BleepingComputer.com: Infected with Google Redirect, Audio Ads, Browser Script Popups

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

Infected with Google Redirect, Audio Ads, Browser Script Popups Tried Avira and MalwareBytes to no avail.

#1 User is offline   ChrisPowers 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 10-April 11

Posted 11 April 2011 - 08:38 AM

The title pretty much sums it up. My machine is basically infected with some kind of rootkit virus, I believe, the major symptoms of which are that browser search result links are redirected to bull$#!t sites, horribly annoying audio ads play at random, and frequent pop-ups appear alerting me that a script from some random site has stopped responding and asking if I would like to continue to allow it to run.

I have Avira installed, which didn't prevent or remove it. I downloaded and ran MalwareBytes free version, which didn't remove it either. I then ignorantly followed the advice from another site which linked to ComboFix as if it were a virus scanning tool, at which point I ran it, rebooted, and when that didn't work, found BleepingComputer and followed the instructions on how to proceed properly there.

Thank you in advance for any help you can provide. My DDS and GMER logs follow:

.
DDS (Ver_11-03-05.01) - NTFSx86  
Run by ChrisPowers at 23:50:29.29 on Sun 04/10/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2048.1414 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxebcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Lexmark Pro200-S500 Series\lxebmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ChrisPowers\Desktop\BleepingComputer\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - 
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - 
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [Run StartupMonitor] StartupMonitor.exe
mRun: [SysTray] systray.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [lxebmon.exe] "c:\program files\lexmark pro200-s500 series\lxebmon.exe"
mRun: [Jet Detection] "c:\program files\creative\sblive\program\ADGJDet.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: 2o7.net
Trusted Zone: gap.com
Trusted Zone: google.com\maps
Trusted Zone: naaf.com\www
Trusted Zone: onlinecreditcenter6.com
Trusted Zone: pharmacyescrow.com\www
Trusted Zone: t-nation.com\www
Trusted Zone: testosterone.net\www
Trusted Zone: tmuscle.com\tnation
Trusted Zone: tmuscle.com\www
Trusted Zone: trendmicro.com\housecall65
DPF: RaptisoftGameLoader - hxxp://www.raptisoft.com/webgames/raptisoftgameloader.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15026/CTSUEng.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162847448280
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38179.3680555556
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} - hxxps://www-307.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15028/CTPID.cab
TCP: {294E266F-24AD-4594-9C6A-9C33D3F97DDD} = 208.67.220.220,208.67.222.222 
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\chrisp~1\applic~1\mozilla\firefox\profiles\4ztaukox.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8118
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 8118
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\chrispowers\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
FF - Ext: QuickJava: {E6C1199F-E687-42da-8C24-E7770CC3AE66} - %profile%\extensions\{E6C1199F-E687-42da-8C24-E7770CC3AE66}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-30 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-30 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-30 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-30 61960]
R2 lxeb_device;lxeb_device;c:\windows\system32\lxebcoms.exe -service --> c:\windows\system32\lxebcoms.exe -service [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-11 24652]
S1 c2scsi;c2scsi; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 lxebCATSCustConnectService;lxebCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxebserv.exe [2011-2-8 193192]
S2 PEVSystemStart;PEVSystemStart;c:\combofix\PEV.cfxxe [2011-4-10 256512]
S3 cpuz130;cpuz130;\??\c:\docume~1\chrisp~1\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\chrisp~1\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 FLASHSYS;FLASHSYS;\??\c:\program files\msi\live update 4\lu4\flashsys.sys --> c:\program files\msi\live update 4\lu4\FLASHSYS.sys [?]
S3 vmaudioflt;vmaudioflt;c:\windows\system32\drivers\vmaudioflt.sys --> c:\windows\system32\drivers\vmaudioflt.sys [?]
S3 vmaudioflt_spkout;vmaudioflt_spkout;c:\windows\system32\drivers\vmaudioflt_spkout.sys --> c:\windows\system32\drivers\vmaudioflt_spkout.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [2001-1-2 19677]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2006-10-13 50048]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]
.
=============== Created Last 30 ================
.
2011-04-11 03:30:03	--------	d-s---w-	C:\ComboFix
2011-04-11 02:18:42	--------	d-sha-r-	C:\cmdcons
2011-04-11 02:13:41	98816	----a-w-	c:\windows\sed.exe
2011-04-11 02:13:41	89088	----a-w-	c:\windows\MBR.exe
2011-04-11 02:13:41	256512	----a-w-	c:\windows\PEV.exe
2011-04-11 02:13:41	161792	----a-w-	c:\windows\SWREG.exe
2011-04-08 17:53:26	--------	d-----w-	c:\docume~1\chrisp~1\applic~1\Malwarebytes
2011-04-08 17:52:37	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-08 17:52:37	--------	d-----w-	c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-08 17:52:33	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-03-16 20:05:22	--------	d-----w-	c:\docume~1\alluse~1\applic~1\Lexmark Pro200-S500 Series
.
==================== Find3M  ====================
.
2011-03-07 18:13:05	118104	----a-w-	c:\windows\dxsdkuninst.exe
2011-03-04 19:44:14	133616	------w-	c:\windows\system32\pxafs.dll
2011-02-16 20:40:29	249856	------w-	c:\windows\Setup1.exe
2011-02-16 20:40:28	73216	----a-w-	c:\windows\ST6UNST.EXE
2011-02-09 13:53:52	270848	----a-w-	c:\windows\system32\sbe.dll
2011-02-09 13:53:52	186880	----a-w-	c:\windows\system32\encdec.dll
2011-02-02 07:58:35	2067456	----a-w-	c:\windows\system32\mstscax.dll
2011-01-27 11:57:06	677888	----a-w-	c:\windows\system32\mstsc.exe
2011-01-21 14:44:37	439296	----a-w-	c:\windows\system32\shimgvw.dll
2006-05-03 09:06:54	163328	--sh--r-	c:\windows\system32\flvDX.dll
2007-02-21 10:47:16	31232	--sh--r-	c:\windows\system32\msfDX.dll
2008-03-16 12:30:52	216064	--sh--r-	c:\windows\system32\nbDX.dll
.
============= FINISH: 23:52:47.07 ===============

Attached File(s)

  • Attached File  Attach.txt (19.1K)
    Number of downloads: 0
  • Attached File  Ark.txt (16.35K)
    Number of downloads: 1

#2 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,453
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 15 April 2011 - 01:16 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.



We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK

    Do not re-enable these drivers until otherwise instructed.


Download DDS:

    Please download DDS by sUBs from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt

    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply






Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".


information and logs:

    In your next post I need the following

    • .logs from DDS
    • log from RKUnHooker
    • let me know of any problems you may have had


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#3 User is offline   ChrisPowers 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 10-April 11

Posted 15 April 2011 - 12:36 PM

Hey Gringo,

First of all, thanks a million for responding to my post and taking the time to help me. You guys are awesome.

