BleepingComputer.com: Trojan: DOS/ Alureon.A

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

Trojan: DOS/ Alureon.A Extremely stubborn!

#1 User is offline   MaxRev 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 18-September 11

Posted 18 September 2011 - 09:08 PM

The kind of meticulous attention to detail and sincere dedication that one senses from the folks running this forum is awesome. Despite the agonizing pain that I've been going through for the past three days, I feel confident that it will all come to a positive conclusion. A reassuring feeling that I have since I came to this website this morning. It's been almost 8 hours now since I started following the instructions and here are the details:

The case in a nutshell:

The following symptoms began appearing about three days ago:
1) Internet connection became almost impossible at all (succeeds once every a dozen or more reboot attempts).
2) Very slow rebooting. When finally connected frequent Google redirecting occures with disturbing frequency and persistence.

Further investigation revealed that the "disappearance" of the Network Ethernet Adapter/Controller was behind the loss of the Internet connection. Looking in the Control Panel > System > Hardware > Device Manager revealed the absence of the Adapter (without any signs that it is missing - such as the usual yellow question mark). After many reboot attempts, it would suddenly reappear in its usual place - thus allowing the Internet connection again. Then, if the computer is left on for a few hours without activity, the Network Adapter would disappear again, shutting down the Internet connection once more.

Scanning with Microsoft Security Essentials (which has actually been running in real-time protection mode at the time of infection!?) indicated the following: Trojan: DOS/Alureon.A described as severe and must be removed. Then tried but failed to remove it.

Scanning with Malwarebytes found the following three items:

Vendor: Spyware.Passwords.XGen
Category: File
Item: c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\ES3M6NB7\info[1].exe

Vendor: Hijack.WindowsUpdates
Category: Registry Data
Item: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath
Other: Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs)

Vendor: Hijack.WindowsUpdates
Category: Registry Data
Item: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath
Other: Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs)


Also tried but failed to remove it. Noticing the change between what I thought is the "good" and "bad" versions of the values of these two keys (the letter f instead of S, I tried to edit the Registry to change it back, but that was impossible (I later learned that the virus disabled the Registry editing capabilities).

Then I followed without success the advice found here:
http://sepiroth.hubpages.com/hub/EnableRegedit

Finally, I tried HiJackThis but also failed to remove it.

I finally stumbled upon BleepingComputer (initially came for the tutorial on How to use HiJackThis) and found more info on the Alureon Rootkit and instructions for using the TDSSKiller. Even though I haven't had success yet, but I feel confident and grateful for your help.

First, I followed the procedure described in this link:

How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
Posted by Grinler on March 2, 2010 @ 05:20 PM · Views: 457,352 - but no success.

So, here I'm posting the log files.

DDS.txt report:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18372
Run by Owner at 17:08:57 on 2011-09-18
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1314 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: ZoneAlarm Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = <local>
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [PowerPanel Personal Edition User Interaction] "c:\program files\cyberpower powerpanel personal edition\pppeuser.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\regist~1.lnk - c:\program files\eset\noderator\Register NOD32.exe
IE: Atomic Email Hunter - c:\program files\atompark\atomic email hunter\ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://intel-drv-cdn.systemrequirementslab.com/audio/bin/sysreqlab_srlx.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280857019828
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1280882643609
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{7D7DBF66-DF3C-4DB0-BF20-6BE61764BDDD} : DhcpNameServer = 192.168.1.254
Notify: igfxcui - igfxdev.dll
Notify: TPSvc - TPSvc.dll
LSA: Notification Packages = :\windows\system32\srrstr.dll cecli
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl47ff99cf;MpKsl47ff99cf;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b58e6975-7733-402a-9e51-c7e0d18fbcfb}\MpKsl47ff99cf.sys [2011-9-18 28752]
S1 b7ed4ce0;b7ed4ce0;c:\windows\system32\drivers\b7ed4ce0.sys [2009-7-3 0]
S1 MpKsl9e0ea756;MpKsl9e0ea756;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3a21c3b1-d244-4a99-b130-9121e8a45d01}\mpksl9e0ea756.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3a21c3b1-d244-4a99-b130-9121e8a45d01}\MpKsl9e0ea756.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys --> c:\windows\system32\drivers\Ambfilt.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-7-7 14904]
.
=============== Created Last 30 ================
.
2011-09-18 21:29:32 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b58e6975-7733-402a-9e51-c7e0d18fbcfb}\MpKsl47ff99cf.sys
2011-09-18 18:49:01 388096 ----a-r- c:\documents and settings\owner\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-09-17 22:41:26 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-09-17 15:24:20 -------- d-----w- c:\program files\common files\iS3
2011-09-17 15:24:19 -------- d-----w- c:\documents and settings\all users\application data\STOPzilla!
2011-09-17 15:02:28 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b58e6975-7733-402a-9e51-c7e0d18fbcfb}\mpengine.dll
2011-09-17 15:01:55 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
2011-09-17 12:52:38 -------- dc-h--w- c:\windows\ie8
2011-09-17 12:38:18 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-09-17 12:38:18 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-17 12:38:03 -------- d-----w- c:\program files\Microsoft Security Client
2011-09-17 02:36:41 -------- d-----w- C:\5d7fe6c27d8a27d474a36cdcc31f
2011-09-17 02:06:49 -------- d-----w- c:\program files\Microsoft Security Client(2)
2011-08-20 17:10:29 -------- d-----w- c:\documents and settings\owner\local settings\application data\Emex3
2011-08-20 17:06:42 -------- d-----w- c:\program files\EmEx3.com
.
==================== Find3M ====================
.
2011-06-27 21:57:04 118784 ----a-w- c:\windows\system32\msstdfmt.dll
2010-12-09 12:48:29 37794 ----a-w- c:\program files\Uninstal.exe
2001-10-30 19:14:40 124416 ----a-w- c:\program files\decks.exe
2000-12-22 16:13:34 275968 ----a-w- c:\program files\winamp11.exe
1999-08-31 10:26:12 376320 ----a-w- c:\program files\Msvcrtd.dll
1999-04-23 22:22:00 176128 ----a-w- c:\program files\COMDLG32.DLL
1998-07-29 18:00:06 266293 ----a-w- c:\program files\MSVCRT.DLL
.
============= FINISH: 17:09:42.12 ===============

Attached File(s)

  • Attached File  attach.txt (110.16K)
    Number of downloads: 0
  • Attached File  ark.txt (11.81K)
    Number of downloads: 2

This post has been edited by MaxRev: 19 September 2011 - 08:40 AM

#2 User is offline   HelpBot 

  • Bleepin' Binary Bot
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Bots
  • Posts: 5,607
  • Joined: 05-October 07
  • Gender:Male

Posted 23 September 2011 - 09:10 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/419516 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.

  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.


Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 User is offline   HelpBot 

  • Bleepin' Binary Bot
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Bots
  • Posts: 5,607
  • Joined: 05-October 07
  • Gender:Male

Posted 28 September 2011 - 09:15 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!


Mod Edit: Topic reopened at OP request ~ Hamluis.

This post has been edited by hamluis: 05 October 2011 - 08:02 AM

#4 User is offline   MaxRev 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 18-September 11

Posted 05 October 2011 - 09:27 AM

Thank you, Louis. I'll be reposting the requested logs soon!

#5 User is offline   MaxRev 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 18-September 11

Posted 05 October 2011 - 07:39 PM


Hello,

Here are the requested logs again.

And I have a question: Can I reenable the CD Emulation now? What effect does it have on the computer if left disabled?
Thank you for your help.

