Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.

Your kind, knowledgeable assistance on scanned logs is required!

879 views 3 replies 2 participants last post by  CatByte 
#1 ·
To whomever can assist me in this matter.
I've had many an issue with my computer of late, most definitely have been affected by malware etc. I run Windows XP on my Acer netbook. Am not entirely sure what else is required. I have copied/pasted/attached the relevant logs below. Looking forward to your interpretation and analysis of it!! Many thanks!

Logfile of HijackThis v1.99.1
Scan saved at 08:55:51 PM, on 2011/01/08
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Acer\Acer VCM\RS_Service.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\windows\system32\wuaucldt.exe
C:\program files\real\realplayer\update\realsched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0209&m=aspire_one
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://uk.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe vryw.kco xtxiwm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.415.1646\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\Drivers\AzMixerSel.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [snp2uvc] rundll32.exe C:\WINDOWS\system32\csnp2uvc.dll,ResetCIDS
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Windows Firewall] C:\DOCUME~1\ACER\LOCALS~1\Temp\svchost.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [wuaucldt] c:\windows\system32\wuaucldt.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Services] C:\windows\system32\system.exe
O4 - HKCU\..\Run: [JDK5SWFMZY] C:\DOCUME~1\ACER\LOCALS~1\Temp\Nzd.exe
O4 - HKCU\..\Run: [wuaucldt] c:\documents and settings\acer\wuaucldt.exe
O4 - Global Startup: Acer VCM.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{01DE4D2A-1043-4694-8452-72AB0E685981}: NameServer = 196.43.34.190,196.43.46.190
O17 - HKLM\System\CS2\Services\Tcpip\..\{01DE4D2A-1043-4694-8452-72AB0E685981}: NameServer = 196.43.34.190,196.43.46.190
O17 - HKLM\System\CS3\Services\Tcpip\..\{01DE4D2A-1043-4694-8452-72AB0E685981}: NameServer = 196.43.34.190,196.43.46.190
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Winferno Subscription Service (qaca1ne7r3o5l) - Unknown owner - C:\WINDOWS\system32\sagujoussou.exe (file missing)
O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Program Files\Acer\Acer VCM\RS_Service.exe

DDS (Ver_10-12-12.02) - NTFSx86
Run by ACER at 17:48:17.84 on 2011/01/08
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.27.1033.18.1014.335 [GMT 2:00]

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Acer\Acer VCM\RS_Service.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\windows\system32\wuaucldt.exe
C:\program files\real\realplayer\update\realsched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ACER\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\taskmgr.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uSearch Page = hxxp://uk.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://uk.search.yahoo.com
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0209&m=aspire_one
mDefault_Page_URL = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
mDefault_Search_URL = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
mSearch Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
mWinlogon: Shell=Explorer.exe rundll32.exe vryw.kco xtxiwm
mWinlogon: Userinit=c:\windows\system32\userinit.exe
mWinlogon: Taskman=c:\documents and settings\acer\application data\nsvb.exe
uWinlogon: Shell=c:\documents and settings\acer\application data\juzjf.exe,explorer.exe,c:\documents and settings\acer\application data\nsvb.exe
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.415.1646\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Services] c:\windows\system32\system.exe
uRun: [JDK5SWFMZY] c:\docume~1\acer\locals~1\temp\Nzd.exe
uRun: [QNPlus]
uRun: [wuaucldt] c:\documents and settings\acer\wuaucldt.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [snp2uvc] rundll32.exe c:\windows\system32\csnp2uvc.dll,ResetCIDS
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Yahoo Messenger]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Windows Firewall] c:\docume~1\acer\locals~1\temp\svchost.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [wuaucldt] c:\windows\system32\wuaucldt.exe
mRun: [Regedit32] c:\windows\system32\regedit.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [<NO NAME>]
mExplorerRun: [<NO NAME>] 1 (0x1)
StartupFolder: c:\documents and settings\acer\start menu\programs\startup\703w0xt.exe
StartupFolder: c:\documents and settings\acer\start menu\programs\startup\kabg81sd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: {01DE4D2A-1043-4694-8452-72AB0E685981} = 196.43.34.190,196.43.46.190
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {67KLN5J0-4OPM-01WE-AAX2-5657QCA554112} - c:\sp\read\DRG.exe

============= SERVICES / DRIVERS ===============

R0 xltwzlpv;xltwzlpv;c:\windows\system32\drivers\xltwzlpv.sys [2010-7-14 40128]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-1-8 165584]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-16 214024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-1-8 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-8 40384]
R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-1-16 237568]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-8 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-8 40384]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-8 136176]
S2 owqtsh;gosnsmcz;c:\windows\system32\svchost.exe -k netsvcs [2009-1-16 14336]
S2 qaca1ne7r3o5l;Winferno Subscription Service;c:\windows\system32\sagujoussou.exe --> c:\windows\system32\sagujoussou.exe [?]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-16 79880]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-16 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-16 34216]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-16 40552]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-1-16 160256]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
SUnknown SSHNAS;SSHNAS; [x]