I followed the steps you described, and was able to complete all the steps without incident. The contents of the log files you requested follow:

************************************************************************************************************************
************************************************************************************************************************
***** DDS.txt
************************************************************************************************************************
************************************************************************************************************************

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by ChrisPowers at 13:06:55.84 on Fri 04/15/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2048.1556 [GMT -4:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Lexmark Pro200-S500 Series\lxebmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxebcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\ChrisPowers\Desktop\BleepingComputer 2\Defogger.exe
C:\Documents and Settings\ChrisPowers\Desktop\BleepingComputer 2\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [Run StartupMonitor] StartupMonitor.exe
mRun: [SysTray] systray.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [lxebmon.exe] "c:\program files\lexmark pro200-s500 series\lxebmon.exe"
mRun: [Jet Detection] "c:\program files\creative\sblive\program\ADGJDet.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: 2o7.net
Trusted Zone: gap.com
Trusted Zone: google.com\maps
Trusted Zone: naaf.com\www
Trusted Zone: onlinecreditcenter6.com
Trusted Zone: pharmacyescrow.com\www
Trusted Zone: t-nation.com\www
Trusted Zone: testosterone.net\www
Trusted Zone: tmuscle.com\tnation
Trusted Zone: tmuscle.com\www
Trusted Zone: trendmicro.com\housecall65
DPF: RaptisoftGameLoader - hxxp://www.raptisoft.com/webgames/raptisoftgameloader.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15026/CTSUEng.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162847448280
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38179.3680555556
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} - hxxps://www-307.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15028/CTPID.cab
TCP: {294E266F-24AD-4594-9C6A-9C33D3F97DDD} = 208.67.220.220,208.67.222.222
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\chrisp~1\applic~1\mozilla\firefox\profiles\4ztaukox.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8118
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 8118
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\chrispowers\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
FF - Ext: QuickJava: {E6C1199F-E687-42da-8C24-E7770CC3AE66} - %profile%\extensions\{E6C1199F-E687-42da-8C24-E7770CC3AE66}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-30 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-30 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-30 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-30 61960]
R2 lxeb_device;lxeb_device;c:\windows\system32\lxebcoms.exe -service --> c:\windows\system32\lxebcoms.exe -service [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-11 24652]
S1 c2scsi;c2scsi; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 lxebCATSCustConnectService;lxebCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxebserv.exe [2011-2-8 193192]
S2 PEVSystemStart;PEVSystemStart;c:\combofix\PEV.cfxxe [2011-4-10 256512]
S3 cpuz130;cpuz130;\??\c:\docume~1\chrisp~1\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\chrisp~1\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 FLASHSYS;FLASHSYS;\??\c:\program files\msi\live update 4\lu4\flashsys.sys --> c:\program files\msi\live update 4\lu4\FLASHSYS.sys [?]
S3 vmaudioflt;vmaudioflt;c:\windows\system32\drivers\vmaudioflt.sys --> c:\windows\system32\drivers\vmaudioflt.sys [?]
S3 vmaudioflt_spkout;vmaudioflt_spkout;c:\windows\system32\drivers\vmaudioflt_spkout.sys --> c:\windows\system32\drivers\vmaudioflt_spkout.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [2001-1-2 19677]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2006-10-13 50048]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]
.
=============== Created Last 30 ================
.
2011-04-11 03:30:03 -------- d-s---w- C:\ComboFix
2011-04-11 02:18:42 -------- d-sha-r- C:\cmdcons
2011-04-11 02:13:41 98816 ----a-w- c:\windows\sed.exe
2011-04-11 02:13:41 89088 ----a-w- c:\windows\MBR.exe
2011-04-11 02:13:41 256512 ----a-w- c:\windows\PEV.exe
2011-04-11 02:13:41 161792 ----a-w- c:\windows\SWREG.exe
2011-04-08 17:53:26 -------- d-----w- c:\docume~1\chrisp~1\applic~1\Malwarebytes
2011-04-08 17:52:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-08 17:52:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-08 17:52:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-16 20:05:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\Lexmark Pro200-S500 Series
.
==================== Find3M ====================
.
2011-03-07 18:13:05 118104 ----a-w- c:\windows\dxsdkuninst.exe
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 19:44:14 133616 ------w- c:\windows\system32\pxafs.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-16 20:40:29 249856 ------w- c:\windows\Setup1.exe
2011-02-16 20:40:28 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
.
============= FINISH: 13:09:23.35 ===============


************************************************************************************************************************
************************************************************************************************************************
***** Attach.txt
************************************************************************************************************************
************************************************************************************************************************