DDS.txt
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18372
Run by Owner at 15:49:20 on 2011-10-05
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.581 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: ZoneAlarm Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\TradeStation 8.6 (Build 2696)\Program\ORPlat.exe
C:\PROGRA~1\TRADES~3.6(B\Program\ordllhst.exe
C:\PROGRA~1\TRADES~3.6(B\Program\whserver.exe
C:\PROGRA~1\TRADES~3.6(B\Program\orcal.exe
C:\PROGRA~1\TRADES~3.6(B\Program\orclprxy.exe
C:\PROGRA~1\TRADES~3.6(B\Program\TSSCAN~1.EXE
C:\PROGRA~1\TRADES~3.6(B\Program\orchart.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = <local>
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: Atomic Email Hunter - c:\program files\atompark\atomic email hunter\ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280857019828
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1280882643609
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: Interfaces\{7D7DBF66-DF3C-4DB0-BF20-6BE61764BDDD} : NameServer = 68.94.156.1,151.164.8.201
Notify: igfxcui - igfxdev.dll
Notify: TPSvc - TPSvc.dll
LSA: Notification Packages = :\windows\system32\srrstr.dll cecli scecli
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl64d4357e;MpKsl64d4357e;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3c5b9a44-6537-438b-8c37-e31e203bc14b}\MpKsl64d4357e.sys [2011-10-2 28752]
S1 b7ed4ce0;b7ed4ce0;c:\windows\system32\drivers\b7ed4ce0.sys [2009-7-3 0]
S1 MpKsl9e0ea756;MpKsl9e0ea756;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3a21c3b1-d244-4a99-b130-9121e8a45d01}\mpksl9e0ea756.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3a21c3b1-d244-4a99-b130-9121e8a45d01}\MpKsl9e0ea756.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys --> c:\windows\system32\drivers\Ambfilt.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-7-7 14904]
.
=============== Created Last 30 ================
.
2011-10-05 02:17:26 -------- d-----w- c:\program files\Microsoft Image Composer
2011-10-03 04:12:25 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3c5b9a44-6537-438b-8c37-e31e203bc14b}\MpKsl64d4357e.sys
2011-10-03 04:12:23 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3c5b9a44-6537-438b-8c37-e31e203bc14b}\offreg.dll
2011-10-03 01:16:03 16896 ----a-w- c:\windows\system32\SET1396.tmp
2011-10-03 01:16:01 177152 ----a-w- c:\windows\system32\SET1375.tmp
2011-10-03 01:15:58 80896 ----a-w- c:\windows\system32\SET1355.tmp
2011-10-03 01:15:58 354304 ----a-w- c:\windows\system32\SET1358.tmp
2011-10-03 01:15:57 121856 ----a-w- c:\windows\system32\SET1349.tmp
2011-10-03 01:15:57 1135616 ----a-w- c:\windows\system32\SET134E.tmp
2011-10-03 01:11:59 58368 ----a-w- c:\windows\system32\SET5CF.tmp
2011-10-03 01:10:59 49664 ----a-w- c:\windows\system32\SET350.tmp
2011-10-03 01:08:56 19569 ----a-w- c:\windows\003500_.tmp
2011-10-03 01:06:59 58880 ----a-w- c:\windows\system32\dllcache\agentdpv.dll
2011-10-02 21:09:08 -------- d-----w- c:\documents and settings\all users\application data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-10-02 16:40:17 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3c5b9a44-6537-438b-8c37-e31e203bc14b}\mpengine.dll
2011-10-01 00:59:00 -------- d-----w- c:\program files\PFPortChecker
2011-09-30 12:35:46 73728 ----a-w- c:\windows\system32\TOverlay.ax
2011-09-30 12:35:46 630784 ----a-w- c:\windows\system32\AxisToolBar.ocx
2011-09-30 12:35:46 53248 ----a-w- c:\windows\system32\DSTimeStamp.ax
2011-09-30 12:35:46 420240 ----a-w- c:\windows\system32\mpg4c32.dll
2011-09-30 12:35:46 40960 ----a-w- c:\windows\system32\wavdest.ax
2011-09-30 12:35:46 36864 ----a-w- c:\windows\system32\Sof2FFTPrj.ocx
2011-09-30 12:35:46 28672 ----a-w- c:\windows\system32\SpecBarPrj.ocx
2011-09-30 12:35:46 28672 ----a-w- c:\windows\system32\PCWinSoftPBar.ocx
2011-09-30 12:35:46 126976 ----a-w- c:\windows\system32\ArielColorCtrl.ocx
2011-09-30 12:35:45 438976 ----a-w- c:\windows\system32\MSHFLXGD.OCX
2011-09-30 12:35:45 188416 ----a-w- c:\windows\system32\UScreenCapture.ax
2011-09-30 12:35:40 -------- d-----w- c:\program files\1AVStreamer
2011-09-29 23:08:19 -------- d-----w- c:\documents and settings\owner\local settings\application data\PackageAware
2011-09-28 19:11:11 -------- d-----w- c:\program files\AutoHotkey
2011-09-27 22:52:15 -------- d-----w- c:\documents and settings\owner\local settings\application data\CrashRpt
2011-09-27 22:52:01 -------- d-----w- c:\documents and settings\owner\local settings\application data\Procaster
2011-09-27 22:52:00 -------- d-----w- c:\program files\Livestream Procaster
2011-09-27 21:54:28 -------- d-----w- c:\program files\NCH Swift Sound
2011-09-26 03:12:20 -------- d-----w- c:\documents and settings\owner\application data\NCH Software
2011-09-19 12:40:10 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-19 12:40:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-18 18:49:01 388096 ----a-r- c:\documents and settings\owner\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-09-17 22:41:26 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-09-17 15:24:20 -------- d-----w- c:\program files\common files\iS3
2011-09-17 15:24:19 -------- d-----w- c:\documents and settings\all users\application data\STOPzilla!
2011-09-17 15:01:55 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
2011-09-17 12:52:38 -------- dc-h--w- c:\windows\ie8
2011-09-17 12:38:18 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-09-17 12:38:18 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-17 12:38:03 -------- d-----w- c:\program files\Microsoft Security Client
2011-09-17 02:36:41 -------- d-----w- C:\5d7fe6c27d8a27d474a36cdcc31f
2011-09-17 02:06:49 -------- d-----w- c:\program files\Microsoft Security Client(2)
.
==================== Find3M ====================
.
2010-12-09 12:48:29 37794 ----a-w- c:\program files\Uninstal.exe
2001-10-30 19:14:40 124416 ----a-w- c:\program files\decks.exe
2000-12-22 16:13:34 275968 ----a-w- c:\program files\winamp11.exe
1999-08-31 10:26:12 376320 ----a-w- c:\program files\Msvcrtd.dll
1999-04-23 22:22:00 176128 ----a-w- c:\program files\COMDLG32.DLL
1998-07-29 18:00:06 266293 ----a-w- c:\program files\MSVCRT.DLL
.
============= FINISH: 15:50:41.70 ===============


Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 8/3/2010 5:58:52 PM
System Uptime: 10/2/2011 11:11:58 PM (64 hours ago)
.
Motherboard: Intel Corporation | | D945GCNL
Processor: Intel® Pentium® Dual CPU E2200 @ 2.20GHz | LGA 775 | 2194/200mhz
Processor: Intel® Pentium® Dual CPU E2200 @ 2.20GHz | LGA 775 | 2194/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 229 GiB total, 179.394 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 37 GiB total, 10.399 GiB free.
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 9/28/2011 9:36:13 AM - System Checkpoint
RP2: 9/29/2011 4:04:14 PM - System Checkpoint
RP3: 9/30/2011 7:54:54 AM - Removed Adobe Reader 9.3.3.
RP4: 10/1/2011 8:18:59 AM - System Checkpoint
RP5: 10/2/2011 10:10:52 AM - System Checkpoint
RP6: 10/2/2011 4:24:03 PM - Removed upapp
RP7: 10/2/2011 5:25:02 PM - Removed HP Update
RP8: 10/2/2011 8:09:06 PM - Installed Windows XP Service Pack 3.
RP9: 10/3/2011 8:18:15 PM - System Checkpoint
RP10: 10/4/2011 10:28:41 PM - System Checkpoint
.
==== Installed Programs ======================
.
1AVStreamer version 1.9.3.00
2007 Microsoft Office system
32 Bit HP CIO Components Installer
4500_Help
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.6
Atomic Email Hunter 4.75
Atomic Mail Verifier 5.30
AutoHotkey 1.0.48.05
BESTDirect 8
BPD_HPSU
bpd_scan
BPDSoftware
BPDSoftware_Ini
BufferChm
CustomerResearchQFolder
CyberPower PowerPanel Personal Edition
Decks v1.20
Destination Component
DeviceDiscovery
Digital Ear
DocMgr
DocProc
DocProcQFolder
Doxillion Document Converter
Easy Karaoke Player version 3.33
Easy Songwriter (Version 1.2)
Email Marketing Professional 2011 (Free Version)
Emex 3
eSupportQFolder
Fax
Free Mp3 Wma Converter V 1.91
Google Talk Plugin
GPBaseService
H&R Block Deluxe + Efile + State 2009
HiJackThis
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB970653-v3)
HP Customer Participation Program 10.0
hp deskjet 3320 series
hp deskjet 3320 series (Remove only)
HP Document Manager 1.0
HP Imaging Device Functions 10.0
hp instant support
HP Officejet J4500 Series
HP Photosmart Essential 2.5
HP Smart Web Printing
HP Solution Center 10.0
HPProductAssistant
HPSSupply
Intel® Graphics Media Accelerator Driver
J4500
Java Auto Updater
Java™ 6 Update 21
KaraFun Player 1.20.67-beta
KaraFun Studio 1.20.75-beta
Karaoke CD+G Creator
Karaoke Island's MP3 karaoke Player
Lightscreen
LightScribe 1.4.97.1
Livestream Procaster
Malwarebytes' Anti-Malware version 1.51.2.1300
MarketResearch
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Image Composer 1.5
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office FrontPage 2003
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
MP3 Audio Recorder
MSN
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Music Editor Free
Music MasterWorks v3.94
NCH Toolbox
Nero Suite
NinjaTrader 6.5
Noderator
OCR Software by I.R.I.S. 10.0
PCI Audio Driver
PFPortChecker 1.0.39
PhotoPad Image Editor
ProductContext
PSSWCORE
Ralink Wireless LAN
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.1
Scan
ScreenStream
Secunia PSI
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows XP (KB923789)
Shop for HP Supplies
Siglos Karaoke Player/Recorder
SmartWebPrintingOC
SolutionCenter
Status
TaxCut Premium + State + Efile 2008
Toolbox
Trader Workstation 4.0
TradeStation 8.6 (Build 2525)
TradeStation 8.6 (Build 2612)
TradeStation 8.6 (Build 2696)
TradeStation Futures
TrayApp
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Office 2007 (KB934528)
Update for Office System 2007 Setup (KB929722)
Update for Windows XP (KB914882)
Update for Windows XP (KB932823-v3)
VC 9.0 Runtime
VideoToolkit01
VOCALOID Demo Miriam
VocalRemover Setup
Vogone Demo
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8 Release Candidate 1
Windows Media Format Runtime
Windows Media Player 10
.
==== Event Viewer Messages From Past Week ========
.
9/30/2011 9:26:00 AM, error: Service Control Manager [7000] - The Background Intelligent Transfer Service service failed to start due to the following error: The system cannot find the file specified.
9/30/2011 7:52:48 AM, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
9/30/2011 7:51:25 AM, error: Service Control Manager [7000] - The Upload Manager service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
9/30/2011 7:51:25 AM, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The system cannot find the file specified.
9/30/2011 2:26:32 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.DebugCRT. Reference error message: The referenced assembly is not installed on your system. .
9/30/2011 2:26:32 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Real\RealPlayer\plugins\rmxrend.dll. Reference error message: The operation completed successfully. .
9/30/2011 2:26:32 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.DebugCRT could not be found and Last Error was The referenced assembly is not installed on your system.
9/30/2011 1:30:07 PM, error: DCOM [10005] - DCOM got error "%2" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
9/29/2011 9:47:56 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.113.126.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7702.0 Error code: 0x80070002 Error description: The system cannot find the file specified.
9/29/2011 9:47:56 AM, error: DCOM [10005] - DCOM got error "%2" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
9/28/2011 9:52:57 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.113.126.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7702.0 Error code: 0x80070002 Error description: The system cannot find the file specified.
10/4/2011 11:22:26 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.113.570.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7702.0 Error code: 0x80070002 Error description: The system cannot find the file specified.
10/4/2011 11:17:26 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.113.570.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7702.0 Error code: 0x80070002 Error description: The system cannot find the file specified.
10/3/2011 11:22:27 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.113.570.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7702.0 Error code: 0x80070002 Error description: The system cannot find the file specified.
10/3/2011 11:17:27 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.113.570.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7702.0 Error code: 0x80070002 Error description: The system cannot find the file specified.
10/2/2011 9:52:48 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.113.570.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7702.0 Error code: 0x80070002 Error description: The system cannot find the file specified.
10/2/2011 9:41:55 AM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
10/2/2011 9:00:57 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.113.570.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7702.0 Error code: 0x80070002 Error description: The system cannot find the file specified.
10/2/2011 8:36:50 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.113.570.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7702.0 Error code: 0x80070002 Error description: The system cannot find the file specified.
10/2/2011 8:24:25 PM, error: NtServicePack [4374] - Windows XP Service Pack 3 installation failed, leaving Windows XP partially updated.
Service Pack 3 installation did not complete.
10/2/2011 8:16:23 PM, error: NtServicePack [4373] - Windows XP Service Pack 3 installation failed.
Access is denied.
10/2/2011 8:01:37 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.113.570.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7702.0 Error code: 0x80070002 Error description: The system cannot find the file specified.
10/2/2011 7:56:37 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.113.570.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7702.0 Error code: 0x80070002 Error description: The system cannot find the file specified.
10/2/2011 6:32:28 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.113.570.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7702.0 Error code: 0x80070002 Error description: The system cannot find the file specified.
10/2/2011 5:15:19 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.113.570.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7702.0 Error code: 0x80070002 Error description: The system cannot find the file specified.
10/2/2011 5:03:09 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.113.570.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7702.0 Error code: 0x80070002 Error description: The system cannot find the file specified.
10/2/2011 4:10:28 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.113.570.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7702.0 Error code: 0x80070002 Error description: The system cannot find the file specified.
10/2/2011 11:22:26 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.113.570.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7702.0 Error code: 0x80070002 Error description: The system cannot find the file specified.
10/2/2011 10:54:21 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.113.570.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7702.0 Error code: 0x80070002 Error description: The system cannot find the file specified.
10/1/2011 8:01:36 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.113.570.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7702.0 Error code: 0x80070002 Error description: The system cannot find the file specified.
10/1/2011 7:56:36 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.113.570.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7702.0 Error code: 0x80070002 Error description: The system cannot find the file specified.
10/1/2011 10:44:26 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.113.570.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7702.0 Error code: 0x80070002 Error description: The system cannot find the file specified.
.
==== End Of File ===========================


GMER.log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-05 19:01:30
Windows 5.1.2600 Service Pack 2 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-17 Hitachi_HDT725025VLA380 rev.V5DOA73A
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\afncapod.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\Owner\LOCALS~1\Temp\aswMBR.sys The system cannot find the file specified. !
? C:\DOCUME~1\Owner\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!CallNextHookEx 77D4ED6E 5 Bytes JMP 0151D5B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 015267BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!DialogBoxParamW 77D56702 5 Bytes JMP 01454315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 01646318 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 0164637B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 016462AD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 01521D31 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 014970D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 0164617E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 016461E0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!DialogBoxIndirectParamA 77D86CED 3 Bytes JMP 016463DE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!DialogBoxIndirectParamA + 4 77D86CF1 1 Byte [89]
.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!MessageBoxIndirectW 77D960B7 3 Bytes JMP 01646242 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!MessageBoxIndirectW + 4 77D960BB 1 Byte [89]
.text C:\Program Files\Internet Explorer\iexplore.exe[1012] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 015274D1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!CallNextHookEx 77D4ED6E 5 Bytes JMP 0151D5B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 015267BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!DialogBoxParamW 77D56702 5 Bytes JMP 01454315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 01646318 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 0164637B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 016462AD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 01521D31 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 014970D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 0164617E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 016461E0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!DialogBoxIndirectParamA 77D86CED 3 Bytes JMP 016463DE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!DialogBoxIndirectParamA + 4 77D86CF1 1 Byte [89]
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!MessageBoxIndirectW 77D960B7 3 Bytes JMP 01646242 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!MessageBoxIndirectW + 4 77D960BB 1 Byte [89]
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 015274D1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!CallNextHookEx 77D4ED6E 5 Bytes JMP 0151D5B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 015267BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!DialogBoxParamW 77D56702 5 Bytes JMP 01454315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 01646318 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 0164637B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 016462AD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 01521D31 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 014970D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 0164617E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 016461E0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!DialogBoxIndirectParamA 77D86CED 3 Bytes JMP 016463DE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!DialogBoxIndirectParamA + 4 77D86CF1 1 Byte [89]
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!MessageBoxIndirectW 77D960B7 3 Bytes JMP 01646242 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] USER32.dll!MessageBoxIndirectW + 4 77D960BB 1 Byte [89]
.text C:\Program Files\Internet Explorer\iexplore.exe[2024] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 015274D1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2132] USER32.dll!CallNextHookEx 77D4ED6E 5 Bytes JMP 0151D5B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2132] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 015267BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2132] USER32.dll!DialogBoxParamW 77D56702 5 Bytes JMP 01454315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2132] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 01646318 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2132] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 0164637B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2132] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 016462AD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2132] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 01521D31 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2132] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 014970D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2132] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 0164617E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2132] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 016461E0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2132] USER32.dll!DialogBoxIndirectParamA 77D86CED 3 Bytes JMP 016463DE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2132] USER32.dll!DialogBoxIndirectParamA + 4 77D86CF1 1 Byte [89]
.text C:\Program Files\Internet Explorer\iexplore.exe[2132] USER32.dll!MessageBoxIndirectW 77D960B7 3 Bytes JMP 01646242 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2132] USER32.dll!MessageBoxIndirectW + 4 77D960BB 1 Byte [89]
.text C:\Program Files\Internet Explorer\iexplore.exe[2132] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 015274D1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2224] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 015267BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2224] USER32.dll!DialogBoxParamW 77D56702 5 Bytes JMP 01454315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2224] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 01646318 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2224] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 0164637B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2224] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 016462AD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2224] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 0164617E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2224] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 016461E0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2224] USER32.dll!DialogBoxIndirectParamA 77D86CED 3 Bytes JMP 016463DE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2224] USER32.dll!DialogBoxIndirectParamA + 4 77D86CF1 1 Byte [89]
.text C:\Program Files\Internet Explorer\iexplore.exe[2224] USER32.dll!MessageBoxIndirectW 77D960B7 3 Bytes JMP 01646242 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2224] USER32.dll!MessageBoxIndirectW + 4 77D960BB 1 Byte [89]
.text C:\Program Files\Internet Explorer\iexplore.exe[3232] USER32.dll!CallNextHookEx 77D4ED6E 5 Bytes JMP 0151D5B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3232] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 015267BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3232] USER32.dll!DialogBoxParamW 77D56702 5 Bytes JMP 01454315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3232] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 01646318 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3232] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 0164637B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3232] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 016462AD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3232] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 01521D31 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3232] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 014970D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3232] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 0164617E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3232] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 016461E0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3232] USER32.dll!DialogBoxIndirectParamA 77D86CED 3 Bytes JMP 016463DE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3232] USER32.dll!DialogBoxIndirectParamA + 4 77D86CF1 1 Byte [89]
.text C:\Program Files\Internet Explorer\iexplore.exe[3232] USER32.dll!MessageBoxIndirectW 77D960B7 3 Bytes JMP 01646242 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3232] USER32.dll!MessageBoxIndirectW + 4 77D960BB 1 Byte [89]
.text C:\Program Files\Internet Explorer\iexplore.exe[3232] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 015274D1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!CallNextHookEx 77D4ED6E 5 Bytes JMP 0151D5B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 015267BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!DialogBoxParamW 77D56702 5 Bytes JMP 01454315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 01646318 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 0164637B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 016462AD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 01521D31 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 014970D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 0164617E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 016461E0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!DialogBoxIndirectParamA 77D86CED 3 Bytes JMP 016463DE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!DialogBoxIndirectParamA + 4 77D86CF1 1 Byte [89]
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!MessageBoxIndirectW 77D960B7 3 Bytes JMP 01646242 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!MessageBoxIndirectW + 4 77D960BB 1 Byte [89]
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 015274D1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!CallNextHookEx 77D4ED6E 5 Bytes JMP 0151D5B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 015267BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!DialogBoxParamW 77D56702 5 Bytes JMP 01454315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 01646318 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 0164637B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 016462AD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 01521D31 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 014970D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 0164617E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 016461E0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!DialogBoxIndirectParamA 77D86CED 3 Bytes JMP 016463DE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!DialogBoxIndirectParamA + 4 77D86CF1 1 Byte [89]
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!MessageBoxIndirectW 77D960B7 3 Bytes JMP 01646242 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] USER32.dll!MessageBoxIndirectW + 4 77D960BB 1 Byte [89]
.text C:\Program Files\Internet Explorer\iexplore.exe[3736] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 015274D1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A6542C8A
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet004\Services\BITS\Parameters@ServiceDll C:\WINDOWS\system32\qmgr.dll
Reg HKLM\SYSTEM\ControlSet004\Services\wuauserv\Parameters@ServiceDll C:\WINDOWS\system32\wuauserv.dll
Reg HKLM\SYSTEM\ControlSet005\Services\BITS\Parameters@ServiceDll C:\WINDOWS\system32\qmgr.dll
Reg HKLM\SYSTEM\ControlSet005\Services\wuauserv\Parameters@ServiceDll C:\WINDOWS\system32\wuauserv.dll
Reg HKLM\SYSTEM\ControlSet006\Services\BITS\Parameters@ServiceDll C:\WINDOWS\system32\qmgr.dll
Reg HKLM\SYSTEM\ControlSet006\Services\wuauserv\Parameters@ServiceDll C:\WINDOWS\system32\wuauserv.dll

