
Help with XP Home Security 2012 Virus


This topic is locked
39 replies to this topic

#1 Lothior


Posted 17 January 2012 - 10:57 AM

Hello.

I've got a PC running WinXP Pro SP3 with XP Home Security 2012 virus on it. No idea how it got there and I've spent an awful long time trying to get rid of it. First I will list what I've tried.

Starting with the tutorial here: http://www.bleepingcomputer.com/virus-removal/remove-xp-home-security-2012

I've followed every step of that and run through the entire process twice. I seem to be able to "eliminate" the virus in Safe Mode (under Administrator); however, no matter what I do, it comes back in Normal boot up (or Safe Mode logged in as User). I've gotten through every step in the tutorial. MalwareBytes Anti-Malware I've been able to update to its newest version and database and run the scans. I'll list what it has found when I ran the scans (two so far).

Result 1:
C:\Windows\Temp\gdfyghret.exe (Trojan.CryptPro.Gen) - Quarantined and deleted successfully.
C:\Windows\Temp\tue0.48318695555482283.exe (Trojan.CryptPro.Gen) - Quarantined and deleted successfully.
C:\Windows\Temp\tue0.7966543721667007.exe (Trojan.CryptPro.Gen) - Quarantined and deleted successfully.
C:\Windows\Temp\tue0.9654599823339141.exe (Trojan.CryptPro.Gen) - Quarantined and deleted successfully.
C:\My Documents\Downloads\RadioPI.exe (Adware.FunWeb) - Quarantined and deleted successfully.

At this point I restarted the computer as instructed once MBAM finished, letting it go to Normal WinXP mode. XP Home Security 2012 jumped up on the screen immediately upon hitting Windows. So I went through the whole process again, this time also ensuring that the locations listed for possible files of the virus and registry entries were not still hanging around (see the end of the tutorial for those). My search came up empty. I ran through the entire tutorial a second time. Got to the MBAM step and here are my results.

Result 2:
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\34\b491ca2-5b793cd9 (Trojan.Gbot) - Quarantined and deleted successfully.

Rebooted the computer as instructed again. Normal Windows. Bam, another pop up. So I went to Safe Mode, accidentally logging in as the User instead of Administrator. Oddly enough, XP Home Security 2012 will still function in Safe Mode as the normal user, but NOT as Administrator. Some other things to note: I tried to get rid of some of the junk on this PC by running System Ninja, and each time it would run to a specific number of files and then stop. It wouldn't crash, but the scanner would just hang. I think it hit the virus and got stung.

At one point in my search (the first of two), Rkill came up with a hit on: Rootkit.Win32.ZAccess.aml

It seemed to be able to handle the file and get rid of it because subsequent runnings of Rkill are not producing any results.

A run of Secunia PSI (listed in the tutorial as a last step, ideally once the PC was cured) resulted in:

Would not run. Unable to ascertain why.



During Safe Mode as Administrator, my antivirus software (Microsoft Security Essentials) is actually running. The MsMpEng.exe is in Process Explorer. I don't, however, see anything unusual in Safe Mode as Administrator. Just figured this was interesting to note. However, the real time protection is turned off, and it fails to turn on, giving the error:
Error Code: 0x800705b4

The error is essentially a timeout error.



I have DDS and GMER downloaded and ready to run if someone deems them necessary. I ran them once to familiarize myself with them under Safe Mode Administrator (the only place they run, even DDS.scr). So their usefulness may be suspect. But I'm willing to try if someone knows a way around.


I've been working on this for about two days solid and not made any headway. I'd appreciate any suggestions or advice. I'd also like to know a little more about what this virus is doing to my system, i.e. collecting info and sending it to a bad guy, or just messing around, and if any external drives or thumb flash drives are at risk. This PC has My Documents redirected to an external hard drive (and if you'll remember, I found a Trojan on that drive). I've included it in each scan I've run to be safe. I'd like the peace of mind of knowing my data is safe, or to know if I need to take steps to ensure that it will be safe in case it was compromised. Thank you for your time, I really, really appreciate it.

Edited by Lothior, 17 January 2012 - 10:58 AM.


#2 boopme

  • Global Moderator

Posted 17 January 2012 - 11:25 AM

Run them and post those 2 logs.

#3 Lothior

  • Topic Starter

Posted 17 January 2012 - 11:32 AM

Will do, but as I said, it only runs under Administrator in Safe Mode, so the results might not be very helpful. I will post those logs momentarily.


First DDS log file. Attaching the "Attach.txt" output as directed in one of the many FAQs on the site. Below the DDS file (separated by a line) is the GMER log. I have scanned all the logs with MBAM and Microsoft Security Essentials and they came up clean. So hopefully they are. Again, thank you for taking the time to review this.

Update: I removed the attach.txt and just posted it as clear text; it seems that, even though the FAQ said otherwise, many people don't like that method? Either way, it's there now.

============================================================================
DDS log file
============================================================================

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by Administrator at 8:54:48 on 2012-01-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1662 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Folder\fq2xx3nt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.dell.com
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
{0b4d6b1c-d1a6-4b21-9412-cc846ebfa818}
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - c:\program files\somototoolbar\vmntemplateX.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {e86e69ac-a2ce-415a-967e-70ded47d72e2}: 1 (0x1)
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
{10834e9a-d475-4a24-ad01-f3f24f71b28e}
TB: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - c:\program files\somototoolbar\vmntemplateX.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [ShowLOMControl] 1 (0x1)
mRun: [DLBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBTtime.dll,_RunDLLEntry@16
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://imail.ashland.com/dwa85W.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1257613010015
DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} - hxxps://imail.ashland.com/dwa85W.cab
DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} - hxxp://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://imail.ashland.com/dwa7W.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]
S1 MpKsl06e86bee;MpKsl06e86bee;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e81edaa3-bfc6-47fc-8d69-5fc8e082b3c1}\mpksl06e86bee.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e81edaa3-bfc6-47fc-8d69-5fc8e082b3c1}\MpKsl06e86bee.sys [?]
S1 MpKslac9071c3;MpKslac9071c3;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{41ea2eb9-243d-4087-ae8a-5b5b592758fe}\mpkslac9071c3.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{41ea2eb9-243d-4087-ae8a-5b5b592758fe}\MpKslac9071c3.sys [?]
S1 MpKslcf4fc336;MpKslcf4fc336;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1c2af5f3-4bde-4494-8621-a3e874a82db6}\mpkslcf4fc336.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1c2af5f3-4bde-4494-8621-a3e874a82db6}\MpKslcf4fc336.sys [?]
S1 MpKslf9e5f9e1;MpKslf9e5f9e1;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{979f1944-58fe-4f0e-a3b6-79537c84129b}\mpkslf9e5f9e1.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{979f1944-58fe-4f0e-a3b6-79537c84129b}\MpKslf9e5f9e1.sys [?]
S2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-11 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1ca5da31dcfc10c;Google Update Service (gupdate1ca5da31dcfc10c);c:\program files\google\update\GoogleUpdate.exe [2009-11-4 133104]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-10-28 652872]
S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [?]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-10-14 994360]
S2 UnsignedThemes;Unsigned Themes;c:\windows\UnsignedThemesSvc.exe [2009-7-13 21096]
S2 uxpatch;uxpatch;c:\windows\system32\drivers\uxpatch.sys [2009-7-13 25448]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-11-4 133104]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-10-28 20464]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2009-10-24 360224]
S4 SessionLauncher;SessionLauncher;c:\docume~1\vito\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\vito\locals~1\temp\dx9\SessionLauncher.exe [?]
.
=============== Created Last 30 ================
.
2012-01-17 00:50:19 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ac2889a4-dd55-44ce-831c-3c5b06b72aba}\offreg.dll
2012-01-17 00:27:26 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Secunia PSI
2012-01-17 00:26:48 -------- d-----w- c:\program files\Secunia
2012-01-16 19:05:05 -------- d-----w- c:\program files\System Ninja
2012-01-16 18:38:01 -------- d-----w- c:\documents and settings\administrator\application data\Windows Search
2012-01-16 18:36:20 -------- d-----w- C:\Folder
2012-01-16 13:59:10 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-16 13:40:09 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ac2889a4-dd55-44ce-831c-3c5b06b72aba}\MpKslcfda6f7c.sys
2012-01-16 11:56:59 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ac2889a4-dd55-44ce-831c-3c5b06b72aba}\MpKsl1af4aa49.sys
2012-01-15 14:30:52 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2012-01-15 13:53:19 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Google
2012-01-15 13:23:38 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2012-01-15 13:17:50 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
2012-01-15 05:51:56 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ac2889a4-dd55-44ce-831c-3c5b06b72aba}\mpengine.dll
2012-01-12 03:19:16 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-12 03:19:16 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-12 03:19:16 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-12 03:19:16 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-03 13:10:44 182672 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-01-03 13:10:44 182672 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-12-24 05:40:59 -------- d-----w- c:\program files\iPod
2011-12-24 05:40:54 -------- d-----w- c:\program files\iTunes
.
==================== Find3M ====================
.
2012-01-16 14:39:21 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-05 16:23:34 22784 ----a-w- c:\windows\system32\drivers\RimUsb.sys
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-25 03:38:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:25:32 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-21 22:38:08 713472 ----a-w- C:\RealPlayer.exe
2011-11-18 12:35:08 60416 ------w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28:36 386048 ------w- c:\windows\system32\qdvd.dll
2011-11-03 15:28:36 1292288 ------w- c:\windows\system32\quartz.dll
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ------w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ------w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:03 2069376 ------w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 18:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 18:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
============= FINISH: 8:55:28.87 ===============





======================================================================
GMER Log File
======================================================================

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-17 08:54:28
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST980815A rev.3.ADE
Running: fq2xx3nt.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fwlyapob.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat B951DD20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB4411$\3215371933 0 bytes
File C:\WINDOWS\$NtUninstallKB4411$\3215371933\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB4411$\3215371933\bckfg.tmp 850 bytes
File C:\WINDOWS\$NtUninstallKB4411$\3215371933\cfg.ini 199 bytes
File C:\WINDOWS\$NtUninstallKB4411$\3215371933\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB4411$\3215371933\keywords 0 bytes
File C:\WINDOWS\$NtUninstallKB4411$\3215371933\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB4411$\3215371933\L 0 bytes
File C:\WINDOWS\$NtUninstallKB4411$\3215371933\L\iahonoel 75264 bytes
File C:\WINDOWS\$NtUninstallKB4411$\3215371933\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB4411$\3215371933\U 0 bytes
File C:\WINDOWS\$NtUninstallKB4411$\3215371933\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB4411$\3215371933\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB4411$\3215371933\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB4411$\3215371933\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB4411$\3215371933\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB4411$\3215371933\U\80000032.@ 77312 bytes
File C:\WINDOWS\$NtUninstallKB4411$\4124000599 0 bytes

---- EOF - GMER 1.0.15 ----




=============================
Attach.txt
=============================
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 11/4/2009 3:47:39 PM
System Uptime: 1/16/2012 7:49:36 PM (13 hours ago)
.
Motherboard: Dell Inc. | |
Processor: Intel® Pentium® M processor 2.00GHz | Microprocessor | 1028/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 71 GiB total, 31.76 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 440x 10/100 Integrated Controller
Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01881028&REV_02\4&2FA23535&0&00F0
Manufacturer: Broadcom
Name: Broadcom 440x 10/100 Integrated Controller
PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01881028&REV_02\4&2FA23535&0&00F0
Service: bcm4sbxp
.
Class GUID:
Description:
Device ID: ROOT\LEGACY_PROCEXP113\SYSTEM
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_PROCEXP113\SYSTEM
Service:
.
==== System Restore Points ===================
.
RP1024: 11/16/2011 4:30:33 PM - System Checkpoint
RP1025: 11/16/2011 6:59:46 PM - Software Distribution Service 3.0
RP1026: 11/17/2011 10:13:22 PM - Software Distribution Service 3.0
RP1027: 11/19/2011 2:11:04 AM - Software Distribution Service 3.0
RP1028: 11/19/2011 10:32:01 PM - Software Distribution Service 3.0
RP1029: 11/20/2011 8:43:48 AM - Software Distribution Service 3.0
RP1030: 11/20/2011 12:42:15 PM - Software Distribution Service 3.0
RP1031: 11/21/2011 1:20:30 PM - Software Distribution Service 3.0
RP1032: 11/22/2011 3:23:15 PM - System Checkpoint
RP1033: 11/22/2011 5:53:40 PM - Software Distribution Service 3.0
RP1034: 11/23/2011 9:59:09 PM - System Checkpoint
RP1035: 11/23/2011 10:16:20 PM - Software Distribution Service 3.0
RP1036: 11/24/2011 10:20:05 PM - Software Distribution Service 3.0
RP1037: 11/26/2011 12:33:39 AM - Software Distribution Service 3.0
RP1038: 11/26/2011 11:01:45 PM - Software Distribution Service 3.0
RP1039: 11/27/2011 9:29:46 AM - Software Distribution Service 3.0
RP1040: 11/28/2011 12:12:50 PM - Software Distribution Service 3.0
RP1041: 11/29/2011 7:53:57 PM - Software Distribution Service 3.0
RP1042: 11/30/2011 8:12:12 PM - Software Distribution Service 3.0
RP1043: 12/1/2011 11:00:05 PM - Software Distribution Service 3.0
RP1044: 12/3/2011 9:19:52 AM - System Checkpoint
RP1045: 12/3/2011 9:22:45 AM - Software Distribution Service 3.0
RP1046: 12/4/2011 6:48:31 PM - Software Distribution Service 3.0
RP1047: 12/5/2011 8:16:25 PM - System Checkpoint
RP1048: 12/6/2011 9:06:41 PM - Software Distribution Service 3.0
RP1049: 12/7/2011 7:06:22 PM - Software Distribution Service 3.0
RP1050: 12/8/2011 7:06:45 PM - System Checkpoint
RP1051: 12/8/2011 10:37:08 PM - Software Distribution Service 3.0
RP1052: 12/9/2011 11:01:15 PM - System Checkpoint
RP1053: 12/10/2011 12:27:41 PM - Software Distribution Service 3.0
RP1054: 12/10/2011 7:07:39 PM - Software Distribution Service 3.0
RP1055: 12/11/2011 8:44:15 AM - Software Distribution Service 3.0
RP1056: 12/12/2011 6:26:34 PM - Software Distribution Service 3.0
RP1057: 12/13/2011 6:31:10 PM - System Checkpoint
RP1058: 12/13/2011 10:20:37 PM - Software Distribution Service 3.0
RP1059: 12/14/2011 5:55:45 PM - Software Distribution Service 3.0
RP1060: 12/15/2011 6:00:12 PM - System Checkpoint
RP1061: 12/16/2011 8:51:25 PM - Software Distribution Service 3.0
RP1062: 12/17/2011 9:45:29 PM - System Checkpoint
RP1063: 12/17/2011 10:38:18 PM - Installed BlackBerry App World Browser Plugin
RP1064: 12/18/2011 12:08:28 AM - Software Distribution Service 3.0
RP1065: 12/19/2011 6:04:31 PM - Software Distribution Service 3.0
RP1066: 12/20/2011 6:20:57 PM - System Checkpoint
RP1067: 12/21/2011 5:47:47 PM - Software Distribution Service 3.0
RP1068: 12/22/2011 6:13:28 PM - Software Distribution Service 3.0
RP1069: 12/23/2011 6:46:27 PM - System Checkpoint
RP1070: 12/24/2011 5:21:00 AM - Software Distribution Service 3.0
RP1071: 12/25/2011 2:06:15 PM - Software Distribution Service 3.0
RP1072: 12/26/2011 7:01:34 PM - Software Distribution Service 3.0
RP1073: 12/27/2011 7:22:13 PM - Software Distribution Service 3.0
RP1074: 12/29/2011 6:22:05 PM - Software Distribution Service 3.0
RP1075: 12/30/2011 8:26:14 PM - System Checkpoint
RP1076: 12/31/2011 8:13:20 AM - Software Distribution Service 3.0
RP1077: 1/1/2012 5:22:09 PM - Software Distribution Service 3.0
RP1078: 1/2/2012 6:04:55 PM - System Checkpoint
RP1079: 1/3/2012 5:53:00 PM - Software Distribution Service 3.0
RP1080: 1/4/2012 7:26:47 PM - Software Distribution Service 3.0
RP1081: 1/6/2012 6:23:12 PM - Software Distribution Service 3.0
RP1082: 1/7/2012 6:49:47 PM - System Checkpoint
RP1083: 1/8/2012 8:13:48 AM - Software Distribution Service 3.0
RP1084: 1/8/2012 9:30:05 AM - Software Distribution Service 3.0
RP1085: 1/8/2012 6:19:24 PM - Software Distribution Service 3.0
RP1086: 1/11/2012 9:49:54 PM - Software Distribution Service 3.0
RP1087: 1/11/2012 11:36:14 PM - Software Distribution Service 3.0
RP1088: 1/13/2012 6:24:59 PM - Software Distribution Service 3.0
RP1089: 1/15/2012 12:51:33 AM - Software Distribution Service 3.0
RP1090: 1/15/2012 1:27:01 AM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.2)
Adobe Shockwave Player 11.5
AiO_Scan_CDA
AiOSoftwareNPI
Akamai NetSession Interface
ALPS Touch Pad Driver
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ASPprep V4.1
ATI Control Panel
ATI Display Driver
Auslogics Disk Defrag
BE Limited
Belarc Advisor 8.1
BlackBerry App World Browser Plugin
Bluetooth Stack for Windows by Toshiba
BoneLab
Bonjour
Book Of Chemical Lists
Broadcom Management Programs 2
BufferChm
C4100
c4100_Help
CCleaner
CHMMprep V3.0
CIHprep V9.0
Compatibility Pack for the 2007 Office system
Complete Care Consumer Service Agreement
Conexant D110 MDC V.9x Modem
Coupon Printer for Windows
CP_CalendarTemplates1
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Panorama1Config
cp_PosterPrintConfig
CueTour
CustomerResearchQFolder
Dell Driver Reset Tool
Dell Media Experience
Dell Photo AIO Printer 922
Destinations
DeviceManagementQFolder
Digital Line Detect
DocProc
DocProcQFolder
DocumentViewer
DocumentViewerQFolder
e-Sword
e-Sword Bible Screen Saver
e-Sword Macros for Word 2003
e-Sword Training Demos
EBSCO Publishing Download Manager
eDeco
Educated Investor Guide to Investing
eLecta Live Virtual Room 7.2
eLecta Live Virtual Room 7.3
ERG 2008
eSupportQFolder
Fax_CDA
Foxit Creator
Foxit PDF Editor
Foxit Phantom
Foxit Reader 5.1
Free Desktop Clock 2.3
Free Family Games FileBulldog Toolbar
Free Spider Solitaire 2010 v2.1
FullDPAppQFolder
Google Calendar Sync
Google Chrome
Google Earth Plug-in
Google Update Helper
GPL Ghostscript 8.63
Holy Land Tour Screen Saver
Hotfix 2055 for SQL Server 2000 ENU (KB960082)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 7.0
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Solution Center 7.0
HPPhotoSmartExpress
HPProductAssistant
InstantShareDevices
InstantShareDevicesMFC
Intel® PROSet/Wireless Software
Internal Network Card Power Management
iSEEK AnswerWorks English Runtime
iTunes
Java Auto Updater
Java™ 6 Update 24
Java™ 6 Update 5
Josephs Story 1.0
lenmus v4.1.1
LibreOffice 3.3
MakeitOne - MP3AlbumMaker
Malwarebytes Anti-Malware version 1.60.0.1800
MarketResearch
mCore
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft ActiveSync
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Calculator Plus
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office File Validation Add-In
Microsoft Office Outlook 2003 with Business Contact Manager Update
Microsoft Office Small Business Edition 2003
Microsoft Reader
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Microsoft Sync Framework Runtime v1.0 (x86)
Microsoft Sync Framework Services v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
mIWA
mIWCA
mLogView
mMHouse
Mnemosyne 1.2.2
MobileMe Control Panel
Modem Helper
MovieTracer
Mozilla Firefox 9.0.1 (x86 en-US)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
mToolkit
mWlsSafe
mXML
mZConfig
National Fire Codes - 2003 May Meeting Edition
National Fire Protection Association National Electrical Code Handbook 2002 Edition
NET Bible for e-Sword (version 9.x)
NetWaiting
NewCopy_CDA
OCR Software by I.R.I.S 7.0
OGA Notifier 2.0.0048.0
Opera 10.61
PanoStandAlone
Party Booth
PDFill PDF Editor with FREE PDF Writer and Tools
PhotoGallery
PMB
PowerDVD 5.5
ProductContextNPI
QualXServ Service Agreement
QuickBible - Amplified 1.0
QuickBible - NASB 1.0
Quicken 2010
Quicken WillMaker Plus 2010
QuickSet
QuickTime
QuickVerse 2008
QuickVerse 6.0
QuickVerse 7.0
QuickVerse Library 2.0
RandMap
Readme
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
RMP*Comp
Safari
Scan
ScannerCopy
Secunia PSI (2.0.0.4003)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SkinsHP1
SlideShow
SolutionCenter
Sonic_PrimoSDK
Status
SyncToy 2.0 (x86)
System Ninja version 2.2.1.1
Teknia Language Tools (Hebrew)
TeraCopy 2.12
Toolbox
TRANE HDPsyChart
TrayApp
TurboTax 2009
TurboTax 2009 wdeiper
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wrapper
TurboTax 2010
TurboTax 2010 wdeiper
TurboTax 2010 WinPerFedFormset
TurboTax 2010 WinPerReleaseEngine
TurboTax 2010 WinPerTaxSupport
TurboTax 2010 wrapper
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
UxStyle Core Beta
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WealthBuilder
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WORDsearch
Yahoo! Install Manager
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
1/16/2012 7:10:17 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.2920.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
1/16/2012 7:01:35 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV Fips intelppm MpFilter Tosrfcom
1/16/2012 2:32:26 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.2920.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
1/16/2012 1:35:56 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
1/16/2012 1:29:23 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
1/16/2012 1:25:59 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/15/2012 6:00:38 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {943B6A75-BB5E-41A7-A6D3-A1A5E892B33B}
1/15/2012 5:11:25 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
1/14/2012 11:46:42 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the w32time service.
1/12/2012 11:25:54 PM, error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/11/2012 9:33:14 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
.
==== End Of File ===========================

Edited by Lothior, 17 January 2012 - 06:11 PM.


#4 Lothior (Topic Starter, Members)

Posted 21 January 2012 - 08:24 AM

Still having issues. I have updated logs to post in a few hours. I am able to get into Normal Windows now and run all the scans, but MBAM still keeps picking up different infections each time it's run, so I'm not getting the real infection. Well, logs to come asap. Got a scan going right now in fact.

Update: The first of the logs are coming in. What's completed as of 1-21-2012 10AM is Rkill, TDSS, and DDS. I have GMER running currently and it will probably finish later this afternoon. After that I will have MBAM logs tomorrow morning.

Update 2: GMER crashed during the scan. I know MBAM will still report problems so I'm not going to bother running it yet.

===============
RKILL LOG
===============

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/21/2012 at 9:25:50.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Documents and Settings\Vito\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Documents and Settings\Vito\Local Settings\Application Data\Akamai\netsession_win.exe


Rkill completed on 01/21/2012 at 9:26:00.





============
TDSS Killer
============

No log file, nothing was found.




===========
DDS Log (Attach.txt is zipped and attached on the post)
===========

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by Vito at 9:34:59 on 2012-01-21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1488 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\UnsignedThemesSvc.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Free Desktop Clock\DesktopClock.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\WINDOWS\explorer.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/
uWindow Title = Windows Internet Explorer provided by MSN & Bing
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
{0b4d6b1c-d1a6-4b21-9412-cc846ebfa818}
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - c:\program files\somototoolbar\vmntemplateX.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {e86e69ac-a2ce-415a-967e-70ded47d72e2}: 1 (0x1)
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
{10834e9a-d475-4a24-ad01-f3f24f71b28e}
TB: {652853ad-5592-4231-88c6-706613a52e61} - No File
TB: {06E58E5E-F8CB-4049-991E-A41C03BD419E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SkinClock] c:\program files\free desktop clock\DesktopClock.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Akamai NetSession Interface] "c:\documents and settings\vito\local settings\application data\akamai\netsession_win.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [ShowLOMControl] 1 (0x1)
mRun: [DLBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBTtime.dll,_RunDLLEntry@16
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://imail.ashland.com/dwa85W.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1257613010015
DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} - hxxps://imail.ashland.com/dwa85W.cab
DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} - hxxp://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://imail.ashland.com/dwa7W.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 71.242.0.12
TCP: Interfaces\{CF9CA29D-973B-4AE1-90FD-96473A6050EA} : DhcpNameServer = 192.168.1.1 71.242.0.12
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\vito\application data\mozilla\firefox\profiles\vdzajpzg.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?ilc=1
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z133&form=ZGAADF&install_date=20111006&q=
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\vito\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\vito\application data\mozilla\firefox\profiles\vdzajpzg.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nprjplug.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\research in motion limited\blackberry app world browser plugin\npappworld.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]
R1 MpKslc53af401;MpKslc53af401;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2097b7be-d4e0-4b7c-89a7-4b7f3899f3e9}\MpKslc53af401.sys [2012-1-21 29904]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-11 14336]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-10-28 652872]
R2 UnsignedThemes;Unsigned Themes;c:\windows\UnsignedThemesSvc.exe [2009-7-13 21096]
R2 uxpatch;uxpatch;c:\windows\system32\drivers\uxpatch.sys [2009-7-13 25448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-10-28 20464]
RUnknown MpKsl1f70399b;MpKsl1f70399b; [x]
S2 gupdate1ca5da31dcfc10c;Google Update Service (gupdate1ca5da31dcfc10c);c:\program files\google\update\GoogleUpdate.exe [2009-11-4 133104]
S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-11-4 133104]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2009-10-24 360224]
S4 SessionLauncher;SessionLauncher;c:\docume~1\vito\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\vito\locals~1\temp\dx9\SessionLauncher.exe [?]
.
=============== Created Last 30 ================
.
2012-01-21 14:30:31 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2097b7be-d4e0-4b7c-89a7-4b7f3899f3e9}\MpKslc53af401.sys
2012-01-21 13:49:50 6557240 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2097b7be-d4e0-4b7c-89a7-4b7f3899f3e9}\mpengine.dll
2012-01-17 00:26:48 -------- d-----w- c:\program files\Secunia
2012-01-16 18:36:20 -------- d-----w- C:\Folder
2012-01-12 03:19:16 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-12 03:19:16 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-12 03:19:16 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-12 03:19:16 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-03 13:10:44 182672 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-01-03 13:10:44 182672 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-12-24 05:40:59 -------- d-----w- c:\program files\iPod
2011-12-24 05:40:54 -------- d-----w- c:\program files\iTunes
.
==================== Find3M ====================
.
2012-01-16 14:39:21 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-05 16:23:34 22784 ----a-w- c:\windows\system32\drivers\RimUsb.sys
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-25 03:38:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:25:32 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-21 22:38:08 713472 ----a-w- C:\RealPlayer.exe
2011-11-18 12:35:08 60416 ------w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-15 19:29:56 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28:36 386048 ------w- c:\windows\system32\qdvd.dll
2011-11-03 15:28:36 1292288 ------w- c:\windows\system32\quartz.dll
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ------w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ------w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:03 2069376 ------w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 18:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 18:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
============= FINISH: 9:39:35.26 ===============


================
Attach.txt
================
Attached File: attach.zip (5.61KB)


================
GMER
================
Crashed during scan.

================



Update 3: Finished running Kaspersky Rescue CD 10; it found a trojan, Exploit.Java.CVE-2011-3544.dk.

PC still infected though and it's looking like it's a lost cause atm. I'm looking for any ideas. Will reformat in 48 hrs. Will lose some data but the external drive that held most seems to be clean. I'd like to avoid the reformat in order to recover some data, but if there is the chance it is infected I don't want to bring it to a clean reformatted PC.

Edited by Lothior, 21 January 2012 - 04:40 PM.
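The DDS report in the post above is the kind of log a helper reads by hand, scanning the BHO, Run-key and service lines for entries that look out of place. The following Python script is an added example, not code from this thread or from the DDS tool: it parses a handful of lines copied verbatim from that log and applies three triage heuristics (registry entries whose target is "No File", services whose binary DDS marked [x] or [?] or whose start type is RUnknown, and start-up items running from a user-writable location such as Local Settings or Temp). The `Entry` class, the flag names and the choice of "user-writable" path tokens are my assumptions for the example, not anything DDS itself emits.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections of the DDS log posted above.
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {652853ad-5592-4231-88c6-706613a52e61} - No File
TB: {06E58E5E-F8CB-4049-991E-A41C03BD419E} - No File
uRun: [Akamai NetSession Interface] "c:\documents and settings\vito\local settings\application data\akamai\netsession_win.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]
RUnknown MpKsl1f70399b;MpKsl1f70399b; [x]
S4 SessionLauncher;SessionLauncher;c:\docume~1\vito\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\vito\locals~1\temp\dx9\SessionLauncher.exe [?]
"""

# "Kind: rest" lines from the Pseudo HJT section.
ENTRY_RE = re.compile(r"^(BHO|TB|uRun|mRun|dRun|DPF|StartupFolder):\s*(.*)$")
# "<start type> <short name>;<display name>;<binary and status>" service lines.
SERVICE_RE = re.compile(r"^(R[0-4]|S[0-4]|RUnknown)\s+([^;]+);([^;]*);(.*)$")
# A quoted path, or an unquoted one running up to " -->", " [", " - " or end of line.
PATH_RE = re.compile(r'"([a-z]:\\[^"]+)"|([a-z]:\\.+?)(?=\s+-->|\s+\[|\s+-\s|$)', re.I)

# Path fragments an ordinary (non-admin) user can write to; assumption for this
# example. A start-up item or service binary living here deserves a second look.
USER_WRITABLE = ("\\temp\\", "\\locals~1\\", "\\local settings\\")


@dataclass
class Entry:
    kind: str            # BHO, TB, uRun, ... or a service start type (R1, S4, RUnknown)
    name: str
    path: str | None
    flags: list[str] = field(default_factory=list)


def extract_path(text: str) -> str | None:
    """Return the first drive-letter path in the text, lower-cased, or None."""
    m = PATH_RE.search(text)
    if not m:
        return None
    return (m.group(1) or m.group(2)).strip().lower()


def parse_line(line: str) -> Entry | None:
    """Parse one DDS line into an Entry with any triage flags, or None if not recognised."""
    line = line.strip()
    m = SERVICE_RE.match(line)
    if m:
        start, short, _display, rest = m.groups()
        e = Entry(start, short, extract_path(rest))
        if start.lower() == "runknown":
            e.flags.append("unknown-start-type")
        if rest.rstrip().endswith(("[x]", "[?]")):      # DDS could not find/verify the binary
            e.flags.append("binary-missing-or-unverified")
    else:
        m = ENTRY_RE.match(line)
        if not m:
            return None
        kind, rest = m.groups()
        # Name is either "[Run key value name]" or "Display name: {CLSID}".
        name_m = re.match(r"\[([^\]]+)\]|([^:{]+?):\s*\{", rest)
        name = (name_m.group(1) or name_m.group(2)).strip() if name_m else rest.split(" - ")[0]
        e = Entry(kind, name, extract_path(rest))
        if rest.endswith("No File"):                    # registry points at a deleted file
            e.flags.append("orphaned-registry-entry")
    if e.path and any(tok in e.path for tok in USER_WRITABLE):
        e.flags.append("runs-from-user-writable-path")
    return e


def triage(log_text: str) -> list[Entry]:
    """Return only the entries that tripped at least one heuristic, in log order."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e.flags:
            findings.append(e)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<9}{f.name:<40}{', '.join(f.flags)}")
        if f.path:
            print(f"{'':9}{f.path}")
```

A flag is a prompt to look closer, not a verdict. Of the five entries the sample trips, the two "No File" toolbar CLSIDs are just leftovers to clean up, and the Akamai NetSession item is a legitimate per-user download manager that simply installs under the profile; the service whose binary under Temp no longer exists is the one a helper would ask about first.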


#5 sempai (noypi, Malware Response Team)

Posted 22 January 2012 - 06:38 AM

Do you still need help?

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I haven't replied within 48 hours, please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#6 Lothior (Topic Starter, Members)

Posted 22 January 2012 - 07:44 AM

I'd like to know if my PC is clean of viruses; it seems that no matter what scan I run, it detects a new one.

I've, since my previous post, run Kaspersky's Rescue CD 10 and it grabbed a trojan, Exploit.Java.CVE-2011-3544.dk. I let MBAM run overnight and it came up clean (a first). I let the same rescue CD run overnight on the external drive (this is the drive of most importance) and it picked up a trojan.script.iframer. I'm running MBAM on the external drive right now and can post results later.

Problems still exist on the PC. Normal mode Windows is getting worse in terms of speed and some stability. I think my best option is to 1) Rid the PC of any viruses so any files that need to be saved can be, 2) I think I'm left with no other option at that point other than to reformat.

Even if it seems like a waste of time to work on a drive that's destined to be reformatted, the files are what's important.

Therefore any help or advice you can offer on the situation would help tremendously, I've worked on ridding this PC of infections through various means for nearly a week now. And I would like to see it through to completion. If only then to turn around and reformat, but remember, it's the files! The external drive stores all of the important "historical" files shall we say (this drive was mapped as a new My Documents location for a long time). While the PC's main HD holds only a few.

Thank you for taking the time to respond!

#7 sempai
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:16 AM

Posted 22 January 2012 - 09:18 AM

Hi Lothior and welcome to BC.

I do understand your frustrations; the decision whether you want to reformat or not is yours. It's your computer so it's your choice, I will just guide and assist you in the best possible way.

Is it possible for you to back-up all your important files before we begin?

~Semp



#8 Lothior
  • Topic Starter
  • Members
  • 20 posts
  • Local time:06:16 PM

Posted 22 January 2012 - 10:22 AM

Hello and thank you.

I've got a backup solution but I need to go rip a hard drive out of an older PC and install it into this one to free up my external drive. We're working with (on the PC with the virus) a 300GB and an 80GB drive. The 300GB (old My Docs) is virtually entirely full, while the 80GB (C:\) drive is about 3/4 full. So this backup will take some time.

For backing up the C:\ main drive of the laptop, any specific software you would have me use? I can dig around the net for some too if need be. Just seeing if there is a preference.

I must also warn you this whole backup will most likely take over 24hrs. The MBAM scan on the 300GB external drive is still running. So once that finishes I'll post the results, but in the meantime I'll be hoping to back up the C:\ drive.

So:

1) Getting backup drives in place, (ADD) backup the external drive that the laptop backups will be put on
2) Which backup software to use
3) Backing up main C:\ drive
4) Backing up external old My Docs drive (this is just a big copy/paste job)


That's my plan. I'll keep this thread/post updated with any new developments.

Update 1 (1/22) 10:47AM: Hard drives are in place to begin step 1, I'm getting the drive I'm going to use to back up the laptop ready. It will take about 30-45min to move the files.

Edited by Lothior, 22 January 2012 - 10:49 AM.


#9 sempai
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:16 AM

Posted 22 January 2012 - 11:08 AM

Hi,

Don't worry, we're not in a rush here; let's be prepared and try to fix things slowly but surely. I never use any back-up software because I do things manually, but I do recommend Cobian Backup because it is very easy to use and effective.

~Semp



#10 Lothior
  • Topic Starter
  • Members
  • 20 posts
  • Local time:06:16 PM

Posted 22 January 2012 - 11:47 AM

Thanks, I'll get that software installed and the backup of the C:\ drive running ASAP. Will update as new info comes in.

Oh boy, this is all going to have to be run from the Normal desktop, instead of safe mode. It took 20 minutes last time to boot into the normal desktop. >< I will do my best.

Update: Backup has been started on the C:\ drive, still waiting for the external drive to finish the MBAM scan. Then I will back that up as well. [12:22PM 1/22/2012]

Update 2: Backup is about 10-15% done. It is now 3:17PM. Starting to look like this will be at least an overnight job.

Update 3: The MBAM scan on the external drive came back clean. Not totally sure if it's a correct reading or not. I guess by testing the C:\ drive the external drive can be tested at the same time again.

Update 4: The backup of the C:\ drive proceeding as planned. I can't figure out if the right most bar or the second to right bar is the overall progress, because they seem to be moving with each other but are definitely not the same reading. One is Operation Progress, and the other Backup Progress. Right now at about 25% and 33% respectively. Ah the external drive might take two days to backup. I'll see if using the ZIP feature is appropriate. I have plenty of room on the drive I'm backing up to, it might speed things up if I don't zip the external (My Docs) drive.

Side note. I uninstalled Microsoft Security Essentials (the AV the laptop uses) for the time being because it likes to interfere with GMER. And we might (if you think we need to) run it. Strangely I couldn't simply turn off monitoring and then start it again without restarting the PC.

Update 5 (1/23): The backup is only 50% completed. The software has quite a few steps before it even began working on the backup file. But, 50% is 50% further than we were before. Will keep updating.

Update 6: The backup will most likely finish sometime tonight. I didn't realize it, but there was a frequency (under "Schedule" in Cobian) option which defaulted to running daily...so it actually completed the full backup then started a new one at 12:01AM the next day. I changed the setting and once the task finishes that should be the point when I can begin backup of the external "My Docs" drive. From here on out I'm calling it the E:\ drive. I might also add that the Cobian Backup directions page could use an update. Cobian is on version 10 and the directions are for 8, although there is not much difference in the overall program. And it seems the directions had planned to show how to restore, but it is not actually in the directions. Simple enough to figure out I'm sure, but just for consistency's sake.

Edited by Lothior, 23 January 2012 - 10:55 AM.


#11 sempai
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:16 AM

Posted 22 January 2012 - 11:52 AM

:thumbup2:

~Semp



#12 Lothior
  • Topic Starter
  • Members
  • 20 posts
  • Local time:06:16 PM

Posted 24 January 2012 - 07:31 AM

Hm, Cobian Backup failed. It ran for 45hrs and would've kept running but no backup should take that long. In the end all the archives it had created were corrupted. Searching for a new solution. In the meantime I'm going to start the E: drive copying. There are no installed programs on it, just files, so it won't matter how it's backed up; a 1:1 copy is fine.

Update: And to make matters worse the E drive is dying. It gives out that occasional click-click that's been signalling the end of HDs since I was a kid. It, I think/hope, is not too far gone to save the data. I'm going to try to copy all those files like I said while I figure out what went wrong with Cobian; I might re-run Cobian with a few changed options.

Edited by Lothior, 24 January 2012 - 07:43 AM.


#13 sempai
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:16 AM

Posted 24 January 2012 - 08:39 AM

Hi,

This is why in situations like this... I prefer to do back-ups manually. Do you have a lot of important files to back up?

~Semp



#14 Lothior
  • Topic Starter
  • Members
  • 20 posts
  • Local time:06:16 PM

Posted 24 January 2012 - 09:46 AM

The E:\ external drive is all the important files. And that is being copied 1:1 from the external drive to the backup drive I'm using. (This is not my laptop btw, I do the backups manually too -_-). I'm going to then see if I can 1:1 copy the C:\ drive. Even if it's infected...hopefully it can be cleaned (either from the main source or from the backup once the virus has been identified). And if you're asking about how many files there are to back up? The C:\ drive had 1.6 million files...the E:\ drive, possibly that many or more. So yes, there is a LOT of data. I've already told my Dad (whose PC it is) that he shouldn't expect miracles in the form of his data being recovered. But I told him I'll try my best. 33% done on the ext drive backup btw.

Are there any flaws in my thinking of the backups? Like possible reinfection, etc?

There is also the thing to consider that the cleaning of the virus is ONLY so that the files can be saved and copied over after the PC is reformatted. Because the Windows installation is really nearing the point of self-destruction. Whether by the virus or other causes I'm not sure. I'm 100% convinced this PC will need a reformat. And while I could do that now and save all the time, trouble, etc of troubleshooting the virus I'd really appreciate it if we could try to tackle the virus so I can save the files I need to get saved.

Edited by Lothior, 24 January 2012 - 09:49 AM.


#15 sempai
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:16 AM

Posted 24 January 2012 - 09:55 AM

Yes, that is why you should not back up any programs/applications/installers like .exe, .scr, .htm, .html, .xml, .zip/.rar files unless you're 100% sure that they are clean...The reason for this is that these files may be infected also, or be the source of the current infection. If you copy them back after the reinstallation of the OS, it will surely re-infect you.

~Semp

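As an added illustration of the advice in sempai's post above (this is example code, not from the thread and not part of Cobian Backup or any tool named here): a small selective-copy script that walks a source tree, leaves behind every file whose extension is on the skip list from that post, records a SHA-256 manifest of what it did copy so the restore can be checked later, and lists what it skipped for the user to review by hand. The sample "E_MyDocs" tree it builds in a temporary directory is constructed for the demo; point `selective_backup` at a real source and destination to use it for an actual copy.

```python
"""Selective file backup that skips file types which may carry or re-seed an
infection. Added example, not from the BleepingComputer thread or any tool it
names. The source/destination paths and the sample tree are constructed."""
import hashlib
import os
import shutil
import tempfile

# Extensions sempai advises leaving out of a backup taken from an infected
# machine (the .zip/.rar entries are archives that may contain any of the rest).
RISKY_EXTENSIONS = frozenset({
    ".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar",
})


def is_risky(filename):
    """True when the file's extension is on the skip list. The comparison is
    case-insensitive so SETUP.EXE is caught as well as setup.exe."""
    _, ext = os.path.splitext(filename)
    return ext.lower() in RISKY_EXTENSIONS


def sha256_of(path):
    """Stream a file through SHA-256 in 64 KiB chunks (large files fit in RAM)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def selective_backup(src_root, dst_root):
    """Copy every non-risky file from src_root to dst_root, preserving the
    directory layout. Returns (manifest, skipped): manifest maps each copied
    relative path to its SHA-256 so the copy can be verified later; skipped
    lists the relative paths left behind for the user to review."""
    manifest, skipped = {}, []
    for dirpath, _dirnames, filenames in os.walk(src_root):
        rel_dir = os.path.relpath(dirpath, src_root)
        for name in filenames:
            rel_path = os.path.normpath(os.path.join(rel_dir, name))
            if is_risky(name):
                skipped.append(rel_path)
                continue
            dst = os.path.join(dst_root, rel_path)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(os.path.join(dirpath, name), dst)  # copy2 keeps timestamps
            manifest[rel_path] = sha256_of(dst)
    return manifest, skipped


def verify_backup(dst_root, manifest):
    """Re-hash the copies and return the relative paths whose content no longer
    matches the manifest (an empty list means the backup is intact)."""
    bad = []
    for rel_path, digest in manifest.items():
        path = os.path.join(dst_root, rel_path)
        if not os.path.exists(path) or sha256_of(path) != digest:
            bad.append(rel_path)
    return bad


def demo():
    """Build a constructed sample 'My Docs' tree, back it up, verify, clean up."""
    work = tempfile.mkdtemp(prefix="backup_demo_")
    src = os.path.join(work, "E_MyDocs")
    dst = os.path.join(work, "Backup")
    sample = {  # constructed files; contents are placeholders, not real data
        "letters/2011/rent.docx": b"dear landlord",
        "photos/xmas.jpg": b"\xff\xd8\xff\xe0 placeholder jpeg bytes",
        "downloads/setup.EXE": b"MZ placeholder, not a real program",
        "web/saved_page.html": b"<html>saved page</html>",
        "downloads/old_docs.zip": b"PK\x03\x04 placeholder archive",
    }
    for rel, data in sample.items():
        path = os.path.join(src, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    manifest, skipped = selective_backup(src, dst)
    problems = verify_backup(dst, manifest)
    shutil.rmtree(work)
    return sorted(manifest), sorted(skipped), problems


if __name__ == "__main__":
    copied, skipped, problems = demo()
    print("copied :", copied)
    print("skipped:", skipped)
    print("verify :", "ok" if not problems else problems)
```

The skipped list is the useful output from a cleanup point of view: it tells you exactly which executables, saved web pages and archives were left on the old drive, so they can be scanned individually (or simply abandoned) rather than silently carried over to the freshly installed system. The manifest gives you a way to confirm, after the reinstall, that what you restored is byte-for-byte what you copied.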
