Everything posted by warehouse

  1. Done and done. Can't find anything wrong with my PC currently and hope it stays that way. Kenny, thank you again for your awesome help.
  2. Woot. So far so good with no further issues.

     ComboFix 11-04-26.01 - Vamos Rafa 04/26/2011 21:37:24.15.4 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1591 [GMT -4:00]
     Running from: c:\documents and settings\Vamos Rafa\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Vamos Rafa\Desktop\CFScript.txt
     AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     c:\documents and settings\Vamos Rafa\Application Data\3027DCEB6FF29DEB4472D78FD4EFABF5
     .
     .
     ((((((((((((((((((((((((( Files Created from 2011-03-27 to 2011-04-27 )))))))))))))))))))))))))))))))
     .
     .
     2011-04-24 21:26 . 2011-04-24 21:26 122815660 ----a-w- C:\registrybackup.reg
     2011-04-24 20:47 . 2011-04-24 20:47 -------- d-----w- c:\documents and settings\Vamos Rafa\Application Data\BDL+P
     2011-04-24 20:43 . 2011-04-26 05:04 -------- d-----w- C:\liquid
     2011-04-24 20:33 . 2011-04-24 20:33 218688 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
     2011-04-24 20:33 . 2011-04-24 20:33 -------- d-----w- c:\program files\DAEMON Tools Lite
     2011-04-24 20:33 . 2011-04-24 20:35 -------- d-----w- c:\documents and settings\Vamos Rafa\Application Data\DAEMON Tools Lite
     2011-04-24 20:33 . 2011-04-24 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
     2011-04-20 07:32 . 2011-04-20 07:32 -------- d-----w- c:\documents and settings\Vamos Rafa\Application Data\Avira
     2011-04-20 02:57 . 2011-03-04 20:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
     2011-04-20 02:57 . 2011-03-04 18:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
     2011-04-20 02:57 . 2010-06-17 18:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
     2011-04-20 02:57 . 2010-06-17 18:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
     2011-04-20 02:57 . 2011-04-20 02:57 -------- d-----w- c:\program files\Avira
     2011-04-20 02:57 . 2011-04-20 02:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
     2011-04-19 03:40 . 2011-03-02 10:43 175616 ----a-w- c:\windows\system32\unrar.dll
     2011-04-19 03:40 . 2011-04-19 03:40 -------- d-----w- c:\program files\K-Lite Codec Pack
     2011-04-18 05:05 . 2011-04-18 05:05 -------- d-s---w- c:\documents and settings\NetworkService\UserData
     2011-04-18 04:55 . 2011-04-26 06:21 0 ----a-w- c:\windows\Ssexohoqusi.bin
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2011-03-07 05:33 . 2008-03-20 16:32 692736 ----a-w- c:\windows\system32\inetcomm.dll
     2011-03-04 06:45 . 2004-08-04 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll
     2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
     2011-02-17 13:51 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
     2011-02-17 13:51 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
     2011-02-17 13:51 . 2004-08-04 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
     2011-02-17 13:18 . 2004-08-04 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
     2011-02-17 13:18 . 2004-08-04 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
     2011-02-17 12:37 . 2004-08-04 12:00 369664 ----a-w- c:\windows\system32\html.iec
     2011-02-17 12:32 . 2009-04-17 06:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
     2011-02-15 12:56 . 2004-08-04 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
     2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
     2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
     2011-02-08 13:33 . 2004-08-04 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
     2011-02-08 13:33 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
     2011-02-03 01:40 . 2010-04-26 00:21 472808 ----a-w- c:\windows\system32\deployJava1.dll
     2011-02-02 23:19 . 2009-12-11 22:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
     2011-02-02 07:58 . 2008-03-20 16:30 2067456 ----a-w- c:\windows\system32\mstscax.dll
     2011-01-27 11:57 . 2008-03-20 16:30 677888 ----a-w- c:\windows\system32\mstsc.exe
     2008-04-08 17:46 . 2008-04-08 17:46 1292 ----a-w- c:\program files\ffdsasetts.reg
     2008-04-08 17:46 . 2008-04-08 17:44 680 ----a-w- c:\program files\mpc2.reg
     2008-04-08 17:46 . 2008-04-08 17:44 596 ----a-w- c:\program files\mpc1.reg
     2008-04-08 17:46 . 2008-04-08 17:44 4608 ----a-w- c:\program files\mpc4.reg
     2008-04-08 17:46 . 2008-04-08 17:44 3476 ----a-w- c:\program files\mpc7.reg
     2008-04-08 17:46 . 2008-04-08 17:44 3026 ----a-w- c:\program files\mpc3.reg
     2008-04-08 17:46 . 2008-04-08 17:44 27260 ----a-w- c:\program files\ffdssetts.reg
     2008-04-08 17:46 . 2008-04-08 17:44 24316 ----a-w- c:\program files\ffdsvsetts.reg
     2008-04-08 17:46 . 2008-04-08 17:44 18156 ----a-w- c:\program files\mpc6.reg
     2008-04-08 17:46 . 2008-04-08 17:44 16486 ----a-w- c:\program files\mpc5.reg
     2008-02-14 22:23 . 2008-02-14 22:23 231944 ----a-w- c:\program files\gwflash.exe
     2007-09-22 03:42 . 2007-09-22 03:42 19008 ----a-w- c:\program files\markfun.a64
     2007-08-22 03:49 . 2007-08-22 03:49 17912 ----a-w- c:\program files\markfun.w32
     2007-03-02 12:48 . 2007-03-02 12:48 240448 ----a-w- c:\program files\gwf32.exe
     2006-11-24 07:47 . 2006-11-24 07:47 207680 ----a-w- c:\program files\BIOS_Run.exe
     2005-04-28 03:40 . 2005-04-28 03:40 6800 ----a-w- c:\program files\W95_HUA.vxd
     2011-03-18 17:53 . 2011-03-24 05:58 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]
     "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
     "nwiz"="nwiz.exe" [2009-03-28 1657376]
     "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13684736]
     "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 86016]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
     "InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
     "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
     "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
     "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
     .
     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-4-23 6144]
     .
     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
     2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
     @=""
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
     @=""
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "DisableNotifications"= 1 (0x1)
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\EA Games\\Ultima Online 2D Client\\client.exe"=
     "c:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=
     "c:\\Program Files\\GIGABYTE\\@BIOS\\update.exe"=
     "c:\\Program Files\\gwflash.exe"=
     "c:\\WINDOWS\\system32\\dxdiag.exe"=
     "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
     "c:\\Program Files\\AIM6\\aim6.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
     "c:\\Program Files\\GIGABYTE\\@BIOS\\BIOS_Run.exe"=
     "c:\\Documents and Settings\\Vamos Rafa\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
     "c:\\Documents and Settings\\Vamos Rafa\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
     "c:\\ijji\\ENGLISH\\u_gunz.exe"=
     "c:\\ijji\\ENGLISH\\Gunz\\Gunz.exe"=
     "c:\\Program Files\\FlashGet\\flashget.exe"=
     "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
     "c:\\Program Files\\ijji\\ijji REACTOR\\REACTOR.exe"=
     "c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
     "c:\\Program Files\\Razer\\DeathAdder\\razertra.exe"=
     "c:\\Program Files\\Razer\\DeathAdder\\razerofa.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
     "c:\\Program Files\\Steam\\Steam.exe"=
     "c:\\Program Files\\Steam\\steamapps\\jameshieu@yahoo.com\\counter-strike\\hl.exe"=
     "c:\\Program Files\\Steam\\steamapps\\jameshieu@yahoo.com\\dark messiah might and magic multi-player\\mm.exe"=
     "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
     "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
     "c:\\Program Files\\Kodak\\PACS\\uvapa\\mv_client\\LoaderExe.exe"=
     "c:\\Program Files\\Kodak\\PACS\\uvapa\\mv_client\\mp.exe"=
     "c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
     "c:\\Program Files\\StarCraft II\\Versions\\Base17326\\SC2.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\StarCraft II\\Versions\\Base18092\\SC2.exe"=
     .
     R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [4/24/2011 4:33 PM 218688]
     R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 10:24 PM 9968]
     R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 10:24 PM 74480]
     R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/19/2011 10:57 PM 135336]
     R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [3/20/2008 3:15 PM 22784]
     R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [3/20/2008 3:13 PM 651712]
     S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys --> c:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]
     S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
     S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
     S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys --> c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
     S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys --> c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
     S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys --> c:\windows\system32\DRIVERS\AVGIDSShim.Sys [?]
     S3 cpuz129;cpuz129;\??\c:\docume~1\VAMOSR~1\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\VAMOSR~1\LOCALS~1\Temp\cpuz_x32.sys [?]
     S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [1/21/2009 2:21 AM 10744]
     S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
     S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 10:24 PM 7408]
     S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
     S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [9/4/2008 3:53 PM 33400]
     S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/21/2008 2:48 AM 715248]
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2011-04-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1292428093-725345543-1003Core1cbff877ea096b4.job
     - c:\documents and settings\Vamos Rafa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-28 01:54]
     .
     2011-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1292428093-725345543-1003UA.job
     - c:\documents and settings\Vamos Rafa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-28 01:54]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com
     uInternet Settings,ProxyOverride = *.local
     IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
     IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     DPF: {8E49176D-5B2E-4391-AA56-212161D660DE} - hxxp://pacs.hscs.virginia.edu/plugin/JavaSettings.exe
     FF - ProfilePath - c:\documents and settings\Vamos Rafa\Application Data\Mozilla\Firefox\Profiles\6320ji3r.default\
     FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
     FF - prefs.js: network.proxy.type - 0
     .
     .
     **************************************************************************
     .
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2011-04-26 21:45
     Windows 5.1.2600 Service Pack 3 NTFS
     .
     scanning hidden processes ...
     .
     scanning hidden autostart entries ...
     .
     scanning hidden files ...
     .
     scan completed successfully
     hidden files: 0
     .
     **************************************************************************
     .
     [HKEY_LOCAL_MACHINE\System\controlset004\Services\npggsvc]
     "ImagePath"="c:\windows\system32\GameMon.des -service"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     .
     - - - - - - - > 'winlogon.exe'(1008)
     c:\program files\SUPERAntiSpyware\SASWINLO.dll
     .
     - - - - - - - > 'explorer.exe'(8000)
     c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
     c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
     c:\program files\Avira\AntiVir Desktop\avguard.exe
     c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
     c:\program files\Bonjour\mDNSResponder.exe
     c:\program files\Cisco Systems\VPN Client\cvpnd.exe
     c:\program files\Avira\AntiVir Desktop\avshadow.exe
     c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
     c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
     c:\windows\system32\nvsvc32.exe
     c:\windows\system32\PnkBstrA.exe
     c:\windows\system32\PnkBstrB.exe
     c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
     c:\program files\Razer\DeathAdder\razertra.exe
     c:\program files\Razer\DeathAdder\razerofa.exe
     c:\windows\system32\RUNDLL32.EXE
     c:\program files\iPod\bin\iPodService.exe
     .
     **************************************************************************
     .
     Completion time: 2011-04-26 21:49:13 - machine was rebooted
     ComboFix-quarantined-files.txt 2011-04-27 01:49
     ComboFix2.txt 2011-04-26 21:18
     ComboFix3.txt 2011-04-22 17:55
     .
     Pre-Run: 92,119,138,304 bytes free
     Post-Run: 92,119,826,432 bytes free
     .
     Current=4 Default=4 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
     - - End Of File - - 7380E01DF97FA0C05A2265A408E4A3DD
  3. Nice! Looks like Combofix found it this time around and took care of the file. The Windows security alert is gone, I can no longer elicit any redirects in Google, and I can access the Windows Update site as usual. Hope everything is clean for the time being. Thanks again!

     Virus Total

     0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware.
     0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
     File name: edejufan.dll
     Submission date: 2011-04-26 20:54:04 (UTC)
     Current status: finished
     Result: 2/ 41 (4.9%)
     VT Community not reviewed
     Safety score: -

     Antivirus Version Last Update Result
     AhnLab-V3 2011.04.27.00 2011.04.26 -
     AntiVir 7.11.7.7 2011.04.25 -
     Antiy-AVL 2.0.3.7 2011.04.26 -
     Avast 4.8.1351.0 2011.04.26 -
     Avast5 5.0.677.0 2011.04.26 -
     AVG 10.0.0.1190 2011.04.26 -
     BitDefender 7.2 2011.04.26 -
     CAT-QuickHeal 11.00 2011.04.26 -
     ClamAV 0.97.0.0 2011.04.26 -
     Commtouch 5.3.2.6 2011.04.26 -
     Comodo 8486 2011.04.26 MalCrypt.Indus!
     DrWeb 5.0.2.03300 2011.04.26 -
     eSafe 7.0.17.0 2011.04.26 -
     eTrust-Vet 36.1.8293 2011.04.26 -
     F-Prot 4.6.2.117 2011.04.26 -
     F-Secure 9.0.16440.0 2011.04.26 -
     Fortinet 4.2.257.0 2011.04.26 -
     GData 22 2011.04.26 -
     Ikarus T3.1.1.103.0 2011.04.26 -
     Jiangmin 13.0.900 2011.04.26 -
     K7AntiVirus 9.98.4485 2011.04.26 -
     Kaspersky 9.0.0.837 2011.04.26 -
     McAfee 5.400.0.1158 2011.04.26 -
     McAfee-GW-Edition 2010.1D 2011.04.26 -
     Microsoft 1.6802 2011.04.26 Trojan:Win32/Podjot.A
     NOD32 6073 2011.04.26 -
     Norman 6.07.07 2011.04.26 -
     Panda 10.0.3.5 2011.04.26 -
     PCTools 7.0.3.5 2011.04.21 -
     Prevx 3.0 2011.04.26 -
     Rising 23.55.01.05 2011.04.26 -
     Sophos 4.64.0 2011.04.26 -
     SUPERAntiSpyware 4.40.0.1006 2011.04.26 -
     Symantec 20101.3.2.89 2011.04.26 -
     TheHacker 6.7.0.1.183 2011.04.26 -
     TrendMicro 9.200.0.1012 2011.04.26 -
     TrendMicro-HouseCall 9.200.0.1012 2011.04.26 -
     VBA32 3.12.16.0 2011.04.26 -
     VIPRE 9128 2011.04.26 -
     ViRobot 2011.4.26.4431 2011.04.26 -
     VirusBuster 13.6.322.0 2011.04.26 -

     Additional information
     MD5 : 8f02810637ee8f0b6a79766544c730e1
     SHA1 : 6e2d19681afec8b718ed50d126476e84697b5f0a
     SHA256: d6579bb8d3e8cbc96534f35b02d16625fb355d928e4d4136d45966e27a84dad9

     Combofix

     ComboFix 11-04-26.01 - Vamos Rafa 04/26/2011 17:12:35.14.4 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1626 [GMT -4:00]
     Running from: c:\documents and settings\Vamos Rafa\Desktop\ComboFix.exe
     AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     c:\documents and settings\Vamos Rafa\Local Settings\Application Data\{EBE0C481-C961-4996-886D-160ED5063E33}
     c:\documents and settings\Vamos Rafa\Local Settings\Application Data\{EBE0C481-C961-4996-886D-160ED5063E33}\chrome.manifest
     c:\documents and settings\Vamos Rafa\Local Settings\Application Data\{EBE0C481-C961-4996-886D-160ED5063E33}\chrome\content\_cfg.js
     c:\documents and settings\Vamos Rafa\Local Settings\Application Data\{EBE0C481-C961-4996-886D-160ED5063E33}\chrome\content\overlay.xul
     c:\documents and settings\Vamos Rafa\Local Settings\Application Data\{EBE0C481-C961-4996-886D-160ED5063E33}\install.rdf
     c:\windows\edejufan.dll
     .
     .
     ((((((((((((((((((((((((( Files Created from 2011-03-26 to 2011-04-26 )))))))))))))))))))))))))))))))
     .
     .
     2011-04-24 21:26 . 2011-04-24 21:26 122815660 ----a-w- C:\registrybackup.reg
     2011-04-24 20:47 . 2011-04-24 20:47 -------- d-----w- c:\documents and settings\Vamos Rafa\Application Data\BDL+P
     2011-04-24 20:43 . 2011-04-26 05:04 -------- d-----w- C:\liquid
     2011-04-24 20:33 . 2011-04-24 20:33 218688 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
     2011-04-24 20:33 . 2011-04-24 20:33 -------- d-----w- c:\program files\DAEMON Tools Lite
     2011-04-24 20:33 . 2011-04-24 20:35 -------- d-----w- c:\documents and settings\Vamos Rafa\Application Data\DAEMON Tools Lite
     2011-04-24 20:33 . 2011-04-24 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
     2011-04-20 07:32 . 2011-04-20 07:32 -------- d-----w- c:\documents and settings\Vamos Rafa\Application Data\Avira
     2011-04-20 02:57 . 2011-03-04 20:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
     2011-04-20 02:57 . 2011-03-04 18:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
     2011-04-20 02:57 . 2010-06-17 18:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
     2011-04-20 02:57 . 2010-06-17 18:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
     2011-04-20 02:57 . 2011-04-20 02:57 -------- d-----w- c:\program files\Avira
     2011-04-20 02:57 . 2011-04-20 02:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
     2011-04-19 03:40 . 2011-03-02 10:43 175616 ----a-w- c:\windows\system32\unrar.dll
     2011-04-19 03:40 . 2011-04-19 03:40 -------- d-----w- c:\program files\K-Lite Codec Pack
     2011-04-18 05:05 . 2011-04-18 05:05 -------- d-s---w- c:\documents and settings\NetworkService\UserData
     2011-04-18 04:55 . 2011-04-26 06:21 0 ----a-w- c:\windows\Ssexohoqusi.bin
     2011-04-18 04:53 . 2011-04-22 01:19 -------- d-----w- c:\documents and settings\Vamos Rafa\Application Data\3027DCEB6FF29DEB4472D78FD4EFABF5
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2011-03-07 05:33 . 2008-03-20 16:32 692736 ----a-w- c:\windows\system32\inetcomm.dll
     2011-03-04 06:45 . 2004-08-04 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll
     2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
     2011-02-17 13:51 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
     2011-02-17 13:51 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
     2011-02-17 13:51 . 2004-08-04 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
     2011-02-17 13:18 . 2004-08-04 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
     2011-02-17 13:18 . 2004-08-04 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
     2011-02-17 12:37 . 2004-08-04 12:00 369664 ----a-w- c:\windows\system32\html.iec
     2011-02-17 12:32 . 2009-04-17 06:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
     2011-02-15 12:56 . 2004-08-04 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
     2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
     2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
     2011-02-08 13:33 . 2004-08-04 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
     2011-02-08 13:33 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
     2011-02-03 01:40 . 2010-04-26 00:21 472808 ----a-w- c:\windows\system32\deployJava1.dll
     2011-02-02 23:19 . 2009-12-11 22:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
     2011-02-02 07:58 . 2008-03-20 16:30 2067456 ----a-w- c:\windows\system32\mstscax.dll
     2011-01-27 11:57 . 2008-03-20 16:30 677888 ----a-w- c:\windows\system32\mstsc.exe
     2008-04-08 17:46 . 2008-04-08 17:46 1292 ----a-w- c:\program files\ffdsasetts.reg
     2008-04-08 17:46 . 2008-04-08 17:44 680 ----a-w- c:\program files\mpc2.reg
     2008-04-08 17:46 . 2008-04-08 17:44 596 ----a-w- c:\program files\mpc1.reg
     2008-04-08 17:46 . 2008-04-08 17:44 4608 ----a-w- c:\program files\mpc4.reg
     2008-04-08 17:46 . 2008-04-08 17:44 3476 ----a-w- c:\program files\mpc7.reg
     2008-04-08 17:46 . 2008-04-08 17:44 3026 ----a-w- c:\program files\mpc3.reg
     2008-04-08 17:46 . 2008-04-08 17:44 27260 ----a-w- c:\program files\ffdssetts.reg
     2008-04-08 17:46 . 2008-04-08 17:44 24316 ----a-w- c:\program files\ffdsvsetts.reg
     2008-04-08 17:46 . 2008-04-08 17:44 18156 ----a-w- c:\program files\mpc6.reg
     2008-04-08 17:46 . 2008-04-08 17:44 16486 ----a-w- c:\program files\mpc5.reg
     2008-02-14 22:23 . 2008-02-14 22:23 231944 ----a-w- c:\program files\gwflash.exe
     2007-09-22 03:42 . 2007-09-22 03:42 19008 ----a-w- c:\program files\markfun.a64
     2007-08-22 03:49 . 2007-08-22 03:49 17912 ----a-w- c:\program files\markfun.w32
     2007-03-02 12:48 . 2007-03-02 12:48 240448 ----a-w- c:\program files\gwf32.exe
     2006-11-24 07:47 . 2006-11-24 07:47 207680 ----a-w- c:\program files\BIOS_Run.exe
     2005-04-28 03:40 . 2005-04-28 03:40 6800 ----a-w- c:\program files\W95_HUA.vxd
     2011-03-18 17:53 . 2011-03-24 05:58 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]
     "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
     "nwiz"="nwiz.exe" [2009-03-28 1657376]
     "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13684736]
     "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 86016]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
     "InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
     "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
     "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
     "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
     .
     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-4-23 6144]
     .
     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
     2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
     @=""
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
     @=""
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "DisableNotifications"= 1 (0x1)
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\EA Games\\Ultima Online 2D Client\\client.exe"=
     "c:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=
     "c:\\Program Files\\GIGABYTE\\@BIOS\\update.exe"=
     "c:\\Program Files\\gwflash.exe"=
     "c:\\WINDOWS\\system32\\dxdiag.exe"=
     "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
     "c:\\Program Files\\AIM6\\aim6.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
     "c:\\Program Files\\GIGABYTE\\@BIOS\\BIOS_Run.exe"=
     "c:\\Documents and Settings\\Vamos Rafa\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
     "c:\\Documents and Settings\\Vamos Rafa\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
     "c:\\ijji\\ENGLISH\\u_gunz.exe"=
     "c:\\ijji\\ENGLISH\\Gunz\\Gunz.exe"=
     "c:\\Program Files\\FlashGet\\flashget.exe"=
     "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
     "c:\\Program Files\\ijji\\ijji REACTOR\\REACTOR.exe"=
     "c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
     "c:\\Program Files\\Razer\\DeathAdder\\razertra.exe"=
     "c:\\Program Files\\Razer\\DeathAdder\\razerofa.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
     "c:\\Program Files\\Steam\\Steam.exe"=
     "c:\\Program Files\\Steam\\steamapps\\jameshieu@yahoo.com\\counter-strike\\hl.exe"=
     "c:\\Program Files\\Steam\\steamapps\\jameshieu@yahoo.com\\dark messiah might and magic multi-player\\mm.exe"=
     "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
     "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
     "c:\\Program Files\\Kodak\\PACS\\uvapa\\mv_client\\LoaderExe.exe"=
     "c:\\Program Files\\Kodak\\PACS\\uvapa\\mv_client\\mp.exe"=
     "c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
     "c:\\Program Files\\StarCraft II\\Versions\\Base17326\\SC2.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\StarCraft II\\Versions\\Base18092\\SC2.exe"=
     .
     R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [4/24/2011 4:33 PM 218688]
     R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 10:24 PM 9968]
     R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 10:24 PM 74480]
     R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/19/2011 10:57 PM 135336]
     R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [3/20/2008 3:15 PM 22784]
     R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [3/20/2008 3:13 PM 651712]
     S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys --> c:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]
     S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
     S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
     S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys --> c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
     S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys --> c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
     S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys --> c:\windows\system32\DRIVERS\AVGIDSShim.Sys [?]
     S3 cpuz129;cpuz129;\??\c:\docume~1\VAMOSR~1\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\VAMOSR~1\LOCALS~1\Temp\cpuz_x32.sys [?]
     S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [1/21/2009 2:21 AM 10744]
     S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
     S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 10:24 PM 7408]
     S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
     S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [9/4/2008 3:53 PM 33400]
     S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/21/2008 2:48 AM 715248]
     .
     --- Other Services/Drivers In Memory ---
     .
     *Deregistered* - ALSysIO
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2011-04-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1292428093-725345543-1003Core1cbff877ea096b4.job
     - c:\documents and settings\Vamos Rafa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-28 01:54]
     .
     2011-04-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1292428093-725345543-1003UA.job
     - c:\documents and settings\Vamos Rafa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-28 01:54]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com
     uInternet Settings,ProxyOverride = *.local
     IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
     IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     DPF: {8E49176D-5B2E-4391-AA56-212161D660DE} - hxxp://pacs.hscs.virginia.edu/plugin/JavaSettings.exe
     FF - ProfilePath - c:\documents and settings\Vamos Rafa\Application Data\Mozilla\Firefox\Profiles\6320ji3r.default\
     FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
     FF - prefs.js: network.proxy.type - 0
     .
     - - - - ORPHANS REMOVED - - - -
     .
     HKLM-Run-Dpuroxolibugi - c:\windows\edejufan.dll
     .
     .
     .
     **************************************************************************
     .
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2011-04-26 17:16
     Windows 5.1.2600 Service Pack 3 NTFS
     .
     scanning hidden processes ...
     .
     scanning hidden autostart entries ...
     .
     scanning hidden files ...
     .
     scan completed successfully
     hidden files: 0
     .
     **************************************************************************
     .
     [HKEY_LOCAL_MACHINE\System\controlset004\Services\npggsvc]
     "ImagePath"="c:\windows\system32\GameMon.des -service"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     .
     - - - - - - - > 'winlogon.exe'(1008)
     c:\program files\SUPERAntiSpyware\SASWINLO.dll
     .
     Completion time: 2011-04-26 17:18:23
     ComboFix-quarantined-files.txt 2011-04-26 21:18
     ComboFix2.txt 2011-04-22 17:55
     .
     Pre-Run: 92,104,036,352 bytes free
     Post-Run: 92,089,876,480 bytes free
     .
     Current=4 Default=4 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
     - - End Of File - - 849EEEF7EE182CE5BF38FA97A99BFE05
  4. Thanks for sticking with me on this. Deleted the file you mentioned, and the GooredFix and ESET logs are below. ESET seems to have found something. I am still getting redirects in google, although they are very hard to elicit. Actually, they only seem to occur in Firefox when I google "windows update" and attempt to access the windows update site. Still getting the Windows Security alert and am unable to access the windows update page with IE. Otherwise, I am having no issues at all and the PC seems much faster.

GooredFix
GooredFix by jpshortstuff (03.07.10.1)
Log created at 17:35 on 25/04/2011 (Vamos Rafa)
Firefox version 4.0 (en-US)
========== GooredScan ==========
Removing Orphan: "{D69CED78-B9A6-42D9-BB6C-B156110BD0C6}"="C:\Documents and Settings\Vamos Rafa\Local Settings\Application Data\{D69CED78-B9A6-42D9-BB6C-B156110BD0C6}" -> Success!
========== GooredLog ==========
C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [05:58 24/03/2011]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [22:22 11/12/2009]
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [00:21 26/04/2010]
{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [20:27 13/08/2010]
{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} [20:29 24/04/2011]
C:\Documents and Settings\Vamos Rafa\Application Data\Mozilla\Firefox\Profiles\6320ji3r.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [03:02 27/04/2010]
{DBBB3167-6E81-400f-BBFD-BD8921726F52} [06:21 21/01/2009]
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [07:04 14/08/2009]
"{1E73965B-8B48-48be-9C8D-68B920ABC1C4}"="C:\Program Files\AVG\AVG10\Firefox4\" [23:18 29/03/2011]
-=E.O.F=-

ESET
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=4c58953da5c76a4ea4bce63a264a6b3c
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-04-25 10:41:37
# local_time=2011-04-25 06:41:37 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1026 16777214 0 2 45578509 45578509 0 0
# compatibility_mode=1797 16775141 100 93 0 39364716 0 0
# compatibility_mode=8192 67108863 100 0 41653986 41653986 0 0
# scanned=91214
# found=2
# cleaned=0
# scan_time=3529
C:\WINDOWS\edejufan.dll a variant of Win32/Kryptik.MVM trojan (unable to clean) 00000000000000000000000000000000 I
${Memory} a variant of Win32/Kryptik.MVM trojan 00000000000000000000000000000000 I
  5. Perhaps I spoke too soon. Just a minute ago, I experienced some google redirects in Firefox. I can't seem to reproduce the redirects as frequently as before but they do occur. I really haven't used this computer to do anything besides visit this forum and install Daemon Tools Lite (Hope that wasn't a big mistake!). Still, the PC is running more smoothly.

MBAM
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6435
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
4/24/2011 6:01:25 PM
mbam-log-2011-04-24 (18-01-25).txt
Scan type: Quick scan
Objects scanned: 154546
Time elapsed: 5 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

DDS.txt
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Vamos Rafa at 18:22:00.28 on Sun 04/24/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1579 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\CTFMON.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Vamos Rafa\My Documents\New2\OC\Core Temp.exe
C:\Documents and Settings\Vamos Rafa\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe
mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [nwiz] nwiz.exe /install
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [instaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Dpuroxolibugi] rundll32.exe "c:\windows\edejufan.dll",Startup
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{51fb15f4-ad27-43bc-ad4b-dd0354fb6bbd}\Icon3E5562ED7.ico
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - hxxps://uplink.healthsystem.virginia.edu/vdesk/terminal/urxvpn.cab#version=6030,2008,904,1951
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://uplink.healthsystem.virginia.edu/vdesk/terminal/f5tunsrv.cab#version=6030,2008,904,1947
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - c:\docume~1\vamosr~1\locals~1\temp\ixp000.tmp\InstallerControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8E49176D-5B2E-4391-AA56-212161D660DE} - hxxp://pacs.hscs.virginia.edu/plugin/JavaSettings.exe
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://uplink.healthsystem.virginia.edu/vdesk/terminal/urxshost.cab#version=6030,2008,904,1945
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://uplink.healthsystem.virginia.edu/vdesk/terminal/urxhost.cab#version=6030,2008,904,1940
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\vamosr~1\applic~1\mozilla\firefox\profiles\6320ji3r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\vamos rafa\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\vamos rafa\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\vamos rafa\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-19 11608]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-4-24 218688]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-19 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-19 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-19 61960]
R2 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
R3 ALSysIO;ALSysIO;\??\c:\docume~1\vamosr~1\locals~1\temp\alsysio.sys --> c:\docume~1\vamosr~1\locals~1\temp\ALSysIO.sys [?]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2008-3-20 22784]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [2008-3-20 651712]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\avgidseh.sys --> c:\windows\system32\drivers\AVGIDSEH.Sys [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriver.sys --> c:\windows\system32\drivers\AVGIDSDriver.Sys [?]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilter.sys --> c:\windows\system32\drivers\AVGIDSFilter.Sys [?]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshim.sys --> c:\windows\system32\drivers\AVGIDSShim.Sys [?]
S3 cpuz129;cpuz129;\??\c:\docume~1\vamosr~1\locals~1\temp\cpuz_x32.sys --> c:\docume~1\vamosr~1\locals~1\temp\cpuz_x32.sys [?]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2009-1-21 10744]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [2008-9-4 33400]
.
=============== Created Last 30 ================
.
2011-04-24 21:26:46 122815660 ----a-w- C:\registrybackup.reg
2011-04-24 20:47:53 -------- d-----w- c:\docume~1\vamosr~1\applic~1\BDL+P
2011-04-24 20:43:26 -------- d-----w- C:\liquid
2011-04-24 20:33:59 218688 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-04-24 20:33:50 -------- d-----w- c:\program files\DAEMON Tools Lite
2011-04-24 20:33:13 -------- d-----w- c:\docume~1\vamosr~1\applic~1\DAEMON Tools Lite
2011-04-24 20:33:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2011-04-24 20:30:52 -------- d-s---w- C:\ComboFix
2011-04-22 17:51:14 -------- d-----w- c:\docume~1\vamosr~1\locals~1\applic~1\{D69CED78-B9A6-42D9-BB6C-B156110BD0C6}
2011-04-20 07:32:58 -------- d-----w- c:\docume~1\vamosr~1\applic~1\Avira
2011-04-20 02:57:38 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-20 02:57:37 -------- d-----w- c:\program files\Avira
2011-04-20 02:57:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-04-19 03:40:16 175616 ----a-w- c:\windows\system32\unrar.dll
2011-04-19 03:40:14 -------- d-----w- c:\program files\K-Lite Codec Pack
2011-04-18 04:55:09 0 ----a-w- c:\windows\Ssexohoqusi.bin
2011-04-18 04:53:48 -------- d-----w- c:\docume~1\vamosr~1\applic~1\3027DCEB6FF29DEB4472D78FD4EFABF5
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 13:51:57 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51:57 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51:57 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 12:37:38 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-03 01:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 23:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2008-04-08 17:46:28 680 ----a-w- c:\program files\mpc2.reg
2008-04-08 17:46:28 596 ----a-w- c:\program files\mpc1.reg
2008-04-08 17:46:28 4608 ----a-w- c:\program files\mpc4.reg
2008-04-08 17:46:28 3476 ----a-w- c:\program files\mpc7.reg
2008-04-08 17:46:28 3026 ----a-w- c:\program files\mpc3.reg
2008-04-08 17:46:28 27260 ----a-w- c:\program files\ffdssetts.reg
2008-04-08 17:46:28 24316 ----a-w- c:\program files\ffdsvsetts.reg
2008-04-08 17:46:28 18156 ----a-w- c:\program files\mpc6.reg
2008-04-08 17:46:28 16486 ----a-w- c:\program files\mpc5.reg
2008-04-08 17:46:28 1292 ----a-w- c:\program files\ffdsasetts.reg
2008-02-14 22:23:12 231944 ----a-w- c:\program files\gwflash.exe
2007-09-22 03:42:42 19008 ----a-w- c:\program files\markfun.a64
2007-08-22 03:49:28 17912 ----a-w- c:\program files\markfun.w32
2007-03-02 12:48:50 240448 ----a-w- c:\program files\gwf32.exe
2006-11-24 07:47:50 207680 ----a-w- c:\program files\BIOS_Run.exe
2005-04-28 03:40:26 6800 ----a-w- c:\program files\W95_HUA.vxd
.
============= FINISH: 18:22:43.64 ===============

Attach.txt
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/22/2009 12:45:40 AM
System Uptime: 4/24/2011 5:50:05 PM (1 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | P35-DS3L
Processor: Intel® Core2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2400/266mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 298 GiB total, 83.45 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Audio Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1458E601&REV_1000\4&808A433&0&0201
Manufacturer:
Name: Audio Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1458E601&REV_1000\4&808A433&0&0201
Service:
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0001
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0001
Service: CVirtA
.
==== System Restore Points ===================
.
RP349: 4/24/2011 4:33:03 PM - System Checkpoint
.
==== Installed Programs ======================
.
??
@BIOS
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.0.1)
Advertising Center
AIM 6
Alarm Clock v1.0
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AutoUpdate
Avira AntiVir Personal - Free Antivirus
AviSynth 2.5
Belkin Setup and Router Monitor
Bonjour
CCleaner (remove only)
Cisco Systems VPN Client 5.0.04.0300 (ITC)
Compatibility Pack for the 2007 Office system
Counter-Strike
DAEMON Tools Lite
DivX Codec
DivX Converter
DivX Player
DivX Web Player
FlashGet 1.9.6.1073
Free Mp3 Wma Converter V 1.81
GIMP 2.6.7
Google Talk Plugin
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
ijji - Gunz
ijji REACTOR
iTunes
Jamorama Software
Java Auto Updater
Java 6 Update 24
K-Lite Codec Pack 7.1.0 (Basic)
Logitech QuickCam
Logitech QuickCam Driver Package
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft AppLocale
Microsoft Kernel-Mode Driver Framework Feature Pack 1.1
Microsoft Office Professional Edition 2003
Microsoft Visual C Runtime
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Windows Application Compatibility Database
Microsoft Xbox 360 Accessories 1.1
Mozilla Firefox 4.0 (x86 en-US)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
MSXML4 Parser
Nero 9 Lite
Nero ControlCenter
Nero Installer
Nero Online Upgrade
Nero StartSmart
neroxml
NVIDIA nTune
Oblivion
Oblivion - Horse Armor Pack
Oblivion - Knights of the Nine
Oblivion - Mehrunes Razor
Oblivion - Orrery
Oblivion - Spell Tomes
Oblivion - Thieves Den
Oblivion - Vile Lair
Oblivion - Wizard's Tower
Oblivion mod manager 1.1.9
PunkBuster Services
Quake Live Mozilla Plugin
QuickTime
Razer DeathAdder Mouse
REALTEK GbE & FE Ethernet PCI-E NIC Driver
SeaTools for Windows
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360131)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2416400)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2482017)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2497640)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Spybot - Search & Destroy
StarCraft II
Steam
SUPERAntiSpyware Free Edition
TuxGuitar 1.1
Ultima Online 2D Client
Uninstall Dual Mode Camera
UnInstall Envy24 Family Audio Device Driver
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
Videora iPod Converter 5.04
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.0.3
WebFldrs XP
WinAce Archiver
Windows Genuine Advantage Notifications (KB905474)
Windows XP Service Pack 3
WinRAR archiver
Write-N-Cite
WX Application
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
4/21/2011 6:59:19 PM, error: Service Control Manager [7034] - The Process Monitor service terminated unexpectedly. It has done this 1 time(s).
4/21/2011 1:36:59 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
4/21/2011 1:31:58 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
4/21/2011 1:31:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/20/2011 6:51:05 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
4/20/2011 6:50:05 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
4/20/2011 6:45:42 PM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
4/20/2011 3:56:57 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
4/20/2011 3:25:37 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AVGIDSEH TfFsMon TfSysMon
4/20/2011 3:24:40 AM, error: NetBT [4311] - Initialization failed because the driver device could not be created.
4/19/2011 6:07:20 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/19/2011 6:05:51 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
4/19/2011 12:24:57 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service wuauserv with arguments "" in order to run the server: {9B1F122C-2982-4E91-AA8B-E071D54F2A4D}
4/19/2011 11:04:15 PM, error: Service Control Manager [7000] - The AVGIDSShim service failed to start due to the following error: The system cannot find the file specified.
4/19/2011 10:54:35 PM, error: Service Control Manager [7031] - The AVG WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
4/19/2011 10:42:51 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: TfFsMon TfSysMon
4/19/2011 10:42:51 PM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
4/19/2011 10:32:25 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
4/19/2011 1:01:53 AM, error: atapi [9] - The device, \Device\Ide\IdePort4, did not respond within the timeout period.
4/18/2011 3:03:09 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the NVIDIA Display Driver Service service to connect.
4/18/2011 3:03:09 AM, error: Service Control Manager [7000] - The NVIDIA Display Driver Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/18/2011 10:39:30 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126ADB-2166-11D1-B1D0-00805FC1270E}
.
==== End Of File ===========================
  6. Not sure if this is related, but I have also been having trouble updating Avira. I have been going to their website to update manually, which works, but I can't update via Avira itself. Besides these annoying things, the PC is not having any issues.
  7. Hrmm.. I tried both methods but the security alert is still there. It says automatic updates is off. When I hit 'Turn on Automatic Updates' it tells me to do it manually via the Control Panel, which I have already done. Interestingly, when I go to the Microsoft Update site, I click on install Express or Custom and it gives me a "Page cannot be displayed" message. Hope it's nothing serious. Thanks.
  8. Can't thank you enough for your outstanding and prompt help, Kenny. No feeling quite like knowing your computer isn't on fire anymore. Will try to keep things clean =] On a last note, any tips on getting rid of that annoying Windows Security alert? Thanks again for everything!
  9. Could not be happier about this. Thanks!
DDS
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Vamos Rafa at 22:59:16.12 on Sat 04/23/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1590 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Vamos Rafa\My Documents\New2\OC\Core Temp.exe
C:\Documents and Settings\Vamos Rafa\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe
mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [nwiz] nwiz.exe /install
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [instaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Dpuroxolibugi] rundll32.exe "c:\windows\edejufan.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{51fb15f4-ad27-43bc-ad4b-dd0354fb6bbd}\Icon3E5562ED7.ico
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - hxxps://uplink.healthsystem.virginia.edu/vdesk/terminal/urxvpn.cab#version=6030,2008,904,1951
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://uplink.healthsystem.virginia.edu/vdesk/terminal/f5tunsrv.cab#version=6030,2008,904,1947
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - c:\docume~1\vamosr~1\locals~1\temp\ixp000.tmp\InstallerControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {8E49176D-5B2E-4391-AA56-212161D660DE} - hxxp://pacs.hscs.virginia.edu/plugin/JavaSettings.exe
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://uplink.healthsystem.virginia.edu/vdesk/terminal/urxshost.cab#version=6030,2008,904,1945
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://uplink.healthsystem.virginia.edu/vdesk/terminal/urxhost.cab#version=6030,2008,904,1940
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\vamosr~1\applic~1\mozilla\firefox\profiles\6320ji3r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\vamos rafa\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\vamos rafa\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\vamos rafa\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\j2re1.4.2_05\bin\NPJPI142_05.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-19 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-19 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-19 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-19 61960]
R2 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
R3 ALSysIO;ALSysIO;\??\c:\docume~1\vamosr~1\locals~1\temp\alsysio.sys --> c:\docume~1\vamosr~1\locals~1\temp\ALSysIO.sys [?]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2008-3-20 22784]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [2008-3-20 651712]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\avgidseh.sys --> c:\windows\system32\drivers\AVGIDSEH.Sys [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriver.sys --> c:\windows\system32\drivers\AVGIDSDriver.Sys [?]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilter.sys --> c:\windows\system32\drivers\AVGIDSFilter.Sys [?]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshim.sys --> c:\windows\system32\drivers\AVGIDSShim.Sys [?]
S3 cpuz129;cpuz129;\??\c:\docume~1\vamosr~1\locals~1\temp\cpuz_x32.sys --> c:\docume~1\vamosr~1\locals~1\temp\cpuz_x32.sys [?]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2009-1-21 10744]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [2008-9-4 33400]
.
=============== Created Last 30 ================
.
2011-04-22 17:51:14 -------- d-----w- c:\docume~1\vamosr~1\locals~1\applic~1\{D69CED78-B9A6-42D9-BB6C-B156110BD0C6}
2011-04-20 22:43:32 89088 ----a-w- c:\windows\MBR.exe
2011-04-20 22:43:32 256512 ----a-w- c:\windows\PEV.exe
2011-04-20 22:43:32 161792 ----a-w- c:\windows\SWREG.exe
2011-04-20 22:43:31 98816 ----a-w- c:\windows\sed.exe
2011-04-20 07:32:58 -------- d-----w- c:\docume~1\vamosr~1\applic~1\Avira
2011-04-20 02:57:38 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-20 02:57:37 -------- d-----w- c:\program files\Avira
2011-04-20 02:57:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-04-19 03:40:16 175616 ----a-w- c:\windows\system32\unrar.dll
2011-04-19 03:40:14 -------- d-----w- c:\program files\K-Lite Codec Pack
2011-04-18 04:55:09 0 ----a-w- c:\windows\Ssexohoqusi.bin
2011-04-18 04:53:48 -------- d-----w- c:\docume~1\vamosr~1\applic~1\3027DCEB6FF29DEB4472D78FD4EFABF5
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 13:51:57 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51:57 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51:57 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 12:37:38 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2008-04-08 17:46:28 680 ----a-w- c:\program files\mpc2.reg
2008-04-08 17:46:28 596 ----a-w- c:\program files\mpc1.reg
2008-04-08 17:46:28 4608 ----a-w- c:\program files\mpc4.reg
2008-04-08 17:46:28 3476 ----a-w- c:\program files\mpc7.reg
2008-04-08 17:46:28 3026 ----a-w- c:\program files\mpc3.reg
2008-04-08 17:46:28 27260 ----a-w- c:\program files\ffdssetts.reg
2008-04-08 17:46:28 24316 ----a-w- c:\program files\ffdsvsetts.reg
2008-04-08 17:46:28 18156 ----a-w- c:\program files\mpc6.reg
2008-04-08 17:46:28 16486 ----a-w- c:\program files\mpc5.reg
2008-04-08 17:46:28 1292 ----a-w- c:\program files\ffdsasetts.reg
2008-02-14 22:23:12 231944 ----a-w- c:\program files\gwflash.exe
2007-09-22 03:42:42 19008 ----a-w- c:\program files\markfun.a64
2007-08-22 03:49:28 17912 ----a-w- c:\program files\markfun.w32
2007-03-02 12:48:50 240448 ----a-w- c:\program files\gwf32.exe
2006-11-24 07:47:50 207680 ----a-w- c:\program files\BIOS_Run.exe
2005-04-28 03:40:26 6800 ----a-w- c:\program files\W95_HUA.vxd
.
============= FINISH: 23:00:09.00 ===============
  10. Here are the logs.
TDSS
2011/04/23 17:06:27.0687 0720 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/23 17:06:27.0906 0720 ================================================================================
2011/04/23 17:06:27.0906 0720 SystemInfo:
2011/04/23 17:06:27.0906 0720
2011/04/23 17:06:27.0906 0720 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/23 17:06:27.0906 0720 Product type: Workstation
2011/04/23 17:06:27.0906 0720 ComputerName: HIEU
2011/04/23 17:06:27.0906 0720 UserName: Vamos Rafa
2011/04/23 17:06:27.0906 0720 Windows directory: C:\WINDOWS
2011/04/23 17:06:27.0906 0720 System windows directory: C:\WINDOWS
2011/04/23 17:06:27.0906 0720 Processor architecture: Intel x86
2011/04/23 17:06:27.0906 0720 Number of processors: 4
2011/04/23 17:06:27.0906 0720 Page size: 0x1000
2011/04/23 17:06:27.0906 0720 Boot type: Normal boot
2011/04/23 17:06:27.0906 0720 ================================================================================
2011/04/23 17:06:28.0140 0720 Initialize success
2011/04/23 17:06:45.0281 2832 ================================================================================
2011/04/23 17:06:45.0281 2832 Scan started
2011/04/23 17:06:45.0281 2832 Mode: Manual;
2011/04/23 17:06:45.0281 2832 ================================================================================
2011/04/23 17:06:45.0609 2832 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/23 17:06:45.0640 2832 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/04/23 17:06:45.0734 2832 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/23 17:06:45.0812 2832 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/04/23 17:06:45.0875 2832 AFGSp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\WINDOWS\system32\Drivers\AFGSp50.sys
2011/04/23 17:06:46.0171 2832 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/23 17:06:46.0203 2832 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/23 17:06:46.0265 2832 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/23 17:06:46.0296 2832 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/23 17:06:46.0437 2832 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2011/04/23 17:06:46.0468 2832 avgntflt (47b879406246ffdced59e18d331a0e7d) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2011/04/23 17:06:46.0500 2832 avipbb (5fedef54757b34fb611b9ec8fb399364) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2011/04/23 17:06:46.0531 2832 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/23 17:06:46.0593 2832 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/23 17:06:46.0640 2832 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/04/23 17:06:46.0734 2832 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/23 17:06:46.0796 2832 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/23 17:06:46.0843 2832 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/23 17:06:47.0093 2832 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
2011/04/23 17:06:47.0156 2832 CVPNDRVA (720482888c3778f26eeb83d286a6cdc3) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
2011/04/23 17:06:47.0281 2832 DAdderFltr (cb90f77e21109ccfd114a17bd87a42a7) C:\WINDOWS\system32\drivers\dadder.sys
2011/04/23 17:06:47.0343 2832 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/23 17:06:47.0390 2832 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/23 17:06:47.0437 2832 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
2011/04/23 17:06:47.0468 2832 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/23 17:06:47.0500 2832 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/23 17:06:47.0546 2832 DNE (86d52c32a308f84bbc626bff7c1fb710) C:\WINDOWS\system32\DRIVERS\dne2000.sys
2011/04/23 17:06:47.0578 2832 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/23 17:06:47.0640 2832 Envy24HFS (ac913b7ab3a8c69a7b341d9f69fe1d04) C:\WINDOWS\system32\drivers\Envy24HF.sys
2011/04/23 17:06:47.0718 2832 f5ipfw (6fd59b5c1e64780111fb3cdd385bee2f) C:\WINDOWS\system32\drivers\urfltw2k.sys
2011/04/23 17:06:47.0750 2832 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/23 17:06:47.0796 2832 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/04/23 17:06:47.0843 2832 FilterService (bcef16e3aedd1b44bca45f748d975d73) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
2011/04/23 17:06:47.0859 2832 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/23 17:06:47.0937 2832 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/04/23 17:06:47.0984 2832 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/04/23 17:06:48.0046 2832 FsVga (455f778ee14368468560bd7cb8c854d0) C:\WINDOWS\system32\DRIVERS\fsvga.sys
2011/04/23 17:06:48.0078 2832 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/23 17:06:48.0109 2832 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/23 17:06:48.0140 2832 gdrv (b6bfec7542730e9a376bf2408423d493) C:\WINDOWS\gdrv.sys
2011/04/23 17:06:49.0265 2832 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/04/23 17:06:49.0312 2832 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/23 17:06:49.0359 2832 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/04/23 17:06:49.0390 2832 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/23 17:06:49.0468 2832 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/23 17:06:49.0578 2832 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/23 17:06:49.0640 2832 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/23 17:06:49.0781 2832 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/04/23 17:06:49.0796 2832 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/04/23 17:06:49.0859 2832 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/23 17:06:49.0906 2832 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/23 17:06:49.0953 2832 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/23 17:06:49.0984 2832 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/23 17:06:50.0015 2832 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/23 17:06:50.0062 2832 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/23 17:06:50.0109 2832 JL2005C (637898b8ee8c0cc3342c61a49e3ff088) C:\WINDOWS\system32\Drivers\jl2005c.sys
2011/04/23 17:06:50.0125 2832 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/23 17:06:50.0156 2832 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/23 17:06:50.0187 2832 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/23 17:06:50.0312 2832 LVcKap (8113133ec42dd6c566908008ce913edd) C:\WINDOWS\system32\DRIVERS\LVcKap.sys
2011/04/23 17:06:50.0421 2832 LVMVDrv (0dd5b8af4917a2821047450195c511b3) C:\WINDOWS\system32\DRIVERS\LVMVDrv.sys
2011/04/23 17:06:50.0515 2832 lvpopflt (e1158b0cb852db0573922c92e6e564de) C:\WINDOWS\system32\DRIVERS\lvpopflt.sys
2011/04/23 17:06:50.0562 2832 LVPr2Mon (406b1d186f75b4b4832d6237859e1b00) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
2011/04/23 17:06:50.0593 2832 LVUSBSta (be5e104be263921d6842c555db6a5c23) C:\WINDOWS\system32\drivers\LVUSBSta.sys
2011/04/23 17:06:50.0671 2832 LVUVC (eacd1eb2d82ed2adc753afeee1d4d660) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
2011/04/23 17:06:50.0750 2832 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/23 17:06:50.0812 2832 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/23 17:06:50.0843 2832 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/23 17:06:50.0890 2832 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/23 17:06:50.0921 2832 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/23 17:06:50.0984 2832 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/23 17:06:51.0046 2832 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/23 17:06:51.0093 2832 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/23 17:06:51.0140 2832 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/23 17:06:51.0187 2832 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/23 17:06:51.0234 2832 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/23 17:06:51.0281 2832 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/23
17:06:51.0312 2832 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys 2011/04/23 17:06:51.0343 2832 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys 2011/04/23 17:06:51.0390 2832 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys 2011/04/23 17:06:51.0437 2832 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys 2011/04/23 17:06:51.0484 2832 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys 2011/04/23 17:06:51.0515 2832 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys 2011/04/23 17:06:51.0562 2832 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys 2011/04/23 17:06:51.0593 2832 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys 2011/04/23 17:06:51.0625 2832 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys 2011/04/23 17:06:51.0656 2832 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys 2011/04/23 17:06:51.0687 2832 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys 2011/04/23 17:06:51.0750 2832 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys 2011/04/23 17:06:51.0796 2832 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys 2011/04/23 17:06:51.0890 2832 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys 2011/04/23 17:06:52.0062 2832 nv (23b95a09677e62ec8d1641ecf39b9bfb) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 2011/04/23 17:06:52.0156 2832 NVR0Dev (61d6b1c71ad94f8485e966bebc36d092) C:\WINDOWS\nvoclock.sys 2011/04/23 17:06:52.0218 2832 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys 2011/04/23 17:06:52.0250 2832 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys 2011/04/23 17:06:52.0312 2832 
Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys 2011/04/23 17:06:52.0328 2832 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys 2011/04/23 17:06:52.0359 2832 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys 2011/04/23 17:06:52.0375 2832 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys 2011/04/23 17:06:52.0437 2832 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys 2011/04/23 17:06:52.0484 2832 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys 2011/04/23 17:06:52.0734 2832 PnkBstrK (335070925fce12af4341bf0b71d8a4b6) C:\WINDOWS\system32\drivers\PnkBstrK.sys 2011/04/23 17:06:52.0796 2832 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys 2011/04/23 17:06:52.0812 2832 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys 2011/04/23 17:06:52.0843 2832 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys 2011/04/23 17:06:52.0890 2832 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys 2011/04/23 17:06:53.0046 2832 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys 2011/04/23 17:06:53.0078 2832 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 2011/04/23 17:06:53.0109 2832 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys 2011/04/23 17:06:53.0125 2832 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys 2011/04/23 17:06:53.0156 2832 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys 2011/04/23 17:06:53.0171 2832 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys 2011/04/23 17:06:53.0203 2832 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys 2011/04/23 
17:06:53.0234 2832 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys 2011/04/23 17:06:53.0281 2832 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys 2011/04/23 17:06:53.0343 2832 RTLE8023xp (a1ad65718870dbf2bcb81e3c1406469e) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys 2011/04/23 17:06:53.0421 2832 SASDIFSV (5bf35c4ea3f00fa8d3f1e5bf03d24584) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 2011/04/23 17:06:53.0468 2832 SASENUM (a22f08c98ac2f44587bf3a1fb52bf8cd) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS 2011/04/23 17:06:53.0500 2832 SASKUTIL (c7d81c10d3befeee41f3408714637438) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys 2011/04/23 17:06:53.0562 2832 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys 2011/04/23 17:06:53.0609 2832 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys 2011/04/23 17:06:53.0640 2832 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys 2011/04/23 17:06:53.0703 2832 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys 2011/04/23 17:06:53.0796 2832 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys 2011/04/23 17:06:53.0875 2832 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys 2011/04/23 17:06:53.0937 2832 sptd (0c1dad75274cb6e31f053ce3e08bf9c3) C:\WINDOWS\system32\Drivers\sptd.sys 2011/04/23 17:06:54.0015 2832 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys 2011/04/23 17:06:54.0062 2832 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys 2011/04/23 17:06:54.0125 2832 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys 2011/04/23 17:06:54.0187 2832 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys 2011/04/23 17:06:54.0218 2832 swenum (3941d127aef12e93addf6fe6ee027e0f) 
C:\WINDOWS\system32\DRIVERS\swenum.sys 2011/04/23 17:06:54.0250 2832 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys 2011/04/23 17:06:54.0390 2832 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys 2011/04/23 17:06:54.0468 2832 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys 2011/04/23 17:06:54.0515 2832 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys 2011/04/23 17:06:54.0562 2832 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys 2011/04/23 17:06:54.0609 2832 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys 2011/04/23 17:06:54.0781 2832 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys 2011/04/23 17:06:54.0859 2832 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys 2011/04/23 17:06:54.0921 2832 urvpndrv (0f3efed5f759e0b8fe052546c5155ed5) C:\WINDOWS\system32\DRIVERS\covpndrv.sys 2011/04/23 17:06:54.0984 2832 USBAAPL (e8c1b9ebac65288e1b51e8a987d98af6) C:\WINDOWS\system32\Drivers\usbaapl.sys 2011/04/23 17:06:55.0031 2832 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys 2011/04/23 17:06:55.0062 2832 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys 2011/04/23 17:06:55.0093 2832 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys 2011/04/23 17:06:55.0140 2832 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys 2011/04/23 17:06:55.0203 2832 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys 2011/04/23 17:06:55.0250 2832 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 2011/04/23 17:06:55.0296 2832 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys 2011/04/23 17:06:55.0328 2832 VgaSave 
(0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys 2011/04/23 17:06:55.0375 2832 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys 2011/04/23 17:06:55.0437 2832 vsdatant (0354ba3a5ba5e28cc247eb5f5dd8793c) C:\WINDOWS\system32\vsdatant.sys 2011/04/23 17:06:55.0546 2832 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys 2011/04/23 17:06:55.0609 2832 Wdf01000 (060e8cb99cc0a6751db5810c042b0d45) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 2011/04/23 17:06:55.0687 2832 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys 2011/04/23 17:06:55.0765 2832 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys 2011/04/23 17:06:55.0812 2832 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS 2011/04/23 17:06:55.0875 2832 xusb21 (ee9144207ee0211eb5656ba6808ac4a0) C:\WINDOWS\system32\DRIVERS\xusb21.sys 2011/04/23 17:06:55.0984 2832 ================================================================================ 2011/04/23 17:06:55.0984 2832 Scan finished 2011/04/23 17:06:55.0984 2832 ================================================================================ RKU RkU Version: 3.8.388.590, Type LE (SR2) ============================================== OS Name: Windows XP Version 5.1.2600 (Service Pack 3) Number of processors #4 ============================================== >Drivers ============================================== 0xB92F2000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 6283264 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 182.50 ) 0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 6189056 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 182.50 ) 0xB6600000 C:\WINDOWS\system32\DRIVERS\lvuvc.sys 3641344 bytes (Logitech Inc., Logitech USB Video Class Driver) 0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2265088 bytes (Microsoft Corporation, NT 
Kernel & System) 0x804D7000 PnpManager 2265088 bytes 0x804D7000 RAW 2265088 bytes 0x804D7000 WMIxWDM 2265088 bytes 0xB6979000 C:\WINDOWS\system32\DRIVERS\LVMVDrv.sys 2138112 bytes (Logitech Inc., Logitech Machine Vision Engine Loader) 0xB622A000 C:\WINDOWS\system32\DRIVERS\LVcKap.sys 2105344 bytes (Logitech Inc., Logitech Kernel Audio Processing Filter Driver) 0xB642C000 C:\WINDOWS\system32\DRIVERS\lvpopflt.sys 1916928 bytes (Logitech Inc., Logitech AudioProcessing Filter Driver) 0xBF800000 Win32k 1859584 bytes 0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver) 0xB919B000 C:\WINDOWS\system32\drivers\Envy24HF.sys 655360 bytes (VIA - IC Ensemble, Inc., Envy24 Family Audio Controller WDM) 0xB5A2E000 C:\WINDOWS\system32\Drivers\CVPNDRVA.sys 589824 bytes (Cisco Systems, Inc., Cisco Systems VPN Client IPSec Driver) 0xF7B52000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver) 0xB6C71000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr) 0xB57BE000 C:\WINDOWS\system32\vsdatant.sys 393216 bytes (Zone Labs, LLC, TrueVector Device Driver) 0xB8FCD000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver) 0xB6DF1000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver) 0xB590E000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver) 0xBF5F9000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver) 0xB50F8000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack) 0xB923B000 C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys 212992 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver ) 0xB9053000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector) 0xF75A8000 ACPI.sys 188416 bytes 
(Microsoft Corporation, ACPI Driver for NT) 0xB5BD6000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr) 0xF7424000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver) 0xB4365000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer) 0xB6CE1000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver) 0xB9292000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a) 0xB6DA3000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver) 0xB6C4B000 C:\WINDOWS\system32\DRIVERS\avipbb.sys 155648 bytes (Avira GmbH, Avira Driver for Security Enhancement) 0xF74B2000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver) 0xB6DCB000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator) 0xB6D5C000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys 151552 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS) 0xB9177000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices)) 0xB92BA000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver) 0xB926F000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library) 0xB6D81000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock) 0x80700000 ACPI_HAL 134400 bytes 0x80700000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL) 0xF747A000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager) 0xF74D8000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver) 0xB90BF000 
C:\WINDOWS\system32\DRIVERS\dne2000.sys 122880 bytes (Deterministic Networks, Inc., Deterministic Network Enhancer) 0xF740A000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver) 0xF749A000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver) 0xB6212000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes 0xF7451000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface) 0xB9094000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption)) 0xB5E5B000 C:\WINDOWS\system32\DRIVERS\avgntflt.sys 86016 bytes (Avira GmbH, Avira Minifilter Driver) 0xB55F1000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper) 0xB9163000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver) 0xB92DE000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver) 0xB6E4A000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver) 0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver) 0xF7468000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver) 0xF7597000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator) 0xB9083000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler) 0xF7527000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver) 0xBA716000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver) 0xF76B7000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver) 0xF7687000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter) 0xBA706000 
C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver) 0xB569E000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter) 0xBA796000 C:\WINDOWS\system32\drivers\usbaudio.sys 61440 bytes (Microsoft Corporation, USB Audio Class Driver) 0xF7587000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB) 0xF7637000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll) 0xF76C7000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver) 0xB9940000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver) 0xF7617000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver) 0xB9920000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol) 0xF7547000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver) 0xBA726000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver) 0xF7607000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager) 0xB9930000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver) 0xF75F7000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver) 0xB98F0000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy) 0xB9900000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver) 0xF7627000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver) 0xF7517000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library) 0xBA736000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver) 0xF74F7000 
C:\WINDOWS\system32\drivers\LVUSBSta.sys 36864 bytes (Logitech Inc., USB Statistic Driver) 0xB9910000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier) 0xF7557000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver) 0xB4484000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver) 0xF7647000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP) 0xF7567000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver) 0xF7787000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver) 0xB6D34000 C:\WINDOWS\nvoclock.sys 32768 bytes (NVidia Corp., NVidia System Utility Driver) 0xF77BF000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver) 0xF77D7000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver) 0xB6D2C000 C:\DOCUME~1\VAMOSR~1\LOCALS~1\Temp\ALSysIO.sys 28672 bytes 0xF77E7000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver) 0xF77A7000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library) 0xF7707000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension) 0xF779F000 C:\WINDOWS\system32\drivers\dadder.sys 24576 bytes (Razer (Asia-Pacific) Pte Ltd, Razer Habu USB Optical Mouse Driver) 0xF77DF000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter) 0xF77EF000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver) 0xF7817000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver) 0xF7797000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes 
(SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS) 0xF778F000 C:\WINDOWS\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver) 0xF77CF000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver) 0xF7777000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver) 0xF772F000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver) 0xF77B7000 C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys 20480 bytes (-, -) 0xF777F000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver) 0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager) 0xF7807000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library) 0xF780F000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver) 0xF77FF000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper) 0xF77C7000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver) 0xBA7AE000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver) 0xB5E3B000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver) 0xBA7D6000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator) 0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver) 0xB6E89000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver) 0xBA7D2000 C:\WINDOWS\system32\DRIVERS\fsvga.sys 12288 bytes (Microsoft Corporation, Full Screen Video Driver) 0xB9037000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices) 0xB7EC1000 
C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver) 0xBA7C6000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver) 0xBA7F2000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver) 0xF7A05000 C:\Program Files\Avira\AntiVir Desktop\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter) 0xF79FD000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver) 0xF798B000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver) 0xF79A1000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes 0xF79FB000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver) 0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL) 0xF79FF000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator) 0xF7A09000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver) 0xF7A01000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport) 0xF79CD000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator) 0xF79E7000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver) 0xF7989000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll) 0xBA3B3000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver) 0xBA240000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk) 0xF7A76000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver) 0xF7A4F000 pciide.sys 4096 bytes (Microsoft Corporation, 
Generic PCI IDE Bus Driver) ============================================== >Stealth ==============================================
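The TDSSKiller driver listing above is raw data that a responder triages two ways: by where each driver was loaded from, and by comparing each MD5 against a known-good baseline. The script below is an added example for this thread, not a tool anyone in the thread ran. It parses lines in TDSSKiller's format, flags drivers loaded from outside the usual driver directories or from a temp/profile directory, and reports hashes that differ from a baseline. The sample lines are copied from the log above, except the ALSysIO line, which is constructed (the path is taken from the RkU listing, the all-zero hash is a placeholder), and the baseline dict is constructed for demonstration: its sptd value is deliberately wrong so the mismatch path fires. A flag is a prompt to look closer, not a verdict; legitimate vendor drivers (overclocking utilities, virtual-drive software, anti-cheat) routinely live in odd places.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One line per driver, as TDSSKiller prints it: date time pid name (md5) path
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2})\s+(?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*?)\s*$"
)

# Directories where XP normally keeps drivers; anything loaded from elsewhere is worth a look.
STANDARD_DIRS = {"c:\\windows\\system32\\drivers", "c:\\windows\\system32"}
# Path fragments that mean "user-writable scratch space", which is not where a driver belongs.
TEMP_MARKERS = ("\\temp\\", "\\local settings\\", "\\locals~1\\")

# Sample input: lines copied from the TDSSKiller log in this thread, plus one
# constructed ALSysIO line (path from the RkU listing, placeholder hash) and the
# tool's "Scan finished" banner to show that non-driver lines are skipped.
SAMPLE_LOG = r"""
2011/04/23 17:06:46.0203 2832 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/23 17:06:48.0140 2832 gdrv (b6bfec7542730e9a376bf2408423d493) C:\WINDOWS\gdrv.sys
2011/04/23 17:06:52.0156 2832 NVR0Dev (61d6b1c71ad94f8485e966bebc36d092) C:\WINDOWS\nvoclock.sys
2011/04/23 17:06:53.0421 2832 SASDIFSV (5bf35c4ea3f00fa8d3f1e5bf03d24584) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/04/23 17:06:53.0937 2832 sptd (0c1dad75274cb6e31f053ce3e08bf9c3) C:\WINDOWS\system32\Drivers\sptd.sys
2011/04/23 17:06:56.0000 2832 ALSysIO (00000000000000000000000000000000) C:\DOCUME~1\VAMOSR~1\LOCALS~1\Temp\ALSysIO.sys
2011/04/23 17:06:55.0984 2832 Scan finished
"""

# Constructed baseline (name -> md5). In practice this comes from a clean
# machine with the same OS build and patch level. The sptd value is deliberately
# wrong so the mismatch path is exercised.
BASELINE: Dict[str, str] = {
    "atapi": "9f3a2f5aa6875c72bf062c712cfa2674",
    "sptd": "ffffffffffffffffffffffffffffffff",
}


@dataclass
class DriverEntry:
    name: str
    md5: str
    path: str


def parse_tdsskiller(text: str) -> List[DriverEntry]:
    """Parse TDSSKiller driver lines; banners and other non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(DriverEntry(m["name"], m["md5"].lower(), m["path"]))
    return entries


def location_finding(path: str) -> Optional[str]:
    """Return a reason string if the load path is unusual, else None."""
    lower = path.lower()
    if any(marker in lower for marker in TEMP_MARKERS):
        return "loaded from a temp or user-profile directory"
    directory = lower.rsplit("\\", 1)[0]
    if directory in STANDARD_DIRS or directory.startswith("c:\\program files\\"):
        return None
    return "outside the usual driver directories"


def triage(entries: List[DriverEntry], baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Map driver name -> list of reasons it deserves a closer look."""
    findings: Dict[str, List[str]] = {}
    for entry in entries:
        reasons = []
        where = location_finding(entry.path)
        if where:
            reasons.append(where)
        expected = baseline.get(entry.name.lower())
        if expected is not None and expected.lower() != entry.md5:
            reasons.append("md5 differs from baseline")
        if reasons:
            findings[entry.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_tdsskiller(SAMPLE_LOG), BASELINE).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The hash check is only as good as the baseline: the value must come from a trusted clean system or a vendor catalogue, never from the suspect machine itself, because a rootkit that patches a boot-start driver in place (the atapi.sys technique TDSSKiller was built to find) is exactly what leaves the file name and location looking normal.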
  11. That seemed to do the trick! Computer is noticeably faster in starting up, opening windows, etc. I can't elicit any pop-ups/redirects on google, svchost.exe is being quiet, and my sound is working so far. I will update you if anything changes. Only remaining issue is that there is a Windows Security alert saying automatic update is turned off when it is turned on. Annoying, but nothing too troubling. You the man, Kenny.
  12. I reset the router and flushed the DNS but still having pop-ups/redirects. Svchost.exe hasn't been acting up since the reset, but I'll keep an eye on it. Sound is still messed up. Thanks!
  13. The log from Kaspersky Virus Remover Tool is below. An update on my computer symptoms: I am still getting google redirects and pop-ups. Svchost.exe also goes active randomly, consuming CPU/memory usage. I also get the same problem with a "generic host process" error that seems to mess with my audio drivers/codecs. When I restart my computer, my sound is working fine, but within 20-30 minutes, an error message pops up saying "Generic host process for Win32 services has encountered a problem and needs to close" and my sound no longer works for video files. There also seems to be some issue with the Nvidia control panel detecting my GPU. In general the computer is very slow to shut down, restart, etc. Thanks for your help!

Autoscan: completed 1 minute ago (events: 6, objects: 240615, time: 01:49:01)
4/23/2011 12:52:58 PM Task started
4/23/2011 1:03:25 PM Detected: Trojan.Win32.Menti.ggwd C:\Documents and Settings\Vamos Rafa\Application Data\Sun\Java\Deployment\cache\6.0\37\34981665-719c6878
4/23/2011 1:04:12 PM Deleted: Trojan.Win32.Menti.ggwd C:\Documents and Settings\Vamos Rafa\Application Data\Sun\Java\Deployment\cache\6.0\37\34981665-719c6878
4/23/2011 2:18:58 PM Detected: Trojan.Win32.Menti.ggwd C:\Qoobox\Quarantine\C\Documents and Settings\Vamos Rafa\Local Settings\Application Data\gfx.exe.vir
4/23/2011 2:19:53 PM Deleted: Trojan.Win32.Menti.ggwd C:\Qoobox\Quarantine\C\Documents and Settings\Vamos Rafa\Local Settings\Application Data\gfx.exe.vir
4/23/2011 2:41:59 PM Task completed
  14. Ah. Sorry, false alarm. After about an hour or so, the install finished. Will post back with an update. Thanks
  15. The installation halts at "Extracting files" and does not progress any further than that. Occasionally, a message pops up reading: "The software you are installing for this hardware: ActivityMonitor has not passed Windows Logo testing to verify its compatibility with Windows XP" I hit "Continue Anyway," but the install is still stuck at "Extracting files."
  16. Combofix and MBAM ran without issue. Logs are below.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6420

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

4/22/2011 2:02:09 PM
mbam-log-2011-04-22 (14-02-09).txt

Scan type: Quick scan
Objects scanned: 155859
Time elapsed: 3 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Vamos Rafa\Local Settings\Application Data\gfx.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  17. Just a brief update: Unfortunately, XP Security 2011 just popped up on my computer. I have not taken any action against it. Not sure what brought on this seemingly new infection, but I will limit my use of this computer as much as possible from now on. Thanks.
  18. Both TFC and ComboFix ran without any issues. Apologies for attaching the ComboFix log, but the post was over the limit. ComboFix 4-21-11.txt
  19. I have also tried renaming the TDSSKiller file to no avail. Thanks, Kenny.
  20. The same problem occurs when I boot in safe mode. It initializes to 80%, an error message pops up, and the program never starts.
  21. Kenny, TDSSKiller initializes to 80%, then an error message pops up saying that it has encountered a problem and needs to close. I have restarted my computer but still cannot get it to run. Thanks.
  22. Kenny, Find below my Combofix log. Not sure if this is helpful or relevant, but a few things I noticed: 1) When Combofix was starting up, a message came up saying I was not using Windows XP (which I am) and that Combofix only works with Windows XP/2000 2) An error message came up while Combofix was running saying that my Malwarebytes "Quarantine" folder was corrupt and that I need to run ChkDsk 3) ChkDsk ran when my computer was rebooted. I don't think any errors were found, and Windows started up normally. 4) Still getting pop-ups. Also, it seems that I can no longer hit the "enter" key in the Firefox address bar. Rather, I need to click the "go" button to go to web pages. The enter key appears to be working fine everywhere else. Thanks for your help. ComboFix 11-04-20.01 - Vamos Rafa 04/20/2011 18:48:32.11.4 - x86 Running from: c:\documents and settings\Vamos Rafa\Desktop\ComboFix.exe . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . 
c:\documents and settings\Vamos Rafa\Application Data\Adobe\plugs c:\documents and settings\Vamos Rafa\Application Data\Adobe\shed c:\documents and settings\Vamos Rafa\Application Data\FFSJ c:\documents and settings\Vamos Rafa\Application Data\FFSJ\FFSJ.cfg c:\documents and settings\Vamos Rafa\Local Settings\Application Data\{91EC9C83-8975-4713-BE75-2B9CF5E8E2F2} c:\documents and settings\Vamos Rafa\Local Settings\Application Data\{91EC9C83-8975-4713-BE75-2B9CF5E8E2F2}\chrome.manifest c:\documents and settings\Vamos Rafa\Local Settings\Application Data\{91EC9C83-8975-4713-BE75-2B9CF5E8E2F2}\chrome\content\_cfg.js c:\documents and settings\Vamos Rafa\Local Settings\Application Data\{91EC9C83-8975-4713-BE75-2B9CF5E8E2F2}\chrome\content\overlay.xul c:\documents and settings\Vamos Rafa\Local Settings\Application Data\{91EC9C83-8975-4713-BE75-2B9CF5E8E2F2}\install.rdf c:\hijackthis\HijackThis.exe c:\windows\system32\drivers\etc\lmhosts c:\windows\system32\pthreadVC.dll . . ((((((((((((((((((((((((( Files Created from 2011-03-20 to 2011-04-20 ))))))))))))))))))))))))))))))) . . 2011-04-20 07:32 . 2011-04-20 07:32 -------- d-----w- c:\documents and settings\Vamos Rafa\Application Data\Avira 2011-04-20 02:57 . 2011-03-04 20:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys 2011-04-20 02:57 . 2011-03-04 18:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2011-04-20 02:57 . 2010-06-17 18:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys 2011-04-20 02:57 . 2010-06-17 18:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys 2011-04-20 02:57 . 2011-04-20 02:57 -------- d-----w- c:\program files\Avira 2011-04-20 02:57 . 2011-04-20 02:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2011-04-19 03:40 . 2011-03-02 10:43 175616 ----a-w- c:\windows\system32\unrar.dll 2011-04-19 03:40 . 2011-04-19 03:40 -------- d-----w- c:\program files\K-Lite Codec Pack 2011-04-18 05:05 . 
2011-04-18 05:05 -------- d-s---w- c:\documents and settings\NetworkService\UserData 2011-04-18 04:55 . 2011-04-18 04:55 0 ----a-w- c:\windows\Ssexohoqusi.bin 2011-04-18 04:53 . 2011-04-18 04:54 -------- d-----w- c:\documents and settings\Vamos Rafa\Application Data\3027DCEB6FF29DEB4472D78FD4EFABF5 2011-03-27 01:13 . 2011-03-27 01:13 -------- d-----w- c:\documents and settings\Vamos Rafa\Application Data\Leadertech 2011-03-24 05:58 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll 2011-03-24 05:58 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll 2011-03-24 05:58 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll 2011-03-24 05:58 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll 2011-03-24 05:58 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll 2011-03-24 05:58 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll 2011-03-24 05:58 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll 2011-03-24 05:58 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll 2011-03-23 15:57 . 2011-03-23 15:57 -------- d-----w-gram Files C:\POGRAM~1 . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-03-07 05:33 . 2008-03-20 16:32 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-03-04 06:45 . 2004-08-04 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll 2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys 2011-02-17 13:51 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll 2011-02-17 13:51 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll 2011-02-17 13:51 . 2004-08-04 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx 2011-02-17 13:18 . 
2004-08-04 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2011-02-17 13:18 . 2004-08-04 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys 2011-02-17 12:37 . 2004-08-04 12:00 369664 ----a-w- c:\windows\system32\html.iec 2011-02-17 12:32 . 2009-04-17 06:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2011-02-15 12:56 . 2004-08-04 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll 2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll 2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll 2011-02-08 13:33 . 2004-08-04 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll 2011-02-08 13:33 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll 2011-02-02 07:58 . 2008-03-20 16:30 2067456 ----a-w- c:\windows\system32\mstscax.dll 2011-01-27 11:57 . 2008-03-20 16:30 677888 ----a-w- c:\windows\system32\mstsc.exe 2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll 2008-04-08 17:46 . 2008-04-08 17:46 1292 ----a-w- c:\program files\ffdsasetts.reg 2008-04-08 17:46 . 2008-04-08 17:44 680 ----a-w- c:\program files\mpc2.reg 2008-04-08 17:46 . 2008-04-08 17:44 596 ----a-w- c:\program files\mpc1.reg 2008-04-08 17:46 . 2008-04-08 17:44 4608 ----a-w- c:\program files\mpc4.reg 2008-04-08 17:46 . 2008-04-08 17:44 3476 ----a-w- c:\program files\mpc7.reg 2008-04-08 17:46 . 2008-04-08 17:44 3026 ----a-w- c:\program files\mpc3.reg 2008-04-08 17:46 . 2008-04-08 17:44 27260 ----a-w- c:\program files\ffdssetts.reg 2008-04-08 17:46 . 2008-04-08 17:44 24316 ----a-w- c:\program files\ffdsvsetts.reg 2008-04-08 17:46 . 2008-04-08 17:44 18156 ----a-w- c:\program files\mpc6.reg 2008-04-08 17:46 . 2008-04-08 17:44 16486 ----a-w- c:\program files\mpc5.reg 2008-02-14 22:23 . 2008-02-14 22:23 231944 ----a-w- c:\program files\gwflash.exe 2007-09-22 03:42 . 2007-09-22 03:42 19008 ----a-w- c:\program files\markfun.a64 2007-08-22 03:49 . 
2007-08-22 03:49 17912 ----a-w- c:\program files\markfun.w32 2007-03-02 12:48 . 2007-03-02 12:48 240448 ----a-w- c:\program files\gwf32.exe 2006-11-24 07:47 . 2006-11-24 07:47 207680 ----a-w- c:\program files\BIOS_Run.exe 2005-04-28 03:40 . 2005-04-28 03:40 6800 ----a-w- c:\program files\W95_HUA.vxd 2011-03-18 17:53 . 2011-03-24 05:58 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ------- Sigcheck ------- . Cryptography Services Error !! . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952] "nwiz"="nwiz.exe" [2009-03-28 1657376] "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13684736] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 86016] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120] "InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768] . 
c:\documents and settings\All Users\Start Menu\Programs\Startup\ VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-4-23 6144] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice] @="" . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\EA Games\\Ultima Online 2D Client\\client.exe"= "c:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"= "c:\\Program Files\\GIGABYTE\\@BIOS\\update.exe"= "c:\\Program Files\\gwflash.exe"= "c:\\WINDOWS\\system32\\dxdiag.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\GIGABYTE\\@BIOS\\BIOS_Run.exe"= "c:\\Documents and Settings\\Vamos Rafa\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"= "c:\\Documents and Settings\\Vamos Rafa\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"= "c:\\ijji\\ENGLISH\\u_gunz.exe"= "c:\\ijji\\ENGLISH\\Gunz\\Gunz.exe"= "c:\\Program Files\\FlashGet\\flashget.exe"= "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"= "c:\\Program Files\\ijji\\ijji REACTOR\\REACTOR.exe"= "c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"= "c:\\Program Files\\Razer\\DeathAdder\\razertra.exe"= "c:\\Program Files\\Razer\\DeathAdder\\razerofa.exe"= 
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"= "c:\\Program Files\\Steam\\Steam.exe"= "c:\\Program Files\\Steam\\steamapps\\jameshieu@yahoo.com\\counter-strike\\hl.exe"= "c:\\Program Files\\Steam\\steamapps\\jameshieu@yahoo.com\\dark messiah might and magic multi-player\\mm.exe"= "c:\\WINDOWS\\system32\\PnkBstrA.exe"= "c:\\WINDOWS\\system32\\PnkBstrB.exe"= "c:\\Program Files\\Kodak\\PACS\\uvapa\\mv_client\\LoaderExe.exe"= "c:\\Program Files\\Kodak\\PACS\\uvapa\\mv_client\\mp.exe"= "c:\\Program Files\\StarCraft II\\StarCraft II.exe"= "c:\\Program Files\\StarCraft II\\Versions\\Base17326\\SC2.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\StarCraft II\\Versions\\Base18092\\SC2.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "17327:TCP"= 17327:TCP:utorrent "38511:TCP"= 38511:TCP:utorrent "2104:TCP"= 2104:TCP:Kodak DirectView Port 2104 "2105:TCP"= 2105:TCP:Kodak DirectView Port 2105 . 
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x] R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x] R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [x] R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x] R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x] R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [x] R3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2008-09-04 10744] R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-04-27 2870429] R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-10-13 7408] R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x] R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\covpndrv.sys [2008-09-04 33400] R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-03-21 715248] S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-10-13 9968] S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-10-13 74480] S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-04 135336] S3 ALSysIO;ALSysIO;c:\docume~1\VAMOSR~1\LOCALS~1\Temp\ALSysIO.sys [x] S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-08-03 22784] S3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [2007-12-01 651712] . . --- Other Services/Drivers In Memory --- . *NewlyCreated* - ALSYSIO *NewlyCreated* - ASWMBR *Deregistered* - aswMBR *Deregistered* - pxtdipob . Contents of the 'Scheduled Tasks' folder . 2011-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1292428093-725345543-1003Core1cbff877ea096b4.job - c:\documents and settings\Vamos Rafa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-28 01:54] . 
2011-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1292428093-725345543-1003UA.job - c:\documents and settings\Vamos Rafa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-28 01:54] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com uInternet Settings,ProxyOverride = *.local IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 DPF: {8E49176D-5B2E-4391-AA56-212161D660DE} - hxxp://pacs.hscs.virginia.edu/plugin/JavaSettings.exe FF - ProfilePath - c:\documents and settings\Vamos Rafa\Application Data\Mozilla\Firefox\Profiles\6320ji3r.default\ FF - prefs.js: browser.startup.homepage - google.com FF - prefs.js: network.proxy.type - 0 . - - - - ORPHANS REMOVED - - - - . AddRemove-HijackThis - c:\hijackthis\HijackThis.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-04-20 19:21 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . . 
scan completed successfully
hidden files: 67
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3320620AS rev.3.AAE -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-12
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89B4433B
user & kernel MBR OK
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\controlset004\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1004)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\System32\dimsntfy.dll
.
Completion time: 2011-04-20 19:29:39
ComboFix-quarantined-files.txt 2011-04-20 23:29
.
Pre-Run: 95,919,706,112 bytes free
Post-Run: 96,015,224,832 bytes free
.
Current=4 Default=4 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 5F10CAAB2BE8DFC0382BB3E7A96B3FC5
  23. Hi Kenny, Thanks for the quick reply. Below is the log from aswMBR.
aswMBR version 0.9.4 Copyright© 2011 AVAST Software
Run date: 2011-04-20 17:53:33
-----------------------------
17:53:33.046 OS Version: Windows 5.1.2600 Service Pack 3
17:53:33.046 Number of processors: 4 586 0xF0B
17:53:33.046 ComputerName: HIEU UserName:
17:53:33.765 Initialize success
17:53:37.203 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-12
17:53:37.203 Disk 0 Vendor: ST3320620AS 3.AAE Size: 305244MB BusType: 3
17:53:37.203 Device \Driver\atapi -> DriverStartIo 89b4433b
17:53:37.203 Disk 0 MBR read error
17:53:37.203 Disk 0 MBR scan
17:53:37.218 MBR BIOS signature not found 0
17:53:37.218 Disk 0 scanning sectors +625121280
17:53:37.218 Disk 0 scanning C:\WINDOWS\system32\drivers
17:53:52.671 Service scanning
17:53:53.562 Disk 0 trace - called modules:
17:53:53.562 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89b444f0]<<
17:53:53.562 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89ba6ab8]
17:53:53.562 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\00000081[0x89bba9e8]
17:53:53.562 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> [0x89bab940]
17:53:53.578 \Driver\atapi[0x89b74b40] -> IRP_MJ_CREATE -> 0x89b444f0
17:53:53.578 Scan finished successfully
  24. Hey all, I have been experiencing Google redirects, pop-ups, and an annoying "generic host process" error that seems to shut down my audio a few minutes after Windows starts. During the first few runs of MBAM, Trojan Hiloti was found, but my symptoms keep worsening. Recent few scans with MBAM have been clean. I also recently uninstalled AVG and am now running Avira. A million thanks for your help. It is unbelievable what you guys do here.
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6404
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
4/20/2011 6:08:55 AM
mbam-log-2011-04-20 (06-08-55).txt
Scan type: Quick scan
Objects scanned: 159550
Time elapsed: 6 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Vamos Rafa at 6:11:32.10 on Wed 04/20/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21
.
============== Running Processes ===============
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Documents and Settings\Vamos Rafa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Vamos Rafa\My Documents\New2\OC\Core Temp.exe
C:\Documents and Settings\Vamos Rafa\Desktop\dds.scr
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [Google Update] "c:\documents and settings\vamos rafa\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe
mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [nwiz] nwiz.exe /install
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [instaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - hxxps://uplink.healthsystem.virginia.edu/vdesk/terminal/urxvpn.cab#version=6030,2008,904,1951
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://uplink.healthsystem.virginia.edu/vdesk/terminal/f5tunsrv.cab#version=6030,2008,904,1947
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - c:\docume~1\vamosr~1\locals~1\temp\ixp000.tmp\InstallerControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {8E49176D-5B2E-4391-AA56-212161D660DE} - hxxp://pacs.hscs.virginia.edu/plugin/JavaSettings.exe
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://uplink.healthsystem.virginia.edu/vdesk/terminal/urxshost.cab#version=6030,2008,904,1945
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://uplink.healthsystem.virginia.edu/vdesk/terminal/urxhost.cab#version=6030,2008,904,1940
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\vamosr~1\applic~1\mozilla\firefox\profiles\6320ji3r.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\vamos rafa\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\vamos rafa\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\vamos rafa\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\j2re1.4.2_05\bin\NPJPI142_05.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
.
============= SERVICES / DRIVERS ===============
.
R? AVGIDSDriver;AVGIDSDriver
R? AVGIDSEH;AVGIDSEH
R? AVGIDSFilter;AVGIDSFilter
R? AVGIDSShim;AVGIDSShim
R? f5ipfw;F5 Networks StoneWall Filter
R? npggsvc;nProtect GameGuard Service
R? SASENUM;SASENUM
R? TfFsMon;TfFsMon
R? TfNetMon;TfNetMon
R? TfSysMon;TfSysMon
R? urvpndrv;F5 Networks VPN Adapter
S? ALSysIO;ALSysIO
S? AntiVirSchedulerService;Avira AntiVir Scheduler
S? AntiVirService;Avira AntiVir Guard
S? avgio;avgio
S? avgntflt;avgntflt
S? DAdderFltr;DeathAdder Mouse
S? Envy24HFS;ICE Envy24 Family Audio Controller WDM
S? SASDIFSV;SASDIFSV
S? SASKUTIL;SASKUTIL
S? vsdatant;vsdatant
.
=============== Created Last 30 ================
.
2011-04-20 07:32:58 -------- d-----w- c:\docume~1\vamosr~1\applic~1\Avira
2011-04-20 02:57:38 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-20 02:57:37 -------- d-----w- c:\program files\Avira
2011-04-20 02:57:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-04-19 03:40:16 175616 ----a-w- c:\windows\system32\unrar.dll
2011-04-19 03:40:14 -------- d-----w- c:\program files\K-Lite Codec Pack
2011-04-18 04:55:09 0 ----a-w- c:\windows\Ssexohoqusi.bin
2011-04-18 04:55:08 -------- d-----w- c:\docume~1\vamosr~1\locals~1\applic~1\{91EC9C83-8975-4713-BE75-2B9CF5E8E2F2}
2011-04-18 04:53:48 -------- d-----w- c:\docume~1\vamosr~1\applic~1\3027DCEB6FF29DEB4472D78FD4EFABF5
2011-03-24 05:58:23 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-03-24 05:58:23 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-03-24 05:58:23 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-03-24 05:58:23 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-03-24 05:58:23 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-03-24 05:58:23 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-03-24 05:58:23 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-03-24 05:58:23 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-03-23 15:57:31 -------- d-----w- C:\P?ogram Files
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 13:51:57 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51:57 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51:57 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 12:37:38 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2008-04-08 17:46:28 680 ----a-w- c:\program files\mpc2.reg
2008-04-08 17:46:28 596 ----a-w- c:\program files\mpc1.reg
2008-04-08 17:46:28 4608 ----a-w- c:\program files\mpc4.reg
2008-04-08 17:46:28 3476 ----a-w- c:\program files\mpc7.reg
2008-04-08 17:46:28 3026 ----a-w- c:\program files\mpc3.reg
2008-04-08 17:46:28 27260 ----a-w- c:\program files\ffdssetts.reg
2008-04-08 17:46:28 24316 ----a-w- c:\program files\ffdsvsetts.reg
2008-04-08 17:46:28 18156 ----a-w- c:\program files\mpc6.reg
2008-04-08 17:46:28 16486 ----a-w- c:\program files\mpc5.reg
2008-04-08 17:46:28 1292 ----a-w- c:\program files\ffdsasetts.reg
2008-02-14 22:23:12 231944 ----a-w- c:\program files\gwflash.exe
2007-09-22 03:42:42 19008 ----a-w- c:\program files\markfun.a64
2007-08-22 03:49:28 17912 ----a-w- c:\program files\markfun.w32
2007-03-02 12:48:50 240448 ----a-w- c:\program files\gwf32.exe
2006-11-24 07:47:50 207680 ----a-w- c:\program files\BIOS_Run.exe
2005-04-28 03:40:26 6800 ----a-w- c:\program files\W95_HUA.vxd
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3320620AS rev.3.AAE -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-12
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89B444F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89b4a7d0]; MOV EAX, [0x89b4a84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x89BA6AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000081[0x89BBA9E8]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x89BAB940]
\Driver\atapi[0x89B74B40] -> IRP_MJ_CREATE -> 0x89B444F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89B4433B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 6:15:11.96 ===============
attach.zip