---- EOF - GMER 1.0.15 ----







#6 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,515
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 07 October 2011 - 12:50 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

    In your next post I need the following

  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#7 User is offline   MaxRev 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 18-September 11

Posted 07 October 2011 - 06:31 PM

Hello Gringo. Thank you so much for the help!

Following is the Combofix report, and here are some notes:

1) No problems during dounloading and running Combofix. Everything went as you described.
2) Nothing seems to have changed, as far as the computer's symptoms:

a) Extremely slow to connect to the internet at the beginning. After booting up, it takes 3-4 minutes for the internet connection to become available!!

B) Quick to run out of memory needed for certain tasks, such as right-mouse menue, opening several browsers,...etc - even though I increased the Virtual Memory settings last week.

Note: This Smiley face keeps injecting itself here, despite several attempts to remove it. Every time I remove it and repost my reply I see it back again!!! I don't know what to make of this!

c) To comply with your instructions, I did not run Malwarebytes again after the Combofix report. Previously, each Quick scan showed two Registry infections, but could not remove them. I have no reason to believe that that has changed now.

So here's the report:

ComboFix 11-10-07.04 - Owner 10/07/2011 17:37:44.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1505 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\WINDOWS

c:\documents and settings\All Users\Start Menu\Programs\System Recovery

c:\documents and settings\All Users\Start Menu\Programs\System Recovery\Recovery Media Creator.lnk

c:\documents and settings\All Users\Start Menu\Programs\System Recovery\System Recovery.lnk

c:\documents and settings\Default User\WINDOWS

c:\documents and settings\Owner\WINDOWS

c:\windows\system32\_005160_.tmp.dll

c:\windows\system32\_005161_.tmp.dll

c:\windows\system32\_005162_.tmp.dll

c:\windows\system32\_005163_.tmp.dll

c:\windows\system32\_005166_.tmp.dll

c:\windows\system32\_005167_.tmp.dll

c:\windows\system32\_005168_.tmp.dll

c:\windows\system32\_005169_.tmp.dll

c:\windows\system32\_005174_.tmp.dll

c:\windows\system32\_005175_.tmp.dll

c:\windows\system32\_005176_.tmp.dll

c:\windows\system32\_005177_.tmp.dll

c:\windows\system32\_005178_.tmp.dll

c:\windows\system32\_005179_.tmp.dll

c:\windows\system32\_005180_.tmp.dll

c:\windows\system32\_005181_.tmp.dll

c:\windows\system32\_005183_.tmp.dll

c:\windows\system32\_005184_.tmp.dll

c:\windows\system32\_005185_.tmp.dll

c:\windows\system32\_005186_.tmp.dll

c:\windows\system32\_005187_.tmp.dll

c:\windows\system32\_005188_.tmp.dll

c:\windows\system32\_005189_.tmp.dll

c:\windows\system32\_005190_.tmp.dll

c:\windows\system32\_005191_.tmp.dll

c:\windows\system32\_005192_.tmp.dll

c:\windows\system32\_005193_.tmp.dll

c:\windows\system32\_005195_.tmp.dll

c:\windows\system32\_005196_.tmp.dll

c:\windows\system32\_005197_.tmp.dll

c:\windows\system32\_005198_.tmp.dll

c:\windows\system32\_005199_.tmp.dll

c:\windows\system32\_005201_.tmp.dll

c:\windows\system32\_005202_.tmp.dll

c:\windows\system32\_005203_.tmp.dll

c:\windows\system32\_005204_.tmp.dll

c:\windows\system32\_005205_.tmp.dll

c:\windows\system32\_005206_.tmp.dll

c:\windows\system32\_005207_.tmp.dll

c:\windows\system32\_005208_.tmp.dll

c:\windows\system32\_005209_.tmp.dll

c:\windows\system32\_005210_.tmp.dll

c:\windows\system32\_005211_.tmp.dll

c:\windows\system32\_005212_.tmp.dll

c:\windows\system32\_005214_.tmp.dll

c:\windows\system32\_005215_.tmp.dll

c:\windows\system32\_005216_.tmp.dll

c:\windows\system32\_005217_.tmp.dll

c:\windows\system32\_005218_.tmp.dll

c:\windows\system32\_005219_.tmp.dll

c:\windows\system32\_005220_.tmp.dll

c:\windows\system32\_005221_.tmp.dll

c:\windows\system32\_005222_.tmp.dll

c:\windows\system32\_005223_.tmp.dll

c:\windows\system32\_005224_.tmp.dll

c:\windows\system32\_005226_.tmp.dll

c:\windows\system32\_005227_.tmp.dll

c:\windows\system32\_005228_.tmp.dll

c:\windows\system32\_005229_.tmp.dll

c:\windows\system32\_005230_.tmp.dll

c:\windows\system32\_005231_.tmp.dll

c:\windows\system32\_005232_.tmp.dll

c:\windows\system32\_005233_.tmp.dll

c:\windows\system32\_005234_.tmp.dll

c:\windows\system32\_005235_.tmp.dll

c:\windows\system32\_005236_.tmp.dll

c:\windows\system32\_005237_.tmp.dll

c:\windows\system32\_005238_.tmp.dll

c:\windows\system32\_005239_.tmp.dll

c:\windows\system32\_005240_.tmp.dll

c:\windows\system32\_005241_.tmp.dll

c:\windows\system32\_005242_.tmp.dll

c:\windows\system32\_005243_.tmp.dll

c:\windows\system32\_005244_.tmp.dll

c:\windows\system32\_005246_.tmp.dll

c:\windows\system32\_005248_.tmp.dll

c:\windows\system32\_005249_.tmp.dll

c:\windows\system32\_005250_.tmp.dll

c:\windows\system32\_005251_.tmp.dll

c:\windows\system32\_005252_.tmp.dll

c:\windows\system32\_005253_.tmp.dll

c:\windows\system32\_005254_.tmp.dll

c:\windows\system32\_005257_.tmp.dll

c:\windows\system32\_005259_.tmp.dll

c:\windows\system32\_005260_.tmp.dll

c:\windows\system32\_005261_.tmp.dll

c:\windows\system32\_005263_.tmp.dll

c:\windows\system32\_005266_.tmp.dll

c:\windows\system32\_005268_.tmp.dll

c:\windows\system32\_005269_.tmp.dll

c:\windows\system32\_005270_.tmp.dll

c:\windows\system32\_005271_.tmp.dll

c:\windows\system32\_005274_.tmp.dll

c:\windows\system32\_005275_.tmp.dll

c:\windows\system32\_005276_.tmp.dll

c:\windows\system32\_005277_.tmp.dll

c:\windows\system32\_005278_.tmp.dll

c:\windows\system32\_005283_.tmp.dll

c:\windows\system32\_005285_.tmp.dll

c:\windows\system32\_005370_.tmp.dll

c:\windows\system32\config\systemprofile\WINDOWS

c:\windows\system32\d3d9caps.dat

C:\xcrashdump.dat

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_avast!antivirus

-------\Legacy_pcmstub

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

.

