Malwarebytes keeps blocking outgoing/incoming to/from malicious websites


This topic is locked
41 replies to this topic

#1 Jabba The Hutt (Members, 19 posts)

Posted 24 July 2011 - 06:41 AM

Hi,

I've been fighting various viruses for over a year and they keep coming back. I'm about to give up. After seeing the wonderful work you've provided others, I'm hoping that this might be the last stand.

I read your Preparation Guide and have followed all the instructions.
(I installed Combofix per the advice of a different website, but I've followed the explicit instructions here and have not run it.)


COMPUTER
IBM Laptop T-42 (from 2004!)
Windows XP Service Pack 3
Version 5.1 (Build 2600.xpsp_sp3_gdr.101209-1647)
Windows updates: has always been on. The only updates remaining to install (per Microsoft website) are 10 optional ones. The system falls to its knees trying to access the Microsoft site, so I haven't installed those.


DESCRIPTION OF THE PROBLEM
The giveaway symptom has always been that the system would slow to a crawl at random for 30-60 minutes and then eventually recover all by itself. Launching anything connecting to the internet also triggers the slowdown. Several months ago, based on reading sites such as this, I used Avast, AVG, Avira, and Malwarebytes to (successfully) eliminate several viruses. Life was good.

Apparently I wasn't 100% successful. The slowdowns started again 3-4 weeks ago, but with a new symptom. Malwarebytes (trial of the paid product version) keeps blocking incoming and outgoing communications (see below) to "potentially malicious websites". These coincide with spikes in network activity (both incoming and outgoing) as displayed in the mini icon for NetPerSec. Both the slowdown and the spikes in network activity happen at random, whether or not I'm doing anything.

A full scan by Malwarebytes unfortunately only identifies/deletes cookies, nothing else suspicious. Ad-Aware also does not identify anything. I purchased Webroot, on the advice of a friend, and it also has not identified anything.

Now I admit I need help. DDS and GMER after the jump.


THE OUTGOING/INCOMING SUSPICIOUS COMMUNICATIONS.
MALWAREBYTES PROTECTION LOG
(This example is 7/24. I have logs going back 1 month)
(You can see patterns in there.)

00:13:32 Csaba.Nagy IP-BLOCK 58.240.150.60 (Type: outgoing)
00:28:56 Csaba.Nagy IP-BLOCK 212.117.162.35 (Type: outgoing)
00:45:57 Csaba.Nagy IP-BLOCK 212.117.177.52 (Type: incoming)
00:47:44 Csaba.Nagy IP-BLOCK 59.34.42.90 (Type: incoming)
00:57:55 Csaba.Nagy IP-BLOCK 89.28.74.192 (Type: outgoing)
01:12:08 Csaba.Nagy IP-BLOCK 114.79.151.82 (Type: outgoing)
01:12:55 Csaba.Nagy IP-BLOCK 220.248.181.34 (Type: outgoing)
02:01:02 Csaba.Nagy IP-BLOCK 109.86.183.154 (Type: incoming)
02:40:57 Csaba.Nagy IP-BLOCK 212.117.175.93 (Type: outgoing)
02:41:19 Csaba.Nagy IP-BLOCK 117.205.48.254 (Type: outgoing)
02:56:15 Csaba.Nagy IP-BLOCK 89.28.24.69 (Type: outgoing)
03:27:01 Csaba.Nagy IP-BLOCK 222.70.98.99 (Type: outgoing)
03:42:21 Csaba.Nagy IP-BLOCK 212.117.162.35 (Type: outgoing)
03:54:01 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
03:54:03 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
03:54:04 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
03:54:04 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
03:54:04 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
03:54:04 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
03:54:05 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
03:54:06 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
04:03:45 Csaba.Nagy IP-BLOCK 213.226.193.218 (Type: incoming)
04:12:17 Csaba.Nagy IP-BLOCK 222.70.98.99 (Type: outgoing)
04:28:02 Csaba.Nagy IP-BLOCK 89.28.89.32 (Type: outgoing)
04:51:41 Csaba.Nagy IP-BLOCK 195.161.7.72 (Type: incoming)
04:57:13 Csaba.Nagy IP-BLOCK 78.26.187.168 (Type: outgoing)
05:06:01 Csaba.Nagy IP-BLOCK 89.28.39.173 (Type: incoming)
05:12:11 Csaba.Nagy IP-BLOCK 116.122.36.143 (Type: outgoing)
05:12:49 Csaba.Nagy IP-BLOCK 58.241.209.67 (Type: outgoing)
05:12:53 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
05:12:54 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
05:12:54 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
05:12:55 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
05:13:28 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
05:13:28 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
05:13:29 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
05:28:43 Csaba.Nagy IP-BLOCK 222.70.163.237 (Type: outgoing)
05:41:13 Csaba.Nagy IP-BLOCK 89.28.79.72 (Type: outgoing)
05:52:53 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
05:52:54 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
05:52:54 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
05:52:55 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
05:58:13 Csaba.Nagy IP-BLOCK 77.78.216.80 (Type: outgoing)
06:12:55 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
06:13:27 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
06:32:52 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
06:33:32 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
06:37:12 Csaba.Nagy IP-BLOCK 121.10.120.182 (Type: incoming)


PREPARATION GUIDE NOTES

Step 5) Enable a Firewall:
Control Panel Security Center said the AVG firewall was protecting the system. But I was confident I uninstalled AVG months ago when I left Malwarebytes in charge. I couldn't find AVG on my system though! When I checked Windows Firewall, it was off! So I turned it on.
Could Security Center have mistakenly thought AVG was still there?

Step 6) Disable CD-emulation software
I don't know what kind of software that is. Unless it comes as a standard install with laptops, I'll assume I don't have it.

Steps 7-8) DDS and GMER logs below and attached.
(Note, instructions within the Attach.txt file say it should be zipped, but Step 9 says to attach the text file itself.)

Thank you for any help that you can provide. I look forward to returning Webroot and donating the proceeds to your tip jar.

Best,
Csaba
PS I downloaded Combofix, but per instructions I have not run it.
-----------------------------------

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by Csaba.Nagy at 7:24:51 on 2011-07-24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.264 [GMT -4:00]
.
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: AVG Firewall *Enabled*
.
============== Running Processes ===============
.
C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDll32.exe
svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\NetPerSec\NetPerSec.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Security\Current\plugins\antispam\wrhkisvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Adobe\Acrobat 6.0\Distillr\AcroTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://webmail.stillriversystems.com/exchweb/bin/auth/owalogon.asp?url=https://webmail.stillriversystems.com/exchange&reason=0
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {2665e909-eb55-446c-9417-26c0ccf71961} - c:\windows\system32\yudegoku.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: WebrootBHO Class: {d93ec24d-8741-4d41-b83d-a5793b998416} - c:\program files\webroot\security\current\plugins\browserextension\WebrootBHO.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Webroot Browser Helper Object: {e08861fe-8847-4b2a-8ec2-08edb20e4020} - c:\program files\webroot\security\current\products\wise\toolbar\LPBar.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Webroot Toolbar: {d84a64a0-f2b2-4975-b264-3a3bce8d57d6} - c:\program files\webroot\security\current\products\wise\toolbar\LPBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [TVT Scheduler Proxy] "c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe"
mRun: [TpShocks] "TpShocks.exe"
mRun: [TPKMAPHELPER] "c:\program files\thinkpad\utilities\TpKmapAp.exe" -helper
mRun: [TPKBDLED] "c:\windows\system32\TpScrLk.exe"
mRun: [TPHOTKEY] "c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe"
mRun: [TP4EX] "tp4ex.exe"
mRun: [SynTPLpr] "c:\program files\synaptics\syntp\SynTPLpr.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SoundMAXPnP] "c:\program files\analog devices\soundmax\SMax4PNP.exe"
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [S3TRAY2] "S3Tray2.exe"
mRun: [PRONoMgrWired] "c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe"
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [LVCOMSX] "c:\windows\system32\LVCOMSX.EXE"
mRun: [LogitechVideo[inspector]] "c:\program files\logitech\video\InstallHelper.exe" /inspect
mRun: [LogitechCameraService(E)] "c:\windows\system32\ElkCtrl.exe" /automation
mRun: [LogitechCameraAssistant] "c:\program files\logitech\video\CameraAssistant.exe"
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [IBMPRC] "c:\ibmtools\utils\ibmprc.exe"
mRun: [EZEJMNAP] "c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe"
mRun: [EPSON Stylus CX5400] "c:\windows\system32\spool\drivers\w32x86\3\E_S4I2G1.EXE" /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
mRun: [EPSON Stylus CX3800 Series] "c:\windows\system32\spool\drivers\w32x86\3\E_FATIACA.EXE" /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
mRun: [dla] "c:\windows\system32\dla\tfswctrl.exe"
mRun: [CoolSwitch] "c:\windows\system32\taskswitch.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [BMMMONWND] "rundll32.exe" c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [BMMLREF] "c:\program files\thinkpad\utilities\BMMLREF.EXE"
mRun: [BMMGAG] "RunDll32" c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BLOG] "rundll32.exe" c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\servicepoint\VerizonServicepoint.exe"
mRun: [dvd43] "c:\program files\dvd43\dvd43_tray.exe"
mRun: [WebrootTrayApp] "c:\program files\webroot\security\current\framework\WRTray.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netper~1.lnk - c:\program files\netpersec\NetPerSec.exe
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\thinkpad\pkgmgr\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306708158673
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38161.2521412037
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5F479E2A-58A6-4A3D-9FDB-2C47A5AF1CBE} : DhcpNameServer = 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
LSA: Notification Packages = scecli pwdmon c:\windows\system32\tuvujuka.dll
Hosts: 82.98.231.89 url.adtrgt.com
Hosts: 82.98.231.89 googleads2.gdoubleclick.net
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\csaba.nagy.tucknt\application data\mozilla\firefox\profiles\3x5xzgap.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.tech-forums.net/pc/f51/virus-204611/|http://news.google.com/
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 EFlashAssist;EFlashAssist;c:\windows\system32\drivers\EFLASHAS.SYS [2005-10-20 8476]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-7-22 64512]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2011-7-17 122696]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2004-6-19 16384]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-9 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-6-9 242808]
R2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\drivers\CdpPacket.sys [2004-9-3 35693]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-18 366640]
R2 SSFMONM;Spy Sweeper File System Filter Driver;c:\windows\system32\drivers\ssfmonm.sys [2011-7-17 45584]
R2 uacFlt;Plantronics USB Audio Adapter EQ Filter Driver;c:\windows\system32\drivers\uacflt.sys [2004-6-25 21276]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\security\current\plugins\antimalware\AEI.exe [2011-7-17 3907248]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\security\current\framework\WRConsumerService.exe [2011-7-17 3363168]
R3 Cpmt;Cisco Media Termination;c:\windows\system32\drivers\Cpmt.sys [2004-9-3 1915837]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-18 22712]
S2 AutoExNT;ERU Autobackup;c:\windows\system32\AUTOEXNT.EXE [2005-5-23 22528]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-21 135664]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-6-9 87160]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-21 135664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-6-20 2151640]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-8-28 189792]
.
=============== Created Last 30 ================
.
2011-07-24 03:18:43 -------- d-s---w- C:\ComboFix
2011-07-24 02:13:10 -------- d-----w- c:\documents and settings\csaba.nagy.tucknt\local settings\application data\Webroot
2011-07-24 02:12:40 -------- d-----w- c:\documents and settings\csaba.nagy.tucknt\application data\webroot
2011-07-23 20:28:03 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-07-22 12:19:49 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-07-22 04:23:05 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-07-19 02:59:03 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-19 02:58:58 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-19 02:58:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-17 21:32:09 45584 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2011-07-17 21:32:09 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2011-07-17 21:32:09 181008 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-07-17 21:31:39 122696 ----a-w- c:\windows\system32\drivers\pwipf6.sys
2011-07-17 21:30:08 6202608 ----a-w- c:\program files\common files\wruninstall.exe
2011-07-17 21:16:52 -------- dc-h--w- c:\documents and settings\all users\application data\{24F72050-686C-4A15-B137-09FEB449D545}
2011-07-17 21:07:07 -------- d-----w- c:\program files\Webroot
2011-07-17 21:05:50 -------- d-----w- c:\documents and settings\all users\application data\Webroot
2011-07-17 21:05:41 -------- d-----w- c:\documents and settings\csaba.nagy.tucknt\local settings\application data\PackageAware
2011-06-27 12:15:24 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-27 12:15:24 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
.
==================== Find3M ====================
.
2011-06-30 12:13:38 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07:50 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 7:28:00.18 ===============
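The IP-BLOCK log above is the kind of artifact a responder would want to summarize rather than read line by line: which remote addresses recur, whether the host initiated the connection (outgoing) or merely received one (incoming), and whether the hits cluster into retry bursts or recur on a timer. The script below is an added example, not part of the original post and not Malwarebytes' own tooling. It parses lines in the exact format shown in the post; the sample lines are copied from the log above, the burst window (10 s) and beacon tolerance (60 s) are assumptions chosen for illustration, and the "outbound" reason reflects the general point that an outgoing block means some local process opened the connection, whereas incoming blocks on a home IP are frequently unsolicited background traffic.

```python
"""Triage the IP-BLOCK lines of a Malwarebytes protection log.

Added example, not from the original post or from Malwarebytes. It parses
lines of the form "HH:MM:SS user IP-BLOCK a.b.c.d (Type: outgoing)" and,
per remote IP, reports how often it was blocked, in which direction, and
the spacing between its visits, so that retry bursts and timer-like
recurrence stand out. SAMPLE_LOG is a constructed excerpt copied from the
post (one day only, so timestamps are seconds since midnight).
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\s+\S+\s+IP-BLOCK\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\(Type:\s*(?P<dir>incoming|outgoing)\)\s*$"
)

SAMPLE_LOG = """\
03:42:21 Csaba.Nagy IP-BLOCK 212.117.162.35 (Type: outgoing)
03:54:01 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
03:54:03 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
03:54:04 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
04:12:17 Csaba.Nagy IP-BLOCK 222.70.98.99 (Type: outgoing)
05:12:53 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
05:12:54 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
05:52:53 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
06:12:55 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
06:32:52 Csaba.Nagy IP-BLOCK 222.70.20.82 (Type: incoming)
"""


def parse(text):
    """Return [{'t': seconds_since_midnight, 'ip': str, 'dir': str}, ...]."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, cookie detections etc. are not IP-BLOCK lines
        h, mi, s = (int(x) for x in m["ts"].split(":"))
        events.append({"t": h * 3600 + mi * 60 + s, "ip": m["ip"], "dir": m["dir"]})
    return events


def summarize(events, burst_window=10, beacon_tolerance=60):
    """Per-IP statistics. Thresholds are assumptions chosen for this example:
    hits <= burst_window seconds apart form one 'visit' (a retry burst);
    two consecutive visit gaps agreeing within beacon_tolerance seconds are
    treated as timer-driven ('periodic')."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["ip"]].append(e)
    report = {}
    for ip, evs in per_ip.items():
        times = sorted(e["t"] for e in evs)
        visits = [times[0]]
        for t in times[1:]:
            if t - visits[-1] > burst_window:
                visits.append(t)
        vgaps = [b - a for a, b in zip(visits, visits[1:])]
        report[ip] = {
            "count": len(evs),
            "directions": sorted({e["dir"] for e in evs}),
            "burst": len(visits) < len(times),
            "visit_gaps_s": vgaps,
            "periodic": any(abs(a - b) <= beacon_tolerance
                            for a, b in zip(vgaps, vgaps[1:])),
        }
    return report


def triage(text):
    """IPs worth investigating, most reasons first. Outgoing blocks matter
    most: a process on this host initiated them, whereas incoming blocks on
    a home IP are often just unsolicited internet background traffic."""
    flagged = []
    for ip, r in summarize(parse(text)).items():
        reasons = [k for k in ("burst", "periodic") if r[k]]
        if "outgoing" in r["directions"]:
            reasons.append("outbound")
        if reasons:
            flagged.append((ip, reasons))
    return sorted(flagged, key=lambda x: (-len(x[1]), x[0]))


if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG):
        print(ip, ", ".join(reasons))
```

On the excerpt, 222.70.20.82 is reported with both a burst (several hits within a few seconds) and a periodic signature (two consecutive visit gaps of about 20 minutes), while the two outgoing addresses are listed for the outbound direction alone. The next step for an outbound hit is to find which process held the socket at that moment, which this log does not record.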


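The "Pseudo HJT Report" section of a DDS log lists the browser helper objects, LSA notification packages and hosts-file entries that malware commonly uses for persistence, and a reviewer usually scans it for entries that depart from a stock Windows XP install: a BHO with no display name, an LSA Notification Packages value beyond the default scecli, hosts-file overrides, and DLLs dropped directly into system32. The script below is an added example, not part of the original post and not part of the DDS tool; it applies exactly those baseline checks to lines copied from the first DDS log above and reports review candidates. The checks are signals to look closer, not verdicts, and the LSA parsing assumes the package list is space-separated with no spaces inside paths, which is how DDS prints it here.

```python
"""Flag non-default persistence entries in a DDS "Pseudo HJT Report".

Added example, not from the original post or from the DDS tool. It reads
the BHO:, LSA: and Hosts: lines DDS prints and reports review candidates:
  * a BHO with no display name (DDS shows only its CLSID)
  * an LSA Notification Package other than the stock scecli
  * a Hosts entry other than the stock 127.0.0.1 localhost
  * any BHO or LSA package loaded from a DLL sitting directly in system32
These are signals to look closer at, not verdicts. SAMPLE_REPORT is a
constructed excerpt of lines copied from the first DDS log in the post.
"""
import re

BHO_RE = re.compile(
    r"^BHO:\s*(?:(?P<name>.*?):\s*)?\{(?P<clsid>[0-9a-f-]{36})\}\s*-\s*(?P<path>.*)$",
    re.I,
)
# "...\system32\foo.dll" with no subdirectory in between
IN_SYSTEM32 = re.compile(r"\\system32\\[^\\]+\.dll$", re.I)

SAMPLE_REPORT = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {2665e909-eb55-446c-9417-26c0ccf71961} - c:\windows\system32\yudegoku.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
Notify: AtiExtEvent - Ati2evxx.dll
LSA: Notification Packages = scecli pwdmon c:\windows\system32\tuvujuka.dll
Hosts: 82.98.231.89 url.adtrgt.com
Hosts: 82.98.231.89 googleads2.gdoubleclick.net
"""


def triage_dds(text):
    """Return [{'kind': 'BHO'|'LSA'|'Hosts', 'item': str, 'reasons': [str]}]
    in the order the lines appear. Lines of other kinds are ignored."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            reasons = []
            if not m["name"]:
                reasons.append("no display name")
            if IN_SYSTEM32.search(m["path"]):
                reasons.append("DLL directly in system32")
            if reasons:
                findings.append({"kind": "BHO", "item": m["path"], "reasons": reasons})
            continue
        if line.lower().startswith("lsa: notification packages"):
            # DDS prints the packages space-separated; assumes no spaces in paths
            _, _, value = line.partition("=")
            for pkg in value.split():
                if pkg.lower() == "scecli":
                    continue  # the stock XP package
                reasons = ["not the stock scecli package"]
                if IN_SYSTEM32.search(pkg):
                    reasons.append("DLL directly in system32")
                findings.append({"kind": "LSA", "item": pkg, "reasons": reasons})
            continue
        if line.lower().startswith("hosts:"):
            parts = line.split()  # ["Hosts:", ip, hostname]
            if len(parts) >= 3 and not (parts[1] == "127.0.0.1"
                                        and parts[2].lower() == "localhost"):
                findings.append({"kind": "Hosts",
                                 "item": f"{parts[2]} -> {parts[1]}",
                                 "reasons": ["hosts-file override"]})
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_REPORT):
        print(f"{f['kind']:5} {f['item']}  [{'; '.join(f['reasons'])}]")
```

Named BHOs under Program Files and the DriveLetterAccess helper in a system32 subdirectory pass the baseline; the unnamed BHO, the two extra LSA packages and the two hosts overrides are returned for a closer look. Confirming any of them as malicious still requires examining the file itself (signature, timestamps, hashes), which is why the output is framed as candidates.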
#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 29 July 2011 - 02:37 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:


    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".

information and logs:

  • In your next post I need the following

  • logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Jabba The Hutt (Topic Starter, Members, 19 posts)

Posted 31 July 2011 - 10:14 PM

Gringo,

Thank you for your help with this.

Since my original post, and your reply, a friend evaluated the computer and did a few things to help it. But it is not there yet.

Problems:
* There are random periods of background activity (20-30 minutes) that slow the computer down (less than before, however).
* Malwarebytes keeps blocking both incoming and outgoing traffic, about 2-4 per hour (example below from log). East European countries come up when I copy the IP addresses into Google.
Example:
22:33:57 Csaba.Nagy IP-BLOCK 222.170.121.176 (Type: outgoing)
22:54:22 Csaba.Nagy IP-BLOCK 222.76.88.79 (Type: incoming)
23:04:07 Csaba.Nagy IP-BLOCK 222.71.45.208 (Type: outgoing)
23:07:36 Csaba.Nagy IP-BLOCK 222.76.88.79 (Type: incoming)

* My friend noticed that MS Security Center says AVG Firewall is active, but we can't find any trace of AVG Firewall (I think I installed it over a year ago). He even tried to remove it with AVG_remover (and the tool couldn't find AVG). (I have the log file.) When we tried to activate Windows Firewall, Security Center complained but we left it on anyway. Something eventually deactivated Windows Firewall all by itself.

So while the computer is better than it was before, these three things make me nervous that something much more nefarious remains.

Here are the logs as requested.

I won't let my friend touch the computer while you are helping me out! (He uninstalled Combofix today and promised he wouldn't touch the laptop again.)

Thank you again.

Csaba

--------------------DDS-------------------
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by Csaba.Nagy at 22:31:40 on 2011-07-31
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.262 [GMT -4:00]
.
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: AVG Firewall *Enabled*
.
============== Running Processes ===============
.
C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\NetPerSec\NetPerSec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Security\Current\plugins\antispam\wrhkisvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://webmail.stillriversystems.com/exchweb/bin/auth/owalogon.asp?url=https://webmail.stillriversystems.com/exchange&reason=0
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: WebrootBHO Class: {d93ec24d-8741-4d41-b83d-a5793b998416} - c:\program files\webroot\security\current\plugins\browserextension\WebrootBHO.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Webroot Browser Helper Object: {e08861fe-8847-4b2a-8ec2-08edb20e4020} - c:\program files\webroot\security\current\products\wise\toolbar\LPBar.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Webroot Toolbar: {d84a64a0-f2b2-4975-b264-3a3bce8d57d6} - c:\program files\webroot\security\current\products\wise\toolbar\LPBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [TVT Scheduler Proxy] "c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe"
mRun: [TpShocks] "TpShocks.exe"
mRun: [TPKMAPHELPER] "c:\program files\thinkpad\utilities\TpKmapAp.exe" -helper
mRun: [TPKBDLED] "c:\windows\system32\TpScrLk.exe"
mRun: [TPHOTKEY] "c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe"
mRun: [TP4EX] "tp4ex.exe"
mRun: [SynTPLpr] "c:\program files\synaptics\syntp\SynTPLpr.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SoundMAXPnP] "c:\program files\analog devices\soundmax\SMax4PNP.exe"
mRun: [S3TRAY2] "S3Tray2.exe"
mRun: [PRONoMgrWired] "c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe"
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [LVCOMSX] "c:\windows\system32\LVCOMSX.EXE"
mRun: [LogitechVideo[inspector]] "c:\program files\logitech\video\InstallHelper.exe" /inspect
mRun: [LogitechCameraService(E)] "c:\windows\system32\ElkCtrl.exe" /automation
mRun: [LogitechCameraAssistant] "c:\program files\logitech\video\CameraAssistant.exe"
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [IBMPRC] "c:\ibmtools\utils\ibmprc.exe"
mRun: [EZEJMNAP] "c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe"
mRun: [EPSON Stylus CX5400] "c:\windows\system32\spool\drivers\w32x86\3\E_S4I2G1.EXE" /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
mRun: [EPSON Stylus CX3800 Series] "c:\windows\system32\spool\drivers\w32x86\3\E_FATIACA.EXE" /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
mRun: [dla] "c:\windows\system32\dla\tfswctrl.exe"
mRun: [CoolSwitch] "c:\windows\system32\taskswitch.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [BMMMONWND] "rundll32.exe" c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [BMMLREF] "c:\program files\thinkpad\utilities\BMMLREF.EXE"
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BLOG] "rundll32.exe" c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\servicepoint\VerizonServicepoint.exe"
mRun: [dvd43] "c:\program files\dvd43\dvd43_tray.exe"
mRun: [WebrootTrayApp] "c:\program files\webroot\security\current\framework\WRTray.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\csaban~1.tuc\startm~1\programs\startup\netper~1.lnk - c:\program files\netpersec\NetPerSec.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netper~1.lnk - c:\program files\netpersec\NetPerSec.exe
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\thinkpad\pkgmgr\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306708158673
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38161.2521412037
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5F479E2A-58A6-4A3D-9FDB-2C47A5AF1CBE} : DhcpNameServer = 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\csaba.nagy.tucknt\application data\mozilla\firefox\profiles\3x5xzgap.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.tech-forums.net/pc/f51/virus-204611/|http://news.google.com/
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 EFlashAssist;EFlashAssist;c:\windows\system32\drivers\EFLASHAS.SYS [2005-10-20 8476]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-7-22 64512]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2011-7-17 122696]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2004-6-19 16384]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-9 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-6-9 242808]
R2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\drivers\CdpPacket.sys [2004-9-3 35693]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-18 366640]
R2 SSFMONM;Spy Sweeper File System Filter Driver;c:\windows\system32\drivers\ssfmonm.sys [2011-7-17 45584]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\security\current\plugins\antimalware\AEI.exe [2011-7-17 3907248]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\security\current\framework\WRConsumerService.exe [2011-7-17 3363168]
R3 Cpmt;Cisco Media Termination;c:\windows\system32\drivers\Cpmt.sys [2004-9-3 1915837]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-18 22712]
S2 AutoExNT;ERU Autobackup;c:\windows\system32\AUTOEXNT.EXE [2005-5-23 22528]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-21 135664]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-6-9 87160]
S3 esihdrv;esihdrv;\??\c:\docume~1\csaban~1.tuc\locals~1\temp\esihdrv.sys --> c:\docume~1\csaban~1.tuc\locals~1\temp\esihdrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-21 135664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-6-20 2151640]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-8-28 189792]
.
=============== Created Last 30 ================
.
2011-08-01 02:08:47 -------- d-s---w- C:\ComboFix
2011-07-27 02:57:23 309320 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
2011-07-24 20:07:29 -------- d-sha-r- C:\cmdcons
2011-07-24 02:13:10 -------- d-----w- c:\documents and settings\csaba.nagy.tucknt\local settings\application data\Webroot
2011-07-24 02:12:40 -------- d-----w- c:\documents and settings\csaba.nagy.tucknt\application data\webroot
2011-07-23 20:28:03 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-07-22 12:19:49 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-07-22 04:23:05 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-07-19 02:59:03 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-19 02:58:58 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-19 02:58:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-17 21:32:09 45584 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2011-07-17 21:32:09 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2011-07-17 21:32:09 181008 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-07-17 21:31:39 122696 ----a-w- c:\windows\system32\drivers\pwipf6.sys
2011-07-17 21:30:08 6202608 ----a-w- c:\program files\common files\wruninstall.exe
2011-07-17 21:16:52 -------- dc-h--w- c:\documents and settings\all users\application data\{24F72050-686C-4A15-B137-09FEB449D545}
2011-07-17 21:07:07 -------- d-----w- c:\program files\Webroot
2011-07-17 21:05:50 -------- d-----w- c:\documents and settings\all users\application data\Webroot
2011-07-17 21:05:41 -------- d-----w- c:\documents and settings\csaba.nagy.tucknt\local settings\application data\PackageAware
.
==================== Find3M ====================
.
2011-07-26 08:24:41 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 22:33:49.36 ===============

----------------------------ATTACH----------------------------
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/23/2004 8:32:06 AM
System Uptime: 7/31/2011 10:12:16 PM (0 hours ago)
.
Motherboard: IBM | | 23733VU
Processor: Intel® Pentium® M processor 1.70GHz | None | 1694/400mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 70 GiB total, 16.954 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA
.
==== System Restore Points ===================
.
RP1: 7/31/2011 10:17:37 PM - System Checkpoint
.
==== Installed Programs ======================
.
1Click DVD Copy Pro 3.0.1.6
7-Zip 4.65
ABBYY FineReader 5.0 Sprint Plus
Access IBM
Access IBM Message Center
Ad-Aware
Adobe Acrobat 6.0 Standard
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.9
Alt-Tab Task Switcher Powertoy for Windows XP
Apple Software Update
ArcSoft PhotoImpression 5
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI HYDRAVISION
AutoUpdate
Calculator Powertoy for Windows XP
Canon MP Navigator 2.2
Canon MP830
Canon Utilities Easy-PhotoPrint
Cisco IP Communicator
Cisco Systems VPN Client 4.6.00.0049
Cisco TSP
CmdHere Powertoy For Windows XP
Compatibility Pack for the 2007 Office system
Copy Paths to Clipboard
CopyToDVD
Crystal Ball 7
DISKdata
DivX Player
DivX Web Player
DNA
DVD43 v3.9.0
EASEUS Data Recovery Wizard 4.3.6
Easy-WebPrint
Easy Mosaic 4.0
EPSON Copy Utility
EPSON CX 3800 Guide
EPSON EIC CX5400
EPSON Photo Print
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
ERUNT 1.1j
Explore From Here (Remove only)
FileMaker Pro 6
FileMaker Pro 8
Google Toolbar for Internet Explorer
Google Update Helper
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB910998)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
IBM 32-bit Runtime Environment for Java 2, v1.4.1
IBM DLA
IBM RecordNow!
IBM Rescue and Recovery with Rapid Restore
IBM Themes
IBM ThinkPad Battery MaxiMiser and Power Management Features
Image Resizer Powertoy for Windows XP
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
Intel® PROSet/Wireless Software
InterVideo WinDVD
InterVideo WinDVD Creator 2
iTunes
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java Web Start
Java™ 6 Update 24
Java™ 6 Update 3
Logitech QuickCam Software
Logitech® Camera Driver
Macromedia Shockwave Player
Malwarebytes' Anti-Malware version 1.51.1.1800
Markstrat Online Team
mCore
mDriver
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Data Access Components KB870669
Microsoft Office File Validation Add-In
Microsoft Office FrontPage 2003
Microsoft Office OneNote 2003
Microsoft Office PowerPoint Viewer 2003
Microsoft Office Professional Edition 2003
Microsoft Office Project Standard 2003
Microsoft Office Publisher 2003
Microsoft Office Visio Professional 2003
Microsoft Outlook Personal Folders Backup
Microsoft Silverlight
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Windows Journal Viewer
mMHouse
Mozilla Firefox 5.0 (x86 en-US)
mPfMgr
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
mWlsSafe
MWSnap 3
mXML
Netflix Movie Viewer
NetPerSec
NSIS SensitivityToolkit
OmniPage SE 2.0
PC-Doctor for Windows
PerSono
Pharos
Picaboo 1.8.214
Picasa 2
PodUtil 3.0.3
Presto! PageManager 7.15.11
PrintFile
QuickTime
RegEditX
ScanToWeb
Scroll Lock Indicator Utility
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Send To Extensions PowerToy
Sensitivity Toolkit
SideCar 32
Slideshow Generator Powertoy for Windows XP
Software Installer
Sonic Update Manager
Sony USB Driver
SoundMAX
SSH Secure Shell
StartStop
StuffIt Expander 6.0
System Migration Assistant 5.0
System Update
TBS WMP Plug-in
Tera Term Pro
ThinkPad Configuration
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Integrated 56K Modem
ThinkPad Keyboard Customizer Utility
ThinkPad Power Management Driver
ThinkPad Presentation Director
ThinkPad UltraNav Driver
ThinkPad UltraNav Wizard
ThinkVantage Active Protection System
TrackPoint Accessibility Features
Tweakui Powertoy for Windows XP
UnInstall Icon Restore 1.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
User Profile Hive Cleanup Service
Verizon Servicepoint 1.3.21
Verizon Yahoo! Applications
Viewpoint Media Player (Remove Only)
Virtual Desktop Manager Powertoy for Windows XP
VLC media player 0.9.8a
VSO Inspector 1.3.1.82
Wallpapers
WebFldrs XP
Webroot Software
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Connect
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows XP Service Pack 3
WinRAR archiver
Winwonk OpenTarget (remove only)
Xvid 1.1.3 final uninstall
XviD Video Codec 04102002-1 (Koepi's build with EPSZ ME)
.
==== Event Viewer Messages From Past Week ========
.
7/31/2011 10:17:00 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the System Update service to connect.
7/31/2011 10:17:00 PM, error: Service Control Manager [7000] - The System Update service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/24/2011 4:54:16 PM, error: Service Control Manager [7034] - The Logitech Process Monitor service terminated unexpectedly. It has done this 1 time(s).
7/24/2011 4:43:55 PM, error: Dhcp [1002] - The IP address lease 192.168.1.104 for the Network Card with network address 000E3520FD6E has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
7/24/2011 4:42:51 PM, error: System Error [1003] - Error code 000000ca, parameter1 00000004, parameter2 8504bcf0, parameter3 00000000, parameter4 00000000.
7/24/2011 4:41:54 PM, error: Service Control Manager [7000] - The PMEM service failed to start due to the following error: The system cannot find the file specified.
7/24/2011 4:40:56 PM, error: NETLOGON [3095] - This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.
7/24/2011 4:20:27 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
7/24/2011 4:12:08 PM, error: Service Control Manager [7034] - The IBM KCU Service service terminated unexpectedly. It has done this 1 time(s).
7/24/2011 2:35:17 AM, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.
.
==== End Of File ===========================

--------------------------RKUnhooker---------------------------
RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xF6337000 C:\WINDOWS\system32\DRIVERS\w29n51.sys 3325952 bytes (Intel® Corporation, Intel® Wireless LAN Driver)
0xBF0B2000 C:\WINDOWS\System32\ati3duag.dll 2310144 bytes (ATI Technologies Inc. , ati3duag.dll)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2192768 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2192768 bytes
0x804D7000 RAW 2192768 bytes
0x804D7000 WMIxWDM 2192768 bytes
0xF5EA5000 C:\WINDOWS\System32\Drivers\Cpmt.sys 1916928 bytes (Cisco Systems, Inc., Cpmt.sys)
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF66BA000 C:\WINDOWS\System32\DRIVERS\ati2mtag.sys 1200128 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xF612A000 C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys 999424 bytes (Conexant Systems, Inc., HSF_DP driver)
==============================================
>Stealth
==============================================

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 31 July 2011 - 10:16 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 03 August 2011 - 12:55 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?
  • If after 48 hrs you have not replied to this thread, it will have to be closed!

Gringo

#6 Jabba The Hutt

Jabba The Hutt
  • Topic Starter

  • Members
  • 19 posts

Posted 03 August 2011 - 10:54 PM

Gringo,

Thank you for your help. I believe this is what you asked for. I have not noticed anything different yet with the computer.

Combofix complains that AVG is installed, but I can't find it, and neither did the AVG remover tool.

best,

Csaba

------------------
ComboFix 11-08-03.03 - Csaba.Nagy 08/03/2011 23:38:21.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.579 [GMT -4:00]
Running from: c:\documents and settings\Csaba.Nagy.TUCKNT\My Documents\Downloads\ComboFix.exe
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
c:\program files\messenger\msmsgsin.exe
c:\windows\logoff.exe
c:\windows\system\oeminfo.ini
c:\windows\system32\paradise.dll
c:\windows\system32\regobj.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-07-04 to 2011-08-04 )))))))))))))))))))))))))))))))
.
.
2011-07-27 02:57 . 2011-07-27 02:57 309320 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
2011-07-24 02:13 . 2011-07-24 02:13 -------- d-----w- c:\documents and settings\Csaba.Nagy.TUCKNT\Local Settings\Application Data\Webroot
2011-07-24 02:12 . 2011-07-24 02:12 -------- d-----w- c:\documents and settings\Csaba.Nagy.TUCKNT\Application Data\webroot
2011-07-23 20:28 . 2011-07-22 12:19 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-07-22 12:19 . 2011-07-22 12:19 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-07-22 04:23 . 2011-07-22 04:23 -------- dc----w- c:\windows\system32\DRVSTORE
2011-07-22 04:23 . 2011-06-20 14:31 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-07-22 04:22 . 2011-07-22 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-07-19 02:59 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-19 02:58 . 2011-07-19 02:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-19 02:58 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-17 21:32 . 2011-05-23 17:09 45584 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2011-07-17 21:32 . 2011-05-23 17:09 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2011-07-17 21:32 . 2011-05-23 17:09 181008 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-07-17 21:31 . 2011-05-26 15:22 122696 ----a-w- c:\windows\system32\drivers\pwipf6.sys
2011-07-17 21:30 . 2011-07-17 21:30 6202608 ----a-w- c:\program files\Common Files\wruninstall.exe
2011-07-17 21:29 . 2011-07-18 03:34 -------- d-----w- c:\program files\Microsoft Silverlight
2011-07-17 21:16 . 2011-07-17 21:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}
2011-07-17 21:07 . 2011-07-17 21:07 -------- d-----w- c:\program files\Webroot
2011-07-17 21:05 . 2011-08-04 03:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2011-07-17 21:05 . 2011-07-17 21:05 -------- d-----w- c:\documents and settings\Csaba.Nagy.TUCKNT\Local Settings\Application Data\PackageAware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-26 08:24 . 2011-05-30 20:37 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2004-06-23 12:14 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-06-27 12:15 . 2011-05-29 16:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{6B78A880-15CA-468f-8422-A7960AD6FBB9}"
[HKEY_CLASSES_ROOT\CLSID\{6B78A880-15CA-468f-8422-A7960AD6FBB9}]
2011-05-26 15:51 326928 ----a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{4EE7A346-5845-471e-9FAB-002EAF83F8B0}"
[HKEY_CLASSES_ROOT\CLSID\{4EE7A346-5845-471e-9FAB-002EAF83F8B0}]
2011-05-26 15:51 326928 ----a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{53DABC15-4F29-44ad-B09A-E0D0F9A3D075}"
[HKEY_CLASSES_ROOT\CLSID\{53DABC15-4F29-44ad-B09A-E0D0F9A3D075}]
2011-05-26 15:51 326928 ----a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{493FC96E-B938-4924-9B38-C4088E9B8AC2}"
[HKEY_CLASSES_ROOT\CLSID\{493FC96E-B938-4924-9B38-C4088E9B8AC2}]
2011-05-26 15:51 326928 ----a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-22 68856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-15 323392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 503808]
"TpShocks"="TpShocks.exe" [2005-11-07 106496]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 864256]
"TPKBDLED"="c:\windows\system32\TpScrLk.exe" [2002-10-09 40960]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-05-10 94208]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 86016]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-12-09 225280]
"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2005-12-07 14:33 73728]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
"LogitechCameraAssistant"="c:\program files\Logitech\Video\CameraAssistant.exe" [2005-12-07 489472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2004-03-19 90112]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 237568]
"EPSON Stylus CX5400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-26 99840]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-07 98304]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-10-22 114741]
"CoolSwitch"="c:\windows\System32\taskswitch.exe" [2002-03-20 45632]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-26 344064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-12 229952]
"VerizonServicepoint.exe"="c:\program files\Verizon\Servicepoint\VerizonServicepoint.exe" [2006-02-01 1880064]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2006-05-22 694272]
"WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2011-07-17 1383496]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Install Webroot FF RunOnce.lnk - c:\program files\Common Files\wruninstall.exe [2011-7-17 6202608]
Install Webroot IE RunOnce.lnk - c:\program files\Common Files\wruninstall.exe [2011-7-17 6202608]
.
c:\documents and settings\Csaba.Nagy.TUCKNT\Start Menu\Programs\Startup\
NetPerSec.lnk - c:\program files\NetPerSec\NetPerSec.exe [2004-6-23 192512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NetPerSec.lnk - c:\program files\NetPerSec\NetPerSec.exe [2004-6-23 192512]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 03:45 28672 ----a-w- c:\windows\system32\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-02-01 20:09 24576 ------w- c:\windows\system32\tphklock.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SideCar\\SideCar.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 EFlashAssist;EFlashAssist;c:\windows\system32\drivers\EFLASHAS.SYS [10/20/2005 2:41 PM 8476]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/22/2011 12:23 AM 64512]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [7/17/2011 5:31 PM 122696]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [6/19/2004 5:05 AM 16384]
R2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\drivers\CdpPacket.sys [9/3/2004 12:31 PM 35693]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/18/2011 10:59 PM 366640]
R2 SSFMONM;Spy Sweeper File System Filter Driver;c:\windows\system32\drivers\ssfmonm.sys [7/17/2011 5:32 PM 45584]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [7/17/2011 5:16 PM 3363168]
R3 Cpmt;Cisco Media Termination;c:\windows\system32\drivers\Cpmt.sys [9/3/2004 12:31 PM 1915837]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/18/2011 10:58 PM 22712]
S2 AutoExNT;ERU Autobackup;c:\windows\system32\AUTOEXNT.EXE [5/23/2005 2:25 PM 22528]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/21/2010 2:52 AM 135664]
S3 esihdrv;esihdrv;\??\c:\docume~1\CSABAN~1.TUC\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\CSABAN~1.TUC\LOCALS~1\Temp\esihdrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/21/2010 2:52 AM 135664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [6/20/2011 10:31 AM 2151640]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - BLACKBOX
*Deregistered* - BlackBox
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-06-20 11:19]
.
2011-07-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 18:21]
.
2007-01-31 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2004-06-19 05:38]
.
2011-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-21 06:51]
.
2011-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-21 06:51]
.
.
------- Supplementary Scan -------
.
uStart Page = https://webmail.stillriversystems.com/exchweb/bin/auth/owalogon.asp?url=https://webmail.stillriversystems.com/exchange&reason=0
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Csaba.Nagy.TUCKNT\Application Data\Mozilla\Firefox\Profiles\3x5xzgap.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.tech-forums.net/pc/f51/virus-204611/|http://news.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-03 23:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1348)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
c:\windows\system32\notifyf2.dll
.
Completion time: 2011-08-04 00:04:21
ComboFix-quarantined-files.txt 2011-08-04 04:04
.
Pre-Run: 18,042,765,312 bytes free
Post-Run: 18,013,175,808 bytes free
.
- - End Of File - - 22725375AD3EF493E640BE69030E88ED

#7 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 03 August 2011 - 11:07 PM

I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 Jabba The Hutt (Topic Starter, Members)

Posted 04 August 2011 - 01:04 AM

I assume this is all there is.
Csaba

2011/08/04 02:19:19.0267 6168 TDSS rootkit removing tool 2.5.13.0 Jul 29 2011 17:24:11
2011/08/04 02:19:19.0697 6168 ================================================================================
2011/08/04 02:19:19.0697 6168 SystemInfo:
2011/08/04 02:19:19.0697 6168
2011/08/04 02:19:19.0697 6168 OS Version: 5.1.2600 ServicePack: 3.0
2011/08/04 02:19:19.0697 6168 Product type: Workstation
2011/08/04 02:19:19.0697 6168 ComputerName: 6-14738F
2011/08/04 02:19:19.0697 6168 UserName: Csaba.Nagy
2011/08/04 02:19:19.0697 6168 Windows directory: C:\WINDOWS
2011/08/04 02:19:19.0697 6168 System windows directory: C:\WINDOWS
2011/08/04 02:19:19.0697 6168 Processor architecture: Intel x86
2011/08/04 02:19:19.0697 6168 Number of processors: 1
2011/08/04 02:19:19.0697 6168 Page size: 0x1000
2011/08/04 02:19:19.0697 6168 Boot type: Normal boot
2011/08/04 02:19:19.0697 6168 ================================================================================
2011/08/04 02:19:21.0320 6168 Initialize success

#9 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 07 August 2011 - 02:44 AM

Create and Run Batch File
Open Notepad and copy/paste the entire contents of the codebox below, into Notepad:
@echo off
rem Collect the network configuration and name-resolution results into Log1.txt
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
rem Open the log in Notepad, then delete this batch file
start Log1.txt
del %0
Save this as router.bat. Choose Save as type: All Files, and where to save: Desktop, then close the Notepad file.

Double-click on router.bat to run it. It will open Notepad when done; please post back the results.
gringo

#10 Jabba The Hutt (Topic Starter, Members)

Posted 07 August 2011 - 10:27 AM

Gringo,

Thank you again for your help.

A few things to note:
* The Malwarebytes trial ended. Let me know when I should re-install it. (I can't see if communications are being blocked as before.)
* When I launched Netscape 5.0, Webroot says that it blocked access to "as.starware.com".
* When I ran your script, on two separate occasions Webroot asked me if I wanted to allow your tool to access the internet. I said yes both times. When I re-ran the script a second time, the log file was generated without any complaints from Webroot.

The symptoms of the laptop remain unchanged; there are random periods of intense hard drive and wireless activity.

thank you,
Csaba

Windows IP Configuration

Host Name . . . . . . . . . . . . : 6-14738F
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel® PRO/1000 MT Mobile Connection
Physical Address. . . . . . . . . : 00-0D-60-75-95-40

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® PRO/Wireless 2200BG Network Connection
Physical Address. . . . . . . . . : 00-0E-35-20-FD-6E
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.62
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
Lease Obtained. . . . . . . . . . : Sunday, August 07, 2011 11:18:31 AM
Lease Expires . . . . . . . . . . : Monday, August 08, 2011 11:18:31 AM

Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.93.104, 74.125.93.106, 74.125.93.103, 74.125.93.99
74.125.93.147, 74.125.93.105

Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com
Addresses: 72.30.2.43, 98.137.149.56, 209.191.122.70, 67.195.160.76
69.147.125.65

Pinging google.com [74.125.113.103] with 32 bytes of data:

Request timed out.
Request timed out.

Ping statistics for 74.125.113.103:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

Pinging yahoo.com [67.195.160.76] with 32 bytes of data:

Request timed out.
Request timed out.

Ping statistics for 67.195.160.76:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 60 75 95 40 ...... Intel® PRO/1000 MT Mobile Connection - Packet Scheduler Miniport
0x10004 ...00 0e 35 20 fd 6e ...... Intel® PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.62 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.62 192.168.1.62 25
192.168.1.62 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.62 192.168.1.62 25
224.0.0.0 240.0.0.0 192.168.1.62 192.168.1.62 25
255.255.255.255 255.255.255.255 192.168.1.62 2 1
255.255.255.255 255.255.255.255 192.168.1.62 192.168.1.62 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

#11 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 07 August 2011 - 11:31 AM

After you have run these steps, you need to let me know how the computer is doing.

Resetting Router


  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • If you don't know the router's default password, you can look it up here.
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using, or you can use OpenDNS.
Note: After resetting your router, it is important to set a non-default password and, if possible, username on the router. This will assist in eliminating the possibility of the router being hijacked again.

flush the DNS:

Now let's flush the DNS on the computer:

  • click on Start
  • select run
  • enter cmd and hit enter
  • a black window will open.
  • please enter the following text into that window and hit enter:


    ipconfig /flushdns

Now let's check the router again.

Create and Run Batch File
Open Notepad and copy/paste the entire contents of the codebox below, into Notepad:
@echo off
rem Collect the network configuration and name-resolution results into Log1.txt
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
rem Open the log in Notepad, then delete this batch file
start Log1.txt
del %0
Save this as router.bat. Choose Save as type: All Files, and where to save: Desktop, then close the Notepad file.

Double-click on router.bat to run it. It will open Notepad when done; please post back the results.

gringo
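In the thread the router.bat log is read by eye to see where name resolution is going. As an added example, not from the original posts, the Python script below parses the same ipconfig /all and nslookup text and labels each configured DNS server as the router, another LAN host, an expected public resolver, or an unexpected one; it assumes the OpenDNS addresses named in the thread as the expected set, and both log excerpts are constructed for the example.

```python
"""Check a router.bat-style log (ipconfig /all plus nslookup output) for DNS
servers the network owner never configured.  Assumptions not from the thread:
the expected public resolvers are the OpenDNS addresses the thread recommends,
and both sample logs are constructed (198.51.100.9 stands in for a rogue one)."""
import re
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OPENDNS = frozenset({"208.67.222.222", "208.67.220.220"})  # addresses given in the thread

# Constructed sample modelled on the first log in the thread: DNS goes through the
# router, plus a second resolver that nobody on the LAN set up.
LOG_BEFORE = """\
Ethernet adapter Wireless Network Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.62
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       198.51.100.9

Server:  UnKnown
Address:  192.168.1.1
"""

# Constructed sample modelled on the second log: DNS set to OpenDNS by hand.
LOG_AFTER = """\
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 208.67.222.222
                                       208.67.220.220

Server:  resolver1.opendns.com
Address:  208.67.222.222
"""

# Matches "Key . . . . : value" lines from ipconfig and "Key:  value" lines from nslookup.
KV = re.compile(r"\s*([A-Za-z][A-Za-z -]*?)[ .]*:\s*(\S*)")


def parse_log(text):
    """Return (default gateway, configured DNS servers, resolver nslookup used)."""
    gateway, dns, resolver = None, [], None
    in_dns = after_server = False
    for line in text.splitlines():
        m = KV.match(line)
        if m:
            key, val = m.group(1).strip(), m.group(2)
            in_dns = key == "DNS Servers"
            if key == "Default Gateway" and val:
                gateway = val
            elif in_dns and val:
                dns.append(val)
            elif key == "Address" and after_server and resolver is None:
                resolver = val  # first "Address:" after nslookup's "Server:" line
            after_server = key == "Server"
        elif in_dns and line.strip():
            dns.append(line.strip())  # continuation line of the DNS Servers list
        else:
            in_dns = False
    return gateway, dns, resolver


def classify(server, gateway, expected):
    """Label one configured DNS server from the defender's point of view."""
    if server == gateway:
        return "gateway"  # router forwards DNS: only as trustworthy as the router itself
    if any(ip_address(server) in net for net in RFC1918):
        return "private"  # another LAN host answering DNS: worth a closer look
    if server in expected:
        return "expected"
    return "unexpected"  # public resolver nobody configured: confirm with owner or ISP


def assess(text, expected=OPENDNS):
    """Map every DNS server seen in the log to its label."""
    gateway, dns, resolver = parse_log(text)
    report = {server: classify(server, gateway, expected) for server in dns}
    if resolver and resolver not in report:
        report[resolver] = "not-configured"  # nslookup answered from an unlisted server
    return report
```

Running assess() over the saved Log1.txt gives a quick first pass before deciding whether the router or the computer's own DNS settings need attention.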

#12 Jabba The Hutt (Topic Starter, Members)

Posted 07 August 2011 - 12:10 PM

Gringo,
How confident are you that the router is infected? My roommate doesn't like people touching his stuff. I can show him this page which might reduce his resistance.

thank you,
Csaba

#13 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 07 August 2011 - 12:38 PM

Hello

I am not, but wanted to rule it out.


Let's do this: I want you to change the DNS on the computer, and if it fixes the problem then it is the router. You can see how to do this on this page and use the settings on the page:

https://store.opendns.com/setup/device/windows-xp/



gringo

#14 Jabba The Hutt (Topic Starter, Members)

Posted 07 August 2011 - 02:53 PM

Gringo,

Thank you for your quick responses.

I haven't used the system long enough since changing the DNS to notice if there are any differences yet.

Csaba



Windows IP Configuration

Host Name . . . . . . . . . . . . : 6-14738F
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel® PRO/1000 MT Mobile Connection
Physical Address. . . . . . . . . : 00-0D-60-75-95-40

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® PRO/Wireless 2200BG Network Connection
Physical Address. . . . . . . . . : 00-0E-35-20-FD-6E
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.62
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 208.67.222.222
208.67.220.220
Lease Obtained. . . . . . . . . . : Sunday, August 07, 2011 3:43:16 PM
Lease Expires . . . . . . . . . . : Monday, August 08, 2011 3:43:16 PM

Server: resolver1.opendns.com
Address: 208.67.222.222

Name: google.com
Addresses: 74.125.93.105, 74.125.93.99, 74.125.93.103, 74.125.93.104
74.125.93.106, 74.125.93.147

Server: resolver1.opendns.com
Address: 208.67.222.222

Name: yahoo.com
Addresses: 98.137.149.56, 209.191.122.70, 67.195.160.76, 69.147.125.65
72.30.2.43

Pinging google.com [74.125.93.103] with 32 bytes of data:

Request timed out.
Request timed out.

Ping statistics for 74.125.93.103:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

Pinging yahoo.com [98.137.149.56] with 32 bytes of data:

Request timed out.
Request timed out.

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 60 75 95 40 ...... Intel® PRO/1000 MT Mobile Connection - Packet Scheduler Miniport
0x10004 ...00 0e 35 20 fd 6e ...... Intel® PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.62 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.62 192.168.1.62 25
192.168.1.62 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.62 192.168.1.62 25
224.0.0.0 240.0.0.0 192.168.1.62 192.168.1.62 25
255.255.255.255 255.255.255.255 192.168.1.62 2 1
255.255.255.255 255.255.255.255 192.168.1.62 192.168.1.62 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

#15 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 07 August 2011 - 04:23 PM

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 7.0.9
J2SE Runtime Environment 5.0 Update 6
Java Web Start
Java™ 6 Update 3


and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.
Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Malwarebytes' Anti-Malware:

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Information and logs:

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo




