Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

A reported infection.


  • This topic is locked This topic is locked
19 replies to this topic

#1 Peebs64

Peebs64

  • Members
  • 396 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:23 PM

Posted 24 January 2011 - 05:46 PM

Hi,

I have been asked by a colleague to look into the behaviour of their PC. Original symptoms started with the PC trying to connect to the Internet by itself followed by BSODs. I questioned my colleague about the PC connecting to the Internet however they were somewhat vague. The BSODs when I investigated were PFN_LIST_CORRUPT and CORRUPT_PAGING_FILE which when I replaced the RAM module and gave the PC an extensive clean have not since re appeared.

I currently have not seen any suspicious behaviour from the PC but would appreciate if someone could have a look through the logs and if needed guide me through the clean and update. I'm sorry but at this point in time I have nothing more to go on.

Many thanks

Peebs




DDS (Ver_10-12-12.02) - NTFSx86

Run by ROY at 14:29:03.71 on 24/01/2011

Internet Explorer: 6.0.2800.1106

Microsoft Windows XP Home Edition 5.1.2600.1.1252.44.1033.18.480.96 [GMT 0:00]





============== Running Processes ===============



C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\sony\giga pocket\shwserv.exe

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

C:\WINDOWS\System32\mfevtps.exe

c:\fotowin\RTETPISv.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\UStorSrv.exe

C:\Program Files\sony\vaio media music server\SSSvr.exe

C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe

C:\Program Files\sony\giga pocket\GPVSvr.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe

C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe

C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe

C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe

C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe

C:\Program Files\sony\giga pocket\RM_SV.exe

C:\WINDOWS\System32\WgaTray.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\System32\ezSP_Px.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\drag'n drop cd+dvd\BinFiles\DragDrop.exe

C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe

C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe

C:\Program Files\Java\jre1.5.0\bin\jusched.exe

C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\RTE\RTEGPRS.exe

C:\Program Files\sony\keyboard closure setup\KSWServ.exe

C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe

C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe

C:\Program Files\sony\usbsircs\usbsircs.exe

C:\Program Files\sony\giga pocket\ReserveModule.exe

C:\Program Files\Sony\VAIO Action Setup\VAServ.exe

C:\Program Files\sony\giga pocket\gps.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

H:\BleepingComputer\dds.scr



============== Pseudo HJT Report ===============



uStart Page = hxxp://www.google.co.uk/

uSearch Bar = hxxp://www.google.com/ie

mDefault_Page_URL = hxxp://www.club-vaio.sony-europe.com/

mStart Page = hxxp://www.google.co.uk/

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: H - No File

uURLSearchHooks: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\program files\mybabylon_english\tbmyB2.dll

uURLSearchHooks: TranslatorBar 1 Toolbar: {00bf7b9c-acd2-4080-bea8-b1c41987070f} - c:\program files\translatorbar_1\tbTra2.dll

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: TranslatorBar 1 Toolbar: {00bf7b9c-acd2-4080-bea8-b1c41987070f} - c:\program files\translatorbar_1\tbTra2.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx

BHO: eBay Toolbar Helper: {22d8e815-4a5e-4dfb-845e-aab64207f5bd} - c:\program files\ebay\ebay toolbar2\eBayTB.dll

BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

BHO: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll

BHO: baloudHelperObj Class: {6165d324-3aaf-4c63-b545-c7d2285bea1c} - c:\program files\texthelp systems\readandwrite7\thhtmlbho.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110106003627.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\program files\mybabylon_english\tbmyB2.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll

BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll

TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll

TB: eBay Toolbar: {92085ad4-f48a-450d-bd93-b28cc7df67ce} - c:\program files\ebay\ebay toolbar2\eBayTB.dll

TB: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\program files\mybabylon_english\tbmyB2.dll

TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: TranslatorBar 1 Toolbar: {00bf7b9c-acd2-4080-bea8-b1c41987070f} - c:\program files\translatorbar_1\tbTra2.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll

EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [RTEGPRS] "c:\program files\common files\rte\RTEGPRS.exe" tray

mRun: [SiS Tray]

mRun: [SiS KHooker] c:\windows\system32\khooker.exe

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Drag'n Drop CD+DVD] c:\program files\drag'n drop cd+dvd\binfiles\DragDrop.exe /StartUp

mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe

mRun: [RetroExpress] c:\progra~1\retros~1\retros~1.1\RetroExpress.exe /h

mRun: [SSC_UserPrompt] c:\program files\common files\symantec shared\security center\UsrPrmpt.exe

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire\Corel Photo Downloader.exe

mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0\bin\jusched.exe

mRun: [eBayToolbar] c:\program files\ebay\ebay toolbar2\eBayTBDaemon.exe

mRun: [FRAlert] "c:\program files\file recover\Alert.exe" /PRODUCT=FR /R

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe

dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe

dRunOnce: [DeltaDep]

StartupFolder: c:\docume~1\roy\startm~1\programs\startup\yowindow.lnk - c:\program files\yowindow\yowindow.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\keyboa~1.lnk - c:\program files\sony\keyboard closure setup\KSWServ.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\remoco~1.lnk - c:\program files\sony\usbsircs\usbsircs.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\timerr~1.lnk - c:\program files\sony\giga pocket\ReserveModule.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vaioac~1.lnk - c:\program files\sony\vaio action setup\VAServ.exe

IE: Add to AMV Convert Tool... - c:\program files\mp3 player utilities 3.70\amvconverter\grab.html

IE: Add to AMV Converter... - c:\program files\mp3 player utilities 4.05\amvconverter\grab.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html

IE: MediaManager tool grab multimedia file - c:\program files\mp3 player utilities 4.05\mediamanager\grab.html

IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

Trusted Zone: sony-europe.com

Trusted Zone: sonystyle-europe.com

Trusted Zone: vaio-link.com

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll



============= SERVICES / DRIVERS ===============



R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 386840]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-1-6 84072]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-6 271480]

R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-6 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-6 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-6 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-1-6 171168]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-1-6 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-6 141792]

R2 pavdrv;pavdrv;c:\windows\system32\drivers\pavdrv51.sys [2003-4-3 58752]

R2 RTETAPIService;RTE : TAPI;c:\fotowin\RTETPISV.EXE [2006-7-23 49152]

R2 SonyKBS;Keyboard State Detection Service;c:\windows\system32\drivers\SonyKBS.sys [2003-2-28 7936]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-1-6 55840]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-1-6 152960]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-1-6 52104]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-1-6 313288]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-1-6 88544]

S2 gupdate1ca7e4745d47fd4;Google Update Service (gupdate1ca7e4745d47fd4);c:\program files\google\update\GoogleUpdate.exe [2009-12-16 133104]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-1-6 88544]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-1-6 84264]



=============== Created Last 30 ================



2011-01-06 00:36:26 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-01-06 00:36:18 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-01-06 00:36:18 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-01-06 00:36:17 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-01-06 00:36:17 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-01-06 00:36:17 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-01-06 00:36:17 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-01-06 00:36:17 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-01-06 00:36:12 -------- d-----w- c:\program files\common files\Mcafee

2011-01-06 00:36:05 -------- d-----w- c:\program files\McAfee.com

2011-01-06 00:35:38 -------- d-----w- c:\program files\McAfee

2011-01-06 00:27:17 141792 ----a-w- c:\windows\system32\mfevtps.exe



==================== Find3M ====================



2011-01-19 10:05:57 65536 ----a-w- c:\windows\DUMP65ed.tmp

2011-01-19 10:04:33 65536 ----a-w- c:\windows\DUMP6580.tmp

2011-01-17 10:38:54 65536 ----a-w- c:\windows\DUMP664b.tmp

2010-12-22 22:42:21 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys

2010-12-21 16:51:36 168 -csh--r- c:\windows\system32\F2F73E34AC.sys

2010-11-11 15:40:13 0 -c--a-w- c:\windows\system32\ConduitEngine.tmp



============= FINISH: 14:29:42.26 ===============

Attached Files


I am a man of science, not someone's snuggle bunny. - Sheldon Cooper

BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:23 PM

Posted 30 January 2011 - 03:02 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply





Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".


information and logs:

  • In your next post I need the following

  • .logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Peebs64

Peebs64
  • Topic Starter

  • Members
  • 396 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:23 PM

Posted 30 January 2011 - 04:18 AM

Hi Gringo,

I'm currently not at the PC but will be tomorrow am and will post as soon as the logs are available. Thank you for your assistance with this.