.

((((((((((((((((((((((((( Files Created from 2011-09-07 to 2011-10-07 )))))))))))))))))))))))))))))))

.

.

2011-10-07 22:43 . 2011-10-07 22:43 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6D212C90-B292-4D60-A77E-828D4F22D18C}\offreg.dll

2011-10-03 01:16 . 2008-04-14 10:41 16896 ----a-w- c:\windows\system32\SET1396.tmp

2011-10-03 01:16 . 2008-04-14 10:40 177152 ----a-w- c:\windows\system32\SET1375.tmp

2011-10-03 01:15 . 2008-04-14 10:42 80896 ----a-w- c:\windows\system32\SET1355.tmp

2011-10-03 01:15 . 2008-04-14 10:42 354304 ----a-w- c:\windows\system32\SET1358.tmp

2011-10-03 01:15 . 2008-04-14 10:42 121856 ----a-w- c:\windows\system32\SET1349.tmp

2011-10-03 01:15 . 2008-04-14 10:42 1135616 ----a-w- c:\windows\system32\SET134E.tmp

2011-10-03 01:11 . 2008-04-14 10:41 58368 ----a-w- c:\windows\system32\SET5CF.tmp

2011-10-03 01:10 . 2008-04-14 10:42 49664 ----a-w- c:\windows\system32\SET350.tmp

2011-10-03 01:08 . 2006-12-29 05:31 19569 ----a-w- c:\windows\003500_.tmp

2011-10-03 01:06 . 2007-07-27 12:00 58880 ----a-w- c:\windows\system32\dllcache\agentdpv.dll

2011-10-02 21:09 . 2011-10-02 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}

2011-10-01 00:59 . 2011-10-01 00:59 -------- d-----w- c:\program files\PFPortChecker

2011-09-30 12:55 . 2011-09-30 12:55 -------- d-----w- c:\program files\Common Files\Adobe

2011-09-30 12:35 . 2011-06-13 22:31 73728 ----a-w- c:\windows\system32\TOverlay.ax

2011-09-30 12:35 . 2010-09-26 12:54 630784 ----a-w- c:\windows\system32\AxisToolBar.ocx

2011-09-30 12:35 . 2010-09-06 12:17 28672 ----a-w- c:\windows\system32\PCWinSoftPBar.ocx

2011-09-30 12:35 . 2009-09-20 15:02 36864 ----a-w- c:\windows\system32\Sof2FFTPrj.ocx

2011-09-30 12:35 . 2009-09-20 14:44 28672 ----a-w- c:\windows\system32\SpecBarPrj.ocx

2011-09-30 12:35 . 2006-10-11 11:03 420240 ----a-w- c:\windows\system32\mpg4c32.dll

2011-09-30 12:35 . 2004-11-04 17:33 53248 ----a-w- c:\windows\system32\DSTimeStamp.ax

2011-09-30 12:35 . 2002-06-25 10:28 40960 ----a-w- c:\windows\system32\wavdest.ax

2011-09-30 12:35 . 2000-09-20 22:12 126976 ----a-w- c:\windows\system32\ArielColorCtrl.ocx

2011-09-30 12:35 . 2006-10-12 19:30 188416 ----a-w- c:\windows\system32\UScreenCapture.ax

2011-09-30 12:35 . 2000-05-22 05:00 438976 ----a-w- c:\windows\system32\MSHFLXGD.OCX

2011-09-30 12:35 . 2011-10-01 01:50 -------- d-----w- c:\program files\1AVStreamer

2011-09-30 12:34 . 2011-10-01 03:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2011-09-29 23:08 . 2011-09-29 23:08 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PackageAware

2011-09-28 19:11 . 2011-09-28 19:11 -------- d-----w- c:\program files\AutoHotkey

2011-09-27 22:52 . 2011-09-27 22:52 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\CrashRpt

2011-09-27 22:52 . 2011-09-27 22:52 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Procaster

2011-09-27 22:52 . 2011-09-27 22:52 -------- d-----w- c:\program files\Livestream Procaster

2011-09-27 21:54 . 2011-09-27 21:54 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound

2011-09-27 21:54 . 2011-09-27 21:54 -------- d-----w- c:\program files\NCH Swift Sound

2011-09-26 03:12 . 2011-09-26 03:12 -------- d-----w- c:\documents and settings\Owner\Application Data\NCH Software

2011-09-19 12:40 . 2011-09-19 12:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-19 12:40 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-18 18:49 . 2011-09-18 18:49 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-09-18 01:12 . 2011-09-18 01:12 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2011-09-18 01:11 . 2011-09-18 01:16 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\HPAppData

2011-09-17 22:41 . 2011-09-17 22:41 -------- d--h--w- c:\windows\system32\GroupPolicy

2011-09-17 15:24 . 2011-09-17 15:24 -------- d-----w- c:\program files\Common Files\iS3

2011-09-17 15:24 . 2011-09-17 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

2011-09-17 15:01 . 2011-08-16 13:48 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll

2011-09-17 12:52 . 2011-09-17 12:53 -------- dc-h--w- c:\windows\ie8

2011-09-17 12:38 . 2011-09-17 12:38 -------- d-----w- c:\windows\system32\wbem\Repository

2011-09-17 12:38 . 2011-09-17 15:39 -------- d-----w- c:\program files\Microsoft Security Client

2011-09-17 03:09 . 2011-09-17 03:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

2011-09-17 02:36 . 2011-09-17 12:09 -------- d-----w- C:\5d7fe6c27d8a27d474a36cdcc31f

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-12 23:14 . 2011-05-22 06:49 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2010-12-09 12:48 . 2010-12-09 12:48 37794 ----a-w- c:\program files\Uninstal.exe

2001-10-30 19:14 . 2000-12-19 20:36 124416 ----a-w- c:\program files\decks.exe

2000-12-22 16:13 . 2001-01-03 22:18 275968 ----a-w- c:\program files\winamp11.exe

1999-08-31 10:26 . 2001-01-13 13:21 376320 ----a-w- c:\program files\Msvcrtd.dll

1999-04-23 22:22 . 2001-01-23 15:47 176128 ----a-w- c:\program files\COMDLG32.DLL

1998-07-29 18:00 . 2001-01-23 15:49 266293 ----a-w- c:\program files\MSVCRT.DLL

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register NOD32.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Register NOD32.lnk

backup=c:\windows\pss\Register NOD32.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2005-05-03 23:43 69632 ----a-w- c:\windows\Alcmtr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]

2006-10-05 02:38 1818624 ----a-r- c:\windows\mixer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2007-07-27 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-08-27 17:34 136176 ----atw- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2007-09-06 04:13 166424 ----a-w- c:\windows\system32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2007-10-15 02:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]

2002-11-03 22:56 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]

2007-08-22 21:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2007-09-06 04:13 141848 ----a-w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-13 06:40 155648 ----a-w- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2007-09-06 04:13 137752 ----a-w- c:\windows\system32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerPanel Personal Edition User Interaction]

2007-01-11 00:53 262144 ----a-w- c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]

2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2007-08-20 20:38 16384512 ----a-w- c:\windows\RTHDCPL.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2010-12-12 03:02 274608 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\WINDOWS\\system32\\javaw.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\NinjaTrader 6.5\\bin\\NinjaTrader.exe"=

"c:\\Program Files\\NCH Software\\ScreenStream\\screenstream.exe"=

"c:\\Program Files\\1AVStreamer\\1AVStreamer.exe"=

"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=

"%windir%\\system32\\sessmgr.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"4100:UDP"= 4100:UDP:uPNP Router Control Port

.

