Trouble with Removing something called PRAGMAxxxxxx

July 20, 2014 at 08:47:52
Specs: WINDOWS XP, 1.66 GHz 1Gb
I set out to help my neighbor with the computer he and his friends use together. It's something to do with a fishing organisation (doesn't really matter, but...). There were tons of "mess" files flying all over the place because of different user accounts etc., so I said I could take a look at it for him. It's been a month now, because there's one last (?) thing I CAN NOT GET RID OF, and it's a virus (I think) called PRAGMA followed by some random letters, PRAGMApqsdjfs, in my rootkit. I have used the ESET trial version to fix it, but it cannot be removed. I can't stop the service either; then my computer gets an error message and crashes. I have tried many programs: GMER finds it but doesn't remove it. Help?
List of programs I've tried:
ESET antivirus (trial version)
HitmanPro (have logfile)
TDSSKiller (have logfile)
Malwarebytes (have logfile)
MBAM (think I have a logfile) - just to mention some
HELP?



#1
July 20, 2014 at 16:48:14
Nice work so far John.

Step 1: Download & run Unhide
http://www.bleepingcomputer.com/for...
http://download.bleepingcomputer.co...
To run Unhide, simply download it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop, and then double-click on the Unhide icon. The program will open a black box and start making the files on your fixed disks visible again. Please note that this program will not unhide removable drives like flash cards and USB drives, as the FakeHDD rogues do not target these types of drives. Once it has finished, the program will display a Windows alert stating that your files have been restored. You should then reboot your computer for all of the settings to go into effect.
When Unhide is complete, it will create a logfile on the Windows Desktop called Unhide.txt.
Copy & Paste the contents of the log in your next post please. Let me know if it doesn't produce a log.

Step 2: Reboot

Step 3: Run Defogger & then Combofix.
http://majorgeeks.com/Defogger_d708...
http://www.bleepingcomputer.com/dow...
Please download DeFogger and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Once downloaded, double-click on the DeFogger icon to start the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.
This program can enable and disable CD emulation, often required in removing difficult malware. Some CD Emulation programs use a hidden driver that may be seen as a rootkit or that will interfere with the proper operation of the anti-rootkit scanner.
Download ComboFix onto your Desktop & then run it. If your default download location is not the Desktop, drag it out of its location onto the Desktop. Copy & Paste the contents of the log in your next post please. ComboFix's log should be located at C:\COMBOFIX.TXT.
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
http://www.winhelp.us/index.php/gen...
Manually restoring the Internet connection
http://www.bleepingcomputer.com/com...
There are circumstances where ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD), so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual.

If you think it's frozen, look at the computer clock.
If it's running, Combofix is still working.
NOTE: Do not mouseclick combofix's window while it is running. That may cause it to stall.
NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

**Please Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes.
If after running ComboFix you discover none of your programs will open and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your Desktop.
Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.



#2
July 25, 2014 at 03:23:30
Ok, small changes since last:

Deleted ESET and replaced it with AVAST because the trial version ended. AVAST alerts at startup about PRAGMAxxxxx (letters I can't remember) and suggests rebooting to scan at startup. This I have done 2-3 times; it takes forever and doesn't remove PRAGMAxxxx. Ran all your suggested programs:

Unhide provided NO LOG.

Defogger log:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 22:15 on 22/07/2014 (Kenneth`s nye)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-
(something went wrong?)

ComboFix log:

ComboFix 14-07-21.01 - Kenneth`s nye 22.07.2014 23:36:57.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.47.1044.18.1014.498 [GMT 2:00]
Running from: c:\documents and settings\Kenneth`s nye\Skrivebord\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: ESET NOD32 Antivirus 7.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Thumbs.db
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((((( Files Created From 2014-06-22 to 2014-07-22 )))))))))))))))))))))))))))))))))
.
.
2014-07-21 04:09 . 2014-07-21 04:09 -------- d-----w- c:\windows\jumpshot.com
2014-07-21 04:06 . 2014-07-21 04:06 57800 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2014-07-21 04:06 . 2014-07-21 04:06 192352 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-07-21 04:06 . 2014-07-21 04:08 414520 ----a-w- c:\windows\system32\drivers\aswsp.sys
2014-07-21 04:06 . 2014-07-21 04:06 779536 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2014-07-21 04:06 . 2014-07-21 04:06 67824 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-07-21 04:06 . 2014-07-21 04:06 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-07-21 04:06 . 2014-07-21 04:06 55112 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2014-07-21 04:06 . 2014-07-21 04:06 276432 ----a-w- c:\windows\system32\aswBoot.exe
2014-07-21 04:06 . 2014-07-21 04:06 43152 ----a-w- c:\windows\avastSS.scr
2014-07-21 03:58 . 2014-07-21 04:01 -------- d-----w- c:\documents and settings\All Users\Programdata\AVAST Software
2014-07-19 22:34 . 2014-07-21 03:05 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-07-19 22:33 . 2014-05-12 05:26 53208 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-07-19 22:33 . 2014-05-12 05:25 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-07-19 22:32 . 2014-07-19 22:33 -------- d-----w- c:\programfiler\Malwarebytes Anti-Malware
2014-07-19 22:02 . 2014-07-19 22:02 30976 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys
2014-07-19 20:58 . 2014-07-19 21:45 -------- d-----w- c:\documents and settings\All Users\Programdata\HitmanPro
2014-07-18 15:08 . 2014-07-18 15:06 861696 ----a-w- c:\windows\system32\drivers\mod7700.sys
2014-07-18 15:08 . 2014-07-18 15:06 28672 ----a-w- c:\windows\system32\drivers\usbccid.sys
2014-07-18 15:08 . 2014-07-18 15:06 11136 ----a-w- c:\windows\system32\drivers\ew_usbenumfilter.sys
2014-07-18 15:08 . 2014-07-18 15:06 96000 ----a-w- c:\windows\system32\drivers\ew_jucdcacm.sys
2014-07-18 15:08 . 2014-07-18 15:06 76544 ----a-w- c:\windows\system32\drivers\ew_jubusenum.sys
2014-07-18 15:08 . 2014-07-18 15:06 69760 ----a-w- c:\windows\system32\drivers\ew_jucdcecm.sys
2014-07-18 15:08 . 2014-07-18 15:06 27520 ----a-w- c:\windows\system32\drivers\ew_juextctrl.sys
2014-07-18 15:08 . 2014-07-18 15:06 102784 ----a-w- c:\windows\system32\drivers\ew_hwusbdev.sys
2014-07-18 15:08 . 2014-07-18 15:06 249472 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2014-07-18 15:08 . 2014-07-18 15:06 19200 ----a-w- c:\windows\system32\drivers\ew_hwupgrade.sys
2014-07-18 15:08 . 2014-07-18 15:06 25856 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2014-07-18 15:08 . 2014-07-18 15:06 199168 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2014-07-18 15:04 . 2014-07-18 15:10 -------- d-----w- c:\programfiler\Tele2 Mobile Partner
2014-07-18 14:26 . 2014-07-21 13:07 -------- d-----w- c:\programfiler\Unibet Poker
2014-07-18 11:14 . 2014-07-18 11:19 -------- d-----w- c:\documents and settings\All Users\Programdata\WinZip
2014-07-16 11:20 . 2014-07-16 11:20 -------- d-----w- c:\windows\system32\NtmsData
2014-07-13 17:23 . 2004-08-04 11:00 10129408 ----a-w- c:\windows\system32\dllcache\hwxkor.dll
2014-07-13 17:22 . 2004-08-04 11:00 10096640 ----a-w- c:\windows\system32\dllcache\hwxcht.dll
2014-07-13 16:58 . 2014-07-13 17:34 -------- d-----w- c:\documents and settings\Administrator\Lokale innstillinger\Programdata\Google
2014-07-13 16:57 . 2014-07-13 16:57 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2014-07-13 16:39 . 2001-10-06 12:02 7168 ----a-w- c:\windows\system32\dllcache\EXCH_snprfdll.dll
2014-07-13 16:39 . 2001-10-06 12:02 12288 ----a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2014-07-13 16:36 . 2001-10-06 12:02 26112 ----a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2014-07-13 16:36 . 2001-10-06 12:02 57856 ----a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2014-07-13 16:34 . 2001-10-06 12:02 23040 ----a-w- c:\windows\system32\dllcache\EXCH_regtrace.exe
2014-07-13 16:30 . 2001-10-06 12:02 123776 ----a-w- c:\windows\system32\dllcache\nv3.dll
2014-07-13 16:30 . 2001-10-06 12:02 38912 ----a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2014-07-13 16:30 . 2001-08-17 18:49 51552 ----a-w- c:\windows\system32\dllcache\ntgrip.sys
2014-07-13 16:30 . 2001-10-06 11:25 9344 ----a-w- c:\windows\system32\dllcache\ntapm.sys
2014-07-13 16:28 . 2001-08-17 18:50 33088 ----a-w- c:\windows\system32\dllcache\n9i128v2.sys
2014-07-13 16:28 . 2001-10-06 12:02 59104 ----a-w- c:\windows\system32\dllcache\n9i128v2.dll
2014-07-13 16:28 . 2001-08-17 18:50 13664 ----a-w- c:\windows\system32\dllcache\n9i128.sys
2014-07-13 16:28 . 2001-10-06 12:02 35392 ----a-w- c:\windows\system32\dllcache\n9i128.dll
2014-07-13 16:28 . 2001-10-06 11:43 128512 ----a-w- c:\windows\system32\dllcache\n100325.sys
2014-07-13 16:28 . 2001-10-06 11:43 52255 ----a-w- c:\windows\system32\dllcache\n1000nt5.sys
2014-07-13 16:28 . 2001-10-06 11:43 75776 ----a-w- c:\windows\system32\dllcache\mxport.sys
2014-07-13 16:28 . 2001-10-06 12:02 7168 ----a-w- c:\windows\system32\dllcache\mxport.dll
2014-07-13 16:28 . 2001-08-17 19:49 19968 ----a-w- c:\windows\system32\dllcache\mxnic.sys
2014-07-13 16:28 . 2001-10-06 12:02 19968 ----a-w- c:\windows\system32\dllcache\mxicfg.dll
2014-07-13 16:28 . 2001-10-06 11:43 22016 ----a-w- c:\windows\system32\dllcache\mxcard.sys
2014-07-13 16:28 . 2004-08-04 11:00 229439 ----a-w- c:\windows\system32\dllcache\multibox.dll
2014-07-13 16:28 . 2001-08-17 18:50 103296 ----a-w- c:\windows\system32\dllcache\mtxvideo.sys
2014-07-13 16:27 . 2008-04-13 18:39 5504 ----a-w- c:\windows\system32\dllcache\mstee.sys
2014-07-13 16:27 . 2008-04-13 18:46 49024 ----a-w- c:\windows\system32\dllcache\mstape.sys
2014-07-13 16:27 . 2001-08-17 19:48 12416 ----a-w- c:\windows\system32\dllcache\msriffwv.sys
2014-07-13 16:27 . 2001-08-17 20:00 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys
2014-07-13 16:27 . 2008-04-13 18:54 22016 ----a-w- c:\windows\system32\dllcache\msircomm.sys
2014-07-13 16:27 . 2004-08-04 11:00 98304 ----a-w- c:\windows\system32\dllcache\msir3jp.dll
2014-07-13 16:26 . 2001-08-17 20:02 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys
2014-07-13 16:26 . 2001-08-17 19:48 6016 ----a-w- c:\windows\system32\dllcache\msfsio.sys
2014-07-13 16:26 . 2008-04-13 18:46 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
2014-07-13 16:25 . 2008-04-13 18:46 15232 ----a-w- c:\windows\system32\dllcache\mpe.sys
2014-07-13 16:25 . 2001-08-17 19:57 16128 ----a-w- c:\windows\system32\dllcache\modemcsa.sys
2014-07-13 16:25 . 2001-08-17 19:52 6528 ----a-w- c:\windows\system32\dllcache\miniqic.sys
2014-07-13 16:25 . 2004-08-04 11:00 34816 ----a-w- c:\windows\system32\dllcache\migisol.exe
2014-07-13 16:25 . 2001-10-06 11:35 320384 ----a-w- c:\windows\system32\dllcache\mgaum.sys
2014-07-13 16:25 . 2004-08-04 11:00 92416 ----a-w- c:\windows\system32\dllcache\mga.sys
2014-07-13 16:25 . 2004-08-04 11:00 92032 ----a-w- c:\windows\system32\dllcache\mga.dll
2014-07-13 16:25 . 2001-10-06 12:02 235648 ----a-w- c:\windows\system32\dllcache\mgaud.dll
2014-07-13 16:25 . 2008-04-13 18:41 26112 ----a-w- c:\windows\system32\dllcache\memstpci.sys
2014-07-13 16:25 . 2001-10-06 12:01 47616 ----a-w- c:\windows\system32\dllcache\memgrp.dll
2014-07-13 16:23 . 2001-08-17 18:12 70730 ----a-w- c:\windows\system32\dllcache\lne100tx.sys
2014-07-13 16:22 . 2008-04-14 16:20 6144 ----a-w- c:\windows\system32\dllcache\kbd106.dll
2014-07-13 16:21 . 2004-08-04 11:00 471102 ----a-w- c:\windows\system32\dllcache\imskdic.dll
2014-07-13 16:20 . 2001-08-17 18:12 109085 ----a-w- c:\windows\system32\dllcache\ibmtrp.sys
2014-07-13 16:20 . 2001-08-17 18:12 100936 ----a-w- c:\windows\system32\dllcache\ibmtok.sys
2014-07-13 16:20 . 2001-10-06 12:00 9216 ----a-w- c:\windows\system32\dllcache\ibmsgnet.dll
2014-07-13 16:20 . 2001-08-17 18:11 28700 ----a-w- c:\windows\system32\dllcache\ibmexmp.sys
2014-07-13 16:20 . 2004-08-03 20:29 161020 ----a-w- c:\windows\system32\dllcache\i81xnt5.sys
2014-07-13 16:20 . 2008-04-14 16:22 702845 ----a-w- c:\windows\system32\dllcache\i81xdnt5.dll
2014-07-13 16:20 . 2001-08-17 18:49 58592 ----a-w- c:\windows\system32\dllcache\i740nt5.sys
2014-07-13 16:20 . 2001-10-06 12:02 353184 ----a-w- c:\windows\system32\dllcache\i740dnt5.dll
2014-07-13 16:18 . 2001-10-06 12:02 165888 ----a-w- c:\windows\system32\dllcache\hpgt53.dll
2014-07-13 16:17 . 2008-04-13 18:45 59136 ----a-w- c:\windows\system32\dllcache\gckernel.sys
2014-07-13 16:16 . 2001-08-17 18:13 27165 ----a-w- c:\windows\system32\dllcache\fetnd5.sys
2014-07-13 16:15 . 2001-08-17 18:19 40704 ----a-w- c:\windows\system32\dllcache\es1371mp.sys
2014-07-13 16:14 . 2001-08-17 18:12 19594 ----a-w- c:\windows\system32\dllcache\e100isa4.sys
2014-07-13 16:13 . 2001-10-06 12:02 31305 ----a-w- c:\windows\system32\dllcache\disrvpp.dll
2014-07-13 16:12 . 2001-10-06 11:42 117760 ----a-w- c:\windows\system32\dllcache\d100ib5.sys
2014-07-13 16:11 . 2001-10-06 11:35 20736 ----a-w- c:\windows\system32\dllcache\cmbp0wdm.sys
2014-07-13 16:10 . 2001-10-06 11:30 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys
2014-07-13 16:09 . 2001-10-06 12:02 102400 ----a-w- c:\windows\system32\dllcache\binlsvc.dll
2014-07-13 16:08 . 2001-08-17 19:49 26624 ----a-w- c:\windows\system32\dllcache\alifir.sys
2014-07-13 16:05 . 2004-08-04 11:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2014-07-13 16:05 . 2004-08-04 11:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2014-07-13 16:05 . 2004-08-04 11:00 171008 ----a-w- c:\windows\system32\dllcache\iisui.dll
2014-07-13 16:05 . 2004-08-04 11:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2014-07-13 16:05 . 2004-08-04 11:00 14848 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2014-07-13 16:05 . 2004-08-04 11:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2014-07-12 18:30 . 2014-07-12 18:30 -------- d-----w- c:\documents and settings\All Users\Programdata\Malwarebytes
2014-07-08 14:02 . 2014-07-19 12:41 -------- d-----w- c:\documents and settings\All Users\Programdata\SecTaskMan
2014-07-08 14:01 . 2014-07-08 14:01 -------- d-----w- c:\programfiler\Security Task Manager
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-07-21 04:06 . 2014-06-13 09:42 24184 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2014-07-18 15:06 . 2014-06-12 16:14 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2014-07-18 15:06 . 2014-06-12 16:14 1112288 ----a-w- c:\windows\system32\drivers\WdfCoInstaller01007.dll
2014-07-17 16:09 . 2014-06-12 22:54 29160 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-07-12 02:28 . 2013-04-12 21:54 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-07-12 02:28 . 2011-07-23 14:11 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-06-13 09:41 . 2014-06-13 09:42 776976 ----a-w- c:\windows\system32\drivers\aswsnx.sys.1402656569671
2014-06-13 09:41 . 2014-06-13 09:42 54832 ----a-w- c:\windows\system32\drivers\aswrdr.sys.1402656569671
2014-06-12 01:03 . 2014-06-12 01:03 411552 ----a-w- c:\windows\system32\drivers\mlgxzpfn.sys
2014-05-31 10:45 . 2014-05-31 10:45 776976 ----a-w- c:\windows\system32\drivers\aswsnx.sys.1401533209203
2014-05-31 10:45 . 2014-05-31 10:45 54832 ----a-w- c:\windows\system32\drivers\aswrdr.sys.1401533209203
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\programfiler\opera\program\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\programfiler\opera\program\plugins\ssldivx.dll
.
.
(((((((((((((((((((((((((((((((( Registry Startup Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-07-21 04:05 578240 ----a-w- c:\programfiler\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\programfiler\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kenneth`s nye^Start-meny^Programmer^Oppstart^MyPC Backup.lnk]
backup=c:\windows\pss\MyPC Backup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AvastUI.exe]
2014-07-21 04:05 4086432 ----a-w- c:\programfiler\AVAST Software\Avast\AvastUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCleaner Monitoring]
2014-06-24 14:27 4624152 ----a-w- c:\programfiler\CCleaner\CCleaner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLCCCATS]
2005-09-13 23:50 73728 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\dlcctime.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlccmon.exe]
2005-10-21 01:41 430080 ----a-w- c:\programfiler\Dell Photo AIO Printer 924\dlccmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
2014-02-24 14:26 5075104 ----a-w- c:\programfiler\ESET\ESET NOD32 Antivirus\egui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
2011-10-15 09:24 161336 ----a-w- c:\programfiler\Google\Google Updater\GoogleUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-14 19:17 49152 ----a-w- c:\programfiler\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 09:44 249856 ----a-w- c:\programfiler\Fellesfiler\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-12 14:16 1121792 ----a-w- c:\programfiler\McAfee\SpamKiller\MSKDetct.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 20:12 3872080 ----a-w- c:\programfiler\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-24 22:30 282624 ----a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-08-14 14:53 39408 ----a-w- c:\programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Telenor Online Start]
2006-11-30 12:51 178312 ----a-w- c:\programfiler\Telenor\Online Start\Telenor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NAV"=2 (0x2)
"helpsvc"=2 (0x2)
"Fax"=2 (0x2)
"wuauserv"=2 (0x2)
"WSearch"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Tele2 Mobile Partner. RunOuc"=2 (0x2)
"ImapiService"=3 (0x3)
"IJPLMSVC"=3 (0x3)
"gusvc"=2 (0x2)
"gupdatem"=3 (0x3)
"gupdate1ca1cef139d37f4"=2 (0x2)
"ekrn"=2 (0x2)
"MBAMService"=2 (0x2)
"MBAMScheduler"=2 (0x2)
"avast! Antivirus"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programfiler\\Telenor\\Online Start\\Telenor.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Programfiler\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Programfiler\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Programfiler\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Programfiler\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Programfiler\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Programfiler\\Messenger\\msmsgs.exe"=
"c:\\Programfiler\\ProPilkki2\\ProPilkki2.exe"=
"c:\\Programfiler\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Programfiler\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Documents and Settings\\Kenneth`s nye\\Programdata\\Spotify\\spotify.exe"=
"c:\\Programfiler\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Programfiler\\Tele2 Mobile Partner\\Tele2 Mobile Partner.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:Windows Remote Management
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [21.07.2014 06:06 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [21.07.2014 06:06 192352]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [21.07.2014 06:06 779536]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [21.07.2014 06:06 414520]
R1 NGS;Norman General Security Driver;c:\norman\NVC\BIN\ngs.sys [02.03.2009 21:23 22712]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [13.06.2014 11:42 24184]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [21.07.2014 06:06 67824]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [18.07.2014 17:08 76544]
S2 HWDeviceService.exe;HWDeviceService.exe;c:\documents and settings\All Users\Programdata\DatacardService\HWDeviceService.exe [14.03.2011 17:27 271712]
S3 AVFSFilter;AVFSFilter;c:\windows\system32\DRIVERS\avfsfilter.sys --> c:\windows\system32\DRIVERS\avfsfilter.sys [?]
S3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [07.10.2007 10:37 84608]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [18.07.2014 17:08 102784]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [18.07.2014 17:08 249472]
S3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [20.07.2014 00:02 30976]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [20.07.2014 00:33 23256]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [20.07.2014 00:34 110296]
S3 wtsmpadap;Sesam Virtual Adapter;c:\windows\system32\DRIVERS\wtsmpadap.sys --> c:\windows\system32\DRIVERS\wtsmpadap.sys [?]
S3 WtSmpFlt;Sesam Adapter;c:\windows\system32\DRIVERS\wtsmpflt.sys --> c:\windows\system32\DRIVERS\wtsmpflt.sys [?]
S4 ekrn;ESET Service;c:\programfiler\ESET\ESET NOD32 Antivirus\ekrn.exe [24.02.2014 16:27 1343408]
S4 MBAMScheduler;MBAMScheduler;c:\programfiler\Malwarebytes Anti-Malware\mbamscheduler.exe [20.07.2014 00:33 1809720]
S4 MBAMService;MBAMService;c:\programfiler\Malwarebytes Anti-Malware\mbamservice.exe [20.07.2014 00:33 860472]
S4 Tele2 Mobile Partner. RunOuc;Tele2 Mobile Partner. OUC;c:\programfiler\Tele2 Mobile Partner\UpdateDog\ouc.exe [18.07.2014 17:07 655744]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-07-17 20:23 1104200 ----a-w- c:\programfiler\Google\Chrome\Application\36.0.1985.125\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-07-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-12 02:28]
.
2014-07-22 c:\windows\Tasks\avast! Emergency Update.job
- c:\programfiler\AVAST Software\Avast\AvastEmUpdate.exe [2014-07-21 04:05]
.
2014-07-21 c:\windows\Tasks\Google Software Updater.job
- c:\programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-13 20:06]
.
2014-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programfiler\Google\Update\GoogleUpdate.exe [2009-08-14 14:54]
.
2014-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programfiler\Google\Update\GoogleUpdate.exe [2009-08-14 14:54]
.
2014-07-22 c:\windows\Tasks\User_Feed_Synchronization-{ADB8964F-12A0-45F9-B99C-A740C041B103}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://www.gooole.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 193.213.112.4 130.67.15.198 10.0.0.138
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-07-22 23:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3903325591-704371118-2821046096-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0d687747-ed29-4f98-ae2d-ea537ec4ea34}]
@Denied: (A 2) (Administrators)
@Denied: (A 2) (S-1-5-21-3903325591-704371118-2821046096-1009)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Flags"=dword:00000400
.
[HKEY_USERS\S-1-5-21-3903325591-704371118-2821046096-1009\Software\SecuROM\License information*]
"datasecu"=hex:64,ee,ea,52,9f,d6,a3,11,70,90,15,19,5a,1b,0e,aa,de,99,b6,f1,58,
84,0b,29,6e,49,e2,75,fe,b8,c9,f3,00,5f,06,df,23,c3,6d,2c,68,06,c5,2c,70,40,\
"rkeysecu"=hex:68,0f,bc,3d,cc,d8,be,5b,47,2d,ac,0f,f2,14,7d,41
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Tidspunkt ferdig: 2014-07-22 23:59:26
ComboFix-quarantined-files.txt 2014-07-22 21:59
ComboFix2.txt 2014-07-21 21:52
.
Pre-Run: 24 315 797 504 byte ledig
Post-Run: 24 295 067 648 byte ledig
.
WindowsXP-KB310994-SP2-Pro-BootDisk-NOR.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 53CA60415935E04B134E1AF6129509F5
DEA9E81F0228B68C9ADAF84C9B0CF931

THANK YOU so much for your help so far! btw this is well over my head ;)



#3
July 25, 2014 at 04:38:32
"Unhide provided NO LOG."
Thank you.

"(something went wrong?)"
No.

"THANK YOU so much for your help so far! btw this is well over my head"
2 heads are better than one. I now have to work out a way to outsmart the infection.
As we dismantle the infection bit by bit, that may allow the repeat use of programs, which may in turn pick up more.
Removal of infected parts of the system may cause other parts to stop working, such as your Internet connection or Services. These we then have to repair.

If any program won't run ( due to the infection ) let me know.

What is the Language please?




#4
July 25, 2014 at 05:07:05
Please download Rkill from any one of these links and save it to your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop. Copy & Paste the contents of the log in your reply.
http://www.bleepingcomputer.com/dow...
Double click on Rkill to run it. If the first one doesn't work try the next one.
This will help remove certain processes and should restore any file associations and your desktop. Note: Your system is still infected as Rkill does not delete files - it merely helps to temporarily disable the infections, allowing us to start the cleansing process.
Do NOT reboot your machine. Each time you reboot, Rkill is disabled and you would have to run it again in order for it to be effective.

Run RogueKiller
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://tigzy.geekstogo.com/roguekil...
http://www.sur-la-toile.com/RogueKi...
User Guide
http://www.adlice.com/softwares/rog...
Official tutorial
http://www.adlice.com/softwares/rog...
If RogueKiller won't run, open IE & turn off SmartScreen Filter.
http://windows.microsoft.com/en-AU/...
Download & SAVE to your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Quit all programs that you may have started.
Shutdown your antivirus to avoid any conflicts.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7/8, right-click and select "Run as Administrator" to start

For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
Click on "delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and Copy & Paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop.
Exit/Close RogueKiller.
When completed make sure to re-enable your antivirus.



#5
July 27, 2014 at 04:30:08
My language is Norwegian, but I have changed it to English, assuming you might have trouble understanding some of the filenames and pathnames. (?) But that doesn't change the filenames which are already there? If so, is there any way to change all filenames from Norwegian into English? (still assuming that is the reason.)

All programs seem to be running nicely so far.

Log for RKiller:

RogueKiller V9.2.3.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/rog...
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Kenneth`s nye [Admin rights]
Mode : Remove -- Date : 07/27/2014 13:04:15

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme -> NOT SELECTED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme -> NOT SELECTED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\catchme -> NOT SELECTED
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> NOT SELECTED
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3903325591-704371118-2821046096-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2 -> NOT SELECTED
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> NOT SELECTED

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 1 (Driver: LOADED) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\redbook @ Unknown (\SystemRoot\system32\DRIVERS\redbook.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS541080G9SA00 +++++
--- User ---
[MBR] 194c013545b7c4404d8c30a4a221caa1
[BSP] b427b7f2b2e04b7fa14960c99804dbf7 : Dell MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 160650 | Size: 71712 MB
2 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 147042945 | Size: 3074 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_06132014_010701.log - RKreport_DEL_06132014_011039.log - RKreport_DEL_07172014_182005.log - RKreport_DEL_07172014_182627.log
RKreport_SCN_06132014_010634.log - RKreport_SCN_06132014_011022.log - RKreport_SCN_07172014_181727.log - RKreport_SCN_07172014_182532.log
RKreport_SCN_07272014_130145.log



#6
July 27, 2014 at 04:35:19
Stay online please John.


#7
July 27, 2014 at 04:37:52
All that NOT SELECTED stuff means you didn't select everything & delete.

New log please.

message edited by Johnw



#8
July 27, 2014 at 04:49:31
"If so, is there any way to change all filenames from Norwegian into english?"
Yes.
Originally Google identified it as Haitian Creole.
I've managed so far, just slowed me down a bit.

Now I know it's Norwegian, I told google to convert it to English & I got a perfect result.
https://translate.google.com/#no/en/

I am here.
http://www.timeanddate.com/worldclo...

message edited by Johnw



#9
July 28, 2014 at 12:33:12
Yes, I realized my mistake about RKiller just about 5 min ago! OK, sending new log.

I'm having trouble with my internet connection, nothing wrong, just a bad ISP. Just so you know...

I also just found out about the translation thing on Google too, so maybe not so many typing mistakes now.

YOU: Please disconnect any USB or external drives from the computer before you run this scan!

= Then I'll have no internet, it's a USB wireless thing. I'll still run the scan, shutting down the virus program only. If that doesn't work it may take a while until my next reply, because I'll have to unplug the USB internet, then scan again and make a new log without the USB. OK, the rabbit hole goes deeper and deeper.... AND I lost my internet connection again... have to update RKiller, please stand by while I'm trying to get a signal over here... posting RKiller log in next reply. Hopefully.. ahhh, I'm getting tired ;)



#10
July 28, 2014 at 13:53:52
RKiller log


RogueKiller V9.2.4.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/rog...
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Kenneth`s nye [Admin rights]
Mode : Remove -- Date : 07/28/2014 21:55:16

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 10 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 212.247.156.66 212.247.156.70 -> REPLACED ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 212.247.156.66 212.247.156.70 -> REPLACED ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D86BDD5C-432B-4BA4-A2B5-350EA19AC0F9} | DhcpNameServer : 212.247.156.66 212.247.156.70 -> REPLACED ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{D86BDD5C-432B-4BA4-A2B5-350EA19AC0F9} | DhcpNameServer : 212.247.156.66 212.247.156.70 -> REPLACED ()
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3903325591-704371118-2821046096-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2 -> REPLACED (1)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3903325591-704371118-2821046096-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2 -> REPLACED (1)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3903325591-704371118-2821046096-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 2 -> REPLACED (1)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3903325591-704371118-2821046096-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 2 -> REPLACED (1)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3903325591-704371118-2821046096-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 2 -> REPLACED (1)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3903325591-704371118-2821046096-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2 -> REPLACED (1)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 1 (Driver: LOADED) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\redbook @ Unknown (\SystemRoot\system32\DRIVERS\redbook.sys)

¤¤¤ Web browsers : 2 ¤¤¤
[CHROME:Addon] Default : Angry Birds [aknpkdffaafgjchaibgeefbgmgeghloj] -> DELETED
[CHROME:Addon] Default : Battle Pirates [ijbdndngabldcpdkmeiikfdkdfglpfab] -> ERROR [2]

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS541080G9SA00 +++++
--- User ---
[MBR] 194c013545b7c4404d8c30a4a221caa1
[BSP] b427b7f2b2e04b7fa14960c99804dbf7 : Dell MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 160650 | Size: 71712 MB
2 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 147042945 | Size: 3074 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: HUAWEI SD Storage USB Device +++++
Error reading User MBR! ([15] Enheten er ikke klar. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Forespørselen støttes ikke. )


============================================
RKreport_DEL_06132014_010701.log - RKreport_DEL_06132014_011039.log - RKreport_DEL_07172014_182005.log - RKreport_DEL_07172014_182627.log
RKreport_DEL_07272014_130415.log - RKreport_DEL_07282014_073412.log - RKreport_DEL_07282014_181940.log - RKreport_DEL_07282014_182711.log
RKreport_DEL_07282014_190728.log - RKreport_SCN_06132014_010634.log - RKreport_SCN_06132014_011022.log - RKreport_SCN_07172014_181727.log
RKreport_SCN_07172014_182532.log - RKreport_SCN_07272014_130145.log - RKreport_SCN_07282014_023505.log - RKreport_SCN_07282014_180502.log
RKreport_SCN_07282014_182440.log - RKreport_SCN_07282014_183338.log - RKreport_SCN_07282014_215225.log



#11
July 28, 2014 at 14:02:17
That's better.

Please download PragmaFix.exe and save it to your desktop.
http://noahdfear.net/downloads/Prag...
Double click PragmaFix.exe a log file will open, copy and paste the log into your next reply.



#12
July 30, 2014 at 09:18:27
OK, I'm having trouble downloading because of my poor internet signal. I'll post it as soon as it's done. THANK YOU for your patience and help. Really...


#13
August 4, 2014 at 01:59:44
Still unable to run the PragmaFix properly. Even though I now have a stable internet connection it still won't run. It says I need an internet connection. Should I retrace the steps above and run all programs again? Starting with Unhide, DeFogger and so on? Or try something else? Should I try to re-download PragmaFix? I'm stuck...

(BTW, I'm in Norway, on the other side of the planet! :)... )

http://www.timeanddate.com/weather/...

message edited by JohnG.Jensen



#14
August 4, 2014 at 03:13:07
Run Rkill & try GMER again.
Is PRAGMAxxxxxx gone?


#15
August 7, 2014 at 07:00:43
Ran Rkill, found some PUPs, removed them. (No log this time, simply forgot.)

But running GMER resulted in Pragma found AND some new stuff, but during the scan my computer went into a bluescreen with an error message. I have now forgotten what it said (I'll have to start writing things down!). Made a memory dump, and had to restart the computer.

Trying one more time... brb



#16
August 7, 2014 at 08:00:45
Ok here we go:

Rkiller log:

RogueKiller V9.2.6.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/rog...
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Kenneth`s nye [Admin rights]
Mode : Remove -- Date : 08/07/2014 16:12:27

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 193.213.112.4 130.67.15.198 10.0.0.138 -> REPLACED ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 193.213.112.4 130.67.15.198 10.0.0.138 -> REPLACED ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters | DhcpNameServer : 193.213.112.4 130.67.15.198 10.0.0.138 -> REPLACED ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{266B5F4B-7638-471B-B0A9-2DCA8DB4B494} | DhcpNameServer : 193.213.112.4 130.67.15.198 10.0.0.138 -> REPLACED ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{266B5F4B-7638-471B-B0A9-2DCA8DB4B494} | DhcpNameServer : 193.213.112.4 130.67.15.198 10.0.0.138 -> REPLACED ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{266B5F4B-7638-471B-B0A9-2DCA8DB4B494} | DhcpNameServer : 193.213.112.4 130.67.15.198 10.0.0.138 -> REPLACED ()

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 1 (Driver: LOADED) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\redbook @ Unknown (\SystemRoot\system32\DRIVERS\redbook.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS541080G9SA00 +++++
--- User ---
[MBR] 194c013545b7c4404d8c30a4a221caa1
[BSP] b427b7f2b2e04b7fa14960c99804dbf7 : Dell MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 160650 | Size: 71712 MB
2 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 147042945 | Size: 3074 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_06132014_010701.log - RKreport_DEL_06132014_011039.log - RKreport_DEL_07172014_182005.log - RKreport_DEL_07172014_182627.log
RKreport_DEL_07272014_130415.log - RKreport_DEL_07282014_073412.log - RKreport_DEL_07282014_181940.log - RKreport_DEL_07282014_182711.log
RKreport_DEL_07282014_190728.log - RKreport_DEL_07282014_215516.log - RKreport_DEL_08042014_125638.log - RKreport_DEL_08042014_144454.log
RKreport_DEL_08072014_153317.log - RKreport_SCN_06132014_010634.log - RKreport_SCN_06132014_011022.log - RKreport_SCN_07172014_181727.log
RKreport_SCN_07172014_182532.log - RKreport_SCN_07272014_130145.log - RKreport_SCN_07282014_023505.log - RKreport_SCN_07282014_180502.log
RKreport_SCN_07282014_182440.log - RKreport_SCN_07282014_183338.log - RKreport_SCN_07282014_215225.log - RKreport_SCN_08042014_124506.log
RKreport_SCN_08042014_132851.log - RKreport_SCN_08042014_145136.log - RKreport_SCN_08072014_152530.log - RKreport_SCN_08072014_161142.log

GMER log:

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-08-07 16:53:56
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS541080G9SA00 rev.MB4OC60R 73.13GB
Running: q7exv0kh.exe; Driver: C:\DOCUME~1\KENNET~2\LOKALE~1\Temp\uxtdypow.sys


---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xAA202BA6] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xAA203684] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xAA247D80] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xAA20F6F8] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xAA20F744] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xAA20F8DE] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xAA247734] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xAA20F666] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xAA20F788] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xAA20F6AE] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xAA203BBA] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xAA20F898] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xAA204472] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xAA202C0C] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xAA248446] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xAA2486FC] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xAA207C68] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xAA2482B1] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xAA24811C] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xAA2027F8] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xAA450ED0] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xAA202C72] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xAA20805E] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xAA204F5A] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xAA20F722] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xAA20F766] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xAA20F902] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xAA247A90] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xAA20F68C] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xAA207560] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xAA20F816] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xAA20F6D6] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xAA20794C] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xAA20F8BC] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xAA450C6E] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xAA247F97] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xAA204DCE] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xAA247DE9] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xAA204924] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xAA45EE1A] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xAA246D77] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xAA202CD8] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xAA202D3E] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xAA2042EC] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xAA202892] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xAA202A64] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xAA24854D] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xAA2029F2] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xAA20463C] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xAA20479E] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xAA202AEC] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xAA20412A] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xAA2042CC] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xAA202DA4] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xAA2036E0] <-- ROOTKIT !!!

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2F4C 80504834 4 Bytes [E9, 7D, 24, AA]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 805048BC 12 Bytes [D8, 2C, 20, AA, 3E, 2D, 20, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [3C, 46, 20, AA, 9E, 47, 20, ...] {CMP AL, 0x46; AND [EDX-0x55dfb862], CH; IN AL, DX; SUB AH, [EAX]; STOSB }
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64DC 4 Bytes CALL AA20562B \SystemRoot\system32\drivers\aswSnx.sys

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\svchost.exe[180] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Documents and Settings\All Users\Programdata\DatacardService\HWDeviceService.exe[204] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Documents and Settings\All Users\Programdata\DatacardService\HWDeviceService.exe[204] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE[240] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE[240] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[320] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[320] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[416] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Programfiler\Google\Update\1.3.24.15\GoogleCrashHandler.exe[496] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Programfiler\Google\Update\1.3.24.15\GoogleCrashHandler.exe[496] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[544] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\System32\smss.exe[632] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[684] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[684] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[708] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[708] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[752] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[788] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[956] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1028] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1068] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1204] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1204] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1244] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Programfiler\AVAST Software\Avast\AvastSvc.exe[1468] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Programfiler\AVAST Software\Avast\AvastSvc.exe[1468] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text C:\Programfiler\AVAST Software\Avast\AvastSvc.exe[1468] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[1552] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[1552] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\System32\SCardSvr.exe[1596] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\SCardSvr.exe[1596] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[2000] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[2044] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[2044] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\hkcmd.exe[2444] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\hkcmd.exe[2444] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\igfxpers.exe[2524] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\igfxpers.exe[2524] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Programfiler\AVAST Software\Avast\AvastUI.exe[2664] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Programfiler\AVAST Software\Avast\AvastUI.exe[2664] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text C:\Programfiler\AVAST Software\Avast\AvastUI.exe[2664] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2716] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2716] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\igfxsrvc.exe[2788] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\igfxsrvc.exe[2788] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[2936] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[2936] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[3232] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[3232] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\Documents and Settings\Kenneth`s nye\Skrivebord\q7exv0kh.exe[3508] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Documents and Settings\Kenneth`s nye\Skrivebord\q7exv0kh.exe[3508] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[3576] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[3576] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[3968] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[3968] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[4080] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[4080] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\WINDOWS\system32\services.exe[752] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[752] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 2.1 ----

Device Ntfs.sys
Device Fastfat.SYS

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys

---- Services - GMER 2.1 ----

Service (*** hidden *** ) PRAGMArcjpncyfux <-- ROOTKIT !!!

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMArcjpncyfux (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMArcjpncyfux
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMArcjpncyfux
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMArcjpncyfux (not active ControlSet)
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@ C:\Programfiler\Fellesfiler\Microsoft Shared\Information Retrieval\ITIRCL52.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@InprocServer32 6r=^Vn-}f(ZXfeAR6.jiTranslationFiles_1031>BbxH8x=!g(3?!!!_GX=b?
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@ThreadingModel both
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\ProgID@ ITIR.DefaultCharMap.5.2
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ mscoree.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32\1.1.4322
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32\1.1.4322@ImplementedInThisVersion
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32\1.1.4322@ 1.1.4322
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\ProgID@ SymWriter.pdb
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\Server@ diasymreader.dll

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----

There is something out there, and it ain't no man! (Predator movie with Arnold S... a joke!)

BTW, I see the warning about rebook.sys from RKiller, but I have ignored it since I couldn't find a new .sys file to replace it with.



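The GMER log above is the key evidence in this thread: a service GMER cannot see through the normal API (the "*** hidden ***" entry), the same name present as a key in the current control set and in the two non-active ControlSet00N copies, a third-party TDI filter attached to the TCP/IP stack, and "unknown MBR code" on the boot disk. Reading those sections by hand is tedious, so here is a small triage script, added as an example and not part of the original post or of GMER itself, that splits a GMER 2.1 log into its sections and pulls those findings out. The sample log embedded in it is a constructed, trimmed copy of the excerpt posted above (the service name and driver names are the ones in the log; nothing else about the machine is assumed).

```python
"""Triage a GMER 2.1 text log: hidden services, the registry keys that back
them across control sets, TDI/driver attachments and MBR findings.
Added example; the log below is a constructed excerpt of the one in the post."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Section headers look like: ---- Services - GMER 2.1 ----
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# Services GMER could not enumerate through the Service Control Manager.
HIDDEN_SVC_RE = re.compile(r"^Service \(\*\*\* hidden \*\*\* \) (\S+)")
# Service keys under HKLM\SYSTEM; group 2 = control set, 3 = service name, 4 = trailer.
SVC_KEY_RE = re.compile(
    r"^Reg (HKLM\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\\s@]+))(.*)$"
)

SAMPLE_LOG = r"""
---- Devices - GMER 2.1 ----

Device Ntfs.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys

---- Services - GMER 2.1 ----

Service (*** hidden *** ) PRAGMArcjpncyfux <-- ROOTKIT !!!

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMArcjpncyfux (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMArcjpncyfux
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMArcjpncyfux
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMArcjpncyfux (not active ControlSet)
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ mscoree.dll

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----
""".lstrip("\n")


@dataclass
class GmerTriage:
    hidden_services: list[str] = field(default_factory=list)
    # service name -> {control set name: True if it is the active set}
    service_keys: dict[str, dict[str, bool]] = field(default_factory=dict)
    attached_devices: list[tuple[str, str]] = field(default_factory=list)  # (device, driver)
    unknown_mbr: bool = False


def split_sections(text: str) -> dict[str, list[str]]:
    """Group non-empty log lines under the GMER section header they follow."""
    sections: dict[str, list[str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and line:
            sections[current].append(line)
    return sections


def parse_gmer(text: str) -> GmerTriage:
    t = GmerTriage()
    sections = split_sections(text)
    for line in sections.get("Services", []):
        m = HIDDEN_SVC_RE.match(line)
        if m and m.group(1) not in t.hidden_services:
            t.hidden_services.append(m.group(1))
    for line in sections.get("Registry", []):
        m = SVC_KEY_RE.match(line)
        if m:  # duplicate lines (as in the posted log) collapse into the dict
            control_set, name, trailer = m.group(2), m.group(3), m.group(4)
            t.service_keys.setdefault(name, {})[control_set] = "(not active ControlSet)" not in trailer
    for line in sections.get("Devices", []):
        parts = line.split()
        if parts and parts[0] == "AttachedDevice" and len(parts) >= 4:
            t.attached_devices.append((parts[2], parts[3]))
    for line in sections.get("Disk sectors", []):
        if line.startswith("Disk ") and "unknown MBR code" in line:
            t.unknown_mbr = True
    return t


def summarize(t: GmerTriage) -> list[str]:
    """One human-readable note per finding a responder should act on."""
    notes = []
    for svc in t.hidden_services:
        keys = t.service_keys.get(svc, {})
        persistent = any(keys.values())
        notes.append(
            f"hidden service {svc}: keys in {sorted(keys)}; "
            + ("present in the active ControlSet, survives reboot" if persistent
               else "no key in the active ControlSet")
        )
    for device, driver in t.attached_devices:
        notes.append(f"filter {driver} attached to {device}: confirm it belongs to an installed product")
    if t.unknown_mbr:
        notes.append("MBR code not recognised: inspect/restore the boot sector before trusting this disk")
    return notes


if __name__ == "__main__":
    for note in summarize(parse_gmer(SAMPLE_LOG)):
        print(note)
```

Two things the summary makes explicit that are easy to miss in the raw log: the service key exists in the active control set, so a normal reboot (or "Last Known Good", which just points CurrentControlSet at one of the other ControlSet00N copies that also carry the key) will not shed it; and an attached TDI filter is reported whether it is malicious or not, so check that aswTdi.sys matches an installed product before treating it as a finding.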

#17
August 7, 2014 at 08:13:15
Just a thought:

This computer shares internet with my neighbor's family of two parents and their two kids. I'm pretty sure that security is not on their A-list of things to do, and the kids are most likely all over the internet. Could this be related to MY problems with this computer in any way? Is there a way to isolate this one from the rest of the shared wireless router, or does it not matter at all? I don't know much about routers and IP addresses and so on.



#18
August 7, 2014 at 14:31:35
"List of programs i've tried:
Malwarebytes have logfile"

Did you check/tick the rootkit finder?

If you ran Malwarebytes (MBAM) without checking rootkits, run it again and post the log.
Here are the instructions.

Update and run Malwarebytes' Anti-Malware (MBAM) Free Version. Use Quick Scan (now called Threat Scan).
Click the Settings tab at the top, then in the left column select Detection and Protection, and, if it is not already checked, place a checkmark in the selection box to Scan for rootkits.
http://i.imgur.com/dZgt1g2.gif




#19
August 7, 2014 at 14:46:09
"This computer shares internet with my neighbor"
shared router security
http://is.gd/Hb6KKZ


#20
August 7, 2014 at 15:01:45
"BTW i see the warning about rebook.sys from RKiller"
Do you mean redbook?


#21
August 18, 2014 at 08:42:06
Yes, I mean redbook.sys. I checked it out on Google, and it could be trouble, but it was mentioned that FIFA uses it, and he has FIFA (football/soccer game) installed, so I chose to ignore it. Ran MBAM WITH rootkit scan and found nothing... still working on the shared router idea...

Side question: at Windows startup, sound is "laggy" or somewhat disturbed, as if something is loading while sound is being played, which makes it sound... ehhh... weird and crackly. I also noticed it on my own computer (which does not have PRAGMA or any other virus). Is this simply due to low CPU and RAM capability? No need to put a lot of effort into answering this question, unless it's a clue to my real problem.

Again thanks so far! :)

