Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser Hijacked with Datingpuma.com


  • This topic is locked This topic is locked
25 replies to this topic

#1 Smiley79

Smiley79

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:07:31 AM

Posted 26 January 2012 - 06:32 PM

For any Google search that's done, any result that is clicked on redirects to "Datingpuma.com" instead of the desired search result. Also with Anti-Malware's malicious website protection activated, a website address is constantly being blocked.

I was unable to create the DDS files. The program would run and complete, but would not create any log files (from within Windows or safe mode). I attached the GMER log.

Attached Files

  • Attached File  ark.txt   660bytes   2 downloads


BC AdBot (Login to Remove)

 


#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:08:31 AM

Posted 27 January 2012 - 09:39 AM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. :)

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days
    failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.
____________________________________________________

IT looks like you maybe infected with a rootkit.

Lets run some scans to check for them.


Running aswMBR.exe

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it Click the "Scan" button to start scan

Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply

Posted Image



NEXT:



Running OTL

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized


NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. aswMBR.exe log file.
3. OTL & Extras.txt logs.
4. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 Smiley79

Smiley79
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:07:31 AM

Posted 30 January 2012 - 07:13 AM

1. I had one quick question. Is it alright to run these tools in Safe Mode? If not, I'll have to run them again.

2.
aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-01-30 05:50:43
-----------------------------
05:50:43.484 OS Version: Windows 5.1.2600 Service Pack 3
05:50:43.484 Number of processors: 1 586 0x209
05:50:43.531 ComputerName: NONE-77E94F5610 UserName: Jonah
05:50:46.437 Initialize success
05:51:11.437 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
05:51:11.453 Disk 0 Vendor: WDC_WD400BB-75DEA0 05.03E05 Size: 38146MB BusType: 3
05:51:11.484 Device \Driver\atapi -> DriverStartIo 82a7d2e0
05:51:11.515 Disk 0 MBR read successfully
05:51:11.546 Disk 0 MBR scan
05:51:11.562 Disk 0 Windows XP default MBR code found via API
05:51:11.578 Disk 0 unknown MBR code
05:51:11.593 Disk 0 MBR hidden
05:51:11.625 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38138 MB offset 63
05:51:11.640 Disk 0 MBR [possible unknown bootkit@MBR] **ROOTKIT**
05:51:11.656 Disk 0 trace - called modules:
05:51:11.687 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82a7d4c0]<<
05:51:11.703 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82b8aab8]
05:51:11.734 3 CLASSPNP.SYS[f85b6fd7] -> nt!IofCallDriver -> [0x82ba8e80]
05:51:13.609 \Driver\atapi[0x82b2dbb8] -> IRP_MJ_CREATE -> 0x82a7d4c0
05:51:13.718 Scan finished successfully
05:51:51.218 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jonah\Desktop\MBR.dat"
05:51:51.281 The log file has been saved successfully to "C:\Documents and Settings\Jonah\Desktop\aswMBR.txt"



3. OTL.log

OTL logfile created on: 1/30/2012 5:52:35 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Jonah\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.98 Mb Total Physical Memory | 91.28 Mb Available Physical Memory | 17.86% Memory free
1.93 Gb Paging File | 1.26 Gb Available in Paging File | 65.23% Paging File free
Paging file location(s): C:\pagefile.sys 1500 2000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 14.73 Gb Free Space | 39.56% Space Free | Partition Type: NTFS

Computer Name: NONE-77E94F5610 | User Name: Jonah | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/30 05:50:21 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jonah\Desktop\OTL.exe
PRC - [2012/01/20 14:04:56 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/01/20 14:04:49 | 002,124,760 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/11/06 11:23:33 | 008,522,400 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2009/08/27 06:50:02 | 000,190,976 | ---- | M] () -- C:\WINDOWS\system32\WgaLogon.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/12/24 17:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2011/02/24 20:08:34 | 000,566,688 | ---- | M] (Affinegy, Inc.) [Auto | Stopped] -- C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe -- (AffinegyService)
SRV - [2011/01/27 15:13:50 | 000,226,624 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe -- (MotoHelper)
SRV - [2008/11/09 14:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/02/08 16:50:33 | 000,537,520 | ---- | M] ( ) [Auto | Stopped] -- C:\WINDOWS\System32\lxczcoms.exe -- (lxcz_device)


========== Driver Services (SafeList) ==========

DRV - [2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/02/15 12:17:12 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AFGSp50.sys -- (AFGSp50)
DRV - [2010/12/03 14:03:08 | 000,020,352 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgp.sys -- (motccgp)
DRV - [2010/09/29 17:13:46 | 000,024,064 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2010/09/02 16:49:06 | 000,013,312 | ---- | M] (June Fabrics Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pneteth.sys -- (pneteth)
DRV - [2010/04/01 13:31:50 | 000,023,424 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Motousbnet.sys -- (Motousbnet)
DRV - [2010/01/25 18:56:44 | 000,009,472 | ---- | M] (Motorola Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motusbdevice.sys -- (motusbdevice)
DRV - [2009/01/29 16:18:00 | 000,008,320 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgpfl.sys -- (motccgpfl)
DRV - [2009/01/29 16:11:20 | 000,006,016 | ---- | M] (Motorola Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motfilt.sys -- (BTCFilterService)
DRV - [2008/04/13 12:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007/11/02 14:51:30 | 000,006,400 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motswch.sys -- (MotoSwitchService)
DRV - [2006/11/02 06:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2003/09/22 11:43:06 | 001,330,048 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\P16X.sys -- (P16X) Creative SB Live! Series (WDM)
DRV - [2003/09/22 07:48:06 | 000,130,192 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2003/09/22 07:47:38 | 000,178,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2003/08/29 04:59:24 | 001,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMSM.sys -- (BCMModem)
DRV - [2003/03/05 11:19:28 | 000,015,840 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\PFMODNT.SYS -- (PfModNT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-329068152-1580818891-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.courierpress.com/
IE - HKU\S-1-5-21-329068152-1580818891-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "BearShare Web Search"
FF - prefs.js..browser.search.order.1: "BearShare Web Search"
FF - prefs.js..browser.search.order.2: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.courierpress.com/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {66C295A2-E753-4EFB-A01D-AEB5276436DE}:1.9.1
FF - prefs.js..extensions.enabledItems: {8C074AA7-95A1-4946-92BC-F185D8ABD107}:1.9.1
FF - prefs.js..extensions.enabledItems: {88c7f2aa-f93f-432c-8f0e-b7d85967a527}:3.3.3.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: engine@conduit.com:3.3.3.2
FF - prefs.js..keyword.URL: "chrome://browser-region/locale/region.properties"


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=1.1.3: C:\Program Files\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{66C295A2-E753-4EFB-A01D-AEB5276436DE}: C:\Documents and Settings\Mom and Dad\Local Settings\Application Data\{66C295A2-E753-4EFB-A01D-AEB5276436DE} [2010/09/11 01:03:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{8C074AA7-95A1-4946-92BC-F185D8ABD107}: C:\Documents and Settings\Marvin\Local Settings\Application Data\{8C074AA7-95A1-4946-92BC-F185D8ABD107} [2010/09/13 08:41:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/20 14:05:00 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/10 09:20:10 | 000,000,000 | ---D | M]

[2010/11/01 14:09:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jonah\Application Data\Mozilla\Extensions
[2010/09/03 14:52:41 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jonah\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2012/01/25 13:17:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jonah\Application Data\Mozilla\Firefox\Profiles\e6ubn7uh.default\extensions
[2011/04/04 07:34:06 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Jonah\Application Data\Mozilla\Firefox\Profiles\e6ubn7uh.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/06/06 07:23:50 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Jonah\Application Data\Mozilla\Firefox\Profiles\e6ubn7uh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2012/01/25 13:17:05 | 000,000,000 | ---D | M] (BitTorrentBar Community Toolbar) -- C:\Documents and Settings\Jonah\Application Data\Mozilla\Firefox\Profiles\e6ubn7uh.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
[2011/07/18 10:06:45 | 000,000,000 | ---D | M] ("Free YouTube Download (Free Studio) Menu") -- C:\Documents and Settings\Jonah\Application Data\Mozilla\Firefox\Profiles\e6ubn7uh.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
[2011/08/25 08:34:14 | 000,000,000 | ---D | M] (Yontoo Layers) -- C:\Documents and Settings\Jonah\Application Data\Mozilla\Firefox\Profiles\e6ubn7uh.default\extensions\plugin@yontoo.com
[2010/09/03 14:53:47 | 000,002,425 | ---- | M] () -- C:\Documents and Settings\Jonah\Application Data\Mozilla\Firefox\Profiles\e6ubn7uh.default\searchplugins\askcom.xml
[2010/09/14 06:41:12 | 000,002,506 | ---- | M] () -- C:\Documents and Settings\Jonah\Application Data\Mozilla\Firefox\Profiles\e6ubn7uh.default\searchplugins\BearShareWebSearch.xml
[2010/10/19 13:19:29 | 000,001,919 | ---- | M] () -- C:\Documents and Settings\Jonah\Application Data\Mozilla\Firefox\Profiles\e6ubn7uh.default\searchplugins\bing-zugo.xml
[2012/01/20 14:05:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
() (No name found) -- C:\DOCUMENTS AND SETTINGS\JONAH\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\E6UBN7UH.DEFAULT\EXTENSIONS\COMPATIBILITY@ADDONS.MOZILLA.ORG.XPI
[2012/01/20 14:04:58 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/09/14 06:41:12 | 000,002,506 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\BearShareWebSearch.xml
[2012/01/20 14:04:38 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/01/20 14:04:38 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2010/08/20 12:44:06 | 000,000,781 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 mpa.one.microsoft.com
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (MediaBar) - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\PROGRA~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (UrlHelper Class) - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:\PROGRA~1\BEARSH~1\MediaBar\Datamngr\IEBHO.dll File not found
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O2 - BHO: (Yontoo Layers) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers\YontooIEClient.dll (Yontoo LLC)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (MediaBar) - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\PROGRA~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll File not found
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-329068152-1580818891-725345543-1005\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKU\S-1-5-21-329068152-1580818891-725345543-1005..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil11c_Plugin.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\Marvin\Start Menu\Programs\Startup\LimeWire On Startup.lnk = File not found
F3 - HKU\.DEFAULT WinNT: Load - (C:\WINDOWS\Temp\{87776~1.EXE) - File not found
F3 - HKU\S-1-5-18 WinNT: Load - (C:\WINDOWS\Temp\{87776~1.EXE) - File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-329068152-1580818891-725345543-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-329068152-1580818891-725345543-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 0
O8 - Extra context menu item: Free YouTube Download - C:\Documents and Settings\Jonah\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm ()
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Documents and Settings\Jonah\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm ()
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html File not found
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1282330085093 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1282330123328 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - (WgaLogon.dll) - C:\WINDOWS\System32\WgaLogon.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\Jonah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jonah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/08/20 05:39:09 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/30 05:47:43 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jonah\Desktop\OTL.exe
[2012/01/30 05:36:59 | 004,733,440 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Jonah\Desktop\aswMBR.exe
[2012/01/26 13:03:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2012/01/25 13:35:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jonah\Desktop\gmer
[2012/01/25 13:20:14 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Jonah\Desktop\dds.scr
[2011/07/27 11:45:25 | 001,224,704 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczserv.dll
[2011/07/27 11:45:25 | 000,991,232 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczusb1.dll
[2011/07/27 11:45:25 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczinpa.dll
[2011/07/27 11:45:25 | 000,397,312 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcziesc.dll
[2011/07/27 11:45:25 | 000,323,584 | ---- | C] ( ) -- C:\WINDOWS\System32\LXCZhcp.dll
[2011/07/27 11:45:24 | 000,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczpmui.dll
[2011/07/27 11:45:24 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczlmpm.dll
[2011/07/27 11:45:24 | 000,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczprox.dll
[2011/07/27 11:45:24 | 000,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczpplc.dll
[2011/07/27 11:45:23 | 000,696,320 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczhbn3.dll
[2011/07/27 11:45:23 | 000,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczcomc.dll
[2011/07/27 11:45:23 | 000,537,520 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczcoms.exe
[2011/07/27 11:45:23 | 000,421,888 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczcomm.dll
[2011/07/27 11:45:23 | 000,385,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczih.exe
[2011/07/27 11:45:22 | 000,381,872 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczcfg.exe
[2010/08/20 12:26:47 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/30 05:51:51 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Jonah\Desktop\MBR.dat
[2012/01/30 05:50:27 | 004,733,440 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Jonah\Desktop\aswMBR.exe
[2012/01/30 05:50:21 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jonah\Desktop\OTL.exe
[2012/01/30 05:44:54 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/01/30 05:33:57 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/01/30 05:28:37 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/30 05:28:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/26 16:32:10 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/01/26 01:32:13 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/01/25 19:57:03 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\MotoHelper MUM.job
[2012/01/25 19:57:03 | 000,000,354 | ---- | M] () -- C:\WINDOWS\tasks\MotoHelper Routing.job
[2012/01/25 19:57:02 | 000,000,370 | ---- | M] () -- C:\WINDOWS\tasks\MotoHelper Update.job
[2012/01/25 13:20:57 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\Jonah\Desktop\gmer.zip
[2012/01/25 13:20:24 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Jonah\Desktop\dds.scr
[2012/01/25 13:19:35 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Jonah\defogger_reenable
[2012/01/25 13:19:06 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Jonah\Desktop\Defogger.exe
[2012/01/25 13:09:03 | 000,186,097 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2012/01/22 10:25:33 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/19 20:26:15 | 000,000,441 | ---- | M] () -- C:\WINDOWS\Lexstat.ini
[2012/01/11 23:22:24 | 000,505,542 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/01/11 23:22:24 | 000,089,006 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/30 05:51:51 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Jonah\Desktop\MBR.dat
[2012/01/25 13:20:45 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\Jonah\Desktop\gmer.zip
[2012/01/25 13:19:35 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jonah\defogger_reenable
[2012/01/25 13:18:42 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Jonah\Desktop\Defogger.exe
[2012/01/22 10:25:33 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2011/11/24 16:32:56 | 000,000,240 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~QSgDbcCWoDoYcYr
[2011/11/24 16:32:55 | 000,000,312 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~QSgDbcCWoDoYcY
[2011/11/24 16:32:35 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QSgDbcCWoDoYcY
[2011/11/18 23:57:08 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1VklUEKnysnV8C
[2011/07/27 12:04:47 | 000,302,592 | ---- | C] () -- C:\WINDOWS\System32\pgp.dll
[2011/07/27 12:04:47 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\keydb.dll
[2011/07/27 12:04:47 | 000,070,656 | ---- | C] () -- C:\WINDOWS\System32\simple.dll
[2011/07/27 12:04:47 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\bn.dll
[2011/07/27 12:03:01 | 000,095,232 | ---- | C] () -- C:\WINDOWS\System32\LFKODAK.DLL
[2011/07/27 12:03:00 | 000,306,688 | ---- | C] () -- C:\WINDOWS\System32\LFFPX7.DLL
[2011/07/27 12:02:54 | 001,483,776 | ---- | C] () -- C:\WINDOWS\MGXRDR32.DLL
[2011/07/27 12:00:57 | 000,079,872 | ---- | C] () -- C:\WINDOWS\System32\lex_psu.exe
[2011/07/27 12:00:55 | 000,328,704 | ---- | C] () -- C:\WINDOWS\System32\dosfnt32.dll
[2011/07/27 12:00:55 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\ldepcl32.dll
[2011/07/27 11:48:41 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\LXPRMON.DLL
[2011/07/27 11:48:41 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXPMONUI.DLL
[2011/07/27 11:46:41 | 000,344,064 | ---- | C] () -- C:\WINDOWS\System32\lxczcoin.dll
[2011/07/27 11:46:41 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxczvs.dll
[2011/07/27 11:46:28 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\lxczcnv4.dll
[2011/07/27 11:45:25 | 000,413,696 | ---- | C] () -- C:\WINDOWS\System32\lxczutil.dll
[2011/07/27 11:45:25 | 000,274,432 | ---- | C] () -- C:\WINDOWS\System32\LXCZinst.dll
[2011/06/07 12:27:04 | 000,000,168 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~20438820r
[2011/06/07 12:27:04 | 000,000,144 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~20438820
[2011/06/07 12:26:53 | 000,000,400 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\20438820
[2010/09/20 16:03:39 | 000,021,504 | ---- | C] () -- C:\Documents and Settings\Jonah\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/11 01:03:39 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Vminisequpalirik.bin
[2010/09/11 01:03:36 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Udutiten.dat
[2010/09/10 14:27:51 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/09/06 21:58:40 | 000,000,441 | ---- | C] () -- C:\WINDOWS\Lexstat.ini
[2010/09/03 19:30:33 | 000,039,899 | R--- | C] () -- C:\WINDOWS\System32\rtsicis.ini
[2010/08/20 12:39:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/08/20 12:27:11 | 000,000,066 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2010/08/20 12:26:47 | 000,047,616 | ---- | C] () -- C:\WINDOWS\System32\P16X.dll
[2010/08/20 12:26:47 | 000,002,696 | ---- | C] () -- C:\WINDOWS\MIXDEF.INI
[2010/08/20 12:26:47 | 000,002,516 | ---- | C] () -- C:\WINDOWS\System32\P16X.ini
[2010/08/20 12:26:47 | 000,000,026 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2010/08/20 05:42:48 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/08/20 05:35:42 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/08/20 00:28:16 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/08/20 00:26:59 | 000,305,216 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/08/03 14:07:42 | 000,667,136 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/03/10 21:18:14 | 000,414,208 | ---- | C] () -- C:\WINDOWS\System32\WgaTray.exe
[2009/03/10 21:18:00 | 000,190,976 | ---- | C] () -- C:\WINDOWS\System32\WgaLogon.dll
[2008/05/16 13:01:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/05/16 13:01:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2008/05/16 13:01:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/05/16 13:01:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2008/05/16 13:01:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/06/07 12:23:04 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\lxczcnv7.dll
[2006/03/07 10:59:04 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\lxczcnv6.dll
[2006/01/10 16:11:05 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\lxczcnv5.dll
[2004/08/04 00:07:22 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/02 13:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2003/07/28 14:19:00 | 001,630,208 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2003/07/28 14:19:00 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2003/07/28 14:19:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2003/07/28 14:19:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2001/08/23 06:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 06:00:00 | 000,505,542 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 06:00:00 | 000,089,006 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 06:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