Regards

Peebs
I am a man of science, not someone's snuggle bunny. - Sheldon Cooper

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:23 PM

Posted 30 January 2011 - 04:58 AM

no problem I will be in later


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Peebs64

Peebs64
  • Topic Starter

  • Members
  • 396 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:23 PM

Posted 31 January 2011 - 03:47 AM

Hi Gringo,

At this point the PC is not showing any symptoms as its not in general use. Below are the logs you requested.

This look like fun!! :crazy:

Thanks

Peebs


DDS (Ver_10-12-12.02) - NTFSx86
Run by ROY at 8:14:37.68 on 31/01/2011
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Home Edition 5.1.2600.1.1252.44.1033.18.480.175 [GMT 0:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\sony\giga pocket\shwserv.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\System32\mfevtps.exe
c:\fotowin\RTETPISv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\sony\vaio media music server\SSSvr.exe
C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe
C:\Program Files\sony\giga pocket\GPVSvr.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
C:\Program Files\sony\giga pocket\RM_SV.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\drag'n drop cd+dvd\BinFiles\DragDrop.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe
C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\RTE\RTEGPRS.exe
C:\Program Files\sony\keyboard closure setup\KSWServ.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\sony\giga pocket\ReserveModule.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\sony\giga pocket\gps.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrospect.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\Documents and Settings\ROY\Desktop\dds (1).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.club-vaio.sony-europe.com/
mStart Page = hxxp://www.google.co.uk/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
uURLSearchHooks: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\program files\mybabylon_english\tbmyB2.dll
uURLSearchHooks: TranslatorBar 1 Toolbar: {00bf7b9c-acd2-4080-bea8-b1c41987070f} - c:\program files\translatorbar_1\tbTra2.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: TranslatorBar 1 Toolbar: {00bf7b9c-acd2-4080-bea8-b1c41987070f} - c:\program files\translatorbar_1\tbTra2.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: eBay Toolbar Helper: {22d8e815-4a5e-4dfb-845e-aab64207f5bd} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
BHO: baloudHelperObj Class: {6165d324-3aaf-4c63-b545-c7d2285bea1c} - c:\program files\texthelp systems\readandwrite7\thhtmlbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110106003627.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\program files\mybabylon_english\tbmyB2.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: eBay Toolbar: {92085ad4-f48a-450d-bd93-b28cc7df67ce} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
TB: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\program files\mybabylon_english\tbmyB2.dll
TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: TranslatorBar 1 Toolbar: {00bf7b9c-acd2-4080-bea8-b1c41987070f} - c:\program files\translatorbar_1\tbTra2.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [RTEGPRS] "c:\program files\common files\rte\RTEGPRS.exe" tray
mRun: [SiS Tray]
mRun: [SiS KHooker] c:\windows\system32\khooker.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Drag'n Drop CD+DVD] c:\program files\drag'n drop cd+dvd\binfiles\DragDrop.exe /StartUp
mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe
mRun: [RetroExpress] c:\progra~1\retros~1\retros~1.1\RetroExpress.exe /h
mRun: [SSC_UserPrompt] c:\program files\common files\symantec shared\security center\UsrPrmpt.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire\Corel Photo Downloader.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0\bin\jusched.exe
mRun: [eBayToolbar] c:\program files\ebay\ebay toolbar2\eBayTBDaemon.exe
mRun: [FRAlert] "c:\program files\file recover\Alert.exe" /PRODUCT=FR /R
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
dRunOnce: [DeltaDep]
StartupFolder: c:\docume~1\roy\startm~1\programs\startup\yowindow.lnk - c:\program files\yowindow\yowindow.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\keyboa~1.lnk - c:\program files\sony\keyboard closure setup\KSWServ.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\remoco~1.lnk - c:\program files\sony\usbsircs\usbsircs.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\timerr~1.lnk - c:\program files\sony\giga pocket\ReserveModule.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vaioac~1.lnk - c:\program files\sony\vaio action setup\VAServ.exe
IE: Add to AMV Convert Tool... - c:\program files\mp3 player utilities 3.70\amvconverter\grab.html
IE: Add to AMV Converter... - c:\program files\mp3 player utilities 4.05\amvconverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: MediaManager tool grab multimedia file - c:\program files\mp3 player utilities 4.05\mediamanager\grab.html
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-1-6 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-6 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-1-6 171168]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-6 141792]
R2 pavdrv;pavdrv;c:\windows\system32\drivers\pavdrv51.sys [2003-4-3 58752]
R2 RTETAPIService;RTE : TAPI;c:\fotowin\RTETPISV.EXE [2006-7-23 49152]
R2 SonyKBS;Keyboard State Detection Service;c:\windows\system32\drivers\SonyKBS.sys [2003-2-28 7936]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-1-6 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-1-6 52104]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-1-6 88544]
S2 gupdate1ca7e4745d47fd4;Google Update Service (gupdate1ca7e4745d47fd4);c:\program files\google\update\GoogleUpdate.exe [2009-12-16 133104]
S2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-6 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-6 271480]
S2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-6 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-1-6 188136]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-1-6 55840]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-1-6 313288]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-1-6 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-1-6 84264]

=============== Created Last 30 ================

2011-01-06 00:36:26 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-01-06 00:36:18 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-01-06 00:36:18 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-01-06 00:36:17 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-01-06 00:36:17 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-01-06 00:36:17 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-01-06 00:36:17 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-01-06 00:36:17 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-01-06 00:36:12 -------- d-----w- c:\program files\common files\Mcafee
2011-01-06 00:36:05 -------- d-----w- c:\program files\McAfee.com
2011-01-06 00:35:38 -------- d-----w- c:\program files\McAfee
2011-01-06 00:27:17 141792 ----a-w- c:\windows\system32\mfevtps.exe

==================== Find3M ====================

2011-01-19 10:05:57 65536 ----a-w- c:\windows\DUMP65ed.tmp
2011-01-19 10:04:33 65536 ----a-w- c:\windows\DUMP6580.tmp
2011-01-17 10:38:54 65536 ----a-w- c:\windows\DUMP664b.tmp
2010-12-22 22:42:21 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
2010-12-21 16:51:36 168 -csh--r- c:\windows\system32\F2F73E34AC.sys
2010-11-11 15:40:13 0 -c--a-w- c:\windows\system32\ConduitEngine.tmp

============= FINISH: 8:16:13.56 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 22/07/2006 15:59:36
System Uptime: 30/01/2011 21:19:56 (11 hours ago)

