
MBR infected


  • This topic is locked
15 replies to this topic

#1 Computer Rock

Computer Rock

  • Members
  • 49 posts

Posted 31 January 2012 - 12:08 AM

Hi there

I have recently been having popups appearing from AVG telling me that some file is infected. At first I thought it was nothing, but then it came up a few times and sometimes stated different infections. Around the same time as I got these popups my internet has been running fairly slow. I'm not sure if this is connected to the infections notified to me by AVG.
NOTE: At this point I have not seen any more popups from AVG; however, my internet is running very slow.

I have done nothing to resolve this issue on my own however I have had help in a different topic. This is a link to that topic: http://www.bleepingcomputer.com/forums/topic440439.html/page__gopid__2578280#entry2578280

I was advised by "Broni" to use the following programs: Security Check, Farbar Service Scanner, MiniToolKit, Malwarebytes' Anti-Malware and aswMBR. He also told me to follow the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help" starting at step 6. I will post all the logs produced from the above programs and the programs DDS and GMER (from the guide).

Thank you very much for your time.


Security check (checkup.txt)

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 2 x86
Out of date service pack!!
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG Free 9.0
ESET Online Scanner v3
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Microsoft VM for Java
Java™ 6 Update 21
Out of date Java installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````



Farbar Service Scanner (FSS.txt)

Farbar Service Scanner Version: 18-01-2012 01
Ran by Alex P (administrator) on 30-01-2012 at 23:51:19
Microsoft Windows XP Professional Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.

sr Service is not running. Checking service configuration:
The start type of sr service is set to Disabled. The default start type is Boot.
The ImagePath of sr: "\SystemRoot\system32\DRIVERS\sr.sys".


System Restore Disabled Policy:
========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=DWORD:1


Security Center:
============

Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2006-02-28 23:00] - [2008-08-14 20:51] - 0138368 ____A (Microsoft Corporation) 55E6E1C51B6D30E54335750955453702

C:\WINDOWS\system32\Drivers\netbt.sys
[2006-02-28 23:00] - [2006-02-28 23:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2006-02-28 23:00] - [2008-06-20 21:45] - 0360320 ____A (Microsoft Corporation) 2A5554FC5B1E04E131230E3CE035C3F9

C:\WINDOWS\system32\Drivers\ipsec.sys
[2006-02-28 23:00] - [2006-02-28 23:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll
[2006-02-28 23:00] - [2006-02-28 23:00] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D

C:\WINDOWS\system32\ipnathlp.dll
[2006-02-28 23:00] - [2006-02-28 23:00] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF

C:\WINDOWS\system32\netman.dll
[2006-02-28 23:00] - [2006-02-28 23:00] - 0198144 ____A (Microsoft Corporation) DAB9E6C7105D2EF49876FE92C524F565

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2010-02-11 23:04] - [2006-02-28 23:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\srsvc.dll
[2010-02-11 23:05] - [2006-02-28 23:00] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

C:\WINDOWS\system32\Drivers\sr.sys
[2010-02-11 23:05] - [2006-02-28 23:00] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

C:\WINDOWS\system32\wscsvc.dll
[2006-02-28 23:00] - [2006-02-28 23:00] - 0081408 ____A (Microsoft Corporation) 4D59DAA66C60858CDF4F67A900F42D4A

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2010-02-11 23:04] - [2006-02-28 23:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\wuauserv.dll
[2010-02-11 23:05] - [2006-02-28 23:00] - 0006656 ____A (Microsoft Corporation) 13D72740963CBA12D9FF76A7F218BCD8

C:\WINDOWS\system32\qmgr.dll
[2010-02-11 23:05] - [2006-02-28 23:00] - 0382464 ____A (Microsoft Corporation) 2C69EC7E5A311334D10DD95F338FCCEA

C:\WINDOWS\system32\es.dll
[2006-02-28 23:00] - [2008-07-08 07:32] - 0253952 ____A (Microsoft Corporation) 60D1A6342238378BFB7545C81EE3606C

C:\WINDOWS\system32\cryptsvc.dll
[2006-02-28 23:00] - [2006-02-28 23:00] - 0060416 ____A (Microsoft Corporation) 10654F9DDCEA9C46CFB77554231BE73B

C:\WINDOWS\system32\svchost.exe
[2006-02-28 23:00] - [2006-02-28 23:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2006-02-28 23:00] - [2009-02-09 21:20] - 0399360 ____A (Microsoft Corporation) 01095FEBF33BEEA00C2A0730B9B3EC28

C:\WINDOWS\system32\services.exe
[2006-02-28 23:00] - [2009-02-07 04:14] - 0110592 ____A (Microsoft Corporation) 37561F8D4160D62DA86D24AE41FAE8DE


Extra List:
=======
AegisP(8) AvgTdiX(86) Gpc(3) IPSec(5) irda(9) NetBT(6) PSched(7) Tcpip(4) xcpip(4) xpsec(5)
0x0A00000005000000010000000200000003000000040000005600000006000000070000000800000009000000
IpSec Tag value is correct.

**** End of log ****



Mini Tool Box

MiniToolBox by Farbar Version: 18-01-2012
Ran by Alex P (administrator) on 30-01-2012 at 23:54:56
Microsoft Windows XP Professional Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================
# Any other entries you had go here (new line no # no space);
127.0.0.1 localhost
127.0.0.1 3dns.adobe.com 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com activate.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.wip.adobe.com
127.0.0.1 activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com adobe-dns-3.adobe.com adobe-dns-4.adobe.com
127.0.0.1 adobeereg.com practivate.adobe practivate.adobe.com practivate.adobe.newoa practivate.adobe.ntp practivate.adobe.ipp ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com
127.0.0.1 ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com
127.0.0.1 www.adobeereg.com wwis-dubc1-vip60.adobe.com www.wip.adobe.com www.wip1.adobe.com
127.0.0.1 www.wip2.adobe.com www.wip3.adobe.com www.wip4.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net

========================= IP Configuration: ================================

NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter = Wireless Network Connection 2 (Connected)
Atheros L1 Gigabit Ethernet 10/100/1000Base-T Controller = Local Area Connection (Media disconnected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp

# Interface IP Configuration for "Wireless Network Connection 2"

set address name="Wireless Network Connection 2" source=dhcp
set dns name="Wireless Network Connection 2" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection 2" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration

Host Name . . . . . . . . . . . . : marvel
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : WAG320N

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Atheros L1 Gigabit Ethernet 10/100/1000Base-T Controller
Physical Address. . . . . . . . . : 00-1D-60-78-94-AE

Ethernet adapter Wireless Network Connection 2:

Connection-specific DNS Suffix . : WAG320N
Description . . . . . . . . . . . : NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter #2
Physical Address. . . . . . . . . : 00-22-3F-E9-5F-52
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.2.105
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 203.12.160.35
                                    203.12.160.36
Lease Obtained. . . . . . . . . . : Monday, 30 January 2012 7:33:30 PM
Lease Expires . . . . . . . . . . : Tuesday, 31 January 2012 7:33:30 PM

Server: dns1.tpgi.com.au
Address: 203.12.160.35

Name: google.com
Addresses: 74.125.237.16, 74.125.237.18, 74.125.237.19, 74.125.237.17
74.125.237.20

Pinging google.com [74.125.237.16] with 32 bytes of data:

Reply from 74.125.237.16: bytes=32 time=21ms TTL=57
Reply from 74.125.237.16: bytes=32 time=22ms TTL=57

Ping statistics for 74.125.237.16:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 21ms, Maximum = 22ms, Average = 21ms

Server: dns1.tpgi.com.au
Address: 203.12.160.35

Name: yahoo.com
Addresses: 209.191.122.70, 72.30.2.43, 98.137.149.56, 98.139.180.149

Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=242ms TTL=52
Reply from 209.191.122.70: bytes=32 time=245ms TTL=52

Ping statistics for 209.191.122.70:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 242ms, Maximum = 245ms, Average = 243ms

Server: dns1.tpgi.com.au
Address: 203.12.160.35

Name: bleepingcomputer.com
Address: 208.43.87.2

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1d 60 78 94 ae ...... Atheros L1 Gigabit Ethernet 10/100/1000Base-T Controller - Packet Scheduler Miniport
0x10004 ...00 22 3f e9 5f 52 ...... NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter #2 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1   192.168.2.105      25
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      169.254.0.0      255.255.0.0    192.168.2.105   192.168.2.105      20
      192.168.2.0    255.255.255.0    192.168.2.105   192.168.2.105      25
    192.168.2.105  255.255.255.255        127.0.0.1       127.0.0.1      25
    192.168.2.255  255.255.255.255    192.168.2.105   192.168.2.105      25
        224.0.0.0        240.0.0.0    192.168.2.105   192.168.2.105      25
  255.255.255.255  255.255.255.255    192.168.2.105               2       1
  255.255.255.255  255.255.255.255    192.168.2.105   192.168.2.105       1
Default Gateway:       192.168.2.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (12/19/2011 11:37:10 AM) (Source: Application Error) (User: )
Description: Faulting application youtubedownloader.exe, version 3.4.0.2, faulting module youtubedownloader.exe, version 3.4.0.2, fault address 0x000145e5.
Processing media-specific event for [youtubedownloader.exe!ws!]

Error: (11/30/2011 01:51:40 AM) (Source: Application Error) (User: )
Description: Faulting application wmplayer.exe, version 11.0.5721.5145, faulting module nevideo.ax, version 2.0.1.4, fault address 0x0000b503.
Processing media-specific event for [wmplayer.exe!ws!]

Error: (11/30/2011 01:29:46 AM) (Source: ESENT) (User: )
Description: Catalog Database (1276) Database C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb is partially attached. Attachment stage: 3. Error: -1032.

Error: (11/30/2011 01:29:46 AM) (Source: ESENT) (User: )
Description: svchost (1276) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Error: (11/21/2011 00:19:31 PM) (Source: Application Hang) (User: )
Description: Hanging application wmplayer.exe, version 11.0.5721.5145, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (11/20/2011 01:24:35 AM) (Source: Application Hang) (User: )
Description: Hanging application WinRAR.exe, version 3.91.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (11/20/2011 01:24:35 AM) (Source: Application Hang) (User: )
Description: Hanging application WinRAR.exe, version 3.91.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (11/20/2011 01:24:34 AM) (Source: Application Error) (User: )
Description: Faulting application winrar.exe, version 3.91.0.0, faulting module ace.fmt, version 3.91.0.0, fault address 0x0000d03a.
Processing media-specific event for [winrar.exe!ws!]

Error: (11/20/2011 01:24:08 AM) (Source: Application Error) (User: )
Description: Faulting application divx plus player.exe, version 10.2.1.20, faulting module qtcore4.dll, version 4.5.0.0, fault address 0x000e1b16.
Processing media-specific event for [divx plus player.exe!ws!]

Error: (11/20/2011 01:24:01 AM) (Source: Application Hang) (User: )
Description: Hanging application WinRAR.exe, version 3.91.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.


System errors:
=============
Error: (01/29/2012 10:23:07 PM) (Source: Service Control Manager) (User: )
Description: The HID Input Service service terminated with the following error:
%%126

Error: (01/27/2012 11:49:04 PM) (Source: Service Control Manager) (User: )
Description: The HID Input Service service terminated with the following error:
%%126

Error: (01/26/2012 09:07:48 AM) (Source: Service Control Manager) (User: )
Description: The HID Input Service service terminated with the following error:
%%126

Error: (01/26/2012 08:43:01 AM) (Source: Service Control Manager) (User: )
Description: The HID Input Service service terminated with the following error:
%%126

Error: (01/25/2012 04:36:52 AM) (Source: Service Control Manager) (User: )
Description: The HID Input Service service terminated with the following error:
%%126


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

2007 Microsoft Office system (Version: 12.0.6425.1000)
Adobe Common File Installer (Version: 1.00.0000)
Adobe Flash Player 10 ActiveX (Version: 10.3.181.26)
Adobe Reader 9.3.4 (Version: 9.3.4)
Amnesia - The Dark Descent (Version: 1.0.0)
Apple Application Support (Version: 1.5.2)
Apple Mobile Device Support (Version: 3.4.1.2)
Apple Software Update (Version: 2.1.3.127)
Atheros Communications Inc.® L1 Gigabit Ethernet Driver (Version: 1.0.11.1)
ATI AVIVO Codecs (Version: 10.0.0.40103)
ATI Catalyst Install Manager (Version: 3.0.745.0)
AVG Free 9.0
Battlefield Heroes
BioShock 2 (Version: 1.0.0003.131)
Bonjour (Version: 3.0.0.2)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center Core Implementation (Version: 2009.0914.2131.36822)
Catalyst Control Center Graphics Full Existing (Version: 2009.0914.2131.36822)
Catalyst Control Center Graphics Full New (Version: 2009.0914.2131.36822)
Catalyst Control Center Graphics Light (Version: 2009.0914.2131.36822)
Catalyst Control Center Graphics Previews Common (Version: 2009.0914.2131.36822)
Catalyst Control Center InstallProxy (Version: 2009.0914.2131.36822)
Catalyst Control Center Localization All (Version: 2009.0914.2131.36822)
ccc-core-preinstall (Version: 2009.0914.2131.36822)
ccc-core-static (Version: 2009.0914.2131.36822)
ccc-utility (Version: 2009.0914.2131.36822)
CCC Help Chinese Standard (Version: 2009.0914.2130.36822)
CCC Help Chinese Traditional (Version: 2009.0914.2130.36822)
CCC Help Danish (Version: 2009.0914.2130.36822)
CCC Help Dutch (Version: 2009.0914.2130.36822)
CCC Help English (Version: 2009.0914.2130.36822)
CCC Help Finnish (Version: 2009.0914.2130.36822)
CCC Help French (Version: 2009.0914.2130.36822)
CCC Help German (Version: 2009.0914.2130.36822)
CCC Help Italian (Version: 2009.0914.2130.36822)
CCC Help Japanese (Version: 2009.0914.2130.36822)
CCC Help Norwegian (Version: 2009.0914.2130.36822)
CCC Help Spanish (Version: 2009.0914.2130.36822)
CCC Help Swedish (Version: 2009.0914.2130.36822)
City of Heroes
Crysis WARHEAD® (Version: 1.0)
Crysis Wars®
Crysis Wars® (Version: 1.0)
Crysis® (Version: 1.00.0000)
DivX Setup (Version: 2.1.2.2)
ESET Online Scanner v3
Final Fantasy VII - Ultima Edition
Freelancer
High Definition Audio Driver Package - KB888111 (Version: 20040219.000000)
iTunes (Version: 10.4.1.10)
Java Auto Updater (Version: 2.0.2.4)
Java™ 6 Update 21 (Version: 6.0.210)
Jungle Games
Junk Mail filter update (Version: 14.0.8117.416)
Malwarebytes' Anti-Malware
Mass Effect (Version: 1.00)
Megaupload Downloader
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Age of Empires Gold
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Game Studios Common Redistributables Pack 1 (Version: 1.0.0)
Microsoft Games for Windows - LIVE (Version: 3.1.186.0)
Microsoft Games for Windows - LIVE Redistributable (Version: 3.2.3.0)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Office Professional Hybrid 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Visio 2007 Service Pack 2 (SP2)
Microsoft Office Visio MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Visio Professional 2007 (Version: 12.0.6425.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable - KB2467175 (Version: 8.0.51011)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual J# .NET Redistributable Package 1.1 (Version: 1.1.4322)
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft VM for Java
Microsoft Web Publishing Wizard 1.53
Microsoft XML Parser (Version: 8.20.8730.4)
Microsoft_VC80_CRT_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFC_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFCLOC_x86 (Version: 8.0.50727.4053)
Microsoft_VC90_ATL_x86 (Version: 1.00.0000)
Microsoft_VC90_CRT_x86 (Version: 1.00.0000)
Microsoft_VC90_MFC_x86 (Version: 1.00.0000)
Microsoft_VC90_MFCLOC_x86 (Version: 1.00.0000)
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
MSXML 6 Service Pack 2 (KB973686) (Version: 6.20.2003.0)
NCsoft Launcher (Version: 1.5.25.1)
Nero OEM
Nero Suite
neroxml (Version: 1.0.0)
NETGEAR WG111v3 wireless USB 2.0 adapter (Version: 1.01.10)
NVIDIA PhysX (Version: 9.09.0720)
Project64 1.6 (Version: 1.6)
PunkBuster Services (Version: 0.990)
QuickTime (Version: 7.70.80.34)
Realtek High Definition Audio Driver (Version: 5.10.0.5404)
SDFormatter
Segoe UI (Version: 14.0.4327.805)
Skins (Version: 2009.0914.2131.36822)
Skype Toolbars (Version: 1.0.4051)
Skype™ 4.2 (Version: 4.2.187)
SpywareBlaster 4.4 (Version: 4.4.0)
Star Wars Battlefront II (Version: 1.0)
Star Wars®: Knights of the Old Republic ™
System Requirements Lab (Version: 4.1.72.0)
Ultimate Spider-Man ™ (Version: 1.00.0000)
USB2.0 PC Camera (SN9C201&202) (Version: 5.4.0.0)
VC80CRTRedist - 8.0.50727.4053 (Version: 1.1.0)
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Imaging Component (Version: 3.0.0.0)
Windows Installer 3.1 (KB893803) (Version: 3.1)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Live Call (Version: 14.0.8117.0416)
Windows Live Communications Platform (Version: 14.0.8117.416)
Windows Live Essentials (Version: 14.0.8117.0416)
Windows Live Essentials (Version: 14.0.8117.416)
Windows Live Mail (Version: 14.0.8117.0416)
Windows Live Messenger (Version: 14.0.8117.0416)
Windows Live Sign-in Assistant (Version: 5.000.818.5)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation (Version: 3.0.6920.0)
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
YouTube Downloader 3.5

========================= Memory info: ===================================

Percentage of memory in use: 91%
Total physical RAM: 2047.11 MB
Available physical RAM: 182.31 MB
Total Pagefile: 5985.25 MB
Available Pagefile: 3870.21 MB
Total Virtual: 2047.88 MB
Available Virtual: 1966.73 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:73.34 GB) (Free:11.81 GB) NTFS
2 Drive d: (Local Disk) (Fixed) (Total:75.71 GB) (Free:42.4 GB) NTFS

========================= Users: ========================================

User accounts for \\MARVEL

Administrator Alex P ASPNET
Guest HelpAssistant Joe
Rose SUPPORT_388945a0 VUSR_MARVEL


**** End of log ****



Malwarebytes' Anti-Malware

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.30.02

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Alex P :: MARVEL [administrator]

31/01/2012 12:05:05 AM
mbam-log-2012-01-31 (00-05-05).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 240218
Time elapsed: 10 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|1E1CB3CAFC3EFBDB (Trojan.SpyEyes) -> Data: C:\sysapp\sysapp.exe /q -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



aswMBR

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-01-31 00:27:07
-----------------------------
00:27:07.421 OS Version: Windows 5.1.2600 Service Pack 2
00:27:07.421 Number of processors: 4 586 0xF0B
00:27:07.421 ComputerName: MARVEL UserName: Alex P
00:27:09.000 Initialize success
00:40:13.687 AVAST engine defs: 12013000
00:41:15.984 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
00:41:15.984 Disk 0 Vendor: ST3160815AS 3.AAD Size: 152627MB BusType: 3
00:41:15.984 Device \Driver\atapi -> MajorFunction 8a4361f8
00:41:16.000 Disk 0 MBR read successfully
00:41:16.000 Disk 0 MBR scan
00:41:16.046 Disk 0 Win32:MBRoot-J [Trj]
00:41:16.046 Disk 0 Windows XP default MBR code found via API
00:41:16.046 Disk 0 MBR hidden
00:41:16.046 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 75100 MB offset 63
00:41:16.078 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 77524 MB offset 153806310
00:41:16.078 Disk 0 MBR [Win32:MBRoot] **ROOTKIT**
00:41:16.078 Disk 0 trace - called modules:
00:41:16.078 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a0b9e70]<<
00:41:16.093 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a35aab8]
00:41:16.093 3 CLASSPNP.SYS[f74c805b] -> nt!IofCallDriver -> \Device\00000070[0x8a390318]
00:41:16.093 5 ACPI.sys[f7253620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-5[0x8a423940]
00:41:16.093 \Driver\atapi[0x8a397878] -> IRP_MJ_CREATE -> 0x8a4361f8
00:41:18.234 AVAST engine scan C:\WINDOWS
00:41:32.125 AVAST engine scan C:\WINDOWS\system32
00:45:30.875 AVAST engine scan C:\WINDOWS\system32\drivers
00:45:45.593 AVAST engine scan C:\Documents and Settings\Alex P
00:50:42.718 AVAST engine scan C:\Documents and Settings\All Users
00:53:07.109 Scan finished successfully
00:55:52.000 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Alex P\Desktop\MBR.dat"
00:55:52.015 The log file has been saved successfully to "C:\Documents and Settings\Alex P\Desktop\aswMBR.txt"



DDS (dds.txt)

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Alex P at 13:28:51 on 2012-01-31
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.2047.1269 [GMT 11:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [NCsoft]
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.72.0.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxp://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.127.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 203.12.160.35 203.12.160.36
TCP: Interfaces\{138BF1E6-A17C-428F-A873-E899A839B98D} : DhcpNameServer = 203.12.160.35 203.12.160.36
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-7-7 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-7-7 29712]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-7-7 243152]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-7 308136]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2009-4-6 39424]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]
R3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
S3 fk88o.sys;fk88o.sys;\??\c:\windows\system32\drivers\fk88o.sys --> c:\windows\system32\drivers\fk88o.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\r:\ntglm7x.sys --> r:\NTGLM7X.sys [?]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-12-10 04:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-20 13:45:37 139080 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-11-20 13:45:27 270240 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-11-20 13:45:27 270240 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-11-20 13:36:40 138056 ----a-w- c:\documents and settings\alex p\application data\PnkBstrK.sys
2011-11-20 13:36:27 189248 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-11-20 13:36:17 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
.
============= FINISH: 13:29:29.21 ===============



DDS (attach.txt)

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/02/2010 11:08:31 PM
System Uptime: 31/01/2012 1:23:46 PM (0 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P5KPL-E
Processor: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2399/267mhz
Processor: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2400/267mhz
Processor: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2400/267mhz
Processor: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2400/267mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 73 GiB total, 11.773 GiB free.
D: is FIXED (NTFS) - 76 GiB total, 42.399 GiB free.
R: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
2007 Microsoft Office system
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.4
Amnesia - The Dark Descent
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros Communications Inc.® L1 Gigabit Ethernet Driver
ATI AVIVO Codecs
ATI Catalyst Install Manager
AVG Free 9.0
Battlefield Heroes
BioShock 2
Bonjour
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Italian
CCC Help Japanese
CCC Help Norwegian
CCC Help Spanish
CCC Help Swedish
City of Heroes
Crysis WARHEAD®
Crysis Wars®
Crysis®
DivX Setup
ESET Online Scanner v3
Final Fantasy VII - Ultima Edition
Freelancer
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
iTunes
Java Auto Updater
Java™ 6 Update 21
Jungle Games
Junk Mail filter update
Malwarebytes Anti-Malware version 1.60.0.1800
Mass Effect
Megaupload Downloader
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Age of Empires Gold
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Game Studios Common Redistributables Pack 1
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Edition 2003
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio 2007 Service Pack 2 (SP2)
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Professional 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft VM for Java
Microsoft Web Publishing Wizard 1.53
Microsoft XML Parser
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFCLOC_x86
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB973686)
NCsoft Launcher
Nero OEM
Nero Suite
neroxml
NETGEAR WG111v3 wireless USB 2.0 adapter
NVIDIA PhysX
Project64 1.6
PunkBuster Services
QuickTime
Realtek High Definition Audio Driver
SDFormatter
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio 2007 (KB2553010)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Segoe UI
Skins
Skype Toolbars
Skype™ 4.2
SpywareBlaster 4.4
Star Wars Battlefront II
Star Wars®: Knights of the Old Republic ™
System Requirements Lab
Ultimate Spider-Man ™
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB904942)
Update for Windows XP (KB911164)
Update for Windows XP (KB925720)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB2.0 PC Camera (SN9C201&202)
VC80CRTRedist - 8.0.50727.4053
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
YouTube Downloader 3.5
.
==== Event Viewer Messages From Past Week ========
.
29/01/2012 10:23:07 PM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.
.
==== End Of File ===========================



GMER (ark.txt)

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-31 15:53:55
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 ST3160815AS rev.3.AAD
Running: gmer.exe; Driver: C:\DOCUME~1\ALEXP~1\LOCALS~1\Temp\uwtdypod.sys


---- Kernel code sections - GMER 1.0.15 ----

? RGRCZ@J@ The filename, directory name, or volume label syntax is incorrect. !
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF65D9000, 0x29C9F0, 0xE8000020]
? system32\drivers\xpsec.sys The system cannot find the path specified. !
? system32\drivers\xcpip.sys The system cannot find the path specified. !
? C:\DOCUME~1\ALEXP~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[180] WS2_32.dll!send 71AB428A 5 Bytes JMP 00D598A2
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[180] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00D59C28
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[180] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00D599F4
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[180] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00D59AC7
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[180] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00D59D76
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[220] WS2_32.dll!send 71AB428A 5 Bytes JMP 023F98A2
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[220] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 023F9C28
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[220] WS2_32.dll!recv 71AB615A 5 Bytes JMP 023F99F4
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[220] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 023F9AC7
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[220] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 023F9D76
.text C:\Program Files\iPod\bin\iPodService.exe[704] WS2_32.dll!send 71AB428A 5 Bytes JMP 00BD98A2
.text C:\Program Files\iPod\bin\iPodService.exe[704] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00BD9C28
.text C:\Program Files\iPod\bin\iPodService.exe[704] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00BD99F4
.text C:\Program Files\iPod\bin\iPodService.exe[704] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00BD9AC7
.text C:\Program Files\iPod\bin\iPodService.exe[704] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00BD9D76
.text C:\WINDOWS\system32\winlogon.exe[932] Secur32.dll!LsaLogonUser 77FE33F1 5 Bytes JMP 014D2C81
.text C:\Program Files\Internet Explorer\iexplore.exe[1428] ADVAPI32.dll!CryptHashData 77DE9C42 7 Bytes JMP 01C2A911
.text C:\Program Files\Internet Explorer\iexplore.exe[1428] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1428] USER32.dll!DialogBoxParamW 77D56702 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1428] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1428] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1428] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1428] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1428] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1428] USER32.dll!DialogBoxIndirectParamA 77D86CED 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1428] USER32.dll!MessageBoxIndirectW 77D960B7 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1428] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 01C2A36D
.text C:\Program Files\Internet Explorer\iexplore.exe[1428] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 01C2A43E
.text C:\Program Files\Internet Explorer\iexplore.exe[1428] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 01C29F0E
.text C:\Program Files\Internet Explorer\iexplore.exe[1428] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 01C29E28
.text C:\Program Files\Internet Explorer\iexplore.exe[1428] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01C2A132
.text C:\Program Files\Internet Explorer\iexplore.exe[1428] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 01C29FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[1428] ws2_32.dll!send 71AB428A 5 Bytes JMP 01C298A2
.text C:\Program Files\Internet Explorer\iexplore.exe[1428] ws2_32.dll!WSARecv 71AB4318 5 Bytes JMP 01C29C28
.text C:\Program Files\Internet Explorer\iexplore.exe[1428] ws2_32.dll!recv 71AB615A 5 Bytes JMP 01C299F4
.text C:\Program Files\Internet Explorer\iexplore.exe[1428] ws2_32.dll!WSASend 71AB6233 5 Bytes JMP 01C29AC7
.text C:\Program Files\Internet Explorer\iexplore.exe[1428] ws2_32.dll!closesocket 71AB9639 5 Bytes JMP 01C29D76
.text C:\WINDOWS\System32\alg.exe[2712] WS2_32.dll!send 71AB428A 5 Bytes JMP 008B98A2
.text C:\WINDOWS\System32\alg.exe[2712] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 008B9C28
.text C:\WINDOWS\System32\alg.exe[2712] WS2_32.dll!recv 71AB615A 5 Bytes JMP 008B99F4
.text C:\WINDOWS\System32\alg.exe[2712] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 008B9AC7
.text C:\WINDOWS\System32\alg.exe[2712] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 008B9D76
.text C:\WINDOWS\Explorer.EXE[3144] USER32.dll!DisplayExitWindowsWarnings 77D89B89 5 Bytes JMP 01942A93
.text C:\WINDOWS\Explorer.EXE[3144] WS2_32.dll!send 71AB428A 5 Bytes JMP 018698A2
.text C:\WINDOWS\Explorer.EXE[3144] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 01869C28
.text C:\WINDOWS\Explorer.EXE[3144] WS2_32.dll!recv 71AB615A 5 Bytes JMP 018699F4
.text C:\WINDOWS\Explorer.EXE[3144] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 01869AC7
.text C:\WINDOWS\Explorer.EXE[3144] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 01869D76
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3676] WS2_32.dll!send 71AB428A 5 Bytes JMP 00FE98A2
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3676] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00FE9C28
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3676] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00FE99F4
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3676] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00FE9AC7
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3676] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00FE9D76
.text C:\Program Files\iTunes\iTunesHelper.exe[3716] WS2_32.dll!send 71AB428A 5 Bytes JMP 01D498A2
.text C:\Program Files\iTunes\iTunesHelper.exe[3716] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 01D49C28
.text C:\Program Files\iTunes\iTunesHelper.exe[3716] WS2_32.dll!recv 71AB615A 5 Bytes JMP 01D499F4
.text C:\Program Files\iTunes\iTunesHelper.exe[3716] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 01D49AC7
.text C:\Program Files\iTunes\iTunesHelper.exe[3716] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 01D49D76
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3752] WS2_32.dll!send 71AB428A 5 Bytes JMP 013998A2
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3752] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 01399C28
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3752] WS2_32.dll!recv 71AB615A 5 Bytes JMP 013999F4
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3752] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 01399AC7
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3752] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 01399D76
.text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3884] WS2_32.dll!send 71AB428A 5 Bytes JMP 029F98A2
.text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3884] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 029F9C28
.text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3884] WS2_32.dll!recv 71AB615A 5 Bytes JMP 029F99F4
.text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3884] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 029F9AC7
.text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3884] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 029F9D76
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] ADVAPI32.dll!CryptHashData 77DE9C42 7 Bytes JMP 03C8A911
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!CallNextHookEx 77D4ED6E 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!DialogBoxParamW 77D56702 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!DialogBoxIndirectParamA 77D86CED 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!MessageBoxIndirectW 77D960B7 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] ole32.dll!OleLoadFromStream 77518C62 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 03C8A36D
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 03C8A43E
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 03C89F0E
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 03C89E28
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 03C8A132
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 03C89FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] ws2_32.dll!send 71AB428A 5 Bytes JMP 03C898A2
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] ws2_32.dll!WSARecv 71AB4318 5 Bytes JMP 03C89C28
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] ws2_32.dll!recv 71AB615A 5 Bytes JMP 03C899F4
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] ws2_32.dll!WSASend 71AB6233 5 Bytes JMP 03C89AC7
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] ws2_32.dll!closesocket 71AB9639 5 Bytes JMP 03C89D76
.text C:\WINDOWS\system32\wuauclt.exe[4976] WS2_32.dll!send 71AB428A 5 Bytes JMP 00BF98A2
.text C:\WINDOWS\system32\wuauclt.exe[4976] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00BF9C28
.text C:\WINDOWS\system32\wuauclt.exe[4976] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00BF99F4
.text C:\WINDOWS\system32\wuauclt.exe[4976] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00BF9AC7
.text C:\WINDOWS\system32\wuauclt.exe[4976] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00BF9D76
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] ADVAPI32.dll!CryptHashData 77DE9C42 7 Bytes JMP 028AA911
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] USER32.dll!CallNextHookEx 77D4ED6E 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] USER32.dll!DialogBoxParamW 77D56702 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] USER32.dll!DialogBoxIndirectParamA 77D86CED 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] USER32.dll!MessageBoxIndirectW 77D960B7 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] ole32.dll!OleLoadFromStream 77518C62 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 028AA36D
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 028AA43E
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 028A9F0E
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 028A9E28
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 028AA132
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 028A9FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] ws2_32.dll!send 71AB428A 5 Bytes JMP 028A98A2
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] ws2_32.dll!WSARecv 71AB4318 5 Bytes JMP 028A9C28
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] ws2_32.dll!recv 71AB615A 5 Bytes JMP 028A99F4
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] ws2_32.dll!WSASend 71AB6233 5 Bytes JMP 028A9AC7
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] ws2_32.dll!closesocket 71AB9639 5 Bytes JMP 028A9D76

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device owAZEVAoRGRCZ \Device\Ide\IdePort0 RGRCZ@J@
Device owAZEVAoRGRCZ \Device\Ide\IdeDeviceP2T0L0-5 RGRCZ@J@
Device owAZEVAoRGRCZ \Device\Ide\IdePort1 RGRCZ@J@
Device owAZEVAoRGRCZ \Device\Ide\IdePort2 RGRCZ@J@
Device owAZEVAoRGRCZ \Device\Ide\IdePort3 RGRCZ@J@
Device owAZEVAoRGRCZ \Device\Ide\IdeDeviceP3T0L0-10 RGRCZ@J@

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5F 0x26 0xA7 0x55 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x8D 0xDA 0x01 0xA1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA0 0x5B 0x76 0xCA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5F 0x26 0xA7 0x55 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x8D 0xDA 0x01 0xA1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA0 0x5B 0x76 0xCA ...

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Alex P\Cookies\alex_p@bleepingcomputer[1].txt 0 bytes

---- EOF - GMER 1.0.15 ----
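Two things in the GMER user-mode hook section above are worth separating mechanically when triaging a log like this: hooks whose JMP target GMER could attribute to a named module (here IEFRAME.dll, the Internet Explorer frame library) and hooks whose target has no module at all, which means the jump lands in memory not backed by a file on disk. A second signal is that the anonymous hooks on ws2_32.dll in iexplore.exe and wuauclt.exe share the same low 16 bits of their target addresses, which is what you see when one code blob is mapped into several processes at different base addresses. The script below is an added example, not part of this thread or of GMER; its sample input is seven lines copied from the log above.

```python
import re
from collections import defaultdict

# Matches GMER's user-mode ".text" inline-hook lines, e.g.
#   .text <process>[<pid>] <module>!<export> <addr> 5 Bytes JMP <target> [<owning module> (<vendor>)]
# The trailing "<owning module> (<vendor>)" part is only present when GMER could map
# the JMP target to a module loaded from disk.
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] "
    r"(?P<mod>[^!\s]+)!(?P<func>\S+) (?P<addr>[0-9A-Fa-f]+) "
    r"(?P<n>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)"
    r"(?: (?P<owner>.+?) \((?P<vendor>[^()]+)\))?$"
)

# Constructed sample: seven lines copied verbatim from the GMER log in this thread.
SAMPLE = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 03C8A36D
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] ws2_32.dll!send 71AB428A 5 Bytes JMP 03C898A2
.text C:\WINDOWS\system32\wuauclt.exe[4976] WS2_32.dll!send 71AB428A 5 Bytes JMP 00BF98A2
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] ADVAPI32.dll!CryptHashData 77DE9C42 7 Bytes JMP 028AA911
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] USER32.dll!CallNextHookEx 77D4ED6E 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] ws2_32.dll!send 71AB428A 5 Bytes JMP 028A98A2
""".strip().splitlines()


def parse_hooks(lines):
    """Parse GMER hook lines into dicts; lines that do not match are skipped."""
    hooks = []
    for line in lines:
        m = HOOK_RE.match(line.strip())
        if m is None:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["target"] = int(h["target"], 16)
        h["image"] = h["proc"].rsplit("\\", 1)[-1]
        # No owning module: the JMP lands in memory GMER could not map to a file.
        h["anonymous"] = h["owner"] is None
        hooks.append(h)
    return hooks


def triage(hooks):
    """Per process: hooks backed by a named module vs. anonymous hooks, plus the
    64 KiB regions (target >> 16) that the anonymous targets fall into."""
    report = {}
    for h in hooks:
        entry = report.setdefault(
            (h["pid"], h["image"]),
            {"module_backed": [], "anonymous": [], "regions": set()},
        )
        api = f'{h["mod"]}!{h["func"]}'
        if h["anonymous"]:
            entry["anonymous"].append(api)
            entry["regions"].add(h["target"] >> 16)
        else:
            entry["module_backed"].append(api)
    return report


def shared_low_offsets(hooks):
    """APIs hooked anonymously in more than one process whose JMP targets share the
    same low 16 bits: a strong hint that one code blob is mapped into each process
    at a different base address."""
    by_api = defaultdict(dict)
    for h in hooks:
        if h["anonymous"]:
            by_api[(h["mod"].lower(), h["func"])][h["pid"]] = h["target"] & 0xFFFF
    return {
        api: sorted(per_pid)
        for api, per_pid in by_api.items()
        if len(per_pid) > 1 and len(set(per_pid.values())) == 1
    }


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE)
    for (pid, image), entry in sorted(triage(hooks).items()):
        regions = ", ".join(f"{r:04X}xxxx" for r in sorted(entry["regions"]))
        print(f"{image}[{pid}]: {len(entry['module_backed'])} module-backed, "
              f"{len(entry['anonymous'])} anonymous (regions: {regions or '-'})")
        for api in entry["anonymous"]:
            print(f"    anonymous hook: {api}")
    for (mod, func), pids in shared_low_offsets(hooks).items():
        print(f"{mod}!{func} hooked identically in PIDs {pids}")
```

Run against the full log rather than the sample, the same code groups every anonymous hook of a process into a single region (03C8xxxx for PID 4280, 028Axxxx for PID 5604, 00BFxxxx for wuauclt.exe), which is the kind of grouping a responder would want before deciding which process memory to dump.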

#2 gringo_pr

Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 31 January 2012 - 02:28 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button and select Immediate Notification, then click on Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Computer Rock

  • Topic Starter
  • Members
  • 49 posts

Posted 31 January 2012 - 06:47 AM

Here is the log from combofix.

ComboFix 12-01-30.02 - Alex P 31/01/2012 22:22:09.3.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.2047.1274 [GMT 11:00]
Running from: c:\documents and settings\Alex P\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Alex P\Local Settings\Application Data\assembly\tmp
c:\documents and settings\Alex P\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfapx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfarx.dll
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgntdumpx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgrunasx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\compat.ini
c:\documents and settings\All Users\Application Data\TEMP\AVG\htmlayout.dll
c:\documents and settings\All Users\Application Data\TEMP\AVG\incavi.avm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_cz.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_da.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_es.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_fr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ge.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_hu.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_id.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_in.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_it.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_jp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ko.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ms.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_nl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pb.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ru.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sc.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sk.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_tr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_us.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zh.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaconf.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfacz.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfada.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaes.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfafr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfage.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfahu.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaid.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfain.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfait.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfajp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfako.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfams.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfanl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapb.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaru.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasc.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfask.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfatr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaus.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfavera.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaverx.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazh.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.ini
C:\sysapp
c:\windows\system\VI30AUT.DLL
c:\windows\WindowsXP-KB822603-x86.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_xcpip
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-31 )))))))))))))))))))))))))))))))
.
.
2012-01-31 05:19 . 2012-01-31 05:27 -------- d-----w- C:\KH2FM
2012-01-31 04:55 . 2012-01-31 05:34 -------- d-----w- c:\documents and settings\Alex P\Application Data\ImgBurn
2012-01-31 04:45 . 2012-01-31 04:45 -------- d-----w- c:\program files\ImgBurn
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 04:24 . 2010-08-27 09:18 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-20 13:45 . 2011-06-17 13:29 139080 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-11-20 13:45 . 2011-06-17 13:29 270240 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-11-20 13:45 . 2010-12-08 09:29 270240 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-11-20 13:36 . 2011-06-17 13:29 138056 ----a-w- c:\documents and settings\Alex P\Application Data\PnkBstrK.sys
2011-11-20 13:36 . 2010-12-08 09:09 189248 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-11-20 13:36 . 2011-06-17 13:29 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2012-01-27 2077536]
"snp2std"="c:\windows\vsnp2std.exe" [2005-08-16 339968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-18 421736]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-7-1 2326528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-07 03:47 12536 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"odserv"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Lionhead Studios Ltd\\Black & White\\eymblpa\\runblack.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"d:\\SW.Galactic.battleground\\SWGB\\Game\\Battlegrounds.exe"=
"d:\\Star.Wars.G.B.CC\\Star Wars - Galactic battlegrounds - clone campaigns\\Game\\battlegrounds_x1.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\COMMON\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\Crysis\\Bin32\\Crysis.exe"=
"d:\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/07/2010 2:47 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/07/2010 2:47 PM 243152]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/07/2010 2:46 PM 308136]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [9/10/2007 1:13 PM 38144]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [6/04/2009 6:40 AM 39424]
R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
S3 fk88o.sys;fk88o.sys;\??\c:\windows\system32\drivers\fk88o.sys --> c:\windows\system32\drivers\fk88o.sys [?]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [28/12/2007 3:02 PM 287232]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\r:\ntglm7x.sys --> r:\NTGLM7X.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/03/2010 4:40 PM 691696]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - xcpip
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-31 c:\windows\Tasks\User_Feed_Synchronization-{AB342D3E-E83D-463B-B9F4-65E23BBDDB16}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:31]
.
2012-01-31 c:\windows\Tasks\User_Feed_Synchronization-{F40EB745-0FEB-47DB-9A4F-846E4DA04511}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 203.12.160.35 203.12.160.36
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
BHO-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
Toolbar-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
Toolbar-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
HKCU-Run-NCsoft - (no file)
AddRemove-Megaupload Downloader - c:\program files\Megaupload Downloader\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-31 22:38
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(3816)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-01-31 22:41:23 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-31 11:41
.
Pre-Run: 8,071,348,224 bytes free
Post-Run: 8,149,336,064 bytes free
.
- - End Of File - - F0D707F5264D240BDB31DA080B17F154


I experienced no problems while running the program.
My internet browser however is very slow and now freezes a lot. I also get runtime errors.
I might also mention that my computer has frozen a few times when it gets to the login screen. This happened once when combofix rebooted the computer. I forced a reboot and when it got to the login screen it froze again. Then I rebooted again and I got through.


And also thanks a lot for your help. It is greatly appreciated.


EDIT: After I rebooted from combofix my internet seems to run a lot smoother however I don't think the problem is completely solved yet.

Edited by Computer Rock, 31 January 2012 - 06:54 AM.
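The ComboFix log posted above contains several items a responder would want surfaced automatically rather than read by eye: the standard-profile firewall is off ("EnableFirewall"= 0), three TCP ports are globally opened (3389 for Remote Desktop plus 65533 and 52344 labelled only "Services"), two driver entries point at files ComboFix marks as absent with "[?]", and two service names (xpsec, and the deregistered xcpip) differ from the genuine ipsec and tcpip driver names by a single character. The script below is an added example, not part of this thread or of ComboFix; its sample input is copied from the log above, and the KNOWN_NAMES allowlist is an assumed, deliberately short stand-in for a real inventory of legitimate driver names.

```python
import re

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
ENABLE_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)', re.IGNORECASE)
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<name>.*)$')
# ComboFix service lines: "<start type> <name>;<display name>;<path> [<date size>]" where
# an unresolvable path is printed as "<path> --> <path> [?]".
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?: --> (?P<resolved>.+?))? \[(?P<info>[^\]]*)\]$"
)
DEREG_RE = re.compile(r"^\*Deregistered\* - (?P<name>\S+)$")

# Assumed, partial allowlist of genuine Windows XP driver/service names used for the
# look-alike check. A real deployment would use a full inventory; with a short list
# like this, very short names can collide by accident.
KNOWN_NAMES = {"tcpip", "ipsec", "afd", "disk", "atapi"}

# Constructed sample: lines copied verbatim from the ComboFix log in this thread.
SAMPLE = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
.
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/07/2010 2:47 PM 243152]
R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
S3 fk88o.sys;fk88o.sys;\??\c:\windows\system32\drivers\fk88o.sys --> c:\windows\system32\drivers\fk88o.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/03/2010 4:40 PM 691696]
.
*Deregistered* - xcpip
""".strip().splitlines()


def parse_firewall(lines):
    """Read EnableFirewall and the GloballyOpenPorts list of the standard profile."""
    state = {"enabled": None, "open_ports": []}
    section = ""
    for raw in lines:
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        if section.endswith(r"firewallpolicy\standardprofile"):
            m = ENABLE_RE.match(line)
            if m:
                state["enabled"] = m.group("val") != "0"
        elif section.endswith(r"globallyopenports\list"):
            m = PORT_RE.match(line)
            if m:
                state["open_ports"].append(
                    (int(m.group("port")), m.group("proto"), m.group("name").strip()))
    return state


def parse_services(lines):
    """Parse the R/S driver and service lines; 'missing' is True for a "[?]" entry."""
    services = []
    for raw in lines:
        m = SERVICE_RE.match(raw.strip())
        if m:
            s = m.groupdict()
            s["missing"] = s["info"].strip() == "?"
            services.append(s)
    return services


def edit_distance(a, b):
    """Plain Levenshtein distance, enough for one-character look-alike checks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name, known=KNOWN_NAMES):
    """Return the genuine name that `name` is exactly one edit away from, if any."""
    n = name.lower()
    for k in sorted(known):
        if n != k and edit_distance(n, k) == 1:
            return k
    return None


def findings(lines):
    """Collect (category, detail) pairs a responder should look at first."""
    out = []
    fw = parse_firewall(lines)
    if fw["enabled"] is False:
        out.append(("firewall", "Windows Firewall disabled (EnableFirewall=0)"))
    for port, proto, name in fw["open_ports"]:
        note = " (dynamic/ephemeral range)" if port >= 49152 else ""
        out.append(("open_port", f"{port}/{proto} '{name}'{note}"))
    for svc in parse_services(lines):
        if svc["missing"]:
            out.append(("missing_file", f"{svc['name']}: {svc['path']}"))
        twin = lookalike(svc["name"])
        if twin:
            out.append(("lookalike", f"{svc['name']} is one edit from '{twin}'"))
    for raw in lines:
        m = DEREG_RE.match(raw.strip())
        twin = lookalike(m.group("name")) if m else None
        if twin:
            out.append(("lookalike", f"{m.group('name')} (deregistered) is one edit from '{twin}'"))
    return out


if __name__ == "__main__":
    for category, detail in findings(SAMPLE):
        print(f"{category:13s} {detail}")
```

The look-alike check is the part to treat with care: with a one-edit threshold and a short allowlist it will occasionally flag legitimate short names, so its output is a prompt to verify the driver's signature and path, not a verdict.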


#4 gringo_pr

Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 31 January 2012 - 08:33 AM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#5 Computer Rock

  • Topic Starter
  • Members
  • 49 posts

Posted 31 January 2012 - 10:04 AM

01:54:17.0234 5028 TDSS rootkit removing tool 2.7.8.0 Jan 30 2012 16:39:36
01:54:18.0296 5028 ============================================================
01:54:18.0296 5028 Current date / time: 2012/02/01 01:54:18.0296
01:54:18.0296 5028 SystemInfo:
01:54:18.0296 5028
01:54:18.0296 5028 OS Version: 5.1.2600 ServicePack: 2.0
01:54:18.0296 5028 Product type: Workstation
01:54:18.0296 5028 ComputerName: MARVEL
01:54:18.0296 5028 UserName: Alex P
01:54:18.0296 5028 Windows directory: C:\WINDOWS
01:54:18.0296 5028 System windows directory: C:\WINDOWS
01:54:18.0296 5028 Processor architecture: Intel x86
01:54:18.0296 5028 Number of processors: 4
01:54:18.0296 5028 Page size: 0x1000
01:54:18.0296 5028 Boot type: Normal boot
01:54:18.0296 5028 ============================================================
01:54:20.0218 5028 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
01:54:20.0218 5028 \Device\Harddisk0\DR0:
01:54:20.0218 5028 MBR used
01:54:20.0218 5028 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x92AE5A7
01:54:20.0218 5028 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x92AE5E6, BlocksNum 0x976A4DB
01:54:20.0281 5028 Initialize success
01:54:20.0281 5028 ============================================================
01:54:24.0890 5176 ============================================================
01:54:24.0890 5176 Scan started
01:54:24.0890 5176 Mode: Manual;
01:54:24.0890 5176 ============================================================
01:54:25.0046 5176 Abiosdsk - ok
01:54:25.0062 5176 abp480n5 - ok
01:54:25.0109 5176 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
01:54:25.0125 5176 ACPI - ok
01:54:25.0171 5176 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
01:54:25.0171 5176 ACPIEC - ok
01:54:25.0187 5176 adpu160m - ok
01:54:25.0218 5176 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
01:54:25.0234 5176 aec - ok
01:54:25.0265 5176 AegisP (30bb1bde595ca65fd5549462080d94e5) C:\WINDOWS\system32\DRIVERS\AegisP.sys
01:54:25.0265 5176 AegisP - ok
01:54:25.0296 5176 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
01:54:25.0312 5176 AFD - ok
01:54:25.0328 5176 Aha154x - ok
01:54:25.0343 5176 aic78u2 - ok
01:54:25.0359 5176 aic78xx - ok
01:54:25.0375 5176 AliIde - ok
01:54:25.0375 5176 amsint - ok
01:54:25.0390 5176 asc - ok
01:54:25.0390 5176 asc3350p - ok
01:54:25.0390 5176 asc3550 - ok
01:54:25.0437 5176 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
01:54:25.0437 5176 AsyncMac - ok
01:54:25.0468 5176 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
01:54:25.0484 5176 atapi - ok
01:54:25.0500 5176 AtcL001 (cf63c4060f86350feb84555aef80ef6d) C:\WINDOWS\system32\DRIVERS\l151x86.sys
01:54:25.0515 5176 AtcL001 - ok
01:54:25.0515 5176 Atdisk - ok
01:54:25.0687 5176 ati2mtag (c2b6f2161abd498d2b453050ffc81812) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
01:54:25.0859 5176 ati2mtag - ok
01:54:25.0906 5176 AtiHdmiService (dc6957811ff95f2dd3004361b20d8d3f) C:\WINDOWS\system32\drivers\AtiHdmi.sys
01:54:25.0921 5176 AtiHdmiService - ok
01:54:25.0953 5176 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
01:54:25.0968 5176 Atmarpc - ok
01:54:25.0984 5176 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
01:54:25.0984 5176 audstub - ok
01:54:26.0093 5176 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\system32\Drivers\avgldx86.sys
01:54:26.0093 5176 AvgLdx86 - ok
01:54:26.0140 5176 AvgMfx86 (80ff2b1b7eeda966394f0baa895bbf4b) C:\WINDOWS\system32\Drivers\avgmfx86.sys
01:54:26.0140 5176 AvgMfx86 - ok
01:54:26.0171 5176 AvgTdiX (9a7a93388f503a34e7339ae7f9997449) C:\WINDOWS\system32\Drivers\avgtdix.sys
01:54:26.0171 5176 AvgTdiX - ok
01:54:26.0218 5176 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
01:54:26.0218 5176 Beep - ok
01:54:26.0218 5176 catchme - ok
01:54:26.0265 5176 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
01:54:26.0265 5176 cbidf2k - ok
01:54:26.0296 5176 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
01:54:26.0296 5176 CCDECODE - ok
01:54:26.0312 5176 cd20xrnt - ok
01:54:26.0312 5176 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
01:54:26.0328 5176 Cdaudio - ok
01:54:26.0359 5176 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
01:54:26.0359 5176 Cdfs - ok
01:54:26.0390 5176 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
01:54:26.0390 5176 Cdrom - ok
01:54:26.0406 5176 Changer - ok
01:54:26.0421 5176 CmdIde - ok
01:54:26.0437 5176 Cpqarray - ok
01:54:26.0453 5176 dac2w2k - ok
01:54:26.0453 5176 dac960nt - ok
01:54:26.0531 5176 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
01:54:26.0531 5176 Disk - ok
01:54:26.0578 5176 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
01:54:26.0625 5176 dmboot - ok
01:54:26.0671 5176 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
01:54:26.0687 5176 dmio - ok
01:54:26.0718 5176 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
01:54:26.0718 5176 dmload - ok
01:54:26.0781 5176 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
01:54:26.0781 5176 DMusic - ok
01:54:26.0812 5176 dpti2o - ok
01:54:26.0843 5176 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
01:54:26.0921 5176 drmkaud - ok
01:54:26.0984 5176 EAPPkt (c47e7c5e7410c7de98f7219e3008c23d) C:\WINDOWS\system32\DRIVERS\EAPPkt.sys
01:54:27.0000 5176 EAPPkt - ok
01:54:27.0031 5176 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
01:54:27.0031 5176 Fastfat - ok
01:54:27.0062 5176 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
01:54:27.0062 5176 Fdc - ok
01:54:27.0093 5176 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
01:54:27.0093 5176 Fips - ok
01:54:27.0109 5176 fk88o.sys - ok
01:54:27.0109 5176 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
01:54:27.0125 5176 Flpydisk - ok
01:54:27.0156 5176 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
01:54:27.0234 5176 FltMgr - ok
01:54:27.0281 5176 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
01:54:27.0296 5176 Fs_Rec - ok
01:54:27.0312 5176 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
01:54:27.0328 5176 Ftdisk - ok
01:54:27.0375 5176 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
01:54:27.0375 5176 GEARAspiWDM - ok
01:54:27.0375 5176 GMSIPCI - ok
01:54:27.0406 5176 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
01:54:27.0421 5176 Gpc - ok
01:54:27.0453 5176 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
01:54:27.0453 5176 HDAudBus - ok
01:54:27.0468 5176 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
01:54:27.0484 5176 hidusb - ok
01:54:27.0500 5176 hpn - ok
01:54:27.0531 5176 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
01:54:27.0546 5176 HTTP - ok
01:54:27.0546 5176 i2omgmt - ok
01:54:27.0562 5176 i2omp - ok
01:54:27.0593 5176 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\drivers\i8042prt.sys
01:54:27.0609 5176 i8042prt - ok
01:54:27.0656 5176 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
01:54:27.0656 5176 Imapi - ok
01:54:27.0703 5176 ini910u - ok
01:54:27.0812 5176 IntcAzAudAddService (e37589414437a60797e94c0f57c546db) C:\WINDOWS\system32\drivers\RtkHDAud.sys
01:54:27.0953 5176 IntcAzAudAddService - ok
01:54:28.0015 5176 IntelIde - ok
01:54:28.0046 5176 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
01:54:28.0062 5176 intelppm - ok
01:54:28.0078 5176 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
01:54:28.0078 5176 Ip6Fw - ok
01:54:28.0125 5176 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
01:54:28.0125 5176 IpFilterDriver - ok
01:54:28.0156 5176 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
01:54:28.0171 5176 IpInIp - ok
01:54:28.0203 5176 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
01:54:28.0218 5176 IpNat - ok
01:54:28.0234 5176 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
01:54:28.0250 5176 IPSec - ok
01:54:28.0281 5176 irda (86c204836feec22510d434982d4221b8) C:\WINDOWS\system32\DRIVERS\irda.sys
01:54:28.0281 5176 irda - ok
01:54:28.0312 5176 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
01:54:28.0328 5176 IRENUM - ok
01:54:28.0359 5176 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys
01:54:28.0359 5176 irsir - ok
01:54:28.0390 5176 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
01:54:28.0406 5176 isapnp - ok
01:54:28.0437 5176 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
01:54:28.0437 5176 Kbdclass - ok
01:54:28.0453 5176 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
01:54:28.0453 5176 kbdhid - ok
01:54:28.0500 5176 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
01:54:28.0515 5176 kmixer - ok
01:54:28.0546 5176 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
01:54:28.0578 5176 KSecDD - ok
01:54:28.0578 5176 lbrtfdc - ok
01:54:28.0625 5176 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
01:54:28.0625 5176 mnmdd - ok
01:54:28.0671 5176 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
01:54:28.0671 5176 Modem - ok
01:54:28.0718 5176 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
01:54:28.0718 5176 Mouclass - ok
01:54:28.0765 5176 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
01:54:28.0765 5176 mouhid - ok
01:54:28.0781 5176 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
01:54:28.0781 5176 MountMgr - ok
01:54:28.0796 5176 mraid35x - ok
01:54:28.0828 5176 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
01:54:28.0843 5176 MRxDAV - ok
01:54:28.0859 5176 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
01:54:28.0890 5176 MRxSmb - ok
01:54:28.0906 5176 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
01:54:28.0906 5176 Msfs - ok
01:54:28.0906 5176 MSICPL - ok
01:54:28.0937 5176 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
01:54:28.0953 5176 MSKSSRV - ok
01:54:28.0984 5176 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
01:54:28.0984 5176 MSPCLOCK - ok
01:54:29.0000 5176 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
01:54:29.0015 5176 MSPQM - ok
01:54:29.0062 5176 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
01:54:29.0062 5176 mssmbios - ok
01:54:29.0093 5176 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
01:54:29.0109 5176 MSTEE - ok
01:54:29.0140 5176 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
01:54:29.0156 5176 MTsensor - ok
01:54:29.0187 5176 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
01:54:29.0187 5176 Mup - ok
01:54:29.0218 5176 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
01:54:29.0234 5176 NABTSFEC - ok
01:54:29.0250 5176 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
01:54:29.0265 5176 NDIS - ok
01:54:29.0296 5176 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
01:54:29.0312 5176 NdisIP - ok
01:54:29.0328 5176 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
01:54:29.0328 5176 NdisTapi - ok
01:54:29.0359 5176 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
01:54:29.0375 5176 Ndisuio - ok
01:54:29.0406 5176 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
01:54:29.0421 5176 NdisWan - ok
01:54:29.0437 5176 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
01:54:29.0437 5176 NDProxy - ok
01:54:29.0453 5176 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
01:54:29.0453 5176 NetBIOS - ok
01:54:29.0500 5176 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
01:54:29.0500 5176 NetBT - ok
01:54:29.0531 5176 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
01:54:29.0531 5176 Npfs - ok
01:54:29.0531 5176 NTACCESS - ok
01:54:29.0593 5176 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
01:54:29.0640 5176 Ntfs - ok
01:54:29.0656 5176 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
01:54:29.0656 5176 Null - ok
01:54:29.0687 5176 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
01:54:29.0687 5176 NwlnkFlt - ok
01:54:29.0734 5176 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
01:54:29.0734 5176 NwlnkFwd - ok
01:54:29.0765 5176 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
01:54:29.0781 5176 Parport - ok
01:54:29.0796 5176 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
01:54:29.0796 5176 PartMgr - ok
01:54:29.0812 5176 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
01:54:29.0812 5176 ParVdm - ok
01:54:29.0843 5176 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
01:54:29.0843 5176 PCI - ok
01:54:29.0859 5176 PCIDump - ok
01:54:29.0890 5176 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
01:54:29.0890 5176 PCIIde - ok
01:54:30.0000 5176 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
01:54:30.0187 5176 Pcmcia - ok
01:54:30.0265 5176 PDCOMP - ok
01:54:30.0281 5176 PDFRAME - ok
01:54:30.0296 5176 PDRELI - ok
01:54:30.0296 5176 PDRFRAME - ok
01:54:30.0312 5176 perc2 - ok
01:54:30.0328 5176 perc2hib - ok
01:54:30.0375 5176 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
01:54:30.0375 5176 PptpMiniport - ok
01:54:30.0390 5176 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
01:54:30.0406 5176 PSched - ok
01:54:30.0406 5176 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
01:54:30.0421 5176 Ptilink - ok
01:54:30.0453 5176 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
01:54:30.0453 5176 PxHelp20 - ok
01:54:30.0468 5176 ql1080 - ok
01:54:30.0484 5176 Ql10wnt - ok
01:54:30.0484 5176 ql12160 - ok
01:54:30.0484 5176 ql1240 - ok
01:54:30.0500 5176 ql1280 - ok
01:54:30.0515 5176 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
01:54:30.0531 5176 RasAcd - ok
01:54:30.0562 5176 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
01:54:30.0578 5176 Rasirda - ok
01:54:30.0703 5176 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
01:54:30.0718 5176 Rasl2tp - ok
01:54:30.0781 5176 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
01:54:30.0796 5176 RasPppoe - ok
01:54:30.0828 5176 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
01:54:30.0828 5176 Raspti - ok
01:54:30.0859 5176 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
01:54:30.0859 5176 Rdbss - ok
01:54:30.0890 5176 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
01:54:30.0890 5176 RDPCDD - ok
01:54:30.0921 5176 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
01:54:30.0937 5176 rdpdr - ok
01:54:30.0984 5176 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
01:54:30.0984 5176 RDPWD - ok
01:54:31.0015 5176 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
01:54:31.0015 5176 redbook - ok
01:54:31.0062 5176 RTL8187B (60aecd4284317784111716bb88342f46) C:\WINDOWS\system32\DRIVERS\wg111v3.sys
01:54:31.0062 5176 RTL8187B - ok
01:54:31.0109 5176 Secdrv (c71394d99a04ca76484492f590c9cba5) C:\WINDOWS\system32\DRIVERS\secdrv.sys
01:54:31.0109 5176 Secdrv - ok
01:54:31.0140 5176 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
01:54:31.0140 5176 serenum - ok
01:54:31.0171 5176 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
01:54:31.0187 5176 Serial - ok
01:54:31.0187 5176 SetupNTGLM7X - ok
01:54:31.0187 5176 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
01:54:31.0203 5176 Sfloppy - ok
01:54:31.0218 5176 Simbad - ok
01:54:31.0265 5176 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
01:54:31.0265 5176 SLIP - ok
01:54:31.0500 5176 SNP2STD (40debcd578b9b11cd41a9fd81008eed1) C:\WINDOWS\system32\DRIVERS\snp2sxp.sys
01:54:31.0828 5176 SNP2STD - ok
01:54:31.0875 5176 Sparrow - ok
01:54:31.0921 5176 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
01:54:31.0921 5176 splitter - ok
01:54:31.0968 5176 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\System32\Drivers\sptd.sys
01:54:32.0031 5176 sptd - ok
01:54:32.0062 5176 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
01:54:32.0343 5176 sr - ok
01:54:32.0390 5176 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
01:54:32.0406 5176 Srv - ok
01:54:32.0468 5176 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
01:54:32.0468 5176 streamip - ok
01:54:32.0515 5176 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
01:54:32.0515 5176 swenum - ok
01:54:32.0562 5176 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
01:54:32.0562 5176 swmidi - ok
01:54:32.0578 5176 symc810 - ok
01:54:32.0578 5176 symc8xx - ok
01:54:32.0593 5176 sym_hi - ok
01:54:32.0609 5176 sym_u3 - ok
01:54:32.0656 5176 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
01:54:32.0656 5176 sysaudio - ok
01:54:32.0703 5176 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
01:54:32.0718 5176 Tcpip - ok
01:54:32.0750 5176 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
01:54:32.0765 5176 TDPIPE - ok
01:54:32.0781 5176 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
01:54:32.0781 5176 TDTCP - ok
01:54:32.0812 5176 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
01:54:32.0828 5176 TermDD - ok
01:54:32.0828 5176 TosIde - ok
01:54:32.0859 5176 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
01:54:32.0859 5176 Udfs - ok
01:54:32.0875 5176 ultra - ok
01:54:32.0906 5176 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
01:54:32.0921 5176 Update - ok
01:54:32.0953 5176 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
01:54:32.0984 5176 USBAAPL - ok
01:54:33.0015 5176 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
01:54:33.0031 5176 usbccgp - ok
01:54:33.0046 5176 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
01:54:33.0062 5176 usbehci - ok
01:54:33.0078 5176 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
01:54:33.0078 5176 usbhub - ok
01:54:33.0125 5176 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
01:54:33.0140 5176 usbscan - ok
01:54:33.0156 5176 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
01:54:33.0171 5176 USBSTOR - ok
01:54:33.0203 5176 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
01:54:33.0203 5176 usbuhci - ok
01:54:33.0250 5176 VClone (94d73b62e458fb56c9ce60aa96d914f9) C:\WINDOWS\system32\DRIVERS\VClone.sys
01:54:33.0250 5176 VClone - ok
01:54:33.0281 5176 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
01:54:33.0296 5176 VgaSave - ok
01:54:33.0312 5176 ViaIde - ok
01:54:33.0359 5176 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
01:54:33.0359 5176 VolSnap - ok
01:54:33.0406 5176 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
01:54:33.0421 5176 Wanarp - ok
01:54:33.0437 5176 WDICA - ok
01:54:33.0468 5176 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
01:54:33.0468 5176 wdmaud - ok
01:54:33.0531 5176 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
01:54:33.0546 5176 WpdUsb - ok
01:54:33.0578 5176 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
01:54:33.0578 5176 WS2IFSL - ok
01:54:33.0609 5176 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
01:54:33.0625 5176 WSTCODEC - ok
01:54:33.0656 5176 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
01:54:33.0671 5176 WudfPf - ok
01:54:33.0687 5176 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
01:54:33.0687 5176 WudfRd - ok
01:54:33.0718 5176 xcpip - ok
01:54:33.0718 5176 xpsec - ok
01:54:33.0750 5176 MBR (0x1B8) (f381baacfc1778337c007982b0c32d82) \Device\Harddisk0\DR0
01:54:33.0750 5176 \Device\Harddisk0\DR0 ( Backdoor.Win32.Sinowal.knf ) - infected
01:54:33.0750 5176 \Device\Harddisk0\DR0 - detected Backdoor.Win32.Sinowal.knf (0)
01:54:33.0750 5176 Boot (0x1200) (912788cd33408b7bbfff14eba22611b4) \Device\Harddisk0\DR0\Partition0
01:54:33.0750 5176 \Device\Harddisk0\DR0\Partition0 - ok
01:54:33.0781 5176 Boot (0x1200) (5882683aa9bcc508a6467ce53dda6bd7) \Device\Harddisk0\DR0\Partition1
01:54:33.0781 5176 \Device\Harddisk0\DR0\Partition1 - ok
01:54:33.0781 5176 ============================================================
01:54:33.0781 5176 Scan finished
01:54:33.0781 5176 ============================================================
01:54:33.0781 2400 Detected object count: 1
01:54:33.0781 2400 Actual detected object count: 1
01:54:42.0437 2400 \Device\Harddisk0\DR0\# - copied to quarantine
01:54:42.0437 2400 \Device\Harddisk0\DR0 - copied to quarantine
01:54:42.0437 2400 \Device\Harddisk0\DR0 ( Backdoor.Win32.Sinowal.knf ) - will be cured on reboot
01:54:42.0468 2400 \Device\Harddisk0\DR0 - ok
01:54:42.0468 2400 \Device\Harddisk0\DR0 ( Backdoor.Win32.Sinowal.knf ) - User select action: Cure
01:54:45.0546 5696 Deinitialize success


Just to let you know, my internet is running slow again and keeps asking me if I want to stop running scripts.

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:42 AM

Posted 31 January 2012 - 04:29 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • Report from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 Computer Rock

Computer Rock
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:08:42 PM

Posted 01 February 2012 - 01:56 AM

ComboFix 12-01-31.01 - Alex P 01/02/2012 15:00:40.4.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.2047.1326 [GMT 11:00]
Running from: c:\documents and settings\Alex P\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Alex P\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_xcpip
.
.
((((((((((((((((((((((((( Files Created from 2012-01-01 to 2012-02-01 )))))))))))))))))))))))))))))))
.
.
2012-01-31 14:54 . 2012-01-31 14:54 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-31 14:30 . 2012-01-31 14:31 -------- d-----w- C:\KH2FMpatcher
2012-01-31 04:55 . 2012-01-31 05:34 -------- d-----w- c:\documents and settings\Alex P\Application Data\ImgBurn
2012-01-31 04:45 . 2012-01-31 04:45 -------- d-----w- c:\program files\ImgBurn
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 04:24 . 2010-08-27 09:18 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-20 13:45 . 2011-06-17 13:29 139080 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-11-20 13:45 . 2011-06-17 13:29 270240 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-11-20 13:45 . 2010-12-08 09:29 270240 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-11-20 13:36 . 2011-06-17 13:29 138056 ----a-w- c:\documents and settings\Alex P\Application Data\PnkBstrK.sys
2011-11-20 13:36 . 2010-12-08 09:09 189248 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-11-20 13:36 . 2011-06-17 13:29 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-31_11.38.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-01 04:37 . 2012-02-01 04:37 16384 c:\windows\temp\Perflib_Perfdata_320.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2012-01-27 2077536]
"snp2std"="c:\windows\vsnp2std.exe" [2005-08-16 339968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-18 421736]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-7-1 2326528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-07 03:47 12536 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"odserv"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Lionhead Studios Ltd\\Black & White\\eymblpa\\runblack.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"d:\\SW.Galactic.battleground\\SWGB\\Game\\Battlegrounds.exe"=
"d:\\Star.Wars.G.B.CC\\Star Wars - Galactic battlegrounds - clone campaigns\\Game\\battlegrounds_x1.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\COMMON\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\Crysis\\Bin32\\Crysis.exe"=
"d:\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/07/2010 2:47 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/07/2010 2:47 PM 243152]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/07/2010 2:46 PM 308136]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [9/10/2007 1:13 PM 38144]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [6/04/2009 6:40 AM 39424]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [28/12/2007 3:02 PM 287232]
S3 fk88o.sys;fk88o.sys;\??\c:\windows\system32\drivers\fk88o.sys --> c:\windows\system32\drivers\fk88o.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\r:\ntglm7x.sys --> r:\NTGLM7X.sys [?]
S3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/03/2010 4:40 PM 691696]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-01 c:\windows\Tasks\User_Feed_Synchronization-{AB342D3E-E83D-463B-B9F4-65E23BBDDB16}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:31]
.
2012-02-01 c:\windows\Tasks\User_Feed_Synchronization-{F40EB745-0FEB-47DB-9A4F-846E4DA04511}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 203.12.160.35 203.12.160.36
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-01 15:37
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(928)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(3556)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-02-01 15:40:49 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-01 04:40
ComboFix2.txt 2012-01-31 11:41
.
Pre-Run: 8,000,196,608 bytes free
Post-Run: 8,123,441,152 bytes free
.
- - End Of File - - F7F5B4FAA3DF2DD03AA76687CB854902


I had no problems while running the program.
So far my computer seems to run fine but I haven't given it a long enough try to see if it will freeze or if the internet runs slow again.

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:42 AM

Posted 01 February 2012 - 08:39 AM

These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a much better job).

Programs to remove

Adobe Reader 9.3.4
Java™ 6 Update 21


  • Please download and install Revo Uninstaller Free.
  • Double-click Revo Uninstaller to run it.
  • From the list of programs, double-click on the program to remove.
  • When prompted if you want to uninstall, click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes and then Next.
  • Once done, click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot fewer resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • Click on the Free Java Download button.
  • Click on Agree and Start Free Download.
  • Click on Run.
  • Click on Run again.
  • Click on Install.
  • When the install is complete, click on Close.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM.
  • Double-click the MBAM icon.
  • Go to the Update tab at the top.
  • Click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked (ticked) except items in the C:\System Volume Information folder, and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...).

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 Computer Rock

Computer Rock
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:08:42 PM

Posted 03 February 2012 - 06:46 AM

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.03.04

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Alex P :: MARVEL [administrator]

3/02/2012 9:39:52 PM
mbam-log-2012-02-03 (21-39-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 240421
Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)





Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:41:53 PM, on 3/02/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.72.0.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - http://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.127.0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7020 bytes



The computer has not had any problems with the web browser, with freezing or anything else. It has been running perfectly.

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:42 AM

Posted 03 February 2012 - 08:00 AM

Greetings

These logs are looking very good; we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can start any of them by clicking on their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not.
    Just copy the name between the brackets and paste it into the search space, for example:
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. Vista and Win 7: right-click on the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on Copy to clipboard and paste the results here in this topic.
  • You may also find the log here: C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic.

Gringo
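As an added example (my own code, not from the thread, Gringo or HijackThis), here is a small Python parser for HijackThis-style log lines: it pulls out the O4 startup entries discussed above, with the bracketed name the helper tells the user to research, and flags any line whose file HijackThis could not find. The sample log is constructed from a few lines of the thread's own HijackThis output.

```python
"""Parse HijackThis-style log lines: O4 startup entries and missing-file references.

Added example, not code from the thread or from HijackThis. The sample log is a
constructed subset of the lines that appear in the thread's own HijackThis log.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines copied from the thread's HijackThis log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# O4 entries from the Run/RunOnce registry keys, e.g. "O4 - HKLM\..\Run: [name] command"
_RUN_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O4 entries from the Startup folder, e.g. "O4 - Global Startup: name.lnk = path"
_STARTUP_FOLDER_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$')
# First drive-letter path ending in a program extension, quoted or not.
_EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|lnk|bat|cmd|scr|com))"?',
                     re.IGNORECASE)
# Markers HijackThis prints when the referenced file does not exist on disk.
_MISSING_MARKERS = ('(no file)', '(file missing)')


@dataclass
class StartupEntry:
    location: str        # e.g. "HKLM\..\Run" or "Global Startup"
    name: str            # the bracketed value name (what the helper says to research)
    command: str         # the full command line as logged
    exe: Optional[str]   # executable path pulled out of the command, if recognised


def extract_exe(command: str) -> Optional[str]:
    """Return the program path at the start of a logged command line, without quotes."""
    m = _EXE_RE.match(command.strip())
    return m.group('path') if m else None


def parse_startup(log_text: str) -> List[StartupEntry]:
    """Collect every O4 startup entry (registry Run keys and the Startup folder)."""
    entries: List[StartupEntry] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _RUN_RE.match(line)
        if m:
            location = f"{m['hive']}\\..\\{m['key']}"
            entries.append(StartupEntry(location, m['name'], m['cmd'], extract_exe(m['cmd'])))
            continue
        m = _STARTUP_FOLDER_RE.match(line)
        if m:
            entries.append(StartupEntry("Global Startup", m['name'], m['cmd'],
                                        extract_exe(m['cmd'])))
    return entries


def find_orphaned(log_text: str) -> List[str]:
    """Lines in any section that reference a file HijackThis could not find."""
    return [ln.strip() for ln in log_text.splitlines()
            if any(marker in ln for marker in _MISSING_MARKERS)]


if __name__ == "__main__":
    for entry in parse_startup(SAMPLE_LOG):
        print(f"{entry.location:16} [{entry.name}] -> {entry.exe}")
    for orphan in find_orphaned(SAMPLE_LOG):
        print("missing file:", orphan)
```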

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:42 AM

Posted 05 February 2012 - 11:17 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#12 Computer Rock

Computer Rock
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:08:42 PM

Posted 07 February 2012 - 04:33 PM

I am really sorry for the delay. Here is the log:


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=d9ed8dffc76b4a4c87f52c413dfbd931
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-02-07 03:58:39
# local_time=2012-02-08 02:58:39 (+1000, AUS Eastern Daylight Time)
# country="Australia"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 45882766 45882766 0 0
# compatibility_mode=1024 16777191 100 0 49318057 49318057 0 0
# compatibility_mode=8192 67108863 100 0 45716999 45716999 0 0
# scanned=132034
# found=1
# cleaned=0
# scan_time=6321
C:\Documents and Settings\All Users\Application Data\YouTube Downloader\ytd_installer.exe probably a variant of Win32/Toolbar.Widgi application (unable to clean) 00000000000000000000000000000000 I

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:42 AM

Posted 08 February 2012 - 11:47 AM

Hello

There are some minor things in your online scan that should be removed.


delete files

  • Copy all text in the quote box (below)...to Notepad.

    @echo off
    del /f /s /q "C:\Documents and Settings\All Users\Application Data\YouTube Downloader\ytd_installer.exe"
    del %0

  • Save the Notepad file on your desktop as delfile.bat, with "Save as type" set to "All Files".
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.


The rest of the online scan is only reporting backups created during the course of this fix (C:\Qoobox\Quarantine\) and/or items located in System Restore's cache (C:\System Volume Information\). Whatever is in these folders can't harm you unless you choose to perform a manual restore. The following steps will remove these backups.


Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use; I would keep this and use it before you do any scans or when you want to free up some space.

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • Please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall; it needs to be there.


:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


:Make Firefox more secure:

Please visit this page, which explains how to make Firefox more secure: How to Secure Firefox


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector.


:Turn On Automatic Updates:

1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select Automatic (recommended): Automatically download recommended updates for my computer and install them.

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

Or visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

  • WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Gringo

#14 Computer Rock

Computer Rock
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:08:42 PM

Posted 08 February 2012 - 07:59 PM

I have no more questions and everything seems to be working great.

Thank you so much for your time and help.
I greatly appreciate it.

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:42 AM

Posted 08 February 2012 - 08:40 PM

you are more than welcome and glad I was able to help


gringo