< End of report >


"extras.log"
OTL Extras logfile created on: 1/30/2012 5:52:35 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Jonah\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.98 Mb Total Physical Memory | 91.28 Mb Available Physical Memory | 17.86% Memory free
1.93 Gb Paging File | 1.26 Gb Available in Paging File | 65.23% Paging File free
Paging file location(s): C:\pagefile.sys 1500 2000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 14.73 Gb Free Space | 39.56% Space Free | Partition Type: NTFS

Computer Name: NONE-77E94F5610 | User Name: Jonah | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-329068152-1580818891-725345543-1005\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
"80:TCP" = 80:TCP:*:Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\BearShare Applications\BearShare\BearShare.exe" = C:\Program Files\BearShare Applications\BearShare\BearShare.exe:*:Enabled:BearShare
"C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe" = C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe:LocalSubNet:Enabled:Belkin Setup -- (Affinegy, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\lxczcoms.exe" = C:\WINDOWS\system32\lxczcoms.exe:*:Enabled:1200 Series Server -- ( )
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Documents and Settings\Jonah\My Documents\Downloads\AudioConverter_Setup.exe" = C:\Documents and Settings\Jonah\My Documents\Downloads\AudioConverter_Setup.exe:*:Enabled:Audio Converter
"C:\Program Files\BitTorrent\BitTorrent.exe" = C:\Program Files\BitTorrent\BitTorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe" = C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe:LocalSubNet:Enabled:Belkin Setup -- (Affinegy, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{1266764D-FC4F-4FA7-B63B-884D53B1680F}" = NetAssistant
"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 2.6.1
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java™ 6 Update 26
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{32A3A4F4-B792-11D6-A78A-00B0D0160230}" = Java™ SE Development Kit 6 Update 23
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{730E03E4-350E-48E5-9D3E-4329903D454D}" = Itibiti RTC
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" = Yontoo Layers 1.10.01
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{94CAC2F1-C856-47F4-AF24-65A1E75AEDB9}" = MotoHelper MergeModules
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{96E16100-A77F-4B31-B9AD-FFBA040EE1BD}" = Sound Blaster Live!
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{c6c214df-2922-4809-94aa-f4d67d4451ec}" = Music Oasis
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{FB29B583-945C-4094-BB4B-3A405574C560}" = Motorola Mobile Drivers Installation 5.0.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"BCM V.92 56K Modem" = BCM V.92 56K Modem
"Belkin Setup and Router Monitor_is1" = Belkin Setup and Router Monitor
"BitTorrent" = BitTorrent
"CCleaner" = CCleaner
"CreataCard Special Edition - Lexmark 2" = CreataCard Special Edition - Lexmark 2
"Doxillion" = Doxillion Document Converter
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ExpressBurn" = Express Burn Disc Burning Software
"ExpressRip" = Express Rip
"Free Audio CD Burner_is1" = Free Audio CD Burner version 1.4.7
"Free YouTube Download_is1" = Free YouTube Download version 2.10.30
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.10.1.715
"ie8" = Windows Internet Explorer 8
"Lexmark 1200 Series" = Lexmark 1200 Series
"Lexmark Fax Solutions" = Lexmark Fax Solutions
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Security Client" = Microsoft Security Essentials
"MotoHelper" = MotoHelper 2.0.45 Driver 5.0.0
"Mozilla Firefox 9.0.1 (x86 en-US)" = Mozilla Firefox 9.0.1 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Drivers" = NVIDIA Drivers
"Prism" = Prism Video Converter
"PROSet" = Intel® PRO Network Connections Drivers
"Search Toolbar" = Search Toolbar
"Switch" = Switch Sound File Converter
"Uninstall_is1" = Uninstall 1.0.0.1
"VideoPad" = VideoPad Video Editor
"VLC media player" = VLC media player 1.1.3
"WavePad" = WavePad Sound Editor
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WindowsDraw6" = Micrografx Windows Draw 6 LE
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/25/2012 2:45:41 PM | Computer Name = NONE-77E94F5610 | Source = Microsoft Security Client | ID = 5000
Description =

Error - 1/25/2012 2:46:26 PM | Computer Name = NONE-77E94F5610 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8007043c, P2 beginsearch, P3 search, P4
3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 1/25/2012 2:46:31 PM | Computer Name = NONE-77E94F5610 | Source = Microsoft Security Client | ID = 5000
Description =

Error - 1/25/2012 3:38:27 PM | Computer Name = NONE-77E94F5610 | Source = Application Error | ID = 1000
Description = Faulting application gmer.exe, version 1.0.15.15641, faulting module
gmer.exe, version 1.0.15.15641, fault address 0x0000c676.

Error - 1/25/2012 3:39:58 PM | Computer Name = NONE-77E94F5610 | Source = Application Hang | ID = 1002
Description = Hanging application gmer.exe, version 1.0.15.15641, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/25/2012 3:40:32 PM | Computer Name = NONE-77E94F5610 | Source = Application Hang | ID = 1002
Description = Hanging application gmer.exe, version 1.0.15.15641, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/26/2012 3:03:23 PM | Computer Name = NONE-77E94F5610 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 1/26/2012 3:08:04 PM | Computer Name = NONE-77E94F5610 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 1/26/2012 7:12:28 PM | Computer Name = NONE-77E94F5610 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8007043c, P2 beginsearch, P3 search, P4
3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 1/30/2012 7:42:02 AM | Computer Name = NONE-77E94F5610 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8007043c, P2 beginsearch, P3 search, P4
3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

[ Application Events ]
Error - 1/25/2012 2:45:41 PM | Computer Name = NONE-77E94F5610 | Source = Microsoft Security Client | ID = 5000
Description =

Error - 1/25/2012 2:46:26 PM | Computer Name = NONE-77E94F5610 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8007043c, P2 beginsearch, P3 search, P4
3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 1/25/2012 2:46:31 PM | Computer Name = NONE-77E94F5610 | Source = Microsoft Security Client | ID = 5000
Description =

Error - 1/25/2012 3:38:27 PM | Computer Name = NONE-77E94F5610 | Source = Application Error | ID = 1000
Description = Faulting application gmer.exe, version 1.0.15.15641, faulting module
gmer.exe, version 1.0.15.15641, fault address 0x0000c676.

Error - 1/25/2012 3:39:58 PM | Computer Name = NONE-77E94F5610 | Source = Application Hang | ID = 1002
Description = Hanging application gmer.exe, version 1.0.15.15641, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/25/2012 3:40:32 PM | Computer Name = NONE-77E94F5610 | Source = Application Hang | ID = 1002
Description = Hanging application gmer.exe, version 1.0.15.15641, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/26/2012 3:03:23 PM | Computer Name = NONE-77E94F5610 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 1/26/2012 3:08:04 PM | Computer Name = NONE-77E94F5610 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 1/26/2012 7:12:28 PM | Computer Name = NONE-77E94F5610 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8007043c, P2 beginsearch, P3 search, P4
3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 1/30/2012 7:42:02 AM | Computer Name = NONE-77E94F5610 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8007043c, P2 beginsearch, P3 search, P4
3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

[ Application Events ]
Error - 1/25/2012 2:45:41 PM | Computer Name = NONE-77E94F5610 | Source = Microsoft Security Client | ID = 5000
Description =

Error - 1/25/2012 2:46:26 PM | Computer Name = NONE-77E94F5610 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8007043c, P2 beginsearch, P3 search, P4
3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 1/25/2012 2:46:31 PM | Computer Name = NONE-77E94F5610 | Source = Microsoft Security Client | ID = 5000
Description =

Error - 1/25/2012 3:38:27 PM | Computer Name = NONE-77E94F5610 | Source = Application Error | ID = 1000
Description = Faulting application gmer.exe, version 1.0.15.15641, faulting module
gmer.exe, version 1.0.15.15641, fault address 0x0000c676.

