DejanS

208.73.210.29 blocked by M.Anti-Malvare, cannot open some sites in any browser


Hi :)

Eset finished the scan and cleaning, and there are 3 threats which couldn't be cleaned automatically.

D:\NEW DOWNLOADS 5\Portable Flash4D v5.1 Pro Edition.rar probably a variant of Win32/Agent.LWMQUCE trojan No action

D:\System Volume Information\_restore{42BC42E3-B2DE-461B-93D2-D12BCB23D028}\RP1911\A0401895.exe a variant of Win32/Induc.A virus No action

D:\System Volume Information\_restore{42BC42E3-B2DE-461B-93D2-D12BCB23D028}\RP1911\A0401896.exe a variant of Win32/Induc.A virus No action

Should I try to delete those in "Action"?


Yes, please use Delete option for them.


Hi :)

Sorry for the pause, please; I have a problem with my internet (ISP, not related to viruses).

I will try to post the log now (I am using a neighbour's PC connected to slow dial-up...).

Sorry for the delay, again...


It is okay. Thanks for letting me know!


It seems the log is too big for dial-up...

At least I can report some news: from the moment NOD32 cleaned that Win32/Agent.LWMQUCE trojan I haven't got those warnings from Anti-Malware about blocking the connection to that IP anymore.

I think it's great news :)

I will check connectivity to those sites after I get my internet connection back, and I will come here to let you know and to proceed with cleaning and tweaking, if needed.

Thank you so much, again :)

DejanS


P.S. The end of the log is here (if it helps)

D:\NEW DOWNLOADS 5\Portable Flash4D v5.1 Pro Edition.rar » RAR » Portable Flash4D v5.1 Pro Edition\Flash4D v5 - Flash Intro Builder.exe » THINAPP » Patch.exe - probably a variant of Win32/Agent.LWMQUCE trojan - was a part of the deleted object

D:\System Volume Information\_restore{42BC42E3-B2DE-461B-93D2-D12BCB23D028}\RP1911\A0401895.exe - error opening [4]

D:\System Volume Information\_restore{42BC42E3-B2DE-461B-93D2-D12BCB23D028}\RP1911\A0401896.exe - error opening [4]

Number of scanned objects: 2202748

Number of threats found: 5

Number of cleaned objects: 1

Time of completion: 3:14:01 PM Total scanning time: 57189 sec (15:53:09)

Notes:

[4] Object cannot be opened. It may be in use by another application or operating system.


Good! :)

Monitor your system and come back tomorrow to tell me how the situation is now.


Hi

Here is the report...

I was so happy to inform you that we got rid of that IP location warning/malware... It didn't appear at all (I didn't have access to the internet) and when I got the internet today it was all OK. I could get to all those sites, no warnings from Anti-Malware... The bad surprise came 2h ago. First I couldn't open the Facebook home page, then isohunt... Then I couldn't post here from that PC... I restarted the PC and I saw that warning (Anti-Malware's) again... About that IP...

I don't understand. It started to work fine after cleaning with NOD32. It worked flawlessly until now; pages on the internet opened so fast...

I will try to post ESET's log here.

So, here we go again...


I tried a few times to paste that ESET log here... I even separated it into 6 smaller parts and then tried... it's still too big (4.5MB txt file in total).

Can I attach it here as a rar or zip file? It's just 170KB that way... Or, any other idea?

Do you think it would be wise to scan the PC again with NOD32, just in safe mode?


I don't know, but maybe this will mean something:

on the infected PC I cannot measure upload speed at the Speedtest.net site anymore.

It was possible to do before the infection; I did it many times.

Surfing goes more or less OK.

The other PC on the same cable can measure upload speed and has none of the problems the infected machine has.

On the infected PC, download speed and pings are OK.

The strange thing is that I cannot post replies to this forum from the infected PC. I do it from the other PC.

Is it possible that the 'virus' blocks outgoing traffic for some sites?


Please run NOD32, make sure it is up-to-date and perform a smart scan. Next, go to the log file and right-click on it; there will be a filter or something similar which will show the information you want. Select to show information only for malware and then post it here.


Sorry for the pause, please...

NOD32 just finished the scan. No infected files or threats.

It seems that in the previous scan NOD cleaned what that AV can clean now.

Of course, I updated it before the scan.

Situation now: I cannot send emails, my upload is not measurable, I cannot go to some sites (isohunt, facebook, etc.).

It seems it is not related to the ISP: the other PC attached to the same router/access point works fine.

After the first cleaning, the infected PC worked just fine.

Any ideas?


Delete your copy of ComboFix and then, again:

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


ComboFix 12-04-22.01 - User 22.04.2012 17:39:00.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1251.381.1033.18.2047.1155 [GMT 2:00]

Running from: C:\Documents and Settings\User\My Documents\Downloads\ComboFix.exe

AV: ESET Smart Security 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *Disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

((((((((((((((((((((((((( Files Created from 2012-03-22 to 2012-04-22 )))))))))))))))))))))))))))))))

2012-04-15 16:30:23 . 2012-04-15 16:30:26 -------- d-----w- C:\Program Files\Perfect Uninstaller

2012-04-14 16:35:35 . 2012-04-14 16:35:35 -------- d-----w- C:\TDSSKiller_Quarantine

2012-04-14 16:14:07 . 2012-04-14 16:14:07 1409 ----a-w- C:\WINDOWS\QTFont.for

2012-04-05 20:39:15 . 2012-04-05 20:39:16 -------- d-----w- C:\Program Files\Freemake

2012-03-25 21:36:11 . 2012-04-22 14:20:31 -------- d-----w- C:\Program Files\Smart File Advisor

2012-03-25 21:36:09 . 2012-03-25 21:36:09 -------- d-----w- C:\Program Files\Smart Projects

2012-03-25 01:51:01 . 2012-04-18 17:36:06 -------- d-----w- C:\Documents and Settings\User\Application Data\vlc

