Possible Rootkit Zero Access After Malware Removal - Cannot Access Internet


This topic is locked
16 replies to this topic

#1 atraum (Members, 9 posts)

Posted 19 December 2011 - 02:11 PM

Like many, I have referred to your site many times over the years to help extract the baddies of the online world, mostly for friends' computers. I have always been able to get the systems back up and running by either following a main thread or a thread where a technician walks another user through an issue that is similar. Unfortunately it appears as though I need a bit more specialized help, since the items I have tried have not worked and I fear that if I proceed with non-specific information I will only make it harder for your team to identify the issue. In a nutshell, I am at a standstill and will not be using any more tools until I hear from your team. DDS log and GMER log created and then no additional activity on the system. Here is the history of the system in question:
Specific Issue
A) Wired connection continually says Acquiring network address
B) When attempting to "Change Windows Firewall settings" in the LAN tray icon the following error is displayed: "Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?" When selecting Yes, Windows displays "Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) service."
C) Other items of interest: opening the Task Manager does not display the toolbar or tabs, just the running processes.

1) Wired connection tested on another system to ensure operation
2) The system had a variant of Windows Internet Protection 2012 malware and the following walkthrough was used to get the system back up and going for Malwarebytes and Avast scans: http://www.bleepingcomputer.com/virus-removal/remove-xp-internet-security-2012 - Malwarebytes Free was already installed on the system, so once FixNCR.reg and Rkill were completed Malwarebytes was run successfully, followed by an Avast boot scan.
3) Current Malwarebytes (database is outdated by 20 days) and Avast (version 111215-1, release date 12/15/2011) scans show no baddies
4) Initial use of Combofix indicated a rootkit virus that I believe was ZeroAccess. Combofix did indicate that if internet access was not restored on completion and after reset, to run it again. Combofix ran successfully (no lockup). Since internet access was not restored on reboot, Combofix was run again, although this time it did not prompt anything in regards to a rootkit; it ran through successfully again and, although it did not request a reboot, internet access was not restored. A reboot was completed with no change.
5) TDSS Fix Tool 2.1.3 indicates Backdoor.Tidserv has not been found
6) CAT5 now unplugged since I'm not sure if I should be on the network until fixed

DDS.txt Log START:


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_23
Run by LaNell and Marty at 8:42:17 on 2011-12-19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1634 [GMT -6:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\igfxsrvc.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://by127w.bay127.mail.live.com/mail/TodayLight.aspx?&n=330886464
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230102897890
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{0B17E038-DE23-4C14-AC25-9BA2E8C019D7} : DhcpNameServer = 10.0.0.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\lanell and marty\application data\mozilla\firefox\profiles\6a31v703.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.live.com/default.aspx?wa=wsignin1.0
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=WBG&o=15136&locale=en_US&apn_uid=8052DDB2-0D1F-4D92-9763-6929054D4E00&apn_ptnrs=RS&apn_sauid=7D367AF9-F945-4C80-8846-B4D015126C68&apn_dtid=&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\alwil software\avast5\webrep\FF
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\lanell and marty\application data\Move Networks
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-17 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-15 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-15 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-15 44768]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-24 24652]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1ca1b18fce9fd9e;Google Update Service (gupdate1ca1b18fce9fd9e);c:\program files\google\update\GoogleUpdate.exe [2009-8-12 133104]
S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [2009-11-8 29184]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-8-12 133104]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-12-19 02:07:13 -------- d-sha-r- C:\cmdcons
2011-12-19 02:07:13 -------- d-----w- c:\windows\setup.pss
2011-12-19 00:37:07 98816 ----a-w- c:\windows\sed.exe
2011-12-19 00:37:07 518144 ----a-w- c:\windows\SWREG.exe
2011-12-19 00:37:07 256000 ----a-w- c:\windows\PEV.exe
2011-12-19 00:37:07 208896 ----a-w- c:\windows\MBR.exe
2011-12-18 19:55:44 184072 ----a-w- c:\windows\system32\drivers\EuFdDisk.sys
2011-12-17 22:02:55 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2011-12-17 22:01:56 604253 -c--a-w- c:\windows\system32\dllcache\vmodem.sys
2011-12-17 22:00:59 94720 -c--a-w- c:\windows\system32\dllcache\umaxud32.dll
2011-12-17 21:59:57 440576 -c--a-w- c:\windows\system32\dllcache\tridkb.dll
2011-12-17 21:58:58 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys
2011-12-17 21:57:57 41472 -c--a-w- c:\windows\system32\dllcache\sw_effct.dll
2011-12-17 21:56:57 20752 -c--a-w- c:\windows\system32\dllcache\sonync.sys
2011-12-17 21:55:59 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2011-12-17 21:54:57 36480 -c--a-w- c:\windows\system32\dllcache\sfmanm.sys
2011-12-17 21:53:56 179264 -c--a-w- c:\windows\system32\dllcache\s3sav3d.dll
2011-12-17 21:52:59 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2011-12-17 21:51:59 159232 -c--a-w- c:\windows\system32\dllcache\ptpusd.dll
2011-12-17 21:50:57 27296 -c--a-w- c:\windows\system32\dllcache\perc2.sys
2011-12-17 21:49:57 48000 -c--a-w- c:\windows\system32\dllcache\ovcam2.sys
2011-12-17 21:48:58 65278 -c--a-w- c:\windows\system32\dllcache\netflx3.sys
2011-12-17 21:47:52 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2011-12-17 21:47:51 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2011-12-17 21:47:47 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2011-12-17 21:47:37 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2011-12-17 21:47:36 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2011-12-17 21:47:25 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2011-12-17 21:47:21 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2011-12-17 21:47:20 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2011-12-17 21:47:13 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2011-12-17 21:47:12 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2011-12-17 21:47:07 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2011-12-17 21:45:59 70730 -c--a-w- c:\windows\system32\dllcache\lne100tx.sys
2011-12-17 21:44:57 18688 -c--a-w- c:\windows\system32\dllcache\irsir.sys
2011-12-17 21:43:58 91136 -c--a-w- c:\windows\system32\dllcache\icam4com.dll
2011-12-17 21:42:59 391199 -c--a-w- c:\windows\system32\dllcache\hsf_k56k.sys
2011-12-17 21:41:58 119296 -c--a-w- c:\windows\system32\dllcache\hpdigwia.dll
2011-12-17 21:40:54 22090 -c--a-w- c:\windows\system32\dllcache\fem556n5.sys
2011-12-17 21:39:58 114944 -c--a-w- c:\windows\system32\dllcache\epstw2k.sys
2011-12-17 21:38:59 26698 -c--a-w- c:\windows\system32\dllcache\dlh5xnd5.sys
2011-12-17 21:37:58 28672 -c--a-w- c:\windows\system32\dllcache\cyycoins.dll
2011-12-17 21:36:58 74240 -c--a-w- c:\windows\system32\dllcache\camexo20.dll
2011-12-17 21:35:59 26624 -c--a-w- c:\windows\system32\dllcache\ativxbar.sys
2011-12-17 21:29:36 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
2011-12-17 20:32:53 -------- d-----w- C:\ERDNT
2011-12-13 08:25:27 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{0fae90d2-fc9c-458c-a2be-8913ce9f6672}\mpengine.dll
2011-12-01 23:00:00 -------- d-----w- c:\program files\Microsoft XNA
2011-12-01 22:33:21 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2011-12-01 22:33:21 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2011-12-01 22:33:21 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2011-12-01 22:33:20 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2011-11-28 22:45:15 471552 --sha-w- C:\EUMONBMP.SYS
2011-11-28 22:38:01 42376 ----a-w- c:\windows\system32\drivers\EUBKMON.sys
.
==================== Find3M ====================
.
2011-11-28 22:33:01 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-28 18:01:25 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 17:53:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-31 23:43:21 832512 ----a-w- c:\windows\system32\wininet.dll
2011-10-31 23:43:21 78336 ------w- c:\windows\system32\ieencode.dll
2011-10-31 23:43:21 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-10-31 23:43:20 17408 ------w- c:\windows\system32\corpol.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-22 04:46:48 16008 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2011-10-22 04:46:46 38920 ----a-w- c:\windows\system32\drivers\eubakup.sys
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 8:43:33.18 ===============


#2 CatByte, bleepin' tiger (Malware Response Team, 14,664 posts, Canada)

Posted 21 December 2011 - 10:42 AM

Hi

Please physically connect your machine to the internet so the tool can determine what service is failing and run the following:

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 atraum, Topic Starter (Members, 9 posts)

Posted 21 December 2011 - 11:04 AM

Thank you soooo much for your support CatByte!! Here is the requested scan with the default "Internet Services" selected:

Farbar Service Scanner
Ran by LaNell and Marty (administrator) on 21-12-2011 at 10:01:45
Microsoft Windows XP Home Edition Service Pack 3 (X86)
********************************************************

Internet Services:
=================
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Nsi Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open Nsi registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open Nsi registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open Nsi registry key. The service key does not exist.

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of afd. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of afd. The value does not exist.


Connection Status:
=================
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


File Check:
==========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

**** End of log ****

#4 CatByte, bleepin' tiger (Malware Response Team, 14,664 posts, Canada)

Posted 21 December 2011 - 11:25 AM

Please re-run Farbar Service Scanner

copy/paste the following into the search window

Nsi
Afd

press the "Export Service" button

post the results of the FSS.txt in your next reply


#5 atraum, Topic Starter (Members, 9 posts)

Posted 21 December 2011 - 12:00 PM

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Afd]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Afd\Parameters]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Afd\Enum]
"0"="Root\\LEGACY_AFD\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
"INITSTARTFAILED"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Afd]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Afd\0000]
"Service"="AFD"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="AFD"
"Capabilities"=dword:00000000
"Driver"="{8ECC055D-047F-11D1-A537-0000F8753ED1}\\0001"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Afd\0000\LogConf]
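The export above is the telling artifact: the Afd service key still exists, but every value the Service Control Manager needs to load afd.sys (Type, Start, ErrorControl, ImagePath) is gone, and the Enum subkey has recorded a failed start. Note that the FSS "File Check" in post #3 reported afd.sys, tcpip.sys and the rest as "MD5 is legit": the binaries were untouched, only their service configuration was wiped, so a hash-only check passes while the network stack is dead. The following is an added example, not part of the thread and not Farbar's code: a small parser for REG 5.00 export text plus a check that reports a service key the way the scanner does (missing key, missing required values, INITSTARTFAILED flag, unexpected ImagePath). The stripped sample is the Afd export posted above; the intact sample is constructed, and its values are assumed Windows XP defaults for afd.sys that should be verified against an export from a known-good machine of the same build. Function names (parse_reg, check_service, diagnose) are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

Value = Tuple[str, object]              # (registry type name, decoded data)
RegTree = Dict[str, Dict[str, Value]]   # lower-cased key path -> {value name: Value}

# Sample 1 (the export posted above): the Afd service key exists but holds no
# values; only the PnP Enum subkey survives, recording a failed boot-time start.
STRIPPED_AFD = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Afd]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Afd\Parameters]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Afd\Enum]
"0"="Root\\LEGACY_AFD\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
"INITSTARTFAILED"=dword:00000001
'''


def _hex2(s: str) -> str:
    """Encode a string as regedit exports REG_EXPAND_SZ: UTF-16LE, NUL-terminated."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))


# Sample 2 (constructed): an intact kernel-driver service entry. The values are
# ASSUMED Windows XP defaults for afd.sys; confirm them on a known-good machine.
INTACT_AFD = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Afd]\n"
    '"DisplayName"="AFD"\n'
    '"Group"="TDI"\n'
    '"ImagePath"=' + _hex2("\\SystemRoot\\System32\\drivers\\afd.sys") + "\n"
    '"ErrorControl"=dword:00000001\n'
    '"Start"=dword:00000001\n'
    '"Type"=dword:00000001\n\n'
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Afd\\Enum]\n"
    '"0"="Root\\\\LEGACY_AFD\\\\0000"\n'
    '"Count"=dword:00000001\n'
    '"NextInstance"=dword:00000001\n'
)

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def decode_value(raw: str) -> Value:
    """Decode the right-hand side of a REG 5.00 value line."""
    if raw.startswith('"') and raw.endswith('"'):
        return ("REG_SZ", _unescape(raw[1:-1]))
    if raw.startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        kind = int(m.group(1) or "3")            # bare "hex:" is REG_BINARY
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind == 2:                            # REG_EXPAND_SZ
            return ("REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\0"))
        if kind == 7:                            # REG_MULTI_SZ
            return ("REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\0") if s])
        return (f"REG_TYPE_{kind}", data)
    raise ValueError(f"unrecognised value syntax: {raw!r}")


def parse_reg(text: str) -> RegTree:
    """Parse REG 5.00 export text into {key path: {name: value}}; key paths lower-cased."""
    tree: RegTree = {}
    current: Optional[str] = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            tree.setdefault(current, {})
            continue
        while line.endswith("\\"):           # long hex values wrap with a trailing backslash
            line = line[:-1] + lines[i].strip()
            i += 1
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparsable line: {line!r}")
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        tree[current][name] = decode_value(m.group(2))
    return tree


# Values the Service Control Manager reads before it will load a driver service.
REQUIRED = ("Type", "Start", "ErrorControl", "ImagePath")


def check_service(tree: RegTree, services_path: str, name: str,
                  expected_image: Optional[str] = None) -> List[str]:
    """Return findings for one service key; an empty list means it looks intact."""
    base = f"{services_path}\\{name}".lower()
    if base not in tree:
        return [f"{name}: service key does not exist"]
    values = tree[base]
    findings = [f"{name}: required value {v} is missing" for v in REQUIRED if v not in values]
    if tree.get(base + "\\enum", {}).get("INITSTARTFAILED", ("", 0))[1] == 1:
        findings.append(f"{name}: Enum\\INITSTARTFAILED is set (driver failed to start at last boot)")
    if expected_image and "ImagePath" in values:
        image = str(values["ImagePath"][1]).lower()
        if not image.endswith("\\" + expected_image.lower()):
            findings.append(f"{name}: ImagePath {image!r} does not end in {expected_image}")
    return findings


def diagnose() -> Dict[str, List[str]]:
    """Check both samples, plus a service name absent from the export (as Nsi was)."""
    services = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
    return {
        "stripped Afd": check_service(parse_reg(STRIPPED_AFD), services, "Afd", "afd.sys"),
        "intact Afd": check_service(parse_reg(INTACT_AFD), services, "Afd", "afd.sys"),
        "Nsi": check_service(parse_reg(STRIPPED_AFD), services, "Nsi"),
    }


if __name__ == "__main__":
    for label, findings in diagnose().items():
        print(f"{label}: {findings or ['OK']}")
```

To use this on a real case, export the service key with regedit or the scanner's "Export Service" button and feed the file's text to parse_reg; the checks are deliberately structural (which values exist, what the driver path ends in) rather than hash-based, because this is exactly the damage a file-integrity check cannot see.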

#6 CatByte, bleepin' tiger (Malware Response Team, 14,664 posts, Canada)

Posted 21 December 2011 - 02:15 PM

Hi

Please run the following registry fix, then run a scan with farbar's Service Scanner

Backup Your Registry:
Download ERUNT to your Desktop (right-click the link, select Save Link/Target As..., select your Desktop and press Save)
Right-click erunt.zip, choose Extract All… and follow the prompts to unzip the program.
Open the erunt folder on your Desktop and double-click ERUNT.exe to start the program
Click OK for all the prompts to back up your registry to the default location.
Note: if it becomes necessary to restore the registry, open the backup folder and start ERDNT.exe


NEXT



Click WinKey + R to open a run box > type notepad into the open run box > OK > this will open Notepad

Click Format and make certain that Word Wrap is NOT checked.

Copy/Paste the text inside of the code box into the open Notepad



Registry Fix edited as it was designed specifically for this user


Now go to File > and click Save As,
From the drop down menu at the top of the box choose Desktop as the location to save this file.
Go down to the File Name box and type in fixme.reg as the file name, then choose All Files as the save as file type.
Then click the save button.

Once you have clicked the save button, close Notepad.

You should now see a file named fixme.reg on your desktop.

Locate the fixme.reg icon on your desktop and double click it, an information box will pop up asking if you want to merge the information in the file into the registry, click YES.

Once the file has run, the information will have merged with your registry so you can delete fixme.reg from your desktop as you won't be needing it any more.

Edited by CatByte, 25 December 2011 - 03:26 PM.


#7 atraum, Topic Starter (Members, 9 posts)

Posted 21 December 2011 - 02:28 PM

Done, should I do a reboot after the merge?

#8 CatByte, bleepin' tiger (Malware Response Team, 14,664 posts, Canada)

Posted 21 December 2011 - 02:36 PM

yes please, then run the farbar service scanner once more (just a regular scan)

Edited by CatByte, 21 December 2011 - 02:36 PM.


#9 atraum, Topic Starter (Members, 9 posts)

Posted 21 December 2011 - 02:55 PM

Wow! You rock CatByte!!!! Network access has been restored. Here is the farbar service scanner log:

Farbar Service Scanner
Ran by LaNell and Marty (administrator) on 21-12-2011 at 13:51:15
Microsoft Windows XP Home Edition Service Pack 3 (X86)
********************************************************

Internet Services:
=================

Connection Status:
=================
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


File Check:
==========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

**** End of log ****

#10 CatByte, bleepin' tiger (Malware Response Team, 14,664 posts, Canada)

Posted 21 December 2011 - 03:01 PM

good news,

OK, let's do a couple more scans to make sure there aren't any leftovers.

please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


#11 atraum, Topic Starter (Members, 9 posts)

Posted 21 December 2011 - 03:59 PM

Thanks again for all your help CatByte! MBAM updated its 20 day old database and the scan came back clean. ESET is currently scanning but will take some time, started 35 minutes ago and at 25% complete. I will update with both logs once finished. Can't thank you enough for your help.

#12 atraum, Topic Starter (Members, 9 posts)

Posted 21 December 2011 - 06:18 PM

Although MBAM was clean, it does look like ESET did find something. Logs as requested:

****MBAM LOG START****
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122105

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/21/2011 2:08:28 PM
mbam-log-2011-12-21 (14-08-28).txt

Scan type: Quick scan
Objects scanned: 194053
Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
****MBAM LOG END****


****ESET LOG START****
C:\Documents and Settings\LaNell and Marty\My Documents\Downloads\SoftonicDownloader_for_winrar.exe a variant of Win32/SoftonicDownloader.A application
****ESET LOG END****

#13 CatByte, bleepin' tiger (Malware Response Team, 14,664 posts, Canada)

Posted 21 December 2011 - 06:27 PM

Hi,

The file found is not a threat; ESET is just reporting the type of file that it is.

Please do the following:

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Your Java is out of date.
Java™ 6 Update 23 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; > follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT

Please post a fresh DDS Log and advise how the computer is running now and if there are any outstanding issues.


#14 atraum, Topic Starter (Members, 9 posts)

Posted 21 December 2011 - 07:54 PM

Updates and cache clear completed. Also updated Firefox and reset the Windows Firewall to default settings, since I noticed that the owner of the system had a bunch of items in the exception list. Reinstalled Avast and used msconfig to check startup items, and all appears to look and run well. One item of note is that when opening the Task Manager the window does not have the top menu bar, only a listing of tasks along with their status and the three buttons at the bottom. Not a critical issue, as I doubt the owner of this system even knows about the Task Manager, but I wanted to at least bring it up to ensure we weren't missing something. Here is the fresh DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_30
Run by LaNell and Marty at 18:38:06 on 2011-12-21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1618 [GMT -6:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://by127w.bay127.mail.live.com/mail/TodayLight.aspx?&n=330886464
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230102897890
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{0B17E038-DE23-4C14-AC25-9BA2E8C019D7} : DhcpNameServer = 192.168.0.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\lanell and marty\application data\mozilla\firefox\profiles\6a31v703.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://mail.live.com/default.aspx?wa=wsignin1.0
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=WBG&o=15136&locale=en_US&apn_uid=8052DDB2-0D1F-4D92-9763-6929054D4E00&apn_ptnrs=RS&apn_sauid=7D367AF9-F945-4C80-8846-B4D015126C68&apn_dtid=&q=
FF - plugin: c:\documents and settings\lanell and marty\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\lanell and marty\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\lanell and marty\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\lanell and marty\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-15 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-15 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-15 44768]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-24 24652]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-17 435032]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1ca1b18fce9fd9e;Google Update Service (gupdate1ca1b18fce9fd9e);c:\program files\google\update\GoogleUpdate.exe [2009-8-12 133104]
S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [2009-11-8 29184]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-8-12 133104]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-12-22 00:18:51 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-12-22 00:18:49 814040 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-12-22 00:18:49 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2011-12-22 00:18:49 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2011-12-22 00:18:49 486360 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-12-22 00:18:49 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2011-12-22 00:18:49 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2011-12-22 00:18:49 2124760 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-12-22 00:18:49 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-12-22 00:18:48 97240 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-12-22 00:18:48 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-12-22 00:18:48 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-12-21 23:50:43 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-12-21 20:16:51 -------- d-----w- c:\program files\ESET
2011-12-19 02:07:13 -------- d-sha-r- C:\cmdcons
2011-12-19 02:07:13 -------- d-----w- c:\windows\setup.pss
2011-12-19 00:37:07 98816 ----a-w- c:\windows\sed.exe
2011-12-19 00:37:07 518144 ----a-w- c:\windows\SWREG.exe
2011-12-19 00:37:07 256000 ----a-w- c:\windows\PEV.exe
2011-12-19 00:37:07 208896 ----a-w- c:\windows\MBR.exe
2011-12-18 19:55:44 184072 ----a-w- c:\windows\system32\drivers\EuFdDisk.sys
2011-12-17 22:02:55 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2011-12-17 22:01:56 604253 -c--a-w- c:\windows\system32\dllcache\vmodem.sys
2011-12-17 22:00:59 94720 -c--a-w- c:\windows\system32\dllcache\umaxud32.dll
2011-12-17 21:59:57 440576 -c--a-w- c:\windows\system32\dllcache\tridkb.dll
2011-12-17 21:58:58 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys
2011-12-17 21:57:57 41472 -c--a-w- c:\windows\system32\dllcache\sw_effct.dll
2011-12-17 21:56:57 20752 -c--a-w- c:\windows\system32\dllcache\sonync.sys
2011-12-17 21:55:59 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2011-12-17 21:54:57 36480 -c--a-w- c:\windows\system32\dllcache\sfmanm.sys
2011-12-17 21:53:56 179264 -c--a-w- c:\windows\system32\dllcache\s3sav3d.dll
2011-12-17 21:52:59 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2011-12-17 21:51:59 159232 -c--a-w- c:\windows\system32\dllcache\ptpusd.dll
2011-12-17 21:50:57 27296 -c--a-w- c:\windows\system32\dllcache\perc2.sys
2011-12-17 21:49:57 48000 -c--a-w- c:\windows\system32\dllcache\ovcam2.sys
2011-12-17 21:48:58 65278 -c--a-w- c:\windows\system32\dllcache\netflx3.sys
2011-12-17 21:47:52 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2011-12-17 21:47:51 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2011-12-17 21:47:47 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2011-12-17 21:47:37 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2011-12-17 21:47:36 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2011-12-17 21:47:25 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2011-12-17 21:47:21 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2011-12-17 21:47:20 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2011-12-17 21:47:13 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2011-12-17 21:47:12 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2011-12-17 21:47:07 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2011-12-17 21:45:59 70730 -c--a-w- c:\windows\system32\dllcache\lne100tx.sys
2011-12-17 21:44:57 18688 -c--a-w- c:\windows\system32\dllcache\irsir.sys
2011-12-17 21:43:58 91136 -c--a-w- c:\windows\system32\dllcache\icam4com.dll
2011-12-17 21:42:59 391199 -c--a-w- c:\windows\system32\dllcache\hsf_k56k.sys
2011-12-17 21:41:58 119296 -c--a-w- c:\windows\system32\dllcache\hpdigwia.dll
2011-12-17 21:40:54 22090 -c--a-w- c:\windows\system32\dllcache\fem556n5.sys
2011-12-17 21:39:58 114944 -c--a-w- c:\windows\system32\dllcache\epstw2k.sys
2011-12-17 21:38:59 26698 -c--a-w- c:\windows\system32\dllcache\dlh5xnd5.sys
2011-12-17 21:37:58 28672 -c--a-w- c:\windows\system32\dllcache\cyycoins.dll
2011-12-17 21:36:58 74240 -c--a-w- c:\windows\system32\dllcache\camexo20.dll
2011-12-17 21:35:59 26624 -c--a-w- c:\windows\system32\dllcache\ativxbar.sys
2011-12-17 21:29:36 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
2011-12-17 20:32:53 -------- d-----w- C:\ERDNT
2011-12-13 08:25:27 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{0fae90d2-fc9c-458c-a2be-8913ce9f6672}\mpengine.dll
2011-12-01 23:00:00 -------- d-----w- c:\program files\Microsoft XNA
2011-12-01 22:33:21 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2011-12-01 22:33:21 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2011-12-01 22:33:21 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2011-12-01 22:33:20 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2011-11-28 22:45:15 471552 --sha-w- C:\EUMONBMP.SYS
2011-11-28 22:38:01 42376 ----a-w- c:\windows\system32\drivers\EUBKMON.sys
.
==================== Find3M ====================
.
2011-11-28 22:33:01 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-28 18:01:25 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 17:53:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-10 11:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 09:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-31 23:43:21 832512 ----a-w- c:\windows\system32\wininet.dll
2011-10-31 23:43:21 78336 ------w- c:\windows\system32\ieencode.dll
2011-10-31 23:43:21 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-10-31 23:43:20 17408 ------w- c:\windows\system32\corpol.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-22 04:46:48 16008 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2011-10-22 04:46:46 38920 ----a-w- c:\windows\system32\drivers\eubakup.sys
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 18:41:45.70 ===============
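The log above is the kind a helper reads by eye. As an added example (not part of this thread and not a BleepingComputer or DDS tool), the Python below parses the DDS sections and flags the entries a reviewer checks first: Run keys that launch from temp or user-profile directories, Winlogon Notify DLLs, a configured proxy server, and services whose image file DDS could not find (the `[?]` marker that replaces the file date and size, as on the mferkdk line in the log). The sample input is constructed in the same format; the `sysupd` Run entry and the ProxyServer line are hypothetical and were not in the poster's log.

```python
import re

# Constructed sample in the DDS log format seen in this thread. The sysupd
# Run entry and the ProxyServer line are hypothetical (not from the poster's log).
SAMPLE_DDS = """\
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:8080
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\\program files\\ask.com\\GenericAskToolbar.dll
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [avast] "c:\\program files\\alwil software\\avast5\\avastUI.exe" /nogui
uRun: [sysupd] c:\\documents and settings\\user\\local settings\\temp\\sysupd.exe
Notify: GoToAssist - c:\\program files\\citrix\\gotoassist\\514\\G2AWinLogon.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;aswSP;c:\\windows\\system32\\drivers\\aswSP.sys [2010-9-15 314456]
S1 mferkdk;VSCore mferkdk;\\??\\c:\\program files\\mcafee\\virusscan enterprise\\mferkdk.sys --> c:\\program files\\mcafee\\virusscan enterprise\\mferkdk.sys [?]
.
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^([udm]Run):\s*\[(.+?)\]\s*(.*)$")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# Directories a legitimate autostart entry rarely lives in on XP (user-writable).
SUSPICIOUS_DIRS = ("\\temp\\", "\\application data\\", "\\local settings\\")


def split_sections(text: str) -> dict[str, list[str]]:
    """Group log lines under their '===== NAME =====' banners; DDS's '.' spacer lines are dropped."""
    sections: dict[str, list[str]] = {}
    current = "PREAMBLE"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def image_path(command: str) -> str:
    """Extract the executable path from a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: the path runs up to the first ' -' or ' /' switch, else the whole string.
    return re.split(r"\s+[-/]", command, maxsplit=1)[0]


def parse_services(lines: list[str]) -> list[dict]:
    """Turn 'R1 name;display;path [date size]' lines into records; '[?]' means DDS found no file."""
    out = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        state, name, display, rest = m.groups()
        # Keep the resolved path (after '-->' when present) and drop the trailing '[...]'.
        path = rest.split(" [")[0].split(" --> ")[-1].strip()
        out.append({"state": state, "name": name, "display": display,
                    "path": path, "file_missing": rest.rstrip().endswith("[?]")})
    return out


def triage(text: str) -> list[str]:
    """Return human-readable findings from the HJT and services sections of a DDS log."""
    sections = split_sections(text)
    findings = []
    for line in sections.get("PSEUDO HJT REPORT", []):
        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            path = image_path(command).lower()
            if any(d in path for d in SUSPICIOUS_DIRS):
                findings.append(f"{hive} [{name}] starts from a user-writable directory: {path}")
            continue
        if line.startswith("Notify:"):
            # Winlogon Notify packages are DLLs loaded into winlogon.exe at boot.
            findings.append(f"Winlogon Notify package, verify it: {line[7:].strip()}")
        elif "Internet Settings,ProxyServer" in line:
            findings.append(f"Browser traffic is routed through a proxy: {line.split('=', 1)[1].strip()}")
    for svc in parse_services(sections.get("SERVICES / DRIVERS", [])):
        if svc["file_missing"]:
            findings.append(f"Service {svc['name']} ({svc['state']}) points at a file DDS could not find: {svc['path']}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print("-", finding)
```

Run it against a saved DDS log by passing the file's contents to `triage()`; on the sample it reports the proxy line, the `sysupd` Run key, the GoToAssist Notify DLL and the orphaned mferkdk service. A flagged entry is a prompt to look closer, not a verdict: the GoToAssist package and a stale McAfee driver entry are both plausible leftovers of legitimate software, which is why the output quotes the path rather than labelling it malicious.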

#15 atraum (Topic Starter, Members, 9 posts)

Posted 21 December 2011 - 07:57 PM

Ugh, knew I should have googled it first. Didn't know you could double click an empty space in the top border to make it re-appear. Guess I've been away from XP for too long! Thanks again for all your assistance!!