Motherboard: ASUSTeK Computer INC. | | KOMUGI
Processor: Intel® Pentium® 4 CPU 2.80GHz | PGA 478 | 2792/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 28 GiB total, 1.431 GiB free.
D: is FIXED (NTFS) - 121 GiB total, 2.712 GiB free.
E: is Removable
F: is CDROM ()
G: is CDROM (CDFS)
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1273: 26/10/2010 20:05:32 - System Checkpoint
RP1274: 28/10/2010 12:34:10 - System Checkpoint
RP1275: 29/10/2010 19:54:25 - System Checkpoint
RP1276: 31/10/2010 10:45:41 - System Checkpoint
RP1277: 01/11/2010 10:49:30 - System Checkpoint
RP1278: 03/11/2010 09:11:53 - System Checkpoint
RP1279: 04/11/2010 11:32:29 - System Checkpoint
RP1280: 05/11/2010 11:33:14 - System Checkpoint
RP1281: 06/11/2010 16:06:18 - System Checkpoint
RP1282: 07/11/2010 17:12:54 - System Checkpoint
RP1283: 08/11/2010 17:41:48 - System Checkpoint
RP1284: 09/11/2010 22:02:55 - System Checkpoint
RP1285: 10/11/2010 14:44:43 - Removed Skype™ 4.1
RP1286: 11/11/2010 18:19:40 - System Checkpoint
RP1287: 12/11/2010 22:50:28 - System Checkpoint
RP1288: 13/11/2010 00:36:06 - Installed ParetoLogic Data Recovery.
RP1289: 14/11/2010 13:06:41 - System Checkpoint
RP1290: 15/11/2010 18:19:41 - System Checkpoint
RP1291: 16/11/2010 19:49:56 - System Checkpoint
RP1292: 17/11/2010 19:52:34 - System Checkpoint
RP1293: 18/11/2010 22:28:39 - System Checkpoint
RP1294: 19/11/2010 16:10:39 - Installed Skylook
RP1295: 20/11/2010 16:53:27 - System Checkpoint
RP1296: 21/11/2010 18:32:46 - System Checkpoint
RP1297: 22/11/2010 18:36:02 - System Checkpoint
RP1298: 23/11/2010 21:36:28 - System Checkpoint
RP1299: 25/11/2010 09:16:13 - System Checkpoint
RP1300: 26/11/2010 09:18:34 - System Checkpoint
RP1301: 27/11/2010 10:06:26 - System Checkpoint
RP1302: 28/11/2010 12:42:29 - System Checkpoint
RP1303: 29/11/2010 13:13:02 - System Checkpoint
RP1304: 30/11/2010 16:37:48 - System Checkpoint
RP1305: 01/12/2010 17:36:18 - System Checkpoint
RP1306: 02/12/2010 17:52:59 - System Checkpoint
RP1307: 04/12/2010 13:19:55 - System Checkpoint
RP1308: 05/12/2010 13:23:31 - System Checkpoint
RP1309: 05/12/2010 22:37:53 - Removed Skylook
RP1310: 07/12/2010 07:23:41 - System Checkpoint
RP1311: 08/12/2010 07:42:28 - System Checkpoint
RP1312: 09/12/2010 07:55:08 - System Checkpoint
RP1313: 10/12/2010 09:19:47 - System Checkpoint
RP1314: 11/12/2010 16:37:23 - System Checkpoint
RP1315: 12/12/2010 19:34:44 - System Checkpoint
RP1316: 13/12/2010 22:18:48 - System Checkpoint
RP1317: 15/12/2010 07:09:03 - System Checkpoint
RP1318: 16/12/2010 09:59:58 - System Checkpoint
RP1319: 17/12/2010 13:21:12 - System Checkpoint
RP1320: 18/12/2010 15:18:50 - System Checkpoint
RP1321: 20/12/2010 06:59:02 - System Checkpoint
RP1322: 21/12/2010 09:43:33 - System Checkpoint
RP1323: 22/12/2010 11:30:09 - System Checkpoint
RP1324: 04/01/2011 15:35:20 - System Checkpoint
RP1325: 06/01/2011 00:16:55 - System Checkpoint
RP1326: 07/01/2011 07:25:20 - System Checkpoint
RP1327: 08/01/2011 13:17:41 - System Checkpoint
RP1328: 09/01/2011 14:33:43 - System Checkpoint
RP1329: 10/01/2011 17:01:48 - System Checkpoint
RP1330: 11/01/2011 11:19:11 - Removed Skype Toolbars
RP1331: 11/01/2011 11:21:04 - Removed Skype™ 5.0
RP1332: 14/01/2011 14:01:42 - System Checkpoint
RP1333: 21/01/2011 09:37:24 - System Checkpoint
RP1334: 24/01/2011 14:20:59 - System Checkpoint
RP1335: 26/01/2011 12:54:16 - System Checkpoint

==== Installed Programs ======================


101 Dalmatians Print Studio
20th Century Day by Day
3D World Atlas
7-Zip 4.57
A Bug's Life Action Game
ABBYY FineReader 5.0 Sprint Plus
Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Photoshop Elements 2.0
Adobe Premiere 6 LE
Adobe Shockwave Player 11
Adventure Pinball
Agere Systems AC'97 Modem
ALOT Toolbar
Apple Software Update
ArcSoft Software Suite
Art Attack
AutoUpdate
AVIConverter 2.0
Aztec Bricks
BAMZOOKi v3.1 (build 115.158)
Bde
Beauty or the Beast
BHunter
Board Games
Cabrio v2.6
Card Classics and Solitaire Gold
CardRecovery 5.30
CCleaner (remove only)
Click to DVD 1.2
Compatibility Pack for the 2007 Office system
ConvertMovie 4.1
Corel Paint Shop Pro Photo XI
Corel Snapfire
Creatures 3
Cube Hopper
Cyberchase Castleblanca Quest
DANCE DANCE DANCE
DDR - Pen Drive Recovery(Demo) 4.0.1.6
DDR - Removable Media(Demo) 4.0.1.6
DevalVR for Internet Explorer (remove)
Dinosaur Activity Center Update
Dinosaur Activity Centre
DirectX Media Runtime 5.1
Disney's Animated StoryBook 101 Dalmatians
Disney's Jungle Fun
Disney's Lilo and Stitch Hawaiian Discovery
Disney's Master Mouse
Disney Interactive Global Compatibility Update June 2003
DivX
DivX Converter
DivX Player
DivX Web Player
Drag'n Drop CD+DVD
DVgate
eBay Toolbar
Edible Artist Version 7.3 Full
Entertainment Gamer Pack - Part 1
Entertainment Gamer Pack - Part 2
EPSON CardMonitor
EPSON Copy Utility
EPSON Photo Print
EPSON PhotoQuicker3.5
EPSON PhotoStarter3.1
EPSON Print CD
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
EPSON Web-To-Page
ESPRX500 Operation Guide
ESPRX500 Reference Guide
ESPRX500 Software Guide
Family Encyclopedia
Family Tree Designer
FIFA 2000
File Recover 8.0
FotoWin Fax & Emulator
FreeSpace
Galaxy OnLine
Geomag Image 1.0
Giga Pocket 5.5
Giga Pocket Demo Movie
Giga Pocket Hardware Library 5.5
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Update Helper
Harry Potter - Print Studio - Slytherin Edition
Horrible Science
Human Body Explorer
I Love Spelling!
Inspiration 7.5 Intl
InterActual Player
IsEqual
ISP Selector
ISP Selector (English)
J2SE Runtime Environment 5.0
Keyboard Closure Setup 1.3.02
L&H TTS3000 British English
LEGO Creator Harry Potter
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
LyricsSeeker plugins 2.1
Macromedia Flash Player
MahJongg Master
Mavis Beacon Teaches Typing - Version 8
Maxtor OneTouch III
McAfee SecurityCenter
Memory Stick Formatter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
Monsters Inc Wreck Room Arcade Billiards & Pinball
MoodLogic
Mosby's Medical Encyclopedia
MP3 Player Utilities 3.5.02
MP3 Player Utilities 3.70
MP3 Player Utilities 4.05
Mpeg2Decoder 1.3
Music Visualizer Library 1.4.00
My First Dictionary 2.0
myBabylon_English Toolbar
Nero 6 Demo
Norton Security Scan
Norton WMI Update
OpenMG Limited Patch 3.2-03-02-21-08
OpenMG Limited Patch 3.2-03-03-18-01
OpenMG Limited Patch 3.2-03-04-14-02
OpenMG Secure Module 3.2
P.I.M. II Plug-In
ParetoLogic Data Recovery
Pattern Maker for cross stitch - v4
Photo Story 3 for Windows
Picture Package
PictureGear Studio 1.0
PIF DESIGNER2.1
Polyominoes
Pong
PowerDVD
QuickTime
Read and Write 7
RealPlayer
RedShift 3
Retrospect Express HD 1.1
Roll
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile Composite Device Software
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB914798)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Settlers3
Shockwave
SiS Compatible VGA V2.18
Skipper and Skeeto
Skipper and Skeeto 2
SmartSoft Video Converter
SonicStage 1.6.00
Sony DV Shared Library
Sony USB Driver
Stellar Phoenix Photo Recovery v3.5
System Tool2011
Test For Success - English
TetriMania Master
The Complete Interactive Cookbook
Theme Hospital
Top 30 Games 4 Kids
TranslatorBar 1 Toolbar
Tweak UI
Umbro Pro Football
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
USB-IrDA Adapter
VAIO Action Setup
VAIO BrightColor Wallpaper
VAIO Bubble Wallpaper
VAIO Chain Wallpaper
VAIO Clock Screen Saver
VAIO DeepSea Wallpaper
VAIO Edit Components LE
VAIO MarineSnow Wallpaper
VAIO Media 2.5
VAIO Media Music Server 2.5
VAIO Media Photo Server 2.5
VAIO Media Platform 2.5
VAIO Media Redistribution 2.5
VAIO Media Setup 2.5
VAIO Media Video Server 2.5
VAIO Online Registration (English)
VAIO Orbit Wallpaper
VAIO Remote Commander Utility 6.1
VAIO System Information
VideoLAN VLC media player 0.8.5
VOR
Web Sudoku Deluxe 1.1.1
WebFldrs XP
WellPhone
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB916281
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
WinRAR archiver
WinUndelete
World Explorer