2012-03-24 14:37:21 . 2012-03-24 14:37:22 -------- d-----w- C:\Program Files\PITCH

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2012-03-13 04:39:39 . 2012-04-17 04:32:35 97208 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll

2011-03-23 14:05:20 92281056 --sh--w- C:\WINDOWS\setupa.exe

2006-05-03 10:06:54 163328 --sha-r- C:\WINDOWS\system32\flvDX.dll

2007-02-21 11:47:16 31232 --sha-r- C:\WINDOWS\system32\msfDX.dll

2008-03-16 13:30:52 216064 --sha-r- C:\WINDOWS\system32\nbDX.dll

2010-01-06 22:00:00 107520 --sha-r- C:\WINDOWS\system32\TAKDSDecoder.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Messenger (Yahoo!)"="C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 08:17:48 5252408]

"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\DTLite.exe" [2011-01-20 09:20:12 1305408]

"SkinClock"="C:\Program Files\Free Desktop Clock\DesktopClock.exe" [2010-11-21 11:43:04 1113600]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2011-10-13 07:27:14 17351304]

"Steam"="C:\Program Files\Steam\Steam.exe" [2011-11-02 08:18:16 1242448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22:00 7700480]

"nwiz"="nwiz.exe" [2006-10-22 11:22:00 1622016]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22:00 86016]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 23:40:44 155648]

"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 10:08:06 16342528]

"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 21:22:02 3739648]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 20:34:40 49152]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24:52 286720]

"TWCU"="C:\Program Files\TP-LINK\TWCU\TWCU.exe" [2006-03-29 15:12:06 364544]

"hpbdfawep"="C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 12:28:34 954368]

"WheelMouse"="C:\Program Files\A4Tech\Mouse\Amoumain.exe" [2007-05-15 09:33:30 204800]

"TkBellExe"="C:\program files\real\realplayer\update\realsched.exe" [2011-06-01 11:05:32 273544]

"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2011-01-12 14:41:24 2219184]

"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2011-07-11 21:47:06 74752]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 01:57:22 40368]

"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-29 19:59:06 937920]

"Malwarebytes' Anti-Malware"="C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 16:50:18 460872]

"Smart File Advisor"="C:\Program Files\Smart File Advisor\sfa.exe" [2011-04-04 12:59:12 280824]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2007-5-17 24576]

McAfee Security Scan Plus.lnk - C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 08:13:36 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-09 12:18:59 548352 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^The Matrix_ Path of Neo Registration.lnk]

path=C:\Documents and Settings\User\Start Menu\Programs\Startup\The Matrix_ Path of Neo Registration.lnk

backup=C:\WINDOWS\pss\The Matrix_ Path of Neo Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]

2008-07-22 11:53:10 77824 -c--a-w- C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"D:\\IGRICE\\Valve\\hl.exe"=

"C:\\WINDOWS\\system32\\dpvsetup.exe"=

"C:\\Program Files\\ECR Tool\\ECRSrvAPI.exe"=

"C:\\WINDOWS\\system32\\PnkBstrA.exe"=

"C:\\WINDOWS\\system32\\PnkBstrB.exe"=

"C:\\WINDOWS\\system32\\mmc.exe"=

"D:\\IGRICE\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=

"D:\\IGRICE\\Midway Home Entertainment\\Stranglehold\\Binaries\\Retail-Stranglehold.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Program Files\\Counter-Strike 1.6\\hl.exe"=

"C:\\WINDOWS\\system32\\rtcshare.exe"=

"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=

"D:\\IGRICE\\Valve\\hltv.exe"=

"D:\\IGRICE\\Valve\\hlds.exe"=

"C:\\Program Files\\Garena\\Garena.exe"=

"D:\\IGRICE\\Warcraft III\\Warcraft III.exe"=

"D:\\IGRICE\\Warcraft III\\War3.exe"=

"D:\\IGRICE\\Farkle\\farkle.exe"=

"D:\\IGRICE\\EA GAMES\\MOHAA\\MOHAA.exe"=

"D:\\IGRICE\\Deep Silver\\Sacred 2 - Fallen Angel\\system\\s2gs.exe"=

"D:\\IGRICE\\Deep Silver\\Sacred 2 - Fallen Angel\\system\\sacred2.exe"=

"H:\\IGRICE\\2K Sports\\NBA 2K10\\nba2k10.exe"=

"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil_.exe"=

"H:\\IGRICE\\Encore\\Hoyle Card Games 2009\\Hoyle Card Games.exe"=

"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"H:\\IGRICE\\Sports Interactive\\Football Manager 2010\\fm.exe"=

"C:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"H:\\IGRICE\\League of Legends\\Air\\LolClient.exe"=

"H:\\IGRICE\\League of Legends\\Game\\League of Legends.exe"=

"H:\\IGRICE\\Empire of Sports\\EmpireOfSports.exe"=

"C:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"H:\\IGRICE\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=

"H:\\IGRICE\\NeutronGames\\HC Trainingscamp\\HCTrainingscamp.exe"=

"H:\\IGRICE\\NeutronGames\\HC Trainingscamp\\updater\\Updater.exe"=

"H:\\IGRICE\\KONAMI\\Pro Evolution Soccer 2011\\pes2011.exe"=

"H:\\IGRICE\\2K Sports\\NBA 2K11\\nba2k11.exe"=

"H:\\IGRICE\\KONAMI\\Pro Evolution Soccer 2011\\JSL-2011.exe"=

"H:\\IGRICE\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe"=

"C:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"H:\\IGRICE\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=

"H:\\IGRICE\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=

"H:\\IGRICE\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"C:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=

"C:\Program Files\Security Task Manager\TaskMan.exe"= C:\Program Files\Security Task Manager\TaskMan.exe:192.168.111.200/255.255.255.255:Enabled:Security Task Manager

"H:\\IGRICE\\Yu Gi Oh PoC Joey the Passion\\Yu-Gi-Oh! Power of Chaos JOEY THE PASSION\\joey_pc.exe"=

"C:\\Documents and Settings\\User\\Application Data\\GameRanger\\GameRanger\\GameRanger.exe"=

"H:\\IGRICE\\KONAMI\\Pro Evolution Soccer 2012\\pes2012.exe"=

"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

"C:\\Program Files\\Steam\\Steam.exe"=

"H:\\IGRICE\\2K Sports\\NBA 2K12\\nba2k12.exe"=

"C:\\Program Files\\Winamp\\winamp.exe"=

"C:\\Program Files\\SopCast\\SopCast.exe"=

"C:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=

"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"12799:TCP"= 12799:TCP:BitTorrent port

"57220:TCP"= 57220:TCP:Pando Media Booster

"57220:UDP"= 57220:UDP:Pando Media Booster

"8394:TCP"= 8394:TCP:League of Legends Launcher

"8394:UDP"= 8394:UDP:League of Legends Launcher

"6994:TCP"= 6994:TCP:League of Legends Launcher

"6994:UDP"= 6994:UDP:League of Legends Launcher

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R0 sptd;sptd;C:\WINDOWS\system32\drivers\sptd.sys [30.12.2007 17:21:56 685816]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\WINDOWS\system32\drivers\dtsoftbus01.sys [18.2.2011 16:12:12 218688]

R1 ehdrv;ehdrv;C:\WINDOWS\system32\drivers\ehdrv.sys [21.12.2010 15:04:06 115008]

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [28.5.2008 10:33:36 9968]

R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [28.5.2008 10:33:36 74480]

R1 SAVRKBootTasks;Boot Tasks Driver;C:\WINDOWS\system32\SAVRKBootTasks.sys [2.7.2011 4:38:17 18816]

R2 acedrv10;acedrv10;C:\WINDOWS\system32\drivers\ACEDRV10.sys [24.7.2007 9:45:20 328824]

R2 acehlp10;acehlp10;C:\WINDOWS\system32\drivers\acehlp10.sys [11.7.2007 10:20:26 201848]

R2 ekrn;ESET Service;C:\Program Files\ESET\ESET Smart Security\ekrn.exe [12.1.2011 16:41:42 810144]

R2 MBAMService;MBAMService;C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [27.4.2011 0:52:44 652872]

R2 nxsIO32;NextSensor Kernel I/O Driver;C:\WINDOWS\system32\drivers\nxsIO32.sys [7.10.2007 5:23:47 2208]

R3 ham50;Intel V92 HaM Data Fax Voice;C:\WINDOWS\system32\drivers\IntelH51.sys [6.10.2007 2:09:01 454815]

R3 MBAMProtector;MBAMProtector;C:\WINDOWS\system32\drivers\mbam.sys [27.4.2011 0:52:39 20464]

R3 pcouffin;VSO Software pcouffin;C:\WINDOWS\system32\drivers\pcouffin.sys [9.6.2009 0:13:23 47360]

S0 Lbd;Lbd;C:\WINDOWS\system32\DRIVERS\Lbd.sys --> C:\WINDOWS\system32\DRIVERS\Lbd.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.3.2010 13:16:28 130384]

S2 gupdate1ca146cd430540;Услуга Google Update (gupdate1ca146cd430540);C:\Program Files\Google\Update\GoogleUpdate.exe [3.8.2009 20:56:02 133104]

S3 ALSysIO;ALSysIO;\??\C:\DOCUME~1\User\LOCALS~1\Temp\ALSysIO.sys --> C:\DOCUME~1\User\LOCALS~1\Temp\ALSysIO.sys [?]

S3 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys --> C:\WINDOWS\system32\DRIVERS\AmdTools.sys [?]

S3 Amps2prt;A4Tech PS/2 Port Mouse Driver;C:\WINDOWS\system32\drivers\Amps2prt.sys [14.5.2007 23:40:16 14336]

S3 GarenaPEngine;GarenaPEngine;\??\C:\DOCUME~1\User\LOCALS~1\Temp\YFH31BF.tmp --> C:\DOCUME~1\User\LOCALS~1\Temp\YFH31BF.tmp [?]

S3 GGSAFERDriver;GGSAFER Driver;\??\C:\Program Files\Garena\safedrv.sys --> C:\Program Files\Garena\safedrv.sys [?]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files\Google\Update\GoogleUpdate.exe [3.8.2009 20:56:02 133104]

S3 hwusbdev;Huawei DataCard USB PNP Device;C:\WINDOWS\system32\drivers\ewusbdev.sys [19.5.2011 19:57:08 100480]

S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe [15.1.2010 14:49:20 227232]

S3 MEMSWEEP2;MEMSWEEP2;\??\C:\WINDOWS\system32\1151.tmp --> C:\WINDOWS\system32\1151.tmp [?]

S3 SASENUM;SASENUM;C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [28.5.2008 10:33:38 7408]

S3 SynasUSB;SynasUSB;C:\WINDOWS\system32\drivers\synasUSB.sys [28.7.2011 16:08:14 18432]

S3 vsc32;Virtual Sound Canvas 3.2;C:\WINDOWS\system32\DRIVERS\vsc.sys --> C:\WINDOWS\system32\DRIVERS\vsc.sys [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.3.2010 13:16:28 753504]

S3 zlportio;zlportio;\??\D:\IGRICE\UltraStar Deluxe\zlportio.sys --> D:\IGRICE\UltraStar Deluxe\zlportio.sys [?]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [11.7.2008 2:28:04 47128]

S4 RsFx0102;RsFx0102 Driver;C:\WINDOWS\system32\drivers\RsFx0102.sys [10.7.2008 3:49:14 242712]

S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [11.7.2008 2:28:06 369688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