S1 b7ed4ce0;b7ed4ce0;c:\windows\system32\drivers\b7ed4ce0.sys [7/3/2009 7:46 PM 0]

S1 MpKsl7704f6e0;MpKsl7704f6e0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6D212C90-B292-4D60-A77E-828D4F22D18C}\MpKsl7704f6e0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6D212C90-B292-4D60-A77E-828D4F22D18C}\MpKsl7704f6e0.sys [?]

S1 MpKsl9e0ea756;MpKsl9e0ea756;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3A21C3B1-D244-4A99-B130-9121E8A45D01}\MpKsl9e0ea756.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3A21C3B1-D244-4A99-B130-9121E8A45D01}\MpKsl9e0ea756.sys [?]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys --> c:\windows\system32\drivers\Ambfilt.sys [?]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [7/7/2010 9:05 AM 14904]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2011-01-28 c:\windows\Tasks\doxillionShakeIcon.job

- c:\program files\NCH Software\Doxillion\doxillion.exe [2011-01-25 18:26]

.

2011-10-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-461017567-3565199529-2297019855-1004Core.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-27 17:34]

.

2011-10-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-461017567-3565199529-2297019855-1004UA.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-27 17:34]

.

2011-10-07 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]

.

2011-01-26 c:\windows\Tasks\photopadShakeIcon.job

- c:\program files\NCH Software\PhotoPad\photopad.exe [2011-01-23 18:46]

.

2011-10-07 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-461017567-3565199529-2297019855-1004.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

.

2011-10-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-461017567-3565199529-2297019855-1004.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

.

2011-10-01 c:\windows\Tasks\TradeStation Backup - Weekly.job

- c:\program files\TradeStation 8.6 (Build 2696)\Program\TSBackupRestore.exe [2009-10-12 07:06]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = <local>

IE: Atomic Email Hunter - c:\program files\AtomPark\Atomic Email Hunter\ie.htm

TCP: Interfaces\{7D7DBF66-DF3C-4DB0-BF20-6BE61764BDDD}: NameServer = 68.94.156.1,151.164.8.201

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

.

Notify-TPSvc - TPSvc.dll

AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}\bm_installer.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-07 17:45

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\windows\system32\wuaueng.dll.wusetup.127046.bak 1134592 bytes executable

c:\windows\system32\wups2.dll 44768 bytes executable

c:\windows\system32\wuauclt.exe.wusetup.123468.bak 111104 bytes executable

c:\windows\system32\wuaucpl.cpl.wusetup.125203.bak 162304 bytes executable

.

scan completed successfully

hidden files: 4

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(4080)

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\CyberPower PowerPanel Personal Edition\ppped.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2011-10-07 17:48:24 - machine was rebooted

ComboFix-quarantined-files.txt 2011-10-07 22:48

.

Pre-Run: 196,420,726,784 bytes free

Post-Run: 196,557,185,024 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

Current=1 Default=1 Failed=0 LastKnownGood=8 Sets=1,2,3,4,5,6,8

- - End Of File - - 9B39B3BE48DEA3EC94C606632E24DE7A

This post has been edited by MaxRev: 07 October 2011 - 06:44 PM

#8 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,515
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 07 October 2011 - 08:31 PM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#9 User is offline   MaxRev 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 18-September 11

Posted 07 October 2011 - 08:54 PM

Thanks. That was a very quick scan - only a couple of minutes!

Here's the report:


20:38:08.0718 0516 TDSS rootkit removing tool 2.6.6.0 Oct 7 2011 12:45:24

20:38:09.0250 0516 ============================================================

20:38:09.0250 0516 Current date / time: 2011/10/07 20:38:09.0250

20:38:09.0250 0516 SystemInfo:

20:38:09.0250 0516

20:38:09.0250 0516 OS Version: 5.1.2600 ServicePack: 2.0

20:38:09.0250 0516 Product type: Workstation

20:38:09.0250 0516 ComputerName: YOUR-C5E3B457C6

20:38:09.0250 0516 UserName: Owner

20:38:09.0250 0516 Windows directory: C:\WINDOWS

20:38:09.0250 0516 System windows directory: C:\WINDOWS

20:38:09.0250 0516 Processor architecture: Intel x86

20:38:09.0250 0516 Number of processors: 2

20:38:09.0250 0516 Page size: 0x1000

20:38:09.0250 0516 Boot type: Normal boot

20:38:09.0250 0516 ============================================================

20:38:11.0156 0516 Initialize success

20:38:28.0218 3496 ============================================================

20:38:28.0218 3496 Scan started

20:38:28.0218 3496 Mode: Manual;

20:38:28.0218 3496 ============================================================

20:38:28.0515 3496 Abiosdsk - ok

20:38:28.0546 3496 abp480n5 - ok

20:38:28.0609 3496 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

20:38:28.0625 3496 ACPI - ok

20:38:28.0656 3496 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

20:38:28.0656 3496 ACPIEC - ok

20:38:28.0765 3496 adpu160m - ok

20:38:28.0812 3496 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys

20:38:28.0859 3496 aec - ok

20:38:28.0875 3496 AegisP (15e655baa989444f56787ef558823643) C:\WINDOWS\system32\DRIVERS\AegisP.sys

20:38:28.0890 3496 AegisP - ok

20:38:28.0906 3496 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys

20:38:28.0921 3496 AFD - ok

20:38:29.0031 3496 Aha154x - ok

20:38:29.0062 3496 aic78u2 - ok

20:38:29.0078 3496 aic78xx - ok

20:38:29.0093 3496 AliIde - ok

20:38:29.0109 3496 Ambfilt - ok

20:38:29.0109 3496 amsint - ok

20:38:29.0125 3496 asc - ok

20:38:29.0140 3496 asc3350p - ok

20:38:29.0156 3496 asc3550 - ok

20:38:29.0171 3496 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

20:38:29.0187 3496 AsyncMac - ok

20:38:29.0218 3496 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys

20:38:29.0218 3496 atapi - ok

20:38:29.0218 3496 Atdisk - ok

20:38:29.0250 3496 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

20:38:29.0281 3496 Atmarpc - ok

20:38:29.0421 3496 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

20:38:29.0421 3496 audstub - ok

20:38:29.0453 3496 b7ed4ce0 - ok

20:38:29.0484 3496 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

20:38:29.0484 3496 Beep - ok

20:38:29.0484 3496 catchme - ok

20:38:29.0515 3496 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

20:38:29.0515 3496 cbidf2k - ok

20:38:29.0609 3496 cd20xrnt - ok

20:38:29.0609 3496 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

20:38:29.0609 3496 Cdaudio - ok

20:38:29.0656 3496 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys

20:38:29.0687 3496 Cdfs - ok

20:38:29.0703 3496 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys

20:38:29.0718 3496 Cdrom - ok

20:38:29.0734 3496 Changer - ok

20:38:29.0750 3496 CmdIde - ok

20:38:29.0796 3496 cmpci (6b0e4ae01ca9c32c86b4f0bfca2352bc) C:\WINDOWS\system32\drivers\cmaudio.sys

20:38:29.0812 3496 cmpci - ok

20:38:29.0921 3496 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys

20:38:29.0921 3496 Compbatt - ok

20:38:29.0953 3496 Cpqarray - ok

20:38:29.0968 3496 dac2w2k - ok

20:38:29.0984 3496 dac960nt - ok

20:38:30.0000 3496 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys

20:38:30.0015 3496 Disk - ok

20:38:30.0078 3496 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys

20:38:30.0109 3496 dmboot - ok

20:38:30.0250 3496 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\DRIVERS\dmio.sys

20:38:30.0265 3496 dmio - ok

20:38:30.0296 3496 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

20:38:30.0312 3496 dmload - ok

20:38:30.0328 3496 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys

20:38:30.0343 3496 DMusic - ok

20:38:30.0406 3496 dpti2o - ok

20:38:30.0421 3496 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys

20:38:30.0421 3496 drmkaud - ok

20:38:30.0453 3496 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys

20:38:30.0468 3496 Fastfat - ok

20:38:30.0484 3496 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys

20:38:30.0500 3496 Fdc - ok

20:38:30.0546 3496 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys

20:38:30.0562 3496 Fips - ok

20:38:30.0578 3496 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys

20:38:30.0593 3496 Flpydisk - ok

20:38:30.0609 3496 FltMgr (54fd90f0038f07920cb9fb6591bde82f) C:\WINDOWS\system32\drivers\fltmgr.sys

20:38:30.0625 3496 FltMgr - ok

20:38:30.0656 3496 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

20:38:30.0656 3496 Fs_Rec - ok

20:38:30.0703 3496 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

20:38:30.0703 3496 Ftdisk - ok

20:38:30.0718 3496 gameenum (5f92fd09e5610a5995da7d775eadcd12) C:\WINDOWS\system32\DRIVERS\gameenum.sys

20:38:30.0734 3496 gameenum - ok

20:38:30.0750 3496 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys

20:38:30.0765 3496 Gpc - ok

20:38:30.0828 3496 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

20:38:30.0828 3496 HDAudBus - ok

20:38:30.0890 3496 HidBatt (13c0d55da4b7148ef980e130b85d9f2c) C:\WINDOWS\system32\DRIVERS\HidBatt.sys