==== Event Viewer Messages From Past Week ========

24/01/2011 14:25:33, error: Service Control Manager [7016] - The VAIO Media Photo Server service has reported an invalid current state 272.

==== End Of File ===========================



RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 1)
Number of processors #1
==============================================
>Drivers
==============================================
0x804D4000 C:\WINDOWS\system32\ntoskrnl.exe 2040832 bytes (Microsoft Corporation, NT Kernel & System)
0x804D4000 PnpManager 2040832 bytes
0x804D4000 RAW 2040832 bytes
0x804D4000 WMIxWDM 2040832 bytes
0xBF800000 Win32k 1814528 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1814528 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF6142000 C:\WINDOWS\System32\DRIVERS\AGRSM.sys 1171456 bytes (Agere Systems, SoftModem Device Driver)
0xBF9BB000 C:\WINDOWS\System32\SiSGRV.dll 1069056 bytes (Silicon Integrated Systems Corporation, SiS Compatible Super VGA Driver)
0xF5FB7000 C:\WINDOWS\System32\DRIVERS\smrt.sys 761856 bytes (Sony Corporation, Sony MPEG RealTime encoder board)
0xF60B4000 C:\WINDOWS\system32\drivers\smwdm.sys 581632 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )
0xF765D000 Ntfs.sys 565248 bytes (Microsoft Corporation, NT File System Driver)
0xEE34C000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 434176 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF6292000 C:\WINDOWS\System32\DRIVERS\sisgrp.sys 401408 bytes (Silicon Integrated Systems Corporation, SiS Compatible Super VGA Driver)
0xEE2A0000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 393216 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0xF76FB000 mfehidk.sys 380928 bytes (McAfee, Inc., McAfee Link Driver)
0xEE441000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 344064 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xEC50B000 C:\WINDOWS\System32\DRIVERS\srv.sys 323584 bytes (Microsoft Corporation, Server driver)
0xF77BB000 ACPI.sys 180224 bytes (Microsoft Corporation, ACPI Driver for NT)
0xEC64A000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 176128 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xEE3DE000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 167936 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF7635000 NDIS.sys 163840 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xEB453000 C:\WINDOWS\system32\drivers\kmixer.sys 159744 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xEE407000 C:\WINDOWS\System32\DRIVERS\netbt.sys 159744 bytes (Microsoft Corporation, MBT Transport driver)
0xEB086000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF5F18000 C:\WINDOWS\system32\drivers\mfeavfk.sys 147456 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xF568F000 C:\WINDOWS\System32\DRIVERS\update.sys 139264 bytes (Microsoft Corporation, Update Driver)
0xF6071000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 139264 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xEC87D000 C:\WINDOWS\System32\drivers\afd.sys 135168 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xF6093000 C:\WINDOWS\system32\drivers\portcls.sys 135168 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF6260000 C:\WINDOWS\System32\DRIVERS\ks.sys 131072 bytes (Microsoft Corporation, Kernel CSA Library)
0x806C7000 ACPI_HAL 127872 bytes
0x806C7000 C:\WINDOWS\system32\hal.dll 127872 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF777F000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF779E000 pcmcia.sys 118784 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xF761B000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xEB22E000 C:\DOCUME~1\ROY\LOCALS~1\Temp\awtyipow.sys 98304 bytes
0xF7769000 atapi.sys 90112 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xEC936000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 90112 bytes
0xEB0D1000 C:\WINDOWS\system32\drivers\mfeapfk.sys 90112 bytes (McAfee, Inc., Access Protection Filter Driver)
0xF5F4D000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 90112 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xF76E7000 KSecDD.sys 81920 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF5F63000 C:\WINDOWS\System32\DRIVERS\mfendisk.sys 81920 bytes (McAfee, Inc., McAfee NDIS Intermediate Driver)
0xEE495000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xEE42E000 C:\WINDOWS\system32\drivers\mfetdi2k.sys 77824 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0xEBBC9000 C:\WINDOWS\system32\drivers\wdmaud.sys 77824 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF6280000 C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS 73728 bytes (Microsoft Corporation, Video Port Driver)
0xBFF80000 C:\WINDOWS\System32\drivers\dxg.sys 69632 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF5F3C000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF7758000 sr.sys 69632 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7808000 pci.sys 65536 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xEE559000 C:\WINDOWS\System32\Drivers\Udfs.SYS 65536 bytes (Microsoft Corporation, UDF File System Driver)
0xEC3F3000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 61440 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF6C1C000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF6BEC000 C:\WINDOWS\System32\DRIVERS\nic1394.sys 61440 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xEE4E9000 C:\WINDOWS\System32\DRIVERS\pavdrv51.sys 61440 bytes (Panda Software, Panda Antivirus Filter Driver for Windows XP)
0xF7988000 C:\WINDOWS\System32\DRIVERS\arp1394.sys 57344 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xECF20000 C:\WINDOWS\System32\DRIVERS\irda.sys 57344 bytes (Microsoft Corporation, IRDA Protocol Driver)
0xF7828000 ohci1394.sys 57344 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF6C2C000 C:\WINDOWS\System32\DRIVERS\redbook.sys 57344 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xEC07F000 C:\WINDOWS\system32\drivers\sysaudio.sys 57344 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF7838000 C:\WINDOWS\System32\DRIVERS\1394BUS.SYS 53248 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF6C6C000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF7938000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 53248 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF6C3C000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 49152 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF7878000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 49152 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF6BFC000 C:\WINDOWS\System32\DRIVERS\R8139n51.SYS 49152 bytes (Realtek Semiconductor Corporation, Realtek RTL8139/810x Family NDIS 5.1 Drv)
0xF6BDC000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 49152 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF78B8000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF6C0C000 C:\WINDOWS\System32\DRIVERS\STREAM.SYS 49152 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0xF7858000 VolSnap.sys 49152 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xEB3C4000 C:\WINDOWS\system32\drivers\mfebopk.sys 45056 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0xF6C4C000 C:\WINDOWS\System32\DRIVERS\imapi.sys 40960 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7848000 MountMgr.sys 40960 bytes (Microsoft Corporation, Mount Manager)
0xF78E8000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF78A8000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 40960 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF78D8000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7868000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7968000 C:\WINDOWS\System32\Drivers\Fips.SYS 36864 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF79B8000 C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF7818000 isapnp.sys 36864 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF78C8000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF7958000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xEB384000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF6C5C000 C:\WINDOWS\System32\DRIVERS\SonyWBMS.SYS 36864 bytes (Sony Corporation, Sony Memory Stick I/F Driver)
0xF7978000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7AE0000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF7B50000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7AD0000 C:\WINDOWS\System32\DRIVERS\processr.sys 32768 bytes (Microsoft Corporation, Processor Device Driver)
0xF7AA0000 SISAGPX.sys 32768 bytes (Silicon Integrated Systems Corporation, SiS NT AGP Filter)
0xF7B20000 C:\DOCUME~1\ROY\LOCALS~1\Temp\mbr.sys 28672 bytes