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/11/2004 10:17:21 AM
System Uptime: 4/15/2011 12:51:53 PM (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | A7V333
Processor: AMD Athlon™ XP 3000+ | SOCKET A | 2166/166mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 70 GiB total, 12.037 GiB free.
D: is FIXED (NTFS) - 186 GiB total, 23.617 GiB free.
E: is CDROM ()
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP2741: 4/3/2011 5:25:57 AM - System Checkpoint
RP2742: 4/4/2011 6:25:55 AM - System Checkpoint
RP2743: 4/5/2011 7:25:19 AM - System Checkpoint
RP2744: 4/6/2011 7:25:56 AM - System Checkpoint
RP2745: 4/7/2011 8:25:55 AM - System Checkpoint
RP2746: 4/8/2011 6:18:57 PM - System Checkpoint
RP2747: 4/10/2011 11:01:56 PM - Restore Operation
RP2748: 4/11/2011 11:16:28 PM - System Checkpoint
RP2749: 4/13/2011 12:45:38 AM - System Checkpoint
RP2750: 4/14/2011 1:24:04 AM - System Checkpoint
RP2751: 4/14/2011 11:56:47 PM - Software Distribution Service 3.0
RP2752: 4/15/2011 3:05:20 AM - Software Distribution Service 3.0
RP2753: 4/15/2011 4:32:20 AM - Printer Driver Microsoft Office Document Image Writer Installed
.
==== Installed Programs ======================
.
.
3DMark05
Acronis PartitionExpert
Action Replay XBOX 1.42
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Encore DVD 1.5
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Premiere Pro 1.5
Adobe Shockwave Player 11.5
Adobe Stock Photos 1.0
AIM 6
ASUS Probe V2.25.02
ATI AVIVO Codecs
ATI Catalyst Install Manager
Audacity 1.3.9 (Unicode)
Avira AntiVir Personal - Free Antivirus
AviSynth 2.5
AVIVO Codecs
BitPim 1.0.7
Bulk Rename Utility 2.7.1.1
CameraHelperMsi
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
ccc-utility
CCC Help English
Citrix Presentation Server Client
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
DAO
Direct Show Ogg Vorbis Filter (remove only)
DivX Plus DirectShow Filters
DivX Setup
DivX Version Checker
Doom 3
Driver Sweeper version 2.9.0
DVD Decrypter (Remove Only)
DVD Shrink 3.2
EasyCleaner
erLT
ESPN RunTime
Fallout
FFmpeg for Audacity on Windows
Foxit Reader
Futuremark SystemInfo
Half-Life 2: Deathmatch
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB958655-v2)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB971276-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Huffyuv AVI lossless video codec (Remove Only)
IcoFX 1.6.4
IrfanView (remove only)
J2SE Development Kit 5.0 Update 6
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_04
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 Runtime Environment, SE v1.4.2_06
Java 2 SDK, SE v1.4.2_06
Java Auto Updater
Java™ 6 Update 19
LAME v3.98.2 for Audacity
LeechFTP
Lemmings for Windows 95
Lenovo USB Webcam
Lexmark Pro200-S500 Series
Logitech Desktop Messenger
Logitech MouseWare 9.80
Logitech Webcam Software
LWS Facebook
LWS Gallery
LWS Help_main
LWS Launcher
LWS Motion Detection
LWS Pictures And Video
LWS Video Mask Maker
LWS Webcam Software
LWS WLM Plugin
LWS YouTube Plugin
Malwarebytes' Anti-Malware
Microsoft .NET Compact Framework 1.0 SP3 Developer
Microsoft .NET Compact Framework 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Device Emulator version 1.0 - ENU
Microsoft DirectX SDK (February 2010)
Microsoft Document Explorer 2005
Microsoft FrontPage Client - English
Microsoft Help Viewer 1.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2005 Professional Edition - ENU
Microsoft Visual Studio 2005 Professional Edition - ENU Service Pack 1 (KB926601)
Microsoft Visual Studio Macro Tools
Microsoft Windows Application Compatibility Database
Microsoft Xbox 360 Accessories 1.1
Mozilla Firefox (3.6.16)
Mp3tag v2.48
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
Notepad++
PCI Audio Driver
Pidgin
Planescape - Torment
Platform
PowerISO
QT Lite 2.7.0
Real Alternative 1.27
SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB2465367)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB937061)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB971023)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB973673)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Encoder (KB2447961)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Skype™ 4.2
Sonique
Sound Blaster Live! Web 2K/XP
SpywareBlaster 4.4
Starsiege Tribes 1.0
StartupMonitor
Steam
Sun ODF Plugin for Microsoft Office 3.0
SUPER © Version 2010.bld.38 (May 2, 2010)
System Requirements Lab
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB982664)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB Video Driver
VC80CRTRedist - 8.0.50727.4053
VDMSound
VIA Platform Device Manager
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Visual Studio.NET Baseline - English
Web Deployment Tool
WebFldrs XP
WebReg
Winamp
Windows Driver Package - Advanced Micro Devices, Inc. (USB28xxBGA) Media (08/31/2007 5.7.0831.0)
Windows Driver Package - eMPIA Technology Inc, (emAudio) MEDIA (08/31/2007 5.7.0831.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
WinMerge 2.6.12.0
WinRAR archiver
XPS Essentials Pack
XPS Essentials Pack 1.0
xu4 CVS
Yahoo! Address AutoComplete
Yahoo! Install Manager
Yahoo! Messenger
.
==== Event Viewer Messages From Past Week ========
.
4/11/2011 4:26:43 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the lxebCATSCustConnectService service to connect.
4/11/2011 4:26:43 PM, error: Service Control Manager [7000] - The Pml Driver HPZ12 service failed to start due to the following error: The system cannot find the file specified.
4/11/2011 4:26:43 PM, error: Service Control Manager [7000] - The lxebCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/11/2011 4:26:43 PM, error: Service Control Manager [7000] - The ASInsHelp service failed to start due to the following error: The system cannot find the file specified.
4/11/2011 4:21:53 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/11/2011 4:11:16 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
4/11/2011 4:09:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK7 aslm75 avgio avipbb Fips SCDEmu ssmdrv
.
==== End Of File ===========================


************************************************************************************************************************
************************************************************************************************************************
***** RKUnHooker Report
************************************************************************************************************************
************************************************************************************************************************

