
Plug and Play Causes Services to run 100%



 
 
01-14-2011, 12:15 PM   #1
Registered Member
 
Join Date: Jan 2011
Posts: 38
OS: Windows Xp Pro



About a week ago I booted my computer and noticed that it was running extremely slow. I opened Task Manager and found that services.exe was running up my CPU. After going through msconfig and using trial and error, I found that it wouldn't drive it up if I had Plug and Play unchecked.

So my problem is that Plug and Play is causing services.exe to run up to 100% CPU.

I have tried multiple scans, all of which have had no effect on the problem.

Help is much appreciated.



Logs


DDS (Ver_10-12-12.02) - NTFSx86
Run by john at 14:58:46.71 on Fri 01/14/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.943 [GMT -5:00]

============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe
C:\Program Files\Linksys\WUSB100\WUSB100.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\john\Desktop\dds.scr
C:\Documents and Settings\john\Local Settings\Temp\6.tmp\MBR.DAT
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\john\Local Settings\Temporary Internet Files\Content.IE5\L5GGMRY3\dds[1].com
============== Pseudo HJT Report ===============
uWindow Title = Windows Internet Explorer provided by MSN & Bing
uInternet Settings,ProxyOverride = <local>;*.local
BHO: {07c1460c-727e-4938-8111-77ec98f4501c} - c:\windows\system32\atipdlx.dll
BHO: {149F11BC-D5BF-4491-B94E-C72FB081F35D} - No File
BHO: PriceGongBHO Class: {1631550f-191d-4826-b069-d9439253d926} - c:\program files\pricegong\2.1.0\PriceGongIE.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {6656C0B0-7069-45BE-868B-449B4BFC9C2B} - No File
BHO: {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: {c1f9ebfa-dfd0-43f0-977a-13b8ef72cf72} - No File
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mExplorerRun: [SBRHNRSafJ] c:\documents and settings\all users\application data\jgfgpqfq\rwjghexa.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\motion~1.lnk - c:\program files\panasonic\motionsd studio\sd_browser\AutoLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wusb100\WUSB100.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: yayvWpmJ - yayvWpmJ.dll
AppInit_DLLs: xpskug.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {149F11BC-D5BF-4491-B94E-C72FB081F35D} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\ljJcaXQJ
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\i5un9u0l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\program files\pricegong\2.1.0\ff\components\PriceGongFF.dll
FF - plugin: c:\documents and settings\john\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Shop to Win: {46d606b0-a645-11df-981c-0800200c9a66} - %profile%\extensions\{46d606b0-a645-11df-981c-0800200c9a66}
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: PriceGong: {8A9386B4-E958-4c4c-ADF4-8F26DB3E4829} - c:\program files\pricegong\2.1.0\FF
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-1-5 98392]
R3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-7-28 517632]
S0 ahogseyj;ahogseyj;c:\windows\system32\drivers\jlexcsln.dat --> c:\windows\system32\drivers\jlexcsln.dat [?]
S1 qhskraho;qhskraho;\??\c:\windows\system32\drivers\qhskraho.sys --> c:\windows\system32\drivers\qhskraho.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-1-11 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-1-11 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2009-1-11 23680]
=============== Created Last 30 ================
2011-01-12 23:18:17 -------- d-----w- C:\.jagex_cache_32
2011-01-06 22:57:31 733184 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iKernel.dll
2011-01-06 22:57:31 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\ctor.dll
2011-01-06 22:57:31 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\DotNetInstaller.exe
2011-01-06 22:57:31 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iscript.dll
2011-01-06 22:57:31 180356 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iGdi.dll
2011-01-06 22:57:31 172032 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iuser.dll
2011-01-06 22:57:30 303104 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\setup.dll
2011-01-06 01:23:11 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-06 01:23:11 27984 ----a-w- c:\windows\system32\sbbd.exe
2011-01-06 01:22:56 -------- d-----w- C:\VIPRERESCUE
2011-01-05 23:47:13 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe
2011-01-05 23:45:02 33792 ----a-w- c:\program files\messenger\custsat.dll
2011-01-05 00:16:30 121984 -c--a-w- c:\windows\system32\dllcache\usbvideo.sys
2011-01-05 00:16:30 121984 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2011-01-05 00:05:55 -------- d-----r- c:\program files\Skype
2010-12-31 08:00:19 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-12-29 07:01:59 -------- d-----w- c:\docume~1\john\locals~1\applic~1\AskToolbar
2010-12-16 22:05:19 -------- d-----w- c:\docume~1\john\applic~1\FrostWire
2010-12-16 22:04:35 -------- d-----w- c:\program files\Ask.com
2010-12-16 22:04:23 -------- d-----w- c:\program files\FrostWire
==================== Find3M ====================
2011-01-14 02:32:46 107264 ----a-w- c:\windows\system32\ATIDD.dll
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 23:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
============= FINISH: 14:59:09.39 ===============
Attached file: ark.zip (44.7 KB)

-- logicalman
01-17-2011, 10:46 AM   #2
Registered Member
 
Join Date: Jan 2011
Posts: 38
OS: Windows Xp Pro



Bump. Anyone? Anything?

-- logicalman
01-17-2011, 11:24 AM   #3
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,777
OS: XP Win7 Ubuntu 10.10



Hi logicalman,

Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window will open on your desktop
  • If an unknown bootcode is found you will have further options available to you; at this time press N, then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Please post the contents of that file.

======================
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth, uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"
-- amateur
01-18-2011, 08:24 PM   #4
Registered Member
 
Join Date: Jan 2011
Posts: 38
OS: Windows Xp Pro



Thank you so much for the response; here is the file.


MBRCheck, version 1.2.3
(c) 2010, AD
Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000008c
Kernel Drivers (total 121):
Processes (total 31):
0 System Idle Process
4 System
636 C:\WINDOWS\system32\smss.exe
684 csrss.exe
712 C:\WINDOWS\system32\winlogon.exe
756 C:\WINDOWS\system32\services.exe.exe
768 C:\WINDOWS\system32\lsass.exe
940 C:\WINDOWS\system32\ati2evxx.exe
956 C:\WINDOWS\system32\svchost.exe
1020 svchost.exe
1164 C:\WINDOWS\system32\svchost.exe
1280 svchost.exe
1344 svchost.exe
1508 C:\WINDOWS\system32\spoolsv.exe
1608 C:\WINDOWS\system32\ati2evxx.exe
1620 svchost.exe
1828 C:\WINDOWS\system32\bgsvcgen.exe
1852 C:\Program Files\Bonjour\mDNSResponder.exe
1900 svchost.exe
1996 C:\Program Files\Java\jre6\bin\jqs.exe
464 C:\WINDOWS\system32\svchost.exe
288 C:\WINDOWS\explorer.exe
424 alg.exe
1192 C:\WINDOWS\system32\ctfmon.exe
1408 C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe
1436 C:\Program Files\Linksys\WUSB100\WUSB100.exe
2796 C:\Program Files\Mozilla Firefox\firefox.exe
2464 C:\Program Files\Mozilla Firefox\plugin-container.exe
2252 C:\Program Files\Internet Explorer\iexplore.exe
484 C:\Program Files\Internet Explorer\iexplore.exe
1056 C:\Documents and Settings\john\Local Settings\Temporary Internet Files\Content.IE5\8XKSFMLY\MBRCheck[1].exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)
PhysicalDrive0 Model Number: Maxtor6Y160M0, Rev: YAR51HW0
Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!
-- logicalman
01-18-2011, 10:59 PM   #5
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,777
OS: XP Win7 Ubuntu 10.10



Please post the RootkitUnhooker log as well.
-- amateur
01-19-2011, 02:28 PM   #6
Registered Member
 
Join Date: Jan 2011
Posts: 38
OS: Windows Xp Pro



RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xBA3A8000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB9093000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9D92000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB4952000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA570000 C:\WINDOWS\system32\drivers\pclepci.sys 16384 bytes (Pinnacle Systems GmbH, PCLEPCI)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB6FED000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xBA590000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB9083000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA59C000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA558000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA5E2000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA5EA000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA5E0000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA5E4000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA5E6000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5D4000 C:\WINDOWS\system32\DRIVERS\serscan.sys 8192 bytes (Microsoft Corporation, Serial Imaging Device Driver)
0xBA5D8000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5DA000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA755000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA7EB000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA671000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================

Nothing detected :(
__________________
logicalman

Old 01-20-2011, 12:08 AM   #7
amateur (Security Team, Moderator, Analyst, Rangemaster, TSF Academy)
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,777
OS: XP Win7 Ubuntu 10.10



Hi,

Download Combofix from any of the links below. Rename it to svchost.exe before saving it. Save it to your desktop.

Link 1
Link 2


--------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how, please look in here:

How to disable your security applications
  • Double click on the renamed Combofix & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

# Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
__________________
amateur

Old 01-20-2011, 01:09 PM   #8
logicalman (Registered Member)
Join Date: Jan 2011
Posts: 38
OS: Windows Xp Pro



The software above caused my OS to crash. Upon the reboot, when I selected safe mode or any other mode, I receive just a black screen where all there is is my mouse.

I am still on the same computer because I loaded my XP Home disc, so any help with getting the XP Pro back up would be great. Thank you for spending your time with my issue; I really appreciate it.
__________________
logicalman

Old 01-21-2011, 12:01 AM   #9
amateur (Security Team, Moderator, Analyst, Rangemaster, TSF Academy)
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,777
OS: XP Win7 Ubuntu 10.10



Quote:
The software above caused my OS to crash
Please explain exactly what happened. At what stage did the computer crash? Did Combofix complete its run? Did you get any error messages, either from Combofix or from the system? Did the computer reboot by itself or did you force reboot it? Was Combofix able to install the Recovery Console?
Are you able to access the Task Manager (CTRL+ALT+DEL)? What happens if you select "New Task" and type "explorer"?

Quote:
I am still on the same computer because I loaded my xp home disc
How did you do that, over the existing operating system? Your original log shows only one HDD and one partition.


Quote:
==============Disk Partitions ==================

C: is FIXED (NTFS) - 146 GiB total, 26.661 GiB free.
D: is CDROM ()
H: is CDROM ()
Please perform the following steps if Combofix was able to install the Recovery Console.

1. Reboot your computer and as Windows starts, you will be presented with boot options for exactly two seconds - you'll have to be quick.

2. With the arrows keys on your keyboard select the option listed as Microsoft Windows Recovery Console and press the enter key on your keyboard.

3. The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on, and press Enter. If you have just one Windows installation, type 1 and press Enter.

4. It will then prompt you for the Administrator's password. If there is no password, simply press Enter. Otherwise type in the password and then press Enter.

5. At the C:\Windows prompt, type the following bolded text, and press Enter after each line:

set allowallpaths = true (Note: if this gives you an error message, just continue with the next line.)

dir c:\qoobox

Please list all content that comes up after this command.

6. At the next prompt type the following bolded text, and press Enter:

exit

Post back here with the C:\qoobox content list.
__________________
amateur

Old 01-21-2011, 08:49 PM   #10
logicalman (Registered Member)
Join Date: Jan 2011
Posts: 38
OS: Windows Xp Pro



Sorry,
What happened was Combofix was done with all 50 tasks (I'm guessing there are only 50 because that's how far it got before it started deleting files), and deleted files, then folders. It deleted folders and stayed saying that it was deleting one for 2 hours, which is how long I left it after I saw it wasn't making any more progress. So I manually rebooted it by pressing the button, and when I attempted to log back in I got nothing. Nothing as in it would boot and the XP Pro loading screen would come up, then it goes to a black screen with just a mouse, no task manager or anything.

As for loading XP Home, I have it on the same HDD. I have done this before when I had to do a repair a while back to transfer all documents. It does not override any files and allows you to boot to one or the other.


Here is the pic of the recovery mode cmd.




Thank You again for all your help
__________________
logicalman

Old 01-21-2011, 10:23 PM   #11
amateur (Security Team, Moderator, Analyst, Rangemaster, TSF Academy)
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,777
OS: XP Win7 Ubuntu 10.10



Hi logicalman,

Quote:
As for loading XP home I have it on the same HDD
Did you create a different partition for it? If not, it sounds like you've done a repair or a parallel install on the same partition, but with a different version of XP, which is not recommended as this can cause clashes and multiple errors and issues. It will also complicate our efforts. Even if you had used the same XP version, repair/parallel installs are temporary solutions to recover data. In the long run, it's recommended that you perform a reformat and reinstall, wiping everything and installing afresh. If you have already backed up your personal data, I would recommend you do that.

Please type the following at the recovery console prompt, press enter after each line:

set allowallpaths = true

cd c:\qoobox

type combofix-quarantined-files.txt

This will show a list of files on the screen. Please copy them down for me.


If you need to take ownership of files/folders in XP, please see here
__________________
amateur

Old 01-22-2011, 08:22 PM   #12
logicalman (Registered Member)
Join Date: Jan 2011
Posts: 38
OS: Windows Xp Pro



After writing 3 pages of what was above, I logged on and searched for the text file that was looked for in recovery mode and found it instantly... Guess I should have searched first, but I got a good workout for my hand. Here you go:

2011-01-20 19:21:33 . 2011-01-21 00:10:37 4,881 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-01-20 19:07:11 . 2011-01-21 00:08:26 204 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-01-05 11:02:22 . 2011-01-05 11:02:22 23,296 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\1.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 125,672 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\a.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 165,160 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\b.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 172,176 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\c.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 105,704 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\d.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 108,920 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\e.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 60,048 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\f.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 70,624 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\g.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 52,920 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\h.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 48,336 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\i.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 28,000 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\J.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 28,080 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\k.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 69,168 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\l.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 104,888 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\m.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 36,808 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\n.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 41,072 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\o.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 96,480 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\p.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 4,440 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\q.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 36,768 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\r.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 159,760 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\s.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 95,664 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\t.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 20,960 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\u.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 30,528 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\v.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 43,520 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\w.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 2,888 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\x.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 10,744 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\y.xml.vir
2011-01-05 11:02:22 . 2011-01-05 11:02:22 11,648 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\z.xml.vir
2010-11-22 00:53:29 . 2011-01-20 19:03:13 8,368 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\john\Application Data\PriceGong\Data\mru.xml.vir
2010-06-30 05:26:21 . 2011-01-20 18:42:00 244 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job.vir
2008-10-11 22:51:50 . 2008-10-12 01:19:11 977,319 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\qtyusalr.ini.vir
2008-10-10 22:53:48 . 2008-10-10 22:53:58 977,310 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\xjtepotf.ini.vir
2008-10-09 22:52:28 . 2008-10-10 22:53:13 977,310 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\jpacrhyb.ini.vir
2008-10-08 21:02:25 . 2008-10-09 22:19:29 474 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cfxsvcbj.ini.vir
2008-10-07 00:11:46 . 2008-10-07 00:11:46 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\2QkVn8Cu.exe.a_a.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\FVProtect.exe.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\userconfig9x.dll.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\zip1.tmp.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\zip2.tmp.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\zip3.tmp.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\zipped.tmp.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:46 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogonpc.exe.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\base64.tmp.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\iTunesMusic.exe.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\hoproxy.dll.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\hxiwlgpm.dat.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\hxiwlgpm.exe.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\mwin32.exe.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ps1.exe.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\sncntr.exe.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\taack.dat.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\taack.exe.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\VBIEWER.OCX.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\medup012.dll.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\medup020.dll.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\msgp.exe.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\mtr2.exe.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\netode.exe.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\temp#01.exe.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\smp\msrc.exe.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dpcproxy.exe.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\regc64.dll.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\thun.dll.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\bdn.com.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\mssecu.exe.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\winsystem.exe.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\akttzn.exe.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\emesx.dll.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\newsd32.exe.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Rundl1.exe.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\vcatchpi.dll.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\awtoolb.dll.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\bdn.com.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\mssecu.exe.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\sysreq.exe.vir
2008-10-06 23:40:45 . 2008-10-06 23:40:45 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\WINWGPX.EXE.vir
2008-10-06 23:20:47 . 2008-10-06 23:20:47 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\3c7T1iCB.exe.a_a.vir
2008-10-06 20:04:50 . 2008-10-08 20:59:45 1,132,469 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\qyrytspa.ini.vir
2008-10-05 16:04:29 . 2008-10-06 19:59:03 1,065,237 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ehnarggk.ini.vir
2008-10-04 1615 . 2008-10-05 02:46:36 1,031,452 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\jdcsekti.ini.vir
2008-10-03 0308 . 2008-10-04 15:00:35 1,031,272 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\xoxgpevc.ini.vir
2008-10-02 01:15:16 . 2008-10-03 02:33:15 1,030,981 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\birumblu.ini.vir
2008-10-01 00:20:20 . 2008-10-02 01:09:13 1,030,801 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wylkmwni.ini.vir
2008-09-30 00:24:24 . 2008-09-30 21:17:38 1,457,053 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\tyyconcl.ini.vir
2008-09-29 00:24:21 . 2011-01-14 02:32:46 107,264 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ATIDD.dll.vir
2008-09-29 00:21:17 . 2008-09-30 00:21:48 1,853,034 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wuvknwww.ini.vir
2008-09-28 00:19:16 . 2008-09-29 00:19:46 1,124,143 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\vqtfomid.ini.vir
2008-09-14 20:04:10 . 2008-09-14 21:37:33 1,069,738 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ddrcggow.ini.vir
2008-09-14 17:07:56 . 2008-10-11 18:48:14 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\mcrh.tmp.vir
2008-09-14 16:33:07 . 2008-10-09 01:32:15 2,395 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir
2008-09-14 14:03:46 . 2008-09-14 19:16:06 1,067,156 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\yptemxos.ini.vir
2008-09-14 14:02:43 . 2008-10-12 03:54:09 842,246 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\JQXacJjl.ini2.vir
2008-09-14 14:02:43 . 2008-10-12 03:56:31 842,810 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\JQXacJjl.ini.vir
2008-04-14 12:00:00 . 2009-02-06 11:11:05 110,592 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\services.exe.exe.vir
2007-03-22 00:54:16 . 2007-03-22 00:54:16 69,632 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\TWUNK_32.EXE.vir

****services.exe.exe was me renaming it so it was easily found.
__________________
logicalman

Old 01-23-2011, 01:37 AM   #13
amateur (Security Team, Moderator, Analyst, Rangemaster, TSF Academy)
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,777
OS: XP Win7 Ubuntu 10.10



Quote:
I logged on and searched for the text file
Since this is not something you can do in the Recovery Console, are you able to log on now with no black screen? The reason I asked you to boot to the Recovery Console was because you were not able to go beyond a black screen in your XP Professional, and I thought you may have created a separate partition for the XP Home. If you are now able to log on, it would mean that what you did was a repair install of the operating system with a different version of XP on the same partition, which is not recommended, as I explained before.

Please advise what the state of the machine is at the moment.
__________________
amateur

Old 01-23-2011, 06:28 AM   #14
logicalman (Registered Member)
Join Date: Jan 2011
Posts: 38
OS: Windows Xp Pro



Windows XP Pro is still only giving me a black screen.
I loaded XP Home on the same hard drive under a different folder name so that I could run one operating system or the other.

So I have 2 folders for operating systems, WINDOWS (PRO) and WINDOWS2 (HOME). All documents are still accessible through loading XP Home.

So I did a full install of windows xp home on the same HDD as Windows XP Pro.

I am able to run XP home but XP pro only gives me a black screen possibly due to something deleted by Combofix.
__________________
logicalman

Old 01-23-2011, 09:23 AM   #15
amateur (Security Team, Moderator, Analyst, Rangemaster, TSF Academy)
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,777
OS: XP Win7 Ubuntu 10.10



Hi logicalman,

Combofix had cleaned up a lot of junk in your original installation, XP Pro. The quarantined files text does not show anything that would cause the black screen that you've experienced. The preliminary checks did not show any rootkit infection either.

Combofix creates a backup which we can use, but now with the parallel install of XP Home after Combofix was run, I am not sure how the system would react. I reiterate that you'd be much better off to back up your personal data and go with a reformat and clean install.

However, if you want to give it a try, please follow the instructions below. Make sure that you've backed up your personal data before proceeding.

Boot to Recovery Console on your XP Pro as you've done before

At the C:\Windows> prompt, type the following bolded text, and press Enter:

cd erdnt\hiv-backup

(Note - there is a space between cd and erdnt)

You should now be at C:\Windows\erdnt\hiv-backup>

Type in the following bolded text and press Enter:

batch erdnt.con

(note - this is a .con extension, not .com)

A prompt will appear that this program will restore a registry backup. Once you click OK, the Erunt backups will begin copying. When they have finished, you will see another dialog box advising you the restoration is complete.

Click OK, then type in Exit and press Enter.

Windows will now begin loading. Let me know if it was successfully loaded.
__________________
amateur

Old 01-23-2011, 01:02 PM   #16
logicalman (Registered Member)
Join Date: Jan 2011
Posts: 38
OS: Windows Xp Pro



I loaded the backup and it copied files, but nothing occurred after that. It just prompted me for another command. After exiting I still received a black screen.


C:\Qoobox\Quarantine\C\WINDOWS\system32\services.exe.exe.vir

I am quite sure that this is the problem ^^^ because now I am unable to locate services.exe in my system32 folder.

Is there any way that I can get this folder out of quarantine, or was it deleted?

There is no services.exe in windows32 which causes the OS to do what it is doing now.
__________________
logicalman

Old 01-23-2011, 04:58 PM   #17
logicalman (Registered Member)
Join Date: Jan 2011
Posts: 38
OS: Windows Xp Pro



So that was the problem; putting services.exe back into system32 allows me to run XP Pro again.

So.....

Back to the original problem which is services.exe is still running at 100% CPU when Plug and Play service is applied.

Back to square 1.
__________________
logicalman

Old 01-23-2011, 10:14 PM   #18
amateur (Security Team, Moderator, Analyst, Rangemaster, TSF Academy)
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,777
OS: XP Win7 Ubuntu 10.10



Go to Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c PEV --custom# #s #d #f #5 # %systemdrive%\services.* >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.

Also post a fresh DDS.txt and Ark.txt (GMER) please for me to see.
__________________
amateur
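The listing that the PEV command above produces can be checked mechanically. The Python below is an added example, not part of the thread or of PEV: it parses lines in PEV's `<size> <company> <path> <md5>` format and compares the live system32\services.exe against the Windows File Protection copy in dllcache, flagging a missing or renamed live copy (the black-screen case in this thread) or a hash that differs from dllcache. The sample listings and hashes are constructed.

```python
"""Cross-check a PEV 'services.*' listing against the dllcache copy.
Added example, not from the thread or from PEV: it parses the line format PEV
prints ('<size> <company or ------> <path> <md5>'), checks that system32 holds
a services.exe whose MD5 matches the Windows File Protection copy in dllcache,
and lists stray services.* files. Sample lines and hashes are constructed."""
import re
from typing import Dict, List

# Company names contain spaces: anchor on the drive path and the trailing MD5.
PEV_LINE = re.compile(
    r"^(?P<size>[\d,]+)\s+(?P<company>.*?)\s*"
    r"(?P<path>[A-Za-z]:\\.*?)\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_pev(output: str) -> List[Dict[str, object]]:
    """One record per file line; blank or non-matching lines are skipped."""
    entries: List[Dict[str, object]] = []
    for raw in output.splitlines():
        m = PEV_LINE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "size": int(m["size"].replace(",", "")),
            "company": m["company"].strip(),  # '------' = no version resource
            "path": m["path"],
            "md5": m["md5"].upper(),
        })
    return entries


def audit_services_exe(entries: List[Dict[str, object]],
                       windir: str = r"C:\WINDOWS") -> Dict[str, object]:
    """Compare the live Service Control Manager binary with its dllcache copy.
    Verdicts: ok (live copy identical to dllcache), live_missing (no
    system32\\services.exe, so Windows cannot reach a desktop), cache_missing
    (nothing in dllcache to compare against), hash_mismatch (copies differ)."""
    sys32 = (windir + "\\system32\\").lower()
    cache = (windir + "\\system32\\dllcache\\").lower()
    live_md5 = cache_md5 = None
    strays: List[Dict[str, object]] = []
    for e in entries:
        p = str(e["path"]).lower()
        if not p.startswith(sys32):
            continue  # $hf_mig$, $NtUninstall...$ and Start Menu shortcuts
        if p == sys32 + "services.exe":
            live_md5 = e["md5"]
        elif p == cache + "services.exe":
            cache_md5 = e["md5"]
        elif not p.startswith(cache):
            strays.append(e)  # anything else named services.* in system32
    if live_md5 is None:
        verdict = "live_missing"
    elif cache_md5 is None:
        verdict = "cache_missing"
    elif live_md5 != cache_md5:
        verdict = "hash_mismatch"
    else:
        verdict = "ok"
    return {"verdict": verdict, "live_md5": live_md5,
            "cache_md5": cache_md5, "strays": strays}


def restore_candidates(result: Dict[str, object]) -> List[str]:
    """Strays whose MD5 equals the dllcache copy: the real binary was only
    renamed, so putting it back under its proper name repairs the boot."""
    cache_md5 = result["cache_md5"]
    if cache_md5 is None:
        return []
    return [str(e["path"]) for e in result["strays"] if e["md5"] == cache_md5]


# Constructed samples in PEV's output format (hashes are placeholders).
SAMPLE_OK = r"""
110,592 Microsoft Corporation C:\WINDOWS\system32\services.exe 0123456789ABCDEF0123456789ABCDEF
110,592 Microsoft Corporation C:\WINDOWS\system32\dllcache\services.exe 0123456789ABCDEF0123456789ABCDEF
"""

# Mirrors the thread: the live file was renamed, so only dllcache keeps the name.
SAMPLE_RENAMED = r"""
1,602 ------ C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Services.lnk 00112233445566778899AABBCCDDEEFF
110,592 Microsoft Corporation C:\WINDOWS\$hf_mig$\KB_example\SP3QFE\services.exe FEDCBA9876543210FEDCBA9876543210
110,592 Microsoft Corporation C:\WINDOWS\system32\services.exe.exe 0123456789ABCDEF0123456789ABCDEF
110,592 Microsoft Corporation C:\WINDOWS\system32\dllcache\services.exe 0123456789ABCDEF0123456789ABCDEF
"""

# A live copy with no version resource and a different hash from dllcache.
SAMPLE_TAMPERED = r"""
110,592 ------ C:\WINDOWS\system32\services.exe FEDCBA9876543210FEDCBA9876543210
110,592 Microsoft Corporation C:\WINDOWS\system32\dllcache\services.exe 0123456789ABCDEF0123456789ABCDEF
"""

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_RENAMED, SAMPLE_TAMPERED):
        result = audit_services_exe(parse_pev(sample))
        print(result["verdict"], restore_candidates(result))
```

A `hash_mismatch` verdict is only a lead: the dllcache copy can itself be stale after a hotfix, so confirm against the `$hf_mig$` copy or the installation media before acting on it.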
Old 01-24-2011, 11:42 AM   #19
logicalman (Registered Member)
Join Date: Jan 2011
Posts: 38
OS: Windows Xp Pro



1,602 ------ C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Services.lnk 5D373090F4BEFA078A2DF30FDD33B7A3
1,609 ------ C:\Documents and Settings\All Users.WINDOWS2\Start Menu\Programs\Administrative Tools\Services.lnk 96D4487234F80647877310E4D31F54F7
1,609 ------ C:\Documents and Settings\All Users.WINDOWSS\Start Menu\Programs\Administrative Tools\Services.lnk 5757F97EE9F5C708471965538B121129
110,592 Microsoft Corporation C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe 020CEAAEDC8EB655B6506B8C70D53BB6
108,544 Microsoft Corporation C:\WINDOWS\$NtUninstallKB956572$\services.exe 0E776ED5F7CC9F94299E70461B7B8185
110,592 Microsoft Corporation C:\WINDOWS\system32\services.exe.exe 65DF52F5B8B6E9BBD183505225C37315
110,592 Microsoft Corporation C:\WINDOWS\system32\dllcache\services.exe 65DF52F5B8B6E9BBD183505225C37315






DDS (Ver_10-12-12.02) - NTFSx86
Run by john at 14:38:19.67 on Mon 01/24/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.930 [GMT -5:00]

============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe
C:\Program Files\Linksys\WUSB100\WUSB100.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\john\LOCALS~1\Temp\Rar$EX03.797\gmer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\john\Local Settings\Temporary Internet Files\Content.IE5\TTZJUNBA\dds[1].scr
============== Pseudo HJT Report ===============
uWindow Title = Windows Internet Explorer provided by MSN & Bing
uInternet Settings,ProxyOverride = <local>;*.local
BHO: {07c1460c-727e-4938-8111-77ec98f4501c} - c:\windows\system32\atipdlx.dll
BHO: {149F11BC-D5BF-4491-B94E-C72FB081F35D} - No File
BHO: PriceGongBHO Class: {1631550f-191d-4826-b069-d9439253d926} - c:\program files\pricegong\2.1.0\PriceGongIE.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {6656C0B0-7069-45BE-868B-449B4BFC9C2B} - No File
BHO: {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: {c1f9ebfa-dfd0-43f0-977a-13b8ef72cf72} - No File
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mExplorerRun: [SBRHNRSafJ] c:\documents and settings\all users\application data\jgfgpqfq\rwjghexa.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\motion~1.lnk - c:\program files\panasonic\motionsd studio\sd_browser\AutoLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wusb100\WUSB100.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: yayvWpmJ - yayvWpmJ.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {149F11BC-D5BF-4491-B94E-C72FB081F35D} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\ljJcaXQJ
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\i5un9u0l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\john\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Shop to Win: {46d606b0-a645-11df-981c-0800200c9a66} - %profile%\extensions\{46d606b0-a645-11df-981c-0800200c9a66}
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-1-5 98392]
R3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-7-28 517632]
S0 ahogseyj;ahogseyj;c:\windows\system32\drivers\jlexcsln.dat --> c:\windows\system32\drivers\jlexcsln.dat [?]
S1 qhskraho;qhskraho;\??\c:\windows\system32\drivers\qhskraho.sys --> c:\windows\system32\drivers\qhskraho.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-1-11 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-1-11 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2009-1-11 23680]
=============== Created Last 30 ================
2011-01-20 23:41:36 4158604 ----a-w- c:\windows\svchost.exe
2011-01-20 20:41:54 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe
2011-01-20 20:39:47 33792 ----a-w- c:\program files\messenger\custsat.dll
2011-01-20 19:14:35 -------- d-sha-r- C:\cmdcons
2011-01-20 19:07:18 98816 ----a-w- c:\windows\sed.exe
2011-01-20 19:07:18 89088 ----a-w- c:\windows\MBR.exe
2011-01-20 19:07:18 256512 ----a-w- c:\windows\PEV.exe
2011-01-20 19:07:18 161792 ----a-w- c:\windows\SWREG.exe
2011-01-15 09:20:49 -------- d-----w- C:\Music
2011-01-12 23:18:17 -------- d-----w- C:\.jagex_cache_32
2011-01-06 22:57:31 733184 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iKernel.dll
2011-01-06 22:57:31 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\ctor.dll
2011-01-06 22:57:31 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\DotNetInstaller.exe
2011-01-06 22:57:31 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iscript.dll
2011-01-06 22:57:31 180356 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iGdi.dll
2011-01-06 22:57:31 172032 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iuser.dll
2011-01-06 22:57:30 303104 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\setup.dll
2011-01-06 01:23:11 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-06 01:23:11 27984 ----a-w- c:\windows\system32\sbbd.exe
2011-01-06 01:22:56 -------- d-----w- C:\VIPRERESCUE
2011-01-05 00:16:30 121984 -c--a-w- c:\windows\system32\dllcache\usbvideo.sys
2011-01-05 00:16:30 121984 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2011-01-05 00:05:55 -------- d-----r- c:\program files\Skype
2010-12-31 08:00:19 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-12-29 07:01:59 -------- d-----w- c:\docume~1\john\locals~1\applic~1\AskToolbar
==================== Find3M ====================
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 23:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
============= FINISH: 14:38:40.09 ===============
__________________
logicalman is offline  
Old 01-24-2011, 11:46 AM   #20
Registered Member
 
Join Date: Jan 2011
Posts: 38
OS: Windows Xp Pro



GMER 1.0.15.15530 - GMER - Rootkit Detector and Remover
Rootkit scan 2011-01-24 14:46:18
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\john\LOCALS~1\Temp\kwlyrfoc.sys

---- Kernel code sections - GMER 1.0.15 ----
? C:\DOCUME~1\john\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[1752] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1752] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1752] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4FEF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1752] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F21 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1752] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4F8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1752] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4DF2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1752] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1752] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5052 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1752] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EB6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2020] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2020] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2020] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD145 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2020] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2020] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254696 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2020] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4FEF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2020] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F21 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2020] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4F8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2020] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4DF2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2020] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2020] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5052 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2020] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EB6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2020] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBA0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2020] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E5370 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\00125a0fdc21 (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00125a0fdc21
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00125a0fdc21 (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xB2 0x46 0x9A 0xE2 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x05 0x73 0x21 0xDD ...
---- EOF - GMER 1.0.15 ----

__________________
logicalman is offline  
 

Copyright 2001 - 2014, Tech Support Forum
