
Infected with Sirefef & can't remove


29 replies to this topic

#1 k-blur (Members, 18 posts)

Posted 27 July 2012 - 09:10 PM

Assisting a friend with their PC. It's running Eset AV V.5 and MBAM. Both detect and block Sirefef variants as follows:
Sirefef.EZ
A variant of Sirefef.EZ
A variant of Sirefef.FA
A variant of Sirefef.FD
The infections are detected in operating memory - svchost.exe, in file C:\Windows\assembly\GAC\desktop.ini, and also in a restore point in the System Volume Information, usually at startup.

Neither Eset nor MBAM can remove the infection.

I have exported email from Outlook Express to a backup folder, still on the infected machine, and imaged the drive on a Linux box to preserve user data. Not sure if I want to be restoring the email though, as I don't know the infection vector for Sirefef.

I have successfully run Defogger.
D.D.S. starts but will not complete in either Safe or Normal Mode - shows a command prompt window with a line of #'s, then locks the machine up requiring a hard reset, before completing or producing log files.
I have run GMER - it detects rootkit activity. I have not attempted to disable or remove the rootkit service, but have checked and both options are greyed out, i.e. not available, from the initial scan.

GMER log is as follows:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-23 21:31:55
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 IC35L040AVVN07-0 rev.VA2OAF1A
Running: 6k71zqjq.exe; Driver: C:\DOCUME~1\WALTER~1\LOCALS~1\Temp\kwtdrpog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xB19FA4B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwCreateThread [0xB19FA7F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xB19FAAB0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xB19FA5D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwLoadDriver [0xB19FA8B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xB19FA350]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xB19FA410]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xB19FA570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xB19FA630]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xB19FA530]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xB19FA4F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xB19FA670]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSystemInformation [0xB19FA870]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xB19FA3B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xB19FA430]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSystemDebugControl [0xB19FA830]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xB19FA370]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xB19FA470]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xB19FA5F0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 440 804E2AAC 12 Bytes [B0, A3, 9F, B1, 30, A4, 9F, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1688] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \FileSystem\Fastfat \Fat B0B10D20

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library c:\windows\system32\n (*** hidden *** ) @ c:\windows\explorer.exe [1440] 0x01900000

---- EOF - GMER 1.0.15 ----

I hope you'll be able to help.

Thank you
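As an added example (not part of k-blur's post, and not output of GMER or any other tool), here is a small Python triage script for a GMER log like the one above. It parses the four record types the log contains, groups SSDT hooks and attached filter devices by the vendor named in GMER's "(Description/Vendor)" field, treats the library GMER marks as hidden inside explorer.exe as the primary indicator, and decodes the 12-byte patch GMER saw in ntoskrnl.exe as little-endian pointers so they can be checked against the SSDT hook addresses it listed: the first four bytes, B0 A3 9F B1, are 0xB19FA3B0, which the log itself attributes to ESET's ehdrv.sys hook on ZwSuspendProcess, so that "kernel code section" entry is consistent with the AV's own hooking rather than with the rootkit. The embedded log is a verbatim subset of the lines in the post; the trusted-vendor set is an assumption.

```python
"""GMER log triage: added example, not part of the original post or of GMER."""
import re

# Subset of the GMER log posted above, copied verbatim.
GMER_LOG = r"""
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xB19FA350]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xB19FA3B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xB19FA430]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xB19FA370]
.text ntoskrnl.exe!_abnormal_termination + 440 804E2AAC 12 Bytes [B0, A3, 9F, B1, 30, A4, 9F, ...]
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Library c:\windows\system32\n (*** hidden *** ) @ c:\windows\explorer.exe [1440] 0x01900000
"""

SSDT_RE = re.compile(r"^SSDT (\S+) \((.*?)\) (Zw\w+) \[(0x[0-9A-Fa-f]+)\]")
PATCH_RE = re.compile(r"^\.text (\S+) \+ (\S+) ([0-9A-Fa-f]+) (\d+) Bytes \[(.*)\]")
ATTACHED_RE = re.compile(r"^AttachedDevice (\S+) (\S+) (\S+) \((.*?)\)")
HIDDEN_RE = re.compile(r"^Library (\S+) \(\*\*\* hidden \*\*\* \) @ (\S+) \[(\d+)\] (0x[0-9A-Fa-f]+)")

# Assumption: vendors whose kernel hooks and file-system filters are expected on this machine.
TRUSTED_VENDORS = {"ESET", "Microsoft Corporation"}


def vendor_of(description):
    """GMER prints '(Description/Vendor)'; the vendor is the text after the last '/'."""
    return description.rsplit("/", 1)[-1].strip()


def parse_gmer(text):
    """Split a GMER log into SSDT hooks, kernel code patches, attached devices and hidden modules."""
    found = {"ssdt": [], "patches": [], "attached": [], "hidden": []}
    for line in text.splitlines():
        line = line.strip()
        if m := SSDT_RE.match(line):
            path, desc, func, addr = m.groups()
            found["ssdt"].append({"module": path, "vendor": vendor_of(desc),
                                  "function": func, "address": int(addr, 16)})
        elif m := PATCH_RE.match(line):
            sym, off, addr, size, dump = m.groups()
            found["patches"].append({"symbol": f"{sym}+{off}", "address": int(addr, 16),
                                     "size": int(size), "bytes": dump})
        elif m := ATTACHED_RE.match(line):
            _, dev, drv, desc = m.groups()
            found["attached"].append({"device": dev, "driver": drv, "vendor": vendor_of(desc)})
        elif m := HIDDEN_RE.match(line):
            mod, proc, pid, base = m.groups()
            found["hidden"].append({"module": mod, "process": proc, "pid": int(pid), "base": int(base, 16)})
    return found


def explain_patch(patch, hooks):
    """Decode GMER's byte dump as little-endian DWORDs and look each up among the SSDT hook addresses.
    A trailing group cut short by GMER's '...' is matched as a low-byte prefix and reported as 'partial'."""
    tokens = [t.strip() for t in patch["bytes"].split(",")]
    raw = [int(t, 16) for t in tokens if re.fullmatch(r"[0-9A-Fa-f]{2}", t)]
    by_addr = {h["address"]: h["function"] for h in hooks}
    matches = []
    for i in range(0, len(raw), 4):
        group = raw[i:i + 4]
        value = int.from_bytes(bytes(group), "little")
        if len(group) == 4:
            if value in by_addr:
                matches.append((by_addr[value], "exact"))
        else:
            mask = (1 << (8 * len(group))) - 1
            matches.extend((fn, "partial") for addr, fn in by_addr.items() if addr & mask == value)
    return matches


def triage(found, trusted=TRUSTED_VENDORS):
    """Return (severity, message) alerts: hidden modules always, hooks/filters only from untrusted vendors,
    and kernel patches only when no listed SSDT hook accounts for the bytes written."""
    alerts = []
    for h in found["hidden"]:
        alerts.append(("high", f"hidden module {h['module']} mapped into {h['process']} (pid {h['pid']})"))
    for h in found["ssdt"]:
        if h["vendor"] not in trusted:
            alerts.append(("medium", f"SSDT hook on {h['function']} by untrusted {h['module']}"))
    for d in found["attached"]:
        if d["vendor"] not in trusted:
            alerts.append(("medium", f"untrusted filter {d['driver']} attached to {d['device']}"))
    for p in found["patches"]:
        if not explain_patch(p, found["ssdt"]):
            alerts.append(("medium", f"unexplained kernel patch at {p['symbol']} ({p['size']} bytes)"))
    return alerts


if __name__ == "__main__":
    found = parse_gmer(GMER_LOG)
    for sev, msg in triage(found):
        print(sev.upper(), msg)
    for fn, how in explain_patch(found["patches"][0], found["ssdt"]):
        print("ntoskrnl patch bytes match SSDT hook", fn, f"({how})")
```

On the full log the only alert is the hidden module in explorer.exe; every SSDT hook and attached device carries an ESET or Microsoft vendor string, and the ntoskrnl bytes resolve to ESET's ZwSuspendProcess hook exactly and its ZwSuspendThread hook as a three-byte prefix. Treat vendor strings as a triage aid only: GMER takes them from the file's version resource, which a rootkit can forge.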


#2 narenxp (BC Advisor, 16,371 posts, India)

Posted 28 July 2012 - 12:02 AM

Download TDSSKiller.

Launch it. Click on "Change parameters" and select "TDLFS file system".

Click on "Scan". Please post the log report (the log file should be in your C: drive).

Do not change the default options on the scan results.

Download aswMBR.

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on "Save log".

Post the log results here.

Download ESET Online Scanner.

Install it.

Click on START; it should download the virus definitions.
When the scan is completed, click on "List of found threats".

Export the list to the desktop and copy the contents of the text file into your reply.
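Most of a TDSSKiller log is a long list of services, each with the MD5 and path of its image on one line and a verdict ("name - ok") on the next. As an added example (not part of narenxp's instructions, and not TDSSKiller's own code), here is a Python helper that parses that format, lists every service whose verdict is not "ok", checks that an image reported under several services (lsass.exe and services.exe each appear several times) always carries the same hash, and compares hashes against a known-good baseline. All but the last two lines of the embedded log are copied from the TDSSKiller log posted later in this thread; the `hypothetical_drv` service, its verdict text and the `BASELINE` dictionary are constructed for the demonstration.

```python
"""TDSSKiller log triage: added example, not part of the thread's own tool output."""
import os
import re
from collections import defaultdict

# Lines in TDSSKiller's per-service format. All but the last two are taken from the
# log posted later in this thread; the last two are CONSTRUCTED (service name and
# verdict string are hypothetical) to show what a non-"ok" entry looks like.
TDSS_LOG = r"""
23:49:45.0843 4008 Scan started
23:49:45.0843 4008 Mode: Manual;
23:49:46.0125 4008 Abiosdsk - ok
23:49:46.0953 4008 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
23:49:46.0953 4008 atapi - ok
23:49:53.0796 4008 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\System32\lsass.exe
23:49:53.0796 4008 Netlogon - ok
23:49:54.0406 4008 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\System32\lsass.exe
23:49:54.0406 4008 NtLmSsp - ok
23:49:54.0328 4008 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
23:49:54.0343 4008 Ntfs - ok
23:49:58.0500 4008 hypothetical_drv (00000000000000000000000000000000) C:\WINDOWS\system32\drivers\hypothetical_drv.sys
23:49:58.0500 4008 hypothetical_drv - detected Hypothetical.Verdict (0)
"""

# CONSTRUCTED baseline keyed by file name: the two real hashes are copied from the
# posted log; the third is a made-up "known good" value so the hypothetical driver mismatches.
BASELINE = {
    "atapi.sys": "9f3a2f5aa6875c72bf062c712cfa2674",
    "ntfs.sys": "78a08dd6a8d65e697c18e1db01c5cdca",
    "hypothetical_drv.sys": "11111111111111111111111111111111",
}

# "<time> <pid> <service> (<md5>) <path>" and "<time> <pid> <service> - <verdict>"
MODULE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\d+) (\S+) \(([0-9a-f]{32})\) (.+)$")
VERDICT_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\d+) (\S+) - (.+)$")


def parse_tdsskiller(text):
    """Return {service: {"md5", "path", "verdict"}}; services without an image (legacy entries
    such as Abiosdsk) keep md5/path as None."""
    entries = {}
    blank = lambda: {"md5": None, "path": None, "verdict": None}
    for line in text.splitlines():
        if m := MODULE_RE.match(line):
            _, _, name, md5, path = m.groups()
            entries.setdefault(name, blank()).update(md5=md5, path=path.strip())
        elif m := VERDICT_RE.match(line):
            _, _, name, verdict = m.groups()
            entries.setdefault(name, blank())["verdict"] = verdict.strip()
    return entries


def find_non_ok(entries):
    """Every service whose verdict is not exactly 'ok' (a missing verdict counts too:
    a log cut off mid-scan gives None, which should be looked at rather than ignored)."""
    return [(name, e["verdict"]) for name, e in entries.items() if e["verdict"] != "ok"]


def hash_conflicts(entries):
    """Image paths reported with more than one MD5 across services; a host image like
    lsass.exe must hash identically every time it appears."""
    seen = defaultdict(set)
    for e in entries.values():
        if e["path"]:
            seen[e["path"].lower()].add(e["md5"])
    return sorted(p for p, hashes in seen.items() if len(hashes) > 1)


def check_baseline(entries, baseline):
    """(service, file, expected, actual) for every image whose MD5 differs from the baseline."""
    mismatches = []
    for name, e in sorted(entries.items()):
        if not e["path"]:
            continue
        fname = os.path.basename(e["path"].replace("\\", "/")).lower()
        expected = baseline.get(fname)
        if expected and expected != e["md5"]:
            mismatches.append((name, fname, expected, e["md5"]))
    return mismatches


if __name__ == "__main__":
    entries = parse_tdsskiller(TDSS_LOG)
    print(len(entries), "services parsed")
    print("non-ok verdicts:", find_non_ok(entries))
    print("hash conflicts:", hash_conflicts(entries))
    print("baseline mismatches:", check_baseline(entries, BASELINE))
```

A baseline of hashes taken from a clean machine with the same OS and service pack is what makes the last check useful; hashes copied from the infected machine's own log, as done here for illustration, only prove the log is self-consistent.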

#3 k-blur (Topic Starter, Members, 18 posts)

Posted 28 July 2012 - 12:26 AM

Thanks for the quick reply - I will have the logs for you tomorrow morning. Have to go to work shortly.

#4 narenxp (BC Advisor, 16,371 posts, India)

Posted 28 July 2012 - 12:27 AM

:thumbup2:

#5 k-blur (Topic Starter, Members, 18 posts)

Posted 28 July 2012 - 11:20 AM

Here's the TDSSKiller log:

23:49:22.0765 3004 TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
23:49:23.0109 3004 ============================================================
23:49:23.0109 3004 Current date / time: 2012/07/28 23:49:23.0109
23:49:23.0109 3004 SystemInfo:
23:49:23.0109 3004
23:49:23.0109 3004 OS Version: 5.1.2600 ServicePack: 3.0
23:49:23.0109 3004 Product type: Workstation
23:49:23.0109 3004 ComputerName: IBM-P4
23:49:23.0109 3004 UserName: Walter & Adelphe
23:49:23.0109 3004 Windows directory: C:\WINDOWS
23:49:23.0109 3004 System windows directory: C:\WINDOWS
23:49:23.0109 3004 Processor architecture: Intel x86
23:49:23.0109 3004 Number of processors: 1
23:49:23.0109 3004 Page size: 0x1000
23:49:23.0109 3004 Boot type: Normal boot
23:49:23.0109 3004 ============================================================
23:49:26.0265 3004 Drive \Device\Harddisk0\DR0 - Size: 0x951240000 (37.27 Gb), SectorSize: 0x200, Cylinders: 0x1301, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
23:49:26.0281 3004 Drive \Device\Harddisk1\DR3 - Size: 0xEF000000 (3.73 Gb), SectorSize: 0x200, Cylinders: 0x1E7, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
23:49:26.0281 3004 ============================================================
23:49:26.0281 3004 \Device\Harddisk0\DR0:
23:49:26.0281 3004 MBR partitions:
23:49:26.0281 3004 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x4732128
23:49:26.0281 3004 \Device\Harddisk1\DR3:
23:49:26.0281 3004 MBR partitions:
23:49:26.0281 3004 \Device\Harddisk1\DR3\Partition0: MBR, Type 0xC, StartLBA 0x30, BlocksNum 0x777FD0
23:49:26.0281 3004 ============================================================
23:49:26.0312 3004 C: <-> \Device\Harddisk0\DR0\Partition0
23:49:26.0312 3004 ============================================================
23:49:26.0312 3004 Initialize success
23:49:26.0312 3004 ============================================================
23:49:45.0843 4008 ============================================================
23:49:45.0843 4008 Scan started
23:49:45.0843 4008 Mode: Manual;
23:49:45.0843 4008 ============================================================
23:49:46.0125 4008 Abiosdsk - ok
23:49:46.0140 4008 abp480n5 - ok
23:49:46.0203 4008 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
23:49:46.0203 4008 ACPI - ok
23:49:46.0250 4008 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
23:49:46.0265 4008 ACPIEC - ok
23:49:46.0281 4008 adpu160m - ok
23:49:46.0312 4008 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
23:49:46.0328 4008 aec - ok
23:49:46.0390 4008 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
23:49:46.0406 4008 AFD - ok
23:49:46.0421 4008 Aha154x - ok
23:49:46.0453 4008 aic78u2 - ok
23:49:46.0468 4008 aic78xx - ok
23:49:46.0531 4008 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
23:49:46.0531 4008 Alerter - ok
23:49:46.0562 4008 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
23:49:46.0562 4008 ALG - ok
23:49:46.0593 4008 AliIde - ok
23:49:46.0625 4008 amsint - ok
23:49:46.0687 4008 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
23:49:46.0687 4008 AppMgmt - ok
23:49:46.0718 4008 asc - ok
23:49:46.0734 4008 asc3350p - ok
23:49:46.0765 4008 asc3550 - ok
23:49:46.0859 4008 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
23:49:46.0875 4008 aspnet_state - ok
23:49:46.0921 4008 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
23:49:46.0921 4008 AsyncMac - ok
23:49:46.0953 4008 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
23:49:46.0953 4008 atapi - ok
23:49:46.0984 4008 Atdisk - ok
23:49:47.0015 4008 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
23:49:47.0015 4008 Atmarpc - ok
23:49:47.0093 4008 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
23:49:47.0093 4008 AudioSrv - ok
23:49:47.0140 4008 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
23:49:47.0140 4008 audstub - ok
23:49:47.0187 4008 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
23:49:47.0187 4008 Beep - ok
23:49:47.0250 4008 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
23:49:47.0250 4008 Browser - ok
23:49:47.0296 4008 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
23:49:47.0296 4008 cbidf2k - ok
23:49:47.0328 4008 cd20xrnt - ok
23:49:47.0359 4008 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
23:49:47.0359 4008 Cdaudio - ok
23:49:47.0421 4008 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
23:49:47.0421 4008 Cdfs - ok
23:49:47.0453 4008 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
23:49:47.0453 4008 Cdrom - ok
23:49:47.0484 4008 Changer - ok
23:49:47.0546 4008 cisvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\System32\cisvc.exe
23:49:47.0546 4008 cisvc - ok
23:49:47.0562 4008 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
23:49:47.0578 4008 ClipSrv - ok
23:49:47.0625 4008 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
23:49:47.0656 4008 clr_optimization_v2.0.50727_32 - ok
23:49:47.0671 4008 CmdIde - ok
23:49:47.0703 4008 COMSysApp - ok
23:49:47.0734 4008 Cpqarray - ok
23:49:47.0781 4008 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
23:49:47.0781 4008 CryptSvc - ok
23:49:47.0812 4008 dac2w2k - ok
23:49:47.0828 4008 dac960nt - ok
23:49:47.0906 4008 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
23:49:47.0937 4008 DcomLaunch - ok
23:49:47.0984 4008 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
23:49:48.0000 4008 Dhcp - ok
23:49:48.0046 4008 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
23:49:48.0046 4008 Disk - ok
23:49:48.0078 4008 dmadmin - ok
23:49:48.0171 4008 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
23:49:48.0203 4008 dmboot - ok
23:49:48.0234 4008 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
23:49:48.0250 4008 dmio - ok
23:49:48.0296 4008 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
23:49:48.0296 4008 dmload - ok
23:49:48.0343 4008 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
23:49:48.0343 4008 dmserver - ok
23:49:48.0375 4008 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
23:49:48.0390 4008 DMusic - ok
23:49:48.0437 4008 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
23:49:48.0437 4008 Dnscache - ok
23:49:48.0500 4008 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
23:49:48.0500 4008 Dot3svc - ok
23:49:48.0531 4008 dpti2o - ok
23:49:48.0593 4008 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
23:49:48.0593 4008 drmkaud - ok
23:49:48.0656 4008 E100B (f1cbea5910b1e0c04222819cc6d2ef00) C:\WINDOWS\system32\DRIVERS\e100b325.sys
23:49:48.0656 4008 E100B - ok
23:49:48.0718 4008 eamon (8c2b6bbc82ad12cd9a2e73e5dcbba705) C:\WINDOWS\system32\DRIVERS\eamon.sys
23:49:48.0734 4008 eamon - ok
23:49:48.0781 4008 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
23:49:48.0781 4008 EapHost - ok
23:49:48.0828 4008 EGATHDRV (fade3c8099d7570c090738453d29123e) C:\WINDOWS\System32\EGATHDRV.SYS
23:49:48.0828 4008 EGATHDRV - ok
23:49:48.0890 4008 ehdrv (5412ed24fffca64e2f0168399b86c952) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
23:49:48.0906 4008 ehdrv - ok
23:49:49.0140 4008 ekrn (ad4faade819e0da9933bea7c01d2c763) C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
23:49:49.0156 4008 ekrn - ok
23:49:49.0218 4008 epfwtdir (cf1108161dfedd82ae811307a3763e1c) C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
23:49:49.0218 4008 epfwtdir - ok
23:49:49.0265 4008 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
23:49:49.0265 4008 ERSvc - ok
23:49:49.0328 4008 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
23:49:49.0343 4008 Eventlog - ok
23:49:49.0406 4008 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\System32\es.dll
23:49:49.0406 4008 EventSystem - ok
23:49:49.0468 4008 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
23:49:49.0468 4008 Fastfat - ok
23:49:49.0531 4008 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
23:49:49.0531 4008 FastUserSwitchingCompatibility - ok
23:49:49.0562 4008 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
23:49:49.0562 4008 Fdc - ok
23:49:49.0625 4008 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
23:49:49.0625 4008 Fips - ok
23:49:49.0656 4008 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
23:49:49.0656 4008 Flpydisk - ok
23:49:49.0703 4008 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
23:49:49.0718 4008 FltMgr - ok
23:49:49.0859 4008 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
23:49:49.0859 4008 FontCache3.0.0.0 - ok
23:49:49.0921 4008 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
23:49:49.0921 4008 Fs_Rec - ok
23:49:49.0953 4008 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
23:49:49.0953 4008 Ftdisk - ok
23:49:50.0078 4008 GoogleDesktopManager-051210-111108 (9f5f2f0fb0a7f5aa9f16b9a7b6dad89f) C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
23:49:50.0078 4008 GoogleDesktopManager-051210-111108 - ok
23:49:50.0140 4008 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
23:49:50.0156 4008 Gpc - ok
23:49:50.0250 4008 gupdate (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files\Google\Update\GoogleUpdate.exe
23:49:50.0250 4008 gupdate - ok
23:49:50.0265 4008 gupdatem (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files\Google\Update\GoogleUpdate.exe
23:49:50.0281 4008 gupdatem - ok
23:49:50.0328 4008 gusvc (5467f1ff0af264566740f67e8b810735) C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
23:49:50.0343 4008 gusvc - ok
23:49:50.0437 4008 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
23:49:50.0437 4008 helpsvc - ok
23:49:50.0453 4008 HidServ - ok
23:49:50.0515 4008 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
23:49:50.0515 4008 HidUsb - ok
23:49:50.0562 4008 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
23:49:50.0562 4008 hkmsvc - ok
23:49:50.0593 4008 hpn - ok
23:49:50.0609 4008 hpt3xx - ok
23:49:50.0687 4008 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
23:49:50.0687 4008 HTTP - ok
23:49:50.0750 4008 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
23:49:50.0812 4008 HTTPFilter - ok
23:49:50.0828 4008 i2omgmt - ok
23:49:50.0859 4008 i2omp - ok
23:49:50.0890 4008 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
23:49:50.0906 4008 i8042prt - ok
23:49:50.0968 4008 ialm (d94e8efac511a2cf13b0232bd692074d) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
23:49:50.0968 4008 ialm - ok
23:49:51.0062 4008 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
23:49:51.0156 4008 idsvc - ok
23:49:51.0187 4008 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\drivers\Imapi.sys
23:49:51.0203 4008 Imapi - ok
23:49:51.0234 4008 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\System32\imapi.exe
23:49:51.0250 4008 ImapiService - ok
23:49:51.0281 4008 ini910u - ok
23:49:51.0312 4008 IntelIde - ok
23:49:51.0359 4008 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
23:49:51.0359 4008 intelppm - ok
23:49:51.0406 4008 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
23:49:51.0406 4008 ip6fw - ok
23:49:51.0453 4008 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
23:49:51.0453 4008 IpFilterDriver - ok
23:49:51.0515 4008 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
23:49:51.0531 4008 IpInIp - ok
23:49:51.0562 4008 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
23:49:51.0562 4008 IpNat - ok
23:49:51.0593 4008 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
23:49:51.0593 4008 IPSec - ok
23:49:51.0625 4008 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
23:49:51.0640 4008 IRENUM - ok
23:49:51.0703 4008 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
23:49:51.0718 4008 isapnp - ok
23:49:51.0875 4008 JavaQuickStarterService (381b25dc8e958d905b33130d500bbf29) C:\Program Files\Java\jre6\bin\jqs.exe
23:49:51.0875 4008 JavaQuickStarterService - ok
23:49:51.0890 4008 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
23:49:51.0890 4008 Kbdclass - ok
23:49:51.0937 4008 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
23:49:51.0953 4008 kmixer - ok
23:49:52.0000 4008 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
23:49:52.0000 4008 KSecDD - ok
23:49:52.0062 4008 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
23:49:52.0078 4008 lanmanserver - ok
23:49:52.0125 4008 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
23:49:52.0140 4008 lanmanworkstation - ok
23:49:52.0156 4008 lbrtfdc - ok
23:49:52.0234 4008 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
23:49:52.0234 4008 LmHosts - ok
23:49:52.0296 4008 MBAMProtector (6dfe7f2e8e8a337263aa5c92a215f161) C:\WINDOWS\system32\drivers\mbam.sys
23:49:52.0296 4008 MBAMProtector - ok
23:49:52.0359 4008 MBAMService (43683e970f008c93c9429ef428147a54) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
23:49:52.0375 4008 MBAMService - ok
23:49:52.0437 4008 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
23:49:52.0437 4008 Messenger - ok
23:49:52.0500 4008 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
23:49:52.0500 4008 mnmdd - ok
23:49:52.0546 4008 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\System32\mnmsrvc.exe
23:49:52.0546 4008 mnmsrvc - ok
23:49:52.0593 4008 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
23:49:52.0609 4008 Modem - ok
23:49:52.0640 4008 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
23:49:52.0640 4008 Mouclass - ok
23:49:52.0687 4008 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
23:49:52.0687 4008 mouhid - ok
23:49:52.0718 4008 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
23:49:52.0734 4008 MountMgr - ok
23:49:52.0781 4008 MozillaMaintenance (96aa8ba23142cc8e2b30f3cae0c80254) C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
23:49:52.0796 4008 MozillaMaintenance - ok
23:49:52.0812 4008 mraid35x - ok
23:49:52.0843 4008 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
23:49:52.0859 4008 MRxDAV - ok
23:49:52.0937 4008 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
23:49:52.0953 4008 MRxSmb - ok
23:49:53.0000 4008 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\System32\msdtc.exe
23:49:53.0000 4008 MSDTC - ok
23:49:53.0046 4008 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
23:49:53.0046 4008 Msfs - ok
23:49:53.0062 4008 MSIServer - ok
23:49:53.0109 4008 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
23:49:53.0125 4008 MSKSSRV - ok
23:49:53.0140 4008 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
23:49:53.0140 4008 MSPCLOCK - ok
23:49:53.0156 4008 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
23:49:53.0171 4008 MSPQM - ok
23:49:53.0187 4008 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
23:49:53.0187 4008 mssmbios - ok
23:49:53.0234 4008 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
23:49:53.0250 4008 Mup - ok
23:49:53.0312 4008 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
23:49:53.0328 4008 napagent - ok
23:49:53.0390 4008 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
23:49:53.0390 4008 NDIS - ok
23:49:53.0453 4008 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
23:49:53.0453 4008 NdisTapi - ok
23:49:53.0468 4008 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
23:49:53.0468 4008 Ndisuio - ok
23:49:53.0515 4008 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
23:49:53.0515 4008 NdisWan - ok
23:49:53.0578 4008 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
23:49:53.0578 4008 NDProxy - ok
23:49:53.0609 4008 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
23:49:53.0609 4008 NetBIOS - ok
23:49:53.0640 4008 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
23:49:53.0656 4008 NetBT - ok
23:49:53.0734 4008 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
23:49:53.0734 4008 NetDDE - ok
23:49:53.0750 4008 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
23:49:53.0765 4008 NetDDEdsdm - ok
23:49:53.0796 4008 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\System32\lsass.exe
23:49:53.0796 4008 Netlogon - ok
23:49:53.0843 4008 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
23:49:53.0843 4008 Netman - ok
23:49:53.0968 4008 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
23:49:53.0968 4008 NetTcpPortSharing - ok
23:49:54.0031 4008 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
23:49:54.0046 4008 Nla - ok
23:49:54.0156 4008 NMSSvc (717c9d23a20492b6c7870e2b2d9d30cb) C:\WINDOWS\System32\NMSSvc.exe
23:49:54.0187 4008 NMSSvc - ok
23:49:54.0265 4008 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
23:49:54.0281 4008 Npfs - ok
23:49:54.0328 4008 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
23:49:54.0343 4008 Ntfs - ok
23:49:54.0406 4008 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\System32\lsass.exe
23:49:54.0406 4008 NtLmSsp - ok
23:49:54.0500 4008 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
23:49:54.0515 4008 NtmsSvc - ok
23:49:54.0562 4008 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
23:49:54.0562 4008 Null - ok
23:49:54.0609 4008 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
23:49:54.0609 4008 NwlnkFlt - ok
23:49:54.0640 4008 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
23:49:54.0640 4008 NwlnkFwd - ok
23:49:54.0687 4008 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
23:49:54.0703 4008 Parport - ok
23:49:54.0734 4008 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
23:49:54.0734 4008 PartMgr - ok
23:49:54.0812 4008 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
23:49:54.0812 4008 ParVdm - ok
23:49:54.0859 4008 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
23:49:54.0875 4008 PCI - ok
23:49:54.0890 4008 PCIDump - ok
23:49:54.0937 4008 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
23:49:54.0937 4008 PCIIde - ok
23:49:54.0968 4008 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
23:49:54.0968 4008 Pcmcia - ok
23:49:55.0000 4008 PDCOMP - ok
23:49:55.0015 4008 PDFRAME - ok
23:49:55.0046 4008 PDRELI - ok
23:49:55.0062 4008 PDRFRAME - ok
23:49:55.0093 4008 perc2 - ok
23:49:55.0109 4008 perc2hib - ok
23:49:55.0203 4008 pfc (5903fa75200807ad739286bbf40c4904) C:\WINDOWS\system32\drivers\pfc.sys
23:49:55.0203 4008 pfc - ok
23:49:55.0265 4008 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
23:49:55.0265 4008 PlugPlay - ok
23:49:55.0328 4008 PMEM (fa292805788528c083f416e151b60ab6) C:\WINDOWS\system32\drivers\PMEMNT.SYS
23:49:55.0328 4008 PMEM - ok
23:49:55.0343 4008 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\System32\lsass.exe
23:49:55.0343 4008 PolicyAgent - ok
23:49:55.0406 4008 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
23:49:55.0406 4008 PptpMiniport - ok
23:49:55.0437 4008 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
23:49:55.0437 4008 Processor - ok
23:49:55.0453 4008 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
23:49:55.0468 4008 ProtectedStorage - ok
23:49:55.0500 4008 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
23:49:55.0500 4008 PSched - ok
23:49:55.0546 4008 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
23:49:55.0546 4008 Ptilink - ok
23:49:55.0609 4008 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
23:49:55.0609 4008 PxHelp20 - ok
23:49:55.0625 4008 ql1080 - ok
23:49:55.0656 4008 Ql10wnt - ok
23:49:55.0671 4008 ql12160 - ok
23:49:55.0703 4008 ql1240 - ok
23:49:55.0734 4008 ql1280 - ok
23:49:55.0750 4008 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
23:49:55.0750 4008 RasAcd - ok
23:49:55.0812 4008 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
23:49:55.0828 4008 RasAuto - ok
23:49:55.0843 4008 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
23:49:55.0859 4008 Rasl2tp - ok
23:49:55.0906 4008 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
23:49:55.0921 4008 RasMan - ok
23:49:55.0953 4008 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
23:49:55.0953 4008 RasPppoe - ok
23:49:55.0984 4008 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
23:49:55.0984 4008 Raspti - ok
23:49:56.0031 4008 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
23:49:56.0031 4008 Rdbss - ok
23:49:56.0046 4008 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
23:49:56.0062 4008 RDPCDD - ok
23:49:56.0109 4008 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
23:49:56.0125 4008 rdpdr - ok
23:49:56.0187 4008 RDPWD (6589db6e5969f8eee594cf71171c5028) C:\WINDOWS\system32\drivers\RDPWD.sys
23:49:56.0187 4008 RDPWD - ok
23:49:56.0250 4008 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
23:49:56.0265 4008 RDSessMgr - ok
23:49:56.0296 4008 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
23:49:56.0296 4008 redbook - ok
23:49:56.0359 4008 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
23:49:56.0375 4008 RemoteAccess - ok
23:49:56.0421 4008 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
23:49:56.0437 4008 RemoteRegistry - ok
23:49:56.0500 4008 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\System32\locator.exe
23:49:56.0515 4008 RpcLocator - ok
23:49:56.0578 4008 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
23:49:56.0578 4008 RpcSs - ok
23:49:56.0640 4008 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\System32\rsvp.exe
23:49:56.0656 4008 RSVP - ok
23:49:56.0703 4008 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
23:49:56.0718 4008 SamSs - ok
23:49:56.0781 4008 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
23:49:56.0781 4008 SCardSvr - ok
23:49:56.0843 4008 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
23:49:56.0859 4008 Schedule - ok
23:49:56.0906 4008 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
23:49:56.0906 4008 Secdrv - ok
23:49:56.0968 4008 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
23:49:56.0968 4008 seclogon - ok
23:49:57.0000 4008 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
23:49:57.0000 4008 SENS - ok
23:49:57.0062 4008 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
23:49:57.0062 4008 serenum - ok
23:49:57.0109 4008 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
23:49:57.0109 4008 Serial - ok
23:49:57.0156 4008 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
23:49:57.0156 4008 Sfloppy - ok
23:49:57.0234 4008 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
23:49:57.0234 4008 ShellHWDetection - ok
23:49:57.0250 4008 Simbad - ok
23:49:57.0343 4008 smwdm (b911c822922cf62df83ad36d5c9775cc) C:\WINDOWS\system32\drivers\smwdm.sys
23:49:57.0359 4008 smwdm - ok
23:49:57.0390 4008 Sparrow - ok
23:49:57.0437 4008 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
23:49:57.0437 4008 splitter - ok
23:49:57.0500 4008 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
23:49:57.0500 4008 Spooler - ok
23:49:57.0515 4008 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
23:49:57.0531 4008 sr - ok
23:49:57.0578 4008 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\System32\srsvc.dll
23:49:57.0593 4008 srservice - ok
23:49:57.0656 4008 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
23:49:57.0671 4008 Srv - ok
23:49:57.0734 4008 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
23:49:57.0734 4008 SSDPSRV - ok
23:49:57.0796 4008 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
23:49:57.0812 4008 stisvc - ok
23:49:57.0875 4008 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
23:49:57.0875 4008 swenum - ok
23:49:57.0906 4008 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
23:49:57.0906 4008 swmidi - ok
23:49:57.0937 4008 SwPrv - ok
23:49:58.0375 4008 Symantec Core LC (c1c706751f0499747da9442c2679a0b7) C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
23:49:58.0437 4008 Symantec Core LC - ok
23:49:58.0453 4008 symc810 - ok
23:49:58.0484 4008 symc8xx - ok
23:49:58.0531 4008 symlcbrd (b226f8a4d780acdf76145b58bb791d5b) C:\WINDOWS\System32\drivers\symlcbrd.sys
23:49:58.0531 4008 symlcbrd - ok
23:49:58.0562 4008 sym_hi - ok
23:49:58.0578 4008 sym_u3 - ok
23:49:58.0625 4008 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
23:49:58.0625 4008 sysaudio - ok
23:49:58.0687 4008 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
23:49:58.0687 4008 SysmonLog - ok
23:49:58.0750 4008 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
23:49:58.0750 4008 TapiSrv - ok
23:49:58.0828 4008 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
23:49:58.0843 4008 Tcpip - ok
23:49:58.0890 4008 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
23:49:58.0890 4008 TDPIPE - ok
23:49:58.0921 4008 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
23:49:58.0937 4008 TDTCP - ok
23:49:58.0953 4008 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
23:49:58.0968 4008 TermDD - ok
23:49:59.0046 4008 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
23:49:59.0046 4008 TermService - ok
23:49:59.0109 4008 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
23:49:59.0125 4008 Themes - ok
23:49:59.0187 4008 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\System32\tlntsvr.exe
23:49:59.0187 4008 TlntSvr - ok
23:49:59.0203 4008 TosIde - ok
23:49:59.0265 4008 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
23:49:59.0281 4008 TrkWks - ok
23:49:59.0343 4008 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
23:49:59.0343 4008 Udfs - ok
23:49:59.0375 4008 ultra - ok
23:49:59.0437 4008 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
23:49:59.0453 4008 Update - ok
23:49:59.0500 4008 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
23:49:59.0515 4008 upnphost - ok
23:49:59.0531 4008 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
23:49:59.0546 4008 UPS - ok
23:49:59.0578 4008 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
23:49:59.0578 4008 usbehci - ok
23:49:59.0640 4008 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
23:49:59.0656 4008 usbhub - ok
23:49:59.0703 4008 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
23:49:59.0703 4008 usbprint - ok
23:49:59.0734 4008 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
23:49:59.0734 4008 USBSTOR - ok
23:49:59.0796 4008 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
23:49:59.0796 4008 usbuhci - ok
23:49:59.0828 4008 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
23:49:59.0828 4008 VgaSave - ok
23:49:59.0843 4008 ViaIde - ok
23:49:59.0906 4008 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
23:49:59.0906 4008 VolSnap - ok
23:49:59.0968 4008 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
23:49:59.0984 4008 VSS - ok
23:50:00.0046 4008 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\System32\w32time.dll
23:50:00.0046 4008 W32Time - ok
23:50:00.0109 4008 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
23:50:00.0109 4008 Wanarp - ok
23:50:00.0140 4008 WDICA - ok
23:50:00.0171 4008 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
23:50:00.0171 4008 wdmaud - ok
23:50:00.0218 4008 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
23:50:00.0234 4008 WebClient - ok
23:50:00.0343 4008 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
23:50:00.0343 4008 winmgmt - ok
23:50:00.0437 4008 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
23:50:00.0437 4008 WmdmPmSN - ok
23:50:00.0515 4008 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
23:50:00.0531 4008 Wmi - ok
23:50:00.0609 4008 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\System32\wbem\wmiapsrv.exe
23:50:00.0609 4008 WmiApSrv - ok
23:50:00.0765 4008 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
23:50:00.0843 4008 WMPNetworkSvc - ok
23:50:00.0937 4008 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
23:50:00.0937 4008 WS2IFSL - ok
23:50:01.0000 4008 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
23:50:01.0000 4008 WudfPf - ok
23:50:01.0031 4008 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
23:50:01.0046 4008 WudfRd - ok
23:50:01.0109 4008 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
23:50:01.0140 4008 WudfSvc - ok
23:50:01.0187 4008 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
23:50:01.0218 4008 WZCSVC - ok
23:50:01.0281 4008 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
23:50:01.0296 4008 xmlprov - ok
23:50:01.0359 4008 {6080A529-897E-4629-A488-ABA0C29B635E} (e26e22b0c2897add352feaa21ae653f5) C:\WINDOWS\system32\drivers\ialmsbw.sys
23:50:01.0375 4008 {6080A529-897E-4629-A488-ABA0C29B635E} - ok
23:50:01.0390 4008 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (c40ab11f98045f2df88ca72f07917dab) C:\WINDOWS\system32\drivers\ialmkchw.sys
23:50:01.0406 4008 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} - ok
23:50:01.0437 4008 MBR (0x1B8) (ab67d479e4ee1ccad757294b60ddb98f) \Device\Harddisk0\DR0
23:50:02.0078 4008 \Device\Harddisk0\DR0 - ok
23:50:02.0093 4008 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR3
23:50:07.0406 4008 \Device\Harddisk1\DR3 - ok
23:50:07.0437 4008 Boot (0x1200) (3b32c13cb305934b6e80cd4381375b9f) \Device\Harddisk0\DR0\Partition0
23:50:07.0437 4008 \Device\Harddisk0\DR0\Partition0 - ok
23:50:07.0468 4008 Boot (0x1200) (c769388c870bc924ccc1a27a5718f4fe) \Device\Harddisk1\DR3\Partition0
23:50:07.0468 4008 \Device\Harddisk1\DR3\Partition0 - ok
23:50:07.0468 4008 ============================================================
23:50:07.0468 4008 Scan finished
23:50:07.0468 4008 ============================================================
23:50:07.0500 4000 Detected object count: 0
23:50:07.0500 4000 Actual detected object count: 0
23:51:44.0250 2796 Deinitialize success

#6 k-blur

k-blur
  • Topic Starter
  • Members
  • 18 posts

Posted 28 July 2012 - 11:22 AM

Here's the aswMBR log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-28 10:59:07
-----------------------------
10:59:07.250 OS Version: Windows 5.1.2600 Service Pack 3
10:59:07.250 Number of processors: 1 586 0x207
10:59:07.282 ComputerName: IBM-P4 UserName:
10:59:09.532 Initialize success
11:11:32.032 AVAST engine defs: 12072701
11:12:34.391 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:12:34.391 Disk 0 Vendor: IC35L040AVVN07-0 VA2OAF1A Size: 38162MB BusType: 3
11:12:34.407 Disk 0 MBR read successfully
11:12:34.407 Disk 0 MBR scan
11:12:34.547 Disk 0 unknown MBR code
11:12:34.563 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 36452 MB offset 63
11:12:34.594 Disk 0 Partition 2 00 1C Hidd FAT32 LBA MSWIN4.1 1710 MB offset 74654055
11:12:34.610 Disk 0 scanning sectors +78156225
11:12:34.704 Disk 0 scanning C:\WINDOWS\system32\drivers
11:12:57.000 Service scanning
11:13:32.188 Modules scanning
11:13:44.797 Scan finished successfully
11:14:33.860 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Walter & Adelphe\Desktop\MBR.dat"
11:14:33.875 The log file has been saved successfully to "C:\Documents and Settings\Walter & Adelphe\Desktop\aswMBR.txt"

Eset Online scan is running - log to follow:

#7 k-blur

k-blur
  • Topic Starter
  • Members
  • 18 posts

Posted 28 July 2012 - 12:31 PM

Here's the Eset Online scan results:

C:\Documents and Settings\Walter & Adelphe\Local Settings\Application Data\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\n a variant of Win32/Kryptik.AILC trojan
C:\Documents and Settings\Walter & Adelphe\Local Settings\Application Data\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\U\00000004.@ Win32/Conedex.D trojan
C:\Documents and Settings\Walter & Adelphe\Local Settings\Application Data\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\U\80000000.@ a variant of Win32/Sirefef.FA trojan
C:\Documents and Settings\Walter & Adelphe\Local Settings\Application Data\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\U\80000032.@ a variant of Win32/Sirefef.FD trojan
C:\WINDOWS\Installer\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\U\80000000.@ a variant of Win32/Sirefef.FA trojan
C:\WINDOWS\Installer\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\U\80000032.@ a variant of Win32/Sirefef.FD trojan
Operating memory a variant of Win32/Sirefef.FA trojan

#8 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 28 July 2012 - 12:48 PM

Download

http://www.techspot.com/downloads/4716-malwarebytes-anti-malware.html

Install, update and run a full scan

Click on SHOW results. Select all infections and remove them

Reboot the PC and scan MBAM once in regular mode until you get a clean log

Download

mini toolbox

Checkmark following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size

Click Go and post the result.

Download

FSS

Checkmark all the boxes

Click on "Scan".
Please copy and paste the log to your reply.


Download

adware cleaner

Launch it, click on Delete

Post the generated log

Open your C drive

On top, click on Tools - Folder Options

Click on View tab and scroll down

Check mark Show hidden files
Uncheck Hide operating system files


Click OK, now go to

C:\Documents and Settings\Walter & Adelphe\Local Settings\Application Data\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}
C:\WINDOWS\Installer\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}

Delete the folders

Edited by narenxp, 28 July 2012 - 12:48 PM.
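The scan results in post #7 and the two folders narenxp points to in post #8 are the same thing seen from two sides: every file detection sits under one GUID-named directory, once under the user's Local Settings\Application Data and once under C:\WINDOWS\Installer. The following Python script is an added example, not part of this thread and not code from ESET, Malwarebytes or any other tool mentioned here. It parses detection lines in the shape the ESET Online Scanner output above takes ("<path> <verdict>"), groups them by the directory they share and by malware family, and lists the GUID directories as cleanup targets. The sample input is the lines from post #7 reproduced as constructed test data; the regular expressions, the list of platform prefixes and the function names are my own assumptions about the format.

```python
import re
from collections import Counter

# Constructed sample input: the detection lines posted in post #7 of the
# thread, reproduced here as test data. The last line is ESET's in-memory
# detection, which carries no file path at all.
SAMPLE_RESULTS = r"""
C:\Documents and Settings\Walter & Adelphe\Local Settings\Application Data\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\n a variant of Win32/Kryptik.AILC trojan
C:\Documents and Settings\Walter & Adelphe\Local Settings\Application Data\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\U\00000004.@ Win32/Conedex.D trojan
C:\Documents and Settings\Walter & Adelphe\Local Settings\Application Data\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\U\80000000.@ a variant of Win32/Sirefef.FA trojan
C:\Documents and Settings\Walter & Adelphe\Local Settings\Application Data\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\U\80000032.@ a variant of Win32/Sirefef.FD trojan
C:\WINDOWS\Installer\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\U\80000000.@ a variant of Win32/Sirefef.FA trojan
C:\WINDOWS\Installer\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\U\80000032.@ a variant of Win32/Sirefef.FD trojan
Operating memory a variant of Win32/Sirefef.FA trojan
"""

# A line is "<path> <verdict>". The path may contain spaces ("Documents and
# Settings", "Walter & Adelphe"), so the verdict is recognised by ESET's
# "<platform>/<family>" naming instead of splitting on whitespace.
# Assumption: these are the platform prefixes that can appear.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<verdict>(?:a variant of )?(?:Win32|Win64|MSIL|JS|HTML|VBS|Java)/\S+(?:\s+\S+)*)$"
)

# In this thread every file detection sits under a directory named after a
# GUID; everything up to and including that component is the cleanup unit.
GUID_DIR_RE = re.compile(
    r"^(?P<root>.*?\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})",
    re.IGNORECASE,
)


def parse_line(line):
    """Split one result line into path, family, detection kind and variant flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    verdict = m.group("verdict")
    variant = verdict.startswith("a variant of ")
    if variant:
        verdict = verdict[len("a variant of "):]
    family, _, kind = verdict.partition(" ")
    return {"path": m.group("path"), "family": family, "kind": kind, "variant": variant}


def container(path):
    """Directory to treat as the unit of cleanup for this detection."""
    m = GUID_DIR_RE.match(path)
    if m:
        return m.group("root")
    if re.match(r"^[A-Za-z]:\\", path):
        return path.rsplit("\\", 1)[0]
    return path  # not a filesystem path, e.g. "Operating memory"


def summarize(text):
    """Count detections per container directory and per malware family."""
    by_container, by_family = Counter(), Counter()
    for line in text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        by_container[container(hit["path"])] += 1
        by_family[hit["family"]] += 1
    return by_container, by_family


def cleanup_targets(by_container):
    """GUID-named directories holding detections, most detections first."""
    return [c for c, _ in by_container.most_common() if GUID_DIR_RE.match(c)]


if __name__ == "__main__":
    containers, families = summarize(SAMPLE_RESULTS)
    for family, n in families.most_common():
        print(f"{n:2d}  {family}")
    print("directories holding the detected components:")
    for d in cleanup_targets(containers):
        print(f"  {d}  ({containers[d]} detections)")
```

Run against the sample it reports the Local Settings\Application Data GUID directory with four detections and the C:\WINDOWS\Installer copy with two, which is exactly the pair of folders post #8 tells the user to delete once the scanners have done their work; the in-memory hit is kept in its own bucket so it is not mistaken for a file that can be removed.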


#9 k-blur

k-blur
  • Topic Starter
  • Members
  • 18 posts

Posted 28 July 2012 - 08:10 PM

MBAM was already installed. It updated OK but the machine then froze. I have rebooted several times - get to the normal desktop and can move the mouse cursor, but no response to left or right clicks on anything. Machine boots OK into Safe Mode and MBAM is now scanning in Safe Mode, 3 objects detected so far. I'll update when I get to the next stage.

#10 k-blur

k-blur
  • Topic Starter
  • Members
  • 18 posts

Posted 29 July 2012 - 03:13 AM

OK - results from the last set of instructions:

##################

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.28.07

Windows XP Service Pack 3 x86 NTFS (Safe Mode)
Internet Explorer 7.0.5730.13
Walter & Adelphe :: IBM-P4 [administrator]

Protection: Disabled

29/07/2012 8:55:25 AM
mbam-log-2012-07-29 (08-55-25).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 290184
Time elapsed: 1 hour(s), 22 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Documents and Settings\Walter & Adelphe\Local Settings\Application Data\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\n. -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32| (Trojan.Zaccess) -> Bad: (\\.\globalroot\systemroot\Installer\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\n.) Good: (wbemess.dll) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 7
C:\Documents and Settings\Walter & Adelphe\Local Settings\Application Data\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\n (Trojan.Agent.BVXGen) -> Delete on reboot.
C:\Documents and Settings\Walter & Adelphe\Local Settings\Application Data\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\U\00000004.@ (Rootkit.Zaccess) -> Quarantined and deleted successfully.
C:\Documents and Settings\Walter & Adelphe\Local Settings\Application Data\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B00B8C3F-C348-4603-BA4C-D699359DC347}\RP1587\A0190966.ini (Trojan.0access) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\U\80000000.@ (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\U\80000032.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)

###### Followed by a rescan in normal mode - clean log file

MiniToolBox by Farbar Version: 23-07-2012
Ran by Walter & Adelphe (administrator) on 29-07-2012 at 15:37:27
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================


127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com

There are 14938 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

Intel® PRO/100 VE Network Connection = Local Area Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=static addr=203.21.20.20 register=PRIMARY
add dns name="Local Area Connection" addr=203.10.1.9 index=2
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : IBM-P4

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : home



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . : home

Description . . . . . . . . . . . : Intel® PRO/100 VE Network Connection

Physical Address. . . . . . . . . : 00-09-6B-35-43-2B

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.11

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 203.21.20.20

203.10.1.9

Lease Obtained. . . . . . . . . . : Sunday, 29 July 2012 3:37:02 PM

Lease Expires . . . . . . . . . . : Monday, 30 July 2012 3:37:02 PM

Server: dnscache02.westnet.com.au
Address: 203.10.1.9

Name: google.com
Addresses: 203.59.140.146, 203.59.140.149, 203.59.140.153, 203.59.140.167
203.59.140.170, 203.59.140.160, 203.59.140.156, 203.59.140.184, 203.59.140.177
203.59.140.181, 203.59.140.163, 203.59.140.174



Pinging google.com [203.59.140.184] with 32 bytes of data:



Reply from 203.59.140.184: bytes=32 time=17ms TTL=60

Reply from 203.59.140.184: bytes=32 time=15ms TTL=60



Ping statistics for 203.59.140.184:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 15ms, Maximum = 17ms, Average = 16ms

Server: dnscache01.westnet.com.au
Address: 203.21.20.20

Name: yahoo.com
Addresses: 98.139.183.24, 209.191.122.70, 72.30.38.140



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:



Reply from 209.191.122.70: bytes=32 time=712ms TTL=51

Reply from 209.191.122.70: bytes=32 time=423ms TTL=51



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 423ms, Maximum = 712ms, Average = 567ms

Server: dnscache01.westnet.com.au
Address: 203.21.20.20

Name: bleepingcomputer.com
Address: 208.43.87.2



Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:



Reply from 208.43.87.2: Destination host unreachable.

Reply from 208.43.87.2: Destination host unreachable.



Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 09 6b 35 43 2b ...... Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.11 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.11 192.168.1.11 20
192.168.1.11 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.11 192.168.1.11 20
224.0.0.0 240.0.0.0 192.168.1.11 192.168.1.11 20
255.255.255.255 255.255.255.255 192.168.1.11 192.168.1.11 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"

Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 mswsock.dll [File Not found] ()
ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"

Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
Catalog9 11 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/29/2012 03:36:36 PM) (Source: Application Hang) (User: )
Description: Hanging application MiniToolBox.exe, version 3.3.8.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (07/29/2012 08:54:35 AM) (Source: WinMgmt) (User: )
Description: WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (07/29/2012 08:22:44 AM) (Source: Application Hang) (User: )
Description: Hanging application mbam.exe, version 1.62.0.87, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (07/28/2012 11:44:58 PM) (Source: WinMgmt) (User: )
Description: WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (07/28/2012 11:56:34 AM) (Source: WinMgmt) (User: )
Description: WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (07/28/2012 11:28:04 AM) (Source: WinMgmt) (User: )
Description: WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (07/28/2012 11:24:44 AM) (Source: WinMgmt) (User: )
Description: WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (07/28/2012 11:17:54 AM) (Source: WinMgmt) (User: )
Description: WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (07/25/2012 04:22:19 PM) (Source: WinMgmt) (User: )
Description: WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (07/23/2012 04:45:37 PM) (Source: WinMgmt) (User: )
Description: WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.


System errors:
=============
Error: (07/29/2012 10:23:09 AM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (07/29/2012 10:21:41 AM) (Source: 0) (User: )
Description: 0xC0000001HarddiskVolume1

Error: (07/29/2012 10:20:51 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (07/29/2012 08:54:49 AM) (Source: DCOM) (User: IBM-P4)
Description: DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error: (07/29/2012 08:54:48 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (07/29/2012 08:32:34 AM) (Source: DCOM) (User: IBM-P4)
Description: The server {BA126AE5-2166-11D1-B1D0-00805FC1270E} did not register with DCOM within the required timeout.

Error: (07/28/2012 11:57:56 AM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/28/2012 11:57:48 AM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/28/2012 11:57:41 AM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/28/2012 11:57:34 AM) (Source: 0) (User: )
Description: \Device\CdRom0


Microsoft Office Sessions:
=========================
Error: (07/29/2012 03:36:36 PM) (Source: Application Hang)(User: )
Description: MiniToolBox.exe3.3.8.1hungapp0.0.0.000000000

Error: (07/29/2012 08:54:35 AM) (Source: WinMgmt)(User: )
Description:

Error: (07/29/2012 08:22:44 AM) (Source: Application Hang)(User: )
Description: mbam.exe1.62.0.87hungapp0.0.0.000000000

Error: (07/28/2012 11:44:58 PM) (Source: WinMgmt)(User: )
Description:

Error: (07/28/2012 11:56:34 AM) (Source: WinMgmt)(User: )
Description:

Error: (07/28/2012 11:28:04 AM) (Source: WinMgmt)(User: )
Description:

Error: (07/28/2012 11:24:44 AM) (Source: WinMgmt)(User: )
Description:

Error: (07/28/2012 11:17:54 AM) (Source: WinMgmt)(User: )
Description:

Error: (07/25/2012 04:22:19 PM) (Source: WinMgmt)(User: )
Description:

Error: (07/23/2012 04:45:37 PM) (Source: WinMgmt)(User: )
Description:


=========================== Installed Programs ============================

7-Zip 4.42
Access IBM (Version: 3.5)
Ad-Aware SE Personal (Version: 1.06)
Adobe Acrobat 5.0 (Version: 5.0)
Adobe Flash Player 10 ActiveX (Version: 10.1.85.3)
Adobe Flash Player 10 Plugin (Version: 10.0.45.2)
Adobe Reader 8.1.6 (Version: 8.1.6)
ALOT Toolbar
Apple Software Update (Version: 2.1.1.116)
Britannica 2001 Standard Edition CD-ROM
Canon iP3300
Canon Setup Utility 2.3
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
CCleaner (Version: 3.20)
Critical Update for Windows Media Player 11 (KB959772)
Easy-WebPrint
ESET NOD32 Antivirus (Version: 5.2.9.1)
ESET Online Scanner v3
Google Chrome (Version: 20.0.1132.57)
Google Desktop (Version: 5.9.1005.12335)
Google Earth (Version: 6.1.0.5001)
Google Pack Screensaver (Version: 1.0)
Google Toolbar for Firefox (Version: 7.1.20110512)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.3.2710.138)
Google Update Helper (Version: 1.3.21.115)
Google Updater (Version: 2.4.1536.6592)
IBM Access Support
IBM Update Connector (Version: 5.00)
Image Web Server IE Plugins 1,7,1,43
Intel® 845G Chipset Graphics Driver Software
Intel® PRO Ethernet Adapter and Software
Intel® PROSet II (Version: 2.10.0061)
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 29 (Version: 6.0.290)
Malwarebytes Anti-Malware version 1.62.0.1300 (Version: 1.62.0.1300)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Encarta Interactive World Atlas 2000
Microsoft Home Publishing 2000 (Version: 4.0.0000)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2003 (Version: 11.0.6458.0)
Microsoft Picture It! Express 2000 (Version: 4.0.0.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Word 2000 (Version: 9.00.2720)
Microsoft Works 2000 (Version: 1.0.0.0000)
Microsoft Works 2000 Setup Launcher
Mozilla Firefox 12.0 (x86 en-GB) (Version: 12.0)
Mozilla Maintenance Service (Version: 12.0)
Outlook Express Backup Genie v2.0
PhotoMail Maker (Version: 1.0.0.1040)
Picasa 3 (Version: 3.8)
QuickTime (Version: 7.4.5.67)
SoundMAX
Support.com Software
Symantec KB-DocID:2003093015493306 (Version: 1.0.0.1)
Uninstall PC-Doctor
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Windows Internet Explorer 7 (KB976749) (Version: 1)
Update for Windows Internet Explorer 7 (KB980182) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
Vol 1 Wildflowers of Western Australia Screen Saver
Vol 2 Wildflowers of Western Australia Screen Saver
Vol 3 Wildflowers of Western Australia Screen Saver
WebFldrs XP (Version: 9.50.5318)
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray (Version: 1.0)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Media Format 11 runtime
Windows XP Service Pack 3 (Version: 20080414.031525)
Word in Works Suite add-in (Version: 1.0.0.0000)

========================= Memory info: ===================================

Percentage of memory in use: 45%
Total physical RAM: 1277.98 MB
Available physical RAM: 694.25 MB
Total Pagefile: 1517.05 MB
Available Pagefile: 1126.38 MB
Total Virtual: 2047.88 MB
Available Virtual: 1976.61 MB

========================= Partitions: =====================================

2 Drive c: (IBM_PRELOAD) (Fixed) (Total:35.6 GB) (Free:15.16 GB) NTFS
3 Drive d: (BartPE) (CDROM) (Total:0.15 GB) (Free:0 GB) CDFS

========================= Users: ========================================

User accounts for \\IBM-P4

Administrator Guest HelpAssistant
SUPPORT_388945a0 Walter & Adelphe


**** End of log ****

##########

Farbar Service Scanner Version: 26-07-2012
Ran by Walter & Adelphe (administrator) on 29-07-2012 at 15:46:15
Running from "C:\Documents and Settings\Walter & Adelphe\Desktop\Farbar Service Scanner"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open sharedaccess registry key. The service key does not exist.


Firewall Disabled Policy:
==================
ATTENTION!=====> Unable to open HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile. The key does not exist.
ATTENTION!=====> Unable to open HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile. The key does not exist.


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
epfwtdir(8) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000005000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****

############

# AdwCleaner v1.703 - Logfile created 07/29/2012 at 15:47:17
# Updated 20/07/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Walter & Adelphe - IBM-P4
# Running from : C:\Documents and Settings\Walter & Adelphe\Desktop\Adware Scanner\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Documents and Settings\Walter & Adelphe\Application Data\Mozilla\Firefox\Profiles\d62d38cu.default\searchplugins\MyStart Search.xml

***** [Registry] *****

Key Deleted : HKCU\Software\alot
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\alotToolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\alotToolbar

***** [Registre - GUID] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A3F2A195-0D11-463b-96BB-D2FF1B7490A1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{ECD0ECC6-DCA4-4013-A915-12355AB70999}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}

***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.5730.13

[OK] Registry is clean.

-\\ Mozilla Firefox v12.0 (en-GB)

Profile name : default
File : C:\Documents and Settings\Walter & Adelphe\Application Data\Mozilla\Firefox\Profiles\d62d38cu.default\prefs.js

Deleted : user_pref("browser.search.defaultenginename", "MyStart Search");

*************************

AdwCleaner[S1].txt - [1476 octets] - [29/07/2012 15:47:17]

########## EOF - C:\AdwCleaner[S1].txt - [1604 octets] ##########

Directories deleted as per instructions.

############

Further information - the reboot after the Adware Cleaner scan produced the normal desktop but locked up and was unresponsive to mouse clicks.

A hard reset with the LAN cable disconnected produced a very slow, but normal boot, with a responsive desktop. I was then able to copy the logs above.

I could try a few more reboots to be sure but I have the impression that booting with the LAN cable plugged in causes a lockup, and with the LAN cable disconnected produces a normal boot.

Let me know if this is a good idea and I'll post back with the results...

#11 k-blur

k-blur
  • Topic Starter

  • Members
  • 18 posts
  • Local time:03:59 PM

Posted 29 July 2012 - 03:13 AM

OK - results from the last set of instructions:

##################

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.28.07

Windows XP Service Pack 3 x86 NTFS (Safe Mode)
Internet Explorer 7.0.5730.13
Walter & Adelphe :: IBM-P4 [administrator]

Protection: Disabled

29/07/2012 8:55:25 AM
mbam-log-2012-07-29 (08-55-25).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 290184
Time elapsed: 1 hour(s), 22 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Documents and Settings\Walter & Adelphe\Local Settings\Application Data\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\n. -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32| (Trojan.Zaccess) -> Bad: (\\.\globalroot\systemroot\Installer\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\n.) Good: (wbemess.dll) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 7
C:\Documents and Settings\Walter & Adelphe\Local Settings\Application Data\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\n (Trojan.Agent.BVXGen) -> Delete on reboot.
C:\Documents and Settings\Walter & Adelphe\Local Settings\Application Data\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\U\00000004.@ (Rootkit.Zaccess) -> Quarantined and deleted successfully.
C:\Documents and Settings\Walter & Adelphe\Local Settings\Application Data\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B00B8C3F-C348-4603-BA4C-D699359DC347}\RP1587\A0190966.ini (Trojan.0access) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\U\80000000.@ (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}\U\80000032.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)

###### Followed by a rescan in normal mode - clean log file


#12 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India
  • Local time:02:59 AM

Posted 29 July 2012 - 05:54 AM

Did you delete the folders?

Open your C drive

On top, click on Tools - Folder Options

Click on View tab and scroll down

Check mark Show hidden files
Uncheck Hide operating system files


Click OK, now go to

C:\Documents and Settings\Walter & Adelphe\Local Settings\Application Data\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}
C:\WINDOWS\Installer\{d80a9c1a-cc9e-79eb-cf67-3d54cecaf254}

Delete the folders


Download

BITS
wuauserv
Sharedaccess
wscsvc

Launch the keys, click YES

Restart the PC, post the new FSS log
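As an added example (not code from the thread, from Farbar or from BleepingComputer), the "new FSS log" asked for here can be triaged programmatically: a small Python parser that reads Farbar Service Scanner text, records per service whether the tool flagged a missing registry key, and lists which of the four targeted services (BITS, wuauserv, sharedaccess, wscsvc) still need attention. The log excerpts are constructed from the FSS output posted earlier in the thread; the "Service is running." and "... service is OK." line shapes in the repaired sample are assumptions about healthy FSS output.

```python
import re
# Constructed excerpt in Farbar Service Scanner (FSS) format, modelled on the
# log posted in this thread; sample text embedded here, not a file that is read.
DAMAGED_FSS_LOG = """\
Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open sharedaccess registry key. The service key does not exist.

Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

File Check:
========
C:\\WINDOWS\\system32\\svchost.exe => MD5 is legit
"""

# Constructed "after the .reg fixes" excerpt. The "Service is running." and
# "... service is OK." line shapes are assumptions about healthy FSS output.
REPAIRED_FSS_LOG = """\
Windows Firewall:
=============
sharedaccess Service is running.

Windows Update:
============
wuauserv Service is running.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
"""

# The four services whose registry keys the posted fixes restore.
TARGET_SERVICES = ["BITS", "wuauserv", "sharedaccess", "wscsvc"]

SERVICE_RE = re.compile(r"^(\S+) Service is (running|not running)\b")
ATTENTION_RE = re.compile(r"^Checking (Start type|ImagePath|ServiceDll): ATTENTION!=+> (.*)$")


def parse_fss_log(text):
    """Return {"services": {name: info}, "files": {path: verdict}} from FSS text;
    info carries "running", the flagged "attention" checks and "key_missing"."""
    services, files = {}, {}
    current = None  # service that the following "Checking ..." lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            name, state = m.groups()
            current = services.setdefault(
                name, {"running": state == "running", "attention": []})
            continue
        m = ATTENTION_RE.match(line)
        if m and current is not None:
            current["attention"].append(f"{m.group(1)}: {m.group(2)}")
            continue
        if " => " in line:  # File Check lines: "<path> => MD5 is legit"
            path, verdict = line.split(" => ", 1)
            files[path] = verdict
    for info in services.values():
        # FSS wording for a service key deleted outright, as in this thread's log.
        info["key_missing"] = any(
            "service key does not exist" in a for a in info["attention"])
    return {"services": services, "files": files}


def services_needing_repair(report, wanted):
    """Names from `wanted` that FSS never reported on, or still flagged."""
    return [name for name in wanted
            if report["services"].get(name) is None
            or report["services"][name]["attention"]]


def unverified_files(report):
    """File Check paths whose verdict is anything other than "MD5 is legit"."""
    return [p for p, v in report["files"].items() if v != "MD5 is legit"]


if __name__ == "__main__":
    for label, log in (("before fixes", DAMAGED_FSS_LOG), ("after fixes", REPAIRED_FSS_LOG)):
        rep = parse_fss_log(log)
        print(label, "- still needs repair:", services_needing_repair(rep, TARGET_SERVICES))
        print(label, "- files not verified:", unverified_files(rep))
```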

#13 k-blur

k-blur
  • Topic Starter

  • Members
  • 18 posts
  • Local time:03:59 PM

Posted 29 July 2012 - 06:45 AM

Yes, folders deleted - see the line in my last post after the Adware Cleaner log.

########## EOF - C:\AdwCleaner[S1].txt - [1604 octets] ##########

Directories deleted as per instructions.

############


Launched the keys, rebooted - got a prompt to install an Adobe Flash update - I believe this CAN be a ZeroAccess or Sirefef vector so did NOT install it.

Machine has booted to a normal desktop but does not respond to mouse clicks or keyboard inputs and cursor shows as an hourglass if placed over the taskbar. No disk activity.

A hard reset (power off/power on) makes no difference. LAN cable plugged in or not makes no difference (looks like my earlier theory was wrong).

#14 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India
  • Local time:02:59 AM

Posted 29 July 2012 - 06:51 AM

Can you boot into safe mode?

#15 k-blur

k-blur
  • Topic Starter

  • Members
  • 18 posts
  • Local time:03:59 PM

Posted 29 July 2012 - 06:58 AM

I thought of that but decided to run it by you first - trying Safe Mode now.

OK - successfully boots to Safe Mode.

Please let me know what to do next...