Error - 1/25/2012 3:39:58 PM | Computer Name = NONE-77E94F5610 | Source = Application Hang | ID = 1002
Description = Hanging application gmer.exe, version 1.0.15.15641, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/25/2012 3:40:32 PM | Computer Name = NONE-77E94F5610 | Source = Application Hang | ID = 1002
Description = Hanging application gmer.exe, version 1.0.15.15641, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/26/2012 3:03:23 PM | Computer Name = NONE-77E94F5610 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 1/26/2012 3:08:04 PM | Computer Name = NONE-77E94F5610 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 1/26/2012 7:12:28 PM | Computer Name = NONE-77E94F5610 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8007043c, P2 beginsearch, P3 search, P4
3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 1/30/2012 7:42:02 AM | Computer Name = NONE-77E94F5610 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8007043c, P2 beginsearch, P3 search, P4
3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

[ System Events ]
Error - 1/26/2012 7:12:27 PM | Computer Name = NONE-77E94F5610 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 1/26/2012 7:12:27 PM | Computer Name = NONE-77E94F5610 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 1/26/2012 7:12:27 PM | Computer Name = NONE-77E94F5610 | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.119.564.0 Update Source: %%859 Update Stage:
%%852 Source Path: Default URL Signature Type: %%800 Update Type: %%803 User: NT AUTHORITY\SYSTEM

Current
Engine Version: Previous Engine Version: 1.1.8001.0 Error code: 0x8007043c Error
description: This service cannot be started in Safe Mode

Error - 1/26/2012 7:20:25 PM | Computer Name = NONE-77E94F5610 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/26/2012 7:49:56 PM | Computer Name = NONE-77E94F5610 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/30/2012 7:30:11 AM | Computer Name = NONE-77E94F5610 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips intelppm MpFilter

Error - 1/30/2012 7:31:01 AM | Computer Name = NONE-77E94F5610 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/30/2012 7:41:20 AM | Computer Name = NONE-77E94F5610 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 1/30/2012 7:41:21 AM | Computer Name = NONE-77E94F5610 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 1/30/2012 7:41:23 AM | Computer Name = NONE-77E94F5610 | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.119.564.0 Update Source: %%859 Update Stage:
%%852 Source Path: Default URL Signature Type: %%800 Update Type: %%803 User: NT AUTHORITY\SYSTEM

Current
Engine Version: Previous Engine Version: 1.1.8001.0 Error code: 0x8007043c Error
description: This service cannot be started in Safe Mode

[ System Events ]
Error - 1/26/2012 7:12:27 PM | Computer Name = NONE-77E94F5610 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 1/26/2012 7:12:27 PM | Computer Name = NONE-77E94F5610 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 1/26/2012 7:12:27 PM | Computer Name = NONE-77E94F5610 | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.119.564.0 Update Source: %%859 Update Stage:
%%852 Source Path: Default URL Signature Type: %%800 Update Type: %%803 User: NT AUTHORITY\SYSTEM

Current
Engine Version: Previous Engine Version: 1.1.8001.0 Error code: 0x8007043c Error
description: This service cannot be started in Safe Mode

Error - 1/26/2012 7:20:25 PM | Computer Name = NONE-77E94F5610 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/26/2012 7:49:56 PM | Computer Name = NONE-77E94F5610 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/30/2012 7:30:11 AM | Computer Name = NONE-77E94F5610 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips intelppm MpFilter

Error - 1/30/2012 7:31:01 AM | Computer Name = NONE-77E94F5610 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/30/2012 7:41:20 AM | Computer Name = NONE-77E94F5610 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 1/30/2012 7:41:21 AM | Computer Name = NONE-77E94F5610 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 1/30/2012 7:41:23 AM | Computer Name = NONE-77E94F5610 | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.119.564.0 Update Source: %%859 Update Stage:
%%852 Source Path: Default URL Signature Type: %%800 Update Type: %%803 User: NT AUTHORITY\SYSTEM

Current
Engine Version: Previous Engine Version: 1.1.8001.0 Error code: 0x8007043c Error
description: This service cannot be started in Safe Mode


< End of report >

4. The computer is running pretty much the same as before. Very sluggish, can't do Google searches without being redirected, constant website blocks by Malwarebytes' Anti-Malware (when in normal Windows mode).

#4 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:08:31 AM

Posted 31 January 2012 - 01:38 AM

Hi Smiley79!

1. I had one quick question. Is it alright to run these tools in Safe Mode? If not, I'll have to run them again.

If you're only able to boot up into Safe Mode right now, then yes, it's fine that you're running these tools from there.

Please run these scans for me:

WVCheck

WVCheck
Please download WVCheck from Artellos.com.
  • Double click WVCheck.exe. (If you downloaded the zipped version you will need to extract it.)
  • As indicated by the prompt, This program can take a while depending on your hard drive space.
  • Once the program is done, copy the contents of the notepad file as a reply.


NEXT:



Running MGA Diagnostic
Please run the MGA Diagnostic Tool and post back the report it creates:
  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#5 Smiley79

Smiley79
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:07:31 AM

Posted 31 January 2012 - 07:22 AM

1. WVCheck

Windows Validation Check
Version: 1.9.12.5
Log Created On: 0532_31-01-2012
-----------------------

Windows Information
-----------------------
Windows Version: Windows XP Service Pack 3
Windows Mode: Normal
Systemroot Path: C:\WINDOWS

WVCheck's Auto Update Check
-----------------------
Auto-Update Option: Download updates and install them automatically.
-----------------------
Last Success Time for Update Detection: 2012-01-25 19:17:11
Last Success Time for Update Download: 2012-01-12 02:28:29
Last Success Time for Update Installation: 2012-01-12 05:32:44


WVCheck's Registry Check Check
-----------------------
Antiwpa: Not Found
-----------------------
Chew7Hale: Not Found
-----------------------


WVCheck's File Dump
-----------------------
WVCheck found no known bad files.


WVCheck's Dir Dump
-----------------------
WVCheck found no known bad directories.


WVCheck's Missing File Check
-----------------------
WVCheck found no missing Windows files.


WVCheck's MBAM Quarantine Check
-----------------------
There were no bad files quarantined by MBAM.


WVCheck's HOSTS File Check
-----------------------
Line: 127.0.0.1 mpa.one.microsoft.com
Matched: *microsoft.com*
-----------------------


WVCheck's MD5 Check
EXPERIMENTAL!!
-----------------------
user32.dll - b26b135ff1b9f60c9388b4a7d16f600b


-------- End of File, program close at 0558_31-01-2012 --------



2. MGADiag

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-PFDX7-JPBKK-VGWBQ
Windows Product Key Hash: 5Js0/R4YptjlPJmh5prbSdgKXEA=
Windows Product ID: 55274-640-1975733-23395
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {BBFCA3C5-4744-4621-A5BC-46B969E75BE7}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.40.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-8009_E2AD56EA-766-2efd_E2AD56EA-148-80004005_16E0B333-89-80004005
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80004005
File Exists: Yes
Version: 1.9.40.0
WgaTray.exe Signed By: N/A, hr = 0x80004005
WgaLogon.dll Signed By: N/A, hr = 0x80004005

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Enterprise 2007 - 100 Genuine
OGA Version: Registered, 2.0.48.0
Signed By: N/A, hr = 0x80004005
Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-8009_E2AD56EA-766-2efd_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{BBFCA3C5-4744-4621-A5BC-46B969E75BE7}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-VGWBQ</PKey><PID>55274-640-1975733-23395</PID><PIDType>1</PIDType><SID>S-1-5-21-329068152-1580818891-725345543</SID><SYSTEM><Manufacturer>Dell Computer Corporation</Manufacturer><Model>Dimension 4600i </Model></SYSTEM><BIOS><Manufacturer>Dell Computer Corporation</Manufacturer><Version>A07</Version><SMBIOSVersion major="2" minor="3"/><Date>20031106000000.000000+000</Date></BIOS><HWID>00BA306F01008053</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.9.40.0"/><File Name="WgaLogon.dll" Version="1.9.40.0"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>7480B9502DF0D86</Val><Hash>oYWOW5ayFE3pZ+jvTpuXYsY64JE=</Hash><Pid>89388-707-8722531-65121</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1B1D6:Dell Inc|1B1D6:Microsoft Corporation
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A

#6 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:08:31 AM

Posted 31 January 2012 - 08:27 AM

Hi!

Thanks for running those scans.

