
Was sent here from another forum


  • This topic is locked
15 replies to this topic

#1 bojar

  • Members
  • 14 posts

Posted 05 July 2009 - 05:11 PM

Hi,
My wife's computer got infected by what initially looked like Antivirus System Pro. I tried the initial suggestions for removing it, but after trying mbam to no avail, and then trying DDS with the same results, I was instructed to run RSIT and post the log on this forum. Thanks in advance for your help. Bojar

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-07-05 15:53:05
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 129 GB (87%) free of 148 GB
Total RAM: 447 MB (44% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:53:05 PM, on 7/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\$ISR\0\ISRService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\debug.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: Google Toolbar Helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Dictionary Compression sdch - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: C:\WINDOWS\System32\gsf83iujid.dll - {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - C:\WINDOWS\System32\gsf83iujid.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [profilewatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe
O4 - HKLM\..\Run: [kbd] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [clamwin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [alcxmonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hphupd05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [hphmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [hp component manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\Owner\LOCALS~1\Temp\debug.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.3.8.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: __c0047a55 - C:\WINDOWS\System32\__c0047A55.dat (file missing)
O22 - SharedTaskScheduler: rtasgvfu76ew8ndkfno94 - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\System32\gsf83iujid.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: FirstDefense PC Rescue Service (ISRService) - Horizon DataSys Corporation - C:\$ISR\0\ISRService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 6920 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aa58ed58-01dd-4d91-8333-cf10577473f7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-07-04 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c84d72fe-e17d-4195-bb24-76c02e2e7c4e}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-05-03 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d76ab2a1-00f3-42bd-f434-00bbc39c8953}]
C:\WINDOWS\System32\gsf83iujid.dll - C:\WINDOWS\System32\gsf83iujid.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - HP view - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll [2003-09-03 98304]

{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-07-04 259696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [2002-08-29 145408]
"wcmdmgr"=C:\WINDOWS\wt\updater\wcmdmgrl.exe [2003-09-23 20480]
"profilewatcher"=C:\Program Files\ProfileWatcher\profilewatcher.exe []
"kbd"=C:\HP\KBD\KBD.EXE [2003-02-11 61440]
"clamwin"=C:\Program Files\ClamWin\bin\ClamTray.exe [2008-11-09 86016]
"alcxmonitor"=C:\WINDOWS\ALCXMNTR.EXE [2004-09-07 57344]
"hpsysdrv"=c:\windows\system\hpsysdrv.exe [1998-05-07 52736]
"hphupd05"=c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe [2003-08-21 49152]
"hphmon05"=C:\WINDOWS\System32\hphmon05.exe [2003-08-21 483328]
"hp component manager"=C:\Program Files\HP\hpcoretech\hpcmpmgr.exe [2003-12-22 241664]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows System Recover!"=C:\DOCUME~1\Owner\LOCALS~1\Temp\debug.exe [2009-07-05 16469]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-08-10 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
C:\Program Files\Ares\Ares.exe -h []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\backupnotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe [2004-01-09 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsf7husjnfg98gi498aejhiugjkdg4]
C:\DOCUME~1\Owner\LOCALS~1\Temp\a6lrhqew5l.exe [2009-07-04 15001]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\isr_monitor]
C:\$ISR\$APP\ISRMonitor.exe [2008-05-28 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\isuspm startup]
c:\progra~1\common~1\instal~1\update~1\isuspm.exe [2004-06-16 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ps2]
C:\WINDOWS\system32\ps2.exe [2002-10-16 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task]
C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE [2004-04-13 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\recordnow!]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunjavaupdatesched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe [2005-11-10 36975]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-08-10 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysldtray]
C:\windows\ld12.exe [2009-07-04 31744]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updatemanager]
c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-08-19 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vttimer]
C:\WINDOWS\system32\VTTimer.exe [2005-03-08 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows system recover!]
C:\DOCUME~1\Owner\LOCALS~1\Temp\notepad.exe [2009-07-05 16469]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wltray.exe]
C:\WINDOWS\System32\wltray.exe [2005-03-10 778348]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe reader speed launch.lnk]
C:\PROGRA~1\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"6to4"=2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!saswinlogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-02-10 339968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0047a55]
C:\WINDOWS\System32\__c0047A55.dat []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
rtasgvfu76ew8ndkfno94 - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\System32\gsf83iujid.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableProfileQuota"=1
"DisableRegistryTools"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2009-07-05 15:52:39 ----D---- C:\Program Files\trend micro
2009-07-05 15:52:38 ----D---- C:\rsit
2009-07-05 15:40:31 ----D---- C:\Program Files\SUPERAntiSpyware
2009-07-05 15:40:31 ----D---- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2009-07-05 15:39:58 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-07-05 12:14:08 ----A---- C:\WINDOWS\freddy49.exe
2009-07-05 10:07:48 ----D---- C:\Program Files\CCleaner
2009-07-05 09:40:18 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2009-07-05 08:57:27 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-05 08:57:27 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-07-04 16:51:52 ----D---- C:\Documents and Settings\Owner\Application Data\.clamwin
2009-07-04 16:51:45 ----D---- C:\Program Files\ClamWin
2009-07-04 16:13:09 ----D---- C:\KAV
2009-07-04 15:18:53 ----H---- C:\WINDOWS\pp10.exe
2009-07-04 15:17:02 ----D---- C:\Program Files\drv
2009-07-04 15:16:39 ----A---- C:\WINDOWS\ld12.exe

======List of files/folders modified in the last 1 months======

2009-07-05 15:52:39 ----D---- C:\Program Files
2009-07-05 15:40:35 ----SHD---- C:\WINDOWS\Installer
2009-07-05 15:39:58 ----D---- C:\Program Files\Common Files
2009-07-05 15:39:42 ----RASH---- C:\boot.ini
2009-07-05 15:39:42 ----A---- C:\WINDOWS\win.ini
2009-07-05 15:39:42 ----A---- C:\WINDOWS\system.ini
2009-07-05 15:39:07 ----D---- C:\WINDOWS\Temp
2009-07-05 15:39:04 ----D---- C:\WINDOWS
2009-07-05 15:39:03 ----D---- C:\WINDOWS\wt
2009-07-05 15:39:02 ----D---- C:\WINDOWS\system32
2009-07-05 15:38:58 ----D---- C:\WINDOWS\Debug
2009-07-05 15:34:43 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-05 15:02:27 ----D---- C:\WINDOWS\System32\drivers
2009-07-05 14:19:16 ----D---- C:\WINDOWS\Prefetch
2009-07-05 14:18:47 ----D---- C:\WINDOWS\Help
2009-07-05 11:44:08 ----D---- C:\WINDOWS\pss
2009-07-05 10:13:49 ----D---- C:\WINDOWS\Minidump
2009-07-04 17:56:23 ----SHD---- C:\System Volume Information
2009-07-04 17:56:23 ----D---- C:\WINDOWS\System32\Restore
2009-07-04 16:53:09 ----D---- C:\WINDOWS\System32\CatRoot2
2009-07-04 16:11:59 ----HD---- C:\WINDOWS\inf
2009-07-04 15:45:13 ----D---- C:\Program Files\Mozilla Firefox
2009-07-04 15:18:23 ----RSHDC---- C:\WINDOWS\System32\dllcache
2009-07-04 15:16:58 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-04 15:16:45 ----D---- C:\WINDOWS\System32\wbem
2009-06-14 19:23:19 ----D---- C:\WINDOWS\System32\Macromed

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\System32\drivers\AFS2K.sys [2004-10-07 35840]
R1 drvdrv;drvdrv; \??\C:\Program Files\drv\drv.sys []
R1 SiSkp;SiSkp; C:\WINDOWS\System32\DRIVERS\srvkp.sys [2004-01-02 11520]
R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\System32\DRIVERS\tcpip6.sys [2002-08-29 196288]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\System32\DRIVERS\AegisP.sys [2005-12-26 17801]
R2 MCSTRM;MCSTRM; C:\WINDOWS\System32\drivers\MCSTRM.sys [2007-11-03 8413]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\System32\DRIVERS\AGRSM.sys [2004-01-16 1252940]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
R3 BCM43XX;Belkin 802.11 Network Adapter Driver; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [2005-03-01 371712]
R3 Ps2;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2001-06-04 14112]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2002-08-29 19328]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2002-08-29 51968]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2002-08-29 21760]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2002-08-29 19328]
R3 viagfx;viagfx; C:\WINDOWS\System32\DRIVERS\vtmini.sys [2005-03-08 172544]
S1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2002-08-29 32512]
S2 mrtRate;mrtRate; C:\WINDOWS\System32\drivers\mrtRate.sys []
S3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2003-12-12 391424]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2002-08-29 57344]
S3 Bridge;MAC Bridge; C:\WINDOWS\System32\DRIVERS\bridge.sys [2002-08-29 68864]
S3 BridgeMP;MAC Bridge Miniport; C:\WINDOWS\System32\DRIVERS\bridge.sys [2002-08-29 68864]
S3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\System32\DRIVERS\fetnd5bv.sys [2004-12-16 42496]
S3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\System32\DRIVERS\fetnd5b.sys [2003-11-12 41984]
S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
S3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2002-08-29 9600]
S3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2004-02-10 681469]
S3 mbamswissarmy;MBAMSwissArmy; \??\C:\WINDOWS\System32\drivers\mbamswissarmy.sys []
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2002-08-29 57984]
S3 Pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-19 10368]
S3 rtl8139;Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver; C:\WINDOWS\System32\DRIVERS\R8139n51.SYS [2002-10-04 46976]
S3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2004-01-02 432000]
S3 TfNetMon;TfNetMon; \??\C:\WINDOWS\System32\drivers\TfNetMon.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2002-08-29 15744]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2002-08-29 14208]
S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2002-08-29 69248]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 IntuitUpdateService;Intuit Update Service; C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
R2 ISRService;FirstDefense PC Rescue Service; C:\$ISR\0\ISRService.exe []
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\System32\wdfmgr.exe [2005-01-28 38912]
R2 wltrysvc;Broadcom Wireless LAN Tray Service; C:\WINDOWS\System32\wltrysvc.exe [2005-03-01 65536]
S2 drv;drv; C:\WINDOWS\system32\svchost.exe [2002-08-29 12800]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2002-08-29 250368]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-03 182768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 6to4;6to4; C:\WINDOWS\System32\svchost.exe [2002-08-29 12800]

-----------------EOF-----------------


The location of my original posting http://www.bleepingcomputer.com/forums/t/239033/got-infected-with-antivirus-system-pro/
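A first triage pass over the RSIT/HijackThis log above, as an added example: it is not part of the original post and not a feature of HijackThis or RSIT. The sample lines are copied from the log, plus one constructed process line (a csrss.exe running from the Temp folder, marked in the code) to exercise the core-binary rule. The rules and their weights are this example's own heuristics, not anything the tools emit.

```python
"""Triage of HijackThis / RSIT log lines.

Added example: not part of the original post and not HijackThis or RSIT code.
SAMPLE_LINES are copied from the log above (one constructed line is marked);
the rules and weights are this example's own heuristics.
"""
import re
from collections import defaultdict

# Binaries that on Windows XP legitimately live only under %SystemRoot%\System32.
CORE_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "taskmgr.exe",
}
# Drive-letter path up to the first executable-style extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n\[\]()]*?\.(?:exe|dll|dat|sys|ocx)\b', re.I)
TEMP_RE = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.I)
# RSIT appends "[YYYY-MM-DD size]" to each path; a bare "[]" means it could not stat the file.
RSIT_META_RE = re.compile(r"\[(\d{4}-\d{2}-\d{2}) (\d+)\]\s*$")
POLICY_RE = re.compile(r'"?(DisableRegedit|DisableRegistryTools|NoFolderOptions)"?=1', re.I)

SAMPLE_LINES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe",  # constructed: fake csrss.exe running from Temp
    r"O2 - BHO: C:\WINDOWS\System32\gsf83iujid.dll - {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - C:\WINDOWS\System32\gsf83iujid.dll (file missing)",
    r"O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\Owner\LOCALS~1\Temp\debug.exe",
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O20 - Winlogon Notify: __c0047a55 - C:\WINDOWS\System32\__c0047A55.dat (file missing)",
    r'"Windows System Recover!"=C:\DOCUME~1\Owner\LOCALS~1\Temp\debug.exe [2009-07-05 16469]',
    r"C:\DOCUME~1\Owner\LOCALS~1\Temp\a6lrhqew5l.exe [2009-07-04 15001]",
    r"C:\DOCUME~1\Owner\LOCALS~1\Temp\notepad.exe [2009-07-05 16469]",
    r"2009-07-04 15:16:39 ----A---- C:\WINDOWS\ld12.exe",
    r"R1 drvdrv;drvdrv; \??\C:\Program Files\drv\drv.sys []",
]


def flags_for_path(path):
    """Heuristic (weight, reason) pairs for one file path."""
    out = []
    parent, _, name = path.rpartition("\\")
    name_l, parent_l = name.lower(), parent.lower()
    if TEMP_RE.search(path):
        out.append((3, "auto-start or process image in the user's Temp directory"))
    if name_l in CORE_SYSTEM_BINARIES and not parent_l.endswith("\\system32"):
        out.append((4, f"core system binary name '{name}' outside System32"))
    if re.fullmatch(r"[a-z]:\\windows", parent_l) and name_l.endswith(".exe"):
        out.append((1, "executable directly in the Windows root (review)"))
    return out


def triage(lines):
    """Return [(score, line, [reasons])] for lines that tripped a rule, highest first.

    Also reports distinct Temp-directory filenames that RSIT recorded with the
    same byte size: in this log debug.exe and notepad.exe are both 16469 bytes,
    which suggests one dropper copied under two names."""
    findings = []
    size_to_names = defaultdict(set)
    for line in lines:
        hits = []
        if "(file missing)" in line or line.rstrip().endswith("[]"):
            hits.append((3, "load point references a missing file"))
        m = POLICY_RE.search(line)
        if m:
            hits.append((3, f"user-lockout policy {m.group(1)}=1"))
        meta = RSIT_META_RE.search(line)
        for path in dict.fromkeys(PATH_RE.findall(line)):  # dedupe, keep order
            hits.extend(flags_for_path(path))
            if meta and TEMP_RE.search(path):
                size_to_names[int(meta.group(2))].add(path.rpartition("\\")[2].lower())
        if hits:
            findings.append((sum(w for w, _ in hits), line.strip(), [r for _, r in hits]))
    for size, names in size_to_names.items():
        if len(names) > 1:
            findings.append((2, f"<size {size}>",
                             [f"same size for {sorted(names)} in Temp: likely one dropper renamed"]))
    return sorted(findings, key=lambda f: -f[0])


if __name__ == "__main__":
    for score, line, reasons in triage(SAMPLE_LINES):
        print(f"[{score}] {line}\n      " + "; ".join(reasons))
```

Run as-is to print the ranked findings for the sample. On this log it surfaces the Temp-resident "Windows System Recover!" entry, the missing gsf83iujid.dll and __c0047A55.dat load points, the DisableRegedit lockout, the drv.sys driver with no file behind it, and the debug.exe/notepad.exe same-size pair. It deliberately does not score the `drv` service, whose image path is the legitimate svchost.exe: a path-only triage cannot tell a hijacked service host from a real one, which is why this kind of pass is only a first look before the helpers' ComboFix and GMER steps.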

#2 DocSatan

  • Bleepin' Wanna-Be
  • Members
  • 2,156 posts
  • Gender:Male
  • Location:Boston, Ma.

Posted 12 July 2009 - 10:51 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 bojar

  • Topic Starter
  • Members
  • 14 posts

Posted 12 July 2009 - 01:00 PM

Hi DocSatan,
I already tried dds.scr, but after I double-click it, it'll start up, saying that it's a diagnostic tool... after use discard it, but then it just sits there, doing nothing for as long as I leave it. I also tried to run it in safe mode, but WinXP won't go into safe mode; it just keeps on rebooting. I also keep on getting a message that IE crashed and needed to close, even though I never use IE, nor am I trying to access the internet. Thanks again, Bojar

#4 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 12 July 2009 - 09:14 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    [images: ComboFix Recovery Console prompts]

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    [image: ComboFix prompt after Recovery Console install]
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 bojar

  • Topic Starter
  • Members
  • 14 posts

Posted 13 July 2009 - 09:14 PM

Hi PP,
Thanks a bunch for helping me. Following your instructions, after downloading ComboFix and trying to run it, at first nothing happened. I then renamed it to Hello.exe, but it still just sat there doing nothing. I then disabled AV (ClamWin), still nothing; then I uninstalled Malwarebytes Anti-Malware and then it finally started to work. The report log is included along with the GMER log (which ran fine without a hitch). Hope this makes some sense; looks like there were a few files deleted, and already the computer seems stable. Thanks again for your help, you guys and girls are all awesome for donating your time to help us layfolk. Bojar

ComboFix 09-07-13.01 - Owner 07/13/2009 18:18.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.253 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\Hello.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Owner\LOCALS~1\Temp\csrss.exe
c:\docume~1\Owner\LOCALS~1\Temp\lsass.exe
c:\docume~1\Owner\LOCALS~1\Temp\services.exe
c:\docume~1\Owner\LOCALS~1\Temp\svchost.exe
c:\docume~1\Owner\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\Owner\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\freddy49.exe
c:\windows\Installer\3c99a.msi
c:\windows\Installer\8abe8.msi
c:\windows\ld12.exe
c:\windows\pp10.exe
c:\windows\system32\drivers\9ca4e82e.sys
c:\windows\system32\drivers\UACrssftiqlxwpdqomll.sys
c:\windows\system32\UACavyfumwndjbivkbgr.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjxtetrgaqhkymitto.dll
c:\windows\system32\UACqowkmxfakyfwbigip.dll
c:\windows\system32\UACrdrrkonkhlhgcsyyp.dll
c:\windows\system32\UACwlvpxgcpxypqswelc.dat
c:\windows\system32\wbem\proquota.exe
C:\xcrashdump.dat
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://download.esd.intuit.com
hxxp://www.cnn.com
c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_drv
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_9ca4e82e
-------\Service_drv


((((((((((((((((((((((((( Files Created from 2009-06-14 to 2009-07-14 )))))))))))))))))))))))))))))))
.

2009-07-05 14:57 . 2009-07-05 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-04 22:13 . 2009-07-04 22:13 -------- d-----w- C:\KAV
2009-07-04 21:17 . 2009-07-04 21:17 -------- d-----w- c:\program files\drv

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-14 00:13 . 2009-07-05 14:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-05 21:53 . 2009-07-05 21:52 -------- d-----w- c:\program files\trend micro
2009-07-05 18:14 . 2009-07-05 18:14 1 ---h--w- c:\windows\bf23567.dat
2009-07-05 17:46 . 2009-07-05 20:15 649990 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2009-07-05 16:07 . 2009-07-05 16:07 -------- d-----w- c:\program files\CCleaner
2009-07-05 15:40 . 2009-07-05 15:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-06-12 02:29 . 2008-12-07 16:39 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-02-16 00:59 . 2009-02-16 00:59 23 --sha-w- c:\windows\system32\edacded0_x.dat
2006-12-31 19:05 . 2006-01-24 22:50 900 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2003-10-04 14:54 168192 D999CE17681D7D074D534FC5BC662E0A c:\windows\$NtServicePackUninstall$\ndis.sys
[-] 2003-10-04 14:54 168192 D999CE17681D7D074D534FC5BC662E0A c:\windows\Driver Cache\i386\ndis.sys
[7] 2004-08-04 06:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ndis.sys
[-] 2003-10-04 14:54 168192 D999CE17681D7D074D534FC5BC662E0A c:\windows\system32\dllcache\ndis.sys
[-] 2003-10-04 14:54 168192 D999CE17681D7D074D534FC5BC662E0A c:\windows\system32\drivers\ndis.sys

[7] 2004-08-04 06:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys


[-] 2003-10-22 06:06 32256 41C5F3B926942EBDD35C6BF4154FE5F8 c:\windows\$NtServicePackUninstall$\msgsvc.dll
[7] 2004-08-04 07:56 33792 95FD808E4AC22ABA025A7B3EAC0375D2 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\msgsvc.dll
[-] 2003-10-22 06:06 32256 41C5F3B926942EBDD35C6BF4154FE5F8 c:\windows\system32\msgsvc.dll
[-] 2003-10-22 06:06 32256 41C5F3B926942EBDD35C6BF4154FE5F8 c:\windows\system32\dllcache\msgsvc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-11 68856]
"BackupNotify"="c:\program files\HP\Digital Imaging\bin\backupnotify.exe" [2004-01-09 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wcmdmgr"="c:\windows\wt\updater\wcmdmgrl.exe" [2003-09-24 20480]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"hphupd05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 49152]
"hphmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]
"hp component manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"alcxmonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe reader speed launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"6to4"=2 (0x2)

R1 drvdrv;drvdrv;c:\program files\drv\drv.sys [7/4/2009 3:17 PM 9344]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 ISRService;FirstDefense PC Rescue Service;c:\$isr\0\ISRService.exe []
S0 TfFsMon;TfFsMon;c:\windows\System32\drivers\TfFsMon.sys --> c:\windows\System32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\System32\drivers\TfSysMon.sys --> c:\windows\System32\drivers\TfSysMon.sys [?]
S2 mrtRate;mrtRate; [x]
S3 mbamswissarmy;MBAMSwissArmy;\??\c:\windows\System32\drivers\mbamswissarmy.sys --> c:\windows\System32\drivers\mbamswissarmy.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\System32\drivers\TfNetMon.sys --> c:\windows\System32\drivers\TfNetMon.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-06-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-profilewatcher - c:\program files\ProfileWatcher\profilewatcher.exe
HKLM-Run-kbd - c:\hp\KBD\KBD.EXE
Notify-__c0047a55 - c:\windows\System32\__c0047A55.dat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t9jq5j2.default\
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-13 18:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz]
@DACL=(02 0000)
"NoRun"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\windows\System32\ODBC32.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(740)
c:\windows\system32\dssenh.dll

- - - - - - - > 'explorer.exe'(532)
c:\progra~1\WINDOW~2\wmpband.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wltrysvc.exe
c:\windows\system32\bcmwltry.exe
c:\windows\wt\updater\wcmdmgr.exe
.
**************************************************************************
.
Completion time: 2009-07-14 18:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-14 00:29

Pre-Run: 135,278,997,504 bytes free
Post-Run: 135,366,074,368 bytes free

174


Edited by PropagandaPanda, 14 July 2009 - 08:09 AM.


#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:03 AM

Posted 14 July 2009 - 08:22 AM

Hello.

ComboFix had removed a backdoor infection. This means that sensitive information could have been stolen. I would advise changing the passwords for any accounts that you have accessed with the infected computer, using a clean computer, ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding the prevention of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/239083/was-sent-here-from-another-forum/
    
    Collect::
    c:\program files\drv\drv.sys
    
    Folder::
    c:\program files\drv
    
    File::
    c:\windows\system32\edacded0_x.dat
    c:\windows\bf23567.dat
    
    Driver::
    drvdrv
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

Take a new DDS log afterwards, too. Include the Attach.txt.

Any problems at the moment?

With Regards,
The Panda
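As an added triage example, not code from this thread or from the ComboFix/RSIT tools: a small Python script that reads autostart lines in the shapes shown in the ComboFix log above (the quoted Run entries, the R1/S3 driver and service lines, and the RSIT-style path followed by a `[]` stamp) and flags the entries a helper looks at first: an image running from a Temp folder, an entry whose file had no size/date stamp because it was not found or not verified, or a .sys driver living outside the Windows directory, like the drv.sys the CFScript above asks ComboFix to collect. The sample lines are constructed and modelled on this thread's logs; the heuristics and function names are my own, not anything the helper or the tools define.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input, modelled on the ComboFix "Reg Loading Points",
# driver/service lines and RSIT "startupreg" lines posted in this thread.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-11 68856]
"hphmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]
R1 drvdrv;drvdrv;c:\program files\drv\drv.sys [7/4/2009 3:17 PM 9344]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
S3 mbamswissarmy;MBAMSwissArmy;\??\c:\windows\System32\drivers\mbamswissarmy.sys --> c:\windows\System32\drivers\mbamswissarmy.sys [?]
C:\DOCUME~1\Owner\LOCALS~1\Temp\a6lrhqew5l.exe []
C:\windows\ld12.exe []
C:\Program Files\Ares\Ares.exe -h []
'''

# Trailing "[date size]" / "[]" / "[?]" stamp that both tools append to an entry.
STAMP_RE = re.compile(r"\s*\[(?P<stamp>[^\[\]]*)\]$")
# Any drive-letter path ending in an executable extension.  The LAST match on a
# line is used, so '\??\x --> c:\y' resolves to the on-disk path after '-->'.
PATH_RE = re.compile(r'[A-Za-z]:\\[^\[\]"]*?\.(?:exe|sys|dll|dat)\b', re.IGNORECASE)
NAME_RE = re.compile(r'^"(?P<name>[^"]+)"=')        # "swg"="..."
SVC_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);")   # R1 drvdrv;drvdrv;...


@dataclass
class Entry:
    name: str
    path: str
    stamp: str          # text inside the trailing [...]; "" or "?" means unverified
    flags: list = field(default_factory=list)


def flag_entry(entry):
    """Apply the by-eye heuristics a helper uses when reading these logs (my own choice)."""
    low = entry.path.lower()
    if "\\temp\\" in low:
        entry.flags.append("runs from a Temp folder")
    if entry.stamp in ("", "?"):
        entry.flags.append("no size/date stamp (file missing or not verified)")
    if low.endswith(".sys") and "\\windows\\" not in low:
        entry.flags.append("kernel driver outside the Windows directory")
    return entry


def parse_autostart_lines(text):
    """Return an Entry for every line that carries an image path and a [...] stamp."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        stamp = STAMP_RE.search(line)
        if not stamp:
            continue                                  # blank lines and headings
        paths = PATH_RE.findall(line[:stamp.start()])
        if not paths:
            continue                                  # a [HKEY_...] key line has no image path
        path = paths[-1]                              # last match is the resolved on-disk path
        named = NAME_RE.match(line) or SVC_RE.match(line)
        name = named.group("name") if named else path.rsplit("\\", 1)[-1]
        entries.append(flag_entry(Entry(name, path, stamp.group("stamp"))))
    return entries


def suspicious_entries(text):
    """Only the entries that tripped at least one heuristic, in log order."""
    return [e for e in parse_autostart_lines(text) if e.flags]


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(f"{e.name:<16} {e.path}")
        for f in e.flags:
            print(f"    - {f}")
```

The output is a review list rather than a verdict: the Malwarebytes driver is listed only because ComboFix printed `[?]` for it, which is exactly the kind of hit a helper clears by recognising the vendor path, while the Temp-folder executable and the driver under Program Files are the ones that end up in a CFScript.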

#7 bojar

bojar
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:02:03 AM

Posted 14 July 2009 - 05:49 PM

Hi Panda,
Here is the log ComboFix produced this time.
Thanks again, Bojar

ComboFix 09-07-13.01 - Owner 07/14/2009 16:28.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.176 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

FILE ::
"c:\windows\bf23567.dat"
"c:\windows\system32\edacded0_x.dat"

file zipped: c:\program files\drv\drv.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\drv
c:\program files\drv\drv.dll
c:\program files\drv\drv.sys
c:\windows\bf23567.dat
c:\windows\system32\edacded0_x.dat

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRVDRV
-------\Service_drvdrv


((((((((((((((((((((((((( Files Created from 2009-06-14 to 2009-07-14 )))))))))))))))))))))))))))))))
.

2009-07-05 21:52 . 2009-07-05 21:53 -------- d-----w- c:\program files\trend micro
2009-07-05 21:52 . 2009-07-05 21:55 -------- d-----w- C:\rsit
2009-07-05 16:07 . 2009-07-05 16:07 -------- d-----w- c:\program files\CCleaner
2009-07-05 15:40 . 2009-07-05 15:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-07-05 14:57 . 2009-07-14 00:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-05 14:57 . 2009-07-05 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-04 22:13 . 2009-07-04 22:13 -------- d-----w- C:\KAV

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-05 17:46 . 2009-07-05 20:15 649990 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2009-06-12 02:29 . 2008-12-07 16:39 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2006-12-31 19:05 . 2006-01-24 22:50 900 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2003-10-04 14:54 168192 D999CE17681D7D074D534FC5BC662E0A c:\windows\$NtServicePackUninstall$\ndis.sys
[-] 2003-10-04 14:54 168192 D999CE17681D7D074D534FC5BC662E0A c:\windows\Driver Cache\i386\ndis.sys
[7] 2004-08-04 06:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ndis.sys
[-] 2003-10-04 14:54 168192 D999CE17681D7D074D534FC5BC662E0A c:\windows\system32\dllcache\ndis.sys
[-] 2003-10-04 14:54 168192 D999CE17681D7D074D534FC5BC662E0A c:\windows\system32\drivers\ndis.sys

[7] 2004-08-04 06:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys


[-] 2003-10-22 06:06 32256 41C5F3B926942EBDD35C6BF4154FE5F8 c:\windows\$NtServicePackUninstall$\msgsvc.dll
[7] 2004-08-04 07:56 33792 95FD808E4AC22ABA025A7B3EAC0375D2 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\msgsvc.dll
[-] 2003-10-22 06:06 32256 41C5F3B926942EBDD35C6BF4154FE5F8 c:\windows\system32\msgsvc.dll
[-] 2003-10-22 06:06 32256 41C5F3B926942EBDD35C6BF4154FE5F8 c:\windows\system32\dllcache\msgsvc.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-07-14_00.25.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-12-26 06:02 . 2009-07-14 22:36 2412 c:\windows\wt\wtupdates\wtupdater\appinfo.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-11 68856]
"BackupNotify"="c:\program files\HP\Digital Imaging\bin\backupnotify.exe" [2004-01-09 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wcmdmgr"="c:\windows\wt\updater\wcmdmgrl.exe" [2003-09-24 20480]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"hphupd05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 49152]
"hphmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]
"hp component manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"alcxmonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe reader speed launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"6to4"=2 (0x2)

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 ISRService;FirstDefense PC Rescue Service;c:\$isr\0\ISRService.exe []
S0 TfFsMon;TfFsMon;c:\windows\System32\drivers\TfFsMon.sys --> c:\windows\System32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\System32\drivers\TfSysMon.sys --> c:\windows\System32\drivers\TfSysMon.sys [?]
S2 mrtRate;mrtRate; [x]
S3 mbamswissarmy;MBAMSwissArmy;\??\c:\windows\System32\drivers\mbamswissarmy.sys --> c:\windows\System32\drivers\mbamswissarmy.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\System32\drivers\TfNetMon.sys --> c:\windows\System32\drivers\TfNetMon.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-06-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t9jq5j2.default\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-14 16:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz]
@DACL=(02 0000)
"NoRun"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\System32\ODBC32.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(736)
c:\windows\system32\dssenh.dll

- - - - - - - > 'explorer.exe'(508)
c:\progra~1\WINDOW~2\wmpband.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wltrysvc.exe
c:\windows\system32\bcmwltry.exe
c:\windows\wt\updater\wcmdmgr.exe
.
**************************************************************************
.
Completion time: 2009-07-14 16:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-14 22:39
ComboFix2.txt 2009-07-14 00:29

Pre-Run: 135,318,679,552 bytes free
Post-Run: 135,286,771,712 bytes free

142


Edited by PropagandaPanda, 14 July 2009 - 05:53 PM.


#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:03 AM

Posted 14 July 2009 - 05:59 PM

Hello.

It looks like ComboFix was not able to upload the samples.
  • Open the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/t/239083/was-sent-here-from-another-forum/
  • Click the Browse button. Locate and select the following files:
  • C:\Qoobox\Quarantine\[4]-Submit_2009-**-**@**.**.zip
  • (If more than one file is listed, do one at a time.)
  • Leave the comment section blank.
Please tell me when the file has been uploaded.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select Critical Areas.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

Please take a new RSIT log.

Please also post the contents of this file:
C:\Qoobox\Add-Remove Programs.txt

Any problems at the moment?

With Regards,
The Panda

Edited by PropagandaPanda, 14 July 2009 - 05:59 PM.


#9 bojar

bojar
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:02:03 AM

Posted 14 July 2009 - 06:31 PM

OK PP, the file has been uploaded.
Bojar

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:03 AM

Posted 14 July 2009 - 08:05 PM

Okay. Continue with the other steps when ready.

With Regards,
The Panda

#11 bojar

bojar
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:02:03 AM

Posted 15 July 2009 - 06:22 PM

Hi Panda,
After scanning with the Kaspersky online scan, no malware was found. The other two scan results are attached. Thanks, Bojar

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-07-15 17:13:01
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 129 GB (87%) free of 148 GB
Total RAM: 447 MB (17% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:13:07 PM, on 7/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\$ISR\0\ISRService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wupdmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: Google Toolbar Helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Dictionary Compression sdch - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [alcxmonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hphupd05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [hphmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [hp component manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.3.8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1247661754171
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: FirstDefense PC Rescue Service (ISRService) - Horizon DataSys Corporation - C:\$ISR\0\ISRService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6399 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aa58ed58-01dd-4d91-8333-cf10577473f7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-07-04 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c84d72fe-e17d-4195-bb24-76c02e2e7c4e}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-05-03 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-15 41368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-15 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - HP view - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll [2003-09-03 98304]

{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-07-04 259696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"wcmdmgr"=C:\WINDOWS\wt\updater\wcmdmgrl.exe [2003-09-23 20480]
"alcxmonitor"=C:\WINDOWS\ALCXMNTR.EXE [2004-09-07 57344]
"hpsysdrv"=c:\windows\system\hpsysdrv.exe [1998-05-07 52736]
"hphupd05"=c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe [2003-08-21 49152]
"hphmon05"=C:\WINDOWS\System32\hphmon05.exe [2003-08-21 483328]
"hp component manager"=C:\Program Files\HP\hpcoretech\hpcmpmgr.exe [2003-12-22 241664]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-15 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-08-10 68856]
"BackupNotify"=c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe [2004-01-09 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
C:\Program Files\Ares\Ares.exe -h []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\backupnotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe [2004-01-09 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsf7husjnfg98gi498aejhiugjkdg4]
C:\DOCUME~1\Owner\LOCALS~1\Temp\a6lrhqew5l.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\isr_monitor]
C:\$ISR\$APP\ISRMonitor.exe [2008-05-28 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\isuspm startup]
c:\progra~1\common~1\instal~1\update~1\isuspm.exe [2004-06-16 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ps2]
C:\WINDOWS\system32\ps2.exe [2002-10-16 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task]
C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE [2004-04-13 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunjavaupdatesched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe [2005-11-10 36975]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-08-10 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysldtray]
C:\windows\ld12.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updatemanager]
c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-08-19 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vttimer]
C:\WINDOWS\system32\VTTimer.exe [2005-03-08 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows system recover!]
C:\DOCUME~1\Owner\LOCALS~1\Temp\notepad.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wltray.exe]
C:\WINDOWS\System32\wltray.exe [2005-03-10 778348]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe reader speed launch.lnk]
C:\PROGRA~1\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"6to4"=2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-02-10 339968]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2009-07-15 16:35:12 ----A---- C:\WINDOWS\System32\mucltui.dll.mui
2009-07-15 16:35:12 ----A---- C:\WINDOWS\System32\mucltui.dll
2009-07-15 16:35:10 ----D---- C:\WINDOWS\LastGood
2009-07-15 06:45:34 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2009-07-15 04:18:04 ----A---- C:\WINDOWS\System32\javaws.exe
2009-07-15 04:18:04 ----A---- C:\WINDOWS\System32\javaw.exe
2009-07-15 04:18:04 ----A---- C:\WINDOWS\System32\java.exe
2009-07-15 04:18:04 ----A---- C:\WINDOWS\System32\deploytk.dll
2009-07-14 16:39:37 ----D---- C:\WINDOWS\temp
2009-07-14 16:39:36 ----A---- C:\ComboFix.txt
2009-07-13 18:14:00 ----A---- C:\WINDOWS\zip.exe
2009-07-13 18:14:00 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-07-13 18:14:00 ----A---- C:\WINDOWS\SWSC.exe
2009-07-13 18:14:00 ----A---- C:\WINDOWS\SWREG.exe
2009-07-13 18:14:00 ----A---- C:\WINDOWS\sed.exe
2009-07-13 18:14:00 ----A---- C:\WINDOWS\PEV.exe
2009-07-13 18:14:00 ----A---- C:\WINDOWS\NIRCMD.exe
2009-07-13 18:14:00 ----A---- C:\WINDOWS\grep.exe
2009-07-13 18:13:51 ----D---- C:\WINDOWS\ERDNT
2009-07-13 18:13:46 ----D---- C:\Qoobox
2009-07-05 15:52:39 ----D---- C:\Program Files\trend micro
2009-07-05 15:52:38 ----D---- C:\rsit
2009-07-05 10:07:48 ----D---- C:\Program Files\CCleaner
2009-07-05 09:40:18 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2009-07-05 08:57:27 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-05 08:57:27 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-07-04 16:13:09 ----D---- C:\KAV

======List of files/folders modified in the last 1 months======

2009-07-15 17:13:05 ----D---- C:\WINDOWS\Prefetch
2009-07-15 17:10:25 ----D---- C:\Program Files\Mozilla Firefox
2009-07-15 17:00:31 ----D---- C:\WINDOWS\System32\CatRoot2
2009-07-15 16:35:12 ----D---- C:\WINDOWS\system32
2009-07-15 16:35:10 ----HD---- C:\WINDOWS\inf
2009-07-15 16:35:10 ----D---- C:\WINDOWS
2009-07-15 06:45:33 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-07-15 04:18:33 ----SHD---- C:\WINDOWS\Installer
2009-07-15 04:17:44 ----D---- C:\Program Files\Java
2009-07-14 18:48:50 ----D---- C:\WINDOWS\wt
2009-07-14 18:48:46 ----D---- C:\WINDOWS\Debug
2009-07-14 18:47:52 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-14 16:39:38 ----D---- C:\WINDOWS\System32\drivers
2009-07-14 16:36:27 ----A---- C:\WINDOWS\system.ini
2009-07-14 16:34:04 ----D---- C:\WINDOWS\System32\config
2009-07-14 16:33:35 ----D---- C:\Program Files
2009-07-14 16:32:06 ----D---- C:\WINDOWS\AppPatch
2009-07-14 16:32:01 ----D---- C:\Program Files\Common Files
2009-07-14 16:28:06 ----SHD---- C:\System Volume Information
2009-07-14 16:28:06 ----D---- C:\WINDOWS\System32\Restore
2009-07-13 18:28:14 ----RSHDC---- C:\WINDOWS\System32\dllcache
2009-07-13 18:22:58 ----D---- C:\WINDOWS\System32\wbem
2009-07-13 18:09:51 ----HD---- C:\hp
2009-07-05 15:39:42 ----RASH---- C:\boot.ini
2009-07-05 15:39:42 ----A---- C:\WINDOWS\win.ini
2009-07-05 14:18:47 ----D---- C:\WINDOWS\Help
2009-07-05 11:44:08 ----D---- C:\WINDOWS\pss
2009-07-05 10:13:49 ----D---- C:\WINDOWS\Minidump
2009-07-04 15:16:58 ----HD---- C:\WINDOWS\$hf_mig$

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\System32\drivers\AFS2K.sys [2004-10-07 35840]
R1 SiSkp;SiSkp; C:\WINDOWS\System32\DRIVERS\srvkp.sys [2004-01-02 11520]
R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\System32\DRIVERS\tcpip6.sys [2002-08-29 196288]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\System32\DRIVERS\AegisP.sys [2005-12-26 17801]
R2 MCSTRM;MCSTRM; C:\WINDOWS\System32\drivers\MCSTRM.sys [2007-11-03 8413]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\System32\DRIVERS\AGRSM.sys [2004-01-16 1252940]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
R3 BCM43XX;Belkin 802.11 Network Adapter Driver; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [2005-03-01 371712]
R3 Ps2;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2001-06-04 14112]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2002-08-29 19328]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2002-08-29 51968]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2002-08-29 21760]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2002-08-29 19328]
R3 viagfx;viagfx; C:\WINDOWS\System32\DRIVERS\vtmini.sys [2005-03-08 172544]
S1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2002-08-29 32512]
S2 mrtRate;mrtRate; C:\WINDOWS\System32\drivers\mrtRate.sys []
S3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2003-12-12 391424]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2002-08-29 57344]
S3 Bridge;MAC Bridge; C:\WINDOWS\System32\DRIVERS\bridge.sys [2002-08-29 68864]
S3 BridgeMP;MAC Bridge Miniport; C:\WINDOWS\System32\DRIVERS\bridge.sys [2002-08-29 68864]
S3 catchme;catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys []
S3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\System32\DRIVERS\fetnd5bv.sys [2004-12-16 42496]
S3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\System32\DRIVERS\fetnd5b.sys [2003-11-12 41984]
S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
S3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2002-08-29 9600]
S3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2004-02-10 681469]
S3 mbamswissarmy;MBAMSwissArmy; \??\C:\WINDOWS\System32\drivers\mbamswissarmy.sys []
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2002-08-29 57984]
S3 Pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-19 10368]
S3 rtl8139;Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver; C:\WINDOWS\System32\DRIVERS\R8139n51.SYS [2002-10-04 46976]
S3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2004-01-02 432000]
S3 TfNetMon;TfNetMon; \??\C:\WINDOWS\System32\drivers\TfNetMon.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2002-08-29 15744]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2002-08-29 14208]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 IntuitUpdateService;Intuit Update Service; C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
R2 ISRService;FirstDefense PC Rescue Service; C:\$ISR\0\ISRService.exe []
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-15 152984]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\System32\wdfmgr.exe [2005-01-28 38912]
R2 wltrysvc;Broadcom Wireless LAN Tray Service; C:\WINDOWS\System32\wltrysvc.exe [2005-03-01 65536]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2002-08-29 250368]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-03 182768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 6to4;6to4; C:\WINDOWS\System32\svchost.exe [2002-08-29 12800]

-----------------EOF-----------------

Edited by PropagandaPanda, 16 July 2009 - 08:55 AM.


#12 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 16 July 2009 - 09:00 AM

Hello.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.

Do not use the NTREGOPT that comes with the installation package.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. If you are using Windows Vista, right click the icon and select "Run As Administrator." Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes only if you are using Windows XP. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished, you may remove ERUNT using Add/Remove Programs.

Apply Registry Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    REGEDIT4
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsf7husjnfg98gi498aejhiugjkdg4]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ps2]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysldtray]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows system recover!]
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.reg
  • Hit OK.
When done properly, the icon should look like Posted Image.

Double click fix.reg and answer Yes to the prompts. You should receive the message that the entries have been successfully merged. If not, post back with the error message.

Delete fix.reg after use.

Update Java to Version 6 Update 14
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer here. Choose "Windows".

Delete the installer after use.

Take a new RSIT log after. Any problems?

With Regards,
The Panda
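
A small triage script, added here as an example and not part of RSIT or the helper's instructions: it parses the startupreg entries in the format RSIT prints above, flags the ones a responder would look at first (no file date/size recorded, runs from a Temp folder, a Windows system binary name outside the Windows directory), and emits a REGEDIT4 removal script of the same shape as the fix.reg above. The heuristics, the SYSTEM_BINARY_NAMES set and the constructed sample log are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the RSIT "Registry dump" format in the logs above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunjavaupdatesched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe [2005-11-10 36975]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysldtray]
C:\windows\ld12.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows system recover!]
C:\DOCUME~1\Owner\LOCALS~1\Temp\notepad.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vttimer]
C:\WINDOWS\system32\VTTimer.exe [2005-03-08 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"6to4"=2
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")        # [HKEY_...\key]
VALUE_RE = re.compile(r"^(.+?) \[([^\]]*)\]$")      # <path> [<date> <size>]  or  <path> []
STARTUPREG = "\\msconfig\\startupreg\\"             # only these keys are startup entries

# Assumed heuristics: where a benign copy of these binaries lives, and which
# names have no business starting from anywhere else (e.g. a user Temp folder).
SYSTEM_DIRS = ("c:\\windows", "c:\\windows\\system32")
SYSTEM_BINARY_NAMES = {"notepad.exe", "svchost.exe", "explorer.exe", "winlogon.exe"}


@dataclass
class StartupEntry:
    key: str                     # full registry key exactly as RSIT prints it
    path: str                    # executable the entry launches
    meta: str                    # "YYYY-MM-DD size", or "" when RSIT found no file info
    reasons: list = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.key.rsplit("\\", 1)[-1]


def parse_startupreg(log_text: str) -> list:
    """Return one StartupEntry per [...\\msconfig\\startupreg\\<name>] block."""
    entries, current_key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            current_key = key if STARTUPREG in key.lower() else None
            continue
        if current_key is None or not line:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append(StartupEntry(current_key, m.group(1), m.group(2)))
        current_key = None       # one value line per startupreg key
    return entries


def reasons_for(entry: StartupEntry) -> list:
    """Defender-side triage: reasons this entry deserves a closer look (empty = none)."""
    low = entry.path.lower()
    directory, _, basename = low.rpartition("\\")
    reasons = []
    if entry.meta == "":
        reasons.append("no file date/size recorded: file missing or unreadable")
    if "\\temp\\" in low:
        reasons.append("runs from a temporary directory")
    if basename in SYSTEM_BINARY_NAMES and directory not in SYSTEM_DIRS:
        reasons.append(f"{basename} located outside the Windows directory")
    return reasons


def suspicious(entries: list) -> list:
    """Annotate every entry with its reasons and return only the flagged ones."""
    flagged = []
    for e in entries:
        e.reasons = reasons_for(e)
        if e.reasons:
            flagged.append(e)
    return flagged


def removal_script(entries: list) -> str:
    """REGEDIT4 script of the same shape as fix.reg: a leading '-' deletes the key."""
    lines = ["REGEDIT4", ""] + [f"[-{e.key}]" for e in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = suspicious(parse_startupreg(SAMPLE_LOG))
    for e in flagged:
        print(f"{e.name}: {e.path}  <- {'; '.join(e.reasons)}")
    print()
    print(removal_script(flagged), end="")
```

Review the flagged list by hand before merging anything: the script only ranks entries for a human, it does not decide for one.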

#13 bojar

  • Topic Starter

  • Members
  • 14 posts

Posted 16 July 2009 - 06:57 PM

Hi Panda,
Although this computer is now much more stable, I still seem to have some problems with the operating system. When I try to run Windows Update, IE (which it insists it must have) crashes. When I try to install the latest Internet Explorer, during the installation process I get a message:
"The procedure entry point SHRegGetValueW could not be located in the dynamic link library SHLWAPI.dll." Also, when I try to install Kaspersky AV I get a message that Windows XP SP2 or higher is required to install this application. But I already have SP2 on this computer. My problem is compounded by the fact that this computer came preloaded with Windows, and my wife doesn't remember seeing a Windows installation CD. I have a Windows XP Professional CD, but that won't work on hers, or will it?

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-07-16 16:42:35
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 128 GB (87%) free of 148 GB
Total RAM: 447 MB (20% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:42:43 PM, on 7/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\$ISR\0\ISRService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Owner.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: FirstDefense PC Rescue Service (ISRService) - Horizon DataSys Corporation - C:\$ISR\0\ISRService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6481 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aa58ed58-01dd-4d91-8333-cf10577473f7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-07-04 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll [2009-07-15 669168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c84d72fe-e17d-4195-bb24-76c02e2e7c4e}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-05-03 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-16 41368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-16 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - HP view - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll [2003-09-03 98304]

{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-07-04 259696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"wcmdmgr"=C:\WINDOWS\wt\updater\wcmdmgrl.exe [2003-09-23 20480]
"alcxmonitor"=C:\WINDOWS\ALCXMNTR.EXE [2004-09-07 57344]
"hpsysdrv"=c:\windows\system\hpsysdrv.exe [1998-05-07 52736]
"hphupd05"=c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe [2003-08-21 49152]
"hphmon05"=C:\WINDOWS\System32\hphmon05.exe [2003-08-21 483328]
"hp component manager"=C:\Program Files\HP\hpcoretech\hpcmpmgr.exe [2003-12-22 241664]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-16 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-08-10 68856]
"BackupNotify"=c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe [2004-01-09 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\backupnotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe [2004-01-09 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\isr_monitor]
C:\$ISR\$APP\ISRMonitor.exe [2008-05-28 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\isuspm startup]
c:\progra~1\common~1\instal~1\update~1\isuspm.exe [2004-06-16 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task]
C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE [2004-04-13 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunjavaupdatesched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-08-10 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updatemanager]
c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-08-19 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vttimer]
C:\WINDOWS\system32\VTTimer.exe [2005-03-08 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wltray.exe]
C:\WINDOWS\System32\wltray.exe [2005-03-10 778348]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe reader speed launch.lnk]
C:\PROGRA~1\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"6to4"=2

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-02-10 339968]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2009-07-16 16:39:44 ----A---- C:\WINDOWS\System32\javaws.exe
2009-07-16 16:39:44 ----A---- C:\WINDOWS\System32\javaw.exe
2009-07-16 16:39:43 ----A---- C:\WINDOWS\System32\java.exe
2009-07-16 16:26:47 ----SHD---- C:\RECYCLER
2009-07-16 16:20:58 ----D---- C:\Program Files\ERUNT
2009-07-15 16:35:12 ----A---- C:\WINDOWS\System32\mucltui.dll.mui
2009-07-15 16:35:12 ----A---- C:\WINDOWS\System32\mucltui.dll
2009-07-15 06:45:34 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2009-07-15 04:18:04 ----A---- C:\WINDOWS\System32\deploytk.dll
2009-07-14 16:39:37 ----D---- C:\WINDOWS\temp
2009-07-14 16:39:36 ----A---- C:\ComboFix.txt
2009-07-13 18:14:00 ----A---- C:\WINDOWS\zip.exe
2009-07-13 18:14:00 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-07-13 18:14:00 ----A---- C:\WINDOWS\SWSC.exe
2009-07-13 18:14:00 ----A---- C:\WINDOWS\SWREG.exe
2009-07-13 18:14:00 ----A---- C:\WINDOWS\sed.exe
2009-07-13 18:14:00 ----A---- C:\WINDOWS\PEV.exe
2009-07-13 18:14:00 ----A---- C:\WINDOWS\NIRCMD.exe
2009-07-13 18:14:00 ----A---- C:\WINDOWS\grep.exe
2009-07-13 18:13:51 ----D---- C:\WINDOWS\ERDNT
2009-07-13 18:13:46 ----D---- C:\Qoobox
2009-07-05 15:52:39 ----D---- C:\Program Files\trend micro
2009-07-05 15:52:38 ----D---- C:\rsit
2009-07-05 10:07:48 ----D---- C:\Program Files\CCleaner
2009-07-05 09:40:18 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2009-07-05 08:57:27 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-05 08:57:27 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-07-04 16:13:09 ----D---- C:\KAV

======List of files/folders modified in the last 1 months======

2009-07-16 16:40:23 ----D---- C:\Program Files\Mozilla Firefox
2009-07-16 16:39:44 ----D---- C:\WINDOWS\system32
2009-07-16 16:39:15 ----SHD---- C:\WINDOWS\Installer
2009-07-16 16:38:10 ----D---- C:\WINDOWS\Prefetch
2009-07-16 16:36:48 ----D---- C:\WINDOWS\wt
2009-07-16 16:36:48 ----D---- C:\WINDOWS
2009-07-16 16:36:44 ----D---- C:\WINDOWS\Debug
2009-07-16 16:35:56 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-16 16:33:09 ----D---- C:\Program Files\Common Files
2009-07-16 16:20:58 ----D---- C:\Program Files
2009-07-15 17:00:31 ----D---- C:\WINDOWS\System32\CatRoot2
2009-07-15 16:35:10 ----HD---- C:\WINDOWS\inf
2009-07-15 06:45:33 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-07-15 04:17:44 ----D---- C:\Program Files\Java
2009-07-14 16:39:38 ----D---- C:\WINDOWS\System32\drivers
2009-07-14 16:36:27 ----A---- C:\WINDOWS\system.ini
2009-07-14 16:34:04 ----D---- C:\WINDOWS\System32\config
2009-07-14 16:32:06 ----D---- C:\WINDOWS\AppPatch
2009-07-14 16:28:06 ----SHD---- C:\System Volume Information
2009-07-14 16:28:06 ----D---- C:\WINDOWS\System32\Restore
2009-07-13 18:28:14 ----RSHDC---- C:\WINDOWS\System32\dllcache
2009-07-13 18:22:58 ----D---- C:\WINDOWS\System32\wbem
2009-07-13 18:09:51 ----HD---- C:\hp
2009-07-05 15:39:42 ----RASH---- C:\boot.ini
2009-07-05 15:39:42 ----A---- C:\WINDOWS\win.ini
2009-07-05 14:18:47 ----D---- C:\WINDOWS\Help
2009-07-05 11:44:08 ----D---- C:\WINDOWS\pss
2009-07-05 10:13:49 ----D---- C:\WINDOWS\Minidump
2009-07-04 15:16:58 ----HD---- C:\WINDOWS\$hf_mig$

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\System32\drivers\AFS2K.sys [2004-10-07 35840]
R1 SiSkp;SiSkp; C:\WINDOWS\System32\DRIVERS\srvkp.sys [2004-01-02 11520]
R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\System32\DRIVERS\tcpip6.sys [2002-08-29 196288]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\System32\DRIVERS\AegisP.sys [2005-12-26 17801]
R2 MCSTRM;MCSTRM; C:\WINDOWS\System32\drivers\MCSTRM.sys [2007-11-03 8413]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\System32\DRIVERS\AGRSM.sys [2004-01-16 1252940]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
R3 BCM43XX;Belkin 802.11 Network Adapter Driver; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [2005-03-01 371712]
R3 Ps2;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2001-06-04 14112]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2002-08-29 19328]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2002-08-29 51968]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2002-08-29 19328]
R3 viagfx;viagfx; C:\WINDOWS\System32\DRIVERS\vtmini.sys [2005-03-08 172544]
S1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2002-08-29 32512]
S2 mrtRate;mrtRate; C:\WINDOWS\System32\drivers\mrtRate.sys []
S3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2003-12-12 391424]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2002-08-29 57344]
S3 Bridge;MAC Bridge; C:\WINDOWS\System32\DRIVERS\bridge.sys [2002-08-29 68864]
S3 BridgeMP;MAC Bridge Miniport; C:\WINDOWS\System32\DRIVERS\bridge.sys [2002-08-29 68864]
S3 catchme;catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys []
S3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\System32\DRIVERS\fetnd5bv.sys [2004-12-16 42496]
S3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\System32\DRIVERS\fetnd5b.sys [2003-11-12 41984]
S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
S3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2002-08-29 9600]
S3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2004-02-10 681469]
S3 mbamswissarmy;MBAMSwissArmy; \??\C:\WINDOWS\System32\drivers\mbamswissarmy.sys []
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2002-08-29 57984]
S3 Pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-19 10368]
S3 rtl8139;Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver; C:\WINDOWS\System32\DRIVERS\R8139n51.SYS [2002-10-04 46976]
S3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2004-01-02 432000]
S3 TfNetMon;TfNetMon; \??\C:\WINDOWS\System32\drivers\TfNetMon.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2002-08-29 15744]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2002-08-29 14208]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2002-08-29 21760]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 IntuitUpdateService;Intuit Update Service; C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
R2 ISRService;FirstDefense PC Rescue Service; C:\$ISR\0\ISRService.exe []
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-16 152984]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\System32\wdfmgr.exe [2005-01-28 38912]
R2 wltrysvc;Broadcom Wireless LAN Tray Service; C:\WINDOWS\System32\wltrysvc.exe [2005-03-01 65536]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2002-08-29 250368]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-03 182768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 6to4;6to4; C:\WINDOWS\System32\svchost.exe [2002-08-29 12800]

-----------------EOF-----------------

Attached Files

  • Attached File  log.txt   20.66KB   12 downloads

Edited by PropagandaPanda, 17 July 2009 - 07:34 AM.


#14 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 17 July 2009 - 08:22 AM

Hello.

Let's try installing SP3.

Create New System Restore Point
We'll create a backup before continuing.
  • Click on your Start Menu -> Run. Type into the Run box:
    %systemroot%\system32\restore\rstrui.exe
  • In the System Restore, select Create a restore point.
  • Give the Restore Point a name and click Create.
  • You should see a success message. Exit the System Restore.
Please download the SP3 installation package from here. (I know it says not for single machines, but Windows Update is not working for you.)

Run the installer.

Tell me how it goes. Take a new RSIT log after.

With Regards,
The Panda

#15 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 20 July 2009 - 12:07 PM

Hello.

PP is away, as said in his signature, so I will continue to help you here.

Please follow his instructions in his last reply. Also, provide a description of any remaining problems in your next reply.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.