=============== Created Last 30 ================

2011-01-08 15:30:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-08 15:30:01 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-08 13:51:47 38848 ----a-w- c:\windows\avastSS.scr
2011-01-08 13:51:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2011-01-08 13:09:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-01-08 10:01:02 -------- d-----w- c:\docume~1\acer\locals~1\applic~1\Temp
2011-01-08 09:59:09 -------- d-----w- c:\docume~1\acer\locals~1\applic~1\Real
2011-01-08 09:58:28 -------- d-----w- c:\program files\common files\xing shared
2011-01-08 08:45:22 203776 --sh--r- c:\docume~1\acer\applic~1\nsvb.exe
2011-01-08 08:44:53 33280 ----a-w- c:\windows\system32\wuaucldt.exe
2011-01-08 08:44:53 33280 ----a-w- c:\documents and settings\acer\wuaucldt.exe

==================== Find3M ====================

2011-01-08 15:39:33 256 ----a-w- c:\windows\system32\pool.bin
2011-01-08 09:57:59 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-01-08 09:57:59 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-11-30 09:05:28 100352 --sh--r- c:\docume~1\acer\applic~1\juzjf.exe

============= FINISH: 17:55:19.04 ===============

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-08 20:39:31
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD16 rev.11.0
Running: hmusgehl.exe; Driver: C:\DOCUME~1\ACER\LOCALS~1\Temp\pgeyqfow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xA6BCFCF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xA6BCFBAC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xA6BD0160]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xA6BD008A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xA6BCF782]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xA6BCFC86]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xA6BCF6C2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xA6BCF726]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xA6BCFDA6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xA6BD022E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xA6BCFD66]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xA6BCFEE6]
SSDT 85B21E40 ZwTerminateProcess

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA6BDCBAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xA6BDC9D2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xA6BDCB0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ObInsertObject 8056DA64 5 Bytes JMP A6BD9FFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!NtCreateSection 8056DB66 7 Bytes JMP A6BDC9D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8059056D 7 Bytes JMP A6BDCBB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ZwLoadDriver 805AEDE2 7 Bytes JMP A6BDCB10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 805E74E6 5 Bytes JMP A6BD85D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text C:\WINDOWS\system32\drivers\xltwzlpv.sys section is writeable [0xF78CE000, 0x2F40, 0xEC000040]
.reloc C:\WINDOWS\system32\drivers\xltwzlpv.sys section is executable [0xF78D4E60, 0x1E60, 0xEE000040]
? C:\WINDOWS\system32\drivers\xltwzlpv.sys Access is denied.
? C:\DOCUME~1\ACER\LOCALS~1\Temp\cdfss The system cannot find the file specified. !
? C:\DOCUME~1\ACER\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\svchost.exe[208] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: DNSAPI.dllunknown module: gdiplus.dll
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[280] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\WINDOWS\System32\svchost.exe[1108] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes JMP 023B9DD2
.text C:\WINDOWS\System32\svchost.exe[1108] NETAPI32.dll!NetpwPathCanonicalize 5B86A3A9 5 Bytes JMP 023B9D72
.text C:\WINDOWS\system32\svchost.exe[1188] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes JMP 008C9DD2
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1508] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
? C:\WINDOWS\System32\svchost.exe[1696] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: DNSAPI.dllunknown module: gdiplus.dll
.text C:\program files\real\realplayer\update\realsched.exe[3092] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
? C:\WINDOWS\system32\svchost.exe[3176] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3876] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

---- Devices - GMER 1.0.15 ----

Device aswSP.SYS (avast! self protection module/AVAST Software)
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \FileSystem\RAW \Device\RawTape xltwzlpv.sys
Device \FileSystem\MRxDAV \Device\WebDavRedirector xltwzlpv.sys

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \FileSystem\RAW \Device\RawDisk xltwzlpv.sys
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver xltwzlpv.sys
Device xltwzlpv.sys
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device \FileSystem\RAW \Device\RawCdRom xltwzlpv.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer xltwzlpv.sys
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer xltwzlpv.sys
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer xltwzlpv.sys
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer xltwzlpv.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer xltwzlpv.sys

---- Threads - GMER 1.0.15 ----

Thread System [4:440] 85B21B60

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] owqtsh <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0011f60126cb (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0011f60126cb
Reg HKLM\SYSTEM\CurrentControlSet\Services\owqtsh@DisplayName gosnsmcz
Reg HKLM\SYSTEM\CurrentControlSet\Services\owqtsh@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\owqtsh@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\owqtsh@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\owqtsh@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\owqtsh@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\owqtsh@Description Acer VCM Raw Socket Service
Reg HKLM\SYSTEM\CurrentControlSet\Services\owqtsh\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\owqtsh\Parameters@ServiceDll C:\WINDOWS\system32\csobfk.dll
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0011f60126cb (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\owqtsh@DisplayName gosnsmcz
Reg HKLM\SYSTEM\ControlSet003\Services\owqtsh@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\owqtsh@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\owqtsh@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\owqtsh@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\owqtsh@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\owqtsh@Description Acer VCM Raw Socket Service
Reg HKLM\SYSTEM\ControlSet003\Services\owqtsh\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\owqtsh\Parameters@ServiceDll C:\WINDOWS\system32\csobfk.dll

---- EOF - GMER 1.0.15 ----

Thanks again! Good luck.. ;-)
 

Attachments

See less See more
#2 ·
Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
 
#4 ·
Please delete the copy of ComboFix that you have on your desktop, download a fresh copy, but rename it to iexplore before saving it,

if it still wont complete a run, try running it in safe mode:

To enter safe mode:

reboot > tap F8 repeatedly on boot up until an advanced option menu appears > arrow up to "safe mode with networking"

Post the resulting log

Note: Make certain you security programs are disabled or they will interfere.
 
Status
Not open for further replies.
You have insufficient privileges to reply here.
Top