Contents of the 'Scheduled Tasks' folder

2012-04-22 C:\WINDOWS\Tasks\Google Software Updater.job

- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-28 20:40:50 . 2009-04-04 00:50:04]

2012-04-22 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job

- C:\Program Files\Google\Update\GoogleUpdate.exe [2009-08-03 18:56:02 . 2009-08-03 18:55:56]

2012-04-22 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job

- C:\Program Files\Google\Update\GoogleUpdate.exe [2009-08-03 18:56:02 . 2009-08-03 18:55:56]

2012-04-21 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-527237240-725345543-1003Core.job

- C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-29 21:18:09 . 2008-11-29 21:18:08]

2012-04-22 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-527237240-725345543-1003UA.job

- C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-29 21:18:09 . 2008-11-29 21:18:08]

2012-04-22 C:\WINDOWS\Tasks\HP WEP.job

- C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 12:28:34 . 2007-04-25 12:28:34]

2012-02-24 C:\WINDOWS\Tasks\photostageShakeIcon.job

- C:\Program Files\NCH Software\PhotoStage\photostage.exe [2012-02-18 00:39:31 . 2012-02-18 00:39:32]

2012-04-22 C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-1275210071-527237240-725345543-1003.job

- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2011-03-29 08:47:46 . 2011-03-29 08:47:46]

2012-04-22 C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-1275210071-527237240-725345543-1003.job

- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2011-03-29 08:47:46 . 2011-03-29 08:47:46]

------- Supplementary Scan -------

uStart Page = hxxp://www.google.rs/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = local;*.local

IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

IE: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

TCP: DhcpNameServer = 82.117.194.2 82.117.194.3

FF - ProfilePath - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\dm5592b1.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/cse?cx=partner-pub-9609672093949948%3A2pdkvfm6u5y&ie=ISO-8859-1&q=

FF - prefs.js: browser.startup.homepage - hxxp://www.google.rs/

FF - prefs.js: keyword.URL - hxxp://www.google.com/cse?cx=partner-pub-5528014799800033:cevktqnfrvl&ie=ISO-8859-1&q=

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

------- File Associations -------

.reg=Regedit.Document

- - - - ORPHANS REMOVED - - - -

AddRemove-DkZ Studio0.9.0 - C:\WINDOWS\iun6002.exe

AddRemove-FingerPower! Vol. 11.0 - C:\WINDOWS\iun6002.exe

AddRemove-Internet Jamb 2006 - C:\WINDOWS\iun6002.exe

AddRemove-Pharaoh's Mystery_is1 - D:\NEW DOWNLOADS 5\MyPlayCity.com\Pharaoh's Mystery\unins000.exe

AddRemove-Slot_Machine_98_v5.2 - C:\WINDOWS\iun6002.exe


The log file is cut. Please make sure you copy/paste the entire log file.


Sorry...

Here is the newest log

ComboFix 12-04-22.01 - User 22.04.2012 21:45:26.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1251.381.1033.18.2047.1168 [GMT 2:00]

Running from: f:\razno\ComboFix.exe

AV: ESET Smart Security 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *Disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

.

.

((((((((((((((((((((((((( Files Created from 2012-03-22 to 2012-04-22 )))))))))))))))))))))))))))))))

.

.

2012-04-15 16:30 . 2012-04-15 16:30 -------- d-----w- c:\program files\Perfect Uninstaller

2012-04-14 16:35 . 2012-04-14 16:35 -------- d-----w- C:\TDSSKiller_Quarantine

2012-04-14 16:14 . 2012-04-14 16:14 1409 ----a-w- c:\windows\QTFont.for

2012-04-05 20:39 . 2012-04-05 20:39 -------- d-----w- c:\program files\Freemake

2012-03-25 21:36 . 2012-04-22 14:20 -------- d-----w- c:\program files\Smart File Advisor

2012-03-25 21:36 . 2012-03-25 21:36 -------- d-----w- c:\program files\Smart Projects

2012-03-25 01:51 . 2012-04-18 17:36 -------- d-----w- c:\documents and settings\User\Application Data\vlc

2012-03-24 14:37 . 2012-03-24 14:37 -------- d-----w- c:\program files\PITCH

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-03-13 04:39 . 2012-04-17 04:32 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-03-23 14:05 92281056 --sh--w- c:\windows\setupa.exe

2006-05-03 10:06 163328 --sha-r- c:\windows\system32\flvDX.dll

2007-02-21 11:47 31232 --sha-r- c:\windows\system32\msfDX.dll

2008-03-16 13:30 216064 --sha-r- c:\windows\system32\nbDX.dll

2010-01-06 22:00 107520 --sha-r- c:\windows\system32\TAKDSDecoder.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]

"SkinClock"="c:\program files\Free Desktop Clock\DesktopClock.exe" [2010-11-21 1113600]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]

"Steam"="c:\program files\Steam\Steam.exe" [2011-11-02 1242448]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

"nwiz"="nwiz.exe" [2006-10-22 1622016]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 16342528]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

"TWCU"="c:\program files\TP-LINK\TWCU\TWCU.exe" [2006-03-29 364544]

"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]

"WheelMouse"="c:\program files\A4Tech\Mouse\Amoumain.exe" [2007-05-15 204800]

"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-06-01 273544]

"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-01-12 2219184]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-07-11 74752]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-29 937920]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]

"Smart File Advisor"="c:\program files\Smart File Advisor\sfa.exe" [2011-04-04 280824]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2007-5-17 24576]

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-09 12:18 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^The Matrix_ Path of Neo Registration.lnk]

path=c:\documents and settings\User\Start Menu\Programs\Startup\The Matrix_ Path of Neo Registration.lnk

backup=c:\windows\pss\The Matrix_ Path of Neo Registration.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]

2008-07-22 11:53 77824 -c--a-w- c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"d:\\IGRICE\\Valve\\hl.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\ECR Tool\\ECRSrvAPI.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"d:\\IGRICE\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=