20:38:30.0890 3496 HidBatt - ok

20:38:30.0984 3496 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys

20:38:31.0000 3496 HidUsb - ok

20:38:31.0015 3496 hpn - ok

20:38:31.0078 3496 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

20:38:31.0078 3496 HPZid412 - ok

20:38:31.0109 3496 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

20:38:31.0109 3496 HPZipr12 - ok

20:38:31.0218 3496 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

20:38:31.0218 3496 HPZius12 - ok

20:38:31.0250 3496 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys

20:38:31.0250 3496 HTTP - ok

20:38:31.0265 3496 i2omgmt - ok

20:38:31.0281 3496 i2omp - ok

20:38:31.0312 3496 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

20:38:31.0328 3496 i8042prt - ok

20:38:31.0515 3496 ialm (bffa387180121df1e4646c4ced3e16ca) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys

20:38:31.0656 3496 ialm - ok

20:38:31.0796 3496 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys

20:38:31.0812 3496 Imapi - ok

20:38:31.0859 3496 ini910u - ok

20:38:32.0000 3496 IntcAzAudAddService (b1a809e7fe19becd5aca61f0e7088c8c) C:\WINDOWS\system32\drivers\RtkHDAud.sys

20:38:32.0031 3496 IntcAzAudAddService - ok

20:38:32.0140 3496 IntelIde - ok

20:38:32.0203 3496 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys

20:38:32.0218 3496 intelppm - ok

20:38:32.0234 3496 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys

20:38:32.0265 3496 Ip6Fw - ok

20:38:32.0281 3496 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

20:38:32.0281 3496 IpFilterDriver - ok

20:38:32.0421 3496 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys

20:38:32.0437 3496 IpInIp - ok

20:38:32.0468 3496 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys

20:38:32.0484 3496 IpNat - ok

20:38:32.0500 3496 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys

20:38:32.0531 3496 IPSec - ok

20:38:32.0671 3496 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys

20:38:32.0687 3496 IRENUM - ok

20:38:32.0718 3496 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys

20:38:32.0734 3496 isapnp - ok

20:38:32.0750 3496 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

20:38:32.0765 3496 Kbdclass - ok

20:38:32.0875 3496 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

20:38:32.0890 3496 kbdhid - ok

20:38:32.0921 3496 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys

20:38:32.0968 3496 kmixer - ok

20:38:33.0000 3496 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys

20:38:33.0031 3496 KSecDD - ok

20:38:33.0125 3496 lbrtfdc - ok

20:38:33.0156 3496 MBAMSwissArmy - ok

20:38:33.0187 3496 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

20:38:33.0187 3496 mnmdd - ok

20:38:33.0218 3496 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys

20:38:33.0234 3496 Modem - ok

20:38:33.0234 3496 Monfilt - ok

20:38:33.0265 3496 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys

20:38:33.0281 3496 Mouclass - ok

20:38:33.0328 3496 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

20:38:33.0328 3496 mouhid - ok

20:38:33.0421 3496 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys

20:38:33.0453 3496 MountMgr - ok

20:38:33.0468 3496 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys

20:38:33.0468 3496 MpFilter - ok

20:38:33.0546 3496 MpKsl7704f6e0 - ok

20:38:33.0562 3496 MpKsl9e0ea756 - ok

20:38:33.0593 3496 MpKsla767add2 (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{80087275-D307-4035-9FA1-1C4ECBB222AE}\MpKsla767add2.sys

20:38:33.0593 3496 MpKsla767add2 - ok

20:38:33.0703 3496 mraid35x - ok

20:38:33.0765 3496 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

20:38:33.0781 3496 MRxDAV - ok

20:38:33.0796 3496 MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

20:38:33.0828 3496 MRxSmb - ok

20:38:33.0843 3496 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys

20:38:33.0859 3496 Msfs - ok

20:38:33.0968 3496 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys

20:38:33.0984 3496 MSKSSRV - ok

20:38:34.0015 3496 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

20:38:34.0015 3496 MSPCLOCK - ok

20:38:34.0046 3496 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys

20:38:34.0046 3496 MSPQM - ok

20:38:34.0078 3496 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys

20:38:34.0109 3496 Mup - ok

20:38:34.0250 3496 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys

20:38:34.0265 3496 NDIS - ok

20:38:34.0312 3496 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

20:38:34.0328 3496 NdisTapi - ok

20:38:34.0343 3496 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

20:38:34.0359 3496 Ndisuio - ok

20:38:34.0453 3496 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

20:38:34.0500 3496 NdisWan - ok

20:38:34.0515 3496 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys

20:38:34.0531 3496 NDProxy - ok

20:38:34.0578 3496 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys

20:38:34.0593 3496 NetBIOS - ok

20:38:34.0609 3496 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys

20:38:34.0640 3496 NetBT - ok

20:38:34.0671 3496 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys

20:38:34.0687 3496 Npfs - ok

20:38:34.0718 3496 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys

20:38:34.0734 3496 Ntfs - ok

20:38:34.0765 3496 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

20:38:34.0781 3496 Null - ok

20:38:34.0890 3496 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

20:38:34.0890 3496 NwlnkFlt - ok

20:38:34.0921 3496 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

20:38:34.0921 3496 NwlnkFwd - ok

20:38:34.0968 3496 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys

20:38:35.0000 3496 Parport - ok

20:38:35.0078 3496 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

20:38:35.0109 3496 PartMgr - ok

20:38:35.0140 3496 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

20:38:35.0140 3496 ParVdm - ok

20:38:35.0156 3496 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys

20:38:35.0187 3496 PCI - ok

20:38:35.0203 3496 PCIDump - ok

20:38:35.0234 3496 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

20:38:35.0234 3496 PCIIde - ok

20:38:35.0281 3496 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys

20:38:35.0296 3496 Pcmcia - ok

20:38:35.0312 3496 PDCOMP - ok

20:38:35.0312 3496 PDFRAME - ok

20:38:35.0328 3496 PDRELI - ok

20:38:35.0343 3496 PDRFRAME - ok

20:38:35.0343 3496 perc2 - ok

20:38:35.0359 3496 perc2hib - ok

20:38:35.0406 3496 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

20:38:35.0453 3496 PptpMiniport - ok

20:38:35.0546 3496 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys

20:38:35.0578 3496 PSched - ok

20:38:35.0625 3496 PSI (1df21f001f3a94eba4a2950c70cc358f) C:\WINDOWS\system32\DRIVERS\psi_mf.sys

20:38:35.0640 3496 PSI - ok

20:38:35.0656 3496 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

20:38:35.0656 3496 Ptilink - ok

20:38:35.0718 3496 ql1080 - ok

20:38:35.0734 3496 Ql10wnt - ok

20:38:35.0734 3496 ql12160 - ok

20:38:35.0750 3496 ql1240 - ok

20:38:35.0765 3496 ql1280 - ok

20:38:35.0781 3496 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

20:38:35.0781 3496 RasAcd - ok

20:38:35.0828 3496 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

20:38:35.0859 3496 Rasl2tp - ok

20:38:35.0875 3496 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

20:38:35.0906 3496 RasPppoe - ok

20:38:35.0906 3496 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

20:38:35.0906 3496 Raspti - ok

20:38:35.0937 3496 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys

20:38:35.0968 3496 Rdbss - ok

20:38:36.0031 3496 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

20:38:36.0031 3496 RDPCDD - ok

20:38:36.0093 3496 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

20:38:36.0093 3496 rdpdr - ok

20:38:36.0125 3496 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys

20:38:36.0125 3496 RDPWD - ok

20:38:36.0171 3496 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

20:38:36.0203 3496 redbook - ok

20:38:36.0296 3496 RT61 (ef64988c8e699e2481d1fd45bf472ef0) C:\WINDOWS\system32\DRIVERS\RT61.sys

20:38:36.0312 3496 RT61 - ok

20:38:36.0359 3496 RTLE8023xp (badabe0940c01619e8510b90fb314929) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys

20:38:36.0359 3496 RTLE8023xp - ok

20:38:36.0437 3496 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys

20:38:36.0453 3496 Secdrv - ok

20:38:36.0531 3496 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys

20:38:36.0546 3496 serenum - ok

20:38:36.0578 3496 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys

20:38:36.0578 3496 Serial - ok

20:38:36.0625 3496 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\DRIVERS\sfloppy.sys

