Neohart
2011-09-27, 07:13
Hello and thank you for taking the time to read this, I have been having a problem recently with my computer running slow, And after about 15-20 minutes of the computer being on, I hear wierd sounds and then i cannot use my taskbar at all!
If i open task manager I see that one of my svchost.exe is running very high!
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Wut at 23:08:33 on 2011-09-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2444 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\McAfee Security Scan\2.1.121\SSScheduler.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CSHelper.exe
C:\Program Files\Dyyno\Dyyno Broadcaster\launcherd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Dyyno Launcher] "c:\program files\dyyno\dyyno broadcaster\dyyno_launcher.exe" 30100 30101 30102 30103 30104
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10v_Plugin.exe -update plugin
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [StartNowToolbarHelper] "c:\program files\startnow toolbar\ToolbarHelper.exe"
mRun: [!AVG Anti-Spyware] "c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe" /minimized
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gamers~1.lnk - c:\program files\gamersfirst\live!\Live.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.1.121\SSScheduler.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: Interfaces\{8A2FAEC1-E7D6-4AF2-A954-18DE8C48542D} : DhcpNameServer = 192.168.1.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\wut\application data\mozilla\firefox\profiles\znpdqnqv.default\
FF - prefs.js: browser.search.defaulturl - Bing
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - joystiq.com
FF - prefs.js: keyword.URL - hxxp://serp.freecause.com/?ourmark=3&sid=100275&q=
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npArtistScope42.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npArtistScopeDRM11.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\windows\system32\npOGPPlugin.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2007-5-30 11000]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2011-9-26 10872]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-5-28 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-5-28 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-5-28 269480]
R2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2007-5-30 312880]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-5-28 66616]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-2-19 22504]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2010-7-21 266240]
R2 Dyyno Launcher;Dyyno Service;c:\program files\dyyno\dyyno broadcaster\launcherd.exe [2011-5-18 415072]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-8-4 1361288]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-12-2 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-2 22216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-4-16 1684736]
S3 cpuz132;cpuz132;\??\c:\docume~1\jdawg\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\jdawg\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.1.121\McCHSvc.exe [2010-9-3 227232]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 vtany;vtany;\??\c:\windows\vtany.sys --> c:\windows\vtany.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 xhunter1;xhunter1;\??\c:\windows\xhunter1.sys --> c:\windows\xhunter1.sys [?]
S4 Updater Service for StartNow Toolbar;Updater Service for StartNow Toolbar;c:\program files\startnow toolbar\ToolbarUpdaterService.exe [2011-7-27 267488]
.
=============== Created Last 30 ================
.
2011-09-27 04:01:50 -------- d-----w- c:\documents and settings\wut\application data\Grisoft
2011-09-27 00:09:30 -------- d-----w- c:\program files\common files\ParetoLogic
2011-09-27 00:09:26 -------- d-----w- c:\program files\ParetoLogic
2011-09-27 00:09:26 -------- d-----w- c:\documents and settings\all users\application data\ParetoLogic
2011-09-26 23:20:00 10872 ----a-w- c:\windows\system32\drivers\AvgAsCln.sys
2011-09-26 23:19:59 -------- d-----w- c:\documents and settings\all users\application data\Grisoft
2011-09-18 03:35:18 -------- d-----w- c:\program files\The Free YouTube Downloader
2011-09-18 03:34:50 -------- d-----w- c:\program files\StartNow Toolbar
2011-09-17 16:16:44 -------- d-----w- c:\documents and settings\wut\application data\GetRightToGo
2011-09-14 03:32:48 -------- d-----w- c:\documents and settings\wut\riotsGamesLogs
2011-09-08 14:02:28 0 ----a-w- c:\documents and settings\wut\local settings\application data\tbpx.exe
2011-09-08 14:02:28 0 ----a-w- c:\documents and settings\wut\local settings\application data\rntq.exe
2011-09-08 14:02:28 0 ----a-w- c:\documents and settings\wut\local settings\application data\htod.exe
2011-09-08 14:02:28 0 ----a-w- c:\documents and settings\wut\local settings\application data\frcj.exe
2011-09-08 14:02:28 0 ----a-w- c:\documents and settings\all users\application data\tnan.exe
2011-09-08 14:02:28 0 ----a-w- c:\documents and settings\all users\application data\nwby.exe
2011-09-08 14:02:28 0 ----a-w- c:\documents and settings\all users\application data\mmpk.exe
2011-09-08 14:02:28 0 ----a-w- c:\documents and settings\all users\application data\joft.exe
.
==================== Find3M ====================
.