"d:\\IGRICE\\Midway Home Entertainment\\Stranglehold\\Binaries\\Retail-Stranglehold.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Counter-Strike 1.6\\hl.exe"=

"c:\\WINDOWS\\system32\\rtcshare.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=

"d:\\IGRICE\\Valve\\hltv.exe"=

"d:\\IGRICE\\Valve\\hlds.exe"=

"c:\\Program Files\\Garena\\Garena.exe"=

"d:\\IGRICE\\Warcraft III\\Warcraft III.exe"=

"d:\\IGRICE\\Warcraft III\\War3.exe"=

"d:\\IGRICE\\Farkle\\farkle.exe"=

"d:\\IGRICE\\EA GAMES\\MOHAA\\MOHAA.exe"=

"d:\\IGRICE\\Deep Silver\\Sacred 2 - Fallen Angel\\system\\s2gs.exe"=

"d:\\IGRICE\\Deep Silver\\Sacred 2 - Fallen Angel\\system\\sacred2.exe"=

"h:\\IGRICE\\2K Sports\\NBA 2K10\\nba2k10.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil_.exe"=

"h:\\IGRICE\\Encore\\Hoyle Card Games 2009\\Hoyle Card Games.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"h:\\IGRICE\\Sports Interactive\\Football Manager 2010\\fm.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"h:\\IGRICE\\League of Legends\\Air\\LolClient.exe"=

"h:\\IGRICE\\League of Legends\\Game\\League of Legends.exe"=

"h:\\IGRICE\\Empire of Sports\\EmpireOfSports.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"h:\\IGRICE\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=

"h:\\IGRICE\\NeutronGames\\HC Trainingscamp\\HCTrainingscamp.exe"=

"h:\\IGRICE\\NeutronGames\\HC Trainingscamp\\updater\\Updater.exe"=

"h:\\IGRICE\\KONAMI\\Pro Evolution Soccer 2011\\pes2011.exe"=

"h:\\IGRICE\\2K Sports\\NBA 2K11\\nba2k11.exe"=

"h:\\IGRICE\\KONAMI\\Pro Evolution Soccer 2011\\JSL-2011.exe"=

"h:\\IGRICE\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"h:\\IGRICE\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=

"h:\\IGRICE\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=

"h:\\IGRICE\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=

"c:\program files\Security Task Manager\TaskMan.exe"= c:\program files\Security Task Manager\TaskMan.exe:192.168.111.200/255.255.255.255:Enabled:Security Task Manager

"h:\\IGRICE\\Yu Gi Oh PoC Joey the Passion\\Yu-Gi-Oh! Power of Chaos JOEY THE PASSION\\joey_pc.exe"=

"c:\\Documents and Settings\\User\\Application Data\\GameRanger\\GameRanger\\GameRanger.exe"=

"h:\\IGRICE\\KONAMI\\Pro Evolution Soccer 2012\\pes2012.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"h:\\IGRICE\\2K Sports\\NBA 2K12\\nba2k12.exe"=

"c:\\Program Files\\Winamp\\winamp.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"12799:TCP"= 12799:TCP:BitTorrent port

"57220:TCP"= 57220:TCP:Pando Media Booster

"57220:UDP"= 57220:UDP:Pando Media Booster

"8394:TCP"= 8394:TCP:League of Legends Launcher

"8394:UDP"= 8394:UDP:League of Legends Launcher

"6994:TCP"= 6994:TCP:League of Legends Launcher

"6994:UDP"= 6994:UDP:League of Legends Launcher

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

.

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [30.12.2007 17:21 685816]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [18.2.2011 16:12 218688]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [21.12.2010 15:04 115008]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [28.5.2008 10:33 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28.5.2008 10:33 74480]

R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2.7.2011 4:38 18816]

R2 acedrv10;acedrv10;c:\windows\system32\drivers\ACEDRV10.sys [24.7.2007 9:45 328824]

R2 acehlp10;acehlp10;c:\windows\system32\drivers\acehlp10.sys [11.7.2007 10:20 201848]

R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [12.1.2011 16:41 810144]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [27.4.2011 0:52 652872]

R2 nxsIO32;NextSensor Kernel I/O Driver;c:\windows\system32\drivers\nxsIO32.sys [7.10.2007 5:23 2208]

R3 ham50;Intel V92 HaM Data Fax Voice;c:\windows\system32\drivers\IntelH51.sys [6.10.2007 2:09 454815]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [27.4.2011 0:52 20464]

R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [9.6.2009 0:13 47360]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.3.2010 13:16 130384]

S2 gupdate1ca146cd430540;Услуга Google Update (gupdate1ca146cd430540);c:\program files\Google\Update\GoogleUpdate.exe [3.8.2009 20:56 133104]

S3 ALSysIO;ALSysIO;\??\c:\docume~1\User\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\User\LOCALS~1\Temp\ALSysIO.sys [?]

S3 amdtools;AMD Special Tools Driver;c:\windows\system32\DRIVERS\AmdTools.sys --> c:\windows\system32\DRIVERS\AmdTools.sys [?]

S3 Amps2prt;A4Tech PS/2 Port Mouse Driver;c:\windows\system32\drivers\Amps2prt.sys [14.5.2007 23:40 14336]

S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\User\LOCALS~1\Temp\YFH31BF.tmp --> c:\docume~1\User\LOCALS~1\Temp\YFH31BF.tmp [?]

S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\safedrv.sys --> c:\program files\Garena\safedrv.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3.8.2009 20:56 133104]

S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [19.5.2011 19:57 100480]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15.1.2010 14:49 227232]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1151.tmp --> c:\windows\system32\1151.tmp [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28.5.2008 10:33 7408]

S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [28.7.2011 16:08 18432]

S3 vsc32;Virtual Sound Canvas 3.2;c:\windows\system32\DRIVERS\vsc.sys --> c:\windows\system32\DRIVERS\vsc.sys [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.3.2010 13:16 753504]

S3 zlportio;zlportio;\??\d:\igrice\UltraStar Deluxe\zlportio.sys --> d:\igrice\UltraStar Deluxe\zlportio.sys [?]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [11.7.2008 2:28 47128]

S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [10.7.2008 3:49 242712]

S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [11.7.2008 2:28 369688]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-04-22 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-28 00:50]

.