Please run this utility next:


Running ComboFix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon.
They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
    Posted Image
    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#7 Smiley79

Smiley79
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:07:31 AM

Posted 31 January 2012 - 02:50 PM

The computer is still blocking websites constantly. When it's not connected to the internet, it seems to run fine. But there's just something that continuously tries to connect (and Malwarebytes' Anti-Malware blocks it). Here's the Combofix log:


ComboFix 12-01-30.02 - Jonah 01/31/2012 13:12:30.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.4 [GMT -6:00]
Running from: c:\documents and settings\Jonah\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\documents and settings\Jonah\WINDOWS
c:\documents and settings\Marvin\Application Data\PriceGong
c:\documents and settings\Marvin\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Marvin\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Marvin\Local Settings\Application Data\{8C074AA7-95A1-4946-92BC-F185D8ABD107}
c:\documents and settings\Marvin\Local Settings\Application Data\{8C074AA7-95A1-4946-92BC-F185D8ABD107}\chrome.manifest
c:\documents and settings\Marvin\Local Settings\Application Data\{8C074AA7-95A1-4946-92BC-F185D8ABD107}\chrome\content\overlay.xul
c:\documents and settings\Marvin\Local Settings\Application Data\{8C074AA7-95A1-4946-92BC-F185D8ABD107}\install.rdf
c:\documents and settings\Mom and Dad\Local Settings\Application Data\{66C295A2-E753-4EFB-A01D-AEB5276436DE}
c:\documents and settings\Mom and Dad\Local Settings\Application Data\{66C295A2-E753-4EFB-A01D-AEB5276436DE}\chrome.manifest
c:\documents and settings\Mom and Dad\Local Settings\Application Data\{66C295A2-E753-4EFB-A01D-AEB5276436DE}\chrome\content\overlay.xul
c:\documents and settings\Mom and Dad\Local Settings\Application Data\{66C295A2-E753-4EFB-A01D-AEB5276436DE}\install.rdf
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-31 )))))))))))))))))))))))))))))))
.
.
2012-01-31 12:07 . 2012-01-31 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2012-01-31 11:27 . 2012-01-31 11:27 -------- d-----w- c:\windows\LastGood
2012-01-31 11:21 . 2012-01-31 11:21 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7AC3207A-968F-45F4-BAD5-7D808620EB19}\offreg.dll
2012-01-26 19:03 . 2012-01-26 19:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-01-25 19:34 . 2012-01-06 04:19 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7AC3207A-968F-45F4-BAD5-7D808620EB19}\mpengine.dll
2012-01-25 18:45 . 2012-01-25 18:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2012-01-22 20:03 . 2012-01-22 20:03 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-01-20 20:05 . 2012-01-20 20:05 19416 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-06 04:19 . 2011-08-27 13:59 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-10 21:24 . 2011-12-26 03:35 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-06 17:23 . 2011-06-13 19:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-20 20:04 . 2012-01-20 20:04 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-05-18 21:25 194912 ------w- c:\program files\Yontoo Layers\YontooIEClient.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\Marvin\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Mom and Dad^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Mom and Dad\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 -c--a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 -c--a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 10:59 122880 ----a-w- c:\windows\BCMSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
2002-04-03 06:01 135264 -c--a-w- c:\program files\Creative\SBLive\Diagnostics\diagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2007-02-08 22:56 295856 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstaLAN]
2011-02-25 02:08 1770400 ----a-w- c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxczbmgr.exe]
2007-02-08 22:52 74672 ----a-w- c:\program files\Lexmark 1200 Series\LXCZbmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 15:17 5252408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-16 19:01 13529088 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-16 19:01 86016 -c--a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-16 19:01 1630208 -c--a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 17:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 -c----w- c:\windows\Updreg.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\lxczcoms.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/25/2011 9:35 PM 652872]
R2 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [1/27/2011 3:13 PM 226624]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/25/2011 9:35 PM 20464]
S0 nwav;nwav;c:\windows\system32\drivers\nbvewhw.sys --> c:\windows\system32\drivers\nbvewhw.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/1/2010 3:01 PM 136176]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [12/26/2011 7:59 PM 6016]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/1/2010 3:01 PM 136176]
S3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\Drivers\motoandroid.sys --> c:\windows\system32\Drivers\motoandroid.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [12/26/2011 7:59 PM 20352]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [12/26/2011 7:59 PM 8320]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [12/26/2011 7:59 PM 23424]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [12/26/2011 7:59 PM 9472]
S3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [10/18/2010 3:38 PM 13312]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/3/2004 11:56 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-05 c:\windows\Tasks\doxillionShakeIcon.job
- c:\program files\NCH Software\Doxillion\doxillion.exe [2011-08-02 00:27]
.
2011-06-05 c:\windows\Tasks\expressburnSevenDays.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2011-06-05 21:57]
.
2011-06-05 c:\windows\Tasks\expressburnShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2011-06-05 21:57]
.
2011-06-05 c:\windows\Tasks\expressripDowngrade.job
- c:\program files\NCH Swift Sound\ExpressRip\expressrip.exe [2010-09-21 00:23]
.
2011-06-14 c:\windows\Tasks\expressripShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressRip\expressrip.exe [2010-09-21 00:23]
.
2012-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-01 21:01]
.
2012-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-01 21:01]
.
2012-01-26 c:\windows\Tasks\MotoHelper MUM.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-01-27 21:14]
.
2012-01-26 c:\windows\Tasks\MotoHelper Routing.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-01-27 21:14]
.
2012-01-26 c:\windows\Tasks\MotoHelper Update.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-01-27 21:14]
.
2012-01-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2011-06-05 c:\windows\Tasks\switchSevenDays.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2011-06-05 21:57]
.
2011-06-05 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2011-06-05 21:57]
.
2010-09-21 c:\windows\Tasks\videopadSevenDays.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-09-21 00:24]
.
2010-09-21 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-09-21 00:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.courierpress.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\Jonah\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Jonah\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Jonah\Application Data\Mozilla\Firefox\Profiles\e6ubn7uh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.courierpress.com/
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - user.js: extentions.y2layers.installId - efd580dd-d987-4727-8447-3fb4d390ef66
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{0974BA1E-64EC-11DE-B2A5-E43756D89593} - c:\progra~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll
BHO-{74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - c:\progra~1\BEARSH~1\MediaBar\Datamngr\IEBHO.dll
Toolbar-{0974BA1E-64EC-11DE-B2A5-E43756D89593} - c:\progra~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{889DF~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-31 13:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD400BB-75DEA0 rev.05.03E05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x820F82E0
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\t*A~\DefaultIcon]
@="c:\\Program Files\\TinyBurn\\TinyBurn.exe,5\00\00\00\00\00\00???\12????\00\00??\00\00?????\12?\12?\12???????????\13\00\00?\12???????\1b???\1b\00\00?\12???\1b\00\00?\13\01\00\00\00??\00\00?\12?\12?\12?? \00?\12??"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(724)
c:\windows\system32\WININET.dll
.
Completion time: 2012-01-31 13:43:11
ComboFix-quarantined-files.txt 2012-01-31 19:43
.
Pre-Run: 16,566,931,456 bytes free
Post-Run: 17,572,986,880 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 62AD6622D7CC4B9AD9928CDA23D1802D

#8 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:08:31 AM

Posted 01 February 2012 - 12:41 AM

Hi!

The computer is still blocking websites constantly. When it's not connected to the internet, it seems to run fine. But there's just something that continuously tries to connect (and Malwarebytes' Anti-Malware blocks it). Here's the Combofix log:


Okay, thanks for that information.

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
Driver::
nwav
File::
c:\windows\system32\drivers\nbvewhw.sys
RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\t*A~\DefaultIcon]
ClearJavaCache::
Suspect::[102]
C:\Documents and Settings\Jonah\Desktop\MBR.dat

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#9 Smiley79

Smiley79
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:07:31 AM

Posted 01 February 2012 - 02:00 PM

Had a quick question. While I was performing the latest ComboFix scan, my computer froze on a blue, blank screen (with complete control over the mouse). I just thought it was moving sluggish again, so I allowed it to sit for a few hours. But when I came back to it, the same blue screen is present with complete control over the mouse. Should I just reboot and try the same scan again (with the script) or should I do something else?

#10 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:08:31 AM

Posted 02 February 2012 - 12:42 AM

Hi!

Sorry to hear you encountered issues while running the ComboFix scan.

Please try to re-run the ComboFix script. If it still gives you issues, please try running it in Safe Mode.

Let me know how that goes.

Kindest Regards,
Agent ST.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#11 Smiley79

Smiley79
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:07:31 AM

Posted 02 February 2012 - 07:14 AM

After rebooting, I tried running the CFScript with Combofix again and ran into other problems. After Combofix updates itself, the window closes and never comes back on. The one thing that I notice is that the Combofix icon changes (from the red logo to the generic Windows executable icon). I tried to run the script in safe mode twice, as you suggested. I went back to the links you originally posted and downloaded ComboFix again, recreated another CFScript in notepad again, and received the same results. After the window closes (and letting the computer sit for hours), I tried using the script again. A black window comes up for a second, then goes away. I've monitored processes in Task Manager (to see if anything is using all of the system's resources), and nothing different is showing up.

#12 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:08:31 AM

Posted 02 February 2012 - 08:23 AM

Hi!

Apologizes for that.

Can you please try download a new copy of ComboFix from this link here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe and see if you're able to run the ComboFix script then?

