Curing My JS/Blacole Infection


  • This topic is locked
24 replies to this topic

#1 thaiguy

Posted 27 February 2012 - 07:11 PM

Hi Guys! This is my first post, though my techie brother has sent me to the forum before as a lurker when things got hairy with my computer.

I did a scan with my built-in Windows anti-virus (I'm on a borrowed old parental computer while visiting from out of town and can't install better software, as my parents are old and easily confused) and found a few different problems. The first is the JS/Blacole threat. So far, I've followed the download and scan advice from this thread http://www.bleepingcomputer.com/forums/topic437970.html/page__st__15. That advice then sent me to this topic, http://www.bleepingcomputer.com/forums/topic34773.html, and asked me to begin with Step #6, which asks that I perform some scans and then post the results for further advice on how to remove the infection.

So here are my results, for which I'd appreciate advice on how to eliminate the invader.

1) Defogger found nothing
a) defogger_disable by jpshortstuff (23.02.10.1)
Log created at 00:35 on 27/02/2012 (MLW)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

b) defogger_enable by jpshortstuff (23.02.10.1)
Log created at 00:38 on 27/02/2012 (MLW)

Parsing file...

-=E.O.F=-

2) The DDS check

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by MLW at 0:39:28 on 2012-02-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.339 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Documents and Settings\MLW\Application Data\dplaysvr.exe
C:\WINDOWS\Temp\_ex-68.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
c:\Program Files\Microsoft Silverlight\4.0.60831.0\Silverlight.Configuration.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\MLW\Desktop\Defogger.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ww2.cox.com/myconnection/orangecounty/home.cox
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 10\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 10\SnagitIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LTMSG] LTMSG.exe 7
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [MozillaAgent] c:\windows\temp\_ex-68.exe
mRun: [MozillaAgent] c:\windows\temp\_ex-68.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1255984811046
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256004963406
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{13E50CE5-435C-4C6D-85B9-C46B2E975B75} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{AC34C92C-EDA1-431D-9344-03A877F1AA11} : DhcpNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mlw\application data\mozilla\firefox\profiles\vt6z0ni7.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]
R1 MpKslffa294be;MpKslffa294be;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4890f7f0-4d1e-425f-bded-941ac0ee53b6}\MpKslffa294be.sys [2012-2-26 29904]
R3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2012-2-25 50704]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-1-31 158856]
.
=============== Created Last 30 ================
.
2012-02-26 18:58:16 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4890f7f0-4d1e-425f-bded-941ac0ee53b6}\offreg.dll
2012-02-26 18:58:14 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4890f7f0-4d1e-425f-bded-941ac0ee53b6}\MpKslffa294be.sys
2012-02-26 04:32:44 41680 ----a-w- c:\windows\system32\drivers\dmuzhdia.sys
2012-02-26 04:30:23 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2012-02-26 04:30:23 281104 ----a-w- c:\windows\system32\wpcap.dll
2012-02-26 04:30:23 100880 ----a-w- c:\windows\system32\Packet.dll
2012-02-25 20:34:37 6552120 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4890f7f0-4d1e-425f-bded-941ac0ee53b6}\mpengine.dll
2012-02-09 07:11:01 -------- d-----w- c:\documents and settings\mlw\application data\Windows Search
2012-02-08 00:28:03 -------- d-----w- c:\program files\FLAC
2012-02-08 00:22:37 33540 ----a-w- c:\windows\system32\CoreFLACDecoder-uninstall.exe
2012-02-07 23:15:24 -------- d-----w- c:\program files\SlySoft
2012-02-07 23:13:40 -------- d-----w- c:\windows\system32\custom matrices
2012-02-07 23:13:28 -------- d-----w- c:\windows\system32\C2MP
2012-02-07 06:49:07 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2012-02-07 06:49:07 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-02-07 06:48:49 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2012-02-07 06:48:49 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2012-02-06 04:54:04 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2012-02-06 04:54:04 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2012-02-06 04:54:04 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2012-02-06 04:54:04 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2012-02-06 04:54:04 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2012-02-06 04:54:04 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2012-02-06 04:54:04 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2012-02-06 04:51:32 -------- d-----w- c:\documents and settings\mlw\local settings\application data\Apple
2012-02-06 04:51:07 -------- d-----w- c:\documents and settings\mlw\local settings\application data\Apple Computer
2012-02-03 07:43:40 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-02-03 07:43:40 -------- d-----w- c:\windows\system32\wbem\Repository
2012-02-03 01:48:53 -------- d-----w- c:\documents and settings\all users\application data\LogMeIn
2012-02-03 01:46:35 -------- d-----w- c:\program files\LogMeIn
2012-02-02 21:11:35 -------- d-----w- c:\documents and settings\mlw\application data\GetRightToGo
.
==================== Find3M ====================
.
2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-25 10:02:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-09 20:03:22 3478016 ----a-w- c:\windows\system32\ffdshow.ax
2012-01-09 20:00:48 4346880 ----a-w- c:\windows\system32\ffmpeg.dll
2012-01-07 22:22:08 460800 ----a-w- c:\windows\system32\LAVSplitter.ax
2012-01-07 22:22:04 448000 ----a-w- c:\windows\system32\LAVVideo.ax
2012-01-07 22:22:04 212992 ----a-w- c:\windows\system32\LAVAudio.ax
2012-01-07 22:22:00 172032 ----a-w- c:\windows\system32\libbluray.dll
2012-01-07 22:21:50 6366094 ----a-w- c:\windows\system32\avcodec-lav-53.dll
2012-01-07 22:21:50 354979 ----a-w- c:\windows\system32\swscale-lav-2.dll
2012-01-07 22:21:50 203306 ----a-w- c:\windows\system32\avutil-lav-51.dll
2012-01-07 22:21:50 138727 ----a-w- c:\windows\system32\avfilter-lav-2.dll
2012-01-07 22:21:50 1007151 ----a-w- c:\windows\system32\avformat-lav-53.dll
2012-01-07 22:20:24 142336 ----a-w- c:\windows\system32\IntelQuickSyncDecoder.dll
2011-12-20 18:50:04 79360 ----a-w- c:\windows\system32\ff_vfw.dll
2011-12-20 18:49:56 99328 ----a-w- c:\windows\system32\ff_wmv9.dll
2011-12-20 18:49:54 158720 ----a-w- c:\windows\system32\ff_unrar.dll
2011-12-20 18:49:54 146944 ----a-w- c:\windows\system32\ff_libmad.dll
2011-12-20 18:49:52 212480 ----a-w- c:\windows\system32\ff_libdts.dll
2011-12-20 18:49:52 1525248 ----a-w- c:\windows\system32\ff_samplerate.dll
2011-12-20 18:49:52 115200 ----a-w- c:\windows\system32\ff_liba52.dll
2011-12-20 18:49:50 328704 ----a-w- c:\windows\system32\ff_libfaad2.dll
2011-12-20 18:49:50 260608 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2011-12-20 18:49:50 137728 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2011-12-07 19:32:24 216064 ----a-w- c:\windows\system32\Lagarith.dll
.
============= FINISH: 0:41:53.53 ===============

3) The GMER/ARK check

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-27 01:06:57
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD12 rev.17.0
Running: gmer.exe; Driver: C:\DOCUME~1\MLW\LOCALS~1\Temp\pflcikob.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\MLW\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[308] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\NOTEPAD.EXE[340] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00951890 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\NOTEPAD.EXE[340] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 00951960 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\NOTEPAD.EXE[340] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 009515F0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\NOTEPAD.EXE[340] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00951690 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\NOTEPAD.EXE[340] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 00951A90 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\NOTEPAD.EXE[340] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00951B70 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\NOTEPAD.EXE[340] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 009519D0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\NOTEPAD.EXE[340] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 00951A40 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\NOTEPAD.EXE[340] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 009516C0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[356] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 01031890 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[356] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 01031960 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[356] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 010315F0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[356] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01031690 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[356] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 01031A90 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[356] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 01031B70 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[356] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 010319D0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[356] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 01031A40 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[356] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 010316C0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[356] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 106C01A3 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[356] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 106C0135 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[356] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 10450924 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[356] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10450ECF C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 00A8380D
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\WINDOWS\System32\svchost.exe[1116] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00A8447F
.text C:\WINDOWS\System32\svchost.exe[1116] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 00A844CE
.text C:\WINDOWS\System32\svchost.exe[1116] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 00A8452E
.text C:\WINDOWS\System32\svchost.exe[1116] USER32.dll!IsWindowVisible 7E429E3D 5 Bytes JMP 00A84555
.text C:\WINDOWS\System32\svchost.exe[1116] USER32.dll!MessageBoxIndirectW 7E4664D5 6 Bytes [33, C0, 40, C2, 04, 00] {XOR EAX, EAX; INC EAX; RET 0x4}
.text C:\WINDOWS\System32\svchost.exe[1116] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 00A845AF
.text C:\WINDOWS\System32\svchost.exe[1116] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00A84419
.text C:\WINDOWS\LTMSG.exe[1176] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00BF1890 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\LTMSG.exe[1176] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 00BF1960 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\LTMSG.exe[1176] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00BF15F0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\LTMSG.exe[1176] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00BF1690 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\LTMSG.exe[1176] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 00BF1A90 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\LTMSG.exe[1176] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00BF1B70 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\LTMSG.exe[1176] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 00BF19D0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\LTMSG.exe[1176] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 00BF1A40 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\LTMSG.exe[1176] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 00BF16C0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1236] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00CA1890 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1236] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 00CA1960 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1236] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00CA15F0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1236] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00CA1690 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1236] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 00CA1A90 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1236] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00CA1B70 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1236] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 00CA19D0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1236] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 00CA1A40 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1236] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 00CA16C0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[1328] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 026A1890 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[1328] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 026A1960 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[1328] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 026A15F0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[1328] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 026A1690 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[1328] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 026A1A90 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[1328] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 026A1B70 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[1328] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 026A19D0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[1328] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 026A1A40 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[1328] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 026A16C0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1384] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 01031890 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1384] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 01031960 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1384] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 010315F0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1384] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01031690 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1384] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 01031A90 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1384] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 01031B70 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1384] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 010319D0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1384] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 01031A40 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1384] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 010316C0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1384] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10450ECF C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Microsoft Security Client\msseces.exe[1408] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 01B41890 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Microsoft Security Client\msseces.exe[1408] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 01B41960 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Microsoft Security Client\msseces.exe[1408] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 01B415F0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Microsoft Security Client\msseces.exe[1408] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01B41690 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Microsoft Security Client\msseces.exe[1408] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 01B41A90 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Microsoft Security Client\msseces.exe[1408] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 01B41B70 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Microsoft Security Client\msseces.exe[1408] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 01B419D0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Microsoft Security Client\msseces.exe[1408] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 01B41A40 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Microsoft Security Client\msseces.exe[1408] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 01B416C0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Documents and Settings\MLW\Application Data\dplaysvr.exe[2056] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00981890 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Documents and Settings\MLW\Application Data\dplaysvr.exe[2056] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 00981960 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Documents and Settings\MLW\Application Data\dplaysvr.exe[2056] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 009815F0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Documents and Settings\MLW\Application Data\dplaysvr.exe[2056] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00981690 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Documents and Settings\MLW\Application Data\dplaysvr.exe[2056] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 00981A90 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Documents and Settings\MLW\Application Data\dplaysvr.exe[2056] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00981B70 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Documents and Settings\MLW\Application Data\dplaysvr.exe[2056] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 009819D0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Documents and Settings\MLW\Application Data\dplaysvr.exe[2056] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 00981A40 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Documents and Settings\MLW\Application Data\dplaysvr.exe[2056] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 009816C0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[2076] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 01491890 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[2076] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 01491960 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[2076] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 014915F0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[2076] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01491690 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[2076] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 01491A90 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[2076] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 01491B70 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[2076] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 014919D0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[2076] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 01491A40 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[2076] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 014916C0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\ctfmon.exe[2088] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00BD1890 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\ctfmon.exe[2088] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 00BD1960 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\ctfmon.exe[2088] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00BD15F0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\ctfmon.exe[2088] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00BD1690 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\ctfmon.exe[2088] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 00BD1A90 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\ctfmon.exe[2088] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00BD1B70 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\ctfmon.exe[2088] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 00BD19D0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\ctfmon.exe[2088] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 00BD1A40 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\ctfmon.exe[2088] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 00BD16C0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Skype\Phone\Skype.exe[2408] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 02941890 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Skype\Phone\Skype.exe[2408] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 02941960 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Skype\Phone\Skype.exe[2408] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 029415F0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Skype\Phone\Skype.exe[2408] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 02941690 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Skype\Phone\Skype.exe[2408] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 02941A90 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Skype\Phone\Skype.exe[2408] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 02941B70 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Skype\Phone\Skype.exe[2408] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 029419D0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Skype\Phone\Skype.exe[2408] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 02941A40 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Skype\Phone\Skype.exe[2408] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 029416C0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text c:\Program Files\Microsoft Silverlight\4.0.60831.0\Silverlight.Configuration.exe[2660] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00921890 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text c:\Program Files\Microsoft Silverlight\4.0.60831.0\Silverlight.Configuration.exe[2660] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 00921960 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text c:\Program Files\Microsoft Silverlight\4.0.60831.0\Silverlight.Configuration.exe[2660] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 009215F0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text c:\Program Files\Microsoft Silverlight\4.0.60831.0\Silverlight.Configuration.exe[2660] ntdll.dll!LdrLoadDll 7C91632D 3 Bytes JMP 00921690 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text c:\Program Files\Microsoft Silverlight\4.0.60831.0\Silverlight.Configuration.exe[2660] ntdll.dll!LdrLoadDll + 4 7C916331 1 Byte [84]
.text c:\Program Files\Microsoft Silverlight\4.0.60831.0\Silverlight.Configuration.exe[2660] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 00921A90 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text c:\Program Files\Microsoft Silverlight\4.0.60831.0\Silverlight.Configuration.exe[2660] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00921B70 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text c:\Program Files\Microsoft Silverlight\4.0.60831.0\Silverlight.Configuration.exe[2660] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 009219D0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text c:\Program Files\Microsoft Silverlight\4.0.60831.0\Silverlight.Configuration.exe[2660] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 00921A40 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text c:\Program Files\Microsoft Silverlight\4.0.60831.0\Silverlight.Configuration.exe[2660] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 009216C0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\taskmgr.exe[3848] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00B71890 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\taskmgr.exe[3848] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 00B71960 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\taskmgr.exe[3848] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00B715F0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\taskmgr.exe[3848] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00B71690 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\taskmgr.exe[3848] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 00B71A90 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\taskmgr.exe[3848] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00B71B70 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\taskmgr.exe[3848] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 00B719D0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\taskmgr.exe[3848] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 00B71A40 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\taskmgr.exe[3848] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00B716C0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4016] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00951890 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4016] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 00951960 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4016] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 009515F0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4016] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 013F5B60 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4016] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 00951A90 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4016] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00951B70 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4016] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 009519D0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4016] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 00951A40 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4016] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 009516C0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\rundll32.exe[4516] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00A51890 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\rundll32.exe[4516] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 00A51960 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\rundll32.exe[4516] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00A515F0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\rundll32.exe[4516] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00A51690 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\rundll32.exe[4516] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 00A51A90 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\rundll32.exe[4516] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00A51B70 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\rundll32.exe[4516] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 00A519D0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\rundll32.exe[4516] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 00A51A40 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\WINDOWS\system32\rundll32.exe[4516] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 00A516C0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\PROGRA~1\WINZIP\winzip32.exe[5216] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00C11890 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\PROGRA~1\WINZIP\winzip32.exe[5216] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 00C11960 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\PROGRA~1\WINZIP\winzip32.exe[5216] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00C115F0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\PROGRA~1\WINZIP\winzip32.exe[5216] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00C11690 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\PROGRA~1\WINZIP\winzip32.exe[5216] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 00C11A90 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\PROGRA~1\WINZIP\winzip32.exe[5216] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00C11B70 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\PROGRA~1\WINZIP\winzip32.exe[5216] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 00C119D0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\PROGRA~1\WINZIP\winzip32.exe[5216] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 00C11A40 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text C:\PROGRA~1\WINZIP\winzip32.exe[5216] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 00C116C0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text E:\Unzipped\gmer\gmer.exe[5348] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00A01890 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text E:\Unzipped\gmer\gmer.exe[5348] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 00A01960 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text E:\Unzipped\gmer\gmer.exe[5348] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00A015F0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text E:\Unzipped\gmer\gmer.exe[5348] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00A01690 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text E:\Unzipped\gmer\gmer.exe[5348] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 00A01A90 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text E:\Unzipped\gmer\gmer.exe[5348] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00A01B70 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text E:\Unzipped\gmer\gmer.exe[5348] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 00A019D0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text E:\Unzipped\gmer\gmer.exe[5348] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 00A01A40 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)
.text E:\Unzipped\gmer\gmer.exe[5348] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 00A016C0 C:\Documents and Settings\MLW\Application Data\dplayx.dll (volmgr for Windows/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Process C:\Documents and Settings\MLW\Application Data\dplaysvr.exe (*** hidden *** ) 2056

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@dplaysvr C:\Documents and Settings\MLW\Application Data\dplaysvr.exe
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@dplaysvr C:\Documents and Settings\MLW\Application Data\dplaysvr.exe
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache@C:\Documents and Settings\MLW\Application Data\dplaysvr.exe dplaysvr

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 MBR read error
Disk \Device\Harddisk0\DR0 MBR BIOS signature not found 0

---- EOF - GMER 1.0.15 ----


#2 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:40 AM

Posted 28 February 2012 - 01:54 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as it is sometimes necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 thaiguy

  • Topic Starter

  • Members
  • 58 posts
  • Local time:06:40 AM

Posted 28 February 2012 - 04:15 AM

Hi Gringo! Thanks for showing up to help. I ran the Combofix program as you asked. The only strange part was when the program told me that there was 'no recovery console installed, and would I like to have it downloaded and installed from the internet'? As your instructions were for all other programs to be off, especially the internet, I decided to click 'no' and let it proceed.

Now that I have the log file and am looking at it, it seems it removed or tried to remove the thing - I think it calls itself MLW as it operates. I can see from Windows Task Manager that it's still very much alive and kicking, and under svchost.exe it's operating at 452,408k, which is SUPER high. I'm sure it's still up to something. This machine only has 1 G of RAM, so this is a huge chunk of brainspace for it to take up before I even open up Firefox.

Super important for me to add: there were a total of 4 infections on my machine when I started the thread on just this one Blacole problem. Here are the names of all the other infections, in case one of them may still be on my machine and Combofix has already done its job correctly.

1) JS/BlacoleRef.G
2) JS/Blacole.BY
3) Java/CVE-2011-3544
4) WinNT/Simda.gen!A


Here goes the log post. Hope you see something good in there for cleaning purposes.

ComboFix 12-02-27.02 - MLW 02/27/2012 23:35:24.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.463 [GMT -8:00]
Running from: c:\documents and settings\MLW\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\MLW\Desktop\Internet Explorer.lnk
c:\documents and settings\MLW\Local Settings\Application Data\assembly\tmp
c:\documents and settings\MLW\WINDOWS
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
-------\Service_Parameters
.
.
((((((((((((((((((((((((( Files Created from 2012-01-28 to 2012-02-28 )))))))))))))))))))))))))))))))
.
.
2012-02-28 04:56 . 2012-02-08 06:03 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7D473BB3-EC6F-49ED-8610-9BB447793712}\mpengine.dll
2012-02-28 00:19 . 2012-02-28 00:19 -------- d-----w- c:\documents and settings\MLW\Application Data\Malwarebytes
2012-02-28 00:18 . 2012-02-28 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-26 04:32 . 2012-02-26 04:32 41680 ----a-w- c:\windows\system32\drivers\dmuzhdia.sys
2012-02-26 04:30 . 2012-02-26 04:30 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2012-02-09 07:11 . 2012-02-09 07:11 -------- d-----w- c:\documents and settings\MLW\Application Data\Windows Search
2012-02-09 06:09 . 2012-02-09 06:09 -------- d-----w- c:\program files\Common Files\Skype
2012-02-08 00:28 . 2012-02-08 00:28 -------- d-----w- c:\program files\FLAC
2012-02-08 00:22 . 2012-02-08 00:22 33540 ----a-w- c:\windows\system32\CoreFLACDecoder-uninstall.exe
2012-02-07 23:15 . 2012-02-07 23:56 -------- d-----w- c:\program files\SlySoft
2012-02-07 23:13 . 2012-02-07 23:13 -------- d-----w- c:\windows\system32\custom matrices
2012-02-07 23:13 . 2012-02-07 23:46 -------- d-----w- c:\windows\system32\C2MP
2012-02-07 06:49 . 2008-04-14 01:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2012-02-07 06:49 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-02-07 06:48 . 2008-04-13 19:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2012-02-07 06:48 . 2008-04-13 19:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2012-02-06 18:08 . 2012-02-06 18:08 -------- d-----w- c:\documents and settings\MLW\Application Data\Apple Computer
2012-02-06 04:54 . 2012-02-06 04:54 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2012-02-06 04:54 . 2012-02-06 04:54 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2012-02-06 04:54 . 2012-02-06 04:54 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2012-02-06 04:54 . 2012-02-06 04:54 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2012-02-06 04:54 . 2012-02-06 04:54 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2012-02-06 04:54 . 2012-02-06 04:54 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2012-02-06 04:54 . 2012-02-06 04:54 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2012-02-06 04:52 . 2012-02-06 04:54 -------- d-----w- c:\program files\QuickTime
2012-02-06 04:52 . 2012-02-06 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2012-02-06 04:51 . 2012-02-06 04:51 -------- d-----w- c:\program files\Common Files\Apple
2012-02-06 04:51 . 2012-02-06 04:51 -------- d-----w- c:\documents and settings\MLW\Local Settings\Application Data\Apple
2012-02-06 04:51 . 2012-02-06 04:51 -------- d-----w- c:\program files\Apple Software Update
2012-02-06 04:51 . 2012-02-06 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2012-02-06 04:51 . 2012-02-06 04:51 -------- d-----w- c:\documents and settings\MLW\Local Settings\Application Data\Apple Computer
2012-02-04 05:27 . 2012-02-04 05:27 -------- d-----w- c:\documents and settings\MLW\Application Data\GRETECH
2012-02-03 07:43 . 2012-02-03 07:43 -------- d-----w- c:\windows\system32\wbem\Repository
2012-02-03 03:54 . 2012-02-03 07:39 -------- d-s---w- c:\documents and settings\Administrator
2012-02-03 03:26 . 2012-02-03 07:39 -------- d-s---w- c:\documents and settings\LogMeInRemoteUser
2012-02-03 01:48 . 2012-02-03 07:39 -------- d-----w- c:\documents and settings\All Users\Application Data\LogMeIn
2012-02-03 01:46 . 2012-02-03 07:39 -------- d-----w- c:\program files\LogMeIn
2012-02-02 21:11 . 2012-02-03 07:41 -------- d-----w- c:\documents and settings\MLW\Application Data\GetRightToGo
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 06:03 . 2010-12-14 06:04 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-31 12:44 . 2010-12-08 07:34 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-25 10:02 . 2012-01-25 08:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-09 20:03 . 2012-01-09 20:03 3478016 ----a-w- c:\windows\system32\ffdshow.ax
2012-01-09 20:00 . 2012-01-09 20:00 4346880 ----a-w- c:\windows\system32\ffmpeg.dll
2012-01-07 22:22 . 2012-01-07 22:22 460800 ----a-w- c:\windows\system32\LAVSplitter.ax
2012-01-07 22:22 . 2012-01-07 22:22 448000 ----a-w- c:\windows\system32\LAVVideo.ax
2012-01-07 22:22 . 2012-01-07 22:22 212992 ----a-w- c:\windows\system32\LAVAudio.ax
2012-01-07 22:22 . 2012-01-07 22:22 172032 ----a-w- c:\windows\system32\libbluray.dll
2012-01-07 22:21 . 2012-01-07 22:21 6366094 ----a-w- c:\windows\system32\avcodec-lav-53.dll
2012-01-07 22:21 . 2012-01-07 22:21 354979 ----a-w- c:\windows\system32\swscale-lav-2.dll
2012-01-07 22:21 . 2012-01-07 22:21 203306 ----a-w- c:\windows\system32\avutil-lav-51.dll
2012-01-07 22:21 . 2012-01-07 22:21 138727 ----a-w- c:\windows\system32\avfilter-lav-2.dll
2012-01-07 22:21 . 2012-01-07 22:21 1007151 ----a-w- c:\windows\system32\avformat-lav-53.dll
2012-01-07 22:20 . 2012-01-07 22:20 142336 ----a-w- c:\windows\system32\IntelQuickSyncDecoder.dll
2012-01-06 04:19 . 2012-01-27 00:58 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-12-20 18:50 . 2011-12-20 18:50 79360 ----a-w- c:\windows\system32\ff_vfw.dll
2011-12-20 18:49 . 2011-12-20 18:49 99328 ----a-w- c:\windows\system32\ff_wmv9.dll
2011-12-20 18:49 . 2011-12-20 18:49 158720 ----a-w- c:\windows\system32\ff_unrar.dll
2011-12-20 18:49 . 2011-12-20 18:49 146944 ----a-w- c:\windows\system32\ff_libmad.dll
2011-12-20 18:49 . 2011-12-20 18:49 212480 ----a-w- c:\windows\system32\ff_libdts.dll
2011-12-20 18:49 . 2011-12-20 18:49 1525248 ----a-w- c:\windows\system32\ff_samplerate.dll
2011-12-20 18:49 . 2011-12-20 18:49 115200 ----a-w- c:\windows\system32\ff_liba52.dll
2011-12-20 18:49 . 2011-12-20 18:49 328704 ----a-w- c:\windows\system32\ff_libfaad2.dll
2011-12-20 18:49 . 2011-12-20 18:49 260608 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2011-12-20 18:49 . 2011-12-20 18:49 137728 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2011-12-07 19:32 . 2011-12-07 19:32 216064 ----a-w- c:\windows\system32\Lagarith.dll
2012-02-17 22:52 . 2012-02-13 09:51 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-08-22 94208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe 7" [X]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel Desktop Application Director 8.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Corel Desktop Application Director 8.LNK
backup=c:\windows\pss\Corel Desktop Application Director 8.LNKCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 18:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-04 06:51 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 19:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 23:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
S1 MpKsl917534c1;MpKsl917534c1;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7D473BB3-EC6F-49ED-8610-9BB447793712}\MpKsl917534c1.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7D473BB3-EC6F-49ED-8610-9BB447793712}\MpKsl917534c1.sys [?]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [1/31/2012 3:09 PM 158856]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 23:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ww2.cox.com/myconnection/orangecounty/home.cox
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
FF - ProfilePath - c:\documents and settings\MLW\Application Data\Mozilla\Firefox\Profiles\vt6z0ni7.default\
FF - prefs.js: browser.startup.homepage - about:home
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-dplaysvr - c:\documents and settings\MLW\Application Data\dplaysvr.exe
HKLM-Run-dplaysvr - c:\documents and settings\MLW\Application Data\dplaysvr.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-28 00:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(700)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(620)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\LTMSG.exe
.
**************************************************************************
.
Completion time: 2012-02-28 00:47:54 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-28 08:47
.
Pre-Run: 65,616,576,512 bytes free
Post-Run: 65,647,747,072 bytes free
.
- - End Of File - - 3B2E134FCDC28752F27B568E2B51B0D8

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 February 2012 - 07:40 AM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 thaiguy

thaiguy
  • Topic Starter

  • Members
  • 58 posts

Posted 28 February 2012 - 04:39 PM

Here's the latest for you, Mr. Gringo.....

TDSS Rootkit Report

12:39:10.0484 1708 TDSS rootkit removing tool 2.7.15.0 Feb 27 2012 12:59:02
12:39:11.0203 1708 ============================================================
12:39:11.0203 1708 Current date / time: 2012/02/28 12:39:11.0203
12:39:11.0203 1708 SystemInfo:
12:39:11.0203 1708
12:39:11.0203 1708 OS Version: 5.1.2600 ServicePack: 3.0
12:39:11.0203 1708 Product type: Workstation
12:39:11.0203 1708 ComputerName: NESTOR_ESPANA
12:39:11.0203 1708 UserName: MLW
12:39:11.0203 1708 Windows directory: C:\WINDOWS
12:39:11.0203 1708 System windows directory: C:\WINDOWS
12:39:11.0203 1708 Processor architecture: Intel x86
12:39:11.0203 1708 Number of processors: 1
12:39:11.0203 1708 Page size: 0x1000
12:39:11.0203 1708 Boot type: Normal boot
12:39:11.0203 1708 ============================================================
12:39:16.0906 1708 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
12:39:16.0921 1708 Drive \Device\Harddisk1\DR1 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x285D, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000050
12:39:16.0921 1708 \Device\Harddisk0\DR0:
12:39:16.0937 1708 MBR used
12:39:16.0937 1708 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xDF8F8C1
12:39:16.0937 1708 \Device\Harddisk1\DR1:
12:39:17.0000 1708 MBR used
12:39:17.0000 1708 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x94FB981
12:39:17.0281 1708 Initialize success
12:39:17.0281 1708 ============================================================
12:39:57.0421 2836 ============================================================
12:39:57.0421 2836 Scan started
12:39:57.0421 2836 Mode: Manual;
12:39:57.0421 2836 ============================================================
12:40:23.0140 2836 MBR (0x1B8) (faee7e40dfb0440ad2cfc39befa1f4c2) \Device\Harddisk0\DR0
12:40:23.0671 2836 \Device\Harddisk0\DR0 ( Rootkit.Win32.BackBoot.gen ) - warning
12:40:23.0671 2836 \Device\Harddisk0\DR0 - detected Rootkit.Win32.BackBoot.gen (1)
12:40:23.0687 2836 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk1\DR1
12:40:23.0734 2836 \Device\Harddisk1\DR1 - ok
12:40:23.0734 2836 Boot (0x1200) (e77b1528a4665a8f69d335f66866fe05) \Device\Harddisk0\DR0\Partition0
12:40:23.0734 2836 \Device\Harddisk0\DR0\Partition0 - ok
12:40:23.0765 2836 Boot (0x1200) (019f30d0ab202a751d25d2e74569d7c9) \Device\Harddisk1\DR1\Partition0
12:40:23.0765 2836 \Device\Harddisk1\DR1\Partition0 - ok
12:40:23.0765 2836 ============================================================
12:40:23.0765 2836 Scan finished
12:40:23.0765 2836 ============================================================
12:40:23.0796 2824 Detected object count: 1
12:40:23.0796 2824 Actual detected object count: 1
12:40:48.0703 2824 \Device\Harddisk0\DR0 ( Rootkit.Win32.BackBoot.gen ) - skipped by user
12:40:48.0703 2824 \Device\Harddisk0\DR0 ( Rootkit.Win32.BackBoot.gen ) - User select action: Skip


aswMBR Report

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-02-28 12:42:31
-----------------------------
12:42:31.000 OS Version: Windows 5.1.2600 Service Pack 3
12:42:31.000 Number of processors: 1 586 0x207
12:42:31.000 ComputerName: NESTOR_ESPANA UserName: MLW
12:42:32.359 Initialize success
12:46:58.703 AVAST engine defs: 12022801
12:52:04.062 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0
12:52:04.078 Disk 0 Vendor: WDC_WD12 17.0 Size: 114473MB BusType: 3
12:52:04.078 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0
12:52:04.078 Disk 1 Vendor: IC35L080 VA4O Size: 76293MB BusType: 3
12:52:04.078 Disk 0 MBR read error 0
12:52:04.078 Disk 0 MBR scan
12:52:04.171 Disk 0 unknown MBR code
12:52:04.171 MBR BIOS signature not found 0
12:52:04.171 Disk 0 scanning sectors +234420480
12:52:04.343 Disk 0 scanning C:\WINDOWS\system32\drivers
12:52:17.093 Service scanning
12:52:25.312 Service MpKslf9e71564 C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CD658D55-3559-4676-B4C5-B1D58BBC0A58}\MpKslf9e71564.sys **LOCKED** 32
12:52:34.812 Modules scanning
12:52:41.031 Disk 0 trace - called modules:
12:52:41.031 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8590349f]<<
12:52:41.031 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85efc030]
12:52:41.046 3 CLASSPNP.SYS[f78cefd7] -> nt!IofCallDriver -> \Device\00000060[0x86f8abb0]
12:52:41.046 5 ACPI.sys[f7825620] -> nt!IofCallDriver -> [0x86f89030]
12:52:41.046 \Driver\IdeChnDr[0x85de2910] -> IRP_MJ_CREATE -> 0x8590349f
12:52:42.968 AVAST engine scan C:\WINDOWS
12:52:49.843 AVAST engine scan C:\WINDOWS\system32
12:56:35.593 AVAST engine scan C:\WINDOWS\system32\drivers
12:56:57.546 AVAST engine scan C:\Documents and Settings\MLW
13:10:10.265 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\MLW\Desktop\MBR.dat"
13:10:10.296 The log file has been saved successfully to "C:\Documents and Settings\MLW\Desktop\aswMBR.txt"
13:14:25.531 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\MLW\Desktop\MBR.dat"
13:14:25.546 The log file has been saved successfully to "C:\Documents and Settings\MLW\Desktop\aswMBR.txt"
13:22:40.890 AVAST engine scan C:\Documents and Settings\All Users
13:26:36.218 Scan finished successfully
13:30:27.968 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\MLW\Desktop\MBR.dat"
13:30:28.046 The log file has been saved successfully to "C:\Documents and Settings\MLW\Desktop\aswMBR.txt"


I haven't had to reboot anything yet. The computer still continues to run super slow and even snag on things. Can't wait till I've got this machine clean again.

Please let me know where to go from here. Thanks in advance !

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 February 2012 - 08:27 AM

Re-Run aswMBR

  • Click Scan
  • On completion of the scan, click the FIXMBR button
  • There is a slight pause after clicking the 'Fix' button.
  • Wait for the tool to report 'Infection fixed successfully', now reboot the machine.
  • Rebooting the machine prematurely, before seeing this line, will result in an incomplete fix.

    Note: After the 'Infection fixed successfully' message appears, the machine may become unresponsive. You may have to do a hard boot of your machine. That may be a side effect from the fix. All will be well after the reboot.
  • Save the log as before and post in your next reply.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 thaiguy

  • Topic Starter
  • Members
  • 58 posts

Posted 29 February 2012 - 03:27 PM

Hi Gringo.

This time things happened a little bit strangely in the beginning. I kept having it freeze up on the virus def update, but I think that's because the internet provider was iffy today. It froze a couple of times and each time I exited and restarted the program and the update. I wish the prog had a way of showing me if it started at 0 defs each time, or if it continued from the previous end point. Then 2x when I tried to update I got an error message. My mistake for not writing down what it was. Finally on one startup it gave me a total virus defs count of 12,022,901 and I imagined it was right, so I began my scan. Everything seems to have worked right, catching the same invaders lodged in the HDD as before.

It’s finished the scan and seems alright, but.....

I’m getting a ‘Disk 0 MBR fix error’ statement. It doesn’t seem to want to fix it. I’m gonna reboot and start over with update, scan, and fix. Then I'll get back to you again.

#8 thaiguy

  • Topic Starter
  • Members
  • 58 posts

Posted 29 February 2012 - 09:49 PM

Hi Gringo. I've tried various combinations of exiting all other programs, turning off Windows security, rebooting and then re-running the program. Results still are the same - the virus is still there. All I can say is that after I hit the 'Fix' button it only takes 1/10 of a second to say that there's an error. Like it's being prevented from even going in and doing the actual removal. One time there was maybe a 1/2 second start at something after my first reboot and retry, but still it returned to the error message. Here are my last 2 logs of the scan and the results. In total I've done just under 10 attempts today. My machine is super slow and it's bugging the ____ out of me. And of course I need to get work done on it.....

Here you go.

Next to Last Scan

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-02-29 14:18:44
-----------------------------
14:18:44.781 OS Version: Windows 5.1.2600 Service Pack 3
14:18:44.781 Number of processors: 1 586 0x207
14:18:44.781 ComputerName: NESTOR_ESPANA UserName: MLW
14:18:51.296 Initialize success
14:19:24.265 AVAST engine defs: 12022901
14:19:37.062 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0
14:19:37.062 Disk 0 Vendor: WDC_WD12 17.0 Size: 114473MB BusType: 3
14:19:37.062 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0
14:19:37.062 Disk 1 Vendor: IC35L080 VA4O Size: 76293MB BusType: 3
14:19:37.078 Disk 0 MBR read error 0
14:19:37.078 Disk 0 MBR scan
14:19:37.171 Disk 0 unknown MBR code
14:19:37.171 MBR BIOS signature not found 0
14:19:37.187 Disk 0 scanning sectors +234420480
14:19:37.265 Disk 0 scanning C:\WINDOWS\system32\drivers
14:20:16.859 Service scanning
14:20:28.859 Service MpKsl333517cb C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{128061F0-C37C-4263-A361-4272DD919971}\MpKsl333517cb.sys **LOCKED** 32
14:20:45.312 Modules scanning
14:20:51.625 Disk 0 trace - called modules:
14:20:51.625 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85a0b49f]<<
14:20:51.625 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f8d030]
14:20:51.625 3 CLASSPNP.SYS[f78cefd7] -> nt!IofCallDriver -> \Device\00000060[0x86f3fbb0]
14:20:51.640 5 ACPI.sys[f7825620] -> nt!IofCallDriver -> [0x86f7f030]
14:20:51.640 \Driver\IdeChnDr[0x85b678b8] -> IRP_MJ_CREATE -> 0x85a0b49f
14:20:52.390 AVAST engine scan C:\WINDOWS
14:21:17.734 AVAST engine scan C:\WINDOWS\system32
14:30:58.921 AVAST engine scan C:\WINDOWS\system32\drivers
14:31:35.484 AVAST engine scan C:\Documents and Settings\MLW
14:52:05.312 AVAST engine scan C:\Documents and Settings\All Users
14:54:06.265 Scan finished successfully
15:17:07.218 Disk 0 MBR fix error
15:17:16.203 Disk 0 MBR fix error
15:17:49.781 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\MLW\Desktop\MBR.dat"
15:17:49.937 The log file has been saved successfully to "C:\Documents and Settings\MLW\Desktop\aswMBR Scan After Reboot.txt"


Log from Last Scan:

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-02-29 17:31:07
-----------------------------
17:31:07.906 OS Version: Windows 5.1.2600 Service Pack 3
17:31:07.906 Number of processors: 1 586 0x207
17:31:07.906 ComputerName: NESTOR_ESPANA UserName: MLW
17:31:10.203 Initialize success
17:31:29.531 AVAST engine defs: 12022901
17:32:20.968 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0
17:32:20.968 Disk 0 Vendor: WDC_WD12 17.0 Size: 114473MB BusType: 3
17:32:20.984 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0
17:32:20.984 Disk 1 Vendor: IC35L080 VA4O Size: 76293MB BusType: 3
17:32:20.984 Disk 0 MBR read error 0
17:32:20.984 Disk 0 MBR scan
17:32:21.031 Disk 0 unknown MBR code
17:32:21.031 MBR BIOS signature not found 0
17:32:21.031 Disk 0 scanning sectors +234420480
17:32:21.140 Disk 0 scanning C:\WINDOWS\system32\drivers
17:32:35.140 Service scanning
17:32:54.968 Modules scanning
17:33:12.125 Disk 0 trace - called modules:
17:33:12.578 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x858c049f]<<
17:33:12.578 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f7c030]
17:33:12.578 3 CLASSPNP.SYS[f78cefd7] -> nt!IofCallDriver -> \Device\00000061[0x86f40bb0]
17:33:12.578 5 ACPI.sys[f7825620] -> nt!IofCallDriver -> [0x86f44030]
17:33:12.578 \Driver\IdeChnDr[0x85c7fac0] -> IRP_MJ_CREATE -> 0x858c049f
17:33:14.812 AVAST engine scan C:\WINDOWS
17:33:22.656 AVAST engine scan C:\WINDOWS\system32
17:37:26.890 AVAST engine scan C:\WINDOWS\system32\drivers
17:37:50.906 AVAST engine scan C:\Documents and Settings\MLW
17:56:56.015 AVAST engine scan C:\Documents and Settings\All Users
17:58:51.406 Scan finished successfully
18:32:06.500 Disk 0 MBR fix error
18:32:10.375 Disk 0 MBR fix error
18:32:58.015 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\MLW\Desktop\MBR.dat"
18:32:58.328 The log file has been saved successfully to "C:\Documents and Settings\MLW\Desktop\aswMBR Reboot n Redo Log 3.txt"

#9 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 01 March 2012 - 01:14 PM

Hello

I would like you to run this tool for me - fixTDSS

Download it to your desktop and start the program.

Follow the prompts and OK any security prompts.

When it is complete it will say the infection was cleared or no infection was found - let me know what it says.

After it is complete I want you to restart the computer and try to rerun aswMBR for me and send me the report.

  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Gringo

#10 thaiguy

  • Topic Starter
  • Members
  • 58 posts

Posted 01 March 2012 - 06:23 PM

Hi Gringo.

It appears that fixTDSS has finally cleaned my machine, as things are running at normal speed again for an older IDE machine. I do see on Task Manager that there are still some background running functions under the MLW name, which is what I thought the infection was calling itself. I don't remember seeing that in the week before when I was using this computer. Everything else is running under 'System', 'Local Service', and 'Network Service'. I would gladly make a screen capture to send you, or is there another program I should do a general sweep with? Last idea is that it is now running normally, but during the infection, some of the function operator names got changed, but they really are all, in fact, being run by 'System' now and there is no reason to worry. Let me know your thoughts.

Here is the log report from aswMBR:

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-01 13:48:49
-----------------------------
13:48:49.234 OS Version: Windows 5.1.2600 Service Pack 3
13:48:49.234 Number of processors: 1 586 0x207
13:48:49.234 ComputerName: NESTOR_ESPANA UserName: MLW
13:48:49.609 Initialize success
13:49:05.687 AVAST engine defs: 12022901
13:49:29.796 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0
13:49:29.796 Disk 0 Vendor: WDC_WD12 17.0 Size: 114473MB BusType: 3
13:49:29.796 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0
13:49:29.796 Disk 1 Vendor: IC35L080 VA4O Size: 76293MB BusType: 3
13:49:29.812 Disk 0 MBR read successfully
13:49:29.812 Disk 0 MBR scan
13:49:29.859 Disk 0 Windows XP default MBR code
13:49:29.859 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 114463 MB offset 63
13:49:29.859 Disk 0 scanning sectors +234420480
13:49:29.937 Disk 0 scanning C:\WINDOWS\system32\drivers
13:49:41.265 Service scanning
13:49:55.734 Modules scanning
13:50:01.921 Disk 0 trace - called modules:
13:50:02.421 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll IdeChnDr.sys
13:50:02.421 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f8e878]
13:50:02.421 3 CLASSPNP.SYS[f78cefd7] -> nt!IofCallDriver -> \Device\00000060[0x86fca8a0]
13:50:02.437 5 ACPI.sys[f7825620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0[0x86f66030]
13:50:02.859 AVAST engine scan C:\WINDOWS
13:50:08.765 AVAST engine scan C:\WINDOWS\system32
13:53:28.187 AVAST engine scan C:\WINDOWS\system32\drivers
13:53:47.515 AVAST engine scan C:\Documents and Settings\MLW
14:08:21.656 AVAST engine scan C:\Documents and Settings\All Users
14:10:04.109 Scan finished successfully
15:13:11.625 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\MLW\Desktop\MBR.dat"
15:13:11.625 The log file has been saved successfully to "C:\Documents and Settings\MLW\Desktop\aswMBR 4 030112.txt"

One thing about aswMBR - I did the scan, then went to actually use the 'Fix MBR' option before printing the log. This gave me a message about erasing partitions or losing data on the boot disk. I re-examined your directions for this round, and didn't see you asking me to run the fix function, so decided not to do it. I simply did the scan, then printed the log as above, and exited. Let me know what's next if anything.

Thanks for all your help!
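The two kinds of aswMBR log in this thread (the "MBR fix error" runs in post #8 and the clean run after fixTDSS in post #10) differ on a handful of lines that a malware-removal helper reads first. The following is an added example, not code from the thread or from AVAST's aswMBR: a small Python triage script that walks a log as text and collects those indicators (MBR readable or not, recognised or unknown boot code, missing boot signature, a disk I/O trace that ends in ">>UNKNOWN [address]<<", a \Driver\ object whose IRP handler points at a bare address, and FIXMBR errors). The regular expressions follow the exact wording aswMBR prints in the logs above; the two sample logs are shortened excerpts modelled on those posts and are constructed input for the script. It also counts partition-table lines, which only appear once the MBR can be read, so the clean run reports one partition and the infected runs none.

```python
"""Triage helper for aswMBR log text (added example; not the tool's own code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+")
# Each pattern follows the exact wording aswMBR prints in the logs posted above.
P = {
    "read_error": re.compile(r"^Disk \d+ MBR read error"),
    "read_ok": re.compile(r"^Disk \d+ MBR read successfully"),
    "unknown_code": re.compile(r"^Disk \d+ unknown MBR code"),
    "known_code": re.compile(r"^Disk \d+ (.+?) default MBR code"),
    "no_signature": re.compile(r"^MBR BIOS signature not found"),
    "partition": re.compile(r"^Disk \d+ Partition \d+ "),
    "fix_error": re.compile(r"^Disk \d+ MBR fix error"),
    # The module trace should end in a named driver, not ">>UNKNOWN [addr]<<".
    "trace_unknown": re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<"),
    # A driver object whose IRP handler points at a bare address instead of a module.
    "hook": re.compile(r"(\\Driver\\\w+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)"),
}

@dataclass
class Report:
    mbr_readable: Optional[bool] = None
    mbr_code: Optional[str] = None      # "unknown" or e.g. "Windows XP default"
    signature_missing: bool = False
    partitions: int = 0
    unknown_trace_address: Optional[str] = None
    hooked_driver: Optional[str] = None
    fix_errors: int = 0
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)

def triage(log_text: str) -> Report:
    """Walk an aswMBR log line by line and collect the indicators a helper reads first."""
    r = Report()
    for raw in log_text.splitlines():
        line = TIMESTAMP.sub("", raw.strip())
        if P["read_error"].match(line):
            r.mbr_readable = False
            r.findings.append("MBR could not be read (read error)")
        elif P["read_ok"].match(line):
            r.mbr_readable = True
        elif P["unknown_code"].match(line):
            r.mbr_code = "unknown"
            r.findings.append("MBR boot code is not a recognised loader")
        elif (m := P["known_code"].match(line)):
            r.mbr_code = m.group(1) + " default"
        elif P["no_signature"].match(line):
            r.signature_missing = True
            r.findings.append("MBR boot signature not found")
        elif P["partition"].match(line):
            r.partitions += 1
        elif P["fix_error"].match(line):
            r.fix_errors += 1
        # Trace lines carry other text too, so search instead of match.
        if (m := P["trace_unknown"].search(line)):
            r.unknown_trace_address = m.group(1)
            r.findings.append(f"disk I/O path ends in unknown code at {m.group(1)}")
        if (m := P["hook"].search(line)):
            r.hooked_driver = f"{m.group(1)} {m.group(2)} -> {m.group(3)}"
            r.findings.append(f"{m.group(1)} {m.group(2)} handler points outside any module ({m.group(3)})")
    if r.fix_errors:
        r.findings.append(f"FIXMBR reported an error {r.fix_errors} time(s); MBR not repaired")
    return r

# Shortened excerpts modelled on the logs posted in this thread (constructed sample input).
INFECTED_LOG = r"""
14:19:37.078 Disk 0 MBR read error 0
14:19:37.171 Disk 0 unknown MBR code
14:19:37.171 MBR BIOS signature not found 0
14:20:51.625 Disk 0 trace - called modules:
14:20:51.625 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85a0b49f]<<
14:20:51.640 \Driver\IdeChnDr[0x85b678b8] -> IRP_MJ_CREATE -> 0x85a0b49f
15:17:07.218 Disk 0 MBR fix error
15:17:16.203 Disk 0 MBR fix error
"""

CLEAN_LOG = r"""
13:49:29.812 Disk 0 MBR read successfully
13:49:29.859 Disk 0 Windows XP default MBR code
13:49:29.859 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 114463 MB offset 63
13:50:01.921 Disk 0 trace - called modules:
13:50:02.421 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll IdeChnDr.sys
"""

if __name__ == "__main__":
    for name, text in (("before fixTDSS", INFECTED_LOG), ("after fixTDSS", CLEAN_LOG)):
        rep = triage(text)
        print(f"{name}: {'SUSPICIOUS' if rep.suspicious else 'clean'}")
        for finding in rep.findings:
            print("  -", finding)
```

Run it against a saved aswMBR.txt by passing the file's contents to triage(); an empty findings list after a fix run is the same check the helper makes by eye when the trace ends in IdeChnDr.sys and the MBR code is reported as the Windows XP default.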

#11 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 01 March 2012 - 09:18 PM

Hello

I would like to see a report that ComboFix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click OK

copy and paste the report into this topic for me to review

Gringo

#12 thaiguy

  • Topic Starter
  • Members
  • 58 posts

Posted 01 March 2012 - 11:58 PM

Gringo, I can't get the hyperlink to the report to work. Can you repost, or just post the site and which program to download?

#13 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 02 March 2012 - 12:17 AM

Hello


That is not a link - start at the

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)

#14 thaiguy

  • Topic Starter
  • Members
  • 58 posts

Posted 02 March 2012 - 01:18 AM

Here's what's there. Sorry for misunderstanding your instructions!

µTorrent
ACDSee Photo Manager 12
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.5.0
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Software Update
Auslogics Disk Defrag
CCleaner
CoreFLAC Audio Decoder+Source Filter (remove only)
Corel WordPerfect Suite 8
D-Link PCI Fast Ethernet Adapter
EPSON Photo Print
EPSON TWAIN 5
FLAC 1.2.1b (remove only)
GOM Player
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Intel Application Accelerator
Intel® Network Connections 14.0.40.0
Java™ 6 Update 22
Media Player Codec Pack 4.1.4
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox 10.0.2 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 7 Ultra Edition
OGA Notifier 2.0.0048.0
PeerBlock 1.0+ (r484)
Quicken 2010
QuickTime
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Groove 2007 (KB2552997)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Skype™ 5.8
Snagit 10.0.2
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VIA Rhine-Family Fast-Ethernet Adapter
WebFldrs XP
Winbond HWDoctor
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver
WinZip

#15 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 02 March 2012 - 01:23 AM

Hello

P2P Warning!

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.

Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer; their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (it does a lot better of a job).

Programs to remove

µTorrent
Adobe Reader 9.5.0
Java™ 6 Update 22


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close


TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select Run as administrator.

"information and logs"

In your next post I need the following:

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University