20:38:36.0625 3496 Sfloppy - ok

20:38:36.0640 3496 Simbad - ok

20:38:36.0656 3496 Sparrow - ok

20:38:36.0671 3496 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys

20:38:36.0687 3496 splitter - ok

20:38:36.0750 3496 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys

20:38:36.0781 3496 sr - ok

20:38:36.0796 3496 Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys

20:38:36.0812 3496 Srv - ok

20:38:36.0859 3496 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

20:38:36.0859 3496 swenum - ok

20:38:36.0890 3496 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

20:38:36.0906 3496 swmidi - ok

20:38:36.0937 3496 symc810 - ok

20:38:36.0937 3496 symc8xx - ok

20:38:36.0953 3496 sym_hi - ok

20:38:36.0968 3496 sym_u3 - ok

20:38:37.0000 3496 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

20:38:37.0031 3496 sysaudio - ok

20:38:37.0093 3496 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys

20:38:37.0125 3496 Tcpip - ok

20:38:37.0156 3496 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

20:38:37.0156 3496 TDPIPE - ok

20:38:37.0187 3496 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

20:38:37.0187 3496 TDTCP - ok

20:38:37.0234 3496 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

20:38:37.0234 3496 TermDD - ok

20:38:37.0296 3496 TosIde - ok

20:38:37.0343 3496 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys

20:38:37.0359 3496 Udfs - ok

20:38:37.0390 3496 ultra - ok

20:38:37.0437 3496 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys

20:38:37.0453 3496 Update - ok

20:38:37.0531 3496 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

20:38:37.0546 3496 usbccgp - ok

20:38:37.0578 3496 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys

20:38:37.0593 3496 usbehci - ok

20:38:37.0609 3496 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

20:38:37.0640 3496 usbhub - ok

20:38:37.0671 3496 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys

20:38:37.0687 3496 usbprint - ok

20:38:37.0734 3496 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys

20:38:37.0734 3496 usbscan - ok

20:38:37.0812 3496 usbstor (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

20:38:37.0812 3496 usbstor - ok

20:38:37.0843 3496 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

20:38:37.0859 3496 usbuhci - ok

20:38:37.0875 3496 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys

20:38:37.0890 3496 VgaSave - ok

20:38:37.0906 3496 ViaIde - ok

20:38:37.0968 3496 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys

20:38:37.0984 3496 VolSnap - ok

20:38:38.0046 3496 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys

20:38:38.0078 3496 Wanarp - ok

20:38:38.0093 3496 WDICA - ok

20:38:38.0109 3496 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys

20:38:38.0140 3496 wdmaud - ok

20:38:38.0218 3496 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

20:38:38.0218 3496 WS2IFSL - ok

20:38:38.0234 3496 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

20:38:38.0328 3496 \Device\Harddisk0\DR0 - ok

20:38:38.0359 3496 MBR (0x1B8) (745d487793b2524e44fcb35bf3dd4742) \Device\Harddisk1\DR1

20:38:38.0359 3496 \Device\Harddisk1\DR1 - ok

20:38:38.0359 3496 Boot (0x1200) (bca1d0f084034a9b7c2dab7ae33ab663) \Device\Harddisk0\DR0\Partition0

20:38:38.0359 3496 \Device\Harddisk0\DR0\Partition0 - ok

20:38:38.0390 3496 Boot (0x1200) (ed5e95e48ea3cb711ab4a7e111e446a0) \Device\Harddisk1\DR1\Partition0

20:38:38.0390 3496 \Device\Harddisk1\DR1\Partition0 - ok

20:38:38.0390 3496 ============================================================

20:38:38.0390 3496 Scan finished

20:38:38.0390 3496 ============================================================

20:38:38.0406 1708 Detected object count: 0

20:38:38.0406 1708 Actual detected object count: 0

#10 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,515
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 07 October 2011 - 09:13 PM

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Adobe Reader 9.4.6

    and click on remove


Update Adobe Reader

    Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

      If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing FoxitReader, be carefull not to install anything to do with AskBar.


Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts


Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files

    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.


TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

    I would like you to rerun MBAM

  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


If you have problems running Hijackthis.

sometimes we have to run it like this To run HijackThis as an administrator,
rightclick HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator

"information and logs"

    In your next post I need the following

    • Log From MBAM
    • report from Hijackthis
    • let me know of any problems you may have had
    • How is the computer doing now?


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#11 User is offline   MaxRev 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 18-September 11

Posted 08 October 2011 - 08:51 AM

OK. Followed all the steps:

1) Uninstalled Adobe reader version 9.4.6 and updated to the new version 10.1.1
2) Updated Java and cleared the Java Cache
3) Run the TFC program

Note: For the first time, the malwarebytes showed NO infections. The two persistant Registry infections have now disappeared.

Having said that, the symptoms of the computer illness are still there:
1) The delay of the availability of Internet connection (3-4 minutes after computer starts).
2) What appears to be a general memory shortage (despite increasing the virtual memory recently)

Here are the malwarebytes and HijackThis reports:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7845

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18372

10/8/2011 7:44:18 AM

mbam-log-2011-10-08 (07-44-18).txt

Scan type: Quick scan

Objects scanned: 182457

Time elapsed: 3 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)



HijackThis:



Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 8:04:27 AM, on 10/8/2011

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18372)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll

O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O8 - Extra context menu item: Atomic Email Hunter - C:\Program Files\AtomPark\Atomic Email Hunter\ie.htm

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Atomic Email Hunter - {491A6C2B-1046-486b-8A8F-7D26BCB79A9B} - C:\Program Files\AtomPark\Atomic Email Hunter\ie.htm (HKCU)

O9 - Extra 'Tools' menuitem: Atomic Email Hunter - {491A6C2B-1046-486b-8A8F-7D26BCB79A9B} - C:\Program Files\AtomPark\Atomic Email Hunter\ie.htm (HKCU)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280857019828

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1280882643609

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7D7DBF66-DF3C-4DB0-BF20-6BE61764BDDD}: NameServer = 68.94.156.1,151.164.8.201

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe

--

End of file - 7011 bytes

#12 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,515
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 08 October 2011 - 11:35 AM

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

      NOTE**You can research each of those lines >here< and see if you want to keep them or not
      just copy the name between the brakets and paste into the search space
      O4 - HKLM\..\Run: [IntelliPoint]



If you have any problems running Hijackthis.

sometimes we have to run it like this To run HijackThis as an administrator,
rightclick HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt

Copy and paste that log as a reply to this topic

Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#13 User is offline   MaxRev 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 18-September 11

Posted 08 October 2011 - 04:23 PM

OK. First run HijackThis with the three mentioned items checked. Then ESET Online scanner. Here is the scan log:


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18372 (longhorn_ie8_rc1(wmbla).090115-0053)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=6bea59ba1499234887849238165dda68
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-10-08 09:03:30
# local_time=2011-10-08 04:03:30 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 70451213 70451213 0 0
# compatibility_mode=5891 16776533 42 88 0 14074730 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=150841
# found=8
# cleaned=0
# scan_time=10035
C:\System Volume Information\_restore{7F87290E-7855-4D96-96EB-9DE86FCFE543}\RP12\A0004890.exe a variant of Win32/InstallCore.C application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{7F87290E-7855-4D96-96EB-9DE86FCFE543}\RP5\A0000236.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{7F87290E-7855-4D96-96EB-9DE86FCFE543}\RP5\A0000237.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{7F87290E-7855-4D96-96EB-9DE86FCFE543}\RP5\A0000238.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{7F87290E-7855-4D96-96EB-9DE86FCFE543}\RP5\A0000239.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{7F87290E-7855-4D96-96EB-9DE86FCFE543}\RP5\A0000240.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{7F87290E-7855-4D96-96EB-9DE86FCFE543}\RP5\A0000241.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{7F87290E-7855-4D96-96EB-9DE86FCFE543}\RP7\A0000333.exe a variant of Win32/InstallCore.C application (unable to clean) 00000000000000000000000000000000 I

#14 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,515
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 08 October 2011 - 04:35 PM

Hello

The Online scan is only reporting backups created during the course of this fix C:\Qoobox\Quarantine\, and/or items located in System Restore's cache C:\System Volume Information\, Whatever is in these folders can't harm you unless you choose to perform a manual restore. the following steps will remove these backups.


Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over you can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use, I would keep this and use before you do any scans or when you want to free up some space.

:DeFogger:

    To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK

    Your Emulation drivers are now re-enabled.



:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • Posted Image



:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.



:Make Firefox more secure:




Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector


:Turn On Automatic Updates:

    Turn On Automatic Updates
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

    or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


:antispyware programs:

I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.

  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often.


Here is some great reading about how to be safer online:




I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#15 User is offline   MaxRev 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 18-September 11

Posted 08 October 2011 - 05:54 PM

Thank you, Grigo for all your help. I've followed these final steps to remove and cleanup the remaining programs.

Since the computer is now clean, what could be the explanation for the delay of the Internet connection after the computer starts?
It's not a big deal, but I'm just wondering!

Regarding antisyware programs, I heard that it is not advisable to have more than one running simultaneously because they interfere with each other. Is that true?

I like the idea of running as many as possible because we know that each works differently and the synergistic effect of all the functions would be greater. Can you shed some light!

I'm currently running Microsoft Security Essentials. What do you think about it, and is it OK to combine it with all these others?

Thanks again!

Share this topic:


  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users