-11 22:59:10 2829 ----a-w- c:\windows\DIIUnin.pif

.

============= FINISH: 13:27:42.21 ===============

 

 

 

Attach.txt:

 

 

.

==== Installed Programs ======================

.

7-Zip 4.65

Acrobat.com

Across Canada Trails 5.02 105.02

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 9.4.5

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Assassin's Creed II

avast! Free Antivirus

Bonjour

Borderlands

Definition update for Microsoft Office 2010 (KB982726)

Diablo II

Disciples III

DivX Converter

DivX Plus DirectShow Filters

DivX Setup

DivX Version Checker

Dragon Age: Origins

DVD Flick 1.3.0.7

DVD Suite

EA Download Manager

EasyGPS 2.7.5

EVGA Precision 1.4.0

Fallout 3

Fallout 3 - Unofficial Fallout 3 Patch

Fallout Mod Manager 0.13.21

Fallout Mod Manager 0.9.15

Fallout New Vegas

Fraps

Garmin MapSource

Garmin POI Loader

Garmin Training Center

Garmin USB Drivers

GATES TO AESGAARD - Episode 1

Google Chrome

Google Earth

Google Toolbar for Internet Explorer

Google Update Helper

High Definition Audio Driver Package - KB888111

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB938759)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

Ivellon 1.5 English

IZArc 4.0 beta 1

jZip

Malwarebytes' Anti-Malware

Mass Effect 2

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Games for Windows - LIVE

Microsoft Games for Windows - LIVE Redistributable

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.7

Microsoft National Language Support Downlevel APIs

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Groove MUI (English) 2010

Microsoft Office InfoPath MUI (English) 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Professional Plus 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Word MUI (English) 2010

Microsoft Silverlight

Microsoft Software Update for Web Folders (English) 14

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft WSE 3.0 Runtime

Mirror's Edge™

Morrowind

Mozilla Firefox 4.0.1 (x86 en-US)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6 Service Pack 2 (KB973686)

Nero 7 Essentials

neroxml

NVIDIA Drivers

NVIDIA ForceWare Network Access Manager

NVIDIA nView Desktop Manager

NVIDIA PhysX

Oblivion

Oblivion mod manager 1.1.11

PowerDVD

PowerProducer

ProtectDisc Driver, Version 11

QuickTime

Realtek High Definition Audio Driver

SecurDisc Viewer

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Windows Internet Explorer 7 (KB2183461)

Security Update for Windows Internet Explorer 7 (KB2360131)

Security Update for Windows Internet Explorer 7 (KB2416400)

Security Update for Windows Internet Explorer 7 (KB2482017)

Security Update for Windows Internet Explorer 7 (KB2497640)

Security Update for Windows Internet Explorer 7 (KB2530548)

Security Update for Windows Internet Explorer 7 (KB2544521)

Security Update for Windows Internet Explorer 7 (KB2559049)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB976325)

Security Update for Windows Internet Explorer 7 (KB978207)

Security Update for Windows Internet Explorer 7 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player (KB979402)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2510581)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958215)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960714)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371-v2)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969897)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972260)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974455)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB976325)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981349)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

TES Construction Set

The Sims™ 3

Ubisoft Game Launcher

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 7 (KB980182)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2541763)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Update for Windows XP (KB976749)

VC80CRTRedist - 8.0.50727.4053

Web Games Player Plugin

WebFldrs XP

Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)

Windows Driver Package - Dynastream Innovations (libusb0) LibUsbDevices (07/07/2009 1.12.2)

Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)

Windows Imaging Component

Windows Internet Explorer 7

Windows Live ID Sign-in Assistant

Windows Media Format Runtime

Windows Presentation Foundation

Windows XP Service Pack 3

XML Paper Specification Shared Components Pack 1.0

.

==== End Of File ===========================


Hello El Kabong

 

Will attempt GMER, but the last time I tried (I knew I would be asked for this so I wanted to be prepared), I got a BSOD

It is known to happen from time to time. If you do get a BSOD come back and let me know :)

Hello El Kabong

  • GMER

    • If you are having trouble getting GMER to complete a scan, please run it again, but this time uncheck everything EXCEPT "Sections" and "C:\".
    • If GMER does not produce a log please try running it from Safe Mode.

    • How to use the F8 method to Start Your Computer in Safe Mode

      • Restart your computer.
      • As soon as BIOS is loaded begin tapping the F8 key until the "Advanced Options" menu appears.
      • Use the arrow keys to select the Safe Mode menu item.
      • Press Enter.

    • If GMER in Safe Mode does not work, please try Rootkit Unhooker:

  • Rootkit Unhooker

    • Please download Rootkit Unhooker and save it to your desktop.
    • Now double-click on RKUnhookerLE.exe to run it.
    • Click the Report tab, then click Scan.
    • Check (tick) Drivers, Stealth. Uncheck the rest, then click OK.
    • Wait till the scanner has finished and then click File, Save Report.
    • Save the report somewhere where you can find it. Click Close.

    Copy the entire contents of the report and paste it in your next reply here.

    Note: You may get the following warning, just click OK and continue.

    "Rootkit Unhooker has detected a parasite inside itself!
    It is recommended to remove parasite, okay?"

    I can also see that ComboFix has been run on this machine quite recently.

    While you may see ComboFix being used quite often and without incident, the tool should not be run unsupervised (as stated in the Disclaimer that is first displayed by ComboFix when you run the tool).

    Why we don't ask you to run ComboFix from the onset

    As stated by the author of ComboFix:

    ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

    We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

    With these logs we can determine the infections present & decide whether to deploy ComboFix.

    That being said, the log produced by ComboFix contains important information for us. Kindly post the contents of C:\ComboFix.txt.

    Please provide the ComboFix log and the GMER/Rootkit Unhooker log in your next reply. If you are still having trouble, come back and let me know.


Thanks, JonTom.

Got GMER to work. Log follows, as does the ComboFix log.

GMER:

 

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2011-09-03 18:44:36

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\Mark\LOCALS~1\Temp\pxtdypow.sys

 

 

---- Kernel code sections - GMER 1.0.15 ----

 

.text ntkrnlpa.exe!ZwCallbackReturn + 2F14 805047B0 4 Bytes [E8, 76, 45, AC]

PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64A8 4 Bytes CALL AC435335 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC556 5 Bytes JMP AC4ABD4C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!ObInsertObject 805C2FDA 5 Bytes JMP AC4AD7F2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D117A 7 Bytes JMP AC4B039C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xAEEC4380, 0x3DF545, 0xE8000020]

.text win32k.sys!EngFreeUserMem + 674 BF809962 4 Bytes JMP AC437CA2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngDeleteSurface + 45 BF813956 4 Bytes JMP AC437BAE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngSetLastError + 79A8 BF824309 4 Bytes JMP AC436F34 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngCreateBitmap + F9C BF828C73 4 Bytes JMP AC437E0C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngUnmapFontFileFD + 2C50 BF8316BE 4 Bytes JMP AC438014 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngUnmapFontFileFD + B68E BF83A0FC 5 Bytes JMP AC437B1E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!FONTOBJ_pxoGetXform + 84ED BF8519C5 5 Bytes JMP AC436E70 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!XLATEOBJ_iXlate + 3581 BF85E554 4 Bytes JMP AC437180 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!XLATEOBJ_iXlate + 360C BF85E5DF 5 Bytes JMP AC437326 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngCreatePalette + 88 BF85F852 4 Bytes JMP AC436E58 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngCreatePalette + 5454 BF864C1E 4 Bytes JMP AC437BD8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngGetCurrentCodePage + 411E BF873F63 4 Bytes JMP AC4372FE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngGradientFill + 26EE BF8947C0 4 Bytes JMP AC437D54 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngStretchBltROP + 583 BF895298 4 Bytes JMP AC437F72 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngCopyBits + 4DEC BF89DBD8 4 Bytes JMP AC436FA4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngEraseSurface + A9E0 BF8C2150 5 Bytes JMP AC43703E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngFillPath + 1517 BF8CA5B2 4 Bytes JMP AC4370AE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngFillPath + 1797 BF8CA832 5 Bytes JMP AC4370E8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngDeleteSemaphore + 3B3E BF8EC2A7 4 Bytes JMP AC436D8C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngCreateClip + 19DF BF9133E5 5 Bytes JMP AC436EF0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngCreateClip + 25B3 BF913FB9 4 Bytes JMP AC437008 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngCreateClip + 4F12 BF916918 5 Bytes JMP AC437440 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngPlgBlt + 18FC BF94638A 5 Bytes JMP AC437ECA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text ntdll.dll!LdrLoadDll 7C91632D 5 Bytes [E9, C6, 9E, 84, 83] {JMP 0xffffffff83849ecb}

.text ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes [E9, 2A, 92, 84, 83] {JMP 0xffffffff8384922f}

 

---- User code sections - GMER 1.0.15 ----

 

.text C:\Program Files\AVAST Software\Avast\avastUI.exe[156] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\Program Files\AVAST Software\Avast\avastUI.exe[156] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\ctfmon.exe[472] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A01F8

.text C:\WINDOWS\system32\ctfmon.exe[472] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\ctfmon.exe[472] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A03FC

.text C:\WINDOWS\system32\ctfmon.exe[472] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\ctfmon.exe[472] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014

.text C:\WINDOWS\system32\ctfmon.exe[472] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804

.text C:\WINDOWS\system32\ctfmon.exe[472] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08

.text C:\WINDOWS\system32\ctfmon.exe[472] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C

.text C:\WINDOWS\system32\ctfmon.exe[472] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10

.text C:\WINDOWS\system32\ctfmon.exe[472] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8

.text C:\WINDOWS\system32\ctfmon.exe[472] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC

.text C:\WINDOWS\system32\ctfmon.exe[472] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600

.text C:\WINDOWS\system32\ctfmon.exe[472] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804

.text C:\WINDOWS\system32\ctfmon.exe[472] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08

.text C:\WINDOWS\system32\ctfmon.exe[472] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600

.text C:\WINDOWS\system32\ctfmon.exe[472] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8

.text C:\WINDOWS\system32\ctfmon.exe[472] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC

.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[656] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8

.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[656] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[656] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC

.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[656] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[656] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014

.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[656] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804

.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[656] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08

.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[656] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C

.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[656] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10

.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[656] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8

.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[656] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC

.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[656] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600

.text C:\WINDOWS\System32\smss.exe[660] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\csrss.exe[712] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\winlogon.exe[736] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000701F8

.text C:\WINDOWS\system32\winlogon.exe[736] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\winlogon.exe[736] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000703FC

.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\winlogon.exe[736] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014

.text C:\WINDOWS\system32\winlogon.exe[736] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804

.text C:\WINDOWS\system32\winlogon.exe[736] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08

.text C:\WINDOWS\system32\winlogon.exe[736] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C

.text C:\WINDOWS\system32\winlogon.exe[736] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10

.text C:\WINDOWS\system32\winlogon.exe[736] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8

.text C:\WINDOWS\system32\winlogon.exe[736] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC

.text C:\WINDOWS\system32\winlogon.exe[736] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600

.text C:\WINDOWS\system32\winlogon.exe[736] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804

.text C:\WINDOWS\system32\winlogon.exe[736] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08

.text C:\WINDOWS\system32\winlogon.exe[736] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600

.text C:\WINDOWS\system32\winlogon.exe[736] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8

.text C:\WINDOWS\system32\winlogon.exe[736] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC

.text C:\WINDOWS\system32\services.exe[780] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8

.text C:\WINDOWS\system32\services.exe[780] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\services.exe[780] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC

.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014

.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804

.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08

.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C

.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10

.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8

.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC

.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600

.text C:\WINDOWS\system32\services.exe[780] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804

.text C:\WINDOWS\system32\services.exe[780] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08

.text C:\WINDOWS\system32\services.exe[780] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600

.text C:\WINDOWS\system32\services.exe[780] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8

.text C:\WINDOWS\system32\services.exe[780] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC

.text C:\WINDOWS\system32\lsass.exe[804] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8

.text C:\WINDOWS\system32\lsass.exe[804] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\lsass.exe[804] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC

.text C:\WINDOWS\system32\lsass.exe[804] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014

.text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804

.text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08

.text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C

.text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10

.text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8

.text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC

.text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600

.text C:\WINDOWS\system32\lsass.exe[804] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804

.text C:\WINDOWS\system32\lsass.exe[804] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08

.text C:\WINDOWS\system32\lsass.exe[804] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600

.text C:\WINDOWS\system32\lsass.exe[804] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8

.text C:\WINDOWS\system32\lsass.exe[804] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC

.text C:\WINDOWS\system32\nvsvc32.exe[976] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8

.text C:\WINDOWS\system32\nvsvc32.exe[976] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\nvsvc32.exe[976] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC

.text C:\WINDOWS\system32\nvsvc32.exe[976] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\nvsvc32.exe[976] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804

.text C:\WINDOWS\system32\nvsvc32.exe[976] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08

.text C:\WINDOWS\system32\nvsvc32.exe[976] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600

.text C:\WINDOWS\system32\nvsvc32.exe[976] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8

.text C:\WINDOWS\system32\nvsvc32.exe[976] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC

.text C:\WINDOWS\system32\nvsvc32.exe[976] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014

.text C:\WINDOWS\system32\nvsvc32.exe[976] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804

.text C:\WINDOWS\system32\nvsvc32.exe[976] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08

.text C:\WINDOWS\system32\nvsvc32.exe[976] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C

.text C:\WINDOWS\system32\nvsvc32.exe[976] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10

.text C:\WINDOWS\system32\nvsvc32.exe[976] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8

.text C:\WINDOWS\system32\nvsvc32.exe[976] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC

.text C:\WINDOWS\system32\nvsvc32.exe[976] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600

.text C:\WINDOWS\system32\svchost.exe[1008] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8

.text C:\WINDOWS\system32\svchost.exe[1008] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1008] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC

.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014

.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804

.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08

.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C

.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10

.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8

.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC

.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600

.text C:\WINDOWS\system32\svchost.exe[1008] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804

.text C:\WINDOWS\system32\svchost.exe[1008] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08

.text C:\WINDOWS\system32\svchost.exe[1008] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600

.text C:\WINDOWS\system32\svchost.exe[1008] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8

.text C:\WINDOWS\system32\svchost.exe[1008] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC

.text C:\WINDOWS\system32\svchost.exe[1056] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8

.text C:\WINDOWS\system32\svchost.exe[1056] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1056] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC

.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014

.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804

.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08

.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C

.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10

.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8

.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC

.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600

.text C:\WINDOWS\system32\svchost.exe[1056] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804

.text C:\WINDOWS\system32\svchost.exe[1056] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08

.text C:\WINDOWS\system32\svchost.exe[1056] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600

.text C:\WINDOWS\system32\svchost.exe[1056] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8

.text C:\WINDOWS\system32\svchost.exe[1056] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC

.text C:\WINDOWS\System32\svchost.exe[1156] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8

.text C:\WINDOWS\System32\svchost.exe[1156] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\System32\svchost.exe[1156] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC

.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014

.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804

.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08

.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C

.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10

.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8

.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC

.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600

.text C:\WINDOWS\System32\svchost.exe[1156] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804

.text C:\WINDOWS\System32\svchost.exe[1156] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08

.text C:\WINDOWS\System32\svchost.exe[1156] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600

.text C:\WINDOWS\System32\svchost.exe[1156] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8

.text C:\WINDOWS\System32\svchost.exe[1156] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC

.text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8

.text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC

.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014

.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804

.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08

.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C

.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10

.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8

.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC

.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600

.text C:\WINDOWS\system32\svchost.exe[1248] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804

.text C:\WINDOWS\system32\svchost.exe[1248] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08

.text C:\WINDOWS\system32\svchost.exe[1248] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600

.text C:\WINDOWS\system32\svchost.exe[1248] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8

.text C:\WINDOWS\system32\svchost.exe[1248] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC

.text C:\WINDOWS\system32\svchost.exe[1356] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8

.text C:\WINDOWS\system32\svchost.exe[1356] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1356] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC

.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014

.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804

.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08

.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C

.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10

.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8

.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC

.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600

.text C:\WINDOWS\system32\svchost.exe[1356] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804

.text C:\WINDOWS\system32\svchost.exe[1356] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08

.text C:\WINDOWS\system32\svchost.exe[1356] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600

.text C:\WINDOWS\system32\svchost.exe[1356] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8

.text C:\WINDOWS\system32\svchost.exe[1356] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC

.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1460] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1460] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1460] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\Explorer.EXE[1684] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8

.text C:\WINDOWS\Explorer.EXE[1684] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\Explorer.EXE[1684] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC

.text C:\WINDOWS\Explorer.EXE[1684] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\Explorer.EXE[1684] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014

.text C:\WINDOWS\Explorer.EXE[1684] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804

.text C:\WINDOWS\Explorer.EXE[1684] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08

.text C:\WINDOWS\Explorer.EXE[1684] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C

.text C:\WINDOWS\Explorer.EXE[1684] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10

.text C:\WINDOWS\Explorer.EXE[1684] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8

.text C:\WINDOWS\Explorer.EXE[1684] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC

.text C:\WINDOWS\Explorer.EXE[1684] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600

.text C:\WINDOWS\Explorer.EXE[1684] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804

.text C:\WINDOWS\Explorer.EXE[1684] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08

.text C:\WINDOWS\Explorer.EXE[1684] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600

.text C:\WINDOWS\Explorer.EXE[1684] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8

.text C:\WINDOWS\Explorer.EXE[1684] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC

.text C:\Program Files\Garmin\ANT Agent\ANT Agent.exe[1784] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8

.text C:\Program Files\Garmin\ANT Agent\ANT Agent.exe[1784] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\Program Files\Garmin\ANT Agent\ANT Agent.exe[1784] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC

.text C:\Program Files\Garmin\ANT Agent\ANT Agent.exe[1784] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\Program Files\Garmin\ANT Agent\ANT Agent.exe[1784] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003A1014

.text C:\Program Files\Garmin\ANT Agent\ANT Agent.exe[1784] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003A0804

.text C:\Program Files\Garmin\ANT Agent\ANT Agent.exe[1784] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003A0A08

.text C:\Program Files\Garmin\ANT Agent\ANT Agent.exe[1784] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003A0C0C

.text C:\Program Files\Garmin\ANT Agent\ANT Agent.exe[1784] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003A0E10

.text C:\Program Files\Garmin\ANT Agent\ANT Agent.exe[1784] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003A01F8

.text C:\Program Files\Garmin\ANT Agent\ANT Agent.exe[1784] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003A03FC

.text C:\Program Files\Garmin\ANT Agent\ANT Agent.exe[1784] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003A0600

.text C:\Program Files\Garmin\ANT Agent\ANT Agent.exe[1784] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003B0804

.text C:\Program Files\Garmin\ANT Agent\ANT Agent.exe[1784] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003B0A08

.text C:\Program Files\Garmin\ANT Agent\ANT Agent.exe[1784] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003B0600

.text C:\Program Files\Garmin\ANT Agent\ANT Agent.exe[1784] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003B01F8

.text C:\Program Files\Garmin\ANT Agent\ANT Agent.exe[1784] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003B03FC

.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8

.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC

.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 007D1014

.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 007D0804

.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 007D0A08

.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 007D0C0C

.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 007D0E10

.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 007D01F8

.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 007D03FC

.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 007D0600

.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 007E0804

.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 007E0A08

.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 007E0600

.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 007E01F8

.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 007E03FC

.text C:\WINDOWS\RTHDCPL.EXE[1820] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8

.text C:\WINDOWS\RTHDCPL.EXE[1820] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\RTHDCPL.EXE[1820] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC

.text C:\WINDOWS\RTHDCPL.EXE[1820] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\RTHDCPL.EXE[1820] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00381014

.text C:\WINDOWS\RTHDCPL.EXE[1820] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00380804

.text C:\WINDOWS\RTHDCPL.EXE[1820] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00380A08

.text C:\WINDOWS\RTHDCPL.EXE[1820] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00380C0C

.text C:\WINDOWS\RTHDCPL.EXE[1820] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00380E10

.text C:\WINDOWS\RTHDCPL.EXE[1820] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003801F8

.text C:\WINDOWS\RTHDCPL.EXE[1820] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003803FC

.text C:\WINDOWS\RTHDCPL.EXE[1820] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00380600

.text C:\WINDOWS\RTHDCPL.EXE[1820] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00390804

.text C:\WINDOWS\RTHDCPL.EXE[1820] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390A08

.text C:\WINDOWS\RTHDCPL.EXE[1820] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00390600

.text C:\WINDOWS\RTHDCPL.EXE[1820] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003901F8

.text C:\WINDOWS\RTHDCPL.EXE[1820] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003903FC

.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1828] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8

.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1828] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1828] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC

.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1828] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1828] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014

.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1828] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804

.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1828] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08

.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1828] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C

.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1828] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10

.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1828] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8

.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1828] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC

.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1828] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600

.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1828] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A0804

.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1828] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0A08

.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1828] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A0600

.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1828] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A01F8

.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1828] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A03FC

.text C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe[1856] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A01F8

.text C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe[1856] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe[1856] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A03FC

.text C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe[1856] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe[1856] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804

.text C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe[1856] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08

.text C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe[1856] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600

.text C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe[1856] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8

.text C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe[1856] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC

.text C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe[1856] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014

.text C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe[1856] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804

.text C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe[1856] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08

.text C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe[1856] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C

.text C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe[1856] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10

.text C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe[1856] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8

.text C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe[1856] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC

.text C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe[1856] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600

.text C:\Program Files\Nero\Nero 7\InCD\InCD.exe[1872] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A01F8

.text C:\Program Files\Nero\Nero 7\InCD\InCD.exe[1872] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\Program Files\Nero\Nero 7\InCD\InCD.exe[1872] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A03FC

.text C:\Program Files\Nero\Nero 7\InCD\InCD.exe[1872] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\Program Files\Nero\Nero 7\InCD\InCD.exe[1872] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804

.text C:\Program Files\Nero\Nero 7\InCD\InCD.exe[1872] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08

.text C:\Program Files\Nero\Nero 7\InCD\InCD.exe[1872] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600

.text C:\Program Files\Nero\Nero 7\InCD\InCD.exe[1872] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8

.text C:\Program Files\Nero\Nero 7\InCD\InCD.exe[1872] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC

.text C:\Program Files\Nero\Nero 7\InCD\InCD.exe[1872] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014

.text C:\Program Files\Nero\Nero 7\InCD\InCD.exe[1872] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804

.text C:\Program Files\Nero\Nero 7\InCD\InCD.exe[1872] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08

.text C:\Program Files\Nero\Nero 7\InCD\InCD.exe[1872] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C

.text C:\Program Files\Nero\Nero 7\InCD\InCD.exe[1872] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10

.text C:\Program Files\Nero\Nero 7\InCD\InCD.exe[1872] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8

.text C:\Program Files\Nero\Nero 7\InCD\InCD.exe[1872] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC

.text C:\Program Files\Nero\Nero 7\InCD\InCD.exe[1872] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600

.text C:\WINDOWS\system32\RUNDLL32.EXE[1924] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8

.text C:\WINDOWS\system32\RUNDLL32.EXE[1924] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\RUNDLL32.EXE[1924] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC

.text C:\WINDOWS\system32\RUNDLL32.EXE[1924] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\RUNDLL32.EXE[1924] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002B0804

.text C:\WINDOWS\system32\RUNDLL32.EXE[1924] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002B0A08

.text C:\WINDOWS\system32\RUNDLL32.EXE[1924] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002B0600

.text C:\WINDOWS\system32\RUNDLL32.EXE[1924] USER32.dll!SetWinEventHook


Hello El Kabong

 

Thank you for the log.

 

Let's proceed as follows. If ComboFix is still installed on your machine, please drag it to the Recycle Bin. Once there, empty the bin, then download and run a fresh copy using the instructions provided below:

  • Combofix

    • Download ComboFix from one of the following locations:

      Link 1

      Link 2

    • VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
    • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Posted Image

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image

    • Click on Yes, to continue scanning for malware.
    • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    • Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    • Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
    • Should there be issues with internet afterward:

      In IE: Tools Menu -> Internet Options -> Connections Tab -> Lan Settings -> uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

      In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxy server, set it to No Proxy.

  • Please scan the following files

    • On the page you'll find a "Browse" button.
    • Click on the Browse button.
    • In the Choose File to Upload window which opens, copy and paste this into the File Name box.

    c:\windows\system32\cryptsvc.dll

    • Next, click the Open button.
    • Then click the "Send File" button just below.
    • This will scan the file. Please be patient.
    • If you get a message saying File has already been analyzed: click Reanalyze file now.
    • Once scanned, copy and paste the link to the results page in your next reply.
    • Please repeat this procedure for the following files:

    c:\windows\system32\netman.dll

    c:\windows\system32\srsvc.dll

    Please post the ComboFix log and the links to the Virus Total results pages in your next reply.


Thanks for all this, JonTom.

 

Here are the links and logs... Looked like something was found in cryptsvc?

VirusTotal links:

cryptsvc.dll

http://www.virustotal.com/file-scan/report.html?id=0bcc01d2f40aab7a487f429825cfe987fd4726e6c6e12487b19f2c8da3e951ca-1315155063

 

netman.dll

http://www.virustotal.com/file-scan/report.html?id=39485d369fb2edef241f4996a66b9850ad0de76548ea15e877fed9b6bebaf756-1315154814

 

srsvc.dll

http://www.virustotal.com/file-scan/report.html?id=ba8330cb84ac7749c202b8072a59397fdd9259508af72951266bb84ef3ac79b7-1315154913

ComboFix Log:

 

 

ComboFix 11-09-03.01 - Mark 09/04/2011 11:22:38.3.4 - x86

Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\cryptsvc.dll . . . is infected!!

.

c:\windows\system32\netman.dll . . . is infected!!

.

c:\windows\system32\srsvc.dll . . . is infected!!

.

.

((((((((((((((((((((((((( Files Created from 2011-08-04 to 2011-09-04 )))))))))))))))))))))))))))))))

.

.

2011-09-02 22:45 . 2011-09-02 22:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-31 00:48 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-08-31 00:48 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-08-31 00:48 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-08-31 00:48 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-08-31 00:48 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-08-31 00:48 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-08-31 00:48 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-08-31 00:48 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-08-31 00:47 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr

2011-08-31 00:47 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-08-31 00:47 . 2011-08-31 00:47 -------- d-----w- c:\program files\AVAST Software

2011-08-31 00:47 . 2011-08-31 00:47 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVAST Software

2011-08-30 02:16 . 2011-08-30 02:16 -------- d-----w- c:\documents and settings\Mark\Application Data\Malwarebytes

2011-08-30 02:15 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-30 02:15 . 2011-08-30 02:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-30 02:15 . 2011-08-30 02:15 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes

2011-08-30 02:15 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-10 07:26 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-10 07:22 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-15 13:29 . 2004-08-12 14:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2004-08-12 14:01 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2009-03-14 02:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-21 18:45 . 2004-08-12 14:09 832512 ----a-w- c:\windows\system32\wininet.dll

2011-06-21 18:45 . 2004-08-12 13:58 1830912 ------w- c:\windows\system32\inetcpl.cpl

2011-06-21 18:45 . 2004-08-12 13:58 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-06-21 18:45 . 2004-08-12 13:56 17408 ------w- c:\windows\system32\corpol.dll

2011-06-21 11:47 . 2004-08-12 13:57 389120 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44 . 2004-08-12 14:09 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-11 22:59 . 2011-06-11 22:59 2829 ----a-w- c:\windows\DIIUnin.pif

2011-04-14 16:26 . 2011-06-11 20:10 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

Cryptography Services Error !!

.

((((((((((((((((((((((((((((( SnapShot@2011-08-30_01.59.46 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-08-31 00:50 . 2011-08-31 00:50 24064 c:\windows\Installer\3a4b2d3.msi

+ 2010-09-21 04:07 . 2010-09-21 04:07 70584 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\adobeextractfiles.dll

+ 2011-09-02 22:45 . 2011-09-02 22:45 243360 c:\windows\system32\Macromed\Flash\FlashUtil10w_ActiveX.exe

+ 2011-09-02 22:45 . 2011-09-02 22:45 328864 c:\windows\system32\Macromed\Flash\FlashUtil10w_ActiveX.dll

+ 2010-09-21 04:07 . 2010-09-21 04:07 338856 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\readerupdater.exe

+ 2010-09-21 04:07 . 2010-09-21 04:07 932288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\adobearm.exe

+ 2010-09-21 04:07 . 2010-09-21 04:07 338856 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrobatupdater.exe

+ 2011-06-08 04:39 . 2011-06-08 04:39 19798016 c:\windows\Installer\38383.msp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]

"ANT Agent"="c:\program files\Garmin\ANT Agent\ANT Agent.exe" [2010-05-20 12026216]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-08-31 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-01-29 16859648]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-27 570664]

"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2008-02-18 1629480]

"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2008-02-18 1057064]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"c:\\Program Files\\EA Games\\Mirror's Edge\\Binaries\\MirrorsEdge.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=

"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=

"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=

"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Mass Effect 2\\Binaries\\MassEffect2.exe"=

"c:\\Program Files\\Mass Effect 2\\MassEffect2Launcher.exe"=

"c:\\Program Files\\2K Games\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=

"c:\\Program Files\\Ubisoft\\Assassin's Creed II\\AssassinsCreedIIGame.exe"=

"c:\\Program Files\\Ubisoft\\Assassin's Creed II\\AssassinsCreedII.exe"=

"c:\\Program Files\\Ubisoft\\Assassin's Creed II\\UPlayBrowser.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

.

R0 meika;meika;c:\windows\System32\drivers\ogig.sys [x]

R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2010-02-24 185472]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 135664]

R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [x]

R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 135664]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]

R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-17 691696]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S2 aswFsBlk;aswFsBlk; [x]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - pxtdypow

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

.

2011-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 22:17]

.

2011-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 22:17]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105

LSP: %SYSTEMROOT%\system32\nvappfilter.dll

TCP: DhcpNameServer = 192.168.2.1 192.168.2.1

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\gvk0n3rj.default\

FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cfbef19&v=7.007.026.001&i=23&tp=ab&iy=&ychte=ca&lng=en-US&q=

FF - user.js: yahoo.homepage.dontask - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-04 12:30

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1390067357-1715567821-839522115-1004\Software\SecuROM\License information*]

"datasecu"=hex:ff,36,9c,25,70,b3,59,1f,32,bd,ad,4b,46,78,10,58,0e,73,1e,a5,13,

33,06,e2,82,ea,e7,db,8c,40,a9,70,c8,cf,eb,13,ed,9e,43,74,d6,25,02,98,df,ef,\

"rkeysecu"=hex:82,c3,15,4f,bb,1d,3b,7f,84,f5,53,93,76,d6,d1,ff

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3976)

c:\windows\system32\WININET.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~4\Office14\1033\GrooveIntlResource.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2011-09-04 12:37:59

ComboFix-quarantined-files.txt 2011-09-04 16:37

ComboFix2.txt 2011-09-03 22:54

ComboFix3.txt 2011-08-30 02:08

.

Pre-Run: 219,825,950,720 bytes free

Post-Run: 219,808,321,536 bytes free

.

- - End Of File - - F7C1A362527E0302A0CD2525A779C519


Hello El Kabong

 

Thank you for the log and scan results.

 

Please let me know exactly what the bad image error message actually says in your next post, and also if you have your XP installation disk.

 

 

  • Please download SystemLook by JPShortstuff by clicking here or here and save the file (called SystemLook.exe) to your desktop.
  • Double click SystemLook.exe to run the program.
  • Copy the content of the following codebox into the main textfield:

:filefind
*cryptsvc.dll*
*netman.dll*
*srsvc.dll*

:service
CryptSvc

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt

HI JonTom.

 

I don't have my XP CD handy. However, I will keep looking for it.

 

The EXACT message...

 

The application or DLL C:\WINDOWS\system32\d3d9.dll is not a valid Windows image. Please check this against your installation diskette.

 

The XXXXXXXX.dll part has not always been the same.

 

 

SystemLook log:

 

SystemLook 30.07.11 by jpshortstuff

Log created at 13:57 on 04/09/2011 by Mark

Administrator - Elevation successful

 

========== filefind ==========

 

Searching for "*cryptsvc.dll*"

C:\WINDOWS\$NtServicePackUninstall$\cryptsvc.dll -----c- 60416 bytes [01:32 04/06/2010] [13:56 12/08/2004] 10654F9DDCEA9C46CFB77554231BE73B

C:\WINDOWS\ServicePackFiles\i386\cryptsvc.dll ------- 62464 bytes [00:11 14/04/2008] [00:11 14/04/2008] 3D4E199942E29207970E04315D02AD3B

C:\WINDOWS\system32\cryptsvc.dll --a---- 62464 bytes [13:56 12/08/2004] [00:11 14/04/2008] AFDEAC1C02176AAE1D9E135FE8E360A0

 

Searching for "*netman.dll*"

C:\WINDOWS\$NtServicePackUninstall$\netman.dll -----c- 198144 bytes [01:32 04/06/2010] [14:02 12/08/2004] DAB9E6C7105D2EF49876FE92C524F565

C:\WINDOWS\ServicePackFiles\i386\netman.dll ------- 198144 bytes [00:12 14/04/2008] [00:12 14/04/2008] 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE

C:\WINDOWS\system32\netman.dll --a---- 198144 bytes [14:02 12/08/2004] [00:12 14/04/2008] 16CCED3F6488A8F30ED118F8373FE804

 

Searching for "*srsvc.dll*"

C:\WINDOWS\$NtServicePackUninstall$\srsvc.dll -----c- 170496 bytes [01:32 04/06/2010] [14:06 12/08/2004] 92BDF74F12D6CBEC43C94D4B7F804838

C:\WINDOWS\ServicePackFiles\i386\srsvc.dll ------- 171008 bytes [00:12 14/04/2008] [00:12 14/04/2008] 3805DF0AC4296A34BA4BF93B346CC378

C:\WINDOWS\system32\srsvc.dll --a---- 171008 bytes [02:02 14/03/2009] [00:12 14/04/2008] F1D245D99A0682F4AB15721A07740007

 

========== service ==========

 

CryptSvc

CryptSvc

"Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start."

Current Status: Stopped

Startup Type: Automatic

Error Control: Severe

Binary: C:\WINDOWS\system32\svchost.exe -k netsvcs

Group: (none)

SafeBoot: Minimal Network

Dependencies:

->RpcSs

Dependant Services:

(none)

 

-= EOF =-


Hello El Kabong

 

I don't have my XP CD handy. However, I will keep looking for it.


 

Your CryptSvc is presently stopped. Let's see if we can get it started:

 

Please run the following command:

  • Click on "Start" and then on "Run"
  • Type cmd then press OK or hit Enter.
  • A command prompt will appear.
  • At the command prompt, type or copy/paste the following: NET START CRYPTSVC
  • Hit Enter.
  • Type exit to close the command window.
  • Please post any errors or messages you receive in your next reply.

Hello El Kabong

 

'The Cryptsvc service is starting'

Okay, that's good :)

 

I would like to see another ComboFix log now that Cryptsvc is running. Please run ComboFix as you did before and post the log created in your next reply.

 

Also, please scan the following files with Virus Total using the instructions I provided previously:

 

C:\WINDOWS\$NtServicePackUninstall$\cryptsvc.dll

 

C:\WINDOWS\ServicePackFiles\i386\cryptsvc.dll

 

 

Please post the ComboFix log and the VT result links in your next reply.


Sounds like progress. Fingers crossed.

 

Good news! Found my XP install CD.

 

Here are the links and logs...

 

VirusTotal links:

For C:\WINDOWS\$NtServicePackUninstall$\cryptsvc.dll

http://www.virustotal.com/file-scan/report.html?id=4eeaf6523941228fc440e9ea758545e2f2a2dd98565f90b5351ef2c9b82139ed-1315172744

 

For C:\WINDOWS\ServicePackFiles\i386\cryptsvc.dll

http://www.virustotal.com/file-scan/report.html?id=0825960894cf9c86cc8775bdd2a262948a09ca495aa7fe9f210faf49e7086383-1315172985

 

 

ComboFix log:

 

ComboFix 11-09-03.01 - Mark 09/04/2011 16:36:22.4.4 - x86

Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\cryptsvc.dll . . . is infected!!

.

c:\windows\system32\netman.dll . . . is infected!!

.

c:\windows\system32\srsvc.dll . . . is infected!!

.

.

((((((((((((((((((((((((( Files Created from 2011-08-04 to 2011-09-04 )))))))))))))))))))))))))))))))

.

.

2011-09-02 22:45 . 2011-09-02 22:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-31 00:48 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-08-31 00:48 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-08-31 00:48 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-08-31 00:48 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-08-31 00:48 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-08-31 00:48 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-08-31 00:48 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-08-31 00:48 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-08-31 00:47 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr

2011-08-31 00:47 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-08-31 00:47 . 2011-08-31 00:47 -------- d-----w- c:\program files\AVAST Software

2011-08-31 00:47 . 2011-08-31 00:47 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVAST Software

2011-08-30 02:16 . 2011-08-30 02:16 -------- d-----w- c:\documents and settings\Mark\Application Data\Malwarebytes

2011-08-30 02:15 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-30 02:15 . 2011-08-30 02:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-30 02:15 . 2011-08-30 02:15 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes

2011-08-30 02:15 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-10 07:26 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-10 07:22 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-15 13:29 . 2004-08-12 14:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2004-08-12 14:01 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2009-03-14 02:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-21 18:45 . 2004-08-12 14:09 832512 ----a-w- c:\windows\system32\wininet.dll

2011-06-21 18:45 . 2004-08-12 13:58 1830912 ------w- c:\windows\system32\inetcpl.cpl

2011-06-21 18:45 . 2004-08-12 13:58 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-06-21 18:45 . 2004-08-12 13:56 17408 ------w- c:\windows\system32\corpol.dll

2011-06-21 11:47 . 2004-08-12 13:57 389120 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44 . 2004-08-12 14:09 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-11 22:59 . 2011-06-11 22:59 2829 ----a-w- c:\windows\DIIUnin.pif

2011-04-14 16:26 . 2011-06-11 20:10 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

Cryptography Services Error !!

.

((((((((((((((((((((((((((((( SnapShot@2011-08-30_01.59.46 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-08-31 00:50 . 2011-08-31 00:50 24064 c:\windows\Installer\3a4b2d3.msi

+ 2010-09-21 04:07 . 2010-09-21 04:07 70584 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\adobeextractfiles.dll

+ 2011-09-02 22:45 . 2011-09-02 22:45 243360 c:\windows\system32\Macromed\Flash\FlashUtil10w_ActiveX.exe

+ 2011-09-02 22:45 . 2011-09-02 22:45 328864 c:\windows\system32\Macromed\Flash\FlashUtil10w_ActiveX.dll

+ 2010-09-21 04:07 . 2010-09-21 04:07 338856 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\readerupdater.exe

+ 2010-09-21 04:07 . 2010-09-21 04:07 932288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\adobearm.exe

+ 2010-09-21 04:07 . 2010-09-21 04:07 338856 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrobatupdater.exe

+ 2011-06-08 04:39 . 2011-06-08 04:39 19798016 c:\windows\Installer\38383.msp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]

"ANT Agent"="c:\program files\Garmin\ANT Agent\ANT Agent.exe" [2010-05-20 12026216]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-08-31 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-01-29 16859648]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-27 570664]

"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2008-02-18 1629480]

"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2008-02-18 1057064]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"c:\\Program Files\\EA Games\\Mirror's Edge\\Binaries\\MirrorsEdge.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=

"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=

"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=

"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Mass Effect 2\\Binaries\\MassEffect2.exe"=

"c:\\Program Files\\Mass Effect 2\\MassEffect2Launcher.exe"=

"c:\\Program Files\\2K Games\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=

"c:\\Program Files\\Ubisoft\\Assassin's Creed II\\AssassinsCreedIIGame.exe"=

"c:\\Program Files\\Ubisoft\\Assassin's Creed II\\AssassinsCreedII.exe"=

"c:\\Program Files\\Ubisoft\\Assassin's Creed II\\UPlayBrowser.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

.

R0 meika;meika;c:\windows\System32\drivers\ogig.sys [x]

R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2010-02-24 185472]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 135664]

R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [x]

R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 135664]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]

R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-17 691696]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S2 aswFsBlk;aswFsBlk; [x]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - pxtdypow

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

.

2011-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 22:17]

.

2011-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 22:17]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105

LSP: %SYSTEMROOT%\system32\nvappfilter.dll

TCP: DhcpNameServer = 192.168.2.1 192.168.2.1

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\gvk0n3rj.default\

FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cfbef19&v=7.007.026.001&i=23&tp=ab&iy=&ychte=ca&lng=en-US&q=

FF - user.js: yahoo.homepage.dontask - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-04 17:44

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1390067357-1715567821-839522115-1004\Software\SecuROM\License information*]

"datasecu"=hex:ff,36,9c,25,70,b3,59,1f,32,bd,ad,4b,46,78,10,58,0e,73,1e,a5,13,

33,06,e2,82,ea,e7,db,8c,40,a9,70,c8,cf,eb,13,ed,9e,43,74,d6,25,02,98,df,ef,\

"rkeysecu"=hex:82,c3,15,4f,bb,1d,3b,7f,84,f5,53,93,76,d6,d1,ff

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3884)

c:\windows\system32\WININET.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~4\Office14\1033\GrooveIntlResource.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2011-09-04 17:48:26

ComboFix-quarantined-files.txt 2011-09-04 21:48

ComboFix2.txt 2011-09-04 16:38

ComboFix3.txt 2011-09-03 22:54

ComboFix4.txt 2011-08-30 02:08

.

Pre-Run: 219,770,228,736 bytes free

Post-Run: 219,754,635,264 bytes free

.

- - End Of File - - 9CDF7224AB73C32E58327FBDF3892242


Hello El Kabong

 

I can see that you are using AVAST! as your anti-virus but can also see traces of AVG on your machine too. If you no longer use AVG products let me know and I will provide you with a removal tool later.

 

Let's proceed as follows:

 

Please work through the following steps:

  • Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").

  • NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.

  • Copy and Paste the text in the quotebox below into the open Notepad window:

     

    FCopy::

    C:\WINDOWS\ServicePackFiles\i386\cryptsvc.dll | c:\windows\system32\cryptsvc.dll

     

    File::

    c:\windows\System32\drivers\ogig.sys

     

    Driver::

    meika

     

     

  • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.

  • Close any open browsers.

  • Disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Referring to the picture below, drag CFScript.txt into ComboFix.exe

     

    Posted Image

     

     

  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

  • Once the log is produced, re-engage your resident anti-virus.

Please post the ComboFix log in your next reply.

 

 

 

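The SystemLook check earlier in the thread and the FCopy step above are two halves of one technique: compare the live system32 copy of a DLL against the untouched Service Pack copy in ServicePackFiles\i386, and restore from the reference once the reference itself has been verified. The script below is an added example (not code from the thread, SystemLook or ComboFix) that parses the filefind lines posted above, flags each DLL whose MD5 differs while its size is unchanged, and emits the matching FCopy:: lines; the function names and the "same size, different hash" heuristic are this example's own, and it generalizes the thread's single FCopy line to every flagged file.

```python
"""Parse the ':filefind' section of a SystemLook log and flag system32 DLLs
whose MD5 differs from the installed Service Pack copy in ServicePackFiles\\i386.

Added example, not code from the forum thread, SystemLook or ComboFix. The
function names and the 'same size, different hash' rule are assumptions here.
"""
import re
from collections import defaultdict

# Sample input: constructed from the SystemLook filefind output posted in the thread.
SYSTEMLOOK_FILEFIND = r"""Searching for "*cryptsvc.dll*"
C:\WINDOWS\$NtServicePackUninstall$\cryptsvc.dll -----c- 60416 bytes [01:32 04/06/2010] [13:56 12/08/2004] 10654F9DDCEA9C46CFB77554231BE73B
C:\WINDOWS\ServicePackFiles\i386\cryptsvc.dll ------- 62464 bytes [00:11 14/04/2008] [00:11 14/04/2008] 3D4E199942E29207970E04315D02AD3B
C:\WINDOWS\system32\cryptsvc.dll --a---- 62464 bytes [13:56 12/08/2004] [00:11 14/04/2008] AFDEAC1C02176AAE1D9E135FE8E360A0

Searching for "*netman.dll*"
C:\WINDOWS\$NtServicePackUninstall$\netman.dll -----c- 198144 bytes [01:32 04/06/2010] [14:02 12/08/2004] DAB9E6C7105D2EF49876FE92C524F565
C:\WINDOWS\ServicePackFiles\i386\netman.dll ------- 198144 bytes [00:12 14/04/2008] [00:12 14/04/2008] 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE
C:\WINDOWS\system32\netman.dll --a---- 198144 bytes [14:02 12/08/2004] [00:12 14/04/2008] 16CCED3F6488A8F30ED118F8373FE804

Searching for "*srsvc.dll*"
C:\WINDOWS\$NtServicePackUninstall$\srsvc.dll -----c- 170496 bytes [01:32 04/06/2010] [14:06 12/08/2004] 92BDF74F12D6CBEC43C94D4B7F804838
C:\WINDOWS\ServicePackFiles\i386\srsvc.dll ------- 171008 bytes [00:12 14/04/2008] [00:12 14/04/2008] 3805DF0AC4296A34BA4BF93B346CC378
C:\WINDOWS\system32\srsvc.dll --a---- 171008 bytes [02:02 14/03/2009] [00:12 14/04/2008] F1D245D99A0682F4AB15721A07740007
"""

# One result line: <path> <7 attribute flags> <size> bytes [created] [modified] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Group every matched result line by lower-case file name."""
    found = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # 'Searching for' headers, blanks, section banners
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        entry["md5"] = entry["md5"].upper()
        name = entry["path"].rsplit("\\", 1)[-1].lower()
        found[name].append(entry)
    return dict(found)


def _pick(entries, suffix):
    """Return the entry whose path ends with `suffix` (case-insensitive), or None."""
    return next((e for e in entries if e["path"].lower().endswith(suffix)), None)


def compare_to_reference(found):
    """Compare the live \\system32\\ copy with the ServicePackFiles\\i386 copy.

    Returns {name: (verdict, live_entry, reference_entry)}. The
    $NtServicePackUninstall$ copy is the pre-SP file and is ignored on purpose.
    """
    results = {}
    for name, entries in found.items():
        live = _pick(entries, "\\system32\\" + name)  # excludes system32\dllcache
        ref = _pick(entries, "\\servicepackfiles\\i386\\" + name)
        if live is None or ref is None:
            verdict = "no-reference"
        elif live["md5"] == ref["md5"]:
            verdict = "match"
        elif live["size"] == ref["size"]:
            # Same length, different bytes: consistent with an in-place patch of
            # the DLL. A legitimate hotfix normally changes the size as well.
            verdict = "patched-same-size"
        else:
            verdict = "differs"  # possibly a later hotfix; needs a second look
        results[name] = (verdict, live, ref)
    return results


def cfscript_fcopy(results):
    """Emit the FCopy:: section of a ComboFix CFScript restoring every flagged
    DLL from its ServicePackFiles\\i386 copy.

    The reference copy must be verified first (the thread did this by
    submitting it to VirusTotal before the FCopy step).
    """
    lines = ["FCopy::"]
    for name in sorted(results):
        verdict, live, ref = results[name]
        if verdict in ("patched-same-size", "differs"):
            lines.append(f"{ref['path']} | {live['path']}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_filefind(SYSTEMLOOK_FILEFIND)
    results = compare_to_reference(found)
    for name, (verdict, live, ref) in sorted(results.items()):
        print(f"{name:14} {verdict:18} live={live['md5'] if live else '-'} "
              f"ref={ref['md5'] if ref else '-'}")
    print()
    print(cfscript_fcopy(results))
```

On the thread's data all three DLLs come out as patched-same-size, which is exactly what the next ComboFix run reported as infected.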

Hi JonTom. Yes, I did have AVG installed on this machine for a while. Getting rid of it has proved to be a pain. I would appreciate the help on that as well... eventually :)

 

New Combofix log:

 

 

ComboFix 11-09-03.01 - Mark 09/05/2011 16:55:33.5.4 - x86

Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Mark\Desktop\CFScript.txt

.

FILE ::

"c:\windows\System32\drivers\ogig.sys"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\netman.dll . . . is infected!!

.

c:\windows\system32\srsvc.dll . . . is infected!!

.

.

--------------- FCopy ---------------

.

c:\windows\ServicePackFiles\i386\cryptsvc.dll --> c:\windows\system32\cryptsvc.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_meika

.

.

((((((((((((((((((((((((( Files Created from 2011-08-05 to 2011-09-05 )))))))))))))))))))))))))))))))

.

.

2011-09-02 22:45 . 2011-09-02 22:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-31 00:48 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-08-31 00:48 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-08-31 00:48 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-08-31 00:48 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-08-31 00:48 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-08-31 00:48 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-08-31 00:48 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-08-31 00:48 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-08-31 00:47 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr

2011-08-31 00:47 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-08-31 00:47 . 2011-08-31 00:47 -------- d-----w- c:\program files\AVAST Software

2011-08-31 00:47 . 2011-08-31 00:47 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVAST Software

2011-08-30 02:16 . 2011-08-30 02:16 -------- d-----w- c:\documents and settings\Mark\Application Data\Malwarebytes

2011-08-30 02:15 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-30 02:15 . 2011-08-30 02:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-30 02:15 . 2011-08-30 02:15 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes

2011-08-30 02:15 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-10 07:26 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-10 07:22 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-15 13:29 . 2004-08-12 14:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2004-08-12 14:01 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2009-03-14 02:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-21 18:45 . 2004-08-12 14:09 832512 ----a-w- c:\windows\system32\wininet.dll

2011-06-21 18:45 . 2004-08-12 13:58 1830912 ------w- c:\windows\system32\inetcpl.cpl

2011-06-21 18:45 . 2004-08-12 13:58 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-06-21 18:45 . 2004-08-12 13:56 17408 ------w- c:\windows\system32\corpol.dll

2011-06-21 11:47 . 2004-08-12 13:57 389120 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44 . 2004-08-12 14:09 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-11 22:59 . 2011-06-11 22:59 2829 ----a-w- c:\windows\DIIUnin.pif

2011-04-14 16:26 . 2011-06-11 20:10 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

Cryptography Services Error !!

.

((((((((((((((((((((((((((((( SnapShot@2011-08-30_01.59.46 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-08-31 00:50 . 2011-08-31 00:50 24064 c:\windows\Installer\3a4b2d3.msi

+ 2010-09-21 04:07 . 2010-09-21 04:07 70584 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\adobeextractfiles.dll

+ 2011-09-02 22:45 . 2011-09-02 22:45 243360 c:\windows\system32\Macromed\Flash\FlashUtil10w_ActiveX.exe

+ 2011-09-02 22:45 . 2011-09-02 22:45 328864 c:\windows\system32\Macromed\Flash\FlashUtil10w_ActiveX.dll

+ 2010-09-21 04:07 . 2010-09-21 04:07 338856 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\readerupdater.exe

+ 2010-09-21 04:07 . 2010-09-21 04:07 932288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\adobearm.exe

+ 2010-09-21 04:07 . 2010-09-21 04:07 338856 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrobatupdater.exe

+ 2011-06-08 04:39 . 2011-06-08 04:39 19798016 c:\windows\Installer\38383.msp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]

"ANT Agent"="c:\program files\Garmin\ANT Agent\ANT Agent.exe" [2010-05-20 12026216]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-08-31 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-01-29 16859648]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-27 570664]

"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2008-02-18 1629480]

"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2008-02-18 1057064]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"c:\\Program Files\\EA Games\\Mirror's Edge\\Binaries\\MirrorsEdge.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=

"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=

"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=

"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Mass Effect 2\\Binaries\\MassEffect2.exe"=

"c:\\Program Files\\Mass Effect 2\\MassEffect2Launcher.exe"=

"c:\\Program Files\\2K Games\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=

"c:\\Program Files\\Ubisoft\\Assassin's Creed II\\AssassinsCreedIIGame.exe"=

"c:\\Program Files\\Ubisoft\\Assassin's Creed II\\AssassinsCreedII.exe"=

"c:\\Program Files\\Ubisoft\\Assassin's Creed II\\UPlayBrowser.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

.

R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2010-02-24 185472]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 135664]

R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [x]

R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 135664]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]

R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-17 691696]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S2 aswFsBlk;aswFsBlk; [x]

.

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

.

2011-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 22:17]

.

2011-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 22:17]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105

LSP: %SYSTEMROOT%\system32\nvappfilter.dll

TCP: DhcpNameServer = 192.168.2.1 192.168.2.1

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\gvk0n3rj.default\

FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cfbef19&v=7.007.026.001&i=23&tp=ab&iy=&ychte=ca&lng=en-US&q=

FF - user.js: yahoo.homepage.dontask - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-05 18:12

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

C:\## aswSnx private storage

.

scan completed successfully

hidden files: 1

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1390067357-1715567821-839522115-1004\Software\SecuROM\License information*]

"datasecu"=hex:ff,36,9c,25,70,b3,59,1f,32,bd,ad,4b,46,78,10,58,0e,73,1e,a5,13,

33,06,e2,82,ea,e7,db,8c,40,a9,70,c8,cf,eb,13,ed,9e,43,74,d6,25,02,98,df,ef,\

"rkeysecu"=hex:82,c3,15,4f,bb,1d,3b,7f,84,f5,53,93,76,d6,d1,ff

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3904)

c:\windows\system32\WININET.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~4\Office14\1033\GrooveIntlResource.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\AVAST Software\Avast\AvastSvc.exe

c:\program files\Nero\Nero 7\InCD\InCDsrv.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\RUNDLL32.EXE

.

**************************************************************************

.

Completion time: 2011-09-05 18:19:51 - machine was rebooted

ComboFix-quarantined-files.txt 2011-09-05 22:19

ComboFix2.txt 2011-09-04 21:48

ComboFix3.txt 2011-09-04 16:38

ComboFix4.txt 2011-09-03 22:54

ComboFix5.txt 2011-09-05 20:52

.

Pre-Run: 219,688,271,872 bytes free

Post-Run: 219,518,636,032 bytes free

.

- - End Of File - - AEC31DFDA88BD88732AA01D2D059BEF2


Hello El Kabong

 

Before we continue I would like to see a log from the following tool.

 

Please do not allow the tool to cure/fix anything at the moment, I only want to see the log generated for the time being.

 

 

  • TDSS Killer

  • Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, please select Skip.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt".

    Please copy and paste the contents of that file here.


Hi JonTom,

 

No reboot was required.

 

TDSSKILLER Report:

 

2011/09/06 05:05:35.0281 0540 TDSS rootkit removing tool 2.5.18.0 Sep 5 2011 09:53:09

2011/09/06 05:05:35.0578 0540 ================================================================================

2011/09/06 05:05:35.0578 0540 SystemInfo:

2011/09/06 05:05:35.0578 0540

2011/09/06 05:05:35.0578 0540 OS Version: 5.1.2600 ServicePack: 3.0

2011/09/06 05:05:35.0578 0540 Product type: Workstation

2011/09/06 05:05:35.0578 0540 ComputerName: MARKC

2011/09/06 05:05:35.0578 0540 UserName: Mark

2011/09/06 05:05:35.0578 0540 Windows directory: C:\WINDOWS

2011/09/06 05:05:35.0578 0540 System windows directory: C:\WINDOWS

2011/09/06 05:05:35.0578 0540 Processor architecture: Intel x86

2011/09/06 05:05:35.0578 0540 Number of processors: 4

2011/09/06 05:05:35.0578 0540 Page size: 0x1000

2011/09/06 05:05:35.0578 0540 Boot type: Normal boot

2011/09/06 05:05:35.0578 0540 ================================================================================

2011/09/06 05:05:35.0812 0540 Initialize success

2011/09/06 05:05:39.0468 0988 ================================================================================

2011/09/06 05:05:39.0468 0988 Scan started

2011/09/06 05:05:39.0468 0988 Mode: Manual;

2011/09/06 05:05:39.0468 0988 ================================================================================

2011/09/06 05:05:43.0750 0988 Scan finished

2011/09/06 05:05:43.0750 0988 ================================================================================

2011/09/06 05:05:43.0750 2656 Detected object count: 0

2011/09/06 05:05:43.0750 2656 Actual detected object count: 0


Hello El Kabong

 

The TDSSKiller log is clean.

 

 

It appears that when you ran ComboFix unsupervised, you ran it more than once.

 

I would like to review the very first log that was produced when you ran the tool.

 

 

Please navigate to C:\Qoobox\ComboFix#.txt

 

The "#" symbol will correspond to a number. The log I would like to review will have the earliest date (it may very well be the following 2011-08-30 02:08).

 

Please let me know if you can locate that log and post it in your next reply.


Hi JonTom,

 

This looks like the older log you're looking for.

 

 

Old ComboFix Log:

 

ComboFix 11-08-29.03 - Mark 08/29/2011 20:08:05.1.4 - x86

Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\Install.exe

c:\program files\INSTALL.LOG

c:\program files\Steam\Steam.exe

.

c:\windows\system32\cryptsvc.dll . . . is infected!!

.

c:\windows\system32\netman.dll . . . is infected!!

.

c:\windows\system32\ksuser.dll . . . is infected!! . . .Failed to restore. Attempting to replace on reboot

.

c:\windows\system32\srsvc.dll . . . is infected!!

.

c:\windows\pchealth\helpctr\binaries\pchsvc.dll . . . is infected!!

.

Infected copy of c:\windows\system32\ksuser.dll was found and disinfected

Restored copy from - c:\system volume information\_restore{6DB2D010-E188-48A6-A25F-B6F6112F95C1}\RP6\A0005383.dll

.

((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-30 )))))))))))))))))))))))))))))))

.

.

2011-08-10 07:26 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-10 07:22 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-15 13:29 . 2004-08-12 14:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2004-08-12 14:01 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2009-03-14 02:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-21 18:45 . 2004-08-12 14:09 832512 ----a-w- c:\windows\system32\wininet.dll

2011-06-21 18:45 . 2004-08-12 13:58 1830912 ------w- c:\windows\system32\inetcpl.cpl

2011-06-21 18:45 . 2004-08-12 13:58 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-06-21 18:45 . 2004-08-12 13:56 17408 ------w- c:\windows\system32\corpol.dll

2011-06-21 11:47 . 2004-08-12 13:57 389120 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44 . 2004-08-12 14:09 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-11 22:59 . 2011-06-11 22:59 2829 ----a-w- c:\windows\DIIUnin.pif

2011-06-02 17:53 . 2011-06-02 17:53 94208 ----a-w- c:\windows\system32\dpl100.dll

2011-06-02 14:02 . 2004-08-12 14:09 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-04-14 16:26 . 2011-06-11 20:10 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

Cryptography Services Error !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]

.

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2011-07-26 14:15 2532680 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]

.

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]

.

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

"ANT Agent"="c:\program files\Garmin\ANT Agent\ANT Agent.exe" [2010-05-20 12026216]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-01-29 16859648]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-27 570664]

"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2008-02-18 1629480]

"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2008-02-18 1057064]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"c:\\Program Files\\EA Games\\Mirror's Edge\\Binaries\\MirrorsEdge.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=

"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=

"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Mass Effect 2\\Binaries\\MassEffect2.exe"=

"c:\\Program Files\\Mass Effect 2\\MassEffect2Launcher.exe"=

"c:\\Program Files\\2K Games\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=

"c:\\Program Files\\Ubisoft\\Assassin's Creed II\\AssassinsCreedIIGame.exe"=

"c:\\Program Files\\Ubisoft\\Assassin's Creed II\\AssassinsCreedII.exe"=

"c:\\Program Files\\Ubisoft\\Assassin's Creed II\\UPlayBrowser.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=

.

R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2010-02-24 185472]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-04-18 7398752]

R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2011-02-08 269520]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 135664]

R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [x]

R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [2011-07-26 1025352]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-04-15 134480]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-02-10 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-02-10 27216]

R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 135664]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]

S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-02-22 22992]

S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-03-16 32592]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-17 691696]

S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-01-07 248656]

S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-04-05 297168]

.

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

.

2011-08-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 22:17]

.

2011-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 22:17]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105

LSP: %SYSTEMROOT%\system32\nvappfilter.dll

TCP: DhcpNameServer = 192.168.2.1 192.168.2.1

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\gvk0n3rj.default\

FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cfbef19&v=7.007.026.001&i=23&tp=ab&iy=&ychte=ca&lng=en-US&q=

FF - user.js: yahoo.homepage.dontask - true

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-Steam - c:\program files\Steam\Steam.exe

SafeBoot-Wdf01000.sys

AddRemove-Steam App 500 - c:\program files\Steam\steam.exe

AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-29 22:00

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1390067357-1715567821-839522115-1004\Software\SecuROM\License information*]

"datasecu"=hex:ff,36,9c,25,70,b3,59,1f,32,bd,ad,4b,46,78,10,58,0e,73,1e,a5,13,

33,06,e2,82,ea,e7,db,8c,40,a9,70,c8,cf,eb,13,ed,9e,43,74,d6,25,02,98,df,ef,\

"rkeysecu"=hex:82,c3,15,4f,bb,1d,3b,7f,84,f5,53,93,76,d6,d1,ff

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3120)

c:\windows\system32\WININET.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~4\Office14\1033\GrooveIntlResource.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\progra~1\AVG\AVG10\avgchsvx.exe

c:\progra~1\AVG\AVG10\avgrsx.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Nero\Nero 7\InCD\InCDsrv.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\RUNDLL32.EXE

c:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2011-08-29 22:08:40 - machine was rebooted

ComboFix-quarantined-files.txt 2011-08-30 02:08

.

Pre-Run: 207,370,731,520 bytes free

Post-Run: 213,285,609,472 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

.

- - End Of File - - D2B1F4D5222571EED18D9AE3ACD844C3


Hello El Kabong

 

Thank you for retrieving that first ComboFix log.

 

Your system is certainly having its fair share of problems. Do you use the program "steam" at all? The reason I ask is that it appears it may have been mistakenly removed from your machine as a result of a false positive detection. If you do use it let me know and we can try and get it back for you.

 

Let's continue as follows:

 

 

  • Please run the following command

     

     

    • Click on "Start" and then on "Run"
    • Type cmd then press OK or hit Enter.
    • A command prompt will appear.
    • At the command prompt, type or copy/paste the following: NET START CRYPTSVC
    • Hit Enter.
    • Type exit to close the command window.
    • Please post any errors or messages you receive in your next reply.

  • Please work through the following steps

     

     

    • Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").
    • NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
    • Copy and Paste the text in the quotebox below into the open Notepad window:

       

      FCopy::

      C:\WINDOWS\ServicePackFiles\i386\netman.dll | C:\WINDOWS\system32\netman.dll

      C:\WINDOWS\ServicePackFiles\i386\srsvc.dll | C:\WINDOWS\system32\srsvc.dll

       

       

    • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
    • Close any open browsers.
    • Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Referring to the picture below, drag CFScript.txt into ComboFix.exe

       

      [image not available: CFScript.txt being dragged onto ComboFix.exe]

       

    • If ComboFix informs you that an update is available, allow it to install.
    • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
    • Once the log is produced, re-engage your resident anti virus.

    Please post the ComboFix log in your next reply.

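As an added check that is not part of JonTom's instructions and is not a ComboFix feature: once the FCopy step above has run, this PowerShell snippet compares the restored system32 copies of netman.dll and srsvc.dll with the Service Pack cache copies (the same paths the CFScript names) by SHA-256, reports each file's Authenticode signature status, and confirms whether Cryptographic Services (CryptSvc, the service the NET START step starts) is running and set to start automatically. It assumes PowerShell is installed on the machine; the hashing is done through .NET so it works on the PowerShell 2.0 that XP can run.

```powershell
# Added example, not part of the thread's instructions: verify the FCopy result
# and the CryptSvc state. Paths are the ones named in the CFScript above.
$pairs = @(
    @{ Source = "$env:SystemRoot\ServicePackFiles\i386\netman.dll"; Target = "$env:SystemRoot\system32\netman.dll" },
    @{ Source = "$env:SystemRoot\ServicePackFiles\i386\srsvc.dll";  Target = "$env:SystemRoot\system32\srsvc.dll" }
)

# SHA-256 via .NET so it works on PowerShell 2.0 (Get-FileHash only exists in newer versions).
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $hash = $sha.ComputeHash($fs) }
    finally { $fs.Close() }
    return ([System.BitConverter]::ToString($hash)).Replace('-', '')
}

foreach ($p in $pairs) {
    if (-not (Test-Path $p.Source)) { Write-Output ("MISSING source: " + $p.Source); continue }
    if (-not (Test-Path $p.Target)) { Write-Output ("MISSING target: " + $p.Target); continue }

    $same = (Get-Sha256Hex $p.Source) -eq (Get-Sha256Hex $p.Target)
    # The Authenticode check itself depends on CryptSvc; a failure here is a useful signal too.
    $sig  = (Get-AuthenticodeSignature -FilePath $p.Target).Status
    if ($same) { $state = "matches Service Pack copy" } else { $state = "DIFFERS from Service Pack copy" }
    Write-Output ("{0}: {1}; signature: {2}" -f $p.Target, $state, $sig)
}

# NET START CRYPTSVC starts the service once; this shows whether it is running now and
# whether it is set to start automatically, so the fix survives the next reboot.
$svc = Get-Service -Name CryptSvc -ErrorAction SilentlyContinue
if ($svc -eq $null) {
    Write-Output "CryptSvc: service not registered"
} else {
    $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='CryptSvc'").StartMode
    Write-Output ("CryptSvc: {0} (start mode: {1})" -f $svc.Status, $mode)
}
```

Run it from an administrator session after the ComboFix pass completes. A "DIFFERS" line means the copy did not take and the FCopy step should be repeated; a CryptSvc status other than Running, or a start mode other than Auto, means the service will need attention again after a reboot, which would also explain the "Cryptography Services Error" line in the Sigcheck section of the log.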

Hi JonTom.

 

I do in fact use Steam. It would be great to recover it at some point, thank you. I had thought to simply re-install it... after. lol

 

Starting cryptsvc went off without a problem. No errors or messages.

 

 

Here is the Combofix log:

 

ComboFix 11-09-07.04 - Mark 09/07/2011 19:36:28.6.4 - x86

Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Mark\Desktop\CFScript.txt

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

--------------- FCopy ---------------

.

c:\windows\ServicePackFiles\i386\netman.dll --> c:\windows\system32\netman.dll

c:\windows\ServicePackFiles\i386\srsvc.dll --> c:\windows\system32\srsvc.dll

.

((((((((((((((((((((((((( Files Created from 2011-08-08 to 2011-09-08 )))))))))))))))))))))))))))))))

.

.

2011-09-02 22:45 . 2011-09-02 22:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-31 00:48 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-08-31 00:48 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-08-31 00:48 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-08-31 00:48 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-08-31 00:48 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-08-31 00:48 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-08-31 00:48 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-08-31 00:48 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-08-31 00:47 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr

2011-08-31 00:47 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-08-31 00:47 . 2011-08-31 00:47 -------- d-----w- c:\program files\AVAST Software

2011-08-31 00:47 . 2011-08-31 00:47 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVAST Software

2011-08-30 02:16 . 2011-08-30 02:16 -------- d-----w- c:\documents and settings\Mark\Application Data\Malwarebytes

2011-08-30 02:15 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-30 02:15 . 2011-08-30 02:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-30 02:15 . 2011-08-30 02:15 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes

2011-08-30 02:15 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-10 07:26 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-10 07:22 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-15 13:29 . 2004-08-12 14:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2004-08-12 14:01 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2009-03-14 02:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-21 18:45 . 2004-08-12 14:09 832512 ----a-w- c:\windows\system32\wininet.dll

2011-06-21 18:45 . 2004-08-12 13:58 1830912 ------w- c:\windows\system32\inetcpl.cpl

2011-06-21 18:45 . 2004-08-12 13:58 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-06-21 18:45 . 2004-08-12 13:56 17408 ------w- c:\windows\system32\corpol.dll

2011-06-21 11:47 . 2004-08-12 13:57 389120 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44 . 2004-08-12 14:09 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-11 22:59 . 2011-06-11 22:59 2829 ----a-w- c:\windows\DIIUnin.pif

2011-04-14 16:26 . 2011-06-11 20:10 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

Cryptography Services Error !!

.

((((((((((((((((((((((((((((( SnapShot@2011-08-30_01.59.46 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-08-31 00:50 . 2011-08-31 00:50 24064 c:\windows\Installer\3a4b2d3.msi

+ 2010-09-21 04:07 . 2010-09-21 04:07 70584 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\adobeextractfiles.dll

+ 2011-09-02 22:45 . 2011-09-02 22:45 243360 c:\windows\system32\Macromed\Flash\FlashUtil10w_ActiveX.exe

+ 2011-09-02 22:45 . 2011-09-02 22:45 328864 c:\windows\system32\Macromed\Flash\FlashUtil10w_ActiveX.dll

+ 2010-09-21 04:07 . 2010-09-21 04:07 338856 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\readerupdater.exe

+ 2010-09-21 04:07 . 2010-09-21 04:07 932288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\adobearm.exe

+ 2010-09-21 04:07 . 2010-09-21 04:07 338856 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrobatupdater.exe

+ 2011-06-08 04:39 . 2011-06-08 04:39 19798016 c:\windows\Installer\38383.msp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]

"ANT Agent"="c:\program files\Garmin\ANT Agent\ANT Agent.exe" [2010-05-20 12026216]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-08-31 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-01-29 16859648]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-27 570664]

"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2008-02-18 1629480]

"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2008-02-18 1057064]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"c:\\Program Files\\EA Games\\Mirror's Edge\\Binaries\\MirrorsEdge.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=

"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=

"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=

"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Mass Effect 2\\Binaries\\MassEffect2.exe"=

"c:\\Program Files\\Mass Effect 2\\MassEffect2Launcher.exe"=

"c:\\Program Files\\2K Games\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=

"c:\\Program Files\\Ubisoft\\Assassin's Creed II\\AssassinsCreedIIGame.exe"=

"c:\\Program Files\\Ubisoft\\Assassin's Creed II\\AssassinsCreedII.exe"=

"c:\\Program Files\\Ubisoft\\Assassin's Creed II\\UPlayBrowser.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

.

R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2010-02-24 185472]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 135664]

R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [x]

R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 135664]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]

R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-17 691696]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S2 aswFsBlk;aswFsBlk; [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - 34178558

*Deregistered* - 34178558

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

.

2011-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 22:17]

.

2011-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 22:17]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105

LSP: %SYSTEMROOT%\system32\nvappfilter.dll

TCP: DhcpNameServer = 192.168.2.1 192.168.2.1

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\gvk0n3rj.default\

FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cfbef19&v=7.007.026.001&i=23&tp=ab&iy=&ychte=ca&lng=en-US&q=

FF - user.js: yahoo.homepage.dontask - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-07 20:42

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

C:\## aswSnx private storage

.

scan completed successfully

hidden files: 1

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1390067357-1715567821-839522115-1004\Software\SecuROM\License information*]

"datasecu"=hex:ff,36,9c,25,70,b3,59,1f,32,bd,ad,4b,46,78,10,58,0e,73,1e,a5,13,

33,06,e2,82,ea,e7,db,8c,40,a9,70,c8,cf,eb,13,ed,9e,43,74,d6,25,02,98,df,ef,\

"rkeysecu"=hex:82,c3,15,4f,bb,1d,3b,7f,84,f5,53,93,76,d6,d1,ff

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3672)

c:\windows\system32\WININET.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~4\Office14\1033\GrooveIntlResource.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2011-09-07 20:46:23

ComboFix-quarantined-files.txt 2011-09-08 00:46

ComboFix2.txt 2011-09-05 22:19

ComboFix3.txt 2011-09-04 21:48

ComboFix4.txt 2011-09-04 16:38

ComboFix5.txt 2011-09-07 23:33

.

Pre-Run: 219,249,684,480 bytes free

Post-Run: 219,272,200,192 bytes free

.

- - End Of File - - 7A9E198DFF5E6785CF37513E8887FFBF


Hello El Kabong

 

I do in fact use Steam

Let's see if we can find it and get it restored.

 

Please navigate to the following location and post the log in your next reply.

 

C:\Qoobox\ComboFix-quarantined-files.txt


Hi JonTom.

 

 

Here is the ComboFix quarantined log:

 

2011-09-05 21:06:11 . 2011-09-05 21:06:11 1,010 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_meika.reg.dat

2011-09-05 20:55:05 . 2011-09-07 23:35:57 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt

2011-09-01 01:44:32 . 2011-09-01 01:44:32 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat

2011-08-30 02:08:11 . 2011-08-30 02:08:11 1,174 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{7B63B2922B174135AFC0E1377DD81EC2}.reg.dat

2011-08-30 02:08:11 . 2011-08-30 02:08:11 1,166 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Steam App 500.reg.dat

2011-08-30 02:08:03 . 2011-08-30 02:08:03 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-Wdf01000.sys.reg.dat

2011-08-30 02:07:57 . 2011-08-30 02:07:57 79 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Steam.reg.dat

2011-08-30 00:11:39 . 2011-09-07 23:48:13 5,930 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2011-08-29 23:56:46 . 2011-09-07 23:33:16 408 ----a-w- C:\Qoobox\Quarantine\catchme.log

2009-09-14 16:57:44 . 2011-08-13 22:48:23 1,242,448 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Steam\Steam.exe.vir

2009-03-14 02:10:33 . 2008-04-14 00:11:56 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ksuser.dll.vir

2009-03-14 02:02:06 . 2008-04-14 00:12:07 171,008 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\srsvc.dll.vir

2009-03-13 10:14:53 . 2009-03-14 02:54:42 1,334 ----a-w- C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir

2007-11-07 12:03:18 . 2007-11-07 12:03:18 562,688 ----a-w- C:\Qoobox\Quarantine\C\Install.exe.vir

2004-08-12 14:02:01 . 2008-04-14 00:12:01 198,144 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\netman.dll.vir

2004-08-12 13:56:36 . 2008-04-14 00:11:51 62,464 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cryptsvc.dll.vir


This topic is now closed to further replies.