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xB9896000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 5992448 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xBF256000 C:\WINDOWS\System32\ati3duag.dll 4022272 bytes (ATI Technologies Inc. , ati3duag.dll)
0xBF9C6000 C:\WINDOWS\System32\ativvaxx.dll 2670592 bytes (Advanced Micro Devices, Inc. , Radeon Video Acceleration Universal Driver)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2192768 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2192768 bytes
0x804D7000 RAW 2192768 bytes
0x804D7000 WMIxWDM 2192768 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF060000 C:\WINDOWS\System32\ati2cqag.dll 851968 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF130000 C:\WINDOWS\System32\atikvmag.dll 716800 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xA8D2D000 C:\WINDOWS\system32\drivers\ha10kx2k.sys 679936 bytes (Creative Technology Ltd, Creative EMU10KX HAL (WDM))
0xF7B52000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA8A7F000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
0xB9730000 C:\WINDOWS\system32\drivers\ctaud2k.sys 491520 bytes (Creative Technology Ltd, Creative WDM Audio Device Driver)
0xBF1DF000 C:\WINDOWS\System32\atiok3x2.dll 487424 bytes (Advanced Micro Devices, Inc., Ring 0 x2 component)
0xA8B47000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB4E21000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB9825000 C:\WINDOWS\system32\drivers\cmaudio.sys 380928 bytes (C-Media Inc, C-Media Audio WDM Driver)
0xA8C54000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA4CC6000 C:\WINDOWS\System32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 319488 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBF62C000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA4DE3000 C:\WINDOWS\system32\DRIVERS\atksgt.sys 274432 bytes
0xA4D46000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB4E7F000 C:\WINDOWS\System32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF75A8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA507E000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7411000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB4DF5000 C:\WINDOWS\system32\drivers\windrvr6.sys 180224 bytes (Jungo, WinDriver Device Driver 6.22)
0xA42A2000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA8BDF000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xA8C2C000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xA8AFB000 C:\WINDOWS\system32\DRIVERS\avipbb.sys 155648 bytes (Avira GmbH, Avira Driver for Security Enhancement)
0xF74B2000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA8B21000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA4C69000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xB9801000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB97BA000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB97DE000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA8C0A000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806EF000 ACPI_HAL 131840 bytes
0x806EF000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF747A000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xA8CE0000 C:\WINDOWS\System32\drivers\ctsfm2k.sys 126976 bytes (Creative Technology Ltd, SoundFont® Manager (WDM))
0xF74D8000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xBA746000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9717000 C:\WINDOWS\system32\drivers\ctoss2k.sys 102400 bytes (Creative Technology Ltd., Creative OS Services Driver (WDM))
0xA8CFF000 C:\WINDOWS\System32\drivers\emupia2k.sys 102400 bytes (Creative Technology Ltd, E-mu Plug-in Architecture Driver (WDM))
0xF749A000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA8A3F000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7451000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB4EC0000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA53B6000 C:\WINDOWS\system32\DRIVERS\avgntflt.sys 86016 bytes (Avira GmbH, Avira Minifilter Driver)
0xA8D18000 C:\WINDOWS\System32\drivers\ctac32k.sys 86016 bytes (Creative Technology Ltd, Creative AC3 SW Decoder Device Driver (WDM))
0xA51C1000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB4ED7000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB9882000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA8CAD000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF743E000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB97A8000 C:\WINDOWS\System32\DRIVERS\Rtlnicxp.sys 73728 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )
0xF7468000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7597000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB4EAF000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF7400000 snapman.sys 69632 bytes (Acronis, Acronis Snapshot API)
0xBA369000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xB9E5D000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA399000 C:\WINDOWS\System32\DRIVERS\LMouFlt2.Sys 65536 bytes (Logitech, Inc., Logitech Filter Driver for Mouse Class.)
0xF76A7000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF7667000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xB9E7D000 C:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xB9EDD000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF7567000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xB9E4D000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xBA780000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xB5D7E000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7677000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBA7C0000 C:\WINDOWS\system32\DRIVERS\xusb21.sys 57344 bytes (Microsoft Corporation, Windows Common Controller)
0xF7637000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7507000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xB9ECD000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7617000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF74F7000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xB9E9D000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xB5D3E000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xB9E6D000 C:\WINDOWS\System32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7607000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xB9E8D000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7657000 viaagp.sys 45056 bytes (Microsoft Corporation, VIA NT AGP Filter)
0xF7577000 C:\WINDOWS\System32\DRIVERS\amdk7.sys 40960 bytes (Microsoft Corporation, Processor Device Driver)
0xF75F7000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB5DBE000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7647000 PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xA4EC6000 C:\WINDOWS\System32\DRIVERS\secdrv.sys 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0xB5DCE000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7627000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xB9EAD000 C:\WINDOWS\System32\Drivers\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA7B0000 C:\WINDOWS\System32\Drivers\LHidUsb.Sys 36864 bytes (Logitech, Inc., Logitech USB Mouse Function Driver.)
0xBA770000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xB5D5E000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA432D000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF76E7000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7797000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF781F000 C:\WINDOWS\System32\Drivers\SCDEmu.SYS 32768 bytes (PowerISO Computing, Inc., PowerISO Virtual Drive)
0xF77E7000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7717000 videX32.sys 32768 bytes (VIA Technologies, Inc., VIA Generic PCI IDE Bus Driver)
0xF77F7000 C:\WINDOWS\System32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xB9F67000 C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys 28672 bytes (GEAR Software Inc., CDRom Class Filter Driver)
0xB9F37000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xA84CE000 C:\DOCUME~1\CHRISP~1\LOCALS~1\Temp\mbr.sys 28672 bytes
0xF7707000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF771F000 viaagp1.sys 28672 bytes (VIA Technologies, Inc., VIA NT AGP Filter)
0xF7807000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xB504B000 C:\WINDOWS\System32\DRIVERS\LHidFlt2.Sys 24576 bytes (Logitech, Inc., Logitech HID Filter Driver.)
0xB9F57000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF773F000 C:\WINDOWS\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)
0xF77DF000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF7747000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB9F47000 C:\WINDOWS\System32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF7817000 C:\WINDOWS\system32\DRIVERS\lirsgt.sys 20480 bytes
0xF7777000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xB9F6F000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xB9F5F000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xB9F4F000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xB503B000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA702000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA53F3000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF792B000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBA70E000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xBA6AE000 C:\WINDOWS\System32\DRIVERS\gameenum.sys 12288 bytes (Microsoft Corporation, Game Port Enumerator)
0xBA6CE000 C:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA251000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB5288000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB8A7A000 C:\Program Files\Avira\AntiVir Desktop\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter)
0xF79A9000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF79A1000 C:\WINDOWS\System32\drivers\ctprxy2k.sys 8192 bytes (Creative Technology Ltd, Creative Proxy Device Driver (WDM))
0xF798D000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xB8A74000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xB8A6C000 C:\WINDOWS\system32\EGATHDRV.SYS 8192 bytes (IBM Corporation, IBM eGatherer Kernel Module)
0xF79A7000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF79AB000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xA7FD9000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xA7FCF000 C:\WINDOWS\system32\PfModNT.sys 8192 bytes (Creative Technology Ltd., PCI/ISA Device Info. Service)
0xF79B1000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF79A3000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF79A5000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF798B000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF7989000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xB4EEF000 C:\WINDOWS\system32\drivers\aslm75.sys 4096 bytes
0xB5BB3000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA364000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xB562B000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
==============================================
>Stealth
==============================================
0x06170000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Dashboard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 102400 bytes
0x062C0000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Wizard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 102400 bytes
0x01260000 Hidden Image-->CLI.Foundation.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 110592 bytes
0x050F0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Runtime.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 110592 bytes
0x060D0000 Hidden Image-->Branding.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 110592 bytes
0x00D50000 Hidden Image-->MOM.Implementation.dll [ EPROCESS 0x8915E498 ] PID: 280, 118784 bytes
0x03870000 Hidden Image-->MOM.Implementation.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 118784 bytes
0x06A50000 Hidden Image-->CLI.Component.Dashboard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 1232896 bytes
0x8AAACA9B Unknown page with executable code, 1381 bytes
0x049E0000 Hidden Image-->CLI.Caste.Graphics.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 167936 bytes
0x06510000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Wizard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 1748992 bytes
0x072D0000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Dashboard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 192512 bytes
0x06110000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Dashboard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 208896 bytes
0x06370000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Wizard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 217088 bytes
0x064C0000 Hidden Image-->CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 282624 bytes
0x01290000 Hidden Image-->MOM.Foundation.dll [ EPROCESS 0x8915E498 ] PID: 280, 28672 bytes
0x012C0000 Hidden Image-->LOG.Foundation.Implementation.Private.dll [ EPROCESS 0x8915E498 ] PID: 280, 28672 bytes
