
Conhost.exe, PING.exe and redirects



Hello MB community,

A few weeks ago I had to format and reinstall my whole system because of a "malware" causing PING.exe to run numerous times simultaneously (along with conhost.exe) and therefore slowing my system and possibly doing things I don't want to know to my personal data. I also had many redirects, mainly to Google and eBay. Surfing the net was becoming impossible.

I looked for answers on the net but couldn't really find any.

I ran MB, Search and destroy, AVG.... no threats found.

When I tried reinstalling Win 7 after the format, it would not reinstall; I had to completely erase my HDD with a tool whose name I forgot, from my other WinXP system. It worked afterwards.

I now have the same problems today. It started yesterday, as a matter of fact.

The only changes I can remember are: downloading a trainer for a game (which I didn't download in the previous version of the same problem), and Adobe Flash Player updating.

Following this thread (I have the same problems), I have downloaded and run FRST64.exe off a USB key at Windows startup (pressed F8).

Here is the log:

Scan result of Farbar Recovery Scan Tool Version: 15-06-2012 01

Ran by SYSTEM at 16-06-2012 10:15:11

Running from I:\

Microsoft Windows XP (X64) OS Language: English(US)

The current controlset is ControlSet001

ATTENTION!:=====> THE OPERATING SYSTEM IS A X86 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X64 SYSTEM DISK.

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Alcmtr] ALCMTR.EXE [x]

HKLM\...\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE [x]

HKLM\...\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE [221184 2004-10-08] (Logitech Inc.)

HKU\Default User\...\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE [15360 2008-04-14] (Microsoft Corporation)

HKU\LocalService\...\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE [15360 2008-04-14] (Microsoft Corporation)

HKU\NetworkService\...\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE [15360 2008-04-14] (Microsoft Corporation)

HKU\siluvatar\...\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun [691656 2009-04-23] (DT Soft Ltd)

HKU\siluvatar\...\Policies\system: [DisableCMD] 0

HKLM-x32\...\Winlogon: [userinit] [x]

HKLM-x32\...\Winlogon: [shell] [x ] ()

Winlogon\Notify\AtiExtEvent: Ati2evxx.dll (ATI Technologies Inc.)

Winlogon\Notify\avgrsstarter: avgrsstx.dll (AVG Technologies CZ, s.r.o.)

Winlogon\Notify\crypt32chain: crypt32.dll (Microsoft Corporation)

Winlogon\Notify\cryptnet: cryptnet.dll (Microsoft Corporation)

Winlogon\Notify\cscdll: cscdll.dll (Microsoft Corporation)

Winlogon\Notify\dimsntfy: %SystemRoot%\System32\dimsntfy.dll (Microsoft Corporation)

Winlogon\Notify\ScCertProp: wlnotify.dll (Microsoft Corporation)

Winlogon\Notify\Schedule: wlnotify.dll (Microsoft Corporation)

Winlogon\Notify\sclgntfy: sclgntfy.dll (Microsoft Corporation)

Winlogon\Notify\SensLogn: WlNotify.dll (Microsoft Corporation)

Winlogon\Notify\termsrv: wlnotify.dll (Microsoft Corporation)

Winlogon\Notify\wlballoon: wlnotify.dll (Microsoft Corporation)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

AppInit_DLLs: prio.dll

HKLM\...\InprocServer32: [Default-shell32] %SystemRoot%\system32\shdocvw.dll ATTENTION! ====> ZeroAccess

==================== Services (Whitelisted) ======

3 a1uSbh; C:\WINDOWS\system32\edesktop\PCWizard\Data\pcwizntl.exe -s [22016 2009-06-23] (CPUID)

3 Adobe LM Service; "C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe" [72704 2010-06-28] (Adobe Systems)

3 Alerter; C:\Windows\System32\alrsvc.dll [17408 2008-04-14] (Microsoft Corporation)

3 aspnet_state; C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe [35160 2010-03-18] (Microsoft Corporation)

2 Ati HotKey Poller; C:\Windows\System32\Ati2evxx.exe [585728 2008-10-28] (ATI Technologies Inc.)

2 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [593920 2008-10-28] ()

3 avg9wd; "C:\Program Files\AVG\AVG9\avgwdsvc.exe" [308136 2010-07-15] (AVG Technologies CZ, s.r.o.)

3 CiSvc; C:\Windows\System32\cisvc.exe [5632 2008-04-14] (Microsoft Corporation)

4 ClipSrv; C:\Windows\System32\clipsrv.exe [33280 2008-04-14] (Microsoft Corporation)

3 dmadmin; C:\Windows\System32\dmadmin.exe /com [225280 2008-04-14] (Microsoft Corp., Veritas Software)

2 dmserver; C:\Windows\System32\dmserver.dll [24576 2008-04-14] (Microsoft Corp.)

2 ERSvc; C:\Windows\System32\ersvc.dll [23040 2008-04-14] (Microsoft Corporation)

2 Eventlog; C:\Windows\System32\services.exe [111104 2009-02-09] (Microsoft Corporation)

3 FastUserSwitchingCompatibility; C:\Windows\System32\shsvcs.dll [135680 2008-04-14] (Microsoft Corporation)

3 FLEXnet Licensing Service; "C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" [655624 2010-10-02] (Acresso Software Inc.)

3 FontCache3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [46104 2008-07-29] (Microsoft Corporation)

2 helpsvc; C:\Windows\PCHealth\HelpCtr\Binaries\pchsvc.dll [38400 2008-04-14] (Microsoft Corporation)

3 HTTPFilter; C:\Windows\System32\w3ssl.dll [15872 2008-04-14] (Microsoft Corporation)

3 idsvc; "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" [881664 2008-07-29] (Microsoft Corporation)

3 ImapiService; C:\WINDOWS\system32\imapi.exe [150528 2008-04-14] (Microsoft Corporation)

3 LBTServ; C:\Program Files\Fichiers communs\Logishrd\Bluetooth\LBTServ.exe [121360 2009-05-26] (Logitech, Inc.)

2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [304464 2010-04-29] (Malwarebytes Corporation)

4 Messenger; C:\Windows\System32\msgsvc.dll [33792 2008-04-14] (Microsoft Corporation)

3 mnmsrvc; C:\WINDOWS\system32\mnmsrvc.exe [32768 2008-04-14] (Microsoft Corporation)

4 NetDDE; C:\Windows\System32\netdde.exe [114176 2008-04-14] (Microsoft Corporation)

4 NetDDEdsdm; C:\Windows\System32\netdde.exe [114176 2008-04-14] (Microsoft Corporation)

4 NetTcpPortSharing; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [124240 2010-03-18] (Microsoft Corporation)

3 Nla; C:\Windows\System32\mswsock.dll [247808 2009-08-18] (Microsoft Corporation)

3 NMIndexingService; "C:\Program Files\Fichiers communs\Nero\Lib\NMIndexingService.exe" [537896 2008-06-24] (Nero AG)

3 NrlXUf; C:\WINDOWS\system32\edesktop\PCWizard\Data\pcwizntl.exe -s [22016 2009-06-23] (CPUID)

3 NtLmSsp; C:\Windows\System32\lsass.exe [13312 2008-04-14] (Microsoft Corporation)

3 NtmsSvc; C:\Windows\System32\ntmssvc.dll [438272 2008-04-14] (Microsoft Corporation)

3 OpenVPNService; C:\Program Files\OpenVPN\bin\openvpnserv.exe [36352 2009-11-02] ()

2 PLFlash DeviceIoControl Service; C:\WINDOWS\system32\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.)

2 PlugPlay; C:\Windows\System32\services.exe [111104 2009-02-09] (Microsoft Corporation)

2 PolicyAgent; C:\Windows\System32\lsass.exe [13312 2008-04-14] (Microsoft Corporation)

3 RDSessMgr; C:\WINDOWS\system32\sessmgr.exe [142848 2008-04-14] (Microsoft Corporation)

3 RSVP; C:\Windows\System32\rsvp.exe [132608 2008-04-14] (Microsoft Corporation)

3 SCardSvr; C:\Windows\System32\SCardSvr.exe [100352 2008-04-14] (Microsoft Corporation)

4 srservice; C:\WINDOWS\system32\srsvc.dll [171520 2008-04-14] (Microsoft Corporation)

3 SwPrv; C:\WINDOWS\system32\dllhost.exe /Processid:{E91917BD-1C7D-4B34-B939-3D9D34BF78ED} [5120 2008-04-14] (Microsoft Corporation)

3 SysmonLog; C:\Windows\System32\smlogsvc.exe [93184 2008-04-14] (Microsoft Corporation)

4 TlntSvr; C:\WINDOWS\system32\tlntsvr.exe [75264 2008-04-14] (Microsoft Corporation)

3 UPS; C:\Windows\System32\ups.exe [18432 2008-04-14] (Microsoft Corporation)

3 WmdmPmSN; C:\WINDOWS\system32\MsPMSNSv.dll [27136 2006-10-18] (Microsoft Corporation)

3 Wmi; C:\Windows\System32\advapi32.dll [685568 2009-02-09] (Microsoft Corporation)

3 WPFFontCache_v0400; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [753504 2010-03-18] (Microsoft Corporation)

2 wuauserv; C:\WINDOWS\system32\wuauserv.dll [6656 2008-04-14] (Microsoft Corporation)

2 WZCSVC; C:\Windows\System32\wzcsvc.dll [483840 2008-04-14] (Microsoft Corporation)

3 xmlprov; C:\Windows\System32\xmlprov.dll [129024 2008-04-14] (Microsoft Corporation)

3 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]

4 Nero BackItUp Scheduler 3; C:\Program files 2\Nero\Nero8\Nero BackItUp\NBService.exe [x]

========================== Drivers (Whitelisted) =============

4 ACPIEC; C:\Windows\System32\Drivers\ACPIEC.sys [12032 2008-04-14] (Microsoft Corporation)

3 aec; C:\Windows\System32\Drivers\aec.sys [142592 2008-04-12] (Microsoft Corporation)

3 Arp1394; C:\Windows\System32\Drivers\Arp1394.sys [60800 2008-04-14] (Microsoft Corporation)

1 AsIO; C:\Windows\System32\Drivers\AsIO.sys [12400 2007-12-17] ()

2 ASPI32; C:\Windows\System32\Drivers\ASPI32.sys [25244 1999-09-10] (Adaptec)

3 ati2mtag; C:\Windows\System32\Drivers\ati2mtag.sys [3341824 2008-10-28] (ATI Technologies Inc.)

3 Atmarpc; C:\Windows\System32\Drivers\Atmarpc.sys [59904 2008-04-14] (Microsoft Corporation)

3 audstub; C:\Windows\System32\Drivers\audstub.sys [3072 2001-08-17] (Microsoft Corporation)

1 AvgLdx86; C:\Windows\System32\Drivers\AvgLdx86.sys [216400 2010-07-15] (AVG Technologies CZ, s.r.o.)

1 AvgMfx86; C:\Windows\System32\Drivers\AvgMfx86.sys [29584 2010-06-02] (AVG Technologies CZ, s.r.o.)

4 cbidf2k; C:\Windows\System32\Drivers\cbidf2k.sys [13952 2008-04-14] (Microsoft Corporation)

3 CCDECODE; C:\Windows\System32\Drivers\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)

1 Cdaudio; C:\Windows\System32\Drivers\Cdaudio.sys [18688 2008-04-14] (Microsoft Corporation)

3 cpuz132; \??\C:\WINDOWS\system32\edesktop\PCWizard\pcwiz32.sys [12672 2009-03-07] (Windows ® Codename Longhorn DDK provider)

4 dmboot; C:\Windows\System32\Drivers\dmboot.sys [800256 2008-04-14] (Microsoft Corp., Veritas Software)

0 dmio; C:\Windows\System32\Drivers\dmio.sys [154496 2008-04-14] (Microsoft Corp., Veritas Software)

0 dmload; C:\Windows\System32\Drivers\dmload.sys [5888 2008-04-14] (Microsoft Corp., Veritas Software.)

3 DMusic; C:\Windows\System32\Drivers\DMusic.sys [52864 2008-04-13] (Microsoft Corporation)

1 Fips; C:\Windows\System32\Drivers\Fips.sys [44672 2008-04-14] (Microsoft Corporation)

0 Ftdisk; C:\Windows\System32\Drivers\Ftdisk.sys [126080 2008-04-14] (Microsoft Corporation)

3 Gpc; C:\Windows\System32\DRIVERS\msgpc.sys [35072 2008-04-14] (Microsoft Corporation)

3 HDAudBus; C:\Windows\System32\Drivers\HDAudBus.sys [144384 2008-04-14] (Windows ® Server 2003 DDK provider)

1 Imapi; C:\Windows\System32\Drivers\Imapi.sys [42112 2008-04-14] (Microsoft Corporation)

3 IntcAzAudAddService; C:\Windows\System32\drivers\RtkHDAud.sys [4800000 2008-05-20] (Realtek Semiconductor Corp.)

3 Ip6Fw; C:\Windows\System32\Drivers\Ip6Fw.sys [36608 2008-04-14] (Microsoft Corporation)

3 IpInIp; C:\Windows\System32\Drivers\IpInIp.sys [20864 2008-04-14] (Microsoft Corporation)

1 IPSec; C:\Windows\System32\Drivers\IPSec.sys [75264 2008-04-14] (Microsoft Corporation)

3 kmixer; C:\Windows\System32\Drivers\kmixer.sys [172416 2008-04-13] (Microsoft Corporation)

3 L1e; C:\Windows\System32\DRIVERS\l1e51x86.sys [36864 2008-06-25] (Atheros Communications, Inc.)

3 L8042Kbd; C:\Windows\System32\Drivers\L8042Kbd.sys [20240 2009-06-17] (Logitech, Inc.)

2 LBeepKE; C:\Windows\System32\Drivers\LBeepKE.sys [10384 2008-09-25] (Logitech, Inc.)

3 LEqdUsb; C:\Windows\System32\Drivers\LEqdUsb.sys [40720 2009-06-17] (Logitech, Inc.)

3 LHidEqd; C:\Windows\System32\Drivers\LHidEqd.sys [10384 2009-06-17] (Logitech, Inc.)

3 LVUSBSta; C:\Windows\System32\Drivers\LVUSBSta.sys [22016 2005-01-31] (Logitech Inc.)

3 MBAMProtector; \??\C:\WINDOWS\system32\drivers\mbam.sys [20952 2010-04-29] (Malwarebytes Corporation)

1 mnmdd; C:\Windows\System32\Drivers\mnmdd.sys [4224 2008-04-14] (Microsoft Corporation)

3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [5810 2004-08-13] ()

3 NABTSFEC; C:\Windows\System32\Drivers\NABTSFEC.sys [85248 2008-04-13] (Microsoft Corporation)

3 NdisIP; C:\Windows\System32\Drivers\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)

3 NIC1394; C:\Windows\System32\Drivers\NIC1394.sys [61824 2008-04-14] (Microsoft Corporation)

3 NwlnkFlt; C:\Windows\System32\Drivers\NwlnkFlt.sys [12416 2008-04-14] (Microsoft Corporation)

3 NwlnkFwd; C:\Windows\System32\Drivers\NwlnkFwd.sys [32512 2008-04-14] (Microsoft Corporation)

3 pepifilter; C:\Windows\System32\DRIVERS\lv302af.sys [7104 2005-01-31] (Logitech Inc.)

3 PID_08A0; C:\Windows\System32\DRIVERS\LV302AV.SYS [912768 2005-01-31] (Logitech Inc.)

1 PQNTDrv; C:\Windows\System32\Drivers\PQNTDrv.sys [4228 2002-09-16] (PowerQuest Corporation)

3 PSched; C:\Windows\System32\Drivers\PSched.sys [69120 2008-04-14] (Microsoft Corporation)

3 Ptilink; C:\Windows\System32\Drivers\Ptilink.sys [17792 2008-04-14] (Parallel Technologies, Inc.)

0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [20016 2010-06-28] (Sonic Solutions)

3 Raspti; C:\Windows\System32\Drivers\Raspti.sys [16512 2008-04-14] (Microsoft Corporation)

1 redbook; C:\Windows\System32\Drivers\redbook.sys [58752 2008-04-13] (Microsoft Corporation)

3 SLIP; C:\Windows\System32\Drivers\SLIP.sys [11136 2008-04-13] (Microsoft Corporation)

3 splitter; C:\Windows\System32\Drivers\splitter.sys [6272 2008-04-13] (Microsoft Corporation)

0 sptd; C:\Windows\System32\Drivers\sptd.sys [721904 2010-05-16] (Duplex Secure Ltd.)

0 sr; C:\Windows\System32\Drivers\sr.sys [73600 2008-04-14] (Microsoft Corporation)

3 streamip; C:\Windows\System32\Drivers\streamip.sys [15232 2008-04-13] (Microsoft Corporation)

3 swmidi; C:\Windows\System32\Drivers\swmidi.sys [56576 2008-04-13] (Microsoft Corporation)

3 sysaudio; C:\Windows\System32\Drivers\sysaudio.sys [60800 2008-04-13] (Microsoft Corporation)

3 tap0901; C:\Windows\System32\Drivers\tap0901.sys [25984 2009-11-03] (The OpenVPN Project)

3 Update; C:\Windows\System32\Drivers\Update.sys [384768 2008-04-14] (Microsoft Corporation)

3 wdmaud; C:\Windows\System32\Drivers\wdmaud.sys [83072 2008-04-13] (Microsoft Corporation)

3 WSTCODEC; C:\Windows\System32\Drivers\WSTCODEC.sys [19200 2008-04-13] (Microsoft Corporation)

4 Abiosdsk; [x]

4 abp480n5; [x]

4 adpu160m; [x]

4 Aha154x; [x]

4 aic78u2; [x]

4 aic78xx; [x]

4 AliIde; [x]

4 amsint; [x]

4 asc; [x]

4 asc3350p; [x]

4 asc3550; [x]

4 Atdisk; [x]

4 cd20xrnt; [x]

1 Changer; [x]

4 CmdIde; [x]

4 Cpqarray; [x]

4 dac2w2k; [x]

4 dac960nt; [x]

4 dpti2o; [x]

4 hpn; [x]

1 i2omgmt; [x]

4 i2omp; [x]

4 ini910u; [x]

4 IntelIde; [x]

1 lbrtfdc; [x]

3 MagicTune; C:\Windows\System32\drivers\MTiCtwl.sys [x]

1 MemAlloc; C:\Windows\System32\DRIVERS\memalloc.sys [x]

4 mraid35x; [x]

4 NVSvc; [x]

1 PCIDump; [x]

3 PDCOMP; [x]

3 PDFRAME; [x]

3 PDRELI; [x]

3 PDRFRAME; [x]

4 perc2; [x]

4 perc2hib; [x]

4 ql1080; [x]

4 Ql10wnt; [x]

4 ql12160; [x]

4 ql1240; [x]

4 ql1280; [x]

4 Simbad; [x]

4 Sparrow; [x]

4 symc810; [x]

4 symc8xx; [x]

4 sym_hi; [x]

4 sym_u3; [x]

4 TosIde; [x]

4 ultra; [x]

4 ViaIde; [x]

3 WDICA; [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-06-15 23:54 - 2012-06-16 10:15 - 00000000 ____D C:\FRST

2012-05-23 14:52 - 2012-05-23 14:52 - 00001890 ____A C:\Windows\diagwrn.xml

2012-05-23 14:52 - 2012-05-23 14:52 - 00001890 ____A C:\Windows\diagerr.xml

============ 3 Months Modified Files and Folders =============

2012-06-16 10:15 - 2012-06-15 23:54 - 00000000 ____D C:\FRST

2012-06-05 11:26 - 2010-05-12 23:58 - 00000275 ____A C:\Windows\wiadebug.log

2012-06-05 11:26 - 2010-05-09 06:33 - 00000184 __ASH C:\Documents and Settings\siluvatar\ntuser.ini

2012-06-05 11:26 - 2010-05-09 06:31 - 00032364 ____A C:\Windows\SchedLgU.Txt

2012-06-05 11:26 - 2010-05-09 06:31 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-06-05 11:26 - 2010-05-09 06:27 - 01176182 ____A C:\Windows\WindowsUpdate.log

2012-06-05 11:00 - 2010-05-13 08:18 - 00000000 ____D C:\Program Files\Mozilla Firefox

2012-06-05 11:00 - 2010-05-10 03:56 - 00000000 ____D C:\Documents and Settings\siluvatar\Application Data\Macromedia

2012-06-05 10:59 - 2010-05-09 08:19 - 01286862 ____A C:\Windows\System32\PerfStringBackup.INI

2012-06-05 10:59 - 2008-04-14 04:00 - 00575188 ____A C:\Windows\System32\perfh00C.dat

2012-06-05 10:59 - 2008-04-14 04:00 - 00103792 ____A C:\Windows\System32\perfc00C.dat

2012-06-05 10:55 - 2010-05-12 23:58 - 00000050 ____A C:\Windows\wiaservc.log

2012-06-05 10:55 - 2010-05-09 07:09 - 00000000 ____A C:\Windows\0.log

2012-06-05 10:55 - 2010-05-09 06:33 - 00000062 __ASH C:\Documents and Settings\siluvatar\Local Settings\desktop.ini

2012-06-05 10:55 - 2010-05-09 06:31 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini

2012-06-05 10:55 - 2010-05-09 06:30 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini

2012-06-05 10:55 - 2008-10-28 17:40 - 00060452 ____A C:\Windows\System32\ativvaxx.cap

2012-06-05 10:55 - 2008-04-14 04:00 - 00002206 ____A C:\Windows\System32\wpa.dbl

2012-05-24 01:16 - 2010-10-06 15:26 - 00008192 _RASH C:\BOOTSECT.BAK

2012-05-24 01:16 - 2010-05-09 08:15 - 00000942 __RSH C:\boot.ini

2012-05-23 14:58 - 2010-05-09 07:20 - 00000947 ____A C:\Windows\setupact.log

2012-05-23 14:52 - 2012-05-23 14:52 - 00001890 ____A C:\Windows\diagwrn.xml

2012-05-23 14:52 - 2012-05-23 14:52 - 00001890 ____A C:\Windows\diagerr.xml

2012-05-23 14:52 - 2010-05-09 07:20 - 00000000 ____A C:\Windows\setuperr.log

2012-05-23 13:40 - 2007-12-06 14:39 - 00010371 ____A C:\Windows\System32\NOTEPAD.ini

2012-05-23 13:36 - 2010-05-09 07:24 - 00000067 ____A C:\Windows\DVDRegionFree.INI

2012-05-23 13:34 - 2010-05-09 06:33 - 00000000 ____D C:\Documents and Settings\siluvatar\Bureau

2012-05-23 13:25 - 2010-05-09 07:03 - 00949332 ____A C:\Windows\setupapi.log

========================= Known DLLs (Whitelisted) ============

C:\Windows\SysWOW64\advapi32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\comdlg32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\gdi32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\imagehlp.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\kernel32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\lz32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\ole32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\oleaut32.dll IS MISSING <==== ATTENTION!

[2008-04-14 04:00] - [2008-04-14 04:00] - 0075264 ____A (Microsoft Corporation) C:\Windows\System32\olecli32.dll

C:\Windows\SysWOW64\olecli32.dll IS MISSING <==== ATTENTION!

[2008-04-14 04:00] - [2008-04-14 04:00] - 0037376 ____A (Microsoft Corporation) C:\Windows\System32\olecnv32.dll

C:\Windows\SysWOW64\olecnv32.dll IS MISSING <==== ATTENTION!

[2008-04-14 04:00] - [2008-04-14 04:00] - 0022016 ____A (Microsoft Corporation) C:\Windows\System32\olesvr32.dll

C:\Windows\SysWOW64\olesvr32.dll IS MISSING <==== ATTENTION!

[2008-04-14 04:00] - [2008-04-14 04:00] - 0069120 ____A (Microsoft Corporation) C:\Windows\System32\olethk32.dll

C:\Windows\SysWOW64\olethk32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\rpcrt4.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\shell32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\url.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\urlmon.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\user32.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\version.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\wininet.dll IS MISSING <==== ATTENTION!

C:\Windows\SysWOW64\wldap32.dll IS MISSING <==== ATTENTION!

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe

[2008-04-14 04:00] - [2008-04-14 04:00] - 0512000 ____A (Microsoft Corporation) DD73D6B9F6B4CB630CF35B438B540174

C:\Windows\System32\wininit.exe IS MISSING <==== ATTENTION!.

C:\Windows\SysWOW64\wininit.exe IS MISSING <==== ATTENTION!.

C:\Windows\explorer.exe

[2009-04-26 10:58] - [2009-04-26 10:58] - 1048576 ____A (Microsoft Corporation) F704B2BFB467235A0E0A5E313E239554

C:\Windows\SysWOW64\explorer.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\svchost.exe

[2008-04-14 04:00] - [2008-04-14 04:00] - 0014336 ____A (Microsoft Corporation) E4BDF223CD75478BF44567B4D5C2634D

C:\Windows\SysWOW64\svchost.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\services.exe

[2008-04-14 04:00] - [2009-02-09 03:23] - 0111104 ____A (Microsoft Corporation) C3FB1D70CB88722267949694BA51759E

C:\Windows\System32\User32.dll

[2008-04-14 04:00] - [2008-04-14 04:00] - 0579584 ____A (Microsoft Corporation) E853F84D3CE2FAA2A802E33CF89AC023

C:\Windows\SysWOW64\User32.dll IS MISSING <==== ATTENTION!.

C:\Windows\System32\userinit.exe

[2008-04-14 04:00] - [2008-04-14 04:00] - 0026624 ____A (Microsoft Corporation) E74DDB12188C2FF57A78624DBF7332FC

C:\Windows\SysWOW64\userinit.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\Drivers\volsnap.sys

[2008-04-14 04:00] - [2008-04-14 04:00] - 0053376 ____A (Microsoft Corporation) 46DE1126684369BACE4849E4FC8C43CA

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 12%

Total physical RAM: 4095.05 MB

Available physical RAM: 3571.91 MB

Total Pagefile: 4093.2 MB

Available Pagefile: 3554.23 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

======================= Partitions =========================

2 Drive c: () (Fixed) (Total:34.18 GB) (Free:14.74 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

3 Drive d: (sauvegarde famille) (Fixed) (Total:149.04 GB) (Free:100.29 GB) NTFS

4 Drive e: () (Fixed) (Total:198.7 GB) (Free:178.77 GB) NTFS

5 Drive f: () (Fixed) (Total:97.67 GB) (Free:54.36 GB) NTFS

6 Drive g: (win7) (Fixed) (Total:136.08 GB) (Free:88.27 GB) NTFS

8 Drive i: (ESD-USB) (Removable) (Total:7.51 GB) (Free:7.51 GB) FAT32

9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 232 GB 9 MB

Disk 1 Online 233 GB 9 MB

Disk 2 Online 149 GB 7168 KB

Disk 3 Online 7712 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 34 GB 31 KB

Partition 0 Extended 198 GB 34 GB

Partition 2 Logical 198 GB 34 GB

======================================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C NTFS Partition 34 GB Healthy

======================================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 E NTFS Partition 198 GB Healthy

======================================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 0 Extended 233 GB 8032 KB

Partition 1 Logical 97 GB 8064 KB

Partition 2 Logical 136 GB 97 GB

======================================================================================================

Disk: 1

Partition 1

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 F NTFS Partition 97 GB Healthy

======================================================================================================

Disk: 1

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 G win7 NTFS Partition 136 GB Healthy

======================================================================================================

Partitions of Disk 2:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 149 GB 31 KB

======================================================================================================

Disk: 2

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 5 D sauvegarde NTFS Partition 149 GB Healthy

======================================================================================================

Partitions of Disk 3:

===============

======================================================================================================

======================= End Of Log ==========================

If anyone can help me, I would very much appreciate the help, since I really have to work and don't have time to reinstall a whole system and software suites.

Thankfully, Siluvatar.

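Added example, not part of this thread and not FRST's own code: a small Python triage pass over lines in the shape FRST prints above. It flags the markers FRST itself writes (`ATTENTION`, `IS MISSING`, and a trailing `[x]` for an autostart or service entry whose file is not on disk), any non-empty `AppInit_DLLs` value, and Run/service/driver entries whose publisher field is empty `()`. The sample lines are constructed from entries in the log above; the severities and reason strings are this example's own ranking, not anything FRST reports.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a handful of lines copied in the shape FRST prints them
# (header warning, Registry, Services and Known DLLs sections).
SAMPLE_LOG = r"""
Microsoft Windows XP (X64) OS Language: English(US)
ATTENTION!:=====> THE OPERATING SYSTEM IS A X86 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X64 SYSTEM DISK.
========================== Registry (Whitelisted) =============
HKLM\...\Run: [Alcmtr] ALCMTR.EXE [x]
HKLM\...\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE [221184 2004-10-08] (Logitech Inc.)
AppInit_DLLs: prio.dll
HKLM\...\InprocServer32: [Default-shell32] %SystemRoot%\system32\shdocvw.dll ATTENTION! ====> ZeroAccess
==================== Services (Whitelisted) ======
2 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [593920 2008-10-28] ()
3 OpenVPNService; C:\Program Files\OpenVPN\bin\openvpnserv.exe [36352 2009-11-02] ()
3 avg9wd; "C:\Program Files\AVG\AVG9\avgwdsvc.exe" [308136 2010-07-15] (AVG Technologies CZ, s.r.o.)
========================= Known DLLs (Whitelisted) ============
C:\Windows\SysWOW64\kernel32.dll IS MISSING <==== ATTENTION!
"""

# "===== Section name =====" divider lines
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "[size date] (publisher)" tail FRST appends to Run/service/driver entries
TAIL_RE = re.compile(r"\[\d+ \d{4}-\d{2}-\d{2}\] \((.*)\)$")
# "ATTENTION! ====> label" marker; the label is what FRST matched on
MARKER_RE = re.compile(r"ATTENTION!?[\s:=]*>\s*(.+)$")


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # "high", "medium" or "low" (this example's own scale)
    reason: str
    line: str


def triage(log_text: str) -> List[Finding]:
    """Walk an FRST-style log and return the lines a reviewer should look at first."""
    findings: List[Finding] = []
    section = "header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1).strip("= ")
            if name:  # a run of '=' alone is just a separator
                section = name
            continue
        if "IS MISSING" in line:
            findings.append(Finding(section, "high", "expected system file is missing", line))
        elif "ATTENTION" in line:
            m = MARKER_RE.search(line)
            label = m.group(1).strip() if m else "unspecified"
            findings.append(Finding(section, "high", f"FRST marker: {label}", line))
        elif line.endswith("[x]"):
            findings.append(Finding(section, "medium",
                                    "entry points at a file that does not exist on disk", line))
        elif line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(Finding(section, "medium",
                                    "AppInit_DLLs loads this DLL into every process that loads user32.dll", line))
        else:
            m = TAIL_RE.search(line)
            if m and m.group(1).strip() == "":
                findings.append(Finding(section, "low",
                                        "binary carries no publisher/version information", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so the reviewer sees the shape of the log at a glance."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(results))
```

The header-level `ATTENTION` line is caught by the same rule as the per-file markers, and it is the one to read first: as the replies below establish, this log was produced with the 64-bit build against a 32-bit installation that was not the affected one, so the per-file findings under it describe a different system than the one with the PING.exe problem.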

Hello Siluvatar and :welcome:! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at support@malwarebytes.org or here (http://helpdesk.malwarebytes.org/home). If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

You are quite wrong to follow other threads and proceed with them. This tool is for a 32-bit operating system such as yours, but you used the 64-bit version. However, the log file shows the following:

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please follow the instructions here and post both log files in your next reply:

http://forums.malwarebytes.org/index.php?showtopic=9573


Hello Maniac,

Thank you for your reply!!

Could you please copy / paste, or tell me the log entries that point to the infection(s) please?

I have manually deleted some files that I had installed in the last couple of days, searched the registry for any occurrences of files / folders / etc. related to those files, cleaned them out, AND cleaned the registry.

I ran MB and found (after the steps above) 3 infected files. 1 false positive, 2 infected.

Removed them, rebooted, and it seems the problem is gone. I have been running the computer since then (since your message), opened and ran different applications, especially the web browser on sites that require Java / Flash / etc., games, office software, etc.

No unusual behavior is detected in the services and tasks that are running.

I agree, though, that once infected, the system is potentially unsafe, even if cleaned. Therefore I will schedule a format / reinstall after my work is done.

If you could, once again, point out the entries in the log posted above that you have recognized as being potentially infected, it would satisfy my own curiosity and knowledge :)

Have a great day, and thank you once again.

Siluvatar

:excl: :excl: :excl: :excl: :excl: :excl:

Something just caught my attention: this scan from FRST64.exe has scanned my C:/ drive, which is my non-infected XP system... -_-!

My Windows 7 system is on my F:/ drive; therefore, the entire log is off topic...

How do I scan my F:/ drive on startup, please?


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