2012-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-03 18:55]

.

2012-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-03 18:55]

.

2012-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-527237240-725345543-1003Core.job

- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-29 21:18]

.

2012-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-527237240-725345543-1003UA.job

- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-29 21:18]

.

2012-04-22 c:\windows\Tasks\HP WEP.job

- c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 12:28]

.

2012-02-24 c:\windows\Tasks\photostageShakeIcon.job

- c:\program files\NCH Software\PhotoStage\photostage.exe [2012-02-18 00:39]

.

2012-04-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1275210071-527237240-725345543-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 08:47]

.

2012-04-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1275210071-527237240-725345543-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 08:47]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.rs/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = local;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

TCP: DhcpNameServer = 82.117.194.2 82.117.194.3

FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\dm5592b1.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/cse?cx=partner-pub-9609672093949948%3A2pdkvfm6u5y&ie=ISO-8859-1&q=

FF - prefs.js: browser.startup.homepage - hxxp://www.google.rs/

FF - prefs.js: keyword.URL - hxxp://www.google.com/cse?cx=partner-pub-5528014799800033:cevktqnfrvl&ie=ISO-8859-1&q=

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

.

------- File Associations -------

.

.reg=Regedit.Document

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-DkZ Studio0.9.0 - c:\windows\iun6002.exe

AddRemove-FingerPower! Vol. 11.0 - c:\windows\iun6002.exe

AddRemove-Internet Jamb 2006 - c:\windows\iun6002.exe

AddRemove-Pharaoh's Mystery_is1 - d:\new downloads 5\MyPlayCity.com\Pharaoh's Mystery\unins000.exe

AddRemove-Slot_Machine_98_v5.2 - c:\windows\iun6002.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-04-22 21:57

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]

"ImagePath"="\??\c:\docume~1\User\LOCALS~1\Temp\YFH31BF.tmp"

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\1151.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1612)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

- - - - - - - > 'explorer.exe'(3096)

c:\program files\CyberLink\PowerDVD\deskband.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\msi.dll

c:\windows\system32\browselc.dll

.

Completion time: 2012-04-22 22:02:43

ComboFix-quarantined-files.txt 2012-04-22 20:02

.

Pre-Run: 3.655.905.280 bytes free

Post-Run: 3.644.755.968 bytes free

.

- - End Of File - - 71CF58A18961FB11110CFF3A62C43809


Step 1

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

Click the cog in the upper right


Select down to and including your main drive. Once done, select the Automatic scan tab and press Start Scan


Allow AVP to delete all infections found

Once it has finished, select the Report tab (last tab)

Select the Detected threats report from the left and press the Save button

Save it to your desktop and post it in your next reply.

Step 2

Download aswMBR.exe (1.8 MB) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start the scan

On completion of the scan, click Save log, save it to your desktop and post it in your next reply


In your next reply, post the following log files:

  • Kaspersky AVP
  • aswMBR log


Finally, this morning Kaspersky finished its job... :)

log:

Status: Deleted (events: 41)

23.4.2012 20:30:35 Deleted adware not-a-virus:AdWare.Win32.OneStep.hbp D:\NEW DOWNLOADS 4\Wooden theme.exe Medium

23.4.2012 20:30:35 Deleted adware not-a-virus:AdWare.Win32.OneStep.hbp D:\NEW DOWNLOADS 4\Wooden theme.exe//# Medium

23.4.2012 20:30:35 Deleted adware not-a-virus:AdWare.Win32.OneStep.hbp D:\NEW DOWNLOADS 4\Wooden theme.exe//#//kfsetup_122_keenwebd.exe Medium

23.4.2012 20:30:35 Deleted adware not-a-virus:AdWare.Win32.OneStep.hbp D:\NEW DOWNLOADS 4\Wooden theme.exe//#//kfsetup_122_keenwebd.exe//data0000.res Medium

23.4.2012 20:30:35 Deleted adware not-a-virus:AdWare.Win32.OneStep.hbp D:\NEW DOWNLOADS 4\Wooden theme.exe//#//kfsetup_122_keenwebd.exe//data0000.res//keenfinder.exe Medium

23.4.2012 20:33:10 Deleted Trojan program Trojan.Win32.Inject.bwjm D:\NEW DOWNLOADS 4\full_GetFLV.8.79-SND\full_GetFLV.8.79-SND\GetFLV.8.79-SND\GetFLV 8.79_Patch&Keygen.exe High

23.4.2012 20:33:19 Deleted Trojan program Trojan.Win32.Inject.bwjm D:\NEW DOWNLOADS 4\getflv8\crack\GetFLV 8.79_Patch&Keygen.exe High

23.4.2012 21:34:12 Deleted Trojan program Trojan.Win32.Genome.afqz F:\Download arhiva 5\chtdutrn.exe High

23.4.2012 21:34:38 Deleted Trojan program Trojan.Win32.Pincav.vvt F:\MAXTOR F PARTICIJA\GAMES 2\ruskirulet11\RuskiRulet_v1_1.exe High

23.4.2012 21:52:22 Deleted Trojan program Trojan-Downloader.Win32.IstBar.gen F:\MAXTOR H PARTICIJA\My Documents\DAP Downloads\candk igra.exe High

23.4.2012 21:52:22 Deleted Trojan program Trojan-Downloader.Win32.IstBar.gen F:\MAXTOR H PARTICIJA\My Documents\DAP Downloads\candk igra.exe//UPX High