0x01250000 Hidden Image-->MOM.Foundation.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x01280000 Hidden Image-->LOG.Foundation.Implementation.Private.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x03930000 Hidden Image-->CLI.Component.Runtime.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x043E0000 Hidden Image-->AEM.Server.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x04430000 Hidden Image-->AEM.Plugin.Hotkeys.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x04410000 Hidden Image-->AEM.Plugin.DPPE.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x04450000 Hidden Image-->AEM.Plugin.WinMessages.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x04590000 Hidden Image-->DEM.Graphics.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x04570000 Hidden Image-->DEM.Foundation.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x04950000 Hidden Image-->DEM.Graphics.I0709.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x04A90000 Hidden Image-->AEM.Actions.CCAA.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x04A40000 Hidden Image-->AEM.Plugin.GD.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x04AB0000 Hidden Image-->ResourceManagement.Foundation.Private.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x04BE0000 Hidden Image-->DEM.Graphics.I0804.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x04D20000 Hidden Image-->DEM.Graphics.I1010.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x04E80000 Hidden Image-->CLI.Caste.Graphics.Runtime.Shared.Private.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x05060000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x05160000 Hidden Image-->DEM.Graphics.I0906.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x052C0000 Hidden Image-->DEM.Graphics.I0706.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x051F0000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x051E0000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Runtime.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x05280000 Hidden Image-->DEM.Graphics.I0912.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x05260000 Hidden Image-->CLI.Aspect.Welcome.Graphics.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x052D0000 Hidden Image-->DEM.Graphics.I0712.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x05340000 Hidden Image-->DEM.Graphics.I0812.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x05360000 Hidden Image-->DEM.Graphics.I0805.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x054B0000 Hidden Image-->DEM.Graphics.I0703.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x05FC0000 Hidden Image-->AEM.Plugin.EEU.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x05550000 Hidden Image-->atixclib.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x05C10000 Hidden Image-->CLI.Caste.HydraVision.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x05C40000 Hidden Image-->APM.Foundation.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x05E50000 Hidden Image-->CLI.Caste.Graphics.Dashboard.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x05E90000 Hidden Image-->CLI.Component.Runtime.Extension.EEU.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x05FA0000 Hidden Image-->AEM.Plugin.REG.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x06060000 Hidden Image-->CLI.Component.Client.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x06080000 Hidden Image-->CLI.Component.Wizard.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x061B0000 Hidden Image-->CLI.Caste.Graphics.Wizard.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x060C0000 Hidden Image-->CLI.Component.Dashboard.Shared.Private.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x061C0000 Hidden Image-->CLI.Caste.HydraVision.Wizard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x06B80000 Hidden Image-->CLI.Caste.HydraVision.Dashboard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 28672 bytes
0x03610000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x8915E498 ] PID: 280, 307200 bytes
0x03310000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 307200 bytes
0x8AAAB288 Unknown page with executable code, 3448 bytes
0x8AAAD19B Unknown page with executable code, 3685 bytes
0x01140000 Hidden Image-->NEWAEM.Foundation.dll [ EPROCESS 0x8915E498 ] PID: 280, 36864 bytes
0x038C0000 Hidden Image-->CLI.Foundation.XManifest.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 36864 bytes
0x03900000 Hidden Image-->AxInterop.WBOCXLib.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 36864 bytes
0x03AB0000 Hidden Image-->NEWAEM.Foundation.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 36864 bytes
0x03B00000 Hidden Image-->Interop.WBOCXLib.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 36864 bytes
0x04E90000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 36864 bytes
0x05180000 Hidden Image-->CLI.Aspect.Welcome.Graphics.Runtime.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 36864 bytes
0x04F50000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Runtime.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 36864 bytes
0x04F30000 Hidden Image-->CLI.Aspect.CustomFormats.Graphics.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 36864 bytes
0x04F20000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 36864 bytes
0x05170000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Runtime.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 36864 bytes
0x05240000 Hidden Image-->CLI.Aspect.SmartGart.Graphics.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 36864 bytes
0x05BE0000 Hidden Image-->CLI.Caste.HydraVision.Runtime.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 36864 bytes
0x06090000 Hidden Image-->CLI.Component.Wizard.Shared.Private.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 36864 bytes
0x060B0000 Hidden Image-->CLI.Component.Dashboard.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 36864 bytes
0x063B0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Wizard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 372736 bytes
0x06FB0000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Dashboard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 389120 bytes
0x04970000 Hidden Image-->CLI.Caste.Graphics.Runtime.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 397312 bytes
0x06C80000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Dashboard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 405504 bytes
0x07010000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Dashboard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 405504 bytes
0x05FD0000 Hidden Image-->CLI.Component.Wizard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 413696 bytes
0x061D0000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Dashboard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 421888 bytes
0x062E0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Wizard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 421888 bytes
0x01260000 Hidden Image-->LOG.Foundation.Private.dll [ EPROCESS 0x8915E498 ] PID: 280, 45056 bytes
0x01250000 Hidden Image-->LOG.Foundation.dll [ EPROCESS 0x8915E498 ] PID: 280, 45056 bytes
0x03C80000 Hidden Image-->CCC.Implementation.dll [ EPROCESS 0x8915E498 ] PID: 280, 45056 bytes
0x04ED0000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Runtime.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 45056 bytes
0x00D50000 Hidden Image-->CCC.Implementation.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 45056 bytes
0x01240000 Hidden Image-->LOG.Foundation.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 45056 bytes
0x012D0000 Hidden Image-->LOG.Foundation.Private.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 45056 bytes
0x03950000 Hidden Image-->ATICCCom.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 45056 bytes
0x04EE0000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 45056 bytes
0x05090000 Hidden Image-->CLI.Aspect.SmartGart.Graphics.Runtime.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 45056 bytes
0x045B0000 Hidden Image-->ATIDEMGX.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 471040 bytes
0x03A10000 Hidden Image-->AEM.Server.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 53248 bytes
0x03920000 Hidden Image-->CLI.Foundation.Private.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 53248 bytes
0x043F0000 Hidden Image-->AEM.Plugin.Source.Kit.Server.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 53248 bytes
0x04560000 Hidden Image-->DEM.Graphics.I0601.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 53248 bytes
0x04E50000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Runtime.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 53248 bytes
0x04EB0000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Runtime.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 53248 bytes
0x04EC0000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Runtime.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 53248 bytes
0x051B0000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 53248 bytes
0x05250000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 53248 bytes
0x06040000 Hidden Image-->CLI.Component.Client.Shared.Private.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 53248 bytes
0x061A0000 Hidden Image-->CLI.Caste.Graphics.Wizard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 53248 bytes
0xF7617000 WARNING: Virus alike driver modification [VolSnap.sys], 53248 bytes
0x07080000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Dashboard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 585728 bytes
0x8AAAFE84 Unknown thread object [ ETHREAD 0x8A9BD7C0 ] TID: 144, 600 bytes
0x8AAB2084 Unknown thread object [ ETHREAD 0x8A9BD548 ] TID: 148, 600 bytes
0x8AAB115A Unknown thread object [ ETHREAD 0x8A9BD2D0 ] , 600 bytes
0x8AAAFB4F Unknown thread object [ ETHREAD 0x8A9C5020 ] , 600 bytes
0x03910000 Hidden Image-->CLI.Component.Runtime.Shared.Private.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 61440 bytes
0x04F10000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 61440 bytes
0x05200000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 61440 bytes
0x052E0000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 61440 bytes
0x05310000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Runtime.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 61440 bytes
0x06D90000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Dashboard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 643072 bytes
0x8AAB1D58 Unknown page with executable code, 680 bytes
0x07320000 Hidden Image-->CLI.Aspect.OverDrive5.Graphics.Dashboard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 684032 bytes
0x03890000 Hidden Image-->CLI.Component.SkinFactory.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 69632 bytes
0x038D0000 Hidden Image-->CLI.Component.Runtime.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 69632 bytes
0x05220000 Hidden Image-->CLI.Aspect.OverDrive5.Graphics.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 69632 bytes
0x05C20000 Hidden Image-->APM.Server.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 69632 bytes
0x07300000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Dashboard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 69632 bytes
0x06870000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Wizard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 700416 bytes
0x06EF0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Dashboard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 757760 bytes
0x01270000 Hidden Image-->LOG.Foundation.Implementation.dll [ EPROCESS 0x8915E498 ] PID: 280, 77824 bytes
0x01290000 Hidden Image-->LOG.Foundation.Implementation.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 77824 bytes
0x04EF0000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Runtime.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 77824 bytes
0x050D0000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 77824 bytes
0x05110000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 77824 bytes
0x05190000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Runtime.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 77824 bytes
0x05290000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Shared.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 77824 bytes
0x060F0000 Hidden Image-->CLI.Aspect.Welcome.Graphics.Dashboard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 77824 bytes
0x050B0000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Runtime.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 86016 bytes
0x051C0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Runtime.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 86016 bytes
0x05E30000 Hidden Image-->CLI.Caste.Graphics.Dashboard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 86016 bytes
0x071F0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Dashboard.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 888832 bytes
0x03990000 Hidden Image-->ADL.Foundation.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 94208 bytes
0x05070000 Hidden Image-->CLI.Aspect.OverDrive5.Graphics.Runtime.dll [ EPROCESS 0x88FD1668 ] PID: 2804, 94208 bytes