0xF7B38000 C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS 24576 bytes (Microsoft Corporation, Hid Parsing Library)
0xF7AD8000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7B08000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7A88000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 24576 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7B58000 C:\WINDOWS\System32\Drivers\StarOpen.SYS 24576 bytes
0xF7AC8000 C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS 24576 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF7B48000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7A90000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7AF8000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7A98000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF7AF0000 C:\WINDOWS\System32\DRIVERS\rasirda.sys 20480 bytes (Microsoft Corporation, IrDA WAN Miniport Driver)
0xF7B00000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7AE8000 C:\WINDOWS\System32\DRIVERS\usbehci.sys 20480 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7B40000 C:\WINDOWS\System32\drivers\vga.sys 20480 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF75F3000 C:\WINDOWS\System32\Drivers\cdrbsvsd.SYS 16384 bytes (B.H.A Corporation, CD-ROM Filter Driver for Windows2000/xp)
0xF7D00000 C:\WINDOWS\system32\ckldrv.sys 16384 bytes
0xF56B9000 C:\WINDOWS\System32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xEC8F2000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF75DB000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 16384 bytes (Microsoft Corporation, TDI Wrapper)
0xF75E3000 C:\WINDOWS\System32\DRIVERS\usbohci.sys 16384 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xEE3C6000 C:\WINDOWS\System32\watchdog.sys 16384 bytes (Microsoft Corporation, Watchdog Driver)
0xF7C18000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xEE3C2000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF56C1000 C:\WINDOWS\System32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF56B1000 C:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF75D7000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7CDC000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7CEC000 C:\WINDOWS\system32\drivers\srvkp.sys 12288 bytes (Silicon Integrated Systems Corporation, SiS VGA Driver Manager)
0xF7D46000 C:\WINDOWS\system32\drivers\aeaudio.sys 8192 bytes (Andrea Electronics Corporation, Andrea Audio Stub Driver)
0xF7D56000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7DBE000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7D54000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7D08000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7D58000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7D5A000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7DC0000 C:\WINDOWS\System32\DRIVERS\SonyKBS.sys 8192 bytes (Sony Corporation, Sony Keyboard State Control Service)
0xF7D4E000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7D0A000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7EE1000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7F5C000 C:\WINDOWS\System32\DRIVERS\DMICall.sys 4096 bytes (Sony Corporation, Windows 2000 DMI Call Kernel Driver)
0xF7EAD000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7F0D000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7DD0000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF7EE5000 C:\WINDOWS\System32\DRIVERS\swenum.sys 4096 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
==============================================
>Stealth
==============================================
WARNING: Virus alike driver modification [ndisip.sys]
WARNING: Virus alike driver modification [sonypvs1.sys]
WARNING: Virus alike driver modification [dxapi.sys]
WARNING: Virus alike driver modification [slip.sys]
WARNING: Virus alike driver modification [usb8023.sys]
WARNING: Virus alike driver modification [bdasup.sys]
WARNING: Virus alike driver modification [acpiec.sys]
WARNING: Virus alike driver modification [cpqdap01.sys]
WARNING: Virus alike driver modification [tunmp.sys]
WARNING: Virus alike driver modification [nikedrv.sys]
WARNING: Virus alike driver modification [rio8drv.sys]
WARNING: Virus alike driver modification [riodrv.sys]
WARNING: Virus alike driver modification [fsvga.sys]
WARNING: Virus alike driver modification [ADFUUD.SYS]
WARNING: Virus alike driver modification [ks.sys]
WARNING: Virus alike driver modification [diskdump.sys]
WARNING: Virus alike driver modification [tape.sys]
WARNING: Virus alike driver modification [cbidf2k.sys]
WARNING: Virus alike driver modification [smclib.sys]
WARNING: Virus alike driver modification [dmio.sys]
WARNING: Virus alike driver modification [serenum.sys]
WARNING: Virus alike driver modification [streamip.sys]
WARNING: Virus alike driver modification [mpe.sys]
WARNING: Virus alike driver modification [usbintel.sys]
WARNING: Virus alike driver modification [ccdecode.sys]
WARNING: Virus alike driver modification [rdbss.sys]
WARNING: Virus alike driver modification [rdpdr.sys]
WARNING: Virus alike driver modification [wstcodec.sys]
WARNING: Virus alike driver modification [wpdusb.sys]
WARNING: Virus alike driver modification [RMCast.sys]
WARNING: Virus alike driver modification [tcpip6.sys]
WARNING: Virus alike driver modification [tsbvcap.sys]
WARNING: Virus alike driver modification [usbcamd.sys]
WARNING: Virus alike driver modification [usbcamd2.sys]
WARNING: Virus alike driver modification [sonydcam.sys]
WARNING: Virus alike driver modification [SISAGP.SYS]
WARNING: Virus alike driver modification [cinemst2.sys]
WARNING: Virus alike driver modification [irstusb.sys]
WARNING: Virus alike driver modification [rndismp.sys]
WARNING: Virus alike driver modification [sonyhcs.sys]
WARNING: Virus alike driver modification [atmepvc.sys]
WARNING: Virus alike driver modification [crusoe.sys]
WARNING: Virus alike driver modification [amdk6.sys]
WARNING: Virus alike driver modification [amdk7.sys]
WARNING: Virus alike driver modification [rawwan.sys]
WARNING: Virus alike driver modification [atmuni.sys]
WARNING: Virus alike driver modification [p3.sys]
WARNING: Virus alike driver modification [nmnt.sys]
WARNING: Virus alike driver modification [sonyhcc.sys]
WARNING: Virus alike driver modification [swenum.sys]
WARNING: Virus alike driver modification [mrxsmb.sys]
WARNING: Virus alike driver modification [stream.sys]
WARNING: Virus alike driver modification [mspqm.sys]
WARNING: Virus alike driver modification [tosdvd.sys]
WARNING: Virus alike driver modification [msdv.sys]
WARNING: Virus alike driver modification [mspclock.sys]
WARNING: Virus alike driver modification [atmlane.sys]
WARNING: Virus alike driver modification [mstee.sys]
WARNING: Virus alike driver modification [nwlnkspx.sys]
WARNING: Virus alike driver modification [ntfs.sys]
WARNING: Virus alike driver modification [vdmindvd.sys]
WARNING: Virus alike driver modification [ssm_wh.sys]
WARNING: Virus alike driver modification [ssm_whnt.sys]
WARNING: Virus alike driver modification [dmload.sys]
WARNING: Virus alike driver modification [rootmdm.sys]
0xEBF31730 Unknown thread object [ ETHREAD 0x844A93F8 ] , 600 bytes
0xEBBFB730 Unknown thread object [ ETHREAD 0x844494E0 ] , 600 bytes
WARNING: Virus alike driver modification [sonyhcb.sys]
WARNING: Virus alike driver modification [ssm_cm.sys]
WARNING: Virus alike driver modification [ssm_cmnt.sys]
WARNING: Virus alike driver modification [mf.sys]
WARNING: Virus alike driver modification [nwlnknb.sys]
WARNING: Virus alike driver modification [enum1394.sys]
WARNING: Virus alike driver modification [udfs.sys]
WARNING: Virus alike driver modification [bridge.sys]
WARNING: Virus alike driver modification [mskssrv.sys]
WARNING: Virus alike driver modification [mcd.sys]
WARNING: Virus alike driver modification [dmboot.sys]
WARNING: Virus alike driver modification [nabtsfec.sys]
WARNING: Virus alike driver modification [nwlnkipx.sys]
WARNING: Virus alike driver modification [imagedrv.sys]
WARNING: Virus alike driver modification [scsiport.sys]
I am a man of science, not someone's snuggle bunny. - Sheldon Cooper

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:23 PM

Posted 31 January 2011 - 05:47 AM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Peebs64

Peebs64
  • Topic Starter

  • Members
  • 396 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:23 PM

Posted 31 January 2011 - 07:49 AM

Hi Gringo,

This doesn't seem to be that straight forward at the moment. Ran ComboFix as per your instructions; it installed the Recovery console and then ran through the scanning stages. THere were also some file replacements at the end however the PC rebooted and I cannot find the log file.