23.4.2012 21:52:22 Deleted Trojan program Trojan-Downloader.Win32.IstBar.gen F:\MAXTOR H PARTICIJA\My Documents\DAP Downloads\candk igra.exe//UPX//gamesforfree.exe High

23.4.2012 21:52:22 Deleted Trojan program Trojan-Downloader.Win32.IstBar.gen F:\MAXTOR H PARTICIJA\My Documents\DAP Downloads\candk igra.exe//UPX//gamesforfree.exe//UPX High

23.4.2012 21:52:33 Deleted adware not-a-virus:AdWare.Win32.WinAD.i F:\MAXTOR H PARTICIJA\My Documents\DAP Downloads\de igra.exe Medium

23.4.2012 21:52:33 Deleted adware not-a-virus:AdWare.Win32.WinAD.i F:\MAXTOR H PARTICIJA\My Documents\DAP Downloads\de igra.exe//UPX Medium

23.4.2012 21:52:33 Deleted adware not-a-virus:AdWare.Win32.WinAD.i F:\MAXTOR H PARTICIJA\My Documents\DAP Downloads\de igra.exe//UPX//gamesforfree.exe Medium

23.4.2012 21:52:33 Deleted adware not-a-virus:AdWare.Win32.WinAD.i F:\MAXTOR H PARTICIJA\My Documents\DAP Downloads\de igra.exe//UPX//gamesforfree.exe//UPX Medium

23.4.2012 21:52:42 Deleted Trojan program Trojan.Win32.Keenval.a F:\MAXTOR H PARTICIJA\My Documents\DAP Downloads\gmchess.exe High

23.4.2012 21:52:42 Deleted adware not-a-virus:AdWare.Win32.MegaSearch.g F:\MAXTOR H PARTICIJA\My Documents\DAP Downloads\gmchess.exe//Alawar_gamebar.exe Medium

23.4.2012 21:52:42 Deleted adware not-a-virus:AdWare.Win32.MegaSearch.g F:\MAXTOR H PARTICIJA\My Documents\DAP Downloads\gmchess.exe//Alawar_gamebar.exe//Alawar_bundle.exe Medium

23.4.2012 21:52:42 Deleted adware not-a-virus:AdWare.Win32.MegaSearch.g F:\MAXTOR H PARTICIJA\My Documents\DAP Downloads\gmchess.exe//Alawar_gamebar.exe//Alawar_bundle.exe//setup_powersearch_Alawar.exe Medium

23.4.2012 21:52:42 Deleted adware not-a-virus:AdWare.Win32.MegaSearch.g F:\MAXTOR H PARTICIJA\My Documents\DAP Downloads\gmchess.exe//Alawar_gamebar.exe//Alawar_bundle.exe//setup_powersearch_Alawar.exe//pwrsal01.dll Medium

23.4.2012 21:52:42 Deleted Trojan program Trojan-Downloader.Win32.Keenval.n F:\MAXTOR H PARTICIJA\My Documents\DAP Downloads\gmchess.exe//Alawar_gamebar.exe//Alawar_bundle.exe//setup_powersearch_Alawar.exe//setup.exe High

23.4.2012 21:52:42 Deleted Trojan program Trojan-Downloader.Win32.Keenval.h F:\MAXTOR H PARTICIJA\My Documents\DAP Downloads\gmchess.exe//Alawar_gamebar.exe//Alawar_bundle.exe//setup_Incredifind_Alawar.exe High

23.4.2012 21:52:42 Deleted Trojan program Trojan-Downloader.Win32.Keenval.h F:\MAXTOR H PARTICIJA\My Documents\DAP Downloads\gmchess.exe//Alawar_gamebar.exe//Alawar_bundle.exe//setup_Incredifind_Alawar.exe//SearchUpgraderInstall_153.exe High

23.4.2012 21:52:42 Deleted Trojan program Trojan-Downloader.Win32.Keenval.h F:\MAXTOR H PARTICIJA\My Documents\DAP Downloads\gmchess.exe//Alawar_gamebar.exe//Alawar_bundle.exe//setup_Incredifind_Alawar.exe//SearchUpgraderInstall_153.exe//data0005 High

23.4.2012 21:52:42 Deleted Trojan program Trojan.Win32.Keenval.a F:\MAXTOR H PARTICIJA\My Documents\DAP Downloads\gmchess.exe//Alawar_gamebar.exe//Alawar_bundle.exe//setup_Incredifind_Alawar.exe//IncFindBHO170.dll High

23.4.2012 21:54:30 Deleted Trojan program Trojan-Downloader.Win32.IstBar.gen F:\MAXTOR H PARTICIJA\My Documents\DAP Downloads\lightswitch.exe High

23.4.2012 21:54:30 Deleted Trojan program Trojan-Downloader.Win32.IstBar.gen F:\MAXTOR H PARTICIJA\My Documents\DAP Downloads\lightswitch.exe//UPX High

23.4.2012 21:54:30 Deleted Trojan program Trojan-Downloader.Win32.IstBar.gen F:\MAXTOR H PARTICIJA\My Documents\DAP Downloads\lightswitch.exe//UPX//gamesforfree.exe High

23.4.2012 21:54:30 Deleted Trojan program Trojan-Downloader.Win32.IstBar.gen F:\MAXTOR H PARTICIJA\My Documents\DAP Downloads\lightswitch.exe//UPX//gamesforfree.exe//UPX High

23.4.2012 22:02:49 Deleted Trojan program Trojan-GameThief.Win32.Taworm.eey F:\MAXTOR H PARTICIJA\My Documents\RAZNO\Antinetsky-EN.exe High

23.4.2012 22:02:49 Deleted Trojan program Trojan-GameThief.Win32.Taworm.eey F:\MAXTOR H PARTICIJA\My Documents\RAZNO\Antinetsky-EN.exe//UPX High

23.4.2012 22:56:56 Deleted Trojan program Trojan-PSW.PHP.Agent.j F:\RAZNO\G-PHI$HING.rar High

