
Several issues Error Dinging, scvhost 99% usage and virus



#1 Sedadren (Members, 39 posts)

Posted 05 May 2012 - 11:55 PM

I appear to have several things going on.

First, starting at the end of January, my computer began dinging. The ding is like when you try and do something the computer won't let you do and it normally pops up an error message, except in this case, there is no message. It shuts down different things in my computer. For example, after about a minute of having the computer on, the volume control stops working. After that things like the internet itself simply stop responding. Usually the internet stops working about every 45 minutes to 2 hours, and I have to reboot. The dinging comes at random, but as often as several in a second, or one every five or ten minutes. There appears to be no pattern, but they don't stop at a certain number.

Next, scvhost.exe is running at 99% every time we play our games. I do know that it is a program needed for running the OS. We play both Perfect World international and Uncharted Waters Online. CTRL + ALT + DEL and ending the task will stop it, but speeds up the shutting down of the computer. It also ends our games after a minute or two, but they can be restarted without any problem if we catch it before it heats up my processor enough to shut down the computer.

Last, I appear to have some sort of virus. This showed up a couple days ago. I ran Spybot and avira without success. The program (labeled bswecovu) runs on startup under msconfig, and I unchecked it and rebooted, but it had been checked again. I found it running in my processes and ended process and unchecked it, and it appears to have not reloaded itself, however the program is obviously still there. Avira and Spybot haven't found anything, and I don't know how to get rid of it forever as I am somewhat computer illiterate.

I have a black computer, and that is what I know about computers. . .

In addition, my computer is randomly rebooting itself, and at times it sets up its own chkdsk. When it decides to do a chkdsk, I can not cancel; however, it is finding a ton of problems and fixing them. Other times I can not turn off my computer. I will go to Start and Shut Down and it will turn everything off except my desktop pic and will sit there; other times it will make it to say it is saving my settings, but never turns off until I am forced to hit the switch on the back to cut the power.

One last thing. I have been considering simply reloading, however we have moved 6 times in 4 months, and for the life of me I can not find my Windows disk, and I don't know anyone with a windows disk, so I can't just reload.

Thank you in advance for any help you can provide.

I posted this in the incorrect thread apparently and, as directed, am following steps 6-9 and re-posting here. The following is my DDS log. The attach file is attached; however, I can not keep my computer running long enough to get a GMER scan completed. It does last long enough to show in red "Type: DISK Name: \Device\Harddisk0\DR0 Value: TDL4@MBR code has been found" as well as a "sector00: rootkit-like behavior" not in red but in the same location.



DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by Kiren at 21:55:04 on 2012-05-05
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.charter.net/
uWindow Title = Powered by Charter Communications
uSearch Page = hxxp://www.charter.net/google/index.php?q=
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Charter Toolbar: {47b6a4a9-dc94-4738-9f20-7411d9691ea4} - c:\program files\chartertoolbar\chartertoolbarDx.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Charter Toolbar: {47b6a4a9-dc94-4738-9f20-7411d9691ea4} - c:\program files\chartertoolbar\chartertoolbarDx.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CPUThermometer] c:\documents and settings\kiren\my documents\downloads\cpu thermometer\CPUThermometer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 24.217.0.5 24.217.201.67 24.247.15.53
TCP: Interfaces\{02CFAF65-5756-4440-8C0A-BD3642F6B9CA} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{5FC4D222-AE55-43B1-BB90-EE1034720697} : DhcpNameServer = 68.94.156.1 68.94.157.1
TCP: Interfaces\{B34736C8-6AEF-4D02-999A-714429123A04} : DhcpNameServer = 24.217.0.5 24.217.201.67 24.247.15.53
TCP: Interfaces\{FDD78A7E-DB41-42E8-85EB-680897C6DDDE} : DhcpNameServer = 192.168.0.1
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\kiren\application data\mozilla\firefox\profiles\n9wfir94.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - plugin: c:\documents and settings\kiren\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\documents and settings\kiren\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\netmarbleglobal\glbnmnpapiplugins\npGlbNMNetmarbleDownload.dll
FF - plugin: c:\netmarbleglobal\glbnmnpapiplugins\npGlbNMNPAPIUpdater.dll
FF - plugin: c:\netmarbleglobal\glbnmnpapiplugins\npGlbNMStarter.dll
FF - plugin: c:\netmarbleglobal\glbnmnpapiplugins\npGlbNMWebMessengerPlugin.dll
FF - plugin: c:\netmarbleglobal\glbnmnpapiplugins\npNMSystemIDInfo.dll
FF - plugin: c:\netmarbleglobal\glbnmnpapiplugins\npNMSystemInformer.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-05-06 00:38:27 -------- d-----w- c:\documents and settings\kiren\application data\DriverCure
2012-05-06 00:38:25 -------- d-----w- c:\documents and settings\kiren\application data\ParetoLogic
2012-05-06 00:37:15 -------- d-----w- c:\program files\common files\ParetoLogic
2012-05-06 00:37:10 -------- d-----w- c:\program files\ParetoLogic
2012-05-06 00:37:10 -------- d-----w- c:\documents and settings\all users.windows\application data\ParetoLogic
2012-05-05 23:42:10 294912 ----a-w- c:\documents and settings\kiren\application data\zhnsq.exe
2012-05-05 23:39:48 294912 ----a-w- c:\documents and settings\kiren\application data\sysea.exe
2012-05-05 23:18:51 294912 ----a-w- c:\documents and settings\kiren\application data\jxdow.exe
2012-05-05 23:01:57 294912 ----a-w- c:\documents and settings\kiren\application data\uqhxg.exe
2012-05-05 21:55:07 294912 ----a-w- c:\documents and settings\kiren\application data\jvobs.exe
2012-05-05 21:42:59 294912 ----a-w- c:\documents and settings\kiren\application data\dzwsr.exe
2012-05-05 20:48:22 294912 ----a-w- c:\documents and settings\kiren\application data\dfkdh.exe
2012-05-05 19:51:15 294912 ----a-w- c:\documents and settings\kiren\application data\uoeug.exe
2012-05-05 18:38:00 294912 ----a-w- c:\documents and settings\kiren\application data\lkqvq.exe
2012-05-05 08:37:45 294912 ----a-w- c:\documents and settings\kiren\application data\zlufs.exe
2012-05-05 01:59:01 294912 ----a-w- c:\documents and settings\kiren\application data\ulhsg.exe
2012-05-05 00:43:57 294912 ----a-w- c:\documents and settings\kiren\application data\nsrmf.exe
2012-05-04 23:52:31 294912 ----a-w- c:\documents and settings\kiren\application data\wolal.exe
2012-05-04 23:52:21 294912 ---h--w- c:\documents and settings\all users.windows\bswecovu.exe
2012-05-04 23:52:15 294912 ----a-w- c:\documents and settings\kiren\application data\eytme.exe
2012-05-04 22:55:27 294912 ----a-w- c:\documents and settings\kiren\application data\knrtl.exe
2012-05-04 22:51:53 630784 ----a-w- c:\documents and settings\kiren\application data\rdxcjl.exe
2012-05-04 19:26:01 294912 ----a-w- c:\documents and settings\kiren\application data\jqgnl.exe
2012-05-04 19:00:45 294912 ----a-w- c:\documents and settings\kiren\application data\roxog.exe
2012-05-04 17:54:16 294912 ----a-w- c:\documents and settings\kiren\application data\dwmob.exe
2012-05-04 17:54:02 294912 ------w- c:\documents and settings\all users.windows\pdtjwcoi.exe
2012-05-04 17:53:49 294912 ----a-w- c:\documents and settings\kiren\application data\ctmsb.exe
2012-05-04 04:05:30 294912 ----a-w- c:\documents and settings\kiren\application data\jdyzi.exe
2012-05-04 00:42:30 294912 ----a-w- c:\documents and settings\kiren\application data\ibssr.exe
2012-05-04 00:42:27 294912 ------w- c:\documents and settings\all users.windows\ziqwqwrn.exe
2012-05-04 00:42:22 294912 ----a-w- c:\documents and settings\kiren\application data\ifezi.exe
2012-05-03 22:26:07 295936 ----a-w- c:\documents and settings\kiren\application data\ubapr.exe
2012-05-03 22:10:42 295936 ----a-w- c:\documents and settings\kiren\application data\dotlk.exe
2012-05-03 22:02:51 295936 ----a-w- c:\documents and settings\kiren\application data\wriux.exe
2012-05-03 18:15:29 295936 ----a-w- c:\documents and settings\kiren\application data\jhqhz.exe
2012-05-03 10:47:02 295936 ----a-w- c:\documents and settings\kiren\application data\xibgp.exe
2012-05-03 09:43:55 295936 ----a-w- c:\documents and settings\kiren\application data\njbrv.exe
2012-05-02 23:42:21 295936 ----a-w- c:\documents and settings\kiren\application data\tsbox.exe
2012-04-29 02:01:05 -------- d-sh--w- C:\found.002
2012-04-25 05:47:45 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-04-25 05:47:09 157352 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-04-25 05:47:09 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
2012-04-17 08:57:29 -------- d-sh--w- C:\found.001
2012-04-11 04:10:51 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-09 17:43:51 -------- d-sh--w- C:\found.000
.
==================== Find3M ====================
.
2012-05-02 21:49:02 295936 ----a-w- c:\documents and settings\kiren\application data\kqpxa.exe
2012-05-02 21:48:54 295936 ----a-w- c:\documents and settings\kiren\application data\cgvia.exe
2012-05-02 21:48:52 295936 ----a-w- c:\documents and settings\kiren\application data\ntsfz.exe
2012-05-02 21:48:48 295936 ----a-w- c:\documents and settings\kiren\application data\jlotr.exe
2012-05-02 21:48:45 295936 ----a-w- c:\documents and settings\kiren\application data\urgrz.exe
2012-05-02 21:48:41 295936 ----a-w- c:\documents and settings\kiren\application data\vsvom.exe
2012-05-02 21:48:38 295936 ----a-w- c:\documents and settings\kiren\application data\gynnt.exe
2012-05-02 21:48:35 295936 ----a-w- c:\documents and settings\kiren\application data\imdza.exe
2012-05-02 21:48:30 295936 ----a-w- c:\documents and settings\kiren\application data\iocim.exe
2012-05-02 21:48:30 295936 ------w- c:\documents and settings\all users.windows\tqxpvyig.exe
2012-05-02 21:48:28 295936 ----a-w- c:\documents and settings\kiren\application data\offgx.exe
2012-05-02 21:48:28 295936 ----a-w- c:\documents and settings\all users.windows\figrwplk.exe
2012-05-02 05:27:30 408576 ------w- c:\documents and settings\all users.windows\jzgccjxk.exe
2012-05-02 05:27:10 409600 ------w- c:\documents and settings\all users.windows\lhkzfhhk.exe
2012-05-02 05:26:50 400896 ------w- c:\documents and settings\all users.windows\tcletugg.exe
2012-05-02 05:26:30 394752 ------w- c:\documents and settings\all users.windows\igkuakgr.exe
2012-05-02 05:26:10 395776 ------w- c:\documents and settings\all users.windows\kakgxmol.exe
2012-05-02 05:25:50 388608 ------w- c:\documents and settings\all users.windows\gysytazm.exe
2012-05-02 05:25:30 576512 ------w- c:\documents and settings\all users.windows\tfwoacrb.exe
2012-05-02 05:25:10 447488 ------w- c:\documents and settings\all users.windows\ydpwblnr.exe
2012-05-02 05:24:50 1061376 ------w- c:\documents and settings\all users.windows\rkbxmirh.exe
2012-05-02 05:24:30 404480 ----a-w- c:\documents and settings\all users.windows\olzavgyp.exe
2012-04-18 03:17:10 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD5000AAKB-00YSA0 rev.12.01C02 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-12
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B14449F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b14b738]; MOV EAX, [0x8b14b8ac]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B4F0AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006e[0x8B596820]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8B53C940]
\Driver\atapi[0x8B360240] -> IRP_MJ_CREATE -> 0x8B14449F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8B1442C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 21:56:33.42 ===============
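As an added triage example (not part of Sedadren's post or of any tool output above): a script that parses DDS "Created Last 30" lines and flags the pattern visible in this log, namely bursts of same-sized, randomly named executables written into profile directories, which is what a re-dropping infection looks like when the on-demand scanners find nothing. The sample lines are copied from the log above plus two benign entries; SAMPLE_DDS and the function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the DDS "Created Last 30" format: lines copied from the
# log above plus benign entries, so the script runs offline.
SAMPLE_DDS = r"""
2012-05-05 23:42:10 294912 ----a-w- c:\documents and settings\kiren\application data\zhnsq.exe
2012-05-05 23:39:48 294912 ----a-w- c:\documents and settings\kiren\application data\sysea.exe
2012-05-05 23:18:51 294912 ----a-w- c:\documents and settings\kiren\application data\jxdow.exe
2012-05-04 23:52:21 294912 ---h--w- c:\documents and settings\all users.windows\bswecovu.exe
2012-05-04 22:51:53 630784 ----a-w- c:\documents and settings\kiren\application data\rdxcjl.exe
2012-05-03 22:26:07 295936 ----a-w- c:\documents and settings\kiren\application data\ubapr.exe
2012-05-03 22:10:42 295936 ----a-w- c:\documents and settings\kiren\application data\dotlk.exe
2012-05-03 22:02:51 295936 ----a-w- c:\documents and settings\kiren\application data\wriux.exe
2012-04-29 02:01:05 -------- d-sh--w- C:\found.002
2012-04-25 05:47:09 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
2012-04-11 04:10:51 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
"""

# One DDS line: timestamp, byte size (dashes for a directory), 8 attribute flags, path.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+(\S{8})\s+(.+?)\s*$"
)
# Short, all-lowercase, letters-only basename: the naming pattern of the dropped files.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}\.exe$")
# Directories the infection wrote to: per-user and all-users profile data.
PROFILE_MARKERS = ("\\application data\\", "\\all users")


def parse_created(text):
    """Parse DDS 'Created Last 30' / 'Find3M' lines into dicts; directories are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group(2).isdigit():
            continue
        entries.append({
            "when": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "size": int(m.group(2)),
            "attrs": m.group(3),
            "path": m.group(4),
        })
    return entries


def is_suspicious(entry):
    """A random-looking .exe created inside a profile directory."""
    path = entry["path"].lower()
    name = path.rsplit("\\", 1)[-1]
    in_profile = any(marker in path for marker in PROFILE_MARKERS)
    return in_profile and RANDOM_NAME_RE.match(name) is not None


def find_clusters(entries, min_members=3):
    """Group suspicious executables by byte size. Several fresh files of the same
    size and naming pattern within hours is a re-dropping loop, not user activity."""
    by_size = defaultdict(list)
    for e in entries:
        if is_suspicious(e):
            by_size[e["size"]].append(e)
    clusters = []
    for size, members in sorted(by_size.items()):
        if len(members) < min_members:
            continue
        times = [m["when"] for m in members]
        clusters.append({
            "size": size,
            "count": len(members),
            "span_hours": round((max(times) - min(times)).total_seconds() / 3600, 2),
            # hidden attribute ('h') on a dropped file is an extra signal worth surfacing
            "hidden": sorted(m["path"] for m in members if "h" in m["attrs"]),
            "dirs": sorted({m["path"].rsplit("\\", 1)[0] for m in members}),
        })
    return clusters


if __name__ == "__main__":
    for c in find_clusters(parse_created(SAMPLE_DDS)):
        print(f"{c['count']} x {c['size']} bytes over {c['span_hours']} h in {c['dirs']}")
        for hidden in c["hidden"]:
            print("   hidden attribute:", hidden)
```

Run against the full DDS output rather than the sample to see every size cluster; single odd-sized files such as rdxcjl.exe fall below the cluster threshold and would need manual review.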


#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 06 May 2012 - 02:17 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Sedadren (Topic Starter, Members, 39 posts)

Posted 06 May 2012 - 04:28 PM

Alright, I have spent a good part of the day trying to get Combofix to work. I was sure to start the program and do nothing else, with all applications closed, my antivirus deactivated, and not clicking in the box at all. The following are the results I had:

Attempt 1: Froze immediately. Waited 40 minutes and rebooted.
Attempt 2: Froze after saying it was going to create a restore point. Waited 40 minutes and rebooted.
Attempt 3: Froze after installing something to allow it to create a restore point. Waited 1 hour and rebooted.
Attempt 4: Froze after Scan 3. Waited 35 minutes and rebooted.
Attempt 5: Froze after deleting 78 things beginning with bswecovu and ending with a folder called Windows. Waited 90 minutes and rebooted.
Attempt 6: Froze after scan 50. Not sure how long I waited, but we went to physical therapy, and it had not moved by the time we came back.

On the things it deleted, half were like the bswecovu and appeared to be random strings of letters. Almost half of the rest were system32 things that also had mostly random letters, though I did see iwin games there from one of the games my wife got once. The last 3 were folders. One was an administration folder, two were user folders. One of them was something like .# and the other was Windows. I wish I could get a better report, but it simply would not run all the way through for me to post it.

I did get the security check to work. It is as follows:


Security Check

Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
McAfee Security Scan Plus
Antivirus out of date!
```````````````````````````````
Anti-malware/Other Utilities Check:

MVPS Hosts File
Spybot - Search & Destroy
HijackThis 2.0.2
Java™ 6 Update 16
Java™ 6 Update 30
Java version out of date!
Adobe Flash Player 11.2.202.233
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (12.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Avira Antivir avguard.exe
``````````End of Log````````````


How the computer is doing now: The computer seems to be running, but very slow now. It works, but in slow motion almost. On the plus side, it has been several minutes without any dinging, but that will happen on occasion, so I don't know if that is a fix or if it is actually just taking its time like the rest of the system is. When I reboot now, it has a flash of options for if I want to run Windows, or a couple other options, but they go by so fast I can't tell what the other options are.

I will try and check back frequently; however, we only have one computer in the home, and it is the primary source of entertainment for both myself and my wife. If you are married then you know that the wife gets the first choices, and so hitting the button to watch this thread and get e-mail notifications won't do me any good because she will be on using it.

#4 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 06 May 2012 - 09:34 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#5 Sedadren (Topic Starter, Members, 39 posts)

Posted 07 May 2012 - 07:08 AM

TDSSKiller did reboot the computer, and other than my antivirus having a field day trying to stop me from downloading the programs, I didn't have any problems with these two programs. The following are the logs. Thank you again, I appreciate the help.


TDSSKiller:

06:45:45.0765 4756 TDSS rootkit removing tool 2.7.34.0 May 2 2012 09:59:18
06:45:46.0093 4756 ============================================================
06:45:46.0093 4756 Current date / time: 2012/05/07 06:45:46.0093
06:45:46.0093 4756 SystemInfo:
06:45:46.0093 4756
06:45:46.0093 4756 OS Version: 5.1.2600 ServicePack: 3.0
06:45:46.0093 4756 Product type: Workstation
06:45:46.0093 4756 ComputerName: KI
06:45:46.0093 4756 UserName: Kiren
06:45:46.0093 4756 Windows directory: C:\WINDOWS
06:45:46.0093 4756 System windows directory: C:\WINDOWS
06:45:46.0093 4756 Processor architecture: Intel x86
06:45:46.0093 4756 Number of processors: 2
06:45:46.0093 4756 Page size: 0x1000
06:45:46.0093 4756 Boot type: Normal boot
06:45:46.0093 4756 ============================================================
06:45:50.0015 4756 Drive \Device\Harddisk0\DR0 - Size: 0x7470AFDE00 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
06:45:50.0015 4756 ============================================================
06:45:50.0015 4756 \Device\Harddisk0\DR0:
06:45:50.0031 4756 MBR partitions:
06:45:50.0031 4756 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A380D41
06:45:50.0031 4756 ============================================================
06:45:50.0078 4756 C: <-> \Device\Harddisk0\DR0\Partition0
06:45:50.0078 4756 ============================================================
06:45:50.0078 4756 Initialize success
06:45:50.0078 4756 ============================================================
06:45:51.0687 4828 ============================================================
06:45:51.0687 4828 Scan started
06:45:51.0687 4828 Mode: Manual;
06:45:51.0687 4828 ============================================================
06:45:56.0750 4828 Cdrom - ok
06:45:56.0750 4828 Changer - ok
06:45:56.0796 4828 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
06:45:56.0828 4828 CiSvc - ok
06:45:56.0843 4828 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
06:45:56.0859 4828 ClipSrv - ok
06:45:56.0968 4828 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
06:45:57.0031 4828 clr_optimization_v2.0.50727_32 - ok
06:45:57.0093 4828 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
06:45:57.0203 4828 clr_optimization_v4.0.30319_32 - ok
06:45:57.0203 4828 CmdIde - ok
06:45:57.0203 4828 COMSysApp - ok
06:45:57.0203 4828 Cpqarray - ok
06:45:57.0250 4828 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
06:45:57.0265 4828 CryptSvc - ok
06:45:57.0265 4828 dac2w2k - ok
06:45:57.0265 4828 dac960nt - ok
06:45:57.0328 4828 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
06:45:57.0328 4828 DcomLaunch - ok
06:45:57.0406 4828 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
06:45:57.0421 4828 Dhcp - ok
06:45:57.0468 4828 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
06:45:57.0500 4828 Disk - ok
06:45:57.0500 4828 dmadmin - ok
06:45:57.0593 4828 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
06:45:57.0640 4828 dmboot - ok
06:45:57.0687 4828 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
06:45:57.0703 4828 dmio - ok
06:45:57.0718 4828 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
06:45:57.0734 4828 dmload - ok
06:45:57.0765 4828 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
06:45:57.0781 4828 dmserver - ok
06:45:57.0812 4828 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
06:45:57.0843 4828 DMusic - ok
06:45:57.0875 4828 Dnscache (474b4dc3983173e4b4c9740b0dac98a6) C:\WINDOWS\System32\dnsrslvr.dll
06:45:57.0906 4828 Dnscache - ok
06:45:57.0937 4828 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
06:45:57.0968 4828 Dot3svc - ok
06:45:57.0968 4828 dpti2o - ok
06:45:58.0000 4828 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
06:45:58.0015 4828 drmkaud - ok
06:45:58.0031 4828 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
06:45:58.0046 4828 EapHost - ok
06:45:58.0062 4828 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
06:45:58.0062 4828 ERSvc - ok
06:45:58.0093 4828 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
06:45:58.0156 4828 Eventlog - ok
06:45:58.0203 4828 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\System32\es.dll
06:45:58.0234 4828 EventSystem - ok
06:45:58.0265 4828 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
06:45:58.0281 4828 Fastfat - ok
06:45:58.0312 4828 FastUserSwitchingCompatibility (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
06:45:58.0343 4828 FastUserSwitchingCompatibility - ok
06:45:58.0375 4828 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
06:45:58.0406 4828 Fdc - ok
06:45:58.0437 4828 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
06:45:58.0453 4828 Fips - ok
06:45:58.0484 4828 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
06:45:58.0500 4828 Flpydisk - ok
06:45:58.0546 4828 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
06:45:58.0593 4828 FltMgr - ok
06:45:58.0687 4828 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
06:45:58.0718 4828 FontCache3.0.0.0 - ok
06:45:58.0750 4828 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
06:45:58.0765 4828 Fs_Rec - ok
06:45:58.0953 4828 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
06:45:59.0031 4828 Ftdisk - ok
06:45:59.0046 4828 gdrv (c6e3105b8c68c35cc1eb26a00fd1a8c6) C:\WINDOWS\gdrv.sys
06:45:59.0375 4828 gdrv - ok
06:45:59.0421 4828 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
06:45:59.0437 4828 GEARAspiWDM - ok
06:45:59.0500 4828 getPlusHelper (63677825d08cf4458caae9ef2372e5d6) C:\Program Files\NOS\bin\getPlus_Helper.dll
06:45:59.0562 4828 getPlusHelper - ok
06:45:59.0593 4828 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
06:45:59.0640 4828 Gpc - ok
06:45:59.0656 4828 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
06:45:59.0671 4828 HDAudBus - ok
06:45:59.0718 4828 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
06:45:59.0734 4828 helpsvc - ok
06:45:59.0750 4828 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
06:45:59.0765 4828 HidServ - ok
06:45:59.0796 4828 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
06:45:59.0828 4828 HidUsb - ok
06:45:59.0843 4828 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
06:45:59.0859 4828 hkmsvc - ok
06:45:59.0859 4828 hpn - ok
06:45:59.0921 4828 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
06:45:59.0921 4828 HTTP - ok
06:45:59.0953 4828 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
06:45:59.0984 4828 HTTPFilter - ok
06:45:59.0984 4828 i2omgmt - ok
06:45:59.0984 4828 i2omp - ok
06:46:00.0015 4828 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
06:46:00.0046 4828 i8042prt - ok
06:46:00.0406 4828 IDriverT (6f95324909b502e2651442c1548ab12f) C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
06:46:00.0562 4828 IDriverT - ok
06:46:00.0656 4828 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
06:46:00.0703 4828 idsvc - ok
06:46:00.0750 4828 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
06:46:00.0781 4828 Imapi - ok
06:46:00.0812 4828 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
06:46:00.0812 4828 ImapiService - ok
06:46:00.0812 4828 ini910u - ok
06:46:01.0093 4828 IntcAzAudAddService (2feb5bf0312e1cb76cd2caa875cbaa5d) C:\WINDOWS\system32\drivers\RtkHDAud.sys
06:46:01.0328 4828 IntcAzAudAddService - ok
06:46:01.0437 4828 IntelIde - ok
06:46:01.0468 4828 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
06:46:01.0500 4828 ip6fw - ok
06:46:01.0515 4828 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
06:46:01.0531 4828 IpFilterDriver - ok
06:46:01.0546 4828 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
06:46:01.0562 4828 IpInIp - ok
06:46:01.0593 4828 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
06:46:01.0593 4828 IpNat - ok
06:46:01.0718 4828 iPod Service (8e5e5a8cc84da3f683e3bbc045138d52) C:\Program Files\iPod\bin\iPodService.exe
06:46:01.0765 4828 iPod Service - ok
06:46:01.0828 4828 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
06:46:01.0843 4828 IPSec - ok
06:46:01.0859 4828 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
06:46:01.0875 4828 IRENUM - ok
06:46:01.0906 4828 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
06:46:01.0921 4828 isapnp - ok
06:46:02.0015 4828 iWinTrusted (fe1a970e7ce330bb844e333c374c6599) C:\Program Files\iWin Games\iWinTrusted.exe
06:46:02.0046 4828 iWinTrusted - ok
06:46:02.0093 4828 JavaQuickStarterService (9aa67569d5257462e230767510b0c815) C:\Program Files\Java\jre6\bin\jqs.exe
06:46:02.0125 4828 JavaQuickStarterService - ok
06:46:02.0187 4828 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
06:46:02.0203 4828 Kbdclass - ok
06:46:02.0218 4828 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
06:46:02.0265 4828 kbdhid - ok
06:46:02.0312 4828 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
06:46:02.0343 4828 kmixer - ok
06:46:02.0359 4828 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
06:46:02.0390 4828 KSecDD - ok
06:46:02.0406 4828 lanmanserver (f385f4b02c535bffe1d70cab80838123) C:\WINDOWS\System32\srvsvc.dll
06:46:02.0437 4828 lanmanserver - ok
06:46:02.0468 4828 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
06:46:02.0484 4828 lanmanworkstation - ok
06:46:02.0484 4828 lbrtfdc - ok
06:46:02.0578 4828 Linksys_adapter_H (bcdf72dce41874b3ad9143d537b493b2) C:\WINDOWS\system32\DRIVERS\AE2500xp.sys
06:46:02.0656 4828 Linksys_adapter_H - ok
06:46:02.0687 4828 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
06:46:02.0703 4828 LmHosts - ok
06:46:02.0796 4828 McciCMService (f8b823414a22dbf3bec10dcaa5f93cd8) C:\Program Files\Common Files\Motive\McciCMService.exe
06:46:02.0828 4828 McciCMService - ok
06:46:02.0937 4828 McComponentHostService (f453d1e6d881e8f8717e20ccd4199e85) C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
06:46:02.0968 4828 McComponentHostService - ok
06:46:02.0968 4828 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
06:46:03.0000 4828 Messenger - ok
06:46:03.0093 4828 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
06:46:03.0109 4828 mnmdd - ok
06:46:03.0140 4828 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\System32\mnmsrvc.exe
06:46:03.0171 4828 mnmsrvc - ok
06:46:03.0218 4828 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
06:46:03.0234 4828 Modem - ok
06:46:03.0343 4828 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
06:46:03.0406 4828 Monfilt - ok
06:46:03.0703 4828 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
06:46:03.0718 4828 Mouclass - ok
06:46:03.0750 4828 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
06:46:03.0765 4828 mouhid - ok
06:46:03.0796 4828 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
06:46:03.0828 4828 MountMgr - ok
06:46:03.0890 4828 MozillaMaintenance (96aa8ba23142cc8e2b30f3cae0c80254) C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
06:46:03.0921 4828 MozillaMaintenance - ok
06:46:03.0921 4828 mraid35x - ok
06:46:03.0984 4828 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
06:46:04.0015 4828 MREMP50 - ok
06:46:04.0015 4828 MREMPR5 - ok
06:46:04.0015 4828 MRENDIS5 - ok
06:46:04.0031 4828 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
06:46:04.0046 4828 MRESP50 - ok
06:46:04.0078 4828 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
06:46:04.0109 4828 MRxDAV - ok
06:46:04.0156 4828 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
06:46:04.0218 4828 MRxSmb - ok
06:46:04.0234 4828 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\System32\msdtc.exe
06:46:04.0265 4828 MSDTC - ok
06:46:04.0281 4828 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
06:46:04.0296 4828 Msfs - ok
06:46:04.0296 4828 MSIServer - ok
06:46:04.0328 4828 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
06:46:04.0343 4828 MSKSSRV - ok
06:46:04.0359 4828 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
06:46:04.0375 4828 MSPCLOCK - ok
06:46:04.0375 4828 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
06:46:04.0375 4828 MSPQM - ok
06:46:04.0421 4828 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
06:46:04.0421 4828 mssmbios - ok
06:46:04.0437 4828 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
06:46:04.0468 4828 MSTEE - ok
06:46:04.0484 4828 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
06:46:04.0515 4828 Mup - ok
06:46:04.0546 4828 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
06:46:04.0578 4828 NABTSFEC - ok
06:46:04.0625 4828 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
06:46:04.0656 4828 napagent - ok
06:46:04.0703 4828 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
06:46:04.0750 4828 NDIS - ok
06:46:04.0796 4828 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
06:46:04.0828 4828 NdisIP - ok
06:46:04.0859 4828 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
06:46:04.0890 4828 NdisTapi - ok
06:46:04.0921 4828 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
06:46:04.0953 4828 Ndisuio - ok
06:46:04.0953 4828 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
06:46:04.0968 4828 NdisWan - ok
06:46:04.0984 4828 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
06:46:05.0015 4828 NDProxy - ok
06:46:05.0015 4828 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
06:46:05.0015 4828 NetBIOS - ok
06:46:05.0062 4828 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
06:46:05.0093 4828 NetBT - ok
06:46:05.0125 4828 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
06:46:05.0140 4828 NetDDE - ok
06:46:05.0156 4828 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
06:46:05.0156 4828 NetDDEdsdm - ok
06:46:05.0171 4828 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\System32\lsass.exe
06:46:05.0187 4828 Netlogon - ok
06:46:05.0234 4828 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
06:46:05.0265 4828 Netman - ok
06:46:05.0390 4828 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
06:46:05.0437 4828 NetTcpPortSharing - ok
06:46:05.0453 4828 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
06:46:05.0453 4828 NIC1394 - ok
06:46:05.0468 4828 Nla (832e4dd8964ab7acc880b2837cb1ed20) C:\WINDOWS\System32\mswsock.dll
06:46:05.0484 4828 Nla - ok
06:46:05.0531 4828 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
06:46:05.0562 4828 Npfs - ok
06:46:05.0562 4828 npggsvc - ok
06:46:05.0625 4828 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
06:46:05.0656 4828 Ntfs - ok
06:46:05.0656 4828 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\System32\lsass.exe
06:46:05.0656 4828 NtLmSsp - ok
06:46:05.0703 4828 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
06:46:05.0734 4828 NtmsSvc - ok
06:46:05.0781 4828 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
06:46:05.0812 4828 Null - ok
06:46:05.0843 4828 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
06:46:05.0875 4828 NwlnkFlt - ok
06:46:05.0890 4828 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
06:46:05.0906 4828 NwlnkFwd - ok
06:46:05.0921 4828 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
06:46:05.0921 4828 ohci1394 - ok
06:46:05.0968 4828 PAC7311 (2085d5168fc0c56bb13304d180d244b6) C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS
06:46:05.0984 4828 PAC7311 - ok
06:46:06.0031 4828 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
06:46:06.0062 4828 Parport - ok
06:46:06.0078 4828 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
06:46:06.0093 4828 PartMgr - ok
06:46:06.0125 4828 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
06:46:06.0140 4828 ParVdm - ok
06:46:06.0156 4828 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
06:46:06.0171 4828 PCI - ok
06:46:06.0187 4828 PCIDump - ok
06:46:06.0203 4828 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
06:46:06.0203 4828 PCIIde - ok
06:46:06.0218 4828 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
06:46:06.0250 4828 Pcmcia - ok
06:46:06.0250 4828 PDCOMP - ok
06:46:06.0250 4828 PDFRAME - ok
06:46:06.0265 4828 PDRELI - ok
06:46:06.0265 4828 PDRFRAME - ok
06:46:06.0265 4828 perc2 - ok
06:46:06.0265 4828 perc2hib - ok
06:46:06.0312 4828 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
06:46:06.0312 4828 PlugPlay - ok
06:46:06.0312 4828 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
06:46:06.0312 4828 PolicyAgent - ok
06:46:06.0343 4828 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
06:46:06.0359 4828 PptpMiniport - ok
06:46:06.0390 4828 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
06:46:06.0406 4828 Processor - ok
06:46:06.0406 4828 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
06:46:06.0421 4828 ProtectedStorage - ok
06:46:06.0437 4828 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
06:46:06.0468 4828 PSched - ok
06:46:06.0468 4828 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
06:46:06.0484 4828 Ptilink - ok
06:46:06.0500 4828 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
06:46:06.0515 4828 PxHelp20 - ok
06:46:06.0531 4828 ql1080 - ok
06:46:06.0531 4828 Ql10wnt - ok
06:46:06.0531 4828 ql12160 - ok
06:46:06.0531 4828 ql1240 - ok
06:46:06.0531 4828 ql1280 - ok
06:46:06.0578 4828 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
06:46:06.0593 4828 RasAcd - ok
06:46:06.0625 4828 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
06:46:06.0656 4828 RasAuto - ok
06:46:06.0656 4828 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
06:46:06.0671 4828 Rasl2tp - ok
06:46:06.0703 4828 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
06:46:06.0750 4828 RasMan - ok
06:46:06.0750 4828 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
06:46:06.0781 4828 RasPppoe - ok
06:46:06.0781 4828 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
06:46:06.0796 4828 Raspti - ok
06:46:06.0812 4828 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
06:46:06.0843 4828 Rdbss - ok
06:46:06.0859 4828 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
06:46:06.0890 4828 RDPCDD - ok
06:46:06.0937 4828 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
06:46:06.0968 4828 rdpdr - ok
06:46:07.0031 4828 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
06:46:07.0062 4828 RDPWD - ok
06:46:07.0109 4828 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
06:46:07.0125 4828 RDSessMgr - ok
06:46:07.0140 4828 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
06:46:07.0171 4828 redbook - ok
06:46:07.0203 4828 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
06:46:07.0218 4828 RemoteAccess - ok
06:46:07.0281 4828 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
06:46:07.0312 4828 RemoteRegistry - ok
06:46:07.0328 4828 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\System32\locator.exe
06:46:07.0343 4828 RpcLocator - ok
06:46:07.0406 4828 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
06:46:07.0406 4828 RpcSs - ok
06:46:07.0453 4828 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\System32\rsvp.exe
06:46:07.0468 4828 RSVP - ok
06:46:07.0687 4828 RTHDMIAzAudService (a5a9f4b77d7ff2b02633999ff71a7e9b) C:\WINDOWS\system32\drivers\RtKHDMI.sys
06:46:07.0843 4828 RTHDMIAzAudService - ok
06:46:08.0015 4828 RTLE8023xp (6ebfbbf24fed8285928b825a46618f8a) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
06:46:08.0046 4828 RTLE8023xp - ok
06:46:08.0078 4828 RTLTEAMING (376218d4209b1e749953f9edef0cef2e) C:\WINDOWS\system32\DRIVERS\RTLTEAMING.SYS
06:46:08.0109 4828 RTLTEAMING - ok
06:46:08.0140 4828 RTLVLAN (6ec43dc18746bb9b6ddec4c99b15b6fc) C:\WINDOWS\system32\DRIVERS\RTLVLAN.SYS
06:46:08.0156 4828 RTLVLAN - ok
06:46:08.0187 4828 RtNdPt5x (5ffd2aaf467b80fab34929afb7702060) C:\WINDOWS\system32\DRIVERS\RtNdPt5x.sys
06:46:08.0218 4828 RtNdPt5x - ok
06:46:08.0250 4828 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
06:46:08.0265 4828 SamSs - ok
06:46:08.0312 4828 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
06:46:08.0328 4828 SCardSvr - ok
06:46:08.0359 4828 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
06:46:08.0406 4828 Schedule - ok
06:46:08.0437 4828 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
06:46:08.0453 4828 Secdrv - ok
06:46:08.0484 4828 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
06:46:08.0500 4828 seclogon - ok
06:46:08.0515 4828 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
06:46:08.0515 4828 SENS - ok
06:46:08.0546 4828 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
06:46:08.0578 4828 serenum - ok
06:46:08.0609 4828 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
06:46:08.0625 4828 Serial - ok
06:46:08.0671 4828 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
06:46:08.0703 4828 Sfloppy - ok
06:46:08.0734 4828 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
06:46:08.0750 4828 SharedAccess - ok
06:46:08.0781 4828 ShellHWDetection (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
06:46:08.0781 4828 ShellHWDetection - ok
06:46:08.0781 4828 Simbad - ok
06:46:08.0812 4828 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
06:46:08.0859 4828 SLIP - ok
06:46:08.0859 4828 Sparrow - ok
06:46:08.0906 4828 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
06:46:08.0921 4828 splitter - ok
06:46:08.0937 4828 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
06:46:08.0953 4828 Spooler - ok
06:46:08.0953 4828 sptd - ok
06:46:08.0984 4828 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
06:46:09.0015 4828 sr - ok
06:46:09.0046 4828 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
06:46:09.0062 4828 srservice - ok
06:46:09.0109 4828 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
06:46:09.0140 4828 Srv - ok
06:46:09.0187 4828 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
06:46:09.0187 4828 SSDPSRV - ok
06:46:09.0234 4828 ssmdrv (654dfea96bc82b4acda4f37e5e4a3bbf) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
06:46:09.0250 4828 ssmdrv - ok
06:46:09.0281 4828 STI Simulator (ed78dfad8efcdfbc89500492c4d14645) C:\WINDOWS\System32\PAStiSvc.exe
06:46:09.0312 4828 STI Simulator - ok
06:46:09.0343 4828 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
06:46:09.0390 4828 stisvc - ok
06:46:09.0421 4828 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
06:46:09.0453 4828 streamip - ok
06:46:09.0484 4828 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
06:46:09.0500 4828 swenum - ok
06:46:09.0531 4828 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
06:46:09.0562 4828 swmidi - ok
06:46:09.0562 4828 SwPrv - ok
06:46:09.0562 4828 symc810 - ok
06:46:09.0562 4828 symc8xx - ok
06:46:09.0578 4828 sym_hi - ok
06:46:09.0578 4828 sym_u3 - ok
06:46:09.0593 4828 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
06:46:09.0609 4828 sysaudio - ok
06:46:09.0656 4828 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
06:46:09.0671 4828 SysmonLog - ok
06:46:09.0703 4828 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
06:46:09.0703 4828 TapiSrv - ok
06:46:09.0734 4828 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
06:46:09.0781 4828 Tcpip - ok
06:46:09.0812 4828 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
06:46:09.0843 4828 TDPIPE - ok
06:46:09.0859 4828 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
06:46:09.0875 4828 TDTCP - ok
06:46:09.0875 4828 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
06:46:09.0875 4828 TermDD - ok
06:46:09.0921 4828 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
06:46:09.0937 4828 TermService - ok
06:46:09.0984 4828 Themes (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
06:46:09.0984 4828 Themes - ok
06:46:10.0000 4828 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\System32\tlntsvr.exe
06:46:10.0015 4828 TlntSvr - ok
06:46:10.0031 4828 TosIde - ok
06:46:10.0046 4828 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
06:46:10.0062 4828 TrkWks - ok
06:46:10.0093 4828 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
06:46:10.0109 4828 Udfs - ok
06:46:10.0109 4828 ultra - ok
06:46:10.0156 4828 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
06:46:10.0187 4828 Update - ok
06:46:10.0218 4828 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
06:46:10.0234 4828 upnphost - ok
06:46:10.0250 4828 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
06:46:10.0281 4828 UPS - ok
06:46:10.0312 4828 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
06:46:10.0328 4828 USBAAPL - ok
06:46:10.0375 4828 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
06:46:10.0375 4828 usbaudio - ok
06:46:10.0390 4828 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
06:46:10.0421 4828 usbccgp - ok
06:46:10.0437 4828 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
06:46:10.0468 4828 usbehci - ok
06:46:10.0484 4828 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
06:46:10.0500 4828 usbhub - ok
06:46:10.0531 4828 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
06:46:10.0546 4828 usbohci - ok
06:46:10.0562 4828 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
06:46:10.0578 4828 USBSTOR - ok
06:46:10.0593 4828 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
06:46:10.0609 4828 VgaSave - ok
06:46:10.0609 4828 ViaIde - ok
06:46:10.0656 4828 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
06:46:10.0671 4828 VolSnap - ok
06:46:10.0718 4828 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
06:46:10.0765 4828 VSS - ok
06:46:10.0796 4828 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
06:46:10.0828 4828 W32Time - ok
06:46:10.0843 4828 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
06:46:10.0859 4828 Wanarp - ok
06:46:10.0859 4828 WDICA - ok
06:46:10.0875 4828 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
06:46:10.0890 4828 wdmaud - ok
06:46:10.0937 4828 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
06:46:10.0953 4828 WebClient - ok
06:46:11.0046 4828 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
06:46:11.0062 4828 winmgmt - ok
06:46:11.0171 4828 WinRing0_1_2_0 - ok
06:46:11.0250 4828 WinRM (18f347402da544a780949b8fdf83351b) C:\WINDOWS\system32\WsmSvc.dll
06:46:11.0312 4828 WinRM - ok
06:46:11.0484 4828 wlidsvc (5144ae67d60ec653f97ddf3feed29e77) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
06:46:11.0562 4828 wlidsvc - ok
06:46:11.0671 4828 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
06:46:11.0687 4828 WmdmPmSN - ok
06:46:11.0750 4828 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
06:46:11.0781 4828 Wmi - ok
06:46:11.0828 4828 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
06:46:11.0828 4828 WmiAcpi - ok
06:46:11.0890 4828 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\System32\wbem\wmiapsrv.exe
06:46:11.0906 4828 WmiApSrv - ok
06:46:12.0000 4828 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
06:46:12.0062 4828 WMPNetworkSvc - ok
06:46:12.0250 4828 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
06:46:12.0296 4828 WPFFontCache_v0400 - ok
06:46:12.0437 4828 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
06:46:12.0453 4828 WS2IFSL - ok
06:46:12.0484 4828 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
06:46:12.0500 4828 wscsvc - ok
06:46:12.0515 4828 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
06:46:12.0546 4828 WSTCODEC - ok
06:46:12.0562 4828 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
06:46:12.0562 4828 wuauserv - ok
06:46:12.0578 4828 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
06:46:12.0609 4828 WudfPf - ok
06:46:12.0625 4828 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
06:46:12.0656 4828 WudfRd - ok
06:46:12.0671 4828 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
06:46:12.0718 4828 WudfSvc - ok
06:46:12.0765 4828 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
06:46:12.0828 4828 WZCSVC - ok
06:46:12.0859 4828 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
06:46:12.0906 4828 xmlprov - ok
06:46:12.0937 4828 MBR (0x1B8) (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0
06:46:12.0953 4828 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
06:46:12.0953 4828 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
06:46:12.0953 4828 Boot (0x1200) (45ff4072b6a20d9c0e2dbf608c5aa01c) \Device\Harddisk0\DR0\Partition0
06:46:12.0953 4828 \Device\Harddisk0\DR0\Partition0 - ok
06:46:12.0953 4828 ============================================================
06:46:12.0953 4828 Scan finished
06:46:12.0953 4828 ============================================================
06:46:12.0968 4804 Detected object count: 1
06:46:12.0968 4804 Actual detected object count: 1
06:46:20.0828 4804 \Device\Harddisk0\DR0\# - copied to quarantine
06:46:20.0843 4804 \Device\Harddisk0\DR0 - copied to quarantine
06:46:20.0875 4804 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
06:46:20.0875 4804 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
06:46:20.0890 4804 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
06:46:20.0890 4804 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
06:46:20.0906 4804 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
06:46:20.0906 4804 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
06:46:20.0968 4804 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
06:46:21.0015 4804 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
06:46:21.0015 4804 \Device\Harddisk0\DR0 - ok
06:46:26.0593 4804 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
06:46:38.0625 4792 Deinitialize success


aswMBR:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-07 06:51:20
-----------------------------
06:51:20.234 OS Version: Windows 5.1.2600 Service Pack 3
06:51:20.234 Number of processors: 2 586 0x4303
06:51:20.234 ComputerName: KI UserName:
06:51:21.531 Initialize success
06:53:48.578 AVAST engine defs: 12050700
06:53:59.890 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-12
06:53:59.890 Disk 0 Vendor: WDC_WD5000AAKB-00YSA0 12.01C02 Size: 476938MB BusType: 3
06:53:59.906 Disk 0 MBR read successfully
06:53:59.906 Disk 0 MBR scan
06:53:59.968 Disk 0 Windows XP default MBR code
06:53:59.968 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63
06:53:59.968 Disk 0 scanning sectors +976752000
06:54:00.062 Disk 0 scanning C:\WINDOWS\system32\drivers
06:54:09.734 Service scanning
06:54:23.640 Modules scanning
06:54:28.156 Disk 0 trace - called modules:
06:54:28.171 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
06:54:28.171 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b86fab8]
06:54:28.687 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000070[0x8b91d9a8]
06:54:28.687 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-12[0x8b8bb940]
06:54:30.187 AVAST engine scan C:\WINDOWS
06:54:51.359 AVAST engine scan C:\WINDOWS\system32
06:58:15.328 AVAST engine scan C:\WINDOWS\system32\drivers
06:58:34.953 AVAST engine scan C:\Documents and Settings\Kiren
07:04:41.062 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Kiren\Desktop\MBR.dat"
07:04:41.062 The log file has been saved successfully to "C:\Documents and Settings\Kiren\Desktop\aswMBR.txt"

#6 gringo_pr

gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 May 2012 - 07:57 AM

Hello


Very good.


Now I would like you to try and run ComboFix again for me.



gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Sedadren

Sedadren
  • Topic Starter

  • Members
  • 39 posts

Posted 07 May 2012 - 02:19 PM

I went to bed after more than an hour, but it did finally get done. Here is the log.


ComboFix 12-05-07.01 - Kiren 05/07/2012 8:01.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2611 [GMT -5:00]
Running from: c:\documents and settings\Kiren\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2012-04-07 to 2012-05-07 )))))))))))))))))))))))))))))))
.
.
2012-05-07 11:46 . 2012-05-07 11:46 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-07 02:15 . 2012-05-07 02:15 -------- d-----w- c:\windows\Performance
2012-05-07 02:15 . 2012-05-07 02:15 -------- d-----w- c:\documents and settings\Kiren\Local Settings\Application Data\Microsoft Corporation
2012-05-07 02:14 . 2012-05-07 02:14 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-05-06 00:38 . 2012-05-06 00:38 -------- d-----w- c:\documents and settings\Kiren\Application Data\DriverCure
2012-05-06 00:38 . 2012-05-06 00:38 -------- d-----w- c:\documents and settings\Kiren\Application Data\ParetoLogic
2012-05-06 00:37 . 2012-05-06 04:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\ParetoLogic
2012-04-29 02:01 . 2012-04-29 02:01 -------- d-----w- C:\found.002
2012-04-25 05:47 . 2012-04-25 05:47 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-04-25 05:47 . 2012-04-25 05:47 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-04-25 05:47 . 2012-04-25 05:47 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-04-17 08:57 . 2012-04-17 08:57 -------- d-----w- C:\found.001
2012-04-11 04:10 . 2012-04-18 03:17 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-09 17:43 . 2012-04-09 17:43 -------- d-----w- C:\found.000
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-18 03:17 . 2011-05-28 20:13 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-25 05:47 . 2011-05-06 21:34 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47B6A4A9-DC94-4738-9F20-7411D9691EA4}]
2011-04-20 17:29 81920 ----a-w- c:\program files\chartertoolbar\chartertoolbarDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{47B6A4A9-DC94-4738-9F20-7411D9691EA4}"= "c:\program files\chartertoolbar\chartertoolbarDx.dll" [2011-04-20 81920]
.
[HKEY_CLASSES_ROOT\clsid\{47b6a4a9-dc94-4738-9f20-7411d9691ea4}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPUThermometer"="c:\documents and settings\Kiren\My Documents\Downloads\CPU Thermometer\CPUThermometer.exe" [2011-01-14 127488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kiren^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Kiren\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kiren^Start Menu^Programs^Startup^Delta AutoLoad.lnk]
path=c:\documents and settings\Kiren\Start Menu\Programs\Startup\Delta AutoLoad.lnk
backup=c:\windows\pss\Delta AutoLoad.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kiren^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\documents and settings\Kiren\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kiren^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Kiren\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kiren^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Kiren\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 15:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-04 03:51 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2009-03-02 21:08 209153 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
2002-12-12 05:14 46592 ----a-w- c:\windows\system32\dxdllreg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-10-25 00:45 136176 ----atw- c:\documents and settings\Kiren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 21:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2012-02-23 02:49 6591800 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 19:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iWinTrusted"=2 (0x2)
"wlidsvc"=2 (0x2)
"McciCMService"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"YahooAUService"=2 (0x2)
"idsvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"npggsvc"=3 (0x3)
"McComponentHostService"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FinalTorrent\\FinalTorrent.EXE"=
"c:\\Program Files\\Reality Pump\\Two Worlds\\TwoWorlds.exe"=
"c:\\Program Files\\Reality Pump\\Two Worlds\\TwoWorlds_RADEON.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization IV Colonization\\Colonization.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=
"c:\\NetmarbleGlobal\\MarbleStation\\nmgDownloader\\nmgDownload.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Electronic Arts\\BioWare\\Star Wars - The Old Republic\\swtor\\retailclient\\swtor.exe"=
"c:\\Program Files\\Electronic Arts\\BioWare\\Star Wars - The Old Republic\\launcher.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Kiren\\Application Data\\unc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"56095:TCP"= 56095:TCP:Pando Media Booster
"56095:UDP"= 56095:UDP:Pando Media Booster
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/16/2010 4:31 PM 108289]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [1/20/2010 10:48 PM 22016]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/10/2012 11:10 PM 253088]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/21/2010 5:02 PM 1684736]
S3 Linksys_adapter_H;Linksys Adapter Network Driver;c:\windows\system32\drivers\AE2500xp.sys [9/28/2011 2:27 PM 1034240]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/25/2012 12:47 AM 129976]
S3 PAC7311;Trust WB-3300p Mini HiRes Webcam;c:\windows\system32\drivers\PA707UCM.SYS [10/18/2005 11:48 AM 154752]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [1/20/2010 10:48 PM 29440]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [1/20/2010 10:48 PM 17536]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [7/7/2003 11:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [4/8/2011 10:17 AM 176848]
S4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 03:17]
.
2012-05-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-1960408961-682003330-1003Core.job
- c:\documents and settings\Kiren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-25 00:45]
.
2012-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-1960408961-682003330-1003UA.job
- c:\documents and settings\Kiren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-25 00:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.charter.net/
TCP: DhcpNameServer = 24.217.0.5 24.217.201.67 24.247.15.53
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Kiren\Application Data\Mozilla\Firefox\Profiles\n9wfir94.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-DAEMON Tools Lite - c:\program files\DAEMON Tools Lite\DTLite.exe
MSConfigStartUp-NEMyNTAwQjkwMTZCOTNFOD - c:\documents and settings\All Users.WINDOWS\bswecovu.exe
MSConfigStartUp-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
MSConfigStartUp-Shop To Win - c:\program files\Shop To Win\ShopToWin.exe
AddRemove-LimeWire - c:\program files\LimeWire\uninstall.exe
AddRemove-UnityWebPlayer - c:\documents and settings\Kiren\Local Settings\Application Data\Unity\WebPlayer\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-07 08:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1292428093-1960408961-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1292428093-1960408961-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:a7,3c,55,88,9b,6e,2d,66,f9,fe,ac,74,6e,a4,6b,81,f1,b7,eb,f5,90,
af,ce,9d,87,2e,d1,2f,9d,5f,0c,fe,f7,9f,91,fb,c1,f6,ff,73,4a,09,58,33,b0,b6,\
"rkeysecu"=hex:a3,26,81,76,7a,fa,42,be,41,09,2b,04,ae,42,3f,cc
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:wjY*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11?\16?\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.8"
"DeviceInstanceIds"=multi:"c:\\documents and settings\\kiren\\desktop\\xp32\\sbdrv\\smbus\\smbusati.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2012-05-07 08:40:19
ComboFix-quarantined-files.txt 2012-05-07 13:40
.
Pre-Run: 331,171,631,104 bytes free
Post-Run: 334,873,395,200 bytes free
.
- - End Of File - - 795379138755C3B08B7F57C3F80D9CC2

#8 gringo_pr

gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 May 2012 - 02:46 PM

Greetings

How are things running now?

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#9 Sedadren

Sedadren
  • Topic Starter

  • Members
  • 39 posts

Posted 08 May 2012 - 02:55 PM

Things are better than they have been in months. My wife was on the computer all yesterday and the error dinging appears to have stopped. She didn't have a problem with the scvhost at all last night. Last, when I turn on my computer I run a temperature gauge because I have a processor that runs really hot. It starts out at about 50°C-60°C and today it started out at 39°C, so the temp is dropping dramatically. I can't tell you how much I appreciate the help.

The following is the log you asked for after dropping the file onto it.

ComboFix 12-05-08.02 - Kiren 05/08/2012 14:25:38.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2815 [GMT -5:00]
Running from: c:\documents and settings\Kiren\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Kiren\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2012-04-08 to 2012-05-08 )))))))))))))))))))))))))))))))
.
.
2012-05-07 11:46 . 2012-05-07 11:46 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-07 02:15 . 2012-05-07 02:15 -------- d-----w- c:\windows\Performance
2012-05-07 02:15 . 2012-05-07 02:15 -------- d-----w- c:\documents and settings\Kiren\Local Settings\Application Data\Microsoft Corporation
2012-05-07 02:14 . 2012-05-07 02:14 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-05-06 00:38 . 2012-05-06 00:38 -------- d-----w- c:\documents and settings\Kiren\Application Data\DriverCure
2012-05-06 00:38 . 2012-05-06 00:38 -------- d-----w- c:\documents and settings\Kiren\Application Data\ParetoLogic
2012-05-06 00:37 . 2012-05-06 04:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\ParetoLogic
2012-04-29 02:01 . 2012-04-29 02:01 -------- d-----w- C:\found.002
2012-04-25 05:47 . 2012-04-25 05:47 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-04-25 05:47 . 2012-04-25 05:47 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-04-25 05:47 . 2012-04-25 05:47 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-04-17 08:57 . 2012-04-17 08:57 -------- d-----w- C:\found.001
2012-04-11 04:10 . 2012-04-18 03:17 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-09 17:43 . 2012-04-09 17:43 -------- d-----w- C:\found.000
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-18 03:17 . 2011-05-28 20:13 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-25 05:47 . 2011-05-06 21:34 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47B6A4A9-DC94-4738-9F20-7411D9691EA4}]
2011-04-20 17:29 81920 ----a-w- c:\program files\chartertoolbar\chartertoolbarDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{47B6A4A9-DC94-4738-9F20-7411D9691EA4}"= "c:\program files\chartertoolbar\chartertoolbarDx.dll" [2011-04-20 81920]
.
[HKEY_CLASSES_ROOT\clsid\{47b6a4a9-dc94-4738-9f20-7411d9691ea4}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPUThermometer"="c:\documents and settings\Kiren\My Documents\Downloads\CPU Thermometer\CPUThermometer.exe" [2011-01-14 127488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kiren^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Kiren\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kiren^Start Menu^Programs^Startup^Delta AutoLoad.lnk]
path=c:\documents and settings\Kiren\Start Menu\Programs\Startup\Delta AutoLoad.lnk
backup=c:\windows\pss\Delta AutoLoad.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kiren^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\documents and settings\Kiren\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kiren^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Kiren\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kiren^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Kiren\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 15:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-04 03:51 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2009-03-02 21:08 209153 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
2002-12-12 05:14 46592 ----a-w- c:\windows\system32\dxdllreg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-10-25 00:45 136176 ----atw- c:\documents and settings\Kiren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 21:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2012-02-23 02:49 6591800 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 19:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iWinTrusted"=2 (0x2)
"wlidsvc"=2 (0x2)
"McciCMService"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"YahooAUService"=2 (0x2)
"idsvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"npggsvc"=3 (0x3)
"McComponentHostService"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FinalTorrent\\FinalTorrent.EXE"=
"c:\\Program Files\\Reality Pump\\Two Worlds\\TwoWorlds.exe"=
"c:\\Program Files\\Reality Pump\\Two Worlds\\TwoWorlds_RADEON.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization IV Colonization\\Colonization.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=
"c:\\NetmarbleGlobal\\MarbleStation\\nmgDownloader\\nmgDownload.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Electronic Arts\\BioWare\\Star Wars - The Old Republic\\swtor\\retailclient\\swtor.exe"=
"c:\\Program Files\\Electronic Arts\\BioWare\\Star Wars - The Old Republic\\launcher.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Kiren\\Application Data\\unc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"56095:TCP"= 56095:TCP:Pando Media Booster
"56095:UDP"= 56095:UDP:Pando Media Booster
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/16/2010 4:31 PM 108289]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [1/20/2010 10:48 PM 22016]
R3 WinRing0_1_2_0;WinRing0_1_2_0;\??\c:\documents and settings\Kiren\Local Settings\Temp\tmp1.tmp --> c:\documents and settings\Kiren\Local Settings\Temp\tmp1.tmp [?]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/10/2012 11:10 PM 253088]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/21/2010 5:02 PM 1684736]
S3 Linksys_adapter_H;Linksys Adapter Network Driver;c:\windows\system32\drivers\AE2500xp.sys [9/28/2011 2:27 PM 1034240]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/25/2012 12:47 AM 129976]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PAC7311;Trust WB-3300p Mini HiRes Webcam;c:\windows\system32\drivers\PA707UCM.SYS [10/18/2005 11:48 AM 154752]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [1/20/2010 10:48 PM 29440]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [1/20/2010 10:48 PM 17536]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [7/7/2003 11:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [4/8/2011 10:17 AM 176848]
S4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WINRING0_1_2_0
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 03:17]
.
2012-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-1960408961-682003330-1003Core.job
- c:\documents and settings\Kiren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-25 00:45]
.
2012-05-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-1960408961-682003330-1003UA.job
- c:\documents and settings\Kiren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-25 00:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.charter.net/
TCP: DhcpNameServer = 24.217.0.5 24.217.201.67 24.247.15.53
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Kiren\Application Data\Mozilla\Firefox\Profiles\n9wfir94.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-08 14:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WinRing0_1_2_0]
"ImagePath"="\??\c:\documents and settings\Kiren\Local Settings\Temp\tmp1.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1292428093-1960408961-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1292428093-1960408961-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:a7,3c,55,88,9b,6e,2d,66,f9,fe,ac,74,6e,a4,6b,81,f1,b7,eb,f5,90,
af,ce,9d,87,2e,d1,2f,9d,5f,0c,fe,f7,9f,91,fb,c1,f6,ff,73,4a,09,58,33,b0,b6,\
"rkeysecu"=hex:a3,26,81,76,7a,fa,42,be,41,09,2b,04,ae,42,3f,cc
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:wjY*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11?\16?\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.8"
"DeviceInstanceIds"=multi:"c:\\documents and settings\\kiren\\desktop\\xp32\\sbdrv\\smbus\\smbusati.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(2880)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-05-08 14:44:46
ComboFix-quarantined-files.txt 2012-05-08 19:44
ComboFix2.txt 2012-05-07 13:40
.
Pre-Run: 335,459,950,592 bytes free
Post-Run: 335,438,262,272 bytes free
.
- - End Of File - - 23CBCB157142FEAEA4918B75C3EF6A34
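
Two entries in the ComboFix output above deserve a closer look: the WinRing0_1_2_0 driver whose ImagePath points into the user's Temp folder (tmp1.tmp), and a firewall exception for unc.exe under Application Data. The Python script below is an added example, not part of the original post and not ComboFix code. It parses the three line shapes seen in the log (service/driver lines, AuthorizedApplications entries and ImagePath values) and flags any executable loaded from a user-writable location. The sample lines are copied from the log; the list of user-writable path fragments and the expansion of %windir% to c:\windows are assumptions for the example.

```python
"""Triage the ComboFix-style entries posted above.

Added example (not part of the original post, and not ComboFix code).
It reads service/driver lines, firewall AuthorizedApplications entries
and ImagePath values, and flags any executable that is loaded from a
location an ordinary user can write to. A kernel driver or service
running from Temp or Application Data is worth a second look; the flag
is a prompt for review, not a verdict.
"""
import re

# Path fragments that mark user-writable locations on Windows XP.
# Assumption for this example; paths are compared lower-cased with
# single backslashes.
USER_WRITABLE = (
    "\\local settings\\temp\\",
    "\\application data\\",
    "\\desktop\\",
    "\\my documents\\",
)

# Three line shapes from the log: "Rn name;display;path [...]" or
# "... path --> path [?]", firewall entries '"path"=' and ImagePath values.
SERVICE_RE = re.compile(r"^[RS][0-4] [^;]*;[^;]*;(.+?)(?: --> | \[)")
FWAPP_RE = re.compile(r'^"(.+?)"=\s*$')
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(.+)"$')

# Constructed sample: lines copied from the ComboFix log above.
SAMPLE = r'''
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Documents and Settings\\Kiren\\Application Data\\unc.exe"=
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/16/2010 4:31 PM 108289]
R3 WinRing0_1_2_0;WinRing0_1_2_0;\??\c:\documents and settings\Kiren\Local Settings\Temp\tmp1.tmp --> c:\documents and settings\Kiren\Local Settings\Temp\tmp1.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
"ImagePath"="\??\c:\documents and settings\Kiren\Local Settings\Temp\tmp1.tmp"
'''


def normalise(path):
    """Lower-case, collapse the .reg-style doubled backslashes, drop the
    NT \\??\\ prefix and expand %windir% (assumed to be c:\\windows)."""
    p = path.strip().replace("\\\\", "\\")
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower().replace("%windir%", "c:\\windows")


def is_user_writable(path):
    """True if the (normalised) path sits under a user-writable folder."""
    p = normalise(path)
    return any(frag in p for frag in USER_WRITABLE)


def extract(line):
    """Return (kind, raw_path) for a line in one of the three shapes, else None."""
    m = IMAGEPATH_RE.match(line)
    if m:
        return "imagepath", m.group(1)
    m = SERVICE_RE.match(line)
    if m:
        return "service", m.group(1)
    m = FWAPP_RE.match(line)
    if m:
        return "firewall-exception", m.group(1)
    return None


def triage(log_text):
    """Return [(kind, normalised_path), ...] for entries loaded from
    user-writable locations."""
    findings = []
    for line in log_text.splitlines():
        hit = extract(line.strip())
        if hit and is_user_writable(hit[1]):
            findings.append((hit[0], normalise(hit[1])))
    return findings


if __name__ == "__main__":
    for kind, path in triage(SAMPLE):
        print("%-19s %s" % (kind, path))
```

Run against the sample it reports unc.exe once and tmp1.tmp twice (once as the running driver, once as the stored ImagePath). A flag is a starting point for investigation: WinRing0 is a generic hardware-access driver that monitoring utilities commonly drop into Temp, so a program such as the CPUThermometer.exe seen running later in this thread is one possible source, while an unsigned unc.exe in Application Data with its own firewall exception has no such obvious explanation and should be identified before it is trusted.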

#10 gringo_pr (Malware Response Team)

Posted 08 May 2012 - 09:09 PM

Hello

P2P Warning!

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.

Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (it does a lot better of a job).

Programs to remove

Adobe Reader 9.5.0
Java™ 6 Update 16
Java™ 6 Update 30
LimeWire 5.5.16
McAfee Security Scan Plus
Premiumplay Codec-C

  • Please download and install Revo Uninstaller Free.
  • Double click Revo Uninstaller to run it.
  • From the list of programs, double click on the program to remove.
  • When prompted if you want to uninstall, click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes, then Next.
  • Once done, click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java.

  • Click on the Free Java Download button.
  • Click on Agree and start Free download.
  • Click on Run.
  • Click on Run again.
  • Click on Install.
  • When install is complete, click on Close.

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.


Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select to run as administrator.

Information and logs

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 Sedadren (Topic Starter)

Posted 09 May 2012 - 03:46 AM

The only problem I had was removing the Adobe. I may have misinterpreted the instructions. After I removed from the bold, there were the leftover folders and I removed them, THEN hit Next to see that there were the leftovers there. I was confused and closed out before removing those by accident.

The subsequent removals were fine. I did not find LimeWire in either the program I downloaded nor in my Add/Remove Programs list, but the instructions said they may not all be there.

I already had HijackThis on my computer, so I skipped the step of installing and just got the log file.

Last, I saw TeamViewer come up a few times in a flash here and there, and the warning about P2P I can only assume is referring to that. I don't know of any other programs that would fit the bill on my computer. I didn't even know there was LimeWire installed on here at any point, but the TeamViewer is for my brother, who works on my computer from out of town when he isn't in the hospital like he has been for a few months now. If there is another program, then I am simply not aware of it, and may have to have a serious talk with my wife.

Generally the computer is running well now. Since the dinging and scvhost problems stopped, everything has been doing great for what we use the computer for.

Anyhow, here are the two logs as requested. Thank you and have a great day.

MBAM Log:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.09.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Kiren :: KI [administrator]

Protection: Enabled

5/9/2012 3:09:20 AM
mbam-log-2012-05-09 (03-09-20).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 350713
Time elapsed: 7 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCR\CrossriderApp0000435.BHO (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.BHO.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.

Registry Values Detected: 3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|bak_XMLLookup (Hijacker.XMLLookup) -> Data: http://shell.windows.com/fileassoc/fileassoc.asp?LangID=%04x&Ext=%s -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|bak_Application (Hijacker.Application) -> Data: http://shell.windows.com/fileassoc/%04x/xml/redir.asp?Ext=%s -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|bak_intl (Hijacker.intl) -> Data: http://shell.windows.com/fileassoc/fileassoc.asp?LangID=%04x&Ext=%s -> Quarantined and deleted successfully.

Registry Data Items Detected: 6
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|XMLLookup (Hijacker.XMLLookup) -> Bad: (http://www.helpmeopen.com/?n=app&l=%04x&ext=%s) Good: (http://shell.windows.com/fileassoc/fileassoc.asp?LangID=%04x&Ext=%s) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&l=%04x&ext=%s) Good: (http://shell.windows.com/fileassoc/%04x/xml/redir.asp?Ext=%s) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|intl (Hijacker.intl) -> Bad: (http://www.helpmeopen.com/?n=app&l=%04x&ext=%s) Good: (http://shell.windows.com/fileassoc/fileassoc.asp?LangID=%04x&Ext=%s) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



Hijackthis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:26:56 AM, on 5/9/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Kiren\My Documents\Downloads\CPU Thermometer\CPUThermometer.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
O2 - BHO: Charter Toolbar - {47B6A4A9-DC94-4738-9F20-7411D9691EA4} - C:\Program Files\chartertoolbar\chartertoolbarDx.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O3 - Toolbar: Charter Toolbar - {47B6A4A9-DC94-4738-9F20-7411D9691EA4} - C:\Program Files\chartertoolbar\chartertoolbarDx.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CPUThermometer] C:\Documents and Settings\Kiren\My Documents\Downloads\CPU Thermometer\CPUThermometer.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_2_202_233_Plugin.exe -update plugin
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

--
End of file - 4651 bytes
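
The "Registry Data Items" lines in the MBAM log above record, for each repaired value, the key, the value name, the bad data found (the helpmeopen.com association hijack and the three Security Center DisableNotify flags set to 1) and the good data restored. The Python script below is an added example, not part of the original post and not Malwarebytes code. It parses those lines and writes an equivalent .reg file that re-applies the good data, which is useful for confirming the repair held or redoing it if the hijack returns. The sample holds two of the six lines from the log; the hive expansion table and the rule that purely numeric data becomes a DWORD are assumptions for the example. The "Registry Values Detected" lines (the bak_* values MBAM deleted) are deletions rather than repairs and are deliberately not handled.

```python
"""Rebuild a .reg repair file from MBAM 'Registry Data Items' lines.

Added example (not part of the original post, and not Malwarebytes
code). Each MBAM line names the key, the value, the bad data found and
the good data restored. Parsing those fields and emitting a .reg file
lets you check that the repair held, or re-apply it if the hijack
returns. Hive expansion and the "numeric data becomes a DWORD" rule are
assumptions made for this example.
"""
import re

# Constructed sample: two of the six lines from the MBAM log above,
# plus the heading line, which must be ignored.
SAMPLE_MBAM = r"""
Registry Data Items Detected: 6
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|XMLLookup (Hijacker.XMLLookup) -> Bad: (http://www.helpmeopen.com/?n=app&l=%04x&ext=%s) Good: (http://shell.windows.com/fileassoc/fileassoc.asp?LangID=%04x&Ext=%s) -> Quarantined and repaired successfully.
"""

# key|value (detection) -> Bad: (...) Good: (...) -> outcome
ITEM_RE = re.compile(
    r"^(?P<key>[^|]+)\|(?P<value>\S+) \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> "
)

# MBAM hive abbreviations expanded to the names regedit expects (assumed).
HIVES = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKU": "HKEY_USERS",
}


def parse_items(log_text):
    """Return a dict per repaired value: key, value, detection, bad, good."""
    items = []
    for line in log_text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.append(m.groupdict())
    return items


def full_key(key):
    """Expand the MBAM hive abbreviation to the form .reg files need."""
    hive, _, rest = key.partition("\\")
    return HIVES.get(hive, hive) + "\\" + rest


def reg_data(good):
    """Render the good data: digits become a DWORD, anything else a string."""
    if good.isdigit():
        return "dword:%08x" % int(good)
    return '"%s"' % good.replace("\\", "\\\\").replace('"', '\\"')


def to_reg(items):
    """Group the items by key and emit .reg text that restores the good data."""
    by_key = {}
    for it in items:
        by_key.setdefault(full_key(it["key"]), []).append(it)
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, vals in by_key.items():
        out.append("[%s]" % key)
        for it in vals:
            out.append('"%s"=%s' % (it["value"], reg_data(it["good"])))
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_reg(parse_items(SAMPLE_MBAM)))
```

Import the resulting file only after reading it: it re-applies exactly what the log calls good data and nothing else, and if the Associations values flip back to helpmeopen.com afterwards, something on the machine is still rewriting them and the .reg file is a symptom fix, not the cure.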

#12 gringo_pr (Malware Response Team)

Posted 09 May 2012 - 07:38 AM

Greetings

The P2P was LimeWire, but if you cannot find it, it is no big deal.

These logs are looking very good; we are almost done!!! Just one more scan to go.

Remove unneeded start-up entries

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to be; any of these programs you can click on their icons (or start from the Control Panel) and start the program when you need it. By stopping these programs, you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    • O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    • O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    • O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_2_202_233_Plugin.exe -update plugin
  • Close all open windows and browsers/email, etc.
  • Click on the "Fix Checked" button.
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not;
    just copy the name between the brackets and paste into the search space:
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select to run as administrator.

ESET Online Scanner

**Note** You will need to use Internet Explorer for this scan. Vista and Win 7: right click on the IE shortcut and run as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click on the ESET Online Scanner button.
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start.
  • When asked, allow the ActiveX control to install.
    • Click Start.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings; ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan.
  • Wait for the scan to finish.
  • Click on Copy to clipboard, or copy and paste the results here in this topic.

Copy and paste that log as a reply to this topic.

Gringo

Edited by gringo_pr, 09 May 2012 - 07:38 AM.


#13 Sedadren (Topic Starter)

Posted 09 May 2012 - 11:59 PM

Of the 4 things you said to get rid of on hijackthis, only one was there when I went to do it. I went ahead and did another scan to be safe, and am going to post it here.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:05 PM, on 5/9/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Kiren\My Documents\Downloads\CPU Thermometer\CPUThermometer.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
O2 - BHO: Charter Toolbar - {47B6A4A9-DC94-4738-9F20-7411D9691EA4} - C:\Program Files\chartertoolbar\chartertoolbarDx.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O3 - Toolbar: Charter Toolbar - {47B6A4A9-DC94-4738-9F20-7411D9691EA4} - C:\Program Files\chartertoolbar\chartertoolbarDx.dll
O4 - HKCU\..\Run: [CPUThermometer] C:\Documents and Settings\Kiren\My Documents\Downloads\CPU Thermometer\CPUThermometer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe

--
End of file - 3574 bytes




For the ESET Online Scanner, I go to the page in Internet Explorer, I click to run the scan, and when it comes to accepting the ActiveX install, it gives me about 1/10th of a second where something flashes up and then the program closes. I have turned off all antivirus that I am aware of before doing this, but I can't get the program to run.

In addition, when MBAM is running, about every 10 minutes it gives a bubble popup from the lower left hand corner telling me it has stopped an attack page, even when we have not started using the internet yet.

I don't think this reply is going as well as we had hoped.

#14 gringo_pr (Malware Response Team)

Posted 10 May 2012 - 12:28 AM

Hello

Try resetting IE: go here, scroll down, click on Show all, and click on the Fix it button: http://windows.microsoft.com/en-US/windows-vista/Reset-Internet-Explorer-8-settings


If that does not work, then try this one.

F-Secure Online Scan

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please go HERE to run an online scan from F-Secure.
  • Click on Start scanning.
  • This will open a new window.

    In Internet Explorer
  • It will require an ActiveX control; please install it.
  • Click Accept.

    In Firefox
  • It will require an Add-on to be installed; please install it.
  • In order to install the Add-on, Firefox needs to be restarted; please do so.
  • Click Full System Scan.
  • It will now download the scanner; this may take a while, please be patient.
  • It will then start scanning; wait for the scan to finish.
  • Click Automatic cleaning (recommended).
  • Wait for it to finish the cleaning process.
  • Click Show report.
  • This will open up a window with the results of the scan; copy and paste those results as a reply to this topic.

Gringo

#15 Sedadren (Topic Starter)

Posted 11 May 2012 - 06:03 AM

I reset IE easily enough; however, ESET Online Scanner still isn't wanting to run for me. I suspect I have some antivirus stopping it, but I don't know how, since I am turning it off before the scan. It sounds like a popup blocker when I try to run the scan, but I am unaware of any popup blocker I have on IE, or how to turn it off. I turned one off under Tools, but it is still blocking it. There is a very fast "click here to install" something that flashes before I hear the sound like it is blocking it, but it is fast enough that I can't click on it, and I can't read it all.