2011-09-17 19:45:13 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-09-17 19:45:13 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-09-13 22:56:57 141200 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-09-13 22:56:48 281656 -c--a-w- c:\windows\system32\PnkBstrB.xtr
2011-09-13 22:56:48 281656 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-09-09 09:11:14 599552 ----a-w- c:\windows\system32\crypt32.dll
2011-09-04 16:07:33 281656 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-15 22:56:24 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-28 22:49:12 53760 ----a-w- c:\windows\system32\OVDecode.dll
2011-07-28 22:48:36 13555712 ----a-w- c:\windows\system32\amdocl.dll
2011-07-28 22:20:10 7084544 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2011-07-28 22:17:42 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2011-07-28 22:01:36 57344 ----a-w- c:\windows\system32\aticalrt.dll
2011-07-28 22:01:30 53248 ----a-w- c:\windows\system32\aticalcl.dll
2011-07-28 21:57:54 5697536 ----a-w- c:\windows\system32\aticaldd.dll
2011-07-28 21:40:22 18440192 ----a-w- c:\windows\system32\atioglxx.dll
2011-07-28 21:34:58 3973696 ----a-w- c:\windows\system32\ati3duag.dll
2011-07-28 21:32:10 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-07-28 21:31:06 303104 ----a-w- c:\windows\system32\ati2dvag.dll
2011-07-28 21:27:30 956160 ----a-w- c:\windows\system32\ativvamv.dll
2011-07-28 21:15:32 3166208 ----a-w- c:\windows\system32\ativvaxx.dll
2011-07-28 21:14:02 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2011-07-28 21:13:50 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2011-07-28 21:13:40 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2011-07-28 21:13:34 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-07-28 21:13:20 188416 ----a-w- c:\windows\system32\ati2evxx.dll
2011-07-28 21:12:06 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2011-07-28 21:10:48 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2011-07-28 21:09:28 151552 ----a-w- c:\windows\system32\atiapfxx.exe
2011-07-28 21:05:36 704512 ----a-w- c:\windows\system32\atikvmag.dll
2011-07-28 21:01:08 208896 ----a-w- c:\windows\system32\atiadlxx.dll
2011-07-28 21:00:46 17408 ----a-w- c:\windows\system32\atitvo32.dll
2011-07-28 20:59:14 507904 ----a-w- c:\windows\system32\atiok3x2.dll
2011-07-28 20:55:02 876544 ----a-w- c:\windows\system32\ati2cqag.dll
2011-07-28 20:53:52 64512 ----a-w- c:\windows\system32\atimpc32.dll
2011-07-28 20:53:52 64512 ----a-w- c:\windows\system32\amdpcom32.dll
2011-07-28 20:53:18 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-07-15 13:29:35 457856 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 20:04:21 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200AAKS-00L9A0 rev.01.03E01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-10
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AE634D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ae697d0]; MOV EAX, [0x8ae6984c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AEB6AB8]
3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000076[0x8AEBC9E8]
5 ACPI[0xB7E66620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AF1DB00]
\Driver\atapi[0x8AF16F38] -> IRP_MJ_CREATE -> 0x8AE634D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AE6331B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 23:10:09.00 ===============
If i open task manager I see that one of my svchost.exe is running very high!
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Wut at 23:08:33 on 2011-09-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2444 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\McAfee Security Scan\2.1.121\SSScheduler.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CSHelper.exe
C:\Program Files\Dyyno\Dyyno Broadcaster\launcherd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Dyyno Launcher] "c:\program files\dyyno\dyyno broadcaster\dyyno_launcher.exe" 30100 30101 30102 30103 30104
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10v_Plugin.exe -update plugin
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [StartNowToolbarHelper] "c:\program files\startnow toolbar\ToolbarHelper.exe"
mRun: [!AVG Anti-Spyware] "c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe" /minimized
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gamers~1.lnk - c:\program files\gamersfirst\live!\Live.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.1.121\SSScheduler.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: Interfaces\{8A2FAEC1-E7D6-4AF2-A954-18DE8C48542D} : DhcpNameServer = 192.168.1.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\wut\application data\mozilla\firefox\profiles\znpdqnqv.default\
FF - prefs.js: browser.search.defaulturl - Bing
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - joystiq.com
FF - prefs.js: keyword.URL - hxxp://serp.freecause.com/?ourmark=3&sid=100275&q=
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npArtistScope42.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npArtistScopeDRM11.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\windows\system32\npOGPPlugin.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2007-5-30 11000]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2011-9-26 10872]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-5-28 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-5-28 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-5-28 269480]
R2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2007-5-30 312880]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-5-28 66616]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-2-19 22504]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2010-7-21 266240]
R2 Dyyno Launcher;Dyyno Service;c:\program files\dyyno\dyyno broadcaster\launcherd.exe [2011-5-18 415072]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-8-4 1361288]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-12-2 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-2 22216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-4-16 1684736]
S3 cpuz132;cpuz132;\??\c:\docume~1\jdawg\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\jdawg\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.1.121\McCHSvc.exe [2010-9-3 227232]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 vtany;vtany;\??\c:\windows\vtany.sys --> c:\windows\vtany.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 xhunter1;xhunter1;\??\c:\windows\xhunter1.sys --> c:\windows\xhunter1.sys [?]
S4 Updater Service for StartNow Toolbar;Updater Service for StartNow Toolbar;c:\program files\startnow toolbar\ToolbarUpdaterService.exe [2011-7-27 267488]
.
=============== Created Last 30 ================
.