23.4.2012 22:56:56 Deleted Trojan program Trojan-PSW.PHP.Agent.k F:\RAZNO\G-PHI$HING.rar//G-PHI$HING/Gmail.de/login.php High

23.4.2012 22:56:56 Deleted Trojan program Trojan-PSW.PHP.Agent.j F:\RAZNO\G-PHI$HING.rar//G-PHI$HING/Gmail.com/mail.php High

23.4.2012 23:45:32 Deleted Trojan program Trojan-PSW.PHP.Agent.j F:\RAZNO\G-PHI$HING\G-PHI$HING\Gmail.com\mail.php High

23.4.2012 23:45:57 Deleted Trojan program Trojan-PSW.PHP.Agent.k F:\RAZNO\G-PHI$HING\G-PHI$HING\Gmail.de\login.php High

24.4.2012 2:37:09 Deleted unknown threat UDS:DangerousObject.Multi.Generic G:\Downloads\GarenaMaster-v89.02\DATA\DLL\Warcraft3.dll High

24.4.2012 6:08:50 Deleted Trojan program Trojan.Win32.Menti.ikfc H:\IGRICE\Mini Games\PopCap Games\Pocket Tanks\game.exe High

24.4.2012 6:19:47 Deleted Trojan program Trojan.Win32.Menti.ikfc H:\IGRICE\Pocket Tanks\game.exe High

Status: Disinfected (events: 4)

23.4.2012 21:33:21 Disinfected Trojan program Trojan-PSW.Win32.LdPinch.auap F:\MAXTOR F PARTICIJA\ARHIVA STARI KOMPJUTER\Od Marina\TABLATURE\INSTALL\TABLEDIT_V2_60__A10_.ZIP High

23.4.2012 21:33:21 Disinfected Trojan program Trojan-PSW.Win32.LdPinch.auap F:\MAXTOR F PARTICIJA\ARHIVA STARI KOMPJUTER\Od Marina\TABLATURE\INSTALL\TABLEDIT_V2_60__A10_.ZIP/Tabledit v2.60 crack.exe High

23.4.2012 21:33:31 Disinfected Trojan program Trojan.Win32.Pincav.vvt F:\MAXTOR F PARTICIJA\GAMES 2\ruskirulet11.zip High

23.4.2012 21:33:31 Disinfected Trojan program Trojan.Win32.Pincav.vvt F:\MAXTOR F PARTICIJA\GAMES 2\ruskirulet11.zip/RuskiRulet_v1_1.exe High


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-04-24 07:17:10

-----------------------------

07:17:10.343 OS Version: Windows 5.1.2600 Service Pack 2

07:17:10.343 Number of processors: 2 586 0x6B01

07:17:10.343 ComputerName: MOBILE UserName: User

07:17:10.781 Initialize success

07:27:06.203 AVAST engine defs: 12042301

07:27:39.296 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5

07:27:39.296 Disk 0 Vendor: WDC_WD2500KS-00MJB0 02.01C03 Size: 238475MB BusType: 3

07:27:39.296 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T1L0-19

07:27:39.296 Disk 1 Vendor: Hitachi_HDP725050GLA360 GM4OA5CA Size: 476940MB BusType: 3

07:27:39.312 Disk 0 MBR read successfully

07:27:39.312 Disk 0 MBR scan

07:27:39.343 Disk 0 Windows XP default MBR code

07:27:39.359 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 49999 MB offset 63

07:27:39.359 Disk 0 Partition - 00 0F Extended LBA 188465 MB offset 102398310

07:27:39.375 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 188465 MB offset 102398373

07:27:39.375 Disk 0 scanning sectors +488376000

07:27:39.453 Disk 0 scanning C:\WINDOWS\system32\drivers

07:27:59.453 Service scanning

07:28:18.859 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32

07:28:23.906 Modules scanning

07:28:30.531 Module: C:\WINDOWS\System32\DRIVERS\nxsIO32.sys **SUSPICIOUS**

07:28:30.937 Disk 0 trace - called modules:

07:28:30.953 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll sfsync04.sys >>UNKNOWN [0x8a5521e8]<<

07:28:31.281 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a529ab8]

07:28:31.281 3 CLASSPNP.SYS[ba0e8fcf] -> nt!IofCallDriver -> \Device\0000009e[0x8a596290]

07:28:31.281 5 ACPI.sys[b9e7d620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-5[0x8a4e1940]

07:28:31.281 \Driver\atapi[0x8a5c9378] -> IRP_MJ_CREATE -> 0x8a5521e8

07:28:31.593 AVAST engine scan C:\WINDOWS

07:28:52.437 AVAST engine scan C:\WINDOWS\system32

07:33:21.109 AVAST engine scan C:\WINDOWS\system32\drivers

07:33:41.015 AVAST engine scan C:\Documents and Settings\User

07:58:02.453 AVAST engine scan C:\Documents and Settings\All Users

08:22:33.046 Scan finished successfully

08:36:17.796 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\My Documents\MBR.dat"

08:36:17.796 The log file has been saved successfully to "C:\Documents and Settings\User\My Documents\aswMBR.txt"


Results:

Upload speed is still 0. Not measurable.

That's probably the reason why I can't send any emails.

I can just get them.

Facebook is not reachable (after cleaning cache & cookies I can get to the Facebook home page, but not log in to my account. On the next try I cannot even get to the home page).

Isohunt works, more or less (not stable, but it can be about the browser, servers...).

I again checked the same internet cable with my neighbor's laptop.

Upload speed is OK, and it's possible to reach Facebook.

So, it seems the problem is not connected to my ISP or my internet connection.

I hope those logs will help.

I can't wait to solve this problem.


Thanks for your information!

Please visit www.virustotal.com and upload the following file:

C:\WINDOWS\System32\DRIVERS\nxsIO32.sys

Wait until the scan has finished and then post the link in your next reply.
