Error Messages on Boot XP-SP2-Ran HiJackThis


  • This topic is locked
28 replies to this topic

#1 ummagumma

ummagumma

  • Members
  • 28 posts
  • Gender:Male
  • Location:In the mountains of Kentucky......

Posted 12 October 2010 - 01:14 PM

I am running MS XP Home Edition Version 2002 SP2 on Dell Dimension DIM9100 Intel P4 3.00GHz 2.99GHz, 1.00 Ram

Also, the sound (.wav) in Sounds was turned all the way down. I used Ad-Aware free and Spybot today because all of a sudden, after rebooting today, when Windows loads (every time it loads now) I got 2 error messages:

ERROR LOADING C:\windows\msadmsl.dll and ERROR LOADING C:\windows\unsceapp.exe

I did a search on the msadmsl.dll and could not find it listed on any site so now I'm here. So I ran the latest edition of HiJackThis.

I have used HiJackThis for years but moved to an area where I did not have internet until a few weeks ago. I ran HiJackThis and found lots of entries I have never seen and also got something I have never seen HiJackThis do. I use Sygate as a firewall and it popped up this after I ran HijackThis and opened Firefox:

Application has changed since the last time you opened it, process id: 3688
Filename: C:\Program Files\Mozilla Firefox\firefox.exe

---- Modules changed: 0 ----
---- New modules: 1 ----
C:\WINDOWS\system32\icm32.dll

I apologize if I did not list everything needed in this post; I read the rules and hope I did this correctly. Any help would be greatly appreciated.

I did not save a Spybot log but here is what it found and fixed:

FunWebProducts, Virtumonde.prx, MyWay.MyWayWebSearch and MyWebSearch.

Here is the HiJackThis log file and others I think may be important:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:30:19 PM, on 10/7/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HiJackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.torrentreactor.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - (no file)
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Prolific_OneButton] C:\Program Files\USBFast\OneBtn.exe
O4 - HKCU\..\Run: [DAEMON Tools Net Agent] "C:\Program Files\DAEMON Tools Net\DTAgent.exe" -autorun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll (file missing)
O9 - Extra 'Tools' menuitem: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AAWXVARY - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Kory\LOCALS~1\Temp\AAWXVARY.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: ASRSPIIL - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Kory\LOCALS~1\Temp\ASRSPIIL.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DTNetService - DT Soft Ltd - C:\Program Files\DAEMON Tools Net\DTNetSrv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: JUCGIRGI - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Kory\LOCALS~1\Temp\JUCGIRGI.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MCGEAZT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Kory\LOCALS~1\Temp\MCGEAZT.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

Ad-Aware log:

Logfile created: 10/7/2010 10:30:08
Ad-Aware version: 8.3.4
Extended engine: 3
Extended engine version: 3.1.2770
User performing scan: Kory

*********************** Definitions database information ***********************
Lavasoft definition file: 150.115
Genotype definition file version: 2010/10/07 07:43:29
Extended engine definition file: 7006.0

******************************** Scan results: *********************************
Scan profile name: Smart Scan (ID: smart)
Objects scanned: 15537
Objects detected: 3


Type Detected
==========================
Processes.......: 1
Registry entries: 0
Hostfile entries: 0
Files...........: 2
Folders.........: 0
LSPs............: 0
Cookies.........: 0
Browser hijacks.: 0
MRU objects.....: 0



Quarantined items:
Description: c:\windows\acupavuro.dll Family Name: Win32.TrojanDownloader.Mufanom/A Engine: 1 Clean status: Success Item ID: 0 Family ID: 0
Description: c:\documents and settings\kory\application data\iryzx\daok.exe Family Name: Trojan-Spy.Win32.Zbot.apcx (v) Engine: 3 Clean status: Success Item ID: 2 Family ID: 0 MD5: 15ca7e27153ea7ce95d5a0181d70f6bd
Description: c:\windows\acupavuro.dll Family Name: Trojan.Win32.Hiloti.ba (v) Engine: 3 Clean status: Reboot required Item ID: 1 Family ID: 0 MD5: 959aeddb1e8672bc00ae67db7b3592e5

Scan and cleaning complete: Finished correctly after 620 seconds

*********************************** Settings ***********************************

Scan profile:
ID: smart, enabled:1, value: Smart Scan
ID: folderstoscan, enabled:1, value:
ID: useantivirus, enabled:1, value: true
ID: sections, enabled:1
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: false
ID: scanhostsfile, enabled:1, value: false
ID: scanmru, enabled:1, value: false
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: filescanningoptions, enabled:1
ID: archives, enabled:1, value: false
ID: onlyexecutables, enabled:1, value: true
ID: skiplargerthan, enabled:1, value: 20480
ID: scanrootkits, enabled:1, value: true
ID: rootkitlevel, enabled:1, value: mild, domain: medium,mild,strict
ID: usespywareheuristics, enabled:1, value: true

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: N/A

Scheduled scan settings:
<Empty>

Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: off, domain: normal,off,silently
ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily1, enabled:1, value: Daily 1
ID: time, enabled:1, value: Thu Oct 07 10:26:00 2010
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updatedaily2, enabled:1, value: Daily 2
ID: time, enabled:1, value: Thu Oct 07 16:26:00 2010
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updatedaily3, enabled:1, value: Daily 3
ID: time, enabled:1, value: Thu Oct 07 22:26:00 2010
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updatedaily4, enabled:1, value: Daily 4
ID: time, enabled:1, value: Thu Oct 07 04:26:00 2010
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly1, enabled:1, value: Weekly
ID: time, enabled:1, value: Thu Oct 07 10:26:00 2010
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: true
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: true
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: autoentertainmentmode, enabled:1, value: true
ID: guimode, enabled:1, value: mode_simple, domain: mode_advanced,mode_simple
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
ID: layers, enabled:1
ID: useantivirus, enabled:1, value: true
ID: usespywareheuristics, enabled:1, value: true
ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant
ID: modules, enabled:1
ID: processprotection, enabled:1, value: true
ID: onaccessprotection, enabled:1, value: false
ID: registryprotection, enabled:1, value: true
ID: networkprotection, enabled:1, value: true


****************************** System information ******************************
Computer name: SASQUATCH
Processor name: Intel® Pentium® 4 CPU 3.00GHz
Processor identifier: x86 Family 15 Model 4 Stepping 3
Processor speed: ~2992MHZ
Raw info: processorarchitecture 0, processortype 586, processorlevel 15, processor revision 1027, number of processors 2, processor features: [MMX,SSE,SSE2]
Physical memory available: 536977408 bytes
Physical memory total: 1071738880 bytes
Virtual memory available: 1886953472 bytes
Virtual memory total: 2147352576 bytes
Memory load: 49%
Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Windows startup mode:

Running processes:
PID: 588 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 648 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 672 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 716 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 728 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 948 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1032 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1076 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1124 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1216 name: C:\Program Files\Sygate\SPF\smc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1236 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1268 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 608 name: C:\WINDOWS\Explorer.EXE owner: Kory domain: SASQUATCH
PID: 624 name: C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe owner: SYSTEM domain: NT AUTHORITY
PID: 956 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2012 name: C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe owner: Kory domain: SASQUATCH
PID: 2988 name: C:\Program Files\Trend Micro\Internet Security\TmProxy.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3508 name: C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3644 name: C:\Program Files\Trend Micro\BM\TMBMSRV.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3908 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3892 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2972 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3120 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 824 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Kory domain: SASQUATCH

Startup items:
Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
imagepath: Browseui preloader
Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
imagepath: Component Categories cache daemon
Name: IAAnotif
imagepath: C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
Name: UfSeAgnt.exe
imagepath: "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
Name: CanonMyPrinter
imagepath: C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
Name: CanonSolutionMenu
imagepath: C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
Name: IntelliPoint
imagepath: "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
Name: SmcService
imagepath: C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
Name: Djako
imagepath: rundll32.exe "C:\WINDOWS\acupavuro.dll",Startup
Name: Prolific_OneButton
imagepath: C:\Program Files\USBFast\OneBtn.exe
Name: PostBootReminder
imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
Name: CDBurn
imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
Name: WebCheck
imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: SysTray
imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
Name: WPDShServiceObj
imagepath: {AAA288BA-9A4C-45B0-95D7-94D524869DB5}
Name:
imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Name:
imagepath: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini

Bootexecute items:
Name:
imagepath: autocheck autochk *

Running services:
Name: AudioSrv
displayname: Windows Audio
Name: BITS
displayname: Background Intelligent Transfer Service
Name: Browser
displayname: Computer Browser
Name: CryptSvc
displayname: Cryptographic Services
Name: DcomLaunch
displayname: DCOM Server Process Launcher
Name: Dhcp
displayname: DHCP Client
Name: Dnscache
displayname: DNS Client
Name: Eventlog
displayname: Event Log
Name: EventSystem
displayname: COM+ Event System
Name: FastUserSwitchingCompatibility
displayname: Fast User Switching Compatibility
Name: HidServ
displayname: HID Input Service
Name: lanmanserver
displayname: Server
Name: lanmanworkstation
displayname: Workstation
Name: LmHosts
displayname: TCP/IP NetBIOS Helper
Name: Nero BackItUp Scheduler 4.0
displayname: Nero BackItUp Scheduler 4.0
Name: Netman
displayname: Network Connections
Name: Nla
displayname: Network Location Awareness (NLA)
Name: PlugPlay
displayname: Plug and Play
Name: PolicyAgent
displayname: IPSEC Services
Name: ProtectedStorage
displayname: Protected Storage
Name: RasAuto
displayname: Remote Access Auto Connection Manager
Name: RasMan
displayname: Remote Access Connection Manager
Name: RemoteAccess
displayname: Routing and Remote Access
Name: RpcSs
displayname: Remote Procedure Call (RPC)
Name: SamSs
displayname: Security Accounts Manager
Name: seclogon
displayname: Secondary Logon
Name: SENS
displayname: System Event Notification
Name: SfCtlCom
displayname: Trend Micro Central Control Component
Name: SharedAccess
displayname: Windows Firewall/Internet Connection Sharing (ICS)
Name: ShellHWDetection
displayname: Shell Hardware Detection
Name: SmcService
displayname: Sygate Personal Firewall Pro
Name: Spooler
displayname: Print Spooler
Name: srservice
displayname: System Restore Service
Name: stisvc
displayname: Windows Image Acquisition (WIA)
Name: TapiSrv
displayname: Telephony
Name: TermService
displayname: Terminal Services
Name: Themes
displayname: Themes
Name: TMBMServer
displayname: Trend Micro Unauthorized Change Prevention Service
Name: TmProxy
displayname: Trend Micro Proxy Service
Name: TrkWks
displayname: Distributed Link Tracking Client
Name: w32time
displayname: Windows Time
Name: WebClient
displayname: WebClient
Name: winmgmt
displayname: Windows Management Instrumentation
Name: wscsvc
displayname: Security Center
Name: WudfSvc
displayname: Windows Driver Foundation - User-mode Driver Framework
Name: WZCSVC
displayname: Wireless Zero Configuration
Name: Lavasoft Ad-Aware Service
displayname: Lavasoft Ad-Aware Service


I'm sure I am forgetting something and not doing something I should have. I apologize in advance...

Thanks for any help....

Come on dude....turn up the low end!
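As an added triage helper (not from this thread, HijackThis or Ad-Aware), the Python below walks HijackThis-style lines and flags the kinds of entries a malware-response helper reads first in a log like the one above: autostarts that run from a Temp directory, rundll32 launching a DLL that sits directly in C:\WINDOWS, and orphaned entries whose file is gone. The sample lines are constructed from the log above; the [Djako] run entry is modelled on the Ad-Aware startup item, and a flag means "review this", not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on entries in the log above (not the full log).
# The [Djako] O4 line is built from the Ad-Aware "Startup items" entry; HijackThis
# did not list it because Ad-Aware had already quarantined the DLL.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [Djako] rundll32.exe "C:\WINDOWS\acupavuro.dll",Startup
O23 - Service: AAWXVARY - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Kory\LOCALS~1\Temp\AAWXVARY.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# A HijackThis entry: section tag (R0, O2, O23, ...), " - ", then the body.
ENTRY = re.compile(r"^(O\d{1,2}|R\d)\s+-\s+(.*)$")
# Executable living under any directory literally named Temp.
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)
# rundll32 loading a DLL directly in the Windows directory (system32 DLLs do not match
# because the character class stops at the next backslash).
WINDIR_ROOT_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?[A-Za-z]:\\WINDOWS\\[^\\"]+\.dll', re.IGNORECASE)
# HijackThis marks entries whose target is gone; these are stale autostarts.
ORPHAN = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O23"
    entry: str     # the original log line
    reasons: list  # why it was flagged


def triage_line(line: str):
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # process list, headers, blank lines
    section, body = m.groups()
    reasons = []
    if TEMP_DIR.search(body):
        reasons.append("runs from a Temp directory")
    if WINDIR_ROOT_DLL.search(body):
        reasons.append("rundll32 loads a DLL placed directly in the Windows directory")
    if ORPHAN.search(body):
        reasons.append("points at a file that no longer exists (stale autostart)")
    return Finding(section, line.strip(), reasons) if reasons else None


def triage_log(text: str):
    """Flagged entries for a whole log, in log order."""
    return [f for f in map(triage_line, text.splitlines()) if f is not None]


def counts_by_section(findings):
    """How many flagged entries each HijackThis section contributed."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_HJT_LOG):
        print(f"{f.section}: {f.entry}\n    -> {'; '.join(f.reasons)}")
```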


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 20 October 2010 - 04:33 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 ummagumma

ummagumma
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Male
  • Location:In the mountains of Kentucky......

Posted 20 October 2010 - 05:54 PM

Hey Mole.....

Thanks for helping man.

Well I am having even bigger problems now dude. Been working on PCs for 10 years and have never seen stuff like this happen....

Hope to hear from you soon.

Later.....

umma
Come on dude....turn up the low end!

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 20 October 2010 - 06:07 PM

Let's have a look at some of the more likely culprits first.

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

m0le is a proud member of UNITE

#5 ummagumma

ummagumma
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Male
  • Location:In the mountains of Kentucky......

Posted 21 October 2010 - 09:21 PM

Here ya go man...

Sorry for the slow response, but whatever is messing with this PC is turning off system services and even disabled my net card lol. Every time I would get it back online, an hour later something would disable something else. I think the aliens are after me dude :crazy:

It found no infection.....

Here is the Killer Log:

2010/10/21 21:16:52.0578 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/21 21:16:52.0578 ================================================================================
2010/10/21 21:16:52.0578 SystemInfo:
2010/10/21 21:16:52.0578
2010/10/21 21:16:52.0578 OS Version: 5.1.2600 ServicePack: 2.0
2010/10/21 21:16:52.0578 Product type: Workstation
2010/10/21 21:16:52.0578 ComputerName: SASQUATCH
2010/10/21 21:16:52.0578 UserName: Kory
2010/10/21 21:16:52.0578 Windows directory: C:\WINDOWS
2010/10/21 21:16:52.0578 System windows directory: C:\WINDOWS
2010/10/21 21:16:52.0578 Processor architecture: Intel x86
2010/10/21 21:16:52.0578 Number of processors: 2
2010/10/21 21:16:52.0578 Page size: 0x1000
2010/10/21 21:16:52.0578 Boot type: Normal boot
2010/10/21 21:16:52.0578 ================================================================================
2010/10/21 21:16:52.0750 Initialize success
2010/10/21 21:17:00.0734 ================================================================================
2010/10/21 21:17:00.0734 Scan started
2010/10/21 21:17:00.0734 Mode: Manual;
2010/10/21 21:17:00.0734 ================================================================================
2010/10/21 21:17:03.0765 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/10/21 21:17:03.0968 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/10/21 21:17:04.0046 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/10/21 21:17:04.0125 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/21 21:17:04.0203 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/21 21:17:04.0296 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2010/10/21 21:17:04.0359 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/21 21:17:04.0437 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/21 21:17:04.0500 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/10/21 21:17:04.0562 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/21 21:17:04.0656 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/10/21 21:17:04.0718 ElbyCDIO (3a85ddb9da1b86624887e3acef10a944) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
2010/10/21 21:17:04.0796 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/21 21:17:04.0890 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/10/21 21:17:04.0953 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/21 21:17:05.0015 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/10/21 21:17:05.0078 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/10/21 21:17:05.0140 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/21 21:17:05.0218 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/21 21:17:05.0312 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/10/21 21:17:05.0390 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/21 21:17:05.0468 HDAudBus (e31363d186b3e1d7c4e9117884a6aee5) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/10/21 21:17:05.0531 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/10/21 21:17:05.0593 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2010/10/21 21:17:05.0687 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/21 21:17:05.0750 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/10/21 21:17:05.0796 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2010/10/21 21:17:05.0875 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/10/21 21:17:05.0968 iastor (d9d3f168a2fd4c2380d98821a3ff3357) C:\WINDOWS\system32\drivers\iastor.sys
2010/10/21 21:17:06.0046 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/21 21:17:06.0109 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2010/10/21 21:17:06.0187 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/10/21 21:17:06.0250 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/10/21 21:17:06.0296 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/10/21 21:17:06.0359 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/21 21:17:06.0406 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/21 21:17:06.0468 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/21 21:17:06.0546 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/21 21:17:06.0640 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/21 21:17:06.0734 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/21 21:17:06.0828 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/21 21:17:06.0921 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/10/21 21:17:06.0984 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/21 21:17:07.0062 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/21 21:17:07.0234 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/21 21:17:07.0312 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/21 21:17:07.0359 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/10/21 21:17:07.0437 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/21 21:17:07.0500 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/21 21:17:07.0546 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/21 21:17:07.0625 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/10/21 21:17:07.0718 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/21 21:17:07.0796 MRxSmb (5ddc9a1b2eb5a4bf010ce8c019a18c1f) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/21 21:17:07.0875 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/21 21:17:07.0921 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/21 21:17:08.0031 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/21 21:17:08.0078 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/21 21:17:08.0125 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/21 21:17:08.0187 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/10/21 21:17:08.0265 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/21 21:17:08.0328 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/10/21 21:17:08.0390 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/21 21:17:08.0453 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/10/21 21:17:08.0500 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/21 21:17:08.0562 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/21 21:17:08.0718 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/21 21:17:08.0781 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/21 21:17:08.0859 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/21 21:17:08.0906 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/21 21:17:09.0000 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/21 21:17:09.0062 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/21 21:17:09.0156 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/21 21:17:09.0281 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/10/21 21:17:09.0390 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/21 21:17:09.0437 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/21 21:17:09.0500 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
2010/10/21 21:17:09.0578 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/10/21 21:17:09.0671 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/21 21:17:09.0718 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/21 21:17:09.0781 pavboot (3adb8bd6154a3ef87496e8fce9c22493) C:\WINDOWS\system32\drivers\pavboot.sys
2010/10/21 21:17:09.0843 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/21 21:17:09.0921 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/10/21 21:17:09.0984 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/10/21 21:17:10.0062 pcouffin (02aaafb7ba137ce5ddabcdf8090954d9) C:\WINDOWS\system32\Drivers\pcouffin.sys
2010/10/21 21:17:10.0125 PD0620VID (4431f2fa27f56f4bc654b0af5810cc91) C:\WINDOWS\system32\DRIVERS\P0620Vid.sys
2010/10/21 21:17:10.0328 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/10/21 21:17:10.0390 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/10/21 21:17:10.0468 PLTurbh (7e32b692fcf44c3add10186b54111f29) C:\WINDOWS\system32\drivers\plturbh.sys
2010/10/21 21:17:10.0531 PLTurbo (8454c205ba53d22b5a34d9b2613859a9) C:\WINDOWS\system32\drivers\plturbo.sys
2010/10/21 21:17:10.0609 pnpshark (e68daac907bb158c55ad55d01d6e31ba) C:\WINDOWS\system32\DRIVERS\pnpshark.sys
2010/10/21 21:17:10.0703 Point32 (2e3394c8ebf31a9b4f0a531eb5cc7bc7) C:\WINDOWS\system32\DRIVERS\point32.sys
2010/10/21 21:17:10.0843 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/21 21:17:11.0015 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/21 21:17:11.0078 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/21 21:17:11.0140 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/10/21 21:17:11.0203 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/10/21 21:17:11.0250 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/10/21 21:17:11.0281 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/10/21 21:17:11.0312 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/10/21 21:17:11.0328 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/10/21 21:17:11.0375 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/21 21:17:11.0453 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/21 21:17:11.0500 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/21 21:17:11.0562 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/21 21:17:11.0625 Rdbss (809ca45caa9072b3176ad44579d7f688) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/21 21:17:11.0703 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/21 21:17:11.0765 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/10/21 21:17:11.0843 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/21 21:17:11.0906 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/21 21:17:11.0984 RimUsb (f17713d108aca124a139fde877eef68a) C:\WINDOWS\system32\Drivers\RimUsb.sys
2010/10/21 21:17:12.0062 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2010/10/21 21:17:12.0125 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2010/10/21 21:17:12.0265 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/21 21:17:12.0343 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/10/21 21:17:12.0390 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/10/21 21:17:12.0453 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/10/21 21:17:12.0500 sfng32 (5fe18fff6fbcf218290042009eab023d) C:\WINDOWS\system32\drivers\sfng32.sys
2010/10/21 21:17:12.0687 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/10/21 21:17:12.0765 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/10/21 21:17:12.0843 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/10/21 21:17:12.0921 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/21 21:17:13.0031 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/21 21:17:13.0109 Srv (553007ecce7f6565bbe645beb66d3b69) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/21 21:17:13.0171 st3shark (f7cd574cff0e0df2ced11710acfb60a2) C:\WINDOWS\system32\DRIVERS\st3shark.sys
2010/10/21 21:17:13.0265 STHDA (237ccbfc82b4c98435461972597f29d5) C:\WINDOWS\system32\drivers\sthda.sys
2010/10/21 21:17:13.0359 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/10/21 21:17:13.0421 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/21 21:17:13.0484 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/21 21:17:13.0546 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/10/21 21:17:13.0593 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/10/21 21:17:13.0625 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/10/21 21:17:13.0656 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/10/21 21:17:13.0703 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/21 21:17:13.0796 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/21 21:17:13.0875 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/21 21:17:13.0937 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/21 21:17:13.0968 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/21 21:17:14.0046 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/10/21 21:17:14.0140 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/21 21:17:14.0203 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/10/21 21:17:14.0265 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/21 21:17:14.0359 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/10/21 21:17:14.0437 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/21 21:17:14.0531 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/10/21 21:17:14.0593 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/21 21:17:14.0671 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/10/21 21:17:14.0734 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/10/21 21:17:14.0843 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/21 21:17:14.0906 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/10/21 21:17:14.0984 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/10/21 21:17:15.0046 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/10/21 21:17:15.0093 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/10/21 21:17:15.0171 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/21 21:17:15.0281 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/21 21:17:15.0375 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/21 21:17:15.0484 WpdUsb (c60dc16d4e406810fad54b98dc92d5ec) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2010/10/21 21:17:15.0656 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/10/21 21:17:15.0718 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/10/21 21:17:15.0781 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/10/21 21:17:15.0843 ================================================================================
2010/10/21 21:17:15.0843 Scan finished
2010/10/21 21:17:15.0843 ================================================================================


Thanks again.....

umma :thumbup2:

Edited by ummagumma, 21 October 2010 - 09:24 PM.

Come on dude....turn up the low end!
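The TDSSKiller listing above is one line per kernel driver: the service name, the file's MD5 and the path it loads from. An analyst reads it by asking three questions: is anything loading from outside the normal driver directory, do several service names point at one and the same file (here cbidf and cbidf2k both resolve to cbidf2k.sys, which is usually benign but worth a glance), and do the hashes of core drivers match a machine known to be clean. The script below is an added example, written for this page and not part of the thread or of TDSSKiller itself. Its embedded sample log copies a handful of lines from the listing above plus one constructed line (`hypodrv`, an invented name with a zeroed hash and a non-standard path) so the off-path and unknown-driver checks have something to report; the baseline hashes are copied from the posted log except atapi's, which is deliberately altered to exercise the mismatch path, so none of them should be taken as real reference hashes.

```python
"""Triage helper for a TDSSKiller driver listing (added example, not from the thread).

Parses lines of the form
    2010/10/21 21:17:01.0156 <service> (<md5>) <path>
and reports drivers loaded from an unexpected directory, hashes registered under
more than one service name, and hash mismatches against an analyst-supplied baseline.
"""
import re
from collections import defaultdict

# One driver line: timestamp, service name, 32-hex MD5 in parentheses, then the path.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+"
    r"(?P<service>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+?)\s*$"
)

# Where XP normally loads kernel drivers from; compared case-insensitively.
EXPECTED_DIRS = ("c:\\windows\\system32\\drivers\\",)

# Constructed sample: real lines copied from the posted log plus one invented
# driver (hypodrv) with a zeroed hash and an off-path location.
SAMPLE_LOG = r"""
2010/10/21 21:17:00.0734 Scan started
2010/10/21 21:17:00.0734 Mode: Manual;
2010/10/21 21:17:01.0234 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/21 21:17:02.0562 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/21 21:17:03.0187 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/10/21 21:17:03.0234 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/21 21:17:07.0062 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/21 21:17:09.0062 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/21 21:17:16.0000 hypodrv (00000000000000000000000000000000) C:\WINDOWS\hypodrv.sys
2010/10/21 21:17:15.0843 Scan finished
"""

# Constructed baseline {service: md5}. Values are copied from the posted log except
# atapi, which is altered on purpose so the mismatch check fires. Not real reference hashes.
BASELINE = {
    "ACPI": "a10c7534f7223f4a73a948967d00e69b",
    "atapi": "ffffffffffffffffffffffffffffffff",
    "cbidf": "90a673fc8e12a79afbed2576f6a7aaf9",
    "cbidf2k": "90a673fc8e12a79afbed2576f6a7aaf9",
    "KSecDD": "eb7ffe87fd367ea8fca0506f74a87fbb",
    "Ntfs": "b78be402c3f63dd55521f73876951cdd",
}


def parse_driver_lines(text):
    """Return a dict per driver line; header/footer lines that do not match are skipped."""
    drivers = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["md5"] = d["md5"].lower()
            drivers.append(d)
    return drivers


def outside_expected_dirs(drivers, expected=EXPECTED_DIRS):
    """Drivers whose path does not start with one of the expected directories."""
    return [d for d in drivers if not d["path"].lower().startswith(expected)]


def shared_hashes(drivers):
    """md5 -> sorted service names, for hashes registered under more than one service."""
    by_hash = defaultdict(set)
    for d in drivers:
        by_hash[d["md5"]].add(d["service"])
    return {h: sorted(s) for h, s in by_hash.items() if len(s) > 1}


def baseline_mismatches(drivers, baseline):
    """Split drivers into (hash differs from baseline, service absent from baseline)."""
    mismatched, unknown = [], []
    for d in drivers:
        expected = baseline.get(d["service"])
        if expected is None:
            unknown.append(d)
        elif expected.lower() != d["md5"]:
            mismatched.append(d)
    return mismatched, unknown


def triage(text, baseline):
    """Run all three checks and return the findings as service-name lists."""
    drivers = parse_driver_lines(text)
    mismatched, unknown = baseline_mismatches(drivers, baseline)
    return {
        "parsed": len(drivers),
        "off_path": [d["service"] for d in outside_expected_dirs(drivers)],
        "shared": shared_hashes(drivers),
        "mismatched": [d["service"] for d in mismatched],
        "unknown": [d["service"] for d in unknown],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, BASELINE).items():
        print(f"{key}: {value}")
```

Run it against a saved TDSSKiller log by reading the file into `triage()` in place of `SAMPLE_LOG`; the baseline should come from a clean machine at the same service-pack level, since any Windows update changes the hashes of core drivers and would otherwise show up as false mismatches.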

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 22 October 2010 - 03:38 AM

It looks like we can go ahead and run a more powerful tool. You are right that msadmsl.dll is malicious, but the fact that it can't load means it now isn't there; the bad registry entries remain.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a confirmation message. Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#7 ummagumma

ummagumma
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Male
  • Location:In the mountains of Kentucky......

Posted 22 October 2010 - 09:44 AM

Hey I'm back :mellow:

Got it done. I used to use ComboFix years ago to update Windows.

Oh, this may help. I've been trying to get a boot log for ya in safe mode but so far no luck. Something strange is going on during boot. Getting messages "SATA Drive 0 Not Found" all the way to SATA 3 lol. But then I click F1 and Windows loads...

I would think if it doesn't see the drive Windows would not load? Strange huh? This started a few days ago, who knows why....

Damn, almost forgot. I noticed before I even joined Bleepingcomputer.com that I have up to 3 copies of dozens of .dlls in my system32 folder...can't be good.

Here is ComboFix Log:

ComboFix 10-10-21.07 - Kory 10/22/2010 9:29.1.2 - x86
Running from: c:\documents and settings\Kory\Desktop\ComFix.exe
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kory\Application Data\ezpinst.log
c:\documents and settings\Kory\Local Settings\Application Data\{B90B1FB3-6A33-41C6-892A-6118027640B9}
c:\documents and settings\Kory\Local Settings\Application Data\{B90B1FB3-6A33-41C6-892A-6118027640B9}\chrome.manifest
c:\documents and settings\Kory\Local Settings\Application Data\{B90B1FB3-6A33-41C6-892A-6118027640B9}\chrome\content\_cfg.js
c:\documents and settings\Kory\Local Settings\Application Data\{B90B1FB3-6A33-41C6-892A-6118027640B9}\chrome\content\overlay.xul
c:\documents and settings\Kory\Local Settings\Application Data\{B90B1FB3-6A33-41C6-892A-6118027640B9}\install.rdf
c:\windows\daemon.dll
c:\windows\system32\_000127_.tmp.dll
c:\windows\system32\linkinfo(2).dll
c:\windows\system32\service
c:\windows\system32\service\18092010_TIS17_SfFniAU.log
c:\windows\system32\systeminfo3.dll
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2010-09-22 to 2010-10-22 )))))))))))))))))))))))))))))))
.

2010-10-22 05:14 . 2010-10-22 05:14 -------- d-----w- c:\documents and settings\Administrator
2010-10-21 05:02 . 2010-10-21 05:16 -------- d-----w- c:\documents and settings\Kory\Application Data\AVG
2010-10-21 03:55 . 2010-10-22 02:10 -------- d-----w- c:\program files\AVG
2010-10-21 03:26 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-10-21 03:25 . 2010-10-21 03:25 -------- d-----w- c:\program files\Panda Security
2010-10-20 16:48 . 2010-10-20 16:48 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-20 16:48 . 2010-10-20 16:48 -------- d-----w- c:\program files\Windows Defender
2010-10-20 16:48 . 2010-10-20 16:48 -------- d-----w- c:\program files\Webteh
2010-10-20 16:48 . 2010-10-20 16:48 -------- d-----w- c:\documents and settings\Kory\Application Data\Sehiko
2010-10-20 16:45 . 2010-10-20 16:45 -------- d-----w- c:\documents and settings\Kory\PrivacIE
2010-10-20 16:35 . 2010-10-20 16:35 -------- d-----w- c:\documents and settings\NetworkService\IETldCache
2010-10-20 16:34 . 2010-10-20 16:34 -------- d-----w- c:\documents and settings\Kory\IETldCache
2010-10-20 16:04 . 2010-10-20 16:48 -------- dc----w- c:\windows\ie8
2010-10-20 03:53 . 2010-10-20 16:48 -------- d-----w- c:\windows\system32\NtmsData
2010-10-20 01:51 . 2010-10-20 01:51 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-10-20 01:50 . 2010-10-21 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-10-20 01:47 . 2010-10-21 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-10-19 03:02 . 2010-10-19 03:02 -------- d-----w- c:\documents and settings\Kory\Application Data\DivX
2010-10-19 02:57 . 2010-10-19 03:02 -------- d-----w- c:\program files\Power DVD Rip Studio
2010-10-19 01:20 . 2010-10-19 01:20 -------- d-----w- c:\documents and settings\Kory\Application Data\Ulead Systems
2010-10-19 00:50 . 2010-10-19 00:50 -------- d-----w- c:\program files\Common Files\InterVideo
2010-10-19 00:50 . 2010-10-19 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\InterVideo
2010-10-19 00:50 . 2002-11-22 07:57 204800 ----a-w- c:\windows\system32\IVIresizeW7.dll
2010-10-19 00:50 . 2002-11-22 07:57 200704 ----a-w- c:\windows\system32\IVIresizeA6.dll
2010-10-19 00:50 . 2002-11-22 07:57 192512 ----a-w- c:\windows\system32\IVIresizeP6.dll
2010-10-19 00:50 . 2002-11-22 07:57 192512 ----a-w- c:\windows\system32\IVIresizeM6.dll
2010-10-19 00:50 . 2002-11-22 07:57 188416 ----a-w- c:\windows\system32\IVIresizePX.dll
2010-10-19 00:50 . 2002-11-22 07:57 20480 ----a-w- c:\windows\system32\IVIresize.dll
2010-10-19 00:49 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2010-10-19 00:49 . 2010-10-19 00:49 -------- d-----w- c:\program files\DivX
2010-10-19 00:48 . 2003-02-27 21:12 696320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2010-10-19 00:48 . 2002-12-05 19:10 155648 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2010-10-19 00:48 . 2002-12-02 20:22 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2010-10-19 00:48 . 2002-12-02 18:33 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2010-10-19 00:48 . 2002-12-02 18:33 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2010-10-19 00:48 . 2010-10-19 00:48 282756 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2010-10-19 00:48 . 2010-10-19 00:48 163972 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2010-10-19 00:47 . 2010-10-19 00:47 -------- d-----w- c:\program files\Common Files\Ulead Systems
2010-10-19 00:47 . 2010-10-19 00:47 -------- d-----w- c:\program files\Ulead Systems
2010-10-19 00:47 . 2010-10-19 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2010-10-19 00:34 . 2010-10-19 00:34 -------- d-----w- c:\program files\ASIO4ALL v2
2010-10-19 00:19 . 2009-08-02 20:09 1554944 ----a-w- c:\windows\system32\vorbis.acm
2010-10-19 00:19 . 2010-10-19 00:20 -------- d-----w- c:\program files\VstPlugins
2010-10-19 00:19 . 2010-10-19 00:19 -------- d-----w- c:\program files\Outsim
2010-10-19 00:18 . 2010-10-19 00:20 -------- d-----w- c:\program files\Image-Line
2010-10-18 22:07 . 2010-10-18 22:11 -------- d-----w- c:\program files\Hard Disk Sentinel
2010-10-17 07:22 . 2010-10-17 07:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Ableton
2010-10-17 07:22 . 2010-10-17 07:22 -------- d-----w- c:\documents and settings\Kory\Application Data\Ableton
2010-10-17 07:21 . 2009-06-13 00:53 368640 ----a-w- c:\windows\system32\ReWire.dll
2010-10-17 07:21 . 2009-06-13 00:53 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2010-10-17 07:18 . 2010-10-17 07:18 -------- d-----w- c:\program files\Ableton
2010-10-16 19:17 . 2010-10-16 19:18 -------- d-----w- c:\program files\VirtualDJ
2010-10-15 23:35 . 2010-10-21 13:49 -------- d-----w- c:\documents and settings\Kory\Application Data\Youtube Downloader HD
2010-10-15 23:35 . 2010-10-15 23:35 -------- d-----w- c:\program files\Youtube Downloader HD
2010-10-15 18:02 . 2010-10-15 18:02 -------- d-----w- c:\program files\Audacity
2010-10-13 12:35 . 2010-10-13 12:35 -------- d-----w- c:\documents and settings\Kory\Application Data\Artifex Mundi
2010-10-13 12:35 . 2010-10-13 12:35 -------- d-----w- c:\program files\Games
2010-10-13 12:33 . 2010-10-13 12:33 -------- d-----w- c:\program files\D-Tools
2010-10-08 15:43 . 2010-10-08 15:43 -------- d-----w- c:\documents and settings\Kory\Local Settings\Application Data\TechSmith
2010-10-08 14:25 . 2010-10-08 14:25 -------- d-----w- c:\program files\SystemRequirementsLab
2010-10-08 06:11 . 2010-10-08 06:11 -------- d-----w- c:\windows\system32\scripting
2010-10-08 06:10 . 2010-10-08 06:11 -------- d-----w- c:\windows\l2schemas
2010-10-08 05:43 . 2010-10-08 05:43 -------- d-----w- c:\windows\ServicePackFiles
2010-10-08 05:23 . 2006-12-29 05:31 19569 ----a-w- c:\windows\002642_.tmp
2010-10-07 16:10 . 2010-10-22 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-10-07 16:10 . 2010-10-07 16:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-07 15:26 . 2010-10-07 15:26 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-10-07 15:01 . 2010-01-11 00:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-10-06 23:47 . 2010-10-06 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Top Evidence
2010-10-06 22:43 . 2010-10-06 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishv1005
2010-10-06 16:55 . 2010-10-06 16:56 -------- d-----w- c:\documents and settings\Kory\Application Data\Vso
2010-10-06 16:55 . 2010-10-06 16:55 81920 ----a-w- c:\documents and settings\Kory\Application Data\ezpinst.exe
2010-10-06 16:55 . 2010-10-06 16:55 47360 ----a-w- c:\windows\system32\drivers\SET57.tmp
2010-10-06 16:55 . 2010-10-06 16:55 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-10-06 16:55 . 2010-10-06 16:55 47360 ----a-w- c:\documents and settings\Kory\Application Data\pcouffin.sys
2010-10-06 16:55 . 2010-10-06 16:55 -------- d-----w- c:\program files\CloneDVD
2010-10-06 16:55 . 2010-10-06 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\DVDXStudio
2010-10-06 15:48 . 2010-10-06 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
2010-10-06 15:42 . 2010-10-06 15:42 -------- d-----w- c:\program files\SlySoft
2010-10-06 15:12 . 2010-10-06 15:12 -------- dc----w- c:\documents and settings\All Users\Application Data\{42E04EE4-AB57-407A-9691-3FFA8B8FEBBE}
2010-10-06 14:36 . 2010-10-19 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-10-06 14:26 . 2010-10-21 13:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-10-06 08:40 . 2010-10-06 08:40 -------- d-----w- c:\documents and settings\Kory\Application Data\MAGIX
2010-10-06 08:37 . 2001-05-16 22:54 309616 ----a-w- c:\windows\system32\wmv8dmod.dll
2010-10-06 08:37 . 2001-05-11 18:18 420240 ----a-w- c:\windows\system32\mpg4c32.dll
2010-10-06 08:37 . 2001-03-26 09:41 245760 ----a-w- c:\windows\system32\mp4sds32.ax
2010-10-06 08:34 . 2010-10-06 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\MAGIX
2010-10-06 08:34 . 2010-10-06 08:37 -------- d-----w- c:\program files\MAGIX
2010-10-06 08:34 . 2007-04-27 14:43 120200 ----a-w- c:\windows\system32\DLLDEV32i.dll
2010-10-06 08:33 . 2010-10-07 14:06 -------- d-----w- c:\windows\system32\MAGIX
2010-10-06 08:33 . 2008-04-15 20:14 700416 ----a-w- c:\windows\system32\mgxoschk.dll
2010-10-05 03:18 . 2010-10-05 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe
2010-10-05 03:17 . 2010-10-05 03:29 -------- d-----w- c:\documents and settings\Kory\Application Data\Nero
2010-10-05 02:47 . 2010-10-05 02:56 -------- d-----w- c:\program files\Nero
2010-10-05 02:47 . 2010-10-05 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-10-05 02:47 . 2010-10-05 03:04 -------- d-----w- c:\program files\Common Files\Nero
2010-10-05 02:45 . 2010-10-05 02:46 -------- d-----w- c:\program files\Common Files\LightScribe
2010-10-05 02:41 . 2009-07-01 17:26 16640 ----a-w- c:\windows\system32\drivers\plturbo.sys
2010-10-05 02:41 . 2009-07-01 17:26 16384 ----a-w- c:\windows\system32\drivers\plturbh.sys
2010-10-05 02:41 . 2010-10-05 02:41 -------- d-----w- c:\program files\USBFast
2010-10-03 19:40 . 2010-10-03 19:40 -------- d-----w- c:\program files\Jetico
2010-10-03 17:39 . 2010-10-03 17:40 -------- d-----w- c:\program files\BBSAK
2010-10-03 16:56 . 2010-10-03 17:03 -------- d-----w- c:\program files\PSP Brew
2010-09-30 16:58 . 2010-09-30 16:58 -------- d-----w- c:\program files\Guitar Pro 5
2010-09-27 19:32 . 2010-10-07 09:26 0 ----a-w- c:\windows\Tnikuva.bin
2010-09-25 16:13 . 2010-09-25 16:13 -------- d-----w- c:\program files\KaraokeDX
2010-09-25 16:11 . 2010-09-25 16:12 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-09-24 12:36 . 2010-09-24 12:36 -------- d-----w- c:\documents and settings\All Users\Application Data\FileCure
2010-09-24 07:33 . 2010-09-24 07:45 -------- d-----w- c:\documents and settings\Kory\Application Data\Media Player Classic
2010-09-24 07:06 . 2009-08-16 15:08 178176 ----a-w- c:\windows\system32\unrar.dll
2010-09-24 07:03 . 2010-10-21 03:55 -------- d-----w- c:\program files\Advanced Karaoke Player
2010-09-24 05:11 . 2010-09-24 05:11 -------- d-----w- c:\program files\CDisplay
2010-09-23 22:43 . 2010-09-23 22:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-09-23 22:43 . 2010-09-23 22:43 -------- d-----w- c:\documents and settings\Kory\Local Settings\Application Data\Temp
2010-09-23 22:43 . 2010-09-23 22:43 -------- d-----w- c:\documents and settings\Kory\Local Settings\Application Data\assembly
2010-09-23 22:43 . 2010-09-23 22:43 -------- d-----w- c:\documents and settings\Kory\Application Data\Guitar Pro 6
2010-09-23 22:43 . 2010-09-23 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Guitar Pro 6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-16 12:09 . 2010-09-16 12:09 27432 ----a-w- c:\windows\system32\drivers\ElbyCDIO.sys
2010-09-15 21:19 . 2010-09-15 21:19 89256 ----a-w- c:\windows\system32\ElbyCDIO.dll
2010-09-14 13:16 . 2010-09-14 13:16 108480 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2010-09-13 21:27 . 2010-09-13 21:27 25680 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2010-09-13 18:48 . 2010-09-13 18:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-13 18:48 . 2010-09-13 18:50 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-13 14:47 . 2010-09-13 14:47 11264 ----a-w- c:\windows\DCEBoot.exe
2010-09-08 14:09 . 2010-09-21 01:51 108032 ----a-w- c:\windows\system32\ff_vfw.dll
2010-09-08 14:07 . 2010-09-21 01:51 50688 ----a-w- c:\windows\system32\ff_acm.acm
2010-09-07 18:02 . 2010-09-07 18:02 1409 ----a-w- c:\windows\QTFont.for
2010-08-10 10:15 . 2010-08-10 10:15 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-10 10:15 . 2010-08-10 10:15 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-07-27 23:44 . 2010-07-27 23:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 23:44 . 2010-07-27 23:44 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-07-27 23:44 . 2010-07-27 23:44 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-27 23:44 . 2010-07-27 23:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-26 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2010-01-09 186904]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2008-11-04 17:09 615696 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
2006-09-21 15:36 9138176 ----a-w- c:\program files\Intel Audio Studio\IntelAudioStudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-08-30 15:50 205480 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2007-08-30 15:50 205480 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-09-11 09:40 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 13:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-27 00:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 10:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-09-02 02:59 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-09-19 15:37 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-09-22 136176]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [x]
R3 PLTurbh;Prolific turbo filter driver for hdd;c:\windows\system32\drivers\plturbh.sys [2009-07-01 16384]
R3 PLTurbo;Prolific turbo filter driver for odd;c:\windows\system32\drivers\plturbo.sys [2009-07-01 16640]
R4 AAWXVARY;AAWXVARY;c:\docume~1\Kory\LOCALS~1\Temp\AAWXVARY.exe [x]
R4 ASRSPIIL;ASRSPIIL;c:\docume~1\Kory\LOCALS~1\Temp\ASRSPIIL.exe [x]
R4 JUCGIRGI;JUCGIRGI;c:\docume~1\Kory\LOCALS~1\Temp\JUCGIRGI.exe [x]
R4 MCGEAZT;MCGEAZT;c:\docume~1\Kory\LOCALS~1\Temp\MCGEAZT.exe [x]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2010-09-13 25680]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S0 pnpshark;pnpshark;c:\windows\system32\DRIVERS\pnpshark.sys [2003-10-02 119552]
S0 st3shark;st3shark;c:\windows\system32\DRIVERS\st3shark.sys [2003-09-27 5504]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-08-20 18:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-09-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-22 08:08]

2010-09-14 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-11-11 22:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Save Flash - c:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
Trusted Zone: aol.com\free
FF - ProfilePath - c:\documents and settings\Kory\Application Data\Mozilla\Firefox\Profiles\r2w6j69q.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=14542
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=adbartrp&AF=14542&q=
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-DVDLauncher - c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
MSConfigStartUp-SigmatelSysTrayApp - sttray.exe


.
Completion time: 2010-10-22 09:34:28
ComboFix-quarantined-files.txt 2010-10-22 14:34

Pre-Run: 50,563,026,944 bytes free
Post-Run: 50,523,209,728 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - E5D09A436FD63110FD95CC418DB6FCD8


Thanks again Mole.......

umma :dance:

Edited by ummagumma, 22 October 2010 - 09:51 AM.

Come on dude....turn up the low end!

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 22 October 2010 - 05:13 PM

Something strange is going on during boot. Getting messages "SATA Drive 0 Not Found" all the way to SATA 3 lol. But then I click F1 and Windows loads...


Looks like a BIOS issue but I'm no expert there I'm afraid.

The error means that the BIOS cannot find the hard drive specified in the boot order in order to boot an Operating System.
Switch on and hit F2, which will enter the BIOS. Look for the hard drive menu and check:
1. To make sure the BIOS can see your hard drive in slot 0 on the motherboard.
2. To make sure this drive has been selected to boot from first in the boot order. Take out any floppy disks from the floppy drive if this device is higher in the order.

If that checks out you are probably looking at opening the case and I would direct you to the XP forum here.


I have up to 3 copies of dozens of .dlls in my system32 folder...can't be good.


We can look into that if we need to.


For now, let's take a look at the Combofix log. Some bad drivers need to be removed. I have also added in the Firefox directive to remove the Babylon search engine. This is often added without your consent; if it wasn't and you want to keep it, then remove the three lines beginning with Firefox:: before you use the script.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

File::
c:\docume~1\Kory\LOCALS~1\Temp\AAWXVARY.exe
c:\docume~1\Kory\LOCALS~1\Temp\ASRSPIIL.exe
c:\docume~1\Kory\LOCALS~1\Temp\JUCGIRGI.exe
c:\docume~1\Kory\LOCALS~1\Temp\MCGEAZT.exe

Firefox::
FF - ProfilePath - c:\documents and settings\Kory\Application Data\Mozilla\Firefox\Profiles\r2w6j69q.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=14542

Driver::
AAWXVARY
ASRSPIIL
JUCGIRGI
MCGEAZT


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the graphic below)


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

If the program asks you to update Combofix, then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
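The triage behind the script above, as an added example that is not part of the thread or of ComboFix itself: it parses the R*/S* service lines from a ComboFix log, flags entries whose binary sits under a Temp folder and that ComboFix could not read ("[x]"), and emits the matching File:: and Driver:: sections. The sample log lines are constructed from the entries quoted in the log; the line format, the heuristic and the function names are this example's own assumptions.

```python
"""Flag suspicious service/driver entries in a ComboFix log and build a CFScript.

Added example, not code from the thread or from ComboFix. The heuristic mirrors
the reasoning used above: an R4 service whose binary lives in a user's Temp
directory and whose file ComboFix could not read ("[x]") is treated as a
malware remnant. A driver with "[x]" in a normal program folder (the Lavasoft
helper) is deliberately NOT flagged, since an unreadable file alone is weak
evidence.
"""
import re

# Constructed sample: service lines in the shape ComboFix prints them,
# copied from the entries quoted in the log above.
SAMPLE_LOG = """\
R2 gupdate;Google Update Service (gupdate);c:\\program files\\Google\\Update\\GoogleUpdate.exe [2010-09-22 136176]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\\program files\\Lavasoft\\Ad-Aware\\KernExplorer.sys [x]
R4 AAWXVARY;AAWXVARY;c:\\docume~1\\Kory\\LOCALS~1\\Temp\\AAWXVARY.exe [x]
R4 ASRSPIIL;ASRSPIIL;c:\\docume~1\\Kory\\LOCALS~1\\Temp\\ASRSPIIL.exe [x]
S0 pavboot;pavboot;c:\\windows\\system32\\drivers\\pavboot.sys [2009-06-30 28552]
"""

# "<state> <service name>;<display name>;<image path> [<date size> | x]"
# (assumed layout, matching the lines quoted in the thread)
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)

# Any path component named Temp, e.g. ...\LOCALS~1\Temp\...
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_services(log_text):
    """Return one dict per R*/S* service line; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            # "[x]" means ComboFix could not stat the file (missing or hidden)
            d["file_missing"] = d["meta"].strip() == "x"
            entries.append(d)
    return entries


def is_suspicious(entry):
    """Both conditions must hold: image under a Temp folder AND unreadable."""
    return entry["file_missing"] and bool(TEMP_DIR_RE.search(entry["path"]))


def suspicious_services(log_text):
    """Entries a reviewer would want to remove, in log order."""
    return [e for e in parse_services(log_text) if is_suspicious(e)]


def build_cfscript(entries):
    """Emit the File:: and Driver:: sections for the flagged entries.

    File:: takes the image paths, Driver:: takes the service names, the same
    two directives used in the script above. Returns "" when nothing is flagged.
    """
    if not entries:
        return ""
    files = "\n".join(e["path"] for e in entries)
    drivers = "\n".join(e["name"] for e in entries)
    return f"File::\n{files}\n\nDriver::\n{drivers}\n"


if __name__ == "__main__":
    flagged = suspicious_services(SAMPLE_LOG)
    for e in flagged:
        print(f"{e['state']} {e['name']}: {e['path']}")
    print(build_cfscript(flagged))
```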

#9 ummagumma

ummagumma
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Male
  • Location:In the mountains of Kentucky......

Posted 22 October 2010 - 07:29 PM

Thanks again for the swift response Mole. :dance:

The error means that the BIOS cannot find the hard drive specified in the boot order in order to boot an Operating System.
Switch on and hit F2, which will enter the BIOS. Look for the hard drive menu and check:
1. To make sure the BIOS can see your hard drive in slot 0 on the motherboard.
2. To make sure this drive has been selected to boot from first in the boot order. Take out any floppy disks from the floppy drive if this device is higher in the order.


I am pretty good with the system BIOS and everything is correct. The BIOS is recognizing the HD but for some reason the boot.ini is not. :killcomp:

Oh and who knows why but after the ComboFix ran I had a hella time getting Firefox to go to www.bleepingcomputers.com It would load my home page and gmail but kept timing out here.... :censored:

Just saw the entry: rootkit/stealth malware detector by Gmer. Just thought I would let you know I have never opened that .exe yet.

Here ya go dude:

ComboFix 10-10-22.03 - Kory 10/22/2010 18:37:42.2.2 - x86
Running from: c:\documents and settings\Kory\Desktop\ComFix.exe
Command switches used :: c:\documents and settings\Kory\Desktop\CFScript.txt
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
* Created a new restore point

FILE ::
"c:\docume~1\Kory\LOCALS~1\Temp\AAWXVARY.exe"
"c:\docume~1\Kory\LOCALS~1\Temp\ASRSPIIL.exe"
"c:\docume~1\Kory\LOCALS~1\Temp\JUCGIRGI.exe"
"c:\docume~1\Kory\LOCALS~1\Temp\MCGEAZT.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AAWXVARY
-------\Legacy_ASRSPIIL
-------\Legacy_JUCGIRGI
-------\Legacy_MCGEAZT
-------\Service_AAWXVARY
-------\Service_ASRSPIIL
-------\Service_JUCGIRGI
-------\Service_MCGEAZT


((((((((((((((((((((((((( Files Created from 2010-09-22 to 2010-10-22 )))))))))))))))))))))))))))))))
.

2010-10-22 05:14 . 2010-10-22 05:14 -------- d-----w- c:\documents and settings\Administrator
2010-10-21 05:02 . 2010-10-21 05:16 -------- d-----w- c:\documents and settings\Kory\Application Data\AVG
2010-10-21 03:55 . 2010-10-22 02:10 -------- d-----w- c:\program files\AVG
2010-10-21 03:26 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-10-21 03:25 . 2010-10-21 03:25 -------- d-----w- c:\program files\Panda Security
2010-10-20 16:48 . 2010-10-20 16:48 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-20 16:48 . 2010-10-20 16:48 -------- d-----w- c:\program files\Windows Defender
2010-10-20 16:48 . 2010-10-20 16:48 -------- d-----w- c:\program files\Webteh
2010-10-20 16:48 . 2010-10-20 16:48 -------- d-----w- c:\documents and settings\Kory\Application Data\Sehiko
2010-10-20 16:45 . 2010-10-20 16:45 -------- d-----w- c:\documents and settings\Kory\PrivacIE
2010-10-20 16:35 . 2010-10-20 16:35 -------- d-----w- c:\documents and settings\NetworkService\IETldCache
2010-10-20 16:34 . 2010-10-20 16:34 -------- d-----w- c:\documents and settings\Kory\IETldCache
2010-10-20 16:04 . 2010-10-20 16:48 -------- dc----w- c:\windows\ie8
2010-10-20 03:53 . 2010-10-20 16:48 -------- d-----w- c:\windows\system32\NtmsData
2010-10-20 01:51 . 2010-10-20 01:51 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-10-20 01:50 . 2010-10-21 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-10-20 01:47 . 2010-10-21 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-10-19 03:02 . 2010-10-19 03:02 -------- d-----w- c:\documents and settings\Kory\Application Data\DivX
2010-10-19 02:57 . 2010-10-19 03:02 -------- d-----w- c:\program files\Power DVD Rip Studio
2010-10-19 01:20 . 2010-10-19 01:20 -------- d-----w- c:\documents and settings\Kory\Application Data\Ulead Systems
2010-10-19 00:50 . 2010-10-19 00:50 -------- d-----w- c:\program files\Common Files\InterVideo
2010-10-19 00:50 . 2010-10-19 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\InterVideo
2010-10-19 00:50 . 2002-11-22 07:57 204800 ----a-w- c:\windows\system32\IVIresizeW7.dll
2010-10-19 00:50 . 2002-11-22 07:57 200704 ----a-w- c:\windows\system32\IVIresizeA6.dll
2010-10-19 00:50 . 2002-11-22 07:57 192512 ----a-w- c:\windows\system32\IVIresizeP6.dll
2010-10-19 00:50 . 2002-11-22 07:57 192512 ----a-w- c:\windows\system32\IVIresizeM6.dll
2010-10-19 00:50 . 2002-11-22 07:57 188416 ----a-w- c:\windows\system32\IVIresizePX.dll
2010-10-19 00:50 . 2002-11-22 07:57 20480 ----a-w- c:\windows\system32\IVIresize.dll
2010-10-19 00:49 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2010-10-19 00:49 . 2010-10-19 00:49 -------- d-----w- c:\program files\DivX
2010-10-19 00:48 . 2003-02-27 21:12 696320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2010-10-19 00:48 . 2002-12-05 19:10 155648 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2010-10-19 00:48 . 2002-12-02 20:22 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2010-10-19 00:48 . 2002-12-02 18:33 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2010-10-19 00:48 . 2002-12-02 18:33 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2010-10-19 00:48 . 2010-10-19 00:48 282756 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2010-10-19 00:48 . 2010-10-19 00:48 163972 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2010-10-19 00:47 . 2010-10-19 00:47 -------- d-----w- c:\program files\Common Files\Ulead Systems
2010-10-19 00:47 . 2010-10-19 00:47 -------- d-----w- c:\program files\Ulead Systems
2010-10-19 00:47 . 2010-10-19 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2010-10-19 00:34 . 2010-10-19 00:34 -------- d-----w- c:\program files\ASIO4ALL v2
2010-10-19 00:19 . 2009-08-02 20:09 1554944 ----a-w- c:\windows\system32\vorbis.acm
2010-10-19 00:19 . 2010-10-19 00:20 -------- d-----w- c:\program files\VstPlugins
2010-10-19 00:19 . 2010-10-19 00:19 -------- d-----w- c:\program files\Outsim
2010-10-19 00:18 . 2010-10-19 00:20 -------- d-----w- c:\program files\Image-Line
2010-10-18 22:07 . 2010-10-18 22:11 -------- d-----w- c:\program files\Hard Disk Sentinel
2010-10-17 07:22 . 2010-10-17 07:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Ableton
2010-10-17 07:22 . 2010-10-17 07:22 -------- d-----w- c:\documents and settings\Kory\Application Data\Ableton
2010-10-17 07:21 . 2009-06-13 00:53 368640 ----a-w- c:\windows\system32\ReWire.dll
2010-10-17 07:21 . 2009-06-13 00:53 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2010-10-17 07:18 . 2010-10-17 07:18 -------- d-----w- c:\program files\Ableton
2010-10-16 19:17 . 2010-10-16 19:18 -------- d-----w- c:\program files\VirtualDJ
2010-10-15 23:35 . 2010-10-21 13:49 -------- d-----w- c:\documents and settings\Kory\Application Data\Youtube Downloader HD
2010-10-15 23:35 . 2010-10-15 23:35 -------- d-----w- c:\program files\Youtube Downloader HD
2010-10-15 18:02 . 2010-10-15 18:02 -------- d-----w- c:\program files\Audacity
2010-10-13 12:35 . 2010-10-13 12:35 -------- d-----w- c:\documents and settings\Kory\Application Data\Artifex Mundi
2010-10-13 12:35 . 2010-10-13 12:35 -------- d-----w- c:\program files\Games
2010-10-13 12:33 . 2010-10-13 12:33 -------- d-----w- c:\program files\D-Tools
2010-10-08 15:43 . 2010-10-08 15:43 -------- d-----w- c:\documents and settings\Kory\Local Settings\Application Data\TechSmith
2010-10-08 14:25 . 2010-10-08 14:25 -------- d-----w- c:\program files\SystemRequirementsLab
2010-10-08 06:11 . 2010-10-08 06:11 -------- d-----w- c:\windows\system32\scripting
2010-10-08 06:10 . 2010-10-08 06:11 -------- d-----w- c:\windows\l2schemas
2010-10-08 05:43 . 2010-10-08 05:43 -------- d-----w- c:\windows\ServicePackFiles
2010-10-08 05:23 . 2006-12-29 05:31 19569 ----a-w- c:\windows\002642_.tmp
2010-10-07 16:10 . 2010-10-22 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-10-07 16:10 . 2010-10-07 16:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-07 15:26 . 2010-10-07 15:26 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-10-07 15:01 . 2010-01-11 00:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-10-06 23:47 . 2010-10-06 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Top Evidence
2010-10-06 22:43 . 2010-10-06 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishv1005
2010-10-06 16:55 . 2010-10-06 16:56 -------- d-----w- c:\documents and settings\Kory\Application Data\Vso
2010-10-06 16:55 . 2010-10-06 16:55 81920 ----a-w- c:\documents and settings\Kory\Application Data\ezpinst.exe
2010-10-06 16:55 . 2010-10-06 16:55 47360 ----a-w- c:\windows\system32\drivers\SET57.tmp
2010-10-06 16:55 . 2010-10-06 16:55 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-10-06 16:55 . 2010-10-06 16:55 47360 ----a-w- c:\documents and settings\Kory\Application Data\pcouffin.sys
2010-10-06 16:55 . 2010-10-06 16:55 -------- d-----w- c:\program files\CloneDVD
2010-10-06 16:55 . 2010-10-06 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\DVDXStudio
2010-10-06 15:48 . 2010-10-06 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
2010-10-06 15:42 . 2010-10-06 15:42 -------- d-----w- c:\program files\SlySoft
2010-10-06 15:12 . 2010-10-06 15:12 -------- dc----w- c:\documents and settings\All Users\Application Data\{42E04EE4-AB57-407A-9691-3FFA8B8FEBBE}
2010-10-06 14:36 . 2010-10-19 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-10-06 14:26 . 2010-10-21 13:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-10-06 08:40 . 2010-10-06 08:40 -------- d-----w- c:\documents and settings\Kory\Application Data\MAGIX
2010-10-06 08:37 . 2001-05-16 22:54 309616 ----a-w- c:\windows\system32\wmv8dmod.dll
2010-10-06 08:37 . 2001-05-11 18:18 420240 ----a-w- c:\windows\system32\mpg4c32.dll
2010-10-06 08:37 . 2001-03-26 09:41 245760 ----a-w- c:\windows\system32\mp4sds32.ax
2010-10-06 08:34 . 2010-10-06 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\MAGIX
2010-10-06 08:34 . 2010-10-06 08:37 -------- d-----w- c:\program files\MAGIX
2010-10-06 08:34 . 2007-04-27 14:43 120200 ----a-w- c:\windows\system32\DLLDEV32i.dll
2010-10-06 08:33 . 2010-10-07 14:06 -------- d-----w- c:\windows\system32\MAGIX
2010-10-06 08:33 . 2008-04-15 20:14 700416 ----a-w- c:\windows\system32\mgxoschk.dll
2010-10-05 03:18 . 2010-10-05 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe
2010-10-05 03:17 . 2010-10-05 03:29 -------- d-----w- c:\documents and settings\Kory\Application Data\Nero
2010-10-05 02:47 . 2010-10-05 02:56 -------- d-----w- c:\program files\Nero
2010-10-05 02:47 . 2010-10-05 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-10-05 02:47 . 2010-10-05 03:04 -------- d-----w- c:\program files\Common Files\Nero
2010-10-05 02:45 . 2010-10-05 02:46 -------- d-----w- c:\program files\Common Files\LightScribe
2010-10-05 02:41 . 2009-07-01 17:26 16640 ----a-w- c:\windows\system32\drivers\plturbo.sys
2010-10-05 02:41 . 2009-07-01 17:26 16384 ----a-w- c:\windows\system32\drivers\plturbh.sys
2010-10-05 02:41 . 2010-10-05 02:41 -------- d-----w- c:\program files\USBFast
2010-10-03 19:40 . 2010-10-03 19:40 -------- d-----w- c:\program files\Jetico
2010-10-03 17:39 . 2010-10-03 17:40 -------- d-----w- c:\program files\BBSAK
2010-10-03 16:56 . 2010-10-03 17:03 -------- d-----w- c:\program files\PSP Brew
2010-09-30 16:58 . 2010-09-30 16:58 -------- d-----w- c:\program files\Guitar Pro 5
2010-09-27 19:32 . 2010-10-07 09:26 0 ----a-w- c:\windows\Tnikuva.bin
2010-09-25 16:13 . 2010-09-25 16:13 -------- d-----w- c:\program files\KaraokeDX
2010-09-25 16:11 . 2010-09-25 16:12 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-09-24 12:36 . 2010-09-24 12:36 -------- d-----w- c:\documents and settings\All Users\Application Data\FileCure
2010-09-24 07:33 . 2010-09-24 07:45 -------- d-----w- c:\documents and settings\Kory\Application Data\Media Player Classic
2010-09-24 07:06 . 2009-08-16 15:08 178176 ----a-w- c:\windows\system32\unrar.dll
2010-09-24 07:03 . 2010-10-21 03:55 -------- d-----w- c:\program files\Advanced Karaoke Player
2010-09-24 05:11 . 2010-09-24 05:11 -------- d-----w- c:\program files\CDisplay
2010-09-23 22:43 . 2010-09-23 22:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-09-23 22:43 . 2010-09-23 22:43 -------- d-----w- c:\documents and settings\Kory\Local Settings\Application Data\Temp
2010-09-23 22:43 . 2010-09-23 22:43 -------- d-----w- c:\documents and settings\Kory\Local Settings\Application Data\assembly
2010-09-23 22:43 . 2010-09-23 22:43 -------- d-----w- c:\documents and settings\Kory\Application Data\Guitar Pro 6
2010-09-23 22:43 . 2010-09-23 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Guitar Pro 6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-16 12:09 . 2010-09-16 12:09 27432 ----a-w- c:\windows\system32\drivers\ElbyCDIO.sys
2010-09-15 21:19 . 2010-09-15 21:19 89256 ----a-w- c:\windows\system32\ElbyCDIO.dll
2010-09-14 13:16 . 2010-09-14 13:16 108480 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2010-09-13 21:27 . 2010-09-13 21:27 25680 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2010-09-13 18:48 . 2010-09-13 18:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-13 18:48 . 2010-09-13 18:50 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-13 14:47 . 2010-09-13 14:47 11264 ----a-w- c:\windows\DCEBoot.exe
2010-09-08 14:09 . 2010-09-21 01:51 108032 ----a-w- c:\windows\system32\ff_vfw.dll
2010-09-08 14:07 . 2010-09-21 01:51 50688 ----a-w- c:\windows\system32\ff_acm.acm
2010-09-07 18:02 . 2010-09-07 18:02 1409 ----a-w- c:\windows\QTFont.for
2010-08-10 10:15 . 2010-08-10 10:15 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-10 10:15 . 2010-08-10 10:15 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-07-27 23:44 . 2010-07-27 23:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 23:44 . 2010-07-27 23:44 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-07-27 23:44 . 2010-07-27 23:44 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-27 23:44 . 2010-07-27 23:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-10-22_14.33.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-22 23:51 . 2010-10-22 23:51 16384 c:\windows\Temp\Perflib_Perfdata_724.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-26 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2010-01-09 186904]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2008-11-04 17:09 615696 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
2006-09-21 15:36 9138176 ----a-w- c:\program files\Intel Audio Studio\IntelAudioStudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-08-30 15:50 205480 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2007-08-30 15:50 205480 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-09-11 09:40 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 13:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-27 00:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 10:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-09-02 02:59 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-09-19 15:37 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-09-22 136176]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [x]
R3 PLTurbh;Prolific turbo filter driver for hdd;c:\windows\system32\drivers\plturbh.sys [2009-07-01 16384]
R3 PLTurbo;Prolific turbo filter driver for odd;c:\windows\system32\drivers\plturbo.sys [2009-07-01 16640]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2010-09-13 25680]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S0 pnpshark;pnpshark;c:\windows\system32\DRIVERS\pnpshark.sys [2003-10-02 119552]
S0 st3shark;st3shark;c:\windows\system32\DRIVERS\st3shark.sys [2003-09-27 5504]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-08-20 18:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-09-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-22 08:08]

2010-09-14 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-11-11 22:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Save Flash - c:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
Trusted Zone: aol.com\free
FF - ProfilePath - c:\documents and settings\Kory\Application Data\Mozilla\Firefox\Profiles\r2w6j69q.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.usatoday.com/news/default.htm
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=adbartrp&AF=14542&q=
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-22 18:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1056)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\locator.exe
.
**************************************************************************
.
Completion time: 2010-10-22 18:53:53 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-22 23:53
ComboFix2.txt 2010-10-22 14:34

Pre-Run: 50,245,885,952 bytes free
Post-Run: 50,147,876,864 bytes free

- - End Of File - - F44E1A916EC0D3EF5D46B74EE4C7AA83



Again and again I thank you.......


umma :bananas:

Come on dude....turn up the low end!

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:11:57 PM

Posted 22 October 2010 - 07:48 PM

  • Click Start, then Run, and enter c:\boot.ini
  • The file should open
  • Copy and paste the file contents for my review


Meanwhile, the Combofix log looks good so we can move to the next step.

Please run ESET's online scanner

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Leave the top box checked and then check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#11 ummagumma

ummagumma
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Male
  • Location:In the mountains of Kentucky......
  • Local time:05:57 PM

Posted 23 October 2010 - 07:17 PM

Hey dude I'm back......

The ESET scanner found nothing.........

Here is the boot log.....

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect


umma :gathering:
Come on dude....turn up the low end!

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:11:57 PM

Posted 23 October 2010 - 08:18 PM

Your boot.ini file looks fine.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    msadmsl.dll
    :regfind
    *msadmsl*
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
m0le is a proud member of UNITE

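As an added example (my own, not code from this thread or from any of the tools used in it) of the kind of check behind "your boot.ini looks fine": parse the file and confirm that the default ARC path names an entry listed under [operating systems] and that a Windows installation entry exists at all. The sample is the boot.ini posted above; the altered default value used to exercise the failure path is constructed.

```python
import re

# Constructed sample input: the boot.ini posted earlier in this thread.
BOOT_INI = r"""[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
"""

# An ARC path names a Windows installation; anything else is a boot-sector file or a label.
ARC_PATH = re.compile(r"^multi\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\\S+$")

def parse_boot_ini(text):
    """Return {section: [(key, value), ...]}; split on the FIRST '=' only (values carry /noexecute=optin)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections

def review_boot_ini(text):
    """Return (entries, findings); findings is empty when the file passes these sanity checks."""
    sections = parse_boot_ini(text)
    loader = dict(sections.get("boot loader", []))
    entries, findings = [], []
    for target, value in sections.get("operating systems", []):
        m = re.match(r'^"([^"]*)"\s*(.*)$', value)  # "label" then optional switches
        label, switches = (m.group(1), m.group(2).split()) if m else (value, [])
        entries.append({"target": target, "label": label, "switches": switches,
                        "arc_path": bool(ARC_PATH.match(target))})
    targets = [e["target"] for e in entries]
    default = loader.get("default")
    if default is None:
        findings.append("no default= entry in [boot loader]")
    elif default not in targets:
        findings.append(f"default target '{default}' is not listed under [operating systems]")
    if not any(e["arc_path"] for e in entries):
        findings.append("no Windows installation (ARC path) entry present")
    return entries, findings
```

The Dell-style "UnsupportedDebug" line parses as a plain label entry, which is why the check reports on the default and ARC entries rather than flagging every non-ARC line.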
#13 ummagumma

ummagumma
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Male
  • Location:In the mountains of Kentucky......
  • Local time:05:57 PM

Posted 23 October 2010 - 09:14 PM

Hey, don't know if you are looking for that msadmsl.dll (unknown to the net) that I found on the PC.

When you said something about it not being in the log then it was gone I assumed that was the end of it.

It doesn't get the "missing dll" files on boot anymore. Seems like something is messing with system settings and such every other day.

Here is latest log file:

SystemLook 04.09.10 by jpshortstuff
Log created at 20:31 on 23/10/2010 by Kory
Administrator - Elevation successful

========== filefind ==========

Searching for "msadmsl.dll"
No files found.

========== regfind ==========

Searching for "*msadmsl*"
No data found.

-= EOF =-

Thanks again mate....

umma :thumbup2:
Come on dude....turn up the low end!

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:11:57 PM

Posted 24 October 2010 - 11:20 AM

Yes, I was looking for remnants of the infection in files and registry. SystemLook didn't find anything.

Seems like something is messing with system settings and such every other day.


This quote seems to be the only remaining evidence of anything wrong. What settings are being affected? Is it every other day precisely? Anything else you can tell me?
m0le is a proud member of UNITE

#15 ummagumma

ummagumma
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Male
  • Location:In the mountains of Kentucky......
  • Local time:05:57 PM

Posted 24 October 2010 - 11:45 AM

Well, before coming here I got one BSOD and had like 7 system services disabled after uninstalling Ad-Aware.

Also I "was" using AVG 2011 but uninstalled it and Ad-Aware because they were sucking the life out of my system resources. There was something running in the processes that AVG installed, just labeled "system" with no name or .exe or .dll, that was the main vampire, and after removing it the process is still there but not sucking RAM like it did before.

Also just noticed when looking at processes that System Idle Process is the only process that is labeled now for some reason.

I'm certain something strange will happen soon as it always does, not "exactly" every other day, but it seems as if this PC has a mind and will of its own.

If there are any programs you can suggest that could monitor any file changes that would be great.

Oh, and how or why would there be so many .dll files in the system32 folder with the same name? And is that a concern, as I've never seen this before?

Thanks again Mole.........

umma :mellow:



Come on dude....turn up the low end!