I carried out a Windows search on the C: drive in an attempt to locate the log but this resulted in the search looping and not finishing. I'm also seeing shortcuts called ComboFix that have the same function as My Computer. If I can get screenshots I'll post them for you to see.

Berwildered...

Peebs
I am a man of science, not someone's snuggle bunny. - Sheldon Cooper

#8 Peebs64

Peebs64
  • Topic Starter

  • Members
  • 396 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:23 PM

Posted 31 January 2011 - 07:57 AM

Hi Gringo, an update,

Re-run ComboFix without the issues I described above.

Below is the log file:

Thanks

Peebs

ComboFix 11-01-30.02 - ROY 31/01/2011 12:35:13.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.44.1033.18.480.133 [GMT 0:00]
Running from: c:\documents and settings\ROY\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\ALANNAH\Application Data\alot
c:\documents and settings\ALANNAH\Application Data\PriceGong
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\1.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\a.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\b.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\c.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\d.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\e.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\f.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\g.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\h.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\i.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\J.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\k.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\l.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\m.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\n.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\o.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\p.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\q.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\r.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\s.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\t.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\u.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\v.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\w.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\x.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\y.xml
c:\documents and settings\ALANNAH\Application Data\PriceGong\Data\z.xml
c:\documents and settings\EILEEN\Application Data\alot
c:\documents and settings\LocalService\Application Data\alot
c:\documents and settings\ROY\Application Data\alot
c:\documents and settings\ROY\Application Data\alot\BrowserSearch\BrowserSearch.xml
c:\documents and settings\ROY\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup
c:\documents and settings\ROY\Application Data\alot\Button_0\Button_0.xml
c:\documents and settings\ROY\Application Data\alot\Button_0\Button_0.xml.backup
c:\documents and settings\ROY\Application Data\alot\Button_1\Button_1.xml
c:\documents and settings\ROY\Application Data\alot\Button_1\Button_1.xml.backup
c:\documents and settings\ROY\Application Data\alot\Button_2\Button_2.xml
c:\documents and settings\ROY\Application Data\alot\Button_2\Button_2.xml.backup
c:\documents and settings\ROY\Application Data\alot\Button_3\Button_3.xml
c:\documents and settings\ROY\Application Data\alot\Button_3\Button_3.xml.backup
c:\documents and settings\ROY\Application Data\alot\Button_4\Button_4.xml
c:\documents and settings\ROY\Application Data\alot\Button_4\Button_4.xml.backup
c:\documents and settings\ROY\Application Data\alot\Button_5\Button_5.xml
c:\documents and settings\ROY\Application Data\alot\Button_5\Button_5.xml.backup
c:\documents and settings\ROY\Application Data\alot\Button_6\Button_6.xml
c:\documents and settings\ROY\Application Data\alot\Button_6\Button_6.xml.backup
c:\documents and settings\ROY\Application Data\alot\Button_7\Button_7.xml
c:\documents and settings\ROY\Application Data\alot\Button_7\Button_7.xml.backup
c:\documents and settings\ROY\Application Data\alot\Button_8\Button_8.xml
c:\documents and settings\ROY\Application Data\alot\Button_8\Button_8.xml.backup
c:\documents and settings\ROY\Application Data\alot\Button_9\Button_9.xml
c:\documents and settings\ROY\Application Data\alot\Button_9\Button_9.xml.backup
c:\documents and settings\ROY\Application Data\alot\configurator\configurator.xml
c:\documents and settings\ROY\Application Data\alot\configurator\configurator.xml.backup
c:\documents and settings\ROY\Application Data\alot\contextMenu\contextMenu.xml
c:\documents and settings\ROY\Application Data\alot\contextMenu\contextMenu.xml.backup
c:\documents and settings\ROY\Application Data\alot\ErrorSearch\ErrorSearch.xml
c:\documents and settings\ROY\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup
c:\documents and settings\ROY\Application Data\alot\postInstallLayout\postInstallLayout.xml
c:\documents and settings\ROY\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
c:\documents and settings\ROY\Application Data\alot\products\products.xml
c:\documents and settings\ROY\Application Data\alot\products\products.xml.backup
c:\documents and settings\ROY\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html
c:\documents and settings\ROY\Application Data\alot\Resources\BrowserSearch\images\favicon.ico
c:\documents and settings\ROY\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp
c:\documents and settings\ROY\Application Data\alot\Resources\Button_0\images\alot_logo_button.png
c:\documents and settings\ROY\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp
c:\documents and settings\ROY\Application Data\alot\Resources\Button_1\images\alot_search_button.png
c:\documents and settings\ROY\Application Data\alot\Resources\Button_2\images\default_1222_alot_lot_results.bmp
c:\documents and settings\ROY\Application Data\alot\Resources\Button_2\images\default_1222_alot_lot_results.png
c:\documents and settings\ROY\Application Data\alot\Resources\Button_3\images\default_1224_alot_lot_playonline_uk.bmp
c:\documents and settings\ROY\Application Data\alot\Resources\Button_3\images\default_1224_alot_lot_playonline_uk.png
c:\documents and settings\ROY\Application Data\alot\Resources\Button_4\images\default_1225_alot_lot_euromillions.bmp
c:\documents and settings\ROY\Application Data\alot\Resources\Button_4\images\default_1225_alot_lot_euromillions.png
c:\documents and settings\ROY\Application Data\alot\Resources\Button_5\images\default_1025_alot_lot_toolbox.bmp
c:\documents and settings\ROY\Application Data\alot\Resources\Button_5\images\default_1025_alot_lot_toolbox.png
c:\documents and settings\ROY\Application Data\alot\Resources\Button_6\images\default_1230_alot_mrkt_instantwin.bmp
c:\documents and settings\ROY\Application Data\alot\Resources\Button_6\images\default_1230_alot_mrkt_instantwin.png
c:\documents and settings\ROY\Application Data\alot\Resources\Button_7\images\default_2115_default_1222_alot_lot_results.bmp
c:\documents and settings\ROY\Application Data\alot\Resources\Button_7\images\default_2115_default_1222_alot_lot_results.png
c:\documents and settings\ROY\Application Data\alot\Resources\Button_8\images\default_1124_alot_mrkt_ticket.bmp
c:\documents and settings\ROY\Application Data\alot\Resources\Button_8\images\default_1124_alot_mrkt_ticket.png
c:\documents and settings\ROY\Application Data\alot\Resources\Button_9\images\default_1795_alot_configure.bmp
c:\documents and settings\ROY\Application Data\alot\Resources\Button_9\images\default_1795_alot_configure.png
c:\documents and settings\ROY\Application Data\alot\Resources\contextMenu\images\alot_icon.bmp
c:\documents and settings\ROY\Application Data\alot\Resources\contextMenu\images\alot_icon.png
c:\documents and settings\ROY\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
c:\documents and settings\ROY\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
c:\documents and settings\ROY\Application Data\alot\Resources\Shared\images\alot_brand.png
c:\documents and settings\ROY\Application Data\alot\Resources\Shared\images\alot_splitter.png
c:\documents and settings\ROY\Application Data\alot\Resources\Shared\images\discover.png
c:\documents and settings\ROY\Application Data\alot\TimerManager\TimerManager.xml
c:\documents and settings\ROY\Application Data\alot\TimerManager\TimerManager.xml.backup
c:\documents and settings\ROY\Application Data\alot\toolbar.xml
c:\documents and settings\ROY\Application Data\alot\toolbar.xml.backup
c:\documents and settings\ROY\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml
c:\documents and settings\ROY\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml.backup
c:\documents and settings\ROY\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
c:\documents and settings\ROY\Application Data\alot\Updater\Updater.xml
c:\documents and settings\ROY\Application Data\alot\Updater\Updater.xml.backup
c:\documents and settings\ROY\Application Data\PriceGong
c:\documents and settings\ROY\Application Data\PriceGong\Data\1.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\a.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\b.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\c.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\d.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\e.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\f.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\g.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\h.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\i.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\J.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\k.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\l.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\m.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\n.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\o.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\p.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\q.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\r.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\s.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\t.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\u.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\v.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\w.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\x.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\y.xml
c:\documents and settings\ROY\Application Data\PriceGong\Data\z.xml
c:\documents and settings\ROY\Recent\Thumbs.db
c:\windows\desktop
c:\windows\desktop\Galaxy OnLine.lnk

-- Previous Run --

Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
Restored copy from - c:\windows\system32\bits\qmgr.dll

Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
Restored copy from - c:\windows\system32\bits\qmgr.dll

Infected copy of c:\windows\system32\dxdiag.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\dxdiag.exe

--------

.
((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-31 )))))))))))))))))))))))))))))))
.