Thanks again,
Chris

#4 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,453
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 15 April 2011 - 01:21 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

    In your next post I need the following

  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#5 User is offline   ChrisPowers 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 10-April 11

Posted 15 April 2011 - 02:21 PM

Hey Gringo,

So here's precisely what happened:

I closed everything, Avira was disabled, and I ran Combofix.exe from Start...Run.

Very soon after starting, I got a message in Startup Monitor asking if I wanted to allow grpconv.exe to run at startup. I figured this might be required by Combofix, so I allowed it.

Combofix then produced a window saying that VOLSNAP.sys was infected and I had to click ok to proceed.

After a few minutes, I received another popup from Combofix stating that it would need to restart in order to continue. The moment I clicked Yes, another popup from Startup Monitor appeared to ask for confirmation, but Combofix had already started to reboot and I did not even have time to see what it was trying to register.

After rebooting, Combofix did not restart, and after about ten minutes, I brought up the task manager, and a few seconds later, the machine froze with the hard drive light on.

I rebooted via the reset button, and that is where I am now. There is now a file on my desktop named catchme.log which contains the following:

File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully
File list cleared

#6 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,453
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 15 April 2011 - 05:09 PM

hello

ok rerun combofix for me again please


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#7 User is offline   ChrisPowers 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 10-April 11

Posted 15 April 2011 - 06:00 PM

Hey man,

It seemed to run fine this time. The log follows:


ComboFix 11-04-14.03 - ChrisPowers 04/15/2011 18:37:25.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2048.1555 [GMT -4:00]
Running from: c:\documents and settings\ChrisPowers\Desktop\BleepingComputer 2\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Adobe Systems
c:\documents and settings\All Users\Application Data\Adobe Systems\Product licenses\B2B86000.dat
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2011-03-15 to 2011-04-15 )))))))))))))))))))))))))))))))
.
.
2011-04-08 17:53 . 2011-04-08 17:53 -------- d-----w- c:\documents and settings\ChrisPowers\Application Data\Malwarebytes
2011-04-08 17:52 . 2011-04-08 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-08 17:52 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-08 17:52 . 2011-04-11 02:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-17 08:01 . 2009-05-01 02:57 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-07 18:13 . 2011-03-07 18:13 118104 ----a-w- c:\windows\dxsdkuninst.exe
2011-03-07 05:33 . 2004-06-07 18:19 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 19:44 . 2006-07-27 16:24 133616 ------w- c:\windows\system32\pxafs.dll
2011-03-04 06:37 . 2004-07-11 15:55 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2001-08-23 17:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-25 07:01 . 2011-02-25 01:21 2018272 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2011-02-25 05:13 . 2011-02-25 01:21 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2011-02-22 23:06 . 2004-08-24 00:32 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-07-11 15:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-07-11 15:53 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2001-08-23 17:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2001-08-23 17:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-16 03:10 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-16 20:40 . 2011-02-16 20:40 249856 ------w- c:\windows\Setup1.exe
2011-02-16 20:40 . 2011-02-16 20:40 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-02-15 12:56 . 2001-08-23 17:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2002-11-26 19:15 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-09 13:53 . 2002-11-26 19:15 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-08 13:33 . 2001-08-23 17:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2001-08-23 17:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2004-07-11 15:54 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-07-11 15:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-07-11 15:54 439296 ----a-w- c:\windows\system32\shimgvw.dll
2006-05-03 09:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 216064 --sh--r- c:\windows\system32\nbDX.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 86016]
"SysTray"="systray.exe" [2001-08-23 3072]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 20992]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
"lxebmon.exe"="c:\program files\Lexmark Pro200-S500 Series\lxebmon.exe" [2010-05-05 770728]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-26 98304]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=c:\windows\pss\Privoxy.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^ChrisPowers^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\ChrisPowers\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
c:\program files\ATI Multimedia\main\ATIDtct.EXE [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
2002-10-15 23:00 1818624 ----a-w- c:\windows\mixer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
2005-05-19 18:55 101888 ----a-w- c:\program files\ESPNRunTime\DIGServices.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
c:\program files\Roxio\Media Experience\DMXLauncher.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2010-05-05 13:58 148280 ----a-w- c:\program files\Lexmark Pro200-S500 Series\ezprint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
c:\program files\HP\HP Software Update\HPWuSchd2.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 05:31 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
2001-11-29 06:00 28672 ----a-w- c:\program files\Creative\SBLive\Program\ADGJDet.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
2003-12-11 09:50 20992 ------w- c:\windows\LOGI_MWX.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2010-05-07 22:35 165208 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2002-08-29 04:39 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2002-08-29 04:39 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2002-08-29 04:39 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2011-01-26 22:30 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-11-09 20:07 49263 ----a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
c:\program files\Vidalia\vidalia.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
2002-07-02 22:56 24576 ----a-w- c:\windows\system32\CTHELPER.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\Java\\jre1.5.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\µtorrent\\utorrent.exe"=
"d:\\Download\\utorrent\\utorrent.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\j2sdk1.4.2_06\\jre\\bin\\java.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Steam\\SteamApps\\chrispowers\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Media Player Classic\\mplayerc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\lxebcoms.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/30/2009 10:57 PM 135336]
R2 lxeb_device;lxeb_device;c:\windows\system32\lxebcoms.exe -service --> c:\windows\system32\lxebcoms.exe -service [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 3:02 AM 24652]
S1 c2scsi;c2scsi; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 lxebCATSCustConnectService;lxebCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxebserv.exe [2/8/2011 7:17 PM 193192]
S3 cpuz130;cpuz130;\??\c:\docume~1\CHRISP~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\CHRISP~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 FLASHSYS;FLASHSYS;\??\c:\program files\MSI\Live Update 4\LU4\FLASHSYS.sys --> c:\program files\MSI\Live Update 4\LU4\FLASHSYS.sys [?]
S3 vmaudioflt;vmaudioflt;c:\windows\system32\drivers\vmaudioflt.sys --> c:\windows\system32\drivers\vmaudioflt.sys [?]
S3 vmaudioflt_spkout;vmaudioflt_spkout;c:\windows\system32\drivers\vmaudioflt_spkout.sys --> c:\windows\system32\drivers\vmaudioflt_spkout.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [1/2/2001 11:53 PM 19677]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [10/13/2006 6:48 PM 50048]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 7:17 AM 2805000]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/15/2006 1:47 AM 639224]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-15 c:\windows\Tasks\User_Feed_Synchronization-{DEB40DE5-FEA5-43FA-8F1D-B55105D24FD2}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: 2o7.net
Trusted Zone: gap.com
Trusted Zone: google.com\maps
Trusted Zone: naaf.com\www
Trusted Zone: onlinecreditcenter6.com
Trusted Zone: pharmacyescrow.com\www
Trusted Zone: t-nation.com\www
Trusted Zone: testosterone.net\www
Trusted Zone: tmuscle.com\tnation
Trusted Zone: tmuscle.com\www
Trusted Zone: trendmicro.com\housecall65
TCP: {294E266F-24AD-4594-9C6A-9C33D3F97DDD} = 208.67.220.220,208.67.222.222
DPF: RaptisoftGameLoader - hxxp://www.raptisoft.com/webgames/raptisoftgameloader.cab
FF - ProfilePath - c:\documents and settings\ChrisPowers\Application Data\Mozilla\Firefox\Profiles\4ztaukox.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8118
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 8118
FF - prefs.js: network.proxy.type - 4
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
FF - Ext: QuickJava: {E6C1199F-E687-42da-8C24-E7770CC3AE66} - %profile%\extensions\{E6C1199F-E687-42da-8C24-E7770CC3AE66}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-15 18:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-57989841-2111687655-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:cb,47,f3,5a,d9,8a,ae,64,26,73,6a,cf,73,83,fe,de,96,a2,d7,4a,bc,
a6,1d,2c,cd,c9,a9,1a,47,94,e0,ea,e8,f9,bc,74,62,a8,79,82,e3,1d,d6,da,fd,a6,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\LP*]
"DisplayName"="?\13?\13"
"DeviceDesc"="?\13?\13"
"ProviderName"="y"
"MFG"="???\\"
"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\?\13\\DriverFiles\\.INF"
"DeviceInstanceIds"=multi:"09236.inf\00"
.
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:cb,47,f3,5a,d9,8a,ae,64,26,73,6a,cf,73,83,fe,de,96,a2,d7,4a,bc,
a6,1d,2c,cd,c9,a9,1a,47,94,e0,ea,e8,f9,bc,74,62,a8,79,82,e3,1d,d6,da,fd,a6,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2011-04-15 18:58:26
ComboFix-quarantined-files.txt 2011-04-15 22:58
ComboFix2.txt 2011-04-11 02:36
.
Pre-Run: 12,888,862,720 bytes free
Post-Run: 13,407,522,816 bytes free
.
- - End Of File - - EF6F49F68E57A6FFD910E5A61FD0650B