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#13 Smiley79

Smiley79
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:07:31 AM

Posted 02 February 2012 - 06:17 PM

Using that new link did the trick. I was able to use the script for ComboFix in Safe Mode. Here is the log:

ComboFix 12-02-02.02 - Administrator 02/02/2012 13:50:44.2.1 - x86 NETWORK
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\windows\system32\drivers\nbvewhw.sys"
.
file zipped: c:\documents and settings\Jonah\Desktop\MBR.dat
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_nwav
.
.
((((((((((((((((((((((((( Files Created from 2012-01-02 to 2012-02-02 )))))))))))))))))))))))))))))))
.
.
2012-02-02 06:28 . 2012-02-02 06:28 -------- d--h--w- c:\windows\PIF
2012-02-02 05:59 . 2012-01-06 04:19 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{96743483-7E55-4296-8E02-65EE41532ED3}\mpengine.dll
2012-01-31 12:07 . 2012-01-31 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2012-01-26 19:03 . 2012-01-26 19:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-01-25 18:45 . 2012-01-25 18:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2012-01-22 20:03 . 2012-01-22 20:03 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-01-20 20:05 . 2012-01-20 20:05 19416 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 12:44 . 2010-08-20 19:12 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-06 04:19 . 2011-08-27 13:59 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-10 21:24 . 2011-12-26 03:35 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-06 17:23 . 2011-06-13 19:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-20 20:04 . 2012-01-20 20:04 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-31_19.36.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-02 20:11 . 2012-02-02 20:11 16384 c:\windows\Temp\Perflib_Perfdata_6f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-05-18 21:25 194912 ------w- c:\program files\Yontoo Layers\YontooIEClient.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\Marvin\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Mom and Dad^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Mom and Dad\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 -c--a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 -c--a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 10:59 122880 ----a-w- c:\windows\BCMSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
2002-04-03 06:01 135264 -c--a-w- c:\program files\Creative\SBLive\Diagnostics\diagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2007-02-08 22:56 295856 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstaLAN]
2011-02-25 02:08 1770400 ----a-w- c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxczbmgr.exe]
2007-02-08 22:52 74672 ----a-w- c:\program files\Lexmark 1200 Series\LXCZbmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 15:17 5252408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-16 19:01 13529088 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-16 19:01 86016 -c--a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-16 19:01 1630208 -c--a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 17:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 -c----w- c:\windows\Updreg.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\lxczcoms.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/25/2011 9:35 PM 652872]
R2 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [1/27/2011 3:13 PM 226624]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/25/2011 9:35 PM 20464]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/1/2010 3:01 PM 136176]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [12/26/2011 7:59 PM 6016]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/1/2010 3:01 PM 136176]
S3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\Drivers\motoandroid.sys --> c:\windows\system32\Drivers\motoandroid.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [12/26/2011 7:59 PM 20352]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [12/26/2011 7:59 PM 8320]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [12/26/2011 7:59 PM 23424]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [12/26/2011 7:59 PM 9472]
S3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [10/18/2010 3:38 PM 13312]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/3/2004 11:56 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-05 c:\windows\Tasks\doxillionShakeIcon.job
- c:\program files\NCH Software\Doxillion\doxillion.exe [2011-08-02 00:27]
.
2011-06-05 c:\windows\Tasks\expressburnSevenDays.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2011-06-05 21:57]
.
2011-06-05 c:\windows\Tasks\expressburnShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2011-06-05 21:57]
.
2011-06-05 c:\windows\Tasks\expressripDowngrade.job
- c:\program files\NCH Swift Sound\ExpressRip\expressrip.exe [2010-09-21 00:23]
.
2011-06-14 c:\windows\Tasks\expressripShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressRip\expressrip.exe [2010-09-21 00:23]
.
2012-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-01 21:01]
.
2012-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-01 21:01]
.
2012-02-02 c:\windows\Tasks\MotoHelper Initial Update.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-01-27 21:14]
.
2012-01-26 c:\windows\Tasks\MotoHelper MUM.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-01-27 21:14]
.
2012-02-01 c:\windows\Tasks\MotoHelper Routing.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-01-27 21:14]
.
2012-01-26 c:\windows\Tasks\MotoHelper Update.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-01-27 21:14]
.
2012-02-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2011-06-05 c:\windows\Tasks\switchSevenDays.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2011-06-05 21:57]
.
2011-06-05 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2011-06-05 21:57]
.
2010-09-21 c:\windows\Tasks\videopadSevenDays.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-09-21 00:24]
.
2010-09-21 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-09-21 00:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.courierpress.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\Jonah\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Jonah\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\x13k3rb6.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-02 17:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD400BB-75DEA0 rev.05.03E05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x824B02E0
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\t*A~\DefaultIcon]
@="c:\\Program Files\\TinyBurn\\TinyBurn.exe,5\00\00\00\00\00\00???\12????\00\00??\00\00?????\12?\12?\12???????????\13\00\00?\12???????\1b???\1b\00\00?\12???\1b\00\00?\13\01\00\00\00??\00\00?\12?\12?\12?? \00?\12??"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(732)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(700)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxczcoms.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Motorola\MotoHelper\MotoHelperAgent.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-02-02 17:08:46 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-02 23:08
ComboFix2.txt 2012-01-31 19:43
.
Pre-Run: 16,698,499,072 bytes free
Post-Run: 17,310,232,576 bytes free
.
- - End Of File - - 45FB2B6B508F9230DDC7514B0264E34E
Upload was successful

#14 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:08:31 AM

Posted 03 February 2012 - 02:32 AM

Hi!

Thanks for running that ComboFix script, and I apologize for the issue with the ComboFix file before. It looks like there was an issue with the file.

I had you submit a file to me when you ran the ComboFix script. It's showing me that you have an infected MBR.

Lets try running TDSSKiller and see if that can take care of it, or if we will need to fix it manually.

Running TDSSKiller

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    Posted Image
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    Posted Image
  • Click the Start Scan button.

    Posted Image
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Posted Image
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

    Posted Image
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#15 Smiley79

Smiley79
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:07:31 AM

Posted 03 February 2012 - 06:57 AM

TDSSkiller log:


05:45:06.0468 3052 TDSS rootkit removing tool 2.7.9.0 Feb 1 2012 09:28:49
05:45:06.0765 3052 ============================================================
05:45:06.0765 3052 Current date / time: 2012/02/03 05:45:06.0765
05:45:06.0765 3052 SystemInfo:
05:45:06.0765 3052
05:45:06.0765 3052 OS Version: 5.1.2600 ServicePack: 3.0
05:45:06.0765 3052 Product type: Workstation
05:45:06.0765 3052 ComputerName: NONE-77E94F5610
05:45:06.0765 3052 UserName: Jonah
05:45:06.0765 3052 Windows directory: C:\WINDOWS
05:45:06.0765 3052 System windows directory: C:\WINDOWS
05:45:06.0765 3052 Processor architecture: Intel x86
05:45:06.0765 3052 Number of processors: 1
05:45:06.0765 3052 Page size: 0x1000
05:45:06.0765 3052 Boot type: Normal boot
05:45:06.0765 3052 ============================================================
05:45:09.0984 3052 Drive \Device\Harddisk0\DR0 - Size: 0x9502F9000 (37.25 Gb), SectorSize: 0x200, Cylinders: 0x12FF, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
05:45:10.0031 3052 \Device\Harddisk0\DR0:
05:45:10.0031 3052 MBR used
05:45:10.0031 3052 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x4A7D53F
05:45:10.0078 3052 Initialize success
05:45:10.0078 3052 ============================================================
05:46:24.0484 2480 ============================================================
05:46:24.0484 2480 Scan started
05:46:24.0484 2480 Mode: Manual; SigCheck; TDLFS;
05:46:24.0484 2480 ============================================================
05:46:24.0828 2480 Abiosdsk - ok
05:46:24.0937 2480 abp480n5 - ok
05:46:25.0140 2480 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
05:46:27.0437 2480 ACPI - ok
05:46:27.0671 2480 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
05:46:27.0843 2480 ACPIEC - ok
05:46:28.0000 2480 adpu160m - ok
05:46:28.0171 2480 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
05:46:28.0359 2480 aec - ok
05:46:28.0562 2480 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
05:46:28.0718 2480 AFD - ok
05:46:28.0859 2480 AFGMp50 - ok
05:46:29.0031 2480 AFGSp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\WINDOWS\system32\Drivers\AFGSp50.sys
05:46:29.0093 2480 AFGSp50 - ok
05:46:29.0281 2480 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
05:46:29.0437 2480 agp440 - ok
05:46:29.0593 2480 Aha154x - ok
05:46:29.0750 2480 aic78u2 - ok
05:46:29.0875 2480 aic78xx - ok
05:46:30.0015 2480 AliIde - ok
05:46:30.0156 2480 amsint - ok
05:46:30.0296 2480 asc - ok
05:46:30.0437 2480 asc3350p - ok
05:46:30.0562 2480 asc3550 - ok
05:46:30.0828 2480 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
05:46:30.0984 2480 AsyncMac - ok
05:46:31.0187 2480 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
05:46:31.0343 2480 atapi - ok
05:46:31.0500 2480 Atdisk - ok
05:46:31.0671 2480 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
05:46:31.0812 2480 Atmarpc - ok
05:46:32.0031 2480 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
05:46:32.0203 2480 audstub - ok
05:46:32.0453 2480 BCMModem (41347688046d49cde0f6d138a534f73d) C:\WINDOWS\system32\DRIVERS\BCMSM.sys
05:46:32.0656 2480 BCMModem - ok
05:46:33.0015 2480 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
05:46:33.0187 2480 Beep - ok
05:46:33.0406 2480 BTCFilterService (4813df77ede536a52e3737971f910baa) C:\WINDOWS\system32\DRIVERS\motfilt.sys
05:46:33.0703 2480 BTCFilterService - ok
05:46:33.0718 2480 catchme - ok
05:46:33.0968 2480 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
05:46:34.0156 2480 cbidf2k - ok
05:46:34.0343 2480 cd20xrnt - ok
05:46:34.0453 2480 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
05:46:34.0640 2480 Cdaudio - ok
05:46:34.0859 2480 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
05:46:35.0031 2480 Cdfs - ok
05:46:35.0468 2480 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
05:46:35.0671 2480 Cdrom - ok
05:46:35.0828 2480 Changer - ok
05:46:36.0000 2480 CmdIde - ok
05:46:36.0062 2480 Cpqarray - ok
05:46:36.0156 2480 ctsfm2k (b459ae4afca570088adddbe55eabbc92) C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
05:46:36.0234 2480 ctsfm2k - ok
05:46:36.0421 2480 dac2w2k - ok
05:46:36.0578 2480 dac960nt - ok
05:46:36.0828 2480 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
05:46:37.0015 2480 Disk - ok
05:46:37.0234 2480 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
05:46:37.0437 2480 dmboot - ok
05:46:37.0640 2480 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
05:46:37.0828 2480 dmio - ok
05:46:38.0078 2480 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
05:46:38.0265 2480 dmload - ok
05:46:38.0484 2480 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
05:46:38.0656 2480 DMusic - ok
05:46:38.0796 2480 dpti2o - ok
05:46:39.0000 2480 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
05:46:39.0156 2480 drmkaud - ok
05:46:39.0406 2480 E100B (d57a8fc800b501ac05b10d00f66d127a) C:\WINDOWS\system32\DRIVERS\e100b325.sys
05:46:39.0468 2480 E100B - ok
05:46:39.0687 2480 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
05:46:39.0859 2480 Fastfat - ok
05:46:40.0093 2480 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
05:46:40.0281 2480 Fdc - ok
05:46:40.0453 2480 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
05:46:40.0640 2480 Fips - ok
05:46:40.0843 2480 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
05:46:40.0984 2480 Flpydisk - ok
05:46:41.0203 2480 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
05:46:41.0375 2480 FltMgr - ok
05:46:41.0578 2480 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
05:46:41.0734 2480 Fs_Rec - ok
05:46:41.0937 2480 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
05:46:42.0125 2480 Ftdisk - ok
05:46:42.0328 2480 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
05:46:42.0500 2480 gameenum - ok
05:46:42.0703 2480 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
05:46:42.0890 2480 Gpc - ok
05:46:43.0140 2480 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
05:46:43.0328 2480 hidusb - ok
05:46:43.0500 2480 hpn - ok
05:46:43.0687 2480 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
05:46:43.0812 2480 HTTP - ok
05:46:43.0984 2480 i2omgmt - ok
05:46:44.0109 2480 i2omp - ok
05:46:44.0281 2480 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
05:46:44.0468 2480 i8042prt - ok
05:46:44.0671 2480 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
05:46:44.0843 2480 Imapi - ok
05:46:45.0031 2480 ini910u - ok
05:46:45.0281 2480 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
05:46:45.0453 2480 IntelIde - ok
05:46:45.0656 2480 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
05:46:45.0875 2480 intelppm - ok
05:46:46.0078 2480 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
05:46:46.0234 2480 Ip6Fw - ok
05:46:46.0453 2480 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
05:46:46.0625 2480 IpFilterDriver - ok
05:46:46.0828 2480 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
05:46:47.0078 2480 IpInIp - ok
05:46:47.0312 2480 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
05:46:47.0500 2480 IpNat - ok
05:46:47.0703 2480 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
05:46:47.0906 2480 IPSec - ok
05:46:48.0359 2480 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
05:46:48.0515 2480 IRENUM - ok
05:46:48.0687 2480 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
05:46:48.0875 2480 isapnp - ok
05:46:49.0078 2480 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
05:46:49.0250 2480 Kbdclass - ok
05:46:49.0453 2480 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
05:46:49.0593 2480 kbdhid - ok
05:46:49.0765 2480 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
05:46:49.0937 2480 kmixer - ok
05:46:50.0140 2480 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
05:46:50.0250 2480 KSecDD - ok
05:46:50.0437 2480 lbrtfdc - ok
05:46:50.0625 2480 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
05:46:50.0640 2480 MBAMProtector - ok
05:46:50.0843 2480 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
05:46:51.0062 2480 mnmdd - ok
05:46:51.0312 2480 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
05:46:51.0468 2480 Modem - ok
05:46:51.0656 2480 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
05:46:51.0828 2480 MODEMCSA - ok
05:46:51.0968 2480 motandroidusb - ok
05:46:52.0125 2480 motccgp (1088f75c09ebb0a8b0f13b886fd67c52) C:\WINDOWS\system32\DRIVERS\motccgp.sys
05:46:52.0187 2480 motccgp - ok
05:46:52.0421 2480 motccgpfl (b812da6605caf02641312f1f65c75419) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys
05:46:52.0484 2480 motccgpfl - ok
05:46:52.0687 2480 motmodem (8f408e9ed2feb8a8b8837c380faf7ad6) C:\WINDOWS\system32\DRIVERS\motmodem.sys
05:46:52.0750 2480 motmodem - ok
05:46:52.0953 2480 MotoSwitchService (fd8c2cef7ad8b23c6714103d621fac1f) C:\WINDOWS\system32\DRIVERS\motswch.sys
05:46:53.0031 2480 MotoSwitchService - ok
05:46:53.0234 2480 Motousbnet (ddc489d40b49f443787e7ffa75373522) C:\WINDOWS\system32\DRIVERS\Motousbnet.sys
05:46:53.0296 2480 Motousbnet - ok
05:46:53.0515 2480 motusbdevice (2136cca3d1bf7c0248e5366b1a6c24e3) C:\WINDOWS\system32\DRIVERS\motusbdevice.sys
05:46:53.0578 2480 motusbdevice - ok
05:46:53.0781 2480 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
05:46:53.0937 2480 Mouclass - ok
05:46:54.0140 2480 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
05:46:54.0328 2480 mouhid - ok
05:46:54.0546 2480 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
05:46:54.0703 2480 MountMgr - ok
05:46:54.0921 2480 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
05:46:54.0953 2480 MpFilter - ok
05:46:55.0078 2480 mraid35x - ok
05:46:55.0171 2480 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
05:46:55.0343 2480 MRxDAV - ok
05:46:55.0562 2480 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
05:46:55.0781 2480 MRxSmb - ok
05:46:56.0015 2480 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
05:46:56.0187 2480 Msfs - ok
05:46:56.0437 2480 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
05:46:56.0578 2480 MSKSSRV - ok
05:46:56.0765 2480 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
05:46:56.0921 2480 MSPCLOCK - ok
05:46:57.0125 2480 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
05:46:57.0265 2480 MSPQM - ok
05:46:57.0531 2480 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
05:46:57.0687 2480 mssmbios - ok
05:46:57.0906 2480 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
05:46:57.0984 2480 Mup - ok
05:46:58.0187 2480 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