2011-01-11 12:55 . 2011-01-11 12:56 -------- d-----w- c:\documents and settings\Administrator
2011-01-06 00:36 . 2010-11-12 14:17 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-01-06 00:36 . 2010-11-12 14:17 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-01-06 00:36 . 2010-11-12 14:17 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-01-06 00:36 . 2010-11-12 14:17 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-01-06 00:36 . 2010-11-12 14:17 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-01-06 00:36 . 2010-11-12 14:17 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-01-06 00:36 . 2010-11-12 14:17 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-01-06 00:36 . 2010-11-12 14:17 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-01-06 00:36 . 2011-01-06 00:36 -------- d-----w- c:\program files\Common Files\Mcafee
2011-01-06 00:35 . 2011-01-06 07:59 -------- d-----w- c:\program files\McAfee
2011-01-06 00:27 . 2010-10-13 22:28 141792 ----a-w- c:\windows\system32\mfevtps.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-19 10:05 . 2006-07-22 13:53 65536 ----a-w- c:\windows\DUMP65ed.tmp
2011-01-19 10:04 . 2006-07-22 13:53 65536 ----a-w- c:\windows\DUMP6580.tmp
2011-01-17 10:38 . 2006-07-22 13:53 65536 ----a-w- c:\windows\DUMP664b.tmp
2010-11-11 15:40 . 2010-11-11 15:40 0 -c--a-w- c:\windows\system32\ConduitEngine.tmp
.

------- Sigcheck -------



[7] 2004-09-22 17:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2002-11-26 18:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
[-] 2002-11-26 18:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\MsPMSNSv.dll

[-] 2002-12-11 23:14 . CA6CC3A47D8813208CEE02EB40DACA21 . 355328 . . [5.3.0000000.900 built by: DIRECTX] . . c:\windows\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dsound.dll
[-] 2002-12-11 23:14 . CA6CC3A47D8813208CEE02EB40DACA21 . 355328 . . [5.3.0000000.900 built by: DIRECTX] . . c:\windows\system32\dsound.dll
[-] 2002-12-11 23:14 . CA6CC3A47D8813208CEE02EB40DACA21 . 355328 . . [5.3.0000000.900 built by: DIRECTX] . . c:\windows\system32\dllcache\dsound.dll

[-] 2002-12-11 23:14 . E5F6CF1886B4F103AC6C1728394523E5 . 1634304 . . [5.3.0000000.901 built by: DIRECTX] . . c:\windows\system32\d3d9.dll

[-] 2002-12-11 23:14 . 61CC64C43BEC193100E3722F6CF4B1E1 . 284160 . . [5.3.0000000.900 built by: DIRECTX] . . c:\windows\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\ddraw.dll
[-] 2002-12-11 23:14 . 61CC64C43BEC193100E3722F6CF4B1E1 . 284160 . . [5.3.0000000.900 built by: DIRECTX] . . c:\windows\system32\ddraw.dll
[-] 2002-12-11 23:14 . 61CC64C43BEC193100E3722F6CF4B1E1 . 284160 . . [5.3.0000000.900 built by: DIRECTX] . . c:\windows\system32\dllcache\ddraw.dll

c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}"= "c:\program files\myBabylon_English\tbmyB2.dll" [2010-10-18 3908192]
"{00bf7b9c-acd2-4080-bea8-b1c41987070f}"= "c:\program files\TranslatorBar_1\tbTra2.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

[HKEY_CLASSES_ROOT\clsid\{00bf7b9c-acd2-4080-bea8-b1c41987070f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00bf7b9c-acd2-4080-bea8-b1c41987070f}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\TranslatorBar_1\tbTra2.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\myBabylon_English\tbmyB2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}"= "c:\program files\myBabylon_English\tbmyB2.dll" [2010-10-18 3908192]
"{00bf7b9c-acd2-4080-bea8-b1c41987070f}"= "c:\program files\TranslatorBar_1\tbTra2.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

[HKEY_CLASSES_ROOT\clsid\{00bf7b9c-acd2-4080-bea8-b1c41987070f}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{00BF7B9C-ACD2-4080-BEA8-B1C41987070F}"= "c:\program files\TranslatorBar_1\tbTra2.dll" [2010-10-18 3908192]
"{B2E293EE-FD7E-4C71-A714-5F4750D8D7B7}"= "c:\program files\myBabylon_English\tbmyB2.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{00bf7b9c-acd2-4080-bea8-b1c41987070f}]

[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTEGPRS"="c:\program files\Common Files\RTE\RTEGPRS.exe" [2004-04-02 2314240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2003-03-31 88267]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"Drag'n Drop CD+DVD"="c:\program files\drag'n drop cd+dvd\BinFiles\DragDrop.exe" [2003-06-23 1171456]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2005-11-09 634880]
"RetroExpress"="c:\progra~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2005-09-21 18583552]
"SSC_UserPrompt"="c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 218240]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire\Corel Photo Downloader.exe" [2006-08-04 462336]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0\bin\jusched.exe" [2007-02-25 36972]
"eBayToolbar"="c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2009-01-25 632048]
"FRAlert"="c:\program files\File Recover\Alert.exe" [2010-10-12 985032]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-08-04 1180976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]

c:\documents and settings\ROY\Start Menu\Programs\Startup\
YoWindow.lnk - c:\program files\YoWindow\yowindow.exe [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-7-22 113664]
Keyboard Closure Setup.lnk - c:\program files\sony\keyboard closure setup\KSWServ.exe [2003-8-1 90112]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2006-7-22 151552]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2006-7-22 106496]
Remocon Driver.lnk - c:\program files\sony\usbsircs\usbsircs.exe [2003-8-1 208896]
Timer Recording Manager.lnk - c:\program files\sony\giga pocket\ReserveModule.exe [2006-7-22 262144]
VAIO Action Setup (Server).lnk - c:\program files\Sony\VAIO Action Setup\VAServ.exe [2003-8-1 53248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [06/01/2011 00:36 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [06/01/2011 00:36 271480]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [06/01/2011 00:36 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [06/01/2011 00:36 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [06/01/2011 00:36 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [06/01/2011 00:27 141792]
R2 RTETAPIService;RTE : TAPI;c:\fotowin\RTETPISV.EXE [23/07/2006 15:07 49152]
R2 SonyKBS;Keyboard State Detection Service;c:\windows\system32\drivers\SonyKBS.sys [28/02/2003 13:12 7936]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [06/01/2011 00:36 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [06/01/2011 00:36 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [06/01/2011 00:36 88544]
S2 gupdate1ca7e4745d47fd4;Google Update Service (gupdate1ca7e4745d47fd4);c:\program files\Google\Update\GoogleUpdate.exe [16/12/2009 11:59 133104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [06/01/2011 00:36 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [06/01/2011 00:36 84264]

--- Other Services/Drivers In Memory ---

*Deregistered* - eeCtrl
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2011-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 13:21]

2011-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-16 11:59]

2011-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-16 11:59]

2011-01-21 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2008-01-09 18:22]

2011-01-21 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 12:25]

2010-12-15 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 12:25]

2011-01-31 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-01 08:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.google.co.uk/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 3.70\AMVConverter\grab.html
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.05\AMVConverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 4.05\MediaManager\grab.html
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
TCP: {6B9A8C1D-25A8-48F8-A390-B73F833A9825} = 192.168.254.200
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SiS Tray - (no file)
HKLM-Run-SiS KHooker - c:\windows\System32\khooker.exe
HKU-Default-RunOnce-DeltaDep - (no file)
AddRemove-I Love Spelling! - c:\windows\Uninst.exe -rDK Multimedia\I Love Spelling!\1.0.0.0



