
Browser Redirect Virus


  • This topic is locked
18 replies to this topic

#1 Carolinus

Carolinus

  • Members
  • 9 posts
  • OFFLINE
  • Local time:11:26 PM

Posted 25 February 2012 - 12:36 AM

I have a really nasty Browser Redirect Virus. I have removed others manually, so I am not a stranger to this sort of thing, but this one has me stumped.

Any help is greatly appreciated. Below is a HijackThis log.

Carolinus


--------------------------


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:33:14 AM, on 2/25/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Tools\InCD\InCDSrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Nero\Tools\InCD\InCD.exe
C:\Program Files\Nero\Tools\InCD\NBHGui.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Rainlender\Rainlendar2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Free Vector Clocks\VectorClock-CrossGL.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Numlocker\NumLocker.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
G:\Launch\Launch.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
E:\PortableApps\Launch\Launch.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\PuzzleCollectionPortable\PuzzleCollectionPortable.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Anthony Parise\My Documents\Downloads\JavaRa\JavaRa.exe
C:\Documents and Settings\Anthony Parise\My Documents\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
R3 - URLSearchHook: (no name) - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Search-Results Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Tools\InCD\InCD.exe
O4 - HKLM\..\Run: [NBHGui] C:\Program Files\Nero\Tools\InCD\NBHGui.exe
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlender\Rainlendar2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Vector Clocks\Vector-Clock_VectorClock-CrossGL] "C:\Program Files\Free Vector Clocks\VectorClock-CrossGL.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Anthony Parise\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe (User 'Default user')
O4 - Startup: NumLocker.lnk = C:\Program Files\Numlocker\NumLocker.exe
O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: pidgin.lnk = C:\Program Files\Pidgin\pidgin.exe
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://192.168.1.1
O15 - ESC Trusted IP range: http://192.168.1.1
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDSrv) - Nero AG - C:\Program Files\Nero\Tools\InCD\InCDSrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: @C:\Program Files\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Program Files\Nero\Update\NASvc.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Nero AG - C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe
O23 - Service: TVService - Team MediaPortal - C:\Program Files\Team MediaPortal\MediaPortal TV Server\TVService.exe

--
End of file - 8951 bytes

Edited by Orange Blossom, 25 February 2012 - 02:30 AM.
Moved to log forum. ~ OB
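As a reading aid for the HijackThis log above, here is an added example (not code from this thread or from BleepingComputer) that parses HJT entry lines and flags the patterns a log reviewer checks first: COM objects registered with "(no file)", Run entries launched by bare file name, startup shortcuts with an unresolved target, and services with no publisher. The sample lines are copied from the posted log; a flag is a pointer for review, not a verdict.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example: not code from the thread or a BleepingComputer tool. It reads
the "<section> - <body>" entry lines HJT emits and flags the patterns a log
reviewer checks first. A flag is a pointer for review, not a verdict.
"""
import re
from dataclasses import dataclass

# Entry lines look like "O3 - Toolbar: ..." or "R3 - URLSearchHook: ...".
# Process-list and header lines do not match and are skipped.
ENTRY = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")

# Constructed sample: lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
C:\WINDOWS\System32\smss.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
R3 - URLSearchHook: (no name) - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - (no file)
O2 - BHO: Java(TM) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: Search-Results Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - Global Startup: GammaTray.lnk = ?
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: InCD Helper (InCDSrv) - Nero AG - C:\Program Files\Nero\Tools\InCD\InCDSrv.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_line(line: str):
    """Return (section, body) for an HJT entry line, else None."""
    m = ENTRY.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def review_entry(section: str, body: str) -> list:
    """Return the reasons (possibly none) a single entry deserves a look."""
    reasons = []
    # BHOs, toolbars and URLSearchHooks whose DLL is gone: the usual leftover
    # of a half-removed browser add-on. Harmless, but worth clearing, and a
    # hint about what was installed.
    if body.endswith("(no file)"):
        reasons.append("orphaned entry: registered file no longer exists")
    if section == "O4":
        if body.endswith("= ?"):
            reasons.append("startup shortcut with unresolved target")
        elif "] " in body:
            command = body.split("] ", 1)[1].strip()
            if command.startswith('"'):
                exe = command.split('"')[1]
            else:
                exe = command.split(" ", 1)[0]
            # A bare name resolves through the search path, so confirm where
            # the file actually lives (RTHDCPL.EXE is a normal Realtek entry,
            # but the check is cheap).
            if exe and "\\" not in exe:
                reasons.append("Run entry launched by bare file name, not a full path")
    if section == "O23" and " - Unknown owner - " in body:
        reasons.append("service binary without a publisher")
    return reasons


def triage(log_text: str) -> list:
    """Run review_entry over every HJT entry line and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        for reason in review_entry(section, body):
            findings.append(Finding(section, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```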



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:26 AM

Posted 25 February 2012 - 03:08 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

information and logs:

  • In your next post I need the following

  • logs from DDS
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Carolinus

Carolinus
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:11:26 PM

Posted 25 February 2012 - 06:09 PM

Thanks in advance for your help.

No problems running either program. Logs are below:


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Anthony Parise at 18:00:10 on 2012-02-25
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.1853 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Nero\Tools\InCD\InCDSrv.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\IObit\Smart Defrag 2\SmartDefrag.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\PuzzleCollectionPortable\PuzzleCollectionPortable.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Nero\Tools\InCD\InCD.exe
C:\Program Files\Nero\Tools\InCD\NBHGui.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Rainlender\Rainlendar2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Free Vector Clocks\VectorClock-CrossGL.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Numlocker\NumLocker.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Anthony Parise\My Documents\Downloads\gringo\Defogger.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} -
uURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Search-Results Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} -
uRun: [Rainlendar2] c:\program files\rainlender\Rainlendar2.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Free Vector Clocks\Vector-Clock_VectorClock-CrossGL] "c:\program files\free vector clocks\VectorClock-CrossGL.exe"
uRun: [Google Update] "c:\documents and settings\anthony parise\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [InCD] c:\program files\nero\tools\incd\InCD.exe
mRun: [NBHGui] c:\program files\nero\tools\incd\NBHGui.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
StartupFolder: c:\docume~1\anthon~1\startm~1\programs\startup\numloc~1.lnk - c:\program files\numlocker\NumLocker.exe
StartupFolder: c:\docume~1\anthon~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\anthon~1\startm~1\programs\startup\pidgin.lnk - c:\program files\pidgin\pidgin.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gammat~1.lnk - c:\program files\magictune premium\GammaTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
uPolicies-explorer: NoChangeStartMenu = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{6E3A1909-F844-43F6-8B0F-864EC0BD7D61} : DhcpNameServer = 192.168.2.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\anthony parise\application data\mozilla\firefox\profiles\6gtwqq77.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\anthony parise\application data\mozilla\firefox\profiles\6gtwqq77.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - plugin: c:\documents and settings\anthony parise\local settings\application data\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\documents and settings\anthony parise\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-9-17 14776]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-4 295248]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2010-4-10 154416]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2010-4-10 33072]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-6-29 116608]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2010-3-23 68136]
R2 NAUpdate;@c:\program files\nero\update\nasvc.exe,-200;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\tools\incd\NBHRegInCDSrv.exe [2009-10-16 53560]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [2010-7-3 22016]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 16720]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2010-3-25 101680]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2011-7-15 113456]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-5 136176]
S2 TVService;TVService;c:\program files\team mediaportal\mediaportal tv server\TvService.exe [2009-5-8 192512]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2010-7-3 20160]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\anthon~1\locals~1\temp\alsysio.sys --> c:\docume~1\anthon~1\locals~1\temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-3-23 1684736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-5 136176]
S3 PORTMON;PORTMON;\??\c:\program files\portmon\portmsys.sys --> c:\program files\portmon\PORTMSYS.SYS [?]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [2010-7-3 29440]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2010-7-3 17536]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [2011-7-31 47176]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [2011-7-31 58112]
S3 SIVDRIVER;SIV Kernel Driver;c:\windows\system32\drivers\SIVX32.sys [2010-3-29 49656]
.
=============== Created Last 30 ================
.
2012-02-25 05:19:35 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-25 01:26:57 -------- d-----w- c:\documents and settings\anthony parise\application data\Curiolab
2012-02-24 00:41:26 -------- d-----w- c:\documents and settings\anthony parise\local settings\application data\NPE
2012-02-23 22:42:27 -------- d-----w- c:\windows\pss
2012-02-22 23:32:06 -------- d-----w- c:\program files\VS Revo Group
2012-02-13 04:08:13 -------- d-----w- c:\documents and settings\anthony parise\application data\7plus
2012-02-13 04:07:45 -------- d-----w- c:\program files\7Plus
.
==================== Find3M ====================
.
2012-02-25 22:38:26 17488 ----a-w- c:\windows\gdrv.sys
2012-02-25 05:18:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-08 17:06:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 18:01:55.25 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/23/2010 4:54:16 AM
System Uptime: 2/25/2012 5:36:35 PM (1 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | GA-MA790GPT-UD3H
Processor: AMD Athlon™ II X4 620 Processor | Socket M2 | 783/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 456 GiB total, 398.858 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP616: 11/27/2011 10:09:58 PM - System Checkpoint
RP617: 11/28/2011 10:47:55 PM - System Checkpoint
RP618: 11/30/2011 4:06:22 PM - System Checkpoint
RP619: 12/1/2011 7:16:22 PM - System Checkpoint
RP620: 12/2/2011 9:15:34 PM - System Checkpoint
RP621: 12/4/2011 7:35:57 PM - System Checkpoint
RP622: 12/5/2011 8:21:15 PM - System Checkpoint
RP623: 12/6/2011 9:14:45 PM - System Checkpoint
RP624: 12/7/2011 9:30:23 PM - System Checkpoint
RP625: 12/8/2011 10:01:12 PM - System Checkpoint
RP626: 12/9/2011 10:29:39 PM - System Checkpoint
RP627: 12/10/2011 11:55:13 PM - System Checkpoint
RP628: 12/12/2011 5:34:27 PM - System Checkpoint
RP629: 12/13/2011 6:08:54 PM - System Checkpoint
RP630: 12/14/2011 7:07:48 PM - System Checkpoint
RP631: 12/15/2011 7:31:43 PM - System Checkpoint
RP632: 12/16/2011 8:35:07 PM - System Checkpoint
RP633: 12/17/2011 8:44:59 PM - System Checkpoint
RP634: 12/18/2011 9:10:08 PM - System Checkpoint
RP635: 12/19/2011 9:30:45 PM - System Checkpoint
RP636: 12/20/2011 10:33:58 PM - System Checkpoint
RP637: 12/21/2011 11:04:59 PM - System Checkpoint
RP638: 12/23/2011 6:06:11 PM - System Checkpoint
RP639: 12/24/2011 6:45:39 PM - System Checkpoint
RP640: 12/25/2011 7:17:21 PM - System Checkpoint
RP641: 12/26/2011 8:12:40 PM - System Checkpoint
RP642: 12/27/2011 8:16:09 PM - System Checkpoint
RP643: 12/28/2011 9:16:17 PM - System Checkpoint
RP644: 12/29/2011 9:18:43 PM - System Checkpoint
RP645: 12/30/2011 10:10:27 PM - System Checkpoint
RP646: 12/31/2011 11:40:35 PM - System Checkpoint
RP647: 1/1/2012 11:50:23 PM - System Checkpoint
RP648: 1/2/2012 4:47:00 PM - Installed ARCP-480
RP649: 1/3/2012 5:00:01 PM - System Checkpoint
RP650: 1/4/2012 6:20:13 PM - System Checkpoint
RP651: 1/5/2012 6:50:06 PM - System Checkpoint
RP652: 1/6/2012 7:15:21 PM - System Checkpoint
RP653: 1/7/2012 8:11:22 PM - System Checkpoint
RP654: 1/9/2012 4:50:06 PM - System Checkpoint
RP655: 1/10/2012 5:25:47 PM - System Checkpoint
RP656: 1/11/2012 7:16:29 PM - System Checkpoint
RP657: 1/12/2012 7:17:02 PM - System Checkpoint
RP658: 1/13/2012 8:59:24 PM - System Checkpoint
RP659: 1/14/2012 9:24:47 PM - System Checkpoint
RP660: 1/16/2012 7:11:22 PM - System Checkpoint
RP661: 1/17/2012 8:11:47 PM - System Checkpoint
RP662: 1/18/2012 9:16:03 PM - System Checkpoint
RP663: 1/19/2012 9:58:13 PM - System Checkpoint
RP664: 1/20/2012 10:31:59 PM - System Checkpoint
RP665: 1/22/2012 1:04:41 PM - System Checkpoint
RP666: 1/23/2012 7:17:05 PM - System Checkpoint
RP667: 1/24/2012 7:24:55 PM - System Checkpoint
RP668: 1/25/2012 9:15:45 PM - System Checkpoint
RP669: 1/26/2012 9:51:37 PM - System Checkpoint
RP670: 1/28/2012 7:25:11 PM - System Checkpoint
RP671: 1/29/2012 8:19:45 PM - System Checkpoint
RP672: 1/30/2012 9:02:40 PM - System Checkpoint
RP673: 1/31/2012 10:12:47 PM - System Checkpoint
RP674: 2/2/2012 11:33:34 AM - System Checkpoint
RP675: 2/3/2012 7:23:09 PM - System Checkpoint
RP676: 2/4/2012 9:46:19 PM - System Checkpoint
RP677: 2/5/2012 9:50:40 PM - System Checkpoint
RP678: 2/6/2012 10:22:45 PM - System Checkpoint
RP679: 2/8/2012 10:05:37 AM - System Checkpoint
RP680: 2/9/2012 7:13:41 PM - System Checkpoint
RP681: 2/10/2012 9:01:23 PM - System Checkpoint
RP682: 2/11/2012 9:54:26 PM - System Checkpoint
RP683: 2/13/2012 3:56:18 PM - System Checkpoint
RP684: 2/14/2012 6:49:53 PM - System Checkpoint
RP685: 2/15/2012 9:09:47 PM - System Checkpoint
RP686: 2/16/2012 9:15:05 PM - System Checkpoint
RP687: 2/17/2012 9:20:11 PM - System Checkpoint
RP688: 2/19/2012 7:07:03 PM - System Checkpoint
RP689: 2/20/2012 7:22:02 PM - System Checkpoint
RP690: 2/21/2012 10:27:53 PM - System Checkpoint
RP691: 2/23/2012 12:31:28 AM - System Checkpoint
RP692: 2/23/2012 8:31:38 PM - Norton_Power_Eraser_20120223203118640
RP693: 2/24/2012 10:45:30 PM - System Checkpoint
RP694: 2/25/2012 12:17:29 AM - Removed Java™ 6 Update 23
.
==== Installed Programs ======================
.
7-Zip 4.65
7plus V.2.4.0.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
AGEIA PhysX v6.12.02
AMD Processor Driver
Android SDK Tools
ArcSoft Panorama Maker 3
ATI AVIVO Codecs
ATI Catalyst Control Center
ATI Catalyst Install Manager
ATI Parental Control & Encoder
ATI Problem Report Wizard
AVG 2012
bcc32pch 2.79
Borland Developer Studio 2006
Brain Workshop 4.8.1
Browser Configuration Utility
bubblez
CaliberRM SDK
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
Catalyst Media Center
Catalyst Media Center DVD Authoring Module
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
ClassBuilder Open Source version 2.5.5 PR510-F
CmdHere Powertoy For Windows XP
ComponentOne Studio Enterprise™
CrypTool 1.4.30
DD Thought Tickler 5.5
Detours Express 2.1
Diagnostic Utility
DigiPan 2.0
Download Updater (AOL LLC)
DX4WIN version 8.05
EasySaver B9.0904.1
EchoLink
eReg
Exifer
EZNEC+
Free Vector Clocks version 2.30 - 2010.12.2
Free Window Registry Repair
GExperts for BDS 2006
GIMP 2.6.8
GnuCash 2.2.9
Google Chrome
Google Earth
Google SketchUp 7
Google Update Helper
Greeting Card Creator 32
Ham Radio Deluxe
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB944043-v3)
Hotfix for Windows XP (KB951830)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB958655-v2)
Hotfix for Windows XP (KB969084)
Hotfix for Windows XP (KB979306)
HP Memories Disc
HP Photo and Imaging 2.3 - Scanjet 4600 Series
HTML Help Workshop
InCD EasyWrite Reader (Ahead Software)
Java DB 10.5.3.0
Java Runtime 1.5.0_03 for Borland COM APIs
Java™ 6 Update 31
Java™ SE Development Kit 6 Update 23
Just Great Software HelpScribble 7.8.0
KENWOOD ARCP-480
Liberty BASIC v4.04
link700 1.1.4.6
LinuxLive USB Creator
Logitech iTouch Software
Logitech SetPoint 6.0
LTspice IV
MagicTune Premium
Malwarebytes Anti-Malware version 1.60.1.1000
MCP-2A (Remove only)
MCP-4A
MediaPortal
MediaPortal TV Server / Client
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework SDK (English) 1.1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Visual J# .NET Redistributable Package 1.1
mini Ring Core Calculator 1.2
MMANA-GAL 1.2
MMANA-GAL_Basic version 3
MMSSTV version 1.13A
Mozilla Firefox 10.0.2 (x86 en-US)
Mozilla Thunderbird 10.0.2 (x86 en-US)
MSXML 4.0 SP3 Parser (KB973685)
MSXML 6.0 Parser
Nero - Burning Rom
Nero BurnLite 10
Nero Control Center 10
Nero ControlCenter 10 Help (CHM)
Nero Core Components 10
Nero InCD
Nero Update
neroxml
NetBeans IDE 6.9
nLite 1.4.9.1
Notepad++
Null-modem emulator (com0com)
Nullsoft Install System
NumLocker 1.0
NUnit 2.2
OpenAL
OpenOffice.org 3.2
Oracle VM VirtualBox 3.2.8
Oracle VM VirtualBox 4.0.12
Pad2Pad 1.9.63
Palm Desktop by ACCESS
PDF-Viewer
Pegasus Mail
Pidgin
PokerStove version 1.23
Precision Helper 1.1
Python 2.7 PIL-1.1.7
Python 2.7.1
RadioSure
Rave Reports 6.5 BE
Readiris Pro 8
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Search-Results Toolbar
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB955417)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB970483)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975254)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
ShareIns
Sherlock Holmes Nemesis
SideSlide 3.5.10
Silicon Laboratories CP210x USB to UART Bridge (Driver Removal)
Silicon Laboratories CP210x VCP Drivers for Windows XP/2003 Server/Vista/7
Skins
Smart Defrag 2
Sophos Anti-Rootkit 1.5.4
SUPERAntiSpyware
The Lord of the Rings FREE Trial
TravelPlus for Repeaters 12.0
Tweak UI
Type light
U232 P9/P25 V7.2.98
UBCD4Win 3.60
UltraVNC 1.0.8.2
Unity Web Player
Update for Microsoft Windows (KB971513)
Update for Windows XP (KB898461)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB958752)
Update for Windows XP (KB961503)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
VLC media player 1.1.8
WebFldrs XP
WikidPad 2.0rc10_1
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell™ 1.0
WinRAR archiver
Winsonar - build 9.03.01 - If an older version of DeskDuster is
Wise Owl Demeanor for .NET, Personal Edition
wxDev-C++ Web-based Installer
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
2/23/2012 8:39:07 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the TVService service to connect.
2/23/2012 8:39:07 PM, error: Service Control Manager [7000] - The TVService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/23/2012 11:22:10 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer KARLA-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{6E3A1909-F844-43F6-. The master browser is stopping or an election is being forced.
2/20/2012 3:30:54 PM, error: Service Control Manager [7001] - The CyberLink Task Scheduler (CTS) service depends on the CyberLink Background Capture Service (CBCS) service which failed to start because of the following error: After starting, the service hung in a start-pending state.
2/20/2012 3:30:33 PM, error: Service Control Manager [7022] - The CyberLink Background Capture Service (CBCS) service hung on starting.
2/19/2012 11:20:39 PM, error: Service Control Manager [7034] - The MagicTuneEngine service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================

#4 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 25 February 2012 - 08:09 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 Carolinus (Topic Starter)

Posted 25 February 2012 - 10:54 PM

No problems running the software as per instructions.

Redirect virus still present.

Log is below:

ComboFix 12-02-25.02 - Anthony Parise 02/25/2012 22:13:16.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.1531 [GMT -5:00]
Running from: c:\documents and settings\Anthony Parise\My Documents\Downloads\gringo\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Anthony Parise\kujxwdhcln.tmp
c:\documents and settings\Anthony Parise\My Documents\Downloads\PowerPointViewer.exe
c:\documents and settings\Anthony Parise\My Documents\DPE.DUS
c:\documents and settings\Anthony Parise\My Documents\Readiris.DUS
c:\documents and settings\Anthony Parise\WINDOWS
C:\LOG93.tmp
c:\program files\Puff
c:\program files\Puff\html\PUFF_BODY.HTM
c:\program files\Puff\html\PUFF_INDEX.HTM
c:\program files\Puff\html\puff_tntvillage.jpg
c:\program files\Puff\html\puff_wikidot.jpg
c:\program files\Puff\html\puff_wikipedia.jpg
c:\program files\Puff\html\puff3_icon.jpg
c:\program files\Puff\html\puff3_pad.xml
c:\program files\Puff\html\puff3_screenshot.jpg
c:\program files\Puff\html\PUFFV300.HTM
c:\program files\Puff\OpenPuffv310.exe
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\SET71.tmp
c:\windows\system32\SET75.tmp
c:\windows\system32\SET7D.tmp
c:\windows\XSxS
.
Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-01-26 to 2012-02-26 )))))))))))))))))))))))))))))))
.
.
2012-02-25 05:20 . 2012-02-25 05:20 -------- d-----w- c:\program files\Common Files\Java
2012-02-25 05:19 . 2012-02-25 05:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-25 01:26 . 2012-02-25 01:26 -------- d-----w- c:\documents and settings\Anthony Parise\Application Data\Curiolab
2012-02-24 00:41 . 2012-02-24 01:44 -------- d-----w- c:\documents and settings\Anthony Parise\Local Settings\Application Data\NPE
2012-02-22 23:32 . 2012-02-22 23:33 -------- d-----w- c:\program files\VS Revo Group
2012-02-13 04:08 . 2012-02-13 04:16 -------- d-----w- c:\documents and settings\Anthony Parise\Application Data\7plus
2012-02-13 04:07 . 2012-02-13 04:17 -------- d-----w- c:\program files\7Plus
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-26 03:33 . 2010-03-23 09:32 17488 ----a-w- c:\windows\gdrv.sys
2012-02-25 05:18 . 2010-06-24 07:16 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-10 20:24 . 2010-06-07 04:45 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-08 17:06 . 2011-05-30 17:06 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-18 21:42 . 2011-04-10 04:14 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2009-10-16 14:44 97072 ----a-w- c:\program files\Nero\Tools\InCD\NBHshx.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="c:\program files\Rainlender\Rainlendar2.exe" [2010-07-11 2199040]
"Free Vector Clocks\Vector-Clock_VectorClock-CrossGL"="c:\program files\Free Vector Clocks\VectorClock-CrossGL.exe" [2010-12-13 1120624]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-30 98304]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1312848]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"InCD"="c:\program files\Nero\Tools\InCD\InCD.exe" [2009-10-16 1060136]
"NBHGui"="c:\program files\Nero\Tools\InCD\NBHGui.exe" [2009-10-16 1600816]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]
.
c:\documents and settings\Anthony Parise\Start Menu\Programs\Startup\
NumLocker.lnk - c:\program files\Numlocker\NumLocker.exe [2008-8-23 230891]
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2010-8-10 49321]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2010-3-28 36864]
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeStartMenu"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-11 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-01-29 21:17 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Documents and Settings\\Anthony Parise\\My Documents\\Downloads\\portable\\hfs.exe"=
"c:\\UniServer\\usr\\local\\apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Palm\\Hotsync.exe"=
"c:\\Program Files\\gnucash\\bin\\gnucash-bin.exe"=
"c:\\Program Files\\gnucash\\bin\\gconfd-2.exe"=
"c:\\UniServer\\usr\\local\\mysql\\bin\\mysqld-opt.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\MirandaPortable\\App\\miranda\\miranda32.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"g:\\PortableApps\\Simple Port Forwarding\\spf.exe"=
"e:\\PortableApps\\Simple Port Forwarding\\spf.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"5190:TCP"= 5190:TCP:AIM
"4504:TCP"= 4504:TCP:Miranda1
"4505:TCP"= 4505:TCP:Miranda2
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 7:13 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 3:03 PM 32592]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [9/17/2011 10:46 PM 14776]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 5:41 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [4/4/2011 11:59 PM 295248]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 1:25 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67664]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [4/10/2010 3:18 PM 154416]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [4/10/2010 3:17 PM 33072]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/29/2010 12:48 PM 116608]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [3/23/2010 4:19 AM 68136]
R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [5/4/2010 11:07 AM 503080]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Tools\InCD\NBHRegInCDSrv.exe [10/16/2009 9:44 AM 53560]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [7/3/2010 3:56 PM 22016]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [4/14/2011 8:28 PM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 6:53 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 6:53 AM 16720]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [3/25/2010 7:06 PM 101680]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [7/15/2011 5:08 PM 113456]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 5:25 AM 4433248]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2010 7:27 PM 136176]
S2 TVService;TVService;c:\program files\Team MediaPortal\MediaPortal TV Server\TvService.exe [5/8/2009 5:36 PM 192512]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [7/3/2010 3:37 PM 20160]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\ANTHON~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\ANTHON~1\LOCALS~1\Temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [3/23/2010 4:24 AM 1684736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2010 7:27 PM 136176]
S3 PORTMON;PORTMON;\??\c:\program files\portmon\PORTMSYS.SYS --> c:\program files\portmon\PORTMSYS.SYS [?]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [7/3/2010 3:56 PM 29440]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [7/3/2010 3:56 PM 17536]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [7/31/2011 11:30 AM 47176]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [7/31/2011 11:30 AM 58112]
S3 SIVDRIVER;SIV Kernel Driver;c:\windows\system32\drivers\SIVX32.sys [3/29/2010 7:25 PM 49656]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-06 00:27]
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-06 00:27]
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1220945662-839522115-1003Core.job
- c:\documents and settings\Anthony Parise\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 20:42]
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1220945662-839522115-1003UA.job
- c:\documents and settings\Anthony Parise\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 20:42]
.
2012-02-26 c:\windows\Tasks\SmartDefrag_Startup.job
- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-09-18 14:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Anthony Parise\Application Data\Mozilla\Firefox\Profiles\6gtwqq77.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-SLABCOMM&10C4&EA60 - c:\program files\Silabs\MCU\CP210x\DriverUninstaller.exe VCP CP210x Cardinal\SLABCOMM&10C4&EA60
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-25 22:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fd,f5,b9,34,be,ad,0f,46,87,4b,90,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fd,f5,b9,34,be,ad,0f,46,87,4b,90,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1088)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'explorer.exe'(3360)
c:\program files\Nero\Tools\InCD\NBHshx.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Nero\Tools\InCD\InCDSrv.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
c:\program files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\MagicTune Premium\MagicTuneEngine.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\RTHDCPL.EXE
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\program files\MagicTune Premium\MagicTune.exe
c:\program files\AVG\AVG2012\avgui.exe
.
**************************************************************************
.
Completion time: 2012-02-25 22:46:15 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-26 03:46
.
Pre-Run: 428,700,897,280 bytes free
Post-Run: 431,893,577,728 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
[spybotsd]
timeout.old=30
.
- - End Of File - - 22BDCBD7BEB17C69EDDEAFD0A8E61787

#6 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 26 February 2012 - 12:09 AM

Greetings

I want you to run these next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#7 Carolinus (Topic Starter)

Posted 26 February 2012 - 01:26 AM

OK, well it now seems that the virus is gone, although I think both these logs say they found nothing.

It definitely was there the last time I said so, it wasn't an error, but now it seems to have disappeared.

You can wrap things up if you wish, and thanks again for your help.


The logs follow; since I ran the programs I might as well pass on the logs.


-----------------------------------


00:24:55.0984 2896 TDSS rootkit removing tool 2.7.14.0 Feb 22 2012 16:54:49
00:24:56.0406 2896 ============================================================
00:24:56.0406 2896 Current date / time: 2012/02/26 00:24:56.0406
00:24:56.0406 2896 SystemInfo:
00:24:56.0406 2896
00:24:56.0406 2896 OS Version: 5.1.2600 ServicePack: 3.0
00:24:56.0406 2896 Product type: Workstation
00:24:56.0406 2896 ComputerName: POSEIDON
00:24:56.0406 2896 UserName: Anthony Parise
00:24:56.0406 2896 Windows directory: C:\WINDOWS
00:24:56.0406 2896 System windows directory: C:\WINDOWS
00:24:56.0406 2896 Processor architecture: Intel x86
00:24:56.0406 2896 Number of processors: 4
00:24:56.0406 2896 Page size: 0x1000
00:24:56.0406 2896 Boot type: Normal boot
00:24:56.0406 2896 ============================================================
00:25:01.0531 2896 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
00:25:01.0531 2896 Drive \Device\Harddisk1\DR2 - Size: 0xEF000000 (3.73 Gb), SectorSize: 0x200, Cylinders: 0x1E7, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
00:25:01.0531 2896 Drive \Device\Harddisk3\DR4 - Size: 0x1E3000000 (7.55 Gb), SectorSize: 0x200, Cylinders: 0x3D9, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
00:25:01.0546 2896 \Device\Harddisk0\DR0:
00:25:01.0546 2896 MBR used
00:25:01.0546 2896 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x38FF8206
00:25:01.0546 2896 \Device\Harddisk1\DR2:
00:25:01.0546 2896 MBR used
00:25:01.0546 2896 \Device\Harddisk1\DR2\Partition0: MBR, Type 0xC, StartLBA 0x1F80, BlocksNum 0x776080
00:25:01.0546 2896 \Device\Harddisk3\DR4:
00:25:01.0546 2896 MBR used
00:25:01.0546 2896 \Device\Harddisk3\DR4\Partition0: MBR, Type 0xC, StartLBA 0x3F, BlocksNum 0xF17FC1
00:25:01.0562 2896 Initialize success
00:25:01.0562 2896 ============================================================
00:25:05.0796 5244 ============================================================
00:25:05.0796 5244 Scan started
00:25:05.0796 5244 Mode: Manual;
00:25:05.0796 5244 ============================================================
00:25:17.0781 5244 MBR (0x1B8) (cc7f04064f79d55f0b1c09c954115345) \Device\Harddisk0\DR0
00:25:17.0937 5244 \Device\Harddisk0\DR0 - ok
00:25:17.0953 5244 MBR (0x1B8) (0958e97b3ab14a63b915efe6013a9d24) \Device\Harddisk1\DR2
00:25:25.0781 5244 \Device\Harddisk1\DR2 - ok
00:25:25.0781 5244 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk3\DR4
00:25:30.0609 5244 \Device\Harddisk3\DR4 - ok
00:25:30.0640 5244 Boot (0x1200) (0743fc59c41a81bb6abfb965b49a92b0) \Device\Harddisk0\DR0\Partition0
00:25:30.0640 5244 \Device\Harddisk0\DR0\Partition0 - ok
00:25:30.0640 5244 Boot (0x1200) (8965ffcd96dbac83447e8545417c88e7) \Device\Harddisk1\DR2\Partition0
00:25:30.0640 5244 \Device\Harddisk1\DR2\Partition0 - ok
00:25:30.0656 5244 Boot (0x1200) (381f2f700590b301e95bb73af945b73f) \Device\Harddisk3\DR4\Partition0
00:25:30.0656 5244 \Device\Harddisk3\DR4\Partition0 - ok
00:25:30.0656 5244 ============================================================
00:25:30.0656 5244 Scan finished
00:25:30.0656 5244 ============================================================
00:25:30.0671 4636 Detected object count: 0
00:25:30.0671 4636 Actual detected object count: 0



aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-02-26 00:28:48
-----------------------------
00:28:48.734 OS Version: Windows 5.1.2600 Service Pack 3
00:28:48.734 Number of processors: 4 586 0x502
00:28:48.734 ComputerName: POSEIDON UserName:
00:28:51.156 Initialize success
00:38:57.343 AVAST engine defs: 12022600
00:41:47.687 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-12
00:41:47.687 Disk 0 Vendor: WDC_WD5000AAKB-00H8A0 05.04E05 Size: 476940MB BusType: 3
00:41:47.718 Disk 0 MBR read successfully
00:41:47.718 Disk 0 MBR scan
00:41:47.765 Disk 0 Windows XP default MBR code
00:41:47.765 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 466928 MB offset 63
00:41:47.765 Disk 0 scanning sectors +956269125
00:41:47.828 Disk 0 scanning C:\WINDOWS\system32\drivers
00:42:05.296 Service scanning
00:42:39.250 Modules scanning
00:42:46.640 Disk 0 trace - called modules:
00:42:46.656 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
00:42:46.656 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a889ab8]
00:42:46.656 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\0000007f[0x8a893030]
00:42:46.671 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-12[0x8a88dd98]
00:42:50.265 AVAST engine scan C:\WINDOWS
00:43:07.640 AVAST engine scan C:\WINDOWS\system32
00:49:18.843 AVAST engine scan C:\WINDOWS\system32\drivers
00:49:51.796 AVAST engine scan C:\Documents and Settings\Anthony Parise
00:58:41.015 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Anthony Parise\My Documents\Downloads\gringo\MBR.dat"
00:58:41.156 The log file has been saved successfully to "C:\Documents and Settings\Anthony Parise\My Documents\Downloads\gringo\aswMBR.txt"

#8 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:26 AM

Posted 26 February 2012 - 01:39 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 Carolinus

  • Topic Starter

  • Members
  • 9 posts
  • Local time:11:26 PM

Posted 26 February 2012 - 04:09 PM

Log is below.

I got one error message that said a memory location could not be written, and that the program would be terminated, but ComboFix continued running.

Virus still seems to be gone.

ComboFix 12-02-25.02 - Anthony Parise 02/26/2012 15:45:48.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.1994 [GMT -5:00]
Running from: c:\documents and settings\Anthony Parise\My Documents\Downloads\gringo\ComboFix.exe
Command switches used :: c:\documents and settings\Anthony Parise\My Documents\Downloads\gringo\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Files Created from 2012-01-26 to 2012-02-26 )))))))))))))))))))))))))))))))
.
.
2012-02-25 05:20 . 2012-02-25 05:20 -------- d-----w- c:\program files\Common Files\Java
2012-02-25 05:19 . 2012-02-25 05:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-25 01:26 . 2012-02-25 01:26 -------- d-----w- c:\documents and settings\Anthony Parise\Application Data\Curiolab
2012-02-24 00:41 . 2012-02-24 01:44 -------- d-----w- c:\documents and settings\Anthony Parise\Local Settings\Application Data\NPE
2012-02-22 23:32 . 2012-02-22 23:33 -------- d-----w- c:\program files\VS Revo Group
2012-02-13 04:08 . 2012-02-13 04:16 -------- d-----w- c:\documents and settings\Anthony Parise\Application Data\7plus
2012-02-13 04:07 . 2012-02-13 04:17 -------- d-----w- c:\program files\7Plus
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-26 20:22 . 2010-03-23 09:32 17488 ----a-w- c:\windows\gdrv.sys
2012-02-25 05:18 . 2010-06-24 07:16 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-10 20:24 . 2010-06-07 04:45 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-08 17:06 . 2011-05-30 17:06 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-18 21:42 . 2011-04-10 04:14 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2009-10-16 14:44 97072 ----a-w- c:\program files\Nero\Tools\InCD\NBHshx.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="c:\program files\Rainlender\Rainlendar2.exe" [2010-07-11 2199040]
"Free Vector Clocks\Vector-Clock_VectorClock-CrossGL"="c:\program files\Free Vector Clocks\VectorClock-CrossGL.exe" [2010-12-13 1120624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-30 98304]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1312848]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"InCD"="c:\program files\Nero\Tools\InCD\InCD.exe" [2009-10-16 1060136]
"NBHGui"="c:\program files\Nero\Tools\InCD\NBHGui.exe" [2009-10-16 1600816]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]
.
c:\documents and settings\Anthony Parise\Start Menu\Programs\Startup\
NumLocker.lnk - c:\program files\Numlocker\NumLocker.exe [2008-8-23 230891]
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2010-8-10 49321]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2010-3-28 36864]
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeStartMenu"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-11 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-01-29 21:17 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Documents and Settings\\Anthony Parise\\My Documents\\Downloads\\portable\\hfs.exe"=
"c:\\UniServer\\usr\\local\\apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Palm\\Hotsync.exe"=
"c:\\Program Files\\gnucash\\bin\\gnucash-bin.exe"=
"c:\\Program Files\\gnucash\\bin\\gconfd-2.exe"=
"c:\\UniServer\\usr\\local\\mysql\\bin\\mysqld-opt.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\MirandaPortable\\App\\miranda\\miranda32.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"g:\\PortableApps\\Simple Port Forwarding\\spf.exe"=
"e:\\PortableApps\\Simple Port Forwarding\\spf.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"5190:TCP"= 5190:TCP:AIM
"4504:TCP"= 4504:TCP:Miranda1
"4505:TCP"= 4505:TCP:Miranda2
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 7:13 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 3:03 PM 32592]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [9/17/2011 10:46 PM 14776]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 5:41 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [4/4/2011 11:59 PM 295248]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 1:25 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67664]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [4/10/2010 3:18 PM 154416]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [4/10/2010 3:17 PM 33072]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/29/2010 12:48 PM 116608]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [3/23/2010 4:19 AM 68136]
R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [5/4/2010 11:07 AM 503080]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Tools\InCD\NBHRegInCDSrv.exe [10/16/2009 9:44 AM 53560]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [7/3/2010 3:56 PM 22016]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [4/14/2011 8:28 PM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 6:53 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 6:53 AM 16720]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [3/25/2010 7:06 PM 101680]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [7/15/2011 5:08 PM 113456]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 5:25 AM 4433248]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2010 7:27 PM 136176]
S2 TVService;TVService;c:\program files\Team MediaPortal\MediaPortal TV Server\TvService.exe [5/8/2009 5:36 PM 192512]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [7/3/2010 3:37 PM 20160]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\ANTHON~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\ANTHON~1\LOCALS~1\Temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [3/23/2010 4:24 AM 1684736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2010 7:27 PM 136176]
S3 PORTMON;PORTMON;\??\c:\program files\portmon\PORTMSYS.SYS --> c:\program files\portmon\PORTMSYS.SYS [?]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [7/3/2010 3:56 PM 29440]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [7/3/2010 3:56 PM 17536]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [7/31/2011 11:30 AM 47176]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [7/31/2011 11:30 AM 58112]
S3 SIVDRIVER;SIV Kernel Driver;c:\windows\system32\drivers\SIVX32.sys [3/29/2010 7:25 PM 49656]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-06 00:27]
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-06 00:27]
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1220945662-839522115-1003Core.job
- c:\documents and settings\Anthony Parise\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 20:42]
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1220945662-839522115-1003UA.job
- c:\documents and settings\Anthony Parise\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 20:42]
.
2012-02-26 c:\windows\Tasks\SmartDefrag_Startup.job
- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-09-18 14:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Anthony Parise\Application Data\Mozilla\Firefox\Profiles\6gtwqq77.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-26 15:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fd,f5,b9,34,be,ad,0f,46,87,4b,90,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fd,f5,b9,34,be,ad,0f,46,87,4b,90,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1084)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'explorer.exe'(1724)
c:\program files\Nero\Tools\InCD\NBHshx.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-02-26 16:02:40
ComboFix-quarantined-files.txt 2012-02-26 21:02
ComboFix2.txt 2012-02-26 03:46
.
Pre-Run: 431,865,937,920 bytes free
Post-Run: 431,950,196,736 bytes free
.
- - End Of File - - 9E12291AC08BE96AEA3931ED2DC6DA8D
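
A note on the firewall-policy lines in the ComboFix log above, with an added example that is not part of this thread, of ComboFix, or of the helper's instructions. ComboFix hides default entries under Reg Loading Points, so every value it does print is a deliberate change from the XP defaults: here the Windows Firewall is off for the standard profile, its block notifications are suppressed, both Security Center overrides are set (so the AV/firewall status warnings are silenced), and 5900/5800 TCP are opened to all sources. The script below parses that REGEDIT4-style text and lists those weaknesses. The sample input is copied from the log above; the rule thresholds (which roots count as trusted, which folder names count as user-writable) are the example's own assumptions.

```python
"""Assess the Windows Firewall and Security Center entries in a ComboFix log.

Added example for this thread; it is not part of ComboFix, HijackThis or the
helper's instructions. ComboFix prints the 'Reg Loading Points' section in
REGEDIT4 style and omits default values, so every line that does appear is a
deliberate change from the XP defaults. The rules below flag the ones that
weaken the host: firewall off, block notifications suppressed, Security
Center overrides that hide the AV/firewall warnings, ports opened to every
source, and firewall exceptions for binaries outside Program Files/Windows.
"""
import re

# Sample input: the firewall-policy lines copied from the ComboFix log above
# (registry-export notation, so backslashes inside value names appear doubled).
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Documents and Settings\\Anthony Parise\\My Documents\\Downloads\\portable\\hfs.exe"=
"g:\\PortableApps\\Simple Port Forwarding\\spf.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')

SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
FW_PROFILE = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
# Assumptions of this example: roots that are admin-only on a default XP
# install, and path fragments that mean "any local user can swap the binary".
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\", "%windir%\\")
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "portableapps")


def parse_reg_points(text):
    """Return {key_path_lowercased: {value_name: value_data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name").replace("\\\\", "\\")  # undo REGEDIT4 escaping
            keys[current][name] = m.group("data").strip()
    return keys


def assess_firewall(keys):
    """Return human-readable findings, in the order the log lists them."""
    findings = []
    sc = keys.get(SECURITY_CENTER, {})
    for name in ("AntiVirusOverride", "FirewallOverride"):
        if sc.get(name, "").endswith("00000001"):
            findings.append(f"Security Center {name}=1: its status warning is silenced")
    prof = keys.get(FW_PROFILE, {})
    if prof.get("EnableFirewall", "").startswith("0"):
        findings.append("Windows Firewall disabled for the standard profile")
    if prof.get("DisableNotifications", "").startswith("1"):
        findings.append("Firewall block notifications suppressed")
    for port, data in keys.get(FW_PROFILE + r"\globallyopenports\list", {}).items():
        label = data.split(":")[-1]
        findings.append(f"Port {port} open to all sources ({label})")
    for app in keys.get(FW_PROFILE + r"\authorizedapplications\list", {}):
        low = app.lower()
        if any(tok in low for tok in USER_WRITABLE) or not low.startswith(TRUSTED_ROOTS):
            findings.append(f"Firewall exception for a binary outside Program Files/Windows: {app}")
    return findings


def triage(text):
    return assess_firewall(parse_reg_points(text))


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(" -", finding)
```

Two caveats when reading the output against the log above. With EnableFirewall=0 the exception lists are moot: every listening service on the box (the VNC server on 5900/5800, plus the Apache, MySQL and HFS instances in the exceptions list) is reachable from wherever the machine is plugged in. And these entries look like the owner's own choices rather than malware, so the right fix is to re-enable the firewall and re-add only the exceptions that are still wanted, not to delete them blindly.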

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:26 AM

Posted 27 February 2012 - 12:18 AM

These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a much better job).

Programs to remove

Java DB 10.5.3.0
Java Runtime 1.5.0_03 for Borland COM APIs
Java™ 6 Update 31
Java™ SE Development Kit 6 Update 23
Search-Results Toolbar


  • Please download and install Revo Uninstaller Free.
  • Double-click Revo Uninstaller to run it.
  • From the list of programs, double-click on the program to remove.
  • When prompted if you want to uninstall, click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run; if prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes, then Next.
  • Once done, click Finish.



Install Java:

Please go here to install Java

  • Click on the Free Java Download button.
  • Click on Agree and Start Free Download.
  • Click on Run.
  • Click on Run again.
  • Click on Install.
  • When the install is complete, click on Close.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Malwarebytes' Anti-Malware:

  • I would like you to rerun MBAM.
  • Double-click the MBAM icon.
  • Go to the Update tab at the top.
  • Click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked (ticked) except items in the C:\System Volume Information folder, and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...).

  • Go here to download the HijackThis Installer.
  • Save the HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Windows 7: right-click and run as admin.)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a log file button. It will scan, and the log should open in Notepad.
  • Click on Edit > Select All, then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 Carolinus

Carolinus
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:26 PM

Posted 27 February 2012 - 03:58 PM

I was getting an error from the Java scheduler before removing and re-installing. Nothing since.

When TFC tried to reboot, the computer froze on the shut-down screen, and had to be manually restarted.


Logs follow:
-----------------------------------------------
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.27.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Anthony Parise :: POSEIDON [administrator]

2/27/2012 3:36:58 PM
mbam-log-2012-02-27 (15-36-58).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 202616
Time elapsed: 13 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:51:50 PM, on 2/27/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Tools\InCD\InCDSrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\IObit\Smart Defrag 2\SmartDefrag.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Nero\Tools\InCD\InCD.exe
C:\Program Files\Nero\Tools\InCD\NBHGui.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Rainlender\Rainlendar2.exe
C:\Program Files\Free Vector Clocks\VectorClock-CrossGL.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Numlocker\NumLocker.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\PuzzleCollectionPortable\PuzzleCollectionPortable.exe
C:\Program Files\PuzzleCollectionPortable\App\Puzzles\pattern.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Anthony Parise\My Documents\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Tools\InCD\InCD.exe
O4 - HKLM\..\Run: [NBHGui] C:\Program Files\Nero\Tools\InCD\NBHGui.exe
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlender\Rainlendar2.exe
O4 - HKCU\..\Run: [Free Vector Clocks\Vector-Clock_VectorClock-CrossGL] "C:\Program Files\Free Vector Clocks\VectorClock-CrossGL.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe (User 'Default user')
O4 - Startup: NumLocker.lnk = C:\Program Files\Numlocker\NumLocker.exe
O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: pidgin.lnk = C:\Program Files\Pidgin\pidgin.exe
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://192.168.1.1
O15 - ESC Trusted IP range: http://192.168.1.1
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDSrv) - Nero AG - C:\Program Files\Nero\Tools\InCD\InCDSrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: @C:\Program Files\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Program Files\Nero\Update\NASvc.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Nero AG - C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe
O23 - Service: TVService - Team MediaPortal - C:\Program Files\Team MediaPortal\MediaPortal TV Server\TVService.exe

--
End of file - 8722 bytes
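
The R3 URLSearchHook entry marked "(no file)" and the O15 Trusted IP range line in the HijackThis log above are the kind of entries the helper asks readers to check by hand before fixing anything. As an added example (not code from HijackThis, from this thread, or from the helper), the script below encodes those hand checks as rules over HijackThis lines: registered entries whose file is gone, startup shortcuts HijackThis could not resolve, autostart targets in user-writable folders, services with no publisher, and hosts added to Internet Explorer's Trusted zone. The sample input mixes lines copied from the log above with one constructed O4 line pointing at a Temp folder (the "updater.exe" entry is made up for the example); which roots count as trusted is the example's own assumption.

```python
"""Triage HijackThis lines for leftovers and risky entries.

Added example for this thread; it is not code from HijackThis or from the
helper's instructions. HijackThis only lists entries, and the advice above
is to read them by hand. These rules encode the hand checks: entries whose
target file is gone (typical leftover of an uninstalled toolbar), shortcuts
HijackThis could not resolve, autostart targets in user-writable folders,
services with no publisher, and hosts added to IE's Trusted zone.
"""
import re

# Constructed sample: lines copied from the HijackThis log above, plus one
# hypothetical O4 line (an autostart from a Temp folder) so that the
# user-writable-path rule has something to match. 'updater.exe' is made up.
SAMPLE = r"""
R3 - URLSearchHook: (no name) - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - (no file)
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\updater.exe
O4 - Global Startup: GammaTray.lnk = ?
O15 - Trusted IP range: http://192.168.1.1
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# A drive-letter path ending in a loadable file type; surrounding quotes optional.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|sys|cpl|ocx))"?', re.IGNORECASE)
# Assumptions of this example: admin-only roots on a default XP install, and
# folder names that any local user (or a drive-by download) can write to.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\users\\", "\\application data\\")


def target_path(body):
    """Return the last file path mentioned on a HijackThis line, or None."""
    matches = PATH_RE.findall(body)
    return matches[-1] if matches else None


def triage_hjt(text):
    """Return (kind, reason, line) tuples for lines that deserve a look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if "(no file)" in body:
            findings.append((kind, "orphaned entry: registered but its file is missing", line))
            continue
        if kind == "O4" and body.endswith("= ?"):
            findings.append((kind, "startup shortcut whose target could not be resolved", line))
            continue
        if kind == "O15":
            findings.append((kind, "host in IE Trusted zone: relaxed script/ActiveX policy", line))
            continue
        if kind == "O23" and "Unknown owner" in body:
            findings.append((kind, "service binary without a publisher name", line))
        path = target_path(body)
        if path:
            low = path.lower()
            if any(tok in low for tok in USER_WRITABLE) or not low.startswith(TRUSTED_ROOTS):
                findings.append((kind, "target outside Program Files/Windows", line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage_hjt(SAMPLE):
        print(f"{kind}: {reason}\n    {line}")
```

An orphaned hook like the R3 line above, whose CLSID no longer maps to a file, is what an uninstalled toolbar typically leaves behind and is safe to fix; it cannot load anything. The O15 and O23 hits are prompts to verify, not verdicts: a Trusted zone entry for a router's address may well be the owner's own doing, and "Unknown owner" only means the binary carries no publisher string. The rules are deliberately conservative so that legitimate entries in Program Files, like the AVG lines, produce no noise.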

#12 gringo_pr (Malware Response Team)

Posted 27 February 2012 - 05:38 PM

Greetings

These logs are looking very good; we are almost done!!! Just one more scan to go.

Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; any of these programs you can start from their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...).

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
      O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
      O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
      O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Tools\InCD\InCD.exe
      O4 - HKLM\..\Run: [NBHGui] C:\Program Files\Nero\Tools\InCD\NBHGui.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlender\Rainlendar2.exe
      O4 - HKCU\..\Run: [Free Vector Clocks\Vector-Clock_VectorClock-CrossGL] "C:\Program Files\Free Vector Clocks\VectorClock-CrossGL.exe"
      O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe (User 'Default user')
      O4 - Startup: NumLocker.lnk = C:\Program Files\Numlocker\NumLocker.exe
      O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
      O4 - Startup: pidgin.lnk = C:\Program Files\Pidgin\pidgin.exe
      O4 - Global Startup: GammaTray.lnk = ?
      O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not;
    just copy the name between the brackets and paste it into the search space, e.g.
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select Run as administrator.

ESET Online Scanner

**Note** You will need to use Internet Explorer for this scan. Vista and Windows 7: right-click on the IE shortcut and run as admin.

Go to the ESET web page to run the online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Click on the ESET Online Scanner button.
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start.
  • When asked, allow the ActiveX control to install.
    • Click Start.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, and ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan.
  • Wait for the scan to finish.
  • Click on Copy to clipboard, or copy and paste the results here in this topic.

Copy and paste that log as a reply to this topic

Gringo

#13 Carolinus (Topic Starter)

Posted 28 February 2012 - 02:45 PM

I didn't remove any of the autorun programs, because I wanted some, and didn't have the time to deliberate on the others.

The ESET scan took a long time. I went to bed after 5 hours. The result follows:

------------------------------------------

C:\Documents and Settings\Anthony Parise\My Documents\Downloads\sd2-setup220.exe a variant of Win32/Toolbar.Widgi application
C:\Documents and Settings\Anthony Parise\My Documents\Downloads\UBCD4WinV360.exe Win32/PrcView application
C:\Documents and Settings\Anthony Parise\My Documents\Downloads\portable\hfs.exe a variant of Win32/Server-Web.HFS.A application
C:\Documents and Settings\Anthony Parise\My Documents\Downloads\portable\picpick_inst.exe Win32/OpenCandy application
C:\Documents and Settings\Anthony Parise\My Documents\Downloads\portable\ProcNetMonitor.zip a variant of Win32/SecurityXploded.A application
C:\Documents and Settings\Anthony Parise\My Documents\Downloads\SecurityExploded\SpyBHORemover.zip a variant of Win32/SecurityXploded.A application
C:\flash\Documents\Downloads\Spyware\SDFix.exe Win32/PrcView application
C:\flash\PortableApps\SpyBHORemover\SpyBHORemover.exe a variant of Win32/SecurityXploded.A application
C:\UBCD4Win\UBCD4WinBuilder.iso Win32/PrcView application
C:\UBCD4Win\BartPE\PROGRAMS\sdfix\SDFix.exe Win32/PrcView application
C:\UBCD4Win\plugin\Cleanup Tools\SDFix\SDFix.exe Win32/PrcView application

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:26 AM

Posted 29 February 2012 - 08:17 AM

Hello

There are some minor things in your online scan that should be removed.


delete files

  • Copy all text in the quote box (below)...to Notepad.

    @echo off
    del /f /s /q "C:\Documents and Settings\Anthony Parise\My Documents\Downloads\sd2-setup220.exe"
    del /f /s /q "C:\Documents and Settings\Anthony Parise\My Documents\Downloads\UBCD4WinV360.exe"
    del /f /s /q "C:\Documents and Settings\Anthony Parise\My Documents\Downloads\portable\hfs.exe"
    del /f /s /q "C:\Documents and Settings\Anthony Parise\My Documents\Downloads\portable\picpick_inst.exe"
    del /f /s /q "C:\Documents and Settings\Anthony Parise\My Documents\Downloads\portable\ProcNetMonitor.zip"
    del /f /s /q "C:\Documents and Settings\Anthony Parise\My Documents\Downloads\SecurityExploded\SpyBHORemover.zip"
    del /f /s /q "C:\flash\Documents\Downloads\Spyware\SDFix.exe"
    del /f /s /q "C:\flash\PortableApps\SpyBHORemover\SpyBHORemover.exe"
    del /f /s /q "C:\UBCD4Win\UBCD4WinBuilder.iso"
    del /f /s /q "C:\UBCD4Win\BartPE\PROGRAMS\sdfix\SDFix.exe"
    del /f /s /q "C:\UBCD4Win\plugin\Cleanup Tools\SDFix\SDFix.exe"
    del %0

  • Save the Notepad file on your desktop as delfile.bat, with the save type set to "All Files".
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.


The rest of the online scan is only reporting backups created during the course of this fix (C:\Qoobox\Quarantine\) and/or items located in System Restore's cache (C:\System Volume Information\). Whatever is in these folders can't harm you unless you choose to perform a manual restore. The following steps will remove these backups.


Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use; I would keep this and use it before you do any scans or when you want to free up some space.

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:

  • turn off all active protection software
  • push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.


:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


:Make Firefox more secure:

please visit this page, which explains how to make Firefox more secure - How to Secure Firefox


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector.


:Turn On Automatic Updates:

Turn On Automatic Updates
1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select "Automatic (recommended): Automatically download recommended updates for my computer and install them".

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

or visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

  • WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

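As an added example (not part of gringo_pr's instructions or any BleepingComputer tool), here is a PowerShell alternative to the delfile.bat step above: instead of deleting the ESET detections outright, it moves each listed file into a quarantine folder, renames it so it cannot be double-clicked, and records its SHA-256 and original path in a manifest, so a detection that turns out to be a legitimate utility (the PrcView-based helper tools are a typical case) can be put back. The file paths are the ones ESET reported in this thread; the quarantine folder and manifest name are assumptions, and only .NET classes available on Windows XP-era PowerShell are used.

```powershell
# Added example, not from the thread: quarantine ESET detections instead of deleting them.
# Paths below are the ones ESET reported; the quarantine location is an assumed choice.
$files = @(
  "C:\Documents and Settings\Anthony Parise\My Documents\Downloads\sd2-setup220.exe",
  "C:\Documents and Settings\Anthony Parise\My Documents\Downloads\UBCD4WinV360.exe",
  "C:\Documents and Settings\Anthony Parise\My Documents\Downloads\portable\hfs.exe",
  "C:\Documents and Settings\Anthony Parise\My Documents\Downloads\portable\picpick_inst.exe",
  "C:\Documents and Settings\Anthony Parise\My Documents\Downloads\portable\ProcNetMonitor.zip",
  "C:\Documents and Settings\Anthony Parise\My Documents\Downloads\SecurityExploded\SpyBHORemover.zip",
  "C:\flash\Documents\Downloads\Spyware\SDFix.exe",
  "C:\flash\PortableApps\SpyBHORemover\SpyBHORemover.exe",
  "C:\UBCD4Win\UBCD4WinBuilder.iso",
  "C:\UBCD4Win\BartPE\PROGRAMS\sdfix\SDFix.exe",
  "C:\UBCD4Win\plugin\Cleanup Tools\SDFix\SDFix.exe"
)
$quarantine = "C:\Quarantine_ESET"                 # assumed folder; any local path works
$manifest   = Join-Path $quarantine "manifest.txt"  # assumed name: hash, new name, original path

if (-not (Test-Path -LiteralPath $quarantine)) {
    New-Item -ItemType Directory -Path $quarantine | Out-Null
}

# SHA-256 via .NET so the script does not depend on Get-FileHash (PowerShell 4+).
function Get-Sha256Hex([string]$path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace("-", "")
}

$n = 0
foreach ($f in $files) {
    # Skip paths that are already gone (deleted by hand, or never present on this machine).
    if (-not (Test-Path -LiteralPath $f)) { Write-Host "not found: $f"; continue }
    $hash = Get-Sha256Hex $f
    $n++
    # Numbered name plus a neutral extension: no two detections collide, and nothing is executable.
    $dest = Join-Path $quarantine ("{0:D3}_{1}.quarantined" -f $n, (Split-Path -Leaf $f))
    Move-Item -LiteralPath $f -Destination $dest
    # Tab-separated manifest line; the hash lets you check the file later against the vendor's detection.
    Add-Content -Path $manifest -Value ("{0}`t{1}`t{2}" -f $hash, $dest, $f)
    Write-Host "quarantined: $f"
}
Write-Host "$n file(s) moved to $quarantine; see $manifest"
```

To restore a file later judged to be a false positive, Move-Item the quarantined copy back to the original path recorded on its manifest line; once you are satisfied nothing legitimate was caught, the whole quarantine folder can be deleted.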

#15 Carolinus

Carolinus
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:26 PM

Posted 29 February 2012 - 04:01 PM

I have an issue removing the following:


del /f /s /q "C:\UBCD4Win\UBCD4WinBuilder.iso"
del /f /s /q "C:\UBCD4Win\BartPE\PROGRAMS\sdfix\SDFix.exe"
del /f /s /q "C:\UBCD4Win\plugin\Cleanup Tools\SDFix\SDFix.exe"

These are files used with the Ultimate Boot CD. Can I leave them alone?

One other issue, which I thought was unrelated. I have Borland Developer Studio, and the Help system stopped working while I was scanning, prior to your help. Is this unrelated?


Carolinus