05:46:58.0375 2480 NDIS - ok
05:46:58.0609 2480 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
05:46:58.0671 2480 NdisTapi - ok
05:46:58.0875 2480 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
05:46:59.0046 2480 Ndisuio - ok
05:46:59.0250 2480 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
05:46:59.0421 2480 NdisWan - ok
05:46:59.0656 2480 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
05:46:59.0734 2480 NDProxy - ok
05:46:59.0921 2480 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
05:47:00.0093 2480 NetBIOS - ok
05:47:00.0296 2480 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
05:47:00.0453 2480 NetBT - ok
05:47:00.0718 2480 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
05:47:00.0890 2480 Npfs - ok
05:47:01.0125 2480 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
05:47:01.0328 2480 Ntfs - ok
05:47:01.0562 2480 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
05:47:01.0750 2480 Null - ok
05:47:02.0218 2480 nv (9f4384aa43548ddd438f7b7825d11699) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
05:47:02.0828 2480 nv - ok
05:47:03.0171 2480 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
05:47:03.0343 2480 NwlnkFlt - ok
05:47:03.0546 2480 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
05:47:03.0734 2480 NwlnkFwd - ok
05:47:03.0953 2480 ossrv (c720c25b2d0c93dc425155f5b6a707f3) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
05:47:04.0000 2480 ossrv - ok
05:47:04.0265 2480 P16X (f051107ff80f132882e71e3a5d302ec1) C:\WINDOWS\system32\drivers\P16X.sys
05:47:04.0421 2480 P16X - ok
05:47:04.0640 2480 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
05:47:04.0812 2480 Parport - ok
05:47:05.0031 2480 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
05:47:05.0187 2480 PartMgr - ok
05:47:05.0406 2480 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
05:47:05.0593 2480 ParVdm - ok
05:47:05.0843 2480 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
05:47:06.0000 2480 PCI - ok
05:47:06.0156 2480 PCIDump - ok
05:47:06.0343 2480 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
05:47:06.0531 2480 PCIIde - ok
05:47:06.0750 2480 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
05:47:06.0890 2480 Pcmcia - ok
05:47:07.0109 2480 PDCOMP - ok
05:47:07.0328 2480 PDFRAME - ok
05:47:07.0531 2480 PDRELI - ok
05:47:07.0750 2480 PDRFRAME - ok
05:47:07.0921 2480 perc2 - ok
05:47:08.0140 2480 perc2hib - ok
05:47:08.0421 2480 PfModNT (c8a2d6ff660ac601b7bb9a9b16a5c25e) C:\WINDOWS\system32\drivers\PfModNT.sys
05:47:08.0453 2480 PfModNT ( UnsignedFile.Multi.Generic ) - warning
05:47:08.0453 2480 PfModNT - detected UnsignedFile.Multi.Generic (1)
05:47:08.0687 2480 pneteth (088335b06f75adbcbb81575c7cae6c43) C:\WINDOWS\system32\DRIVERS\pneteth.sys
05:47:08.0703 2480 pneteth ( UnsignedFile.Multi.Generic ) - warning
05:47:08.0703 2480 pneteth - detected UnsignedFile.Multi.Generic (1)
05:47:09.0000 2480 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
05:47:09.0203 2480 PptpMiniport - ok
05:47:09.0421 2480 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
05:47:09.0593 2480 PSched - ok
05:47:09.0781 2480 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
05:47:09.0953 2480 Ptilink - ok
05:47:10.0109 2480 ql1080 - ok
05:47:10.0234 2480 Ql10wnt - ok
05:47:10.0312 2480 ql12160 - ok
05:47:10.0375 2480 ql1240 - ok
05:47:10.0437 2480 ql1280 - ok
05:47:10.0562 2480 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
05:47:10.0750 2480 RasAcd - ok
05:47:11.0015 2480 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
05:47:11.0171 2480 Rasl2tp - ok
05:47:11.0375 2480 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
05:47:11.0531 2480 RasPppoe - ok
05:47:11.0734 2480 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
05:47:11.0921 2480 Raspti - ok
05:47:12.0187 2480 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
05:47:12.0343 2480 Rdbss - ok
05:47:12.0531 2480 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
05:47:12.0718 2480 RDPCDD - ok
05:47:12.0953 2480 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
05:47:13.0125 2480 rdpdr - ok
05:47:13.0328 2480 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
05:47:13.0390 2480 RDPWD - ok
05:47:13.0625 2480 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
05:47:13.0781 2480 redbook - ok
05:47:14.0078 2480 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
05:47:14.0234 2480 Secdrv - ok
05:47:14.0453 2480 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
05:47:14.0609 2480 serenum - ok
05:47:14.0796 2480 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
05:47:14.0968 2480 Serial - ok
05:47:15.0187 2480 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
05:47:15.0359 2480 Sfloppy - ok
05:47:15.0500 2480 Simbad - ok
05:47:15.0625 2480 Sparrow - ok
05:47:15.0796 2480 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
05:47:15.0953 2480 splitter - ok
05:47:16.0203 2480 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
05:47:16.0375 2480 sr - ok
05:47:16.0609 2480 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
05:47:16.0765 2480 Srv - ok
05:47:17.0000 2480 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
05:47:17.0171 2480 swenum - ok
05:47:17.0406 2480 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
05:47:17.0562 2480 swmidi - ok
05:47:17.0718 2480 symc810 - ok
05:47:17.0828 2480 symc8xx - ok
05:47:17.0953 2480 sym_hi - ok
05:47:18.0171 2480 sym_u3 - ok
05:47:18.0328 2480 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
05:47:18.0484 2480 sysaudio - ok
05:47:18.0718 2480 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
05:47:18.0843 2480 Tcpip - ok
05:47:19.0109 2480 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
05:47:19.0265 2480 TDPIPE - ok
05:47:19.0453 2480 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
05:47:19.0593 2480 TDTCP - ok
05:47:19.0796 2480 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
05:47:19.0953 2480 TermDD - ok
05:47:20.0140 2480 TosIde - ok
05:47:20.0375 2480 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
05:47:20.0546 2480 Udfs - ok
05:47:20.0687 2480 ultra - ok
05:47:20.0906 2480 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
05:47:21.0093 2480 Update - ok
05:47:21.0359 2480 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
05:47:21.0515 2480 usbccgp - ok
05:47:21.0703 2480 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
05:47:21.0859 2480 usbehci - ok
05:47:22.0062 2480 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
05:47:22.0234 2480 usbhub - ok
05:47:22.0468 2480 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
05:47:22.0625 2480 usbprint - ok
05:47:22.0828 2480 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
05:47:22.0984 2480 usbscan - ok
05:47:23.0203 2480 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
05:47:23.0375 2480 USBSTOR - ok
05:47:23.0562 2480 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
05:47:23.0734 2480 usbuhci - ok
05:47:23.0921 2480 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
05:47:24.0078 2480 VgaSave - ok
05:47:24.0250 2480 ViaIde - ok
05:47:24.0484 2480 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
05:47:24.0640 2480 VolSnap - ok
05:47:24.0859 2480 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
05:47:25.0015 2480 Wanarp - ok
05:47:25.0203 2480 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
05:47:25.0250 2480 Wdf01000 - ok
05:47:25.0437 2480 WDICA - ok
05:47:25.0656 2480 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
05:47:25.0812 2480 wdmaud - ok
05:47:26.0062 2480 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
05:47:26.0078 2480 WinUSB - ok
05:47:26.0375 2480 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
05:47:26.0437 2480 WpdUsb - ok
05:47:26.0687 2480 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
05:47:26.0859 2480 WS2IFSL - ok
05:47:27.0062 2480 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
05:47:27.0156 2480 WudfPf - ok
05:47:27.0515 2480 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
05:47:27.0562 2480 WudfRd - ok
05:47:27.0593 2480 MBR (0x1B8) (cdac57608c39097805c8c958f1f73d97) \Device\Harddisk0\DR0
05:47:27.0625 2480 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.a ) - infected
05:47:27.0625 2480 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.a (0)
05:47:27.0656 2480 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
05:47:27.0656 2480 \Device\Harddisk0\DR0 - detected TDSS File System (1)
05:47:27.0656 2480 Boot (0x1200) (fac3ca9937ab9afbcb959a6fa6e771fb) \Device\Harddisk0\DR0\Partition0
05:47:27.0656 2480 \Device\Harddisk0\DR0\Partition0 - ok
05:47:27.0671 2480 ============================================================
05:47:27.0671 2480 Scan finished
05:47:27.0671 2480 ============================================================
05:47:27.0781 3660 Detected object count: 4
05:47:27.0781 3660 Actual detected object count: 4
05:48:44.0968 3660 PfModNT ( UnsignedFile.Multi.Generic ) - skipped by user
05:48:44.0968 3660 PfModNT ( UnsignedFile.Multi.Generic ) - User select action: Skip
05:48:44.0968 3660 pneteth ( UnsignedFile.Multi.Generic ) - skipped by user
05:48:44.0984 3660 pneteth ( UnsignedFile.Multi.Generic ) - User select action: Skip
05:48:49.0078 3660 \Device\Harddisk0\DR0\# - copied to quarantine
05:48:49.0078 3660 \Device\Harddisk0\DR0 - copied to quarantine
05:48:51.0484 3660 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
05:48:51.0531 3660 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
05:48:52.0062 3660 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
05:48:52.0062 3660 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
05:48:52.0093 3660 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
05:48:52.0109 3660 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
05:48:52.0406 3660 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
05:48:53.0078 3660 \Device\Harddisk0\DR0\TDLFS\xh.dll - copied to quarantine
05:48:53.0203 3660 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.a ) - will be cured on reboot
05:48:53.0218 3660 \Device\Harddisk0\DR0 - ok
05:48:53.0218 3660 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.a ) - User select action: Cure
05:48:53.0218 3660 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
05:48:53.0218 3660 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
05:50:49.0046 2848 Deinitialize success




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users