#8 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,453
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 15 April 2011 - 06:44 PM

These logs are looking alot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    J2SE Development Kit 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 1
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_04
    Java 2 Runtime Environment, SE v1.4.2_05
    Java 2 Runtime Environment, SE v1.4.2_06
    Java 2 SDK, SE v1.4.2_06


    and click on remove


Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts


Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files

    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.


TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

    I would like you to rerun MBAM

  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


"information and logs"

    In your next post I need the following

    • Log From MBAM
    • report from Hijackthis
    • let me know of any problems you may have had
    • How is the computer doing now?


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#9 User is offline   ChrisPowers 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 10-April 11

Posted 17 April 2011 - 01:48 AM

Hey man,

I followed the instructions you provided, and I believe I was able to accomplish everything, although I did run into a few snags here and there. The first occurred when updating Java to the latest version. After the install was finished, I received the following error:

Posted Image

Later, while clearing the Java cache, I received this error:

Posted Image

...at which point I clicked the "Details" button, which brought up the following:

Posted Image

At that point, I continued with the remainder of your instructions.

Concerning my computer's performance: I haven't seen any browser script pop-up windows in a few hours, Google links no longer appear to be redirected, and I haven't heard any audio ads in a while, although I've only had mute turned off for an hour or so.

The logs you requested follow:

***********************************************************************************************************
***********************************************************************************************************
***** MBAM
***********************************************************************************************************
***********************************************************************************************************

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6381

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/17/2011 2:14:22 AM
mbam-log-2011-04-17 (02-14-22).txt

Scan type: Quick scan
Objects scanned: 158913
Time elapsed: 18 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


***********************************************************************************************************
***********************************************************************************************************
***** HijackThis
***********************************************************************************************************
***********************************************************************************************************

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:21:40 AM, on 4/17/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Lexmark Pro200-S500 Series\lxebmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\lxebcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [SysTray] systray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [lxebmon.exe] "C:\Program Files\Lexmark Pro200-S500 Series\lxebmon.exe"
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://*.2o7.net
O15 - Trusted Zone: http://*.gap.com
O15 - Trusted Zone: http://www.naaf.com
O15 - Trusted Zone: http://www.t-nation.com
O15 - Trusted Zone: http://www.testosterone.net
O15 - Trusted Zone: http://tnation.tmuscle.com
O15 - Trusted Zone: http://www.tmuscle.com
O15 - Trusted Zone: http://housecall65.trendmicro.com
O16 - DPF: RaptisoftGameLoader - http://www.raptisoft.com/webgames/raptisoftgameloader.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162847448280
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{294E266F-24AD-4594-9C6A-9C33D3F97DDD}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{294E266F-24AD-4594-9C6A-9C33D3F97DDD}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{294E266F-24AD-4594-9C6A-9C33D3F97DDD}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: lxebCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxebserv.exe
O23 - Service: lxeb_device - - C:\WINDOWS\system32\lxebcoms.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8296 bytes

This post has been edited by ChrisPowers: 17 April 2011 - 01:54 AM

#10 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,453
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 17 April 2011 - 01:56 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

      O4 - HKLM\..\Run: [SysTray]
      O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
      O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
      O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
      O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

      NOTE**You can research each of those lines >here< and see if you want to keep them or not
      just copy the name between the brakets and paste into the search space
      O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt

Copy and paste that log as a reply to this topic

Gringo

This post has been edited by gringo_pr: 17 April 2011 - 01:57 AM

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#11 User is offline   ChrisPowers 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 10-April 11

Posted 17 April 2011 - 01:19 PM

Hey Gringo,

So, I was able to run HijackThis without incident, however I ran into some trouble trying to get the ESET scan to finish. The first time I ran it, my computer froze while downloading at about 14%. I reset the machine, tried again, and this time was able to get the scan started, so I let it run overnight, and in the morning it was "frozen" at 99% and seemed to be stuck on one particular file (although the clock indicating how long it had been scanning was still ticking). I tried to take a screenshot, but although I could move the mouse cursor, everything else was unresponsive, so I copied down the information before resetting.

