Win32/Olmarik.AJL trojan infection


  • This topic is locked
10 replies to this topic

#1 LinFariss

LinFariss

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:01 AM

Posted 21 January 2011 - 09:57 PM

Picked up a virus which was pretending to be a virus cleaner, tried to kill it with Eset, but it crashed the system when Eset tried a full system scan. Tried restoring the system several times, to various earlier dates. Finally the system would not boot to C:\Windows at all - blinking window at start of Windows boot. Much mucking about trying to work around the fact that I'm in a remote area in Central Australia and all my backup/boot disks are in Perth. Eventually found an ISO of a Vista boot disk (using another computer, obviously), which booted but could not restore, or boot from the system. Then found "The Ultimate Boot Disk", which also booted, and, using the 1st of several boot managers from a RAM drive (can't remember the name), was able to boot the Vista system from C:
Need to use that boot disk each time to kick start Vista though.
Proceeded to backup my latest data to ext drive.
While doing that, Eset reported a virus
"MBR Sector of the 0.physical disk
Threat Win32/Olmarik.AJL trojan."
When I asked it to clean, Eset reported "Error while cleaning - operation unavailable for this object type."
Proceeded to Google and help forums (there are hundreds), and to this site.
Followed the prep guide to this point. DDS.TXT following.
Attach.txt and ARK.txt attached.
Attached File  Attach.txt   7.55KB   2 downloads
Attached File  ark.txt   12.11KB   3 downloads


DDS (Ver_10-12-12.02) - NTFSx86
Run by Lin at 16:17:59.39 on Fri 21/01/2011
Internet Explorer: 8.0.6001.18999 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3038.1657 [GMT 8:00]

AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_e2247046\STacSV.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\vfsFPService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\DigitalPersona\Bin\DpHostW.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_030ac640\aestsrv.exe
C:\Windows\system32\agrsmsvc.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\lxcqcoms.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Lexmark 9300 Series\lxcqmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Telstra\BigPond Wireless Broadband\BigPond_CM.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Lin\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com/?gcht=HC&o=101702&l=dis
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=83&bd=Pavilion&pf=cnnb
uSearch Page = hxxp://www.telstra.com/
uWindow Title = Telstra BigPond Home Internet Explorer
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=83&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=83&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DigitalPersona Personal Extension: {395610ae-c624-4f58-b89e-23733ea00f9a} - c:\program files\digitalpersona\bin\DpOtsPluginIe8.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [lxcqmon.exe] "c:\program files\lexmark 9300 series\lxcqmon.exe"
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [DpAgent] c:\program files\digitalpersona\bin\dpagent.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LXCQCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCQtime.dll,_RunDLLEntry@16
mRun: [BigPondWirelessBroadbandCM] "c:\program files\telstra\bigpond wireless broadband\BigPond_CM.exe" -tsr
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} - hxxps://office.surtron.com.au/XTSAC.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
LSA: Notification Packages = scecli DPPWDFLT
Hosts: 127.255.255.255 serial.alcohol-soft.com
================= FIREFOX ===================

FF - ProfilePath - c:\users\lin\appdata\roaming\mozilla\firefox\profiles\0bku86gn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.iinet.net.au/customers/
FF - component: c:\program files\digitalpersona\bin\firefoxext\components\dpffcli.dll
FF - component: c:\program files\windows searchqu toolbar\datamngr\firefoxextension\components\DataMngrHlp.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DigitalPersona Extension: otis@digitalpersona.com - c:\program files\digitalpersona\bin\FirefoxExt
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: DigitalPersona Extension: otis@digitalpersona.com - c:\program files\digitalpersona\bin\firefoxext

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-3-24 114984]
R2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};Power Control [2009/08/31 22:18:50];c:\program files\hp\quickplay\000.fcl [2009-8-31 87536]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_030ac640\AEstSrv.exe [2010-3-19 73728]
R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-3-24 133512]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-3-24 810120]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2010-3-24 96896]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2008-3-19 26168]
R2 lxcq_device;lxcq_device;c:\windows\system32\lxcqcoms.exe -service --> c:\windows\system32\lxcqcoms.exe -service [?]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-8-22 361808]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-29 275968]
R2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-3-27 595248]
R3 AVerBDA6x;AVerBDA6x service;c:\windows\system32\drivers\AVerBDA716x.sys [2009-8-31 1114880]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-7-1 193840]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-9-4 54784]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-4-1 81296]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-8-6 44576]
R3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [2008-3-27 40752]
R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2010-10-27 114688]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-8-25 133104]
S3 BEHRINGER_2902;usb-audio.de driver for USB AUDIO;c:\windows\system32\drivers\BUSB2902.sys [2010-3-18 340480]
S3 BUSB_AUDIO_WDM;BEHRINGER USB WDM AUDIO;c:\windows\system32\drivers\busbwdm.sys [2010-3-12 39488]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-10-27 7168]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-23 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]

=============== Created Last 30 ================

2011-01-20 02:07:26 -------- d-----w- c:\users\lin\appdata\roaming\SUPERAntiSpyware.com
2011-01-20 02:07:26 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2011-01-20 02:07:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-01-20 01:38:59 -------- d-----w- c:\progra~2\Fun4IM
2011-01-20 01:38:49 -------- d-----w- c:\program files\Windows Searchqu Toolbar
2011-01-20 01:38:48 -------- d-----w- c:\program files\Fun4IM
2011-01-18 02:17:20 -------- d-----w- c:\users\lin\appdata\roaming\ZoomBrowser EX
2011-01-17 09:18:05 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
2011-01-17 09:18:05 413696 ----a-w- c:\windows\system32\odbc32.dll
2011-01-17 09:18:05 253952 ----a-w- c:\program files\common files\system\ado\msadox.dll
2011-01-17 09:18:05 241664 ----a-w- c:\program files\common files\system\ado\msadomd.dll
2011-01-17 09:18:04 57344 ----a-w- c:\program files\common files\system\msadc\msadcs.dll
2011-01-17 09:18:04 180224 ----a-w- c:\program files\common files\system\msadc\msadco.dll
2011-01-17 09:18:01 1169408 ----a-w- c:\windows\system32\sdclt.exe
2011-01-11 06:16:58 -------- d-----w- C:\AUTO-PROCESSED
2011-01-08 03:21:58 389120 ----a-r- c:\windows\CamPlay.exe
2011-01-08 03:21:58 290816 ----a-w- c:\windows\screenmenu.exe
2011-01-08 03:21:58 -------- d-----w- c:\windows\ViewersGuideFiles
2011-01-05 07:59:53 -------- d-----w- c:\users\lin\appdata\local\Emerald Editor Community
2011-01-05 07:59:20 -------- d-----w- c:\program files\Emerald Editor Community
2011-01-05 07:14:29 -------- d-----w- c:\program files\Advanced Logic Technology
2011-01-04 23:07:42 -------- d-----w- c:\users\lin\appdata\roaming\Microsoft Corporation
2011-01-04 11:45:30 188128 ----a-w- c:\progra~2\microsoft\vcsexpress\10.0\1033\ResourceCache.dll
2011-01-04 10:41:02 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2011-01-04 10:40:53 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2011-01-04 10:39:15 -------- d-----w- c:\windows\system32\RsFx
2011-01-04 10:37:54 -------- d-----w- c:\windows\system32\1033
2011-01-04 10:32:48 -------- d-----w- c:\program files\Microsoft Synchronization Services
2011-01-04 10:32:48 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-01-04 10:32:22 205984 ----a-w- c:\progra~2\microsoft\vbexpress\10.0\1033\ResourceCache.dll
2011-01-04 10:30:11 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-01-04 10:30:10 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2010-12-27 06:50:41 -------- d-----w- c:\progra~2\ZoomBrowser
2010-12-27 06:48:19 -------- d-----w- c:\program files\common files\Canon

==================== Find3M ====================

2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-10-28 13:20:12 2048 ----a-w- c:\windows\system32\tzres.dll

============= FINISH: 16:18:42.00 ===============



#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,310 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:12:01 AM

Posted 27 January 2011 - 07:35 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.


Regards,
Georgi :hello:



#3 LinFariss

LinFariss
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:01 AM

Posted 28 January 2011 - 07:19 AM

Thanks Georgi
I don't have a Windows disk. This is an HP laptop, and the system comes on a D: partition off the main drive, and can only be used to restore the system to factory settings, via a hard disk format.
I tested whether I can restore the system from the D: drive, and found I can.
Ironically, since then, Vista boots off the C: drive without the assistance of "The Ultimate Boot Disk" and "Smart Boot Manager V3.7.1" which I had been using since before I reported the virus.
I have run DDS again, and stored the text files on the desktop, only to find on a later reboot, that they have disappeared.
I ran GMER this morning, and left it to finish (it takes over 8 hours). When I returned, it had crashed with a BSOD.

I can't run a GMER log at all now - it hangs when it gets to \Device\HarddiskVolumeShadowCopy1. When that happens, it also interferes with the system, which suggests it is still partly memory resident, and the only way out after attempting it is to reboot. It doesn't affect that outcome whether I have virus protection and firewall turned off or not.

I've come to the conclusion that a system wipe is the best way to go for me now. All my data is safe, and I need now to get it up and running with confidence ASAP.

If you don't mind, I would like to keep this thread open, because when I've finished restoring the complete system to factory default and reinstalling Windows updates and the essential programs, I'd like to enlist your help via your tools and expertise to check that the virus has in fact been removed. (I read somewhere that BTR viruses can sometimes survive a disk format.)
This will take some time, but when finished, I'll be back with new DDS and GMER logs.
Thanks again,
Linton

#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:01 PM

Posted 30 January 2011 - 07:40 AM

Hello and welcome to Bleeping Computer

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.



Now, a custom install should remove the virus since the MBR will be overwritten. A 'repair install' won't. If you have to backup data to do so, I can provide some guidelines to be safe, or we can clean this computer as best we can before your reformat, including fixing the MBR. Please let me know how you want to proceed.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
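A check for the question Linton raises (did the MBR-resident infection survive the restore?) and for the point etavares makes (a full reinstall rewrites the MBR, a repair install does not). The Python below is an added example, not code from the thread, from ESET or from GMER. It parses the 512-byte sector 0 (boot code, disk signature, four partition entries, 0x55AA signature), hashes only the 440-byte boot-code region, runs structural checks on the partition table, and compares the hash against a baseline the user captures from a known-clean state. The baseline, the default device path and the two sample sectors are constructed for the demo; no vendor hash of the Vista MBR is assumed. Two caveats a practitioner would apply: read sector 0 from boot media rather than from the running OS, because the TDSS/TDL family that ESET names Olmarik filters disk I/O and can hand user-mode readers a clean-looking MBR; and an unchanged partition table proves nothing on its own, since this bootkit overwrites the boot code and keeps the table intact.

```python
# Added example (not from the thread): parse a raw 512-byte MBR, hash the
# boot-code region, sanity-check the partition table, compare to a baseline.
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: boot code, the region an MBR bootkit replaces
DISK_SIG_OFF = 440       # bytes 440..443: Windows disk signature
PART_TABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"   # bytes 510..511
ENTRY_FMT = "<B3xB3xII"  # status(1) CHS start(3) type(1) CHS end(3) LBA(4) sectors(4)


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> Tuple[bytes, int, List[Partition]]:
    """Split sector 0 into (boot_code, disk_signature, non-empty partitions)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("0x55AA boot signature missing: not a valid MBR")
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, off)
        if ptype != 0:                     # type 0x00 marks an empty slot
            parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return sector[:BOOT_CODE_LEN], disk_sig, parts


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot code only, so repartitioning does not change it."""
    boot_code, _, _ = parse_mbr(sector)
    return hashlib.sha256(boot_code).hexdigest()


def mbr_matches_baseline(sector: bytes, baseline_hash: str) -> bool:
    """True if the boot code equals a hash captured from a known-clean state."""
    return boot_code_hash(sector) == baseline_hash


def partition_table_findings(sector: bytes) -> List[str]:
    """Structural problems a tampered or corrupted table tends to show."""
    _, _, parts = parse_mbr(sector)
    findings = []
    if sum(p.bootable for p in parts) > 1:
        findings.append("more than one partition flagged bootable")
    for p in parts:
        status = sector[PART_TABLE_OFF + p.index * PART_ENTRY_LEN]
        if status not in (0x00, 0x80):
            findings.append(f"entry {p.index}: invalid status byte 0x{status:02x}")
        if p.lba_start == 0 or p.sector_count == 0:
            findings.append(f"entry {p.index}: zero LBA start or length")
    spans = sorted((p.lba_start, p.lba_start + p.sector_count, p.index) for p in parts)
    for (_, end_a, ia), (start_b, _, ib) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(f"entries {ia} and {ib} overlap")
    return findings


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the real sector 0 (admin on Windows; /dev/sda and root on Linux).
    Do it from boot media: on the live infected OS the read may be filtered."""
    with open(device, "rb", buffering=0) as f:
        return f.read(SECTOR_SIZE)


def build_mbr(boot_code: bytes, disk_sig: int, parts: List[Partition]) -> bytes:
    """Assemble a synthetic sector 0 (constructed data for the demo below)."""
    if len(boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly 440 bytes")
    buf = bytearray(SECTOR_SIZE)
    buf[:BOOT_CODE_LEN] = boot_code
    struct.pack_into("<I", buf, DISK_SIG_OFF, disk_sig)
    for p in parts:
        struct.pack_into(ENTRY_FMT, buf, PART_TABLE_OFF + p.index * PART_ENTRY_LEN,
                         0x80 if p.bootable else 0x00, p.type_id, p.lba_start, p.sector_count)
    buf[510:512] = BOOT_SIG
    return bytes(buf)


# Constructed layout: NTFS system partition plus a second NTFS partition (C: and D:).
LAYOUT = [Partition(0, True, 0x07, 2048, 400_000_000),
          Partition(1, False, 0x07, 400_002_048, 20_000_000)]
CLEAN_MBR = build_mbr(b"\xeb\x3c\x90" + b"\x00" * (BOOT_CODE_LEN - 3), 0x1234ABCD, LAYOUT)
BASELINE = boot_code_hash(CLEAN_MBR)       # captured once from the clean state
# Same partition table, different boot code: what an MBR bootkit leaves behind.
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90" + b"\x90" * (BOOT_CODE_LEN - 3), 0x1234ABCD, LAYOUT)

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, "baseline match:", mbr_matches_baseline(sec, BASELINE),
              "table findings:", partition_table_findings(sec))
```

In use, the baseline would be taken with read_sector0() from boot media right after the factory restore and stored off the machine; every later read is compared against it, and a mismatch with an unchanged partition table is exactly the pattern this bootkit produces. Rewriting the boot code on Vista is done from the Recovery Environment with bootrec /FixMbr, one way to carry out the MBR fix etavares mentions; the hash comparison afterwards is what turns "the scanner reports clean" into evidence.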
 


#5 LinFariss

LinFariss
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:01 AM

Posted 30 January 2011 - 10:30 PM

Attached File  Attach.txt   5.02KB   1 downloads
Thanks etavares.
I thought I'd made it clear in my last post I was going to proceed with a factory default re-install. I have now completed that, restoring the system to factory defaults. Then I installed Windows vista updates, my anti-virus program, plus the essential programs I use.
I've also re-instated my data from the external drive I use for data backup. Before I did that, a scan by EsetNod32 reported it clean.
I don't use Windows or any other backup programs for data backup - I just copy the data contained in my Documents folder, plus Music and Pictures folders, and use a file sync program (FreeFileSync) to update regularly. The only data I copy from the AppData account onto the external drive is Outlook pst files. No internet favourites, cookies, history etc are saved to the external drive, and hence have not been re-instated.
On that basis, I have re-instated my data to my Documents folder, but have not yet had time to transfer Music or Pictures folder contents.
No viruses have yet been reported by Eset Nod32.
The following is the contents of the DDS.txt file, and attached are the Attach.txt file from DDS, and Ark.txt from the GMER scan.

Sorry I've pre-empted your reply. I won't do anything else until you post again.

Regards

Linton


DDS (Ver_10-12-12.02) - NTFSx86
Run by Lin at 10:55:59.89 on Mon 31/01/2011
Internet Explorer: 8.0.6001.18999
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3038.1820 [GMT 8:00]

AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_e2247046\STacSV.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\vfsFPService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\DigitalPersona\Bin\DpHostW.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_030ac640\aestsrv.exe
C:\Windows\system32\agrsmsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\lxcqcoms.exe
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\UI0Detect.exe
C:\Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Lin\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.iinet.net.au/customers/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=83&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=83&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=83&bd=Pavilion&pf=cnnb
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DigitalPersona Personal Extension: {395610ae-c624-4f58-b89e-23733ea00f9a} - c:\program files\digitalpersona\bin\DpOtsPluginIe8.dll
BHO: AOL Toolbar BHO: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\2.0"
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [DpAgent] c:\program files\digitalpersona\bin\dpagent.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\users\lin\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AOL Toolbar Search - c:\programdata\aol\ietoolbar\resources\en-au\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
LSA: Notification Packages = scecli DPPWDFLT

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-12-21 115008]
R2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};{22D78859-9CE9-4B77-BF18-AC83E81A9263};c:\program files\hp\quickplay\000.fcl [2008-7-1 39408]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_030ac640\AEstSrv.exe [2011-1-29 73728]
R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-12-21 137144]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2011-1-12 810144]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2010-12-21 95384]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2008-3-19 26168]
R2 lxcq_device;lxcq_device;c:\windows\system32\lxcqcoms.exe -service --> c:\windows\system32\lxcqcoms.exe -service [?]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-7-1 341328]
R2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-3-27 595248]
R3 AVerBDA6x;AVerBDA6x service;c:\windows\system32\drivers\AVerBDA716x.sys [2011-1-29 934912]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-7-1 193840]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-1-24 52736]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-4-1 81296]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-23 43552]
R3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [2008-3-27 40752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-23 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]

=============== Created Last 30 ================

2011-01-30 13:55:20 -------- d-----w- c:\users\lin\appdata\roaming\OpenOffice.org
2011-01-30 13:38:44 -------- d-----w- c:\program files\OpenOffice.org 3
2011-01-30 13:37:01 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-30 07:42:53 -------- d-----w- c:\program files\CD Recovery Toolbox Free
2011-01-30 07:35:45 -------- d-----w- c:\users\lin\appdata\roaming\dvdisaster
2011-01-30 07:16:22 -------- d-----w- c:\users\lin\appdata\roaming\GetRightToGo
2011-01-30 05:30:44 693760 ----a-w- c:\windows\system32\drivers\hardlock.sys
2011-01-30 05:30:43 7168 ----a-w- c:\windows\system32\akscoinst.dll
2011-01-30 05:30:43 327168 ----a-w- c:\windows\system32\drivers\akshasp.sys
2011-01-30 05:30:43 104576 ----a-w- c:\windows\system32\drivers\aksclass.sys
2011-01-30 05:30:43 100096 ----a-w- c:\windows\system32\drivers\aksusb.sys
2011-01-30 05:30:42 6656 ----a-w- c:\windows\system32\haspvdd.dll
2011-01-30 05:30:42 47616 ----a-w- c:\windows\system32\drivers\Haspnt.sys
2011-01-30 05:30:42 383 ----a-w- c:\windows\system32\haspdos.sys
2011-01-30 05:10:19 -------- d-----w- c:\program files\SafeNet Sentinel
2011-01-30 05:10:19 -------- d-----w- c:\program files\common files\SafeNet Sentinel
2011-01-30 04:48:15 -------- d-----w- c:\program files\ART Inc
2011-01-30 04:46:05 749568 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\iKernel.dll
2011-01-30 04:46:05 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\ctor.dll
2011-01-30 04:46:05 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\DotNetInstaller.exe
2011-01-30 04:46:05 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\iscript.dll
2011-01-30 04:46:05 180224 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\iuser.dll
2011-01-30 04:46:02 192644 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\iGdi.dll
2011-01-30 04:46:01 323716 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\setup.dll
2011-01-30 04:41:56 -------- d-----w- c:\program files\VideoLAN
2011-01-30 03:32:51 -------- d-----w- c:\program files\FreeFileSync
2011-01-30 00:56:40 662288 ----a-w- c:\windows\system32\MSCOMCT2.OCX
2011-01-30 00:56:40 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX
2011-01-30 00:56:40 116224 ----a-w- c:\windows\system32\pdfcmnnt.dll
2011-01-30 00:56:38 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2011-01-30 00:56:38 -------- d-----w- c:\program files\PDFCreator
2011-01-30 00:29:43 -------- d-----w- c:\users\lin\.gnome2_private
2011-01-30 00:29:43 -------- d-----w- c:\users\lin\.gnome2
2011-01-30 00:29:43 -------- d-----w- c:\users\lin\.gconfd
2011-01-30 00:29:43 -------- d-----w- c:\users\lin\.gconf
2011-01-30 00:29:42 -------- d-----w- c:\users\lin\.gnucash
2011-01-30 00:28:21 -------- d-----w- c:\program files\gnucash
2011-01-29 08:07:07 -------- d-----r- c:\program files\Skype
2011-01-29 07:38:33 118784 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\lxcqdrpp.dll
2011-01-29 07:36:50 344064 ----a-w- c:\windows\system32\lxcqcoin.dll
2011-01-29 07:01:23 -------- d-----w- c:\users\lin\appdata\roaming\FastStone
2011-01-29 07:01:15 -------- d-----w- c:\program files\FastStone Image Viewer
2011-01-29 06:41:32 -------- d-----w- c:\users\lin\appdata\roaming\Foxit Software
2011-01-29 06:41:31 -------- d-----w- c:\users\lin\appdata\roaming\Foxit
2011-01-29 06:41:08 -------- d-----w- c:\program files\Foxit Software
2011-01-29 06:17:18 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2011-01-29 06:17:10 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2011-01-29 06:16:03 -------- d-----w- c:\windows\system32\RsFx
2011-01-29 06:14:37 -------- d-----w- c:\windows\system32\1033
2011-01-29 06:11:08 -------- d-----w- c:\program files\Microsoft Synchronization Services
2011-01-29 06:11:08 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-01-29 06:10:51 205984 ----a-w- c:\progra~2\microsoft\vbexpress\10.0\1033\ResourceCache.dll
2011-01-29 06:08:57 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2011-01-29 06:08:57 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-01-29 05:17:47 -------- d-----w- c:\users\lin\appdata\local\Seven Zip
2011-01-29 04:17:25 -------- d-sh--w- C:\$RECYCLE.BIN
2011-01-29 04:16:11 -------- d-----w- c:\program files\DigitalPersona
2011-01-29 04:08:52 80936 ----a-w- c:\windows\system32\drivers\btwavdt.sys
2011-01-29 04:08:52 80424 ----a-w- c:\windows\system32\drivers\btwaudio.sys
2011-01-29 04:08:52 16168 ----a-w- c:\windows\system32\drivers\btwrchid.sys
2011-01-29 04:08:47 233472 ----a-w- c:\windows\system32\BtwRSupport.dll
2011-01-29 04:08:44 -------- d-----w- c:\windows\system32\es-MX
2011-01-29 04:08:44 -------- d-----w- c:\windows\system32\es-AR
2011-01-29 04:08:42 -------- d-----w- c:\program files\WIDCOMM
2011-01-29 04:08:00 -------- d-----w- c:\windows\system32\HPMDP
2011-01-29 04:07:53 934912 ----a-w- c:\windows\system32\drivers\AVerBDA716x.sys
2011-01-29 04:07:53 3072 ----a-w- c:\windows\system32\716xCoInstaller.dll
2011-01-29 04:07:53 147877 ----a-w- c:\windows\system32\MV716x.ax
2011-01-29 04:07:53 -------- d-----w- c:\windows\Driver Cache
2011-01-29 04:07:51 -------- d-----w- c:\program files\AVerMedia
2011-01-29 04:07:35 -------- d-----w- c:\windows\system32\ENU
2011-01-29 04:07:34 319456 ----a-w- c:\windows\system32\difxapi.dll
2011-01-29 04:07:34 1034776 ----a-w- c:\windows\system32\imsmudlg.exe
2011-01-29 04:07:34 -------- d-----w- c:\windows\system32\Lang
2011-01-29 04:07:29 312344 ----a-w- c:\windows\system32\drivers\iaStor.sys
2011-01-29 04:07:29 -------- d-----w- C:\Intel
2011-01-29 04:06:32 53248 ----a-w- c:\windows\system32\CSVer.dll
2011-01-29 04:05:51 663552 ----a-w- c:\windows\system32\NETw5c32.dll
2011-01-29 04:05:30 -------- d-----w- c:\program files\Realtek
2011-01-29 04:05:16 61440 ----a-w- c:\windows\system32\aestaren.dll
2011-01-29 04:05:16 372736 ----a-w- c:\windows\system32\aestecap.dll
2011-01-29 04:05:16 138240 ----a-w- c:\windows\system32\aestacap.dll
2011-01-29 04:05:15 86016 ----a-w- c:\windows\system32\AESTCom.dll
2011-01-29 04:05:15 536576 ----a-w- c:\windows\system32\idtmini1.exe
2011-01-29 04:05:15 458844 ----a-w- c:\windows\sttray.exe
2011-01-29 04:05:15 3600384 ----a-w- c:\windows\system32\stlang.dll
2011-01-29 04:05:15 12030044 ----a-w- c:\windows\system32\idtcpl.cpl
2011-01-29 04:04:46 175616 ----a-w- c:\windows\system32\staco.dll
2011-01-29 04:04:35 915456 ----a-w- c:\windows\system32\stapo.dll
2011-01-29 04:04:35 490496 ----a-w- c:\windows\system32\stapi32.dll
2011-01-29 04:04:29 -------- d-----w- c:\program files\IDT
2011-01-29 04:04:25 251 ----a-w- c:\windows\xUninstall.bat
2011-01-29 04:04:12 -------- d-----w- c:\windows\JMCR_DIR
2011-01-29 04:03:24 -------- d-----w- c:\program files\Validity Sensors, Inc
2011-01-29 04:02:57 54824 ------w- c:\windows\system32\agrsmdel.exe
2011-01-29 04:02:47 -------- d-----w- c:\windows\Options
2011-01-29 04:02:23 -------- d-----w- c:\program files\Synaptics
2011-01-29 04:01:54 313888 ----a-w- c:\windows\system32\nvexpbar.dll
2011-01-29 04:01:54 1079840 ----a-w- c:\windows\system32\nvcpluir.dll
2011-01-29 04:00:58 584296 ----a-w- c:\windows\system32\NVUNINST.EXE
2011-01-29 04:00:56 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll
2011-01-29 04:00:56 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll
2011-01-29 04:00:56 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe
2011-01-29 04:00:56 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll
2011-01-29 04:00:56 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll
2011-01-29 04:00:56 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll
2011-01-29 04:00:56 188548 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll
2011-01-29 03:20:04 -------- d-----w- c:\users\lin\appdata\local\Microsoft Help
2011-01-29 02:22:25 -------- d-----w- c:\users\lin\appdata\local\Adobe
2011-01-29 02:19:26 -------- d-----w- c:\users\lin\appdata\local\ESET
2011-01-29 00:57:50 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2011-01-29 00:57:50 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2011-01-29 00:28:38 -------- d-----w- c:\windows\system32\SRSLabs
2011-01-29 00:26:41 -------- d-----w- c:\program files\LSI SoftModem
2011-01-29 00:02:36 -------- d-----w- c:\program files\Windows Portable Devices
2011-01-29 00:01:12 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2011-01-29 00:01:11 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2011-01-29 00:01:11 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2011-01-28 23:59:04 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-01-28 23:59:02 234496 ----a-w- c:\windows\system32\oleacc.dll
2011-01-28 23:58:55 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-01-28 23:47:17 231424 ----a-w- c:\windows\system32\msshsq.dll
2011-01-28 23:41:46 -------- d-----w- c:\users\lin\appdata\local\Hewlett-Packard
2011-01-28 23:23:31 -------- d-----w- c:\windows\system32\vi-VN
2011-01-28 23:23:31 -------- d-----w- c:\windows\system32\eu-ES
2011-01-28 23:23:31 -------- d-----w- c:\windows\system32\ca-ES
2011-01-28 23:12:30 -------- d-----w- c:\windows\system32\EventProviders
2011-01-28 23:10:59 805376 ----a-w- c:\windows\system32\NaturalLanguage6.dll
2011-01-28 23:09:59 89088 ----a-w- c:\windows\system32\pintlgnt.ime
2011-01-28 23:08:59 247808 ----a-w- c:\windows\system32\drvstore.dll
2011-01-28 19:17:58 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2011-01-28 19:17:58 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-01-28 19:17:58 125952 ----a-w- c:\windows\system32\srvsvc.dll
2011-01-28 19:17:58 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-01-28 19:17:57 17920 ----a-w- c:\windows\system32\netevent.dll
2011-01-28 19:17:51 377344 ----a-w- c:\windows\system32\winhttp.dll
2011-01-28 19:17:35 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-01-28 19:00:41 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-01-28 19:00:41 49472 ----a-w- c:\windows\system32\netfxperf.dll
2011-01-28 19:00:41 297808 ----a-w- c:\windows\system32\mscoree.dll
2011-01-28 19:00:41 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2011-01-28 19:00:41 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-01-28 18:00:39 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
2011-01-28 17:40:15 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
2011-01-28 17:40:15 420352 ----a-w- c:\windows\system32\vbscript.dll
2011-01-28 16:10:55 -------- d-----w- c:\windows\system32\tr
2011-01-28 16:10:55 -------- d-----w- c:\windows\system32\sv
2011-01-28 16:10:55 -------- d-----w- c:\windows\system32\ru
2011-01-28 16:10:54 -------- d-----w- c:\windows\system32\no
2011-01-28 16:10:52 -------- d-----w- c:\windows\system32\da
2011-01-28 16:10:50 -------- d-----w- c:\windows\system32\ko
2011-01-28 16:10:50 -------- d-----w- c:\windows\system32\ja
2011-01-28 16:10:50 -------- d-----w- c:\windows\system32\it
2011-01-28 16:10:50 -------- d-----w- c:\windows\system32\fr
2011-01-28 16:10:50 -------- d-----w- c:\windows\system32\es
2011-01-28 16:10:50 -------- d-----w- c:\windows\system32\de
2011-01-28 16:10:49 -------- d-----w- c:\windows\DPDrv
2011-01-28 16:07:03 -------- d-----w- c:\progra~2\Downloaded Installations
2011-01-28 15:52:22 72704 ----a-w- c:\windows\system32\admparse.dll
2011-01-28 14:48:20 24064 ----a-w- c:\windows\system32\nshhttp.dll
2011-01-28 14:48:19 411648 ----a-w- c:\windows\system32\drivers\http.sys
2011-01-28 14:48:19 30720 ----a-w- c:\windows\system32\httpapi.dll
2011-01-28 14:47:52 -------- d-----w- c:\program files\MSXML 4.0
2011-01-28 14:43:15 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2011-01-28 14:43:15 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2011-01-28 14:43:15 19968 ----a-w- c:\windows\system32\ARP.EXE
2011-01-28 14:43:15 105984 ----a-w- c:\windows\system32\netiohlp.dll
2011-01-28 14:43:14 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2011-01-28 14:43:14 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2011-01-28 14:43:14 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2011-01-28 14:43:14 10240 ----a-w- c:\windows\system32\finger.exe
2011-01-28 14:42:47 954752 ----a-w- c:\windows\system32\mfc40.dll
2011-01-28 14:42:47 954288 ----a-w- c:\windows\system32\mfc40u.dll
2011-01-28 14:42:16 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2011-01-28 14:42:16 518144 ----a-w- c:\windows\system32\RMActivate.exe
2011-01-28 14:42:15 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2011-01-28 14:42:15 471552 ----a-w- c:\windows\system32\secproc.dll
2011-01-28 14:42:15 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2011-01-28 14:42:15 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2011-01-28 14:42:15 332288 ----a-w- c:\windows\system32\msdrm.dll
2011-01-28 14:42:15 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2011-01-28 14:42:14 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2011-01-28 14:41:58 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-01-28 14:41:58 1696256 ----a-w- c:\windows\system32\gameux.dll
2011-01-28 14:41:57 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-01-28 14:41:48 310784 ----a-w- c:\windows\system32\unregmp2.exe
2011-01-28 14:41:48 1418752 ----a-w- c:\program files\windows media player\setup_wm.exe
2011-01-28 14:41:32 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-01-28 14:41:29 160256 ----a-w- c:\windows\system32\wkssvc.dll
2011-01-28 14:41:23 2048 ----a-w- c:\windows\system32\tzres.dll
2011-01-28 14:41:00 499712 ----a-w- c:\windows\system32\kerberos.dll
2011-01-28 14:41:00 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2011-01-28 14:39:54 1248768 ----a-w- c:\windows\system32\msxml3.dll
2011-01-28 14:38:45 10926592 ----a-w- c:\program files\movie maker\MOVIEMK.dll
2011-01-28 14:32:40 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2011-01-28 14:32:40 31744 ----a-w- c:\windows\system32\msvidc32.dll
2011-01-28 14:32:40 22528 ----a-w- c:\windows\system32\msyuv.dll
2011-01-28 14:32:40 13312 ----a-w- c:\windows\system32\msrle32.dll
2011-01-28 14:32:40 1314816 ----a-w- c:\windows\system32\quartz.dll
2011-01-28 14:32:40 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2011-01-28 14:32:39 91136 ----a-w- c:\windows\system32\avifil32.dll
2011-01-28 14:32:39 82944 ----a-w- c:\windows\system32\mciavi32.dll
2011-01-28 14:32:39 123904 ----a-w- c:\windows\system32\msvfw32.dll
2011-01-28 14:32:36 531968 ----a-w- c:\windows\system32\comctl32.dll
2011-01-28 14:31:23 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2011-01-28 14:27:37 -------- d-----w- c:\program files\ESET
2011-01-28 12:15:06 2730536 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
2011-01-28 12:15:02 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{39fcb9e2-903a-4281-be9c-14c1cd720649}\mpengine.dll
2011-01-28 12:15:02 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-28 12:13:37 172032 ----a-w- c:\windows\system32\wintrust.dll
2011-01-28 12:13:36 98304 ----a-w- c:\windows\system32\cabview.dll
2011-01-28 12:08:46 2421760 ----a-w- c:\windows\system32\wucltux.dll
2011-01-28 12:08:27 -------- d-----w- c:\users\lin\appdata\local\AOL
2011-01-28 12:08:22 87552 ----a-w- c:\windows\system32\wudriver.dll
2011-01-28 12:08:18 33792 ----a-w- c:\windows\system32\wuapp.exe
2011-01-28 12:08:18 171608 ----a-w- c:\windows\system32\wuwebv.dll
2011-01-28 11:40:05 -------- d-----w- c:\users\lin\Bluetooth Software
2011-01-28 11:40:01 -------- d-----w- c:\users\lin\appdata\local\QuickPlay
2011-01-28 11:39:50 -------- d-----w- c:\users\lin\appdata\roaming\Symantec
2011-01-28 11:39:26 -------- d-----w- c:\users\lin\appdata\roaming\DigitalPersona
2011-01-28 11:39:26 -------- d-----w- c:\users\lin\appdata\local\DigitalPersona
2011-01-28 11:35:11 -------- d-----w- c:\program files\MediaRing
2011-01-28 11:34:20 -------- d-----w- c:\users\lin\appdata\roaming\Macrovision

==================== Find3M ====================

2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-14 14:49:23 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb

============= FINISH: 10:56:49.10 ===============

Attached Files

  • ark.txt (4.04KB)


#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:06:01 PM

Posted 31 January 2011 - 06:33 PM

Hello, LinFariss.

It sounded like you were going to proceed, but many times folks want to clean what they can before they copy and backup their files just to be safe. It looks pretty good from that. Is it running better now?

There are two security holes we should close. We'll also run MBAM for a second opinion just to be safe. I expect it to be clean, but it only takes 10 minutes or so for the Quick scan so better safe than sorry.



Step 1

You are using an outdated version of Adobe Reader. Adobe has since been updated and the update closes many security holes and provides new features.

First, uninstall earlier versions of Adobe Reader.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all versions of Adobe Reader.
  • Check (highlight) any item with Adobe Reader in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Adobe Reader version.

Please download the latest version from:
http://get.adobe.com/reader/

And install it. Once installed, launch it, select Help --> Check for Updates and install any updates.


You may also try the free Foxit PDF reader if you prefer:
http://www.foxitsoftware.com/pdf/reader/



Step 2

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 23 and save it to your desktop.
  • Scroll down to where it says "JDK 6 Update 23 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version(s) shown below:
    Java™ 6 Update 22
    Java™ 6 Update 5
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586-p.exe to install the newest version.




Step 3

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#7 LinFariss

LinFariss
  • Topic Starter

  • Members
  • 5 posts
  • Local time: 06:01 AM

Posted 31 January 2011 - 09:49 PM

Thank you, etavares.
All done:
Uninstalled Acrobat reader (I normally use Foxit)
Updated Java
Installed and ran MalwareBytes (free version).
Following is the log file from that scan.


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5651

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18999

1/02/2011 10:38:23 AM
mbam-log-2011-02-01 (10-38-23).txt

Scan type: Quick scan
Objects scanned: 149936
Time elapsed: 2 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

END of log

Cheers
Linton
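
The MBAM log above has a fixed shape: a short header, seven "X Infected: n" counters, then one section per category that lists the items found (or "(No malicious items detected)"). The Python script below, added here as an illustration and not Malwarebytes code, parses that shape, returns a clean/not-clean verdict, and cross-checks each counter against the items actually listed, so a log that was truncated or only partly pasted (the helper asks for the complete log for this reason) is not mistaken for a clean one. The sample log embedded in it is constructed with two made-up detections (Rogue.Example) so the non-clean path is exercised.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x log and decide whether it reports a clean scan.

Added illustration, not Malwarebytes code. SAMPLE_LOG is constructed in the layout of
the log posted above, with two made-up detections (Rogue.Example).
"""
import re
from typing import Dict, List

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 5651
Scan type: Quick scan

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\ExampleRogueAV (Rogue.Example) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\example\AppData\Local\Temp\rogueav.exe (Rogue.Example) -> Quarantined and deleted successfully.

END of log
"""

# The seven categories an MBAM 1.x log always reports.
CATEGORIES = ("Memory Processes Infected", "Memory Modules Infected", "Registry Keys Infected",
              "Registry Values Infected", "Registry Data Items Infected", "Folders Infected",
              "Files Infected")
SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
HEADER_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
NO_ITEMS = "(No malicious items detected)"


def parse_mbam_log(text: str) -> Dict[str, dict]:
    """Split the log into header metadata, per-category counters and per-category item lists."""
    metadata: Dict[str, str] = {}
    summary: Dict[str, int] = {}
    details: Dict[str, List[str]] = {}
    current = None  # category whose item list we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "END of log":
            current = None
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("cat")] = int(m.group("n"))
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group("cat")
            details[current] = []
            continue
        if current is not None:
            if line != NO_ITEMS:
                details[current].append(line)
        elif ": " in line:  # header lines such as "Database version: 5651"
            key, _, value = line.partition(": ")
            metadata[key] = value
    return {"metadata": metadata, "summary": summary, "details": details}


def is_clean(report) -> bool:
    """True only when every counter is zero and no category lists an item."""
    return all(n == 0 for n in report["summary"].values()) and not any(report["details"].values())


def consistency_problems(report) -> List[str]:
    """Missing categories, or counters that disagree with the listed items, mean the log
    was truncated or edited, so a 'clean' verdict drawn from it should not be trusted."""
    problems = []
    for cat in CATEGORIES:
        if cat not in report["summary"]:
            problems.append(f"{cat}: counter missing")
            continue
        listed = len(report["details"].get(cat, []))
        if listed != report["summary"][cat]:
            problems.append(f"{cat}: counter says {report['summary'][cat]}, {listed} item(s) listed")
    return problems
```

Run `parse_mbam_log` on a pasted log, then `is_clean` and `consistency_problems` on the result; an empty problem list plus a clean verdict is what the helper's "your log appears clean" corresponds to, while any problem means the poster should be asked for the full log before a verdict is given.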

#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender: Male
  • Local time: 06:01 PM

Posted 01 February 2011 - 06:08 PM

Hello, LinFariss.

OK, good news. Your log appears clean. Let's clean up our mess. If your computer is running well, please do the steps listed below. At the end, I've also listed a few completely optional things you can do to further secure your computer. Safe surfing!



Step 1

Next, we need to remove the other tools we have used.
  • Please download OTC by OldTimer and save it to your desktop
  • If that link doesn't work, try this one.
  • Double-click the OTC icon to start the program.
  • Then, click the big CleanUp! button.
  • You will get a prompt saying Begin Cleanup Process. Click Yes.
  • Restart your computer when prompted.

If you ran Defogger and disabled your emulator, please don't forget to run it again and re-enable it. See the instructions here to do so.


Optional Items

Please take the time to read below to secure your machine and take the necessary steps to keep it that way.


System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance. If you are running Windows Vista or Windows 7, please right-click on the icon, and select "Run As Administrator"; otherwise it won't work.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware

Protect yourself from malicious sites

The HOSTS file can protect you from connecting to bad sites. See The Hosts File and what it can do for you for more background.

Please download HostsMan. It safeguards you with a regularly updated Hosts file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the downloaded installer and install the tool to a location of your choice
  • Via the Start menu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select at least one (I have MVPS Hosts as my main one)
    • Click "Add Update." After that you will only need to click the update button to retrieve updates.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Keep Windows Up to Date
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Update your AntiVirus Software

It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Use a Firewall

I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Install an AntiSpyware Program

A highly recommended AntiSpyware program is Malwarebytes Anti-Malware. You can download the free version.

Installing this program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with your antivirus software.


Update all these programs regularly
Make sure you update all your programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. You can use Secunia PSI to keep track of necessary updates. It can run in the background and constantly monitor your software; although I just run it once a week manually. It will alert you when an update is available for a variety of software. It is very useful.

Follow this list and your potential for being infected again will reduce dramatically.

Good luck!

etavares



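The HOSTS section of the post above rests on two properties of the file that are easier to see in code: an entry only blocks a name when it points at a sinkhole address (0.0.0.0, 127.0.0.1 or ::1), and matching is exact, so blocking ads.example.net does nothing for cdn.ads.example.net. The Python script below, added here as an illustration and not part of HostsMan or the MVPS list, parses a HOSTS file, answers "is this name blocked?", and lists any entry that maps a name to a routable address, which a protective HOSTS file should never contain (such redirect lines are also what a hijacked HOSTS file looks like, so they are worth reviewing). Every hostname and address in the embedded sample is constructed.

```python
"""Parse a Windows HOSTS file and audit what it blocks.

Added illustration, not HostsMan or MVPS code. SAMPLE_HOSTS is constructed in the layout
of a blocklist-style HOSTS file; every hostname in it is made up.
"""
import ipaddress
from typing import List, Set, Tuple

# Addresses a blocklist points names at so the connection goes nowhere.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}

SAMPLE_HOSTS = """# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost

# --- blocklist section (constructed entries) ---
0.0.0.0  ads.example.net            # banner network
0.0.0.0  tracker.example.org malware-download.example.com
127.0.0.1  phishing.example.test
not-an-ip  broken.example.test      # malformed line, Windows ignores it

# This is a redirect, not a block: traffic to the name goes to a real host.
203.0.113.9  update.example-vendor.test
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address: the resolver ignores the line
        for name in parts[1:]:
            entries.append((parts[0], name.lower().rstrip(".")))
    return entries


def blocked_names(entries) -> Set[str]:
    """Names mapped to a sinkhole address, excluding the standard localhost lines."""
    return {name for ip, name in entries if ip in SINKHOLES and name != "localhost"}


def redirect_entries(entries) -> List[Tuple[str, str]]:
    """Entries that map a name to a routable address.

    A protective HOSTS file should contain none, so every hit deserves a look:
    either a leftover custom entry or a sign the file has been tampered with.
    """
    return [(ip, name) for ip, name in entries if ip not in SINKHOLES]


def is_blocked(entries, hostname: str) -> bool:
    """HOSTS matching is exact: a block on ads.example.net does not cover cdn.ads.example.net."""
    return hostname.lower().rstrip(".") in blocked_names(entries)


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print(f"{len(blocked_names(entries))} names blocked")
    for probe in ("ads.example.net", "cdn.ads.example.net"):
        print(probe, "blocked" if is_blocked(entries, probe) else "NOT blocked")
    for ip, name in redirect_entries(entries):
        print("redirect entry, review:", ip, "->", name)
```

To audit a real machine, read `C:\Windows\System32\drivers\etc\hosts` into `parse_hosts` instead of the sample; a non-empty `redirect_entries` result is the case the post's note about custom entries refers to.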

#9 LinFariss

LinFariss
  • Topic Starter

  • Members
  • 5 posts
  • Local time: 06:01 AM

Posted 02 February 2011 - 12:07 AM

Thank you very much, etavares and Georgi, for your help.
I'll follow through with the suggestions you have made.
I realise now I had become a bit blasé about security, not having had a major infringement for about 8 years now.
I appreciate the new level of awareness I have reached about security generally through the above experience, and through your advice.
Thanks again,
Linton

#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender: Male
  • Local time: 06:01 PM

Posted 02 February 2011 - 05:58 PM

You're welcome. Safe surfing!




#11 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender: Male
  • Local time: 06:01 PM

Posted 05 February 2011 - 04:39 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.