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-31 12:45
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):45,5a,89,08,55,28,20,95,d3,ad,fe,46,96,9a,c3,9c,58,7c,48,ed,57,
0a,06,c7,11,d1,6e,d9,c5,1d,d2,19,4e,7a,9b,ba,08,5d,44,3e,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{e9eec83e-c48d-483a-a333-7081784cb31a}]
@Denied: (Full) (Everyone)
"Model"=dword:00000123
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,ab,9e,50,1b,eb,77,d1,ab,bc,b8,88,34,d9,b0,a2,44,20,df,73,21,c6,9e,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\windows\system32\ODBC32.dll
c:\fotowin\RTETPI32.dll

- - - - - - - > 'lsass.exe'(1052)
c:\windows\System32\dssenh.dll
.
Completion time: 2011-01-31 12:49:49
ComboFix-quarantined-files.txt 2011-01-31 12:49

Pre-Run: 2,082,689,024 bytes free
Post-Run: 2,045,882,368 bytes free

- - End Of File - - DCB9DB7DC52AE4AA76FF3A38C7AA23F3
I am a man of science, not someone's snuggle bunny. - Sheldon Cooper

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:23 PM

Posted 31 January 2011 - 11:28 AM

These logs are looking alot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
wscntfy.exe
xmlprov.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

ALOT Toolbar
J2SE Runtime Environment 5.0


and click on remove

Adobe Acrobat

I see that you are using Adobe Acrobat which if fine for editing pdf files but because today’s viruses are using vulnerabilities in older versions of Adobe and because it is easier to update I suggest that you use the free Adobe reader or Foxit reader to view all PDF files

you don't need to uninstall Acrobat, but do use one of these free readers

You can download it from here Adobe free reader
uncheck any of the extra stuff that they offer

If you don't like Adobe Reader (53.5 MB), you can download Foxit PDF Reader(7 MB) It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing Foxit PDF Reader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

  • In your next post I need the following

  • report from system look
  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

Edited by gringo_pr, 31 January 2011 - 11:28 AM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 Peebs64

Peebs64
  • Topic Starter

  • Members
  • 396 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:23 PM

Posted 01 February 2011 - 04:10 AM

Hi Gringo,

Downloaded SystemLook from both links to desktop however when I run the exe I get the following error:

The application has failed to start because the application configuration is incorrect.


Any ideas?

Peebs
I am a man of science, not someone's snuggle bunny. - Sheldon Cooper

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:23 PM

Posted 01 February 2011 - 05:14 AM

do the rest of post

redownload it and try again - make sure antivirus is off during running of system look


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 Peebs64

Peebs64
  • Topic Starter

  • Members
  • 396 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:23 PM

Posted 01 February 2011 - 06:26 AM

Hi Gringo,

The logs as requested:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106

01/02/2011 10:55:34
mbam-log-2011-02-01 (10-55-34).txt

Scan type: Quick scan
Objects scanned: 140304
Time elapsed: 8 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:07:05, on 01/02/2011
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\mfevtps.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
c:\fotowin\RTETPISv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\sony\vaio media music server\SSSvr.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyB2.dll
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: TranslatorBar 1 Toolbar - {00bf7b9c-acd2-4080-bea8-b1c41987070f} - C:\Program Files\TranslatorBar_1\tbTra2.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O2 - BHO: baloudHelperObj Class - {6165D324-3AAF-4C63-B545-C7D2285BEA1C} - C:\Program Files\Texthelp Systems\ReadAndWrite7\thhtmlbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110106003627.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyB2.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyB2.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: TranslatorBar 1 Toolbar - {00bf7b9c-acd2-4080-bea8-b1c41987070f} - C:\Program Files\TranslatorBar_1\tbTra2.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\drag'n drop cd+dvd\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [FRAlert] "C:\Program Files\File Recover\Alert.exe" /PRODUCT=FR /R
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [RTEGPRS] "C:\Program Files\Common Files\RTE\RTEGPRS.exe" tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: YoWindow.lnk = C:\Program Files\YoWindow\yowindow.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Keyboard Closure Setup.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Remocon Driver.lnk = ?
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\sony\giga pocket\ReserveModule.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 3.70\AMVConverter\grab.html
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.05\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.05\MediaManager\grab.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B9A8C1D-25A8-48F8-A390-B73F833A9825}: NameServer = 192.168.254.200
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Update Service (gupdate1ca7e4745d47fd4) (gupdate1ca7e4745d47fd4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Personal Firewall (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\System32\mfevtps.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
O23 - Service: RTE : TAPI (RTETAPIService) - Unknown owner - c:\fotowin\RTETPISv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\sony\vaio media music server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\sony\giga pocket\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
O24 - Desktop Component 0: (no name) - http://bestanimations.com/Animals/Mammals/Dogs/Dog-03-june.gif

--
End of file - 13226 bytes


Regarding the SystemLook - I have downloaded this again from both the links and also directly from the website and I'm still seeing the same error with all AV disabled. I have renamed the file with no luck and also tried running the exe in safe mode. Still a no go!

Otherwise PC's is showing no symptoms..

Regards

Peebs
I am a man of science, not someone's snuggle bunny. - Sheldon Cooper

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:23 PM

Posted 01 February 2011 - 07:43 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\drag'n drop cd+dvd\BinFiles\DragDrop.exe /StartUp
      O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
      O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
      O4 - HKCU\..\Run: [RTEGPRS] "C:\Program Files\Common Files\RTE\RTEGPRS.exe" tray
      O4 - Startup: YoWindow.lnk = C:\Program Files\YoWindow\yowindow.exe
      O4 - Global Startup: Adobe Gamma Loader.lnk = ?
      O4 - Global Startup: Keyboard Closure Setup.lnk = ?
      O4 - Global Startup: Picture Package Menu.lnk = ?
      O4 - Global Startup: Picture Package VCD Maker.lnk = ?
      O4 - Global Startup: Remocon Driver.lnk = ?
      O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\sony\giga pocket\ReserveModule.exe
      O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brakets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • copy and paste the results here in this topic
  • you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 Peebs64

Peebs64
  • Topic Starter

  • Members
  • 396 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:23 PM

Posted 01 February 2011 - 11:34 AM

Hi Gringo,

As instructed I've removed the startup entries and below is the results of the ESET scan:

C:\Documents and Settings\ROY\My Documents\ROY\javadownloads\endhouseSetup.exe probably a variant of Win32/Rbot.NQUJBXI trojan
C:\Documents and Settings\ROY\My Documents\ROY\WORKRELATED\ROYSWORK\PURE FLUIDS\download\marinefree_297.exe multiple threats

Regards

Peebs
I am a man of science, not someone's snuggle bunny. - Sheldon Cooper

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:23 PM

Posted 01 February 2011 - 12:29 PM

Hello

There are some minor things in your online scan that should be removed.


delete files

  • Copy all text in the quote box (below)...to Notepad.

    @echo off
    del /f /s /q "C:\Documents and Settings\ROY\My Documents\ROY\WORKRELATED\ROYSWORK\PURE FLUIDS\download\marinefree_297.exe"
    del /f /s /q "C:\Documents and Settings\ROY\My Documents\ROY\javadownloads\endhouseSetup.exe"
    del %0

  • Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
    It should look like this: Posted Image<--XPPosted Image<--vista
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.


Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over you can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use, I would keep this and use before you do any scans or when you want to free up some space.

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • Posted Image


:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:clear system restore points:

This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • choose your root drive (normally C:)
  • after it calculates how much space you will save it will open up a new window
  • Select the More options tab at the top of the window
  • Choose the option to clean up system restore and OK it.
  • go back to the disk clean up tab
  • put a checkmark in all - except compress old files (leave this unchecked)
  • click Ok then click yes
This will remove all restore points except the new one you just created and clean unneeded files


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


:Make Firefox more secure:

please visit this page to explain how to make Firefox more secure - How to Secure Firefox


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector


:Turn On Automatic Updates:

Turn On Automatic Updates
1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users