The file that it seemed to have been stuck on (or had most recently scanned) was:

C:\Program Files\DivX\Divx Plus Player\OSEPlugins\MP3SurroundDecode.dll

It appeared to have found one "threat," which was identified as: "probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus".

The HijackThis log follows. Let me know if I should keep trying to run this ESET scan until it successfully finishes.

Thanks,
Chris


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:21:40 AM, on 4/17/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Lexmark Pro200-S500 Series\lxebmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\lxebcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [SysTray] systray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [lxebmon.exe] "C:\Program Files\Lexmark Pro200-S500 Series\lxebmon.exe"
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://*.2o7.net
O15 - Trusted Zone: http://*.gap.com
O15 - Trusted Zone: http://www.naaf.com
O15 - Trusted Zone: http://www.t-nation.com
O15 - Trusted Zone: http://www.testosterone.net
O15 - Trusted Zone: http://tnation.tmuscle.com
O15 - Trusted Zone: http://www.tmuscle.com
O15 - Trusted Zone: http://housecall65.trendmicro.com
O16 - DPF: RaptisoftGameLoader - http://www.raptisoft.com/webgames/raptisoftgameloader.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162847448280
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{294E266F-24AD-4594-9C6A-9C33D3F97DDD}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{294E266F-24AD-4594-9C6A-9C33D3F97DDD}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{294E266F-24AD-4594-9C6A-9C33D3F97DDD}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: lxebCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxebserv.exe
O23 - Service: lxeb_device - - C:\WINDOWS\system32\lxebcoms.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8296 bytes

#12 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,453
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 17 April 2011 - 02:05 PM

Hello

That file is ligit and in the correct location so I am going to say it is ok.




Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over you can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use, I would keep this and use before you do any scans or when you want to free up some space.

:DeFogger:

    To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK

    Your Emulation drivers are now re-enabled.



:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • Posted Image



:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:clear system restore points:

This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • choose your root drive (normally C:)
  • after it calculates how much space you will save it will open up a new window
  • Select the More options tab at the top of the window
  • Choose the option to clean up system restore and OK it.
  • go back to the disk clean up tab
  • put a checkmark in all - except compress old files (leave this unchecked)
  • click Ok then click yes

This will remove all restore points except the new one you just created and clean unneeded files


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.



:Make Firefox more secure:




Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector


:Turn On Automatic Updates:

    Turn On Automatic Updates
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

    or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


:antispyware programs:

I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.

  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often.


Here is some great reading about how to be safer online:




I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#13 User is offline   ChrisPowers 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 10-April 11

Posted 18 April 2011 - 01:38 AM

Hey Gringo,

Well, I followed all the steps above, and so far everything seems to be working pretty well. I was never able to successfully complete the ESET online scan without my machine freezing, which is worrisome, but I guess that could be a different issue altogether.

I suppose I am left with a few questions that I would really appreciate you taking a look at if you can spare the time.

The first one is concerning the fact that many of my folders and files were hidden and, I suspect, made read-only when I first noticed the virus symptoms. I've been able to manually unhide a bunch of folders (and recursively their subfolders), but rather than wait until I notice something doesn't work and then try to figure out what to unhide, do you think it would be a bad idea to just recursively unhide every file on my drive? As it is, I have my folders set to show hidden files, so I don't want them hidden from myself anyway, but if certain apps require that certain files and folders be hidden, then I'm afraid unhiding them might screw something up. Do you guys have any recommendations on how to address that particular symptom?

Secondly, I recall reading that a firewall program or programs would be recommend in lieu of the Windows default firewall. Do you guys take a position on a third-party firewall program, or do you think I'm okay to stick with what I've got?

Finally, and probably most importantly, do you have any insight on what most likely caused this infection in the first place? Is it generally visiting a corrupted web site, opening an infected e-mail, or just a flat out direct attack exploiting some security flaw in Windows XP? Essentially, do you have an opinion on what I may have done to contract this malware so that I might avoid that mistake in the future. I felt safe with Avira (updating daily), SpywareBlaster (updating monthly), Windows firewall, and always installing Microsoft updates as soon as they become available, but that regimen obviously wasn't enough to prevent this infection.

Thanks again for all your help.

ChrisPowers

#14 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,453
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 18 April 2011 - 06:48 AM

Hello

The first one is concerning the fact that many of my folders and files were hidden and, I suspect, made read-only when I first noticed the virus symptoms. I've been able to manually unhide a bunch of folders (and recursively their subfolders), but rather than wait until I notice something doesn't work and then try to figure out what to unhide, do you think it would be a bad idea to just recursively unhide every file on my drive? As it is, I have my folders set to show hidden files, so I don't want them hidden from myself anyway, but if certain apps require that certain files and folders be hidden, then I'm afraid unhiding them might screw something up. Do you guys have any recommendations on how to address that particular symptom?

I want you to run this program - http://download.bleepingcomputer.com/grinler/unhide.exe and let me know if it works

Secondly, I recall reading that a firewall program or programs would be recommend in lieu of the Windows default firewall. Do you guys take a position on a third-party firewall program, or do you think I'm okay to stick with what I've got?

For me as long as you are using a router then windows firewall is OK to use

Finally, and probably most importantly, do you have any insight on what most likely caused this infection in the first place? Is it generally visiting a corrupted web site, opening an infected e-mail, or just a flat out direct attack exploiting some security flaw in Windows XP? Essentially, do you have an opinion on what I may have done to contract this malware so that I might avoid that mistake in the future. I felt safe with Avira (updating daily), SpywareBlaster (updating monthly), Windows firewall, and always installing Microsoft updates as soon as they become available, but that regimen obviously wasn't enough to prevent this infection.

There is so many ways of getting infected it would be impossible for me know how or when you got infected.

Make sure you read the Articles at the end of my last post

PC Safety and Security - What Do I Need? and COMPUTER SECURITY - a short guide to staying safer online

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#15 User is offline   ChrisPowers 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 10-April 11

Posted 19 April 2011 - 02:09 PM

Hey Gringo,

Okay, well, that Unhide app seemed to work pretty well, but I wanted to give myself at least a full day of regular use before I provided feedback on whether or not things are back to normal. I have to say that aside from very minor things here and there, I feel like my machine is back in the state it was before the infection.

I really can't thank you enough for taking the time to help people with these problems. I'll be making a donation right now and encouraging others to do the same when I inevitably send them to this site for help with their hijacked machines.

Thanks again,
ChrisPowers

This post has been edited by ChrisPowers: 19 April 2011 - 06:48 PM

Share this topic:


  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users