2011-09-27 04:01:50 -------- d-----w- c:\documents and settings\wut\application data\Grisoft
2011-09-27 00:09:30 -------- d-----w- c:\program files\common files\ParetoLogic
2011-09-27 00:09:26 -------- d-----w- c:\program files\ParetoLogic
2011-09-27 00:09:26 -------- d-----w- c:\documents and settings\all users\application data\ParetoLogic
2011-09-26 23:20:00 10872 ----a-w- c:\windows\system32\drivers\AvgAsCln.sys
2011-09-26 23:19:59 -------- d-----w- c:\documents and settings\all users\application data\Grisoft
2011-09-18 03:35:18 -------- d-----w- c:\program files\The Free YouTube Downloader
2011-09-18 03:34:50 -------- d-----w- c:\program files\StartNow Toolbar
2011-09-17 16:16:44 -------- d-----w- c:\documents and settings\wut\application data\GetRightToGo
2011-09-14 03:32:48 -------- d-----w- c:\documents and settings\wut\riotsGamesLogs
2011-09-08 14:02:28 0 ----a-w- c:\documents and settings\wut\local settings\application data\tbpx.exe
2011-09-08 14:02:28 0 ----a-w- c:\documents and settings\wut\local settings\application data\rntq.exe
2011-09-08 14:02:28 0 ----a-w- c:\documents and settings\wut\local settings\application data\htod.exe
2011-09-08 14:02:28 0 ----a-w- c:\documents and settings\wut\local settings\application data\frcj.exe
2011-09-08 14:02:28 0 ----a-w- c:\documents and settings\all users\application data\tnan.exe
2011-09-08 14:02:28 0 ----a-w- c:\documents and settings\all users\application data\nwby.exe
2011-09-08 14:02:28 0 ----a-w- c:\documents and settings\all users\application data\mmpk.exe
2011-09-08 14:02:28 0 ----a-w- c:\documents and settings\all users\application data\joft.exe
.
==================== Find3M ====================
.
2011-09-17 19:45:13 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-09-17 19:45:13 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-09-13 22:56:57 141200 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-09-13 22:56:48 281656 -c--a-w- c:\windows\system32\PnkBstrB.xtr
2011-09-13 22:56:48 281656 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-09-09 09:11:14 599552 ----a-w- c:\windows\system32\crypt32.dll
2011-09-04 16:07:33 281656 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-15 22:56:24 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-28 22:49:12 53760 ----a-w- c:\windows\system32\OVDecode.dll
2011-07-28 22:48:36 13555712 ----a-w- c:\windows\system32\amdocl.dll
2011-07-28 22:20:10 7084544 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2011-07-28 22:17:42 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2011-07-28 22:01:36 57344 ----a-w- c:\windows\system32\aticalrt.dll
2011-07-28 22:01:30 53248 ----a-w- c:\windows\system32\aticalcl.dll
2011-07-28 21:57:54 5697536 ----a-w- c:\windows\system32\aticaldd.dll
2011-07-28 21:40:22 18440192 ----a-w- c:\windows\system32\atioglxx.dll
2011-07-28 21:34:58 3973696 ----a-w- c:\windows\system32\ati3duag.dll
2011-07-28 21:32:10 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-07-28 21:31:06 303104 ----a-w- c:\windows\system32\ati2dvag.dll
2011-07-28 21:27:30 956160 ----a-w- c:\windows\system32\ativvamv.dll
2011-07-28 21:15:32 3166208 ----a-w- c:\windows\system32\ativvaxx.dll
2011-07-28 21:14:02 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2011-07-28 21:13:50 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2011-07-28 21:13:40 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2011-07-28 21:13:34 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-07-28 21:13:20 188416 ----a-w- c:\windows\system32\ati2evxx.dll
2011-07-28 21:12:06 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2011-07-28 21:10:48 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2011-07-28 21:09:28 151552 ----a-w- c:\windows\system32\atiapfxx.exe
2011-07-28 21:05:36 704512 ----a-w- c:\windows\system32\atikvmag.dll
2011-07-28 21:01:08 208896 ----a-w- c:\windows\system32\atiadlxx.dll
2011-07-28 21:00:46 17408 ----a-w- c:\windows\system32\atitvo32.dll
2011-07-28 20:59:14 507904 ----a-w- c:\windows\system32\atiok3x2.dll
2011-07-28 20:55:02 876544 ----a-w- c:\windows\system32\ati2cqag.dll
2011-07-28 20:53:52 64512 ----a-w- c:\windows\system32\atimpc32.dll
2011-07-28 20:53:52 64512 ----a-w- c:\windows\system32\amdpcom32.dll
2011-07-28 20:53:18 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-07-15 13:29:35 457856 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 20:04:21 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200AAKS-00L9A0 rev.01.03E01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-10
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AE634D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ae697d0]; MOV EAX, [0x8ae6984c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AEB6AB8]
3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000076[0x8AEBC9E8]
5 ACPI[0xB7E66620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AF1DB00]
\Driver\atapi[0x8AF16F38] -> IRP_MJ_CREATE -> 0x8AE634D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AE6331B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 23:10:09.00 ===============