
BSOD, Pure Function Call, Combofix log


  • This topic is locked
17 replies to this topic

#1 D45ist

  • Members
  • 25 posts

Posted 21 August 2012 - 09:02 PM

Computer slow (10 minute response to a click sometimes), Error Msgs, BSOD, Pure Function Call, Combofix log

Ran Combo after another website suggested it and told me to post it here. Computer seemed better just running Combofix. Appreciated!

Dell XP Home SP3 (No new hard or software prior to problem)
Events – in chronological order

Suddenly slow, frequent low virtual memory msgs, systems sounds, but no other sound, speakers grayed out.
AVG found nothing. Deleted AVG, installed MSE
MSE found and removed Trojan. Additional scans clean. Speakers back for a day, then...
Error Msg – No Virtual Memory
Error Msg - Win Logon
Did System Restore, everything ok for a day, then slow, hung up, etc
Ran chkdsk c:/r followed by chkdsk c: f/r/ (both suggested by a questionable friend)
Computer worked, but very slow at times , then...
BSOD –Stop 7E kdcom.dll
After a big dose of Imodium I tried to reboot in safemode, no go, but last known good config did work
Then Error Msg - Visual C++ Runtime Library
Program c:windows\system32\svchost.exe
R6025, Pure Virtual Function call

Ran Combofix - here is the log

ComboFix 11-03-28.05 - Dell3000 03/29/2011 15:29:24.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.313 [GMT -4:00]
Running from: c:\documents and settings\Dell3000\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.4.inf
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MYWEBSEARCHSERVICE
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-29 )))))))))))))))))))))))))))))))
.
.
2011-03-29 18:58 . 2011-03-29 18:58 -------- d-----w- c:\documents and settings\Dell3000\Local Settings\Application Data\Mozilla
2011-03-29 14:15 . 2011-02-02 22:11 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-03-26 20:12 . 2011-03-26 20:12 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-26 20:11 . 2011-03-26 20:11 -------- d-----w- c:\program files\LittlePPT
2011-03-26 00:29 . 2011-03-26 00:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-25 23:51 . 2011-03-25 23:51 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-02-28 22:41 . 2011-02-28 22:41 -------- d-----w- c:\documents and settings\Dell3000\Application Data\Uniblue
2011-02-28 22:41 . 2011-02-28 22:41 -------- d-----w- c:\program files\Uniblue
2011-02-28 22:41 . 2011-02-28 22:41 -------- d-----w- c:\documents and settings\Dell3000\Local Settings\Application Data\PackageAware
2011-02-28 22:40 . 2011-02-28 22:40 -------- d-----w- c:\documents and settings\Dell3000\Application Data\FCSB000062035
2011-02-28 22:40 . 2011-02-28 22:40 -------- d-----w- c:\program files\Common Files\Oberon Media
2011-02-28 22:40 . 2011-03-26 20:02 -------- d-----w- c:\program files\Oberon Media
2011-02-28 22:40 . 2011-02-28 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Oberon Media
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-10 17:51 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-10 17:51 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-10 18:01 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-10 18:01 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-10 17:51 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-10 17:50 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-10 17:51 1854976 ----a-w- c:\windows\system32\win32k.sys
2011-03-18 17:53 . 2011-03-29 18:57 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-27 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2010-07-27 126976]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-07-27 202256]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
c:\documents and settings\Dell3000\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
S1 khdqqzlq;khdqqzlq;\??\c:\windows\system32\drivers\khdqqzlq.sys --> c:\windows\system32\drivers\khdqqzlq.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/26/2010 11:17 PM 135664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2011-03-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-07-27 03:15]
.
2011-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-27 03:16]
.
2011-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-27 03:16]
.
2011-03-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-695272431-3323927724-207768928-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-695272431-3323927724-207768928-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Dell3000\Application Data\Mozilla\Firefox\Profiles\v4j06pd1.default\
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-29 15:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-695272431-3323927724-207768928-1006\Software\SecuROM\License information*]
"datasecu"=hex:a9,e2,79,34,d8,e1,d0,6e,76,f3,a7,a9,2b,29,9e,5c,69,66,75,ec,3a,
51,82,eb,99,75,74,14,07,11,a6,0d,55,d5,9c,18,6c,fe,e1,65,af,0f,c2,f1,80,51,\
"rkeysecu"=hex:6e,68,ff,d9,dc,cd,fc,9c,a8,70,40,84,0a,35,71,b6
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3088)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-03-29 15:44:56 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-29 19:44
.
Pre-Run: 48,925,908,992 bytes free
Post-Run: 49,157,124,096 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - F5C4D42B0019110E59BFC3FEE7873145

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

Edited by D45ist, 22 August 2012 - 07:31 AM.
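As an added example (not part of this thread, and not code from ComboFix, DDS or BleepingComputer): a small Python triage script that reads log lines in the driver/service format ComboFix prints above (the same `S1 name;display;path [date size]` format DDS uses further down the thread) and flags the things a helper looks at first. The sample lines embedded in it are copied from this post's ComboFix log (the bootkit line and the `S1 khdqqzlq` entry), from a benign `R0 MpFilter` line in the DDS log posted later, and from the DDS rootkit section later in the thread; the vowel-ratio threshold, the severity labels and the finding field names are assumptions of this example, not anything ComboFix or DDS defines.

```python
import re

# Constructed sample input for this example. Lines 1-2 are copied from the ComboFix
# log above, line 3 is a benign entry in the same format, line 4 is the benign R0
# driver line from the DDS log later in the thread, and lines 5-6 are from the DDS
# "ROOTKIT" section further down the thread.
SAMPLE_LOG = r"""
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
S1 khdqqzlq;khdqqzlq;\??\c:\windows\system32\drivers\khdqqzlq.sys --> c:\windows\system32\drivers\khdqqzlq.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/26/2010 11:17 PM 135664]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82CEC4B1]<<
Warning: possible TDL3 rootkit infection !
"""

# ComboFix/DDS service line: <R|S><start type> <name>;<display name>;<image path> [<date size> | ?]
# R = running, S = stopped; start type 0 = boot, 1 = system, 2 = auto, 3 = demand, 4 = disabled.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s+\[(?P<meta>[^\]]*)\]$"
)
BOOTKIT_RE = re.compile(r"Bootkit (?P<family>\S+) was found")
SCANNER_PATTERNS = [
    # a module the MBR detector could not attribute to any driver in the disk I/O chain
    ("disk-hook", re.compile(r">>UNKNOWN \[0x[0-9A-Fa-f]+\]<<")),
    # the detector's own verdict line
    ("scanner-warning", re.compile(r"Warning: possible \S+ rootkit infection")),
]


def parse_service_line(line):
    """Return the fields of a service/driver line as a dict, or None if the line
    is not in that format."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["start"] = int(rec["start"])
    # ComboFix prints [?] when it could not stat the image file.
    rec["file_verified"] = rec["meta"] != "?"
    return rec


def looks_random(name):
    """Heuristic (assumed threshold): an alphabetic name of six or more letters
    with fewer than one vowel in five is unlikely to be a vendor-chosen identifier."""
    core = name.lower()
    if len(core) < 6 or not core.isalpha():
        return False
    vowels = sum(ch in "aeiouy" for ch in core)
    return vowels / len(core) < 0.2


def triage(log_text):
    """Scan log text line by line and return a list of findings. Each finding is a
    dict with the indicator that fired, a severity, a detail string and the line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        bk = BOOTKIT_RE.search(line)
        if bk:
            findings.append({"indicator": "bootkit", "severity": "high",
                             "detail": bk.group("family"), "line": line})
            continue
        hit = next(((tag, p) for tag, p in SCANNER_PATTERNS if p.search(line)), None)
        if hit:
            findings.append({"indicator": hit[0], "severity": "high",
                             "detail": hit[1].search(line).group(0), "line": line})
            continue
        rec = parse_service_line(line)
        if rec is None:
            continue
        reasons = []
        if not rec["file_verified"]:
            reasons.append("image file could not be read (shown as [?])")
        if looks_random(rec["name"]):
            reasons.append("service name looks machine-generated")
        if not reasons:
            continue
        # Both signals together on an early-start kernel driver is the strong case;
        # either one alone is worth a look but is often benign.
        severity = "high" if len(reasons) == 2 and rec["start"] <= 1 else "medium"
        if rec["start"] <= 1:
            reasons.append("loads as a boot/system-start driver")
        findings.append({"indicator": "service", "severity": severity,
                         "detail": rec["name"] + ": " + "; ".join(reasons), "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['indicator']:<16} {f['detail']}")
```

Run against the sample it reports the TDL4 bootkit line, the `khdqqzlq` driver as high (unreadable file, no vowels in the name, system start), and the two DDS rootkit-detector lines; the Google and Microsoft entries produce nothing. Treat `[?]` on its own as a weak signal: the DDS log later in this thread shows Google Update with `[?]` simply because its command line carries `/svc`, so a medium finding still needs the file checked on disk before anything is concluded. The script is for reading a log faster, not a replacement for the helper's review.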



#2 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,420 posts
  • Gender:Male
  • Location:California

Posted 26 August 2012 - 01:34 PM

Greetings D45ist and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary. :thumbup2: If you prefer I call you something other than your screen name I would be pleased to do so.

You have been through numerous things before posting so I need to go back to basics a bit to see where we are at now and come up to speed. The first step is to produce 3 logs for me as described below.


===================================================


Ground Rules:

  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps are a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.

===================================================


Helping me Help You

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.


===================================================


Additional Information

  • If you have since resolved the original problem you were having, I would appreciate you letting me know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and I will guide you.
    • Explain as best you can what happens with your computer, i.e. it beeps three times, the black screen starts then goes blank, etc
  • Please tell me if you have your original Windows CD/DVD available.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.

===================================================


Create DDS.txt and Attach.txt

I need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.

    DDS.com
    DDS.pif

  • Double click on the Posted Image icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Please copy and paste the contents of both results in your post.
  • Close the program window, and delete the program from your desktop.
You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


===================================================


Create GMER log

I also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • DDS.txt
  • Attach.txt
  • GMER log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,420 posts
  • Gender:Male
  • Location:California

Posted 29 August 2012 - 02:23 PM

Greetings D45ist,


===================================================


3 Day Bump

It has been more than 3 days since my last post.

  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#4 D45ist
  • Topic Starter

  • Members
  • 25 posts

Posted 30 August 2012 - 09:06 AM

Sorry for the delay - slooowww computer, no power one day re:Isaac, etc

Have the DDS done, trying to run Gmer per instructions.

After I extract all files and double click icon, choose run it starts automatically BEFORE I have a chance to uncheck IAT/EAT, drives/partition and show all.

I panicked and clicked cancel and then got a blue screen saying system was shut down to prevent damage to my computer, a bunch of 0x0 codes and Atapi.sys - F676B71D.

Do you want me to run it without unchecking or skip GMER log?

#5 D45ist
  • Topic Starter

  • Members
  • 25 posts

Posted 30 August 2012 - 10:24 AM

Here are the DDS and Attach logs without the GMER. If I understood your directions correctly I was to copy and paste the logs NOT attach them. If I misunderstood, I apologize in advance (hard to scroll back to instructions and flip pages with this bleeping computer) and will do it over correctly.
Thanks!


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Dell3000 at 15:21:44 on 2012-08-28
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.226 [GMT -4:00]
.
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1345313617645
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: Interfaces\{77A218B8-D0F5-483E-862A-E2ADB2996668} : NameServer = 208.67.222.123,208.67.220.123
TCP: Interfaces\{E7F03C20-36B9-4628-B623-63D6FEF8D2D7} : DhcpNameServer = 192.168.2.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
S1 khdqqzlq;khdqqzlq;\??\c:\windows\system32\drivers\khdqqzlq.sys --> c:\windows\system32\drivers\khdqqzlq.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\googleupdate.exe /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\googleupdate.exe /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 HPEWSFXBULK;HPEWSFXBULK;c:\windows\system32\drivers\hpfxbulk.sys [2010-12-7 17432]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [2012-8-17 563840]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]
.
=============== Created Last 30 ================
.
2012-08-28 15:37:58 7023536 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{320842fc-06d9-4ca2-9c5a-8334c66bca44}\mpengine.dll
2012-08-26 22:39:09 7023536 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-08-21 19:31:43 208896 ----a-w- c:\windows\MBR.exe
2012-08-21 19:31:41 518144 ----a-w- c:\windows\SWREG.exe
2012-08-21 19:31:41 256000 ----a-w- c:\windows\PEV.exe
2012-08-21 19:31:40 98816 ----a-w- c:\windows\sed.exe
2012-08-18 19:34:25 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-18 02:04:07 563840 ----a-r- c:\windows\system32\drivers\RTL8192su.sys
2012-08-18 01:51:26 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-08-18 01:51:26 -------- d-----w- c:\windows\system32\wbem\Repository
2012-08-13 13:13:22 -------- d-----w- C:\found.001
2012-08-09 01:27:58 -------- d-----w- c:\documents and settings\dell3000\application data\Webroot
2012-08-07 22:47:40 -------- d-----w- C:\found.000
2012-07-30 21:52:13 103904 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2012-07-18 02:32:51 4024320 ----a-w- c:\program files\GUT8C.tmp
2012-06-04 21:35:26 222448 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 19:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19:34 45080 ----a-w- c:\windows\system32\wups2(2)(2).dll
2012-06-02 19:19:34 35864 ----a-w- c:\windows\system32\wups(2)(2).dll
2012-06-02 19:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380011A rev.8.16 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82CEC4B1]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x82cf393c]; MOV EAX, [0x82cf3ab0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8338CAB8]
3 CLASSPNP[0xF8838FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x832ED570]
\Driver\atapi[0x82FE6AB8] -> IRP_MJ_CREATE -> 0x82CEC4B1
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { CLI ; MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62f; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x82CEC2E2
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 15:23:47.71 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 7/26/2010 9:11:58 PM
System Uptime: 8/28/2012 3:17:08 PM (0 hours ago)
.
Motherboard: Dell Computer Corp. | | 0TC667
Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2793/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 71 GiB total, 29.532 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP209: 6/1/2012 8:47:59 PM - System Checkpoint
RP210: 6/2/2012 9:39:30 PM - System Checkpoint
RP211: 6/4/2012 11:02:05 AM - System Checkpoint
RP212: 6/4/2012 9:42:36 PM - Software Distribution Service 3.0
RP213: 6/6/2012 4:06:47 PM - System Checkpoint
RP214: 6/7/2012 4:54:15 PM - System Checkpoint
RP215: 6/8/2012 5:54:12 PM - System Checkpoint
RP216: 6/13/2012 7:00:37 PM - System Checkpoint
RP217: 6/14/2012 10:00:25 AM - Software Distribution Service 3.0
RP218: 6/26/2012 2:17:10 PM - System Checkpoint
RP219: 6/27/2012 3:07:15 PM - System Checkpoint
RP220: 6/28/2012 3:48:07 PM - System Checkpoint
RP221: 6/29/2012 4:58:51 PM - System Checkpoint
RP222: 6/30/2012 9:26:22 PM - System Checkpoint
RP223: 7/2/2012 4:34:02 PM - System Checkpoint
RP224: 7/5/2012 3:25:21 PM - System Checkpoint
RP225: 7/7/2012 8:55:22 PM - System Checkpoint
RP226: 7/8/2012 9:43:12 PM - System Checkpoint
RP227: 7/9/2012 10:43:12 PM - System Checkpoint
RP228: 7/10/2012 11:43:12 PM - System Checkpoint
RP229: 7/12/2012 12:43:11 AM - System Checkpoint
RP230: 7/13/2012 1:43:11 AM - System Checkpoint
RP231: 7/16/2012 2:50:11 PM - System Checkpoint
RP232: 7/16/2012 11:11:20 PM - Software Distribution Service 3.0
RP233: 7/18/2012 2:04:19 PM - System Checkpoint
RP234: 7/19/2012 3:15:52 PM - System Checkpoint
RP235: 7/20/2012 3:55:24 PM - System Checkpoint
RP236: 7/21/2012 4:49:15 PM - System Checkpoint
RP237: 7/22/2012 5:38:43 PM - System Checkpoint
RP238: 7/23/2012 6:35:22 PM - System Checkpoint
RP239: 7/24/2012 6:37:42 PM - System Checkpoint
RP240: 7/25/2012 6:58:56 PM - System Checkpoint
RP241: 7/27/2012 10:56:54 AM - System Checkpoint
RP242: 7/28/2012 3:26:40 PM - System Checkpoint
RP243: 7/29/2012 4:15:07 PM - System Checkpoint
RP244: 7/30/2012 4:49:58 PM - System Checkpoint
RP245: 8/1/2012 11:13:26 AM - System Checkpoint
RP246: 8/6/2012 9:38:39 AM - System Checkpoint
RP247: 8/7/2012 9:43:45 AM - System Checkpoint
RP248: 8/7/2012 12:49:26 PM - Restore Operation
RP249: 8/8/2012 4:25:50 PM - Software Distribution Service 3.0
RP250: 8/9/2012 12:21:32 AM - Restore Operation
RP251: 8/9/2012 12:54:38 AM - Removed Nero 9 Lite 4.4.9.0
RP252: 8/9/2012 10:00:22 AM - Software Distribution Service 3.0
RP253: 8/10/2012 10:10:10 AM - System Checkpoint
RP254: 8/11/2012 12:55:08 PM - System Checkpoint
RP255: 8/12/2012 9:47:52 PM - System Checkpoint
RP256: 8/15/2012 2:08:58 PM - System Checkpoint
RP257: 8/16/2012 10:08:04 PM - System Checkpoint
RP258: 8/16/2012 11:06:42 PM - Software Distribution Service 3.0
RP259: 8/17/2012 9:31:15 PM - Restore Operation
RP260: 8/19/2012 12:26:07 AM - System Checkpoint
RP261: 8/20/2012 5:36:15 PM - System Checkpoint
RP262: 8/26/2012 6:30:06 PM - Software Distribution Service 3.0
RP263: 8/28/2012 11:33:26 AM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe Flash Player 10 ActiveX
Adobe Reader 9.5.2
Adobe Shockwave Player 11.5
Advertising Center
AOLIcon
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Dark Parables: Curse of Briar Rose Collector's Edition
Dell Driver Download Manager
Dell Driver Reset Tool
Dell Support 3.1
Dell System Restore
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2633952)
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
Internet Explorer Default Page
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java Auto Updater
Java™ 6 Update 31
LittlePPT
Macromedia Flash Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Security Client
Microsoft Security Essentials
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nancy Drew - Warnings at Waverly Academy
Nancy Drew: Alibi in Ashes
Nancy Drew: Danger on Deception Island
Nancy Drew: Secret of the Old Clock
Nancy Drew: The Captive Curse
Nancy Drew: The Curse of Blackmoor Manor
Nancy Drew: The Final Scene
Nancy Drew: The Haunted Carousel
Nancy Drew: The Phantom of Venice
Nancy Drew: Trail of the Twister
Nero 9 Lite
Nero ControlCenter
Nero Installer
Nero Online Upgrade
Nero StartSmart
neroxml
OpenOffice.org 3.2
OTOY
PowerDVD 5.5
Qualxserve Service Agreement
QuickTime
RealPlayer
RealUpgrade 1.0
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2695962)
The White Wolf of Icicle Creek
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows Internet Explorer 8 (KB2632503)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
WebFldrs XP
WhiteSmokeTranslator
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3
Wizard101
.
==== Event Viewer Messages From Past Week ========
.
8/26/2012 6:29:15 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.2322.0 Update Source: Microsoft Malware Protection Center Update Stage: Install Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.8601.0&avdelta=1.131.2322.0&asdelta=1.131.2322.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x8000ffff Error description: Catastrophic failure
8/26/2012 6:29:15 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.2322.0 Update Source: Microsoft Malware Protection Center Update Stage: Install Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.8601.0&avdelta=1.131.2322.0&asdelta=1.131.2322.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x8000ffff Error description: Catastrophic failure
8/26/2012 6:29:14 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.2322.0 Update Source: Microsoft Malware Protection Center Update Stage: Install Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.8601.0&avdelta=1.131.2322.0&asdelta=1.131.2322.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x8000ffff Error description: Catastrophic failure
8/26/2012 6:29:14 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.2322.0 Update Source: Microsoft Malware Protection Center Update Stage: Install Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.8601.0&avdelta=1.131.2322.0&asdelta=1.131.2322.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x8000ffff Error description: Catastrophic failure
8/26/2012 6:03:40 PM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The system cannot find the file specified.
8/26/2012 6:03:40 PM, error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The system cannot find the file specified.
8/21/2012 8:40:26 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.2322.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
8/21/2012 11:04:29 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.2322.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
.
==== End Of File ===========================

Edited by D45ist, 30 August 2012 - 10:35 AM.
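The "Event Viewer Messages From Past Week" section of a ComboFix log like the one above is plain text, so the two signals in it that a responder wants pulled out (Microsoft Antimalware event 2001, signature updates failing, with the update stage and HRESULT; and Service Control Manager event 7000, named services that could not start because their file is missing) can be extracted with a few regular expressions rather than read by eye. The parser below is an added example for this thread, not ComboFix output and not code from the poster; its sample input is constructed in the same shape as the entries above, with the long signature-version fields trimmed. What it cannot tell you is whether the missing service binaries were removed by the infection or by a cleanup tool; that is a question for the next steps in the thread.

```python
"""Parse the 'Event Viewer Messages From Past Week' section of a ComboFix log.

Entries have the shape
    M/D/YYYY H:MM:SS AM, error: <Source> [<EventID>] - <message>
Two message kinds are pulled apart further: Microsoft Antimalware 2001
(signature update failed; carries 'Update Stage:' and 'Error code: 0x........')
and Service Control Manager 7000 (a named service failed to start, with the
reason).  SAMPLE_LOG is constructed for this example in the same shape as the
posted entries, with long fields trimmed.
"""
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
==== Event Viewer Messages From Past Week ========
.
8/26/2012 6:29:15 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. Update Source: Microsoft Malware Protection Center Update Stage: Install Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\\NETWORK SERVICE Error code: 0x8000ffff Error description: Catastrophic failure
8/26/2012 6:03:40 PM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The system cannot find the file specified.
8/26/2012 6:03:40 PM, error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The system cannot find the file specified.
8/21/2012 8:40:26 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. Update Source: Microsoft Update Server Update Stage: Search Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\\SYSTEM Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates.
.
==== End Of File ===========================
"""

ENTRY_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)
ERROR_CODE_RE = re.compile(r"Error code: (0x[0-9a-fA-F]{8})")
STAGE_RE = re.compile(r"Update Stage: (\w+)")
SCM_7000_RE = re.compile(
    r"^The (?P<service>.+?) service failed to start due to the following error: "
    r"(?P<reason>.+?)\.?$"
)


def parse_events(text):
    """Return one dict per entry in the Event Viewer section, in file order."""
    events = []
    in_section = False
    for line in text.splitlines():
        if line.startswith("==== Event Viewer Messages"):
            in_section = True
            continue
        if in_section and line.startswith("===="):   # next section header ends it
            break
        m = ENTRY_RE.match(line)
        if in_section and m:
            ev = m.groupdict()
            ev["event_id"] = int(ev["event_id"])
            ev["time"] = datetime.strptime(ev.pop("ts"), "%m/%d/%Y %I:%M:%S %p")
            events.append(ev)
    return events


def summarize(events):
    """Aggregate the two signals that matter for triage.

    av_update_errors: Counter keyed by (update stage, HRESULT) for MSE 2001 events.
    services_not_started: [(service, reason)] from SCM 7000 events.
    """
    summary = {"av_update_errors": Counter(), "services_not_started": []}
    for ev in events:
        if ev["source"] == "Microsoft Antimalware" and ev["event_id"] == 2001:
            code = ERROR_CODE_RE.search(ev["msg"])
            stage = STAGE_RE.search(ev["msg"])
            key = (stage.group(1) if stage else "?", code.group(1) if code else "?")
            summary["av_update_errors"][key] += 1
        elif ev["source"] == "Service Control Manager" and ev["event_id"] == 7000:
            m = SCM_7000_RE.match(ev["msg"])
            if m:
                summary["services_not_started"].append((m["service"], m["reason"]))
    return summary


if __name__ == "__main__":
    s = summarize(parse_events(SAMPLE_LOG))
    for (stage, code), n in sorted(s["av_update_errors"].items()):
        print(f"MSE update failed at stage {stage} with {code}: {n} time(s)")
    for service, reason in s["services_not_started"]:
        print(f"service did not start: {service!r}: {reason}")
```

Run against the full log above it gives a count per (stage, error code) pair, which separates the update failing at the Install stage on the local machine (0x8000ffff, four times in a second) from the earlier Search-stage failure reaching Microsoft Update (0x8024402c), and a short list of services whose binaries are gone. Both are worth checking again after the next cleaning step, since a working AV updater and a clean service list are how you know the box is actually recovering.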


#6 Oh My!
  • Malware Response Instructor
  • 36,420 posts
  • Location:California

Posted 30 August 2012 - 12:32 PM

Greetings D45ist,

Please try and rerun GMER. It appears as if it automatically starts the scan but there is a short period of time it runs and then it stops allowing you to uncheck things and then select the real run.

----------

There is no need to run GMER now. I have the information I need from the DDS log.

Please run this program for me.


===================================================


Run TDSSKiller by Kaspersky on XP

--------------------

  • Please download Kaspersky's TDSSKiller and save it to your Desktop. <-Important!!!
  • If you desire you may print out and follow the instructions for performing a scan.
  • Double-click on TDSSKiller.exe.
  • When the program opens, click the Start Scan button.


  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • Any objects found will be shown in the Scan results under Select action for found objects, which offers three options.
  • If an infected file is detected, the default action will be Cure...do not change it.


  • Click Continue > Reboot now to finish the cleaning process.<- Important!!


  • If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer or to perform the scan in "safe mode".

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis. Please submit these results with your next reply.


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • TDSSKiller log

Edited by Oh My, 30 August 2012 - 12:48 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
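Before any 'Suspicious' file from the TDSSKiller log is submitted for a second opinion, it helps to turn the log into a service table and let a script build the review list. The example below is added for this thread; it is not Kaspersky's code and not the helper's. Its sample input is constructed in the format the log in post #8 uses inside the "Scan services" section: a timestamp and PID, an optional `[ MD5 ] name path` image line, then a `name - verdict` line, with a `name ( detail ) - warning` line as the constructed non-ok case; the names and hashes are made up. Three things are queued for a look: a verdict other than ok, a service for which no image line was printed (in the posted log this is the shape of gupdate, gupdatem, Apple Mobile Device and iPod Service, which lines up with the Service Control Manager 7000 "cannot find the file specified" errors in the ComboFix log, but it is also the shape of XP placeholder entries such as Abiosdsk, Atdisk, Changer and lbrtfdc), and a long, vowel-free, all-lowercase name. The posted log lists `khdqqzlq - ok` in that last shape; the scan reports it ok and the thread draws no conclusion about it, and the heuristic here does no more than put such names on the list.

```python
"""Triage a TDSSKiller log: build a service table and queue entries for review.

In the 'Scan services' section TDSSKiller prints, per registered service, an
optional image line
    HH:MM:SS.mmmm PID [ MD5 ] <name> <path>
followed by a verdict line
    HH:MM:SS.mmmm PID <name> - <verdict>
or, for a flagged entry,
    HH:MM:SS.mmmm PID <name> ( <detail> ) - <verdict>
SAMPLE_LOG is constructed for this example in that shape; names and hashes
are made up.
"""
import re

SAMPLE_LOG = """\
14:03:53.0765 1684 Scan started
14:03:55.0062 1684 ================ Scan system memory ========================
14:03:55.0062 1684 System memory - ok
14:03:55.0062 1684 ================ Scan services =============================
14:03:55.0187 1684 Abiosdsk - ok
14:03:55.0250 1684 [ 0123456789ABCDEF0123456789ABCDEF ] abp480n5 C:\\WINDOWS\\system32\\DRIVERS\\ABP480N5.SYS
14:03:55.0250 1684 abp480n5 - ok
14:03:55.0875 1684 Apple Mobile Device - ok
14:03:59.0281 1684 [ FEDCBA9876543210FEDCBA9876543210 ] gusvc C:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe
14:03:59.0281 1684 gusvc - ok
14:04:01.0000 1684 xqzkvbrt - ok
14:04:01.0500 1684 [ 00000000000000000000000000000000 ] wzqdrv C:\\WINDOWS\\system32\\drivers\\wzqdrv.sys
14:04:01.0500 1684 wzqdrv ( LockedFile.Multi.Generic ) - warning
14:04:02.0000 1684 ================ Scan global ===============================
"""

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<rest>.*)$")
# image line: 32 hex digits in brackets, service name, then a path that starts
# with a drive letter or a backslash (paths may contain spaces)
IMAGE_RE = re.compile(r"^\[ (?P<md5>[0-9A-Fa-f]{32}) \] (?P<name>.+?) (?P<path>(?:[A-Za-z]:\\|\\).*)$")
# verdict line, with an optional "( detail )" between name and verdict
VERDICT_RE = re.compile(r"^(?P<name>.+?)(?: \( (?P<detail>.+?) \))? - (?P<verdict>.+)$")
VOWELS = set("aeiouy")


def parse_services(text):
    """Return {name: {md5, path, verdict, detail}} for the 'Scan services' section only."""
    services = {}
    in_section = False
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        if rest.startswith("====="):            # section header: enter or leave
            in_section = "Scan services" in rest
            continue
        if not in_section:
            continue
        img = IMAGE_RE.match(rest)
        if img:
            services.setdefault(img["name"], {}).update(md5=img["md5"].upper(), path=img["path"])
            continue
        ver = VERDICT_RE.match(rest)
        if ver:
            services.setdefault(ver["name"], {}).update(verdict=ver["verdict"], detail=ver["detail"])
    return services


def looks_random(name):
    """Crude stand-in for an entropy test: long, all-lowercase and vowel-free."""
    return name.isalpha() and name.islower() and len(name) >= 8 and not (set(name) & VOWELS)


def triage(services):
    """Return [(name, [reasons])] for entries worth a manual look, sorted by name."""
    findings = []
    for name, info in sorted(services.items()):
        reasons = []
        verdict = info.get("verdict", "ok")
        if verdict != "ok":
            reasons.append("verdict " + verdict + (f" ({info['detail']})" if info.get("detail") else ""))
        if "md5" not in info:
            reasons.append("no image file hashed")
        if looks_random(name):
            reasons.append("random-looking name")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_services(SAMPLE_LOG)):
        print(f"{name}: {'; '.join(reasons)}")
```

The length cut-off in `looks_random` is deliberate: `hkmsvc` in the posted log is six lowercase letters with no vowel and is a stock Windows service, so a shorter threshold floods the list with legitimate names, and even at eight the output is a review queue, not a verdict. Entries with a hash but no finding are the ones you can submit the MD5 of to VirusTotal without uploading anything.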

#7 D45ist
  • Topic Starter
  • Members
  • 25 posts

Posted 30 August 2012 - 12:46 PM

Just tried to run GMER again twice. Both times it went to the same blue screen about 2 seconds into the scan even though I did not click anything (not even cancel)other than Run.

#8 D45ist
  • Topic Starter
  • Members
  • 25 posts

Posted 30 August 2012 - 01:14 PM

14:03:36.0421 1064 TDSS rootkit removing tool 2.8.8.0 Aug 24 2012 13:27:48
14:03:36.0875 1064 ============================================================
14:03:36.0875 1064 Current date / time: 2012/08/30 14:03:36.0875
14:03:36.0875 1064 SystemInfo:
14:03:36.0875 1064
14:03:36.0875 1064 OS Version: 5.1.2600 ServicePack: 3.0
14:03:36.0875 1064 Product type: Workstation
14:03:36.0875 1064 ComputerName: D9QVSG81
14:03:36.0875 1064 UserName: Dell3000
14:03:36.0875 1064 Windows directory: C:\WINDOWS
14:03:36.0875 1064 System windows directory: C:\WINDOWS
14:03:36.0875 1064 Processor architecture: Intel x86
14:03:36.0875 1064 Number of processors: 1
14:03:36.0875 1064 Page size: 0x1000
14:03:36.0875 1064 Boot type: Normal boot
14:03:36.0875 1064 ============================================================
14:03:39.0046 1064 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
14:03:39.0046 1064 ============================================================
14:03:39.0046 1064 \Device\Harddisk0\DR0:
14:03:39.0046 1064 MBR partitions:
14:03:39.0046 1064 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x139C5, BlocksNum 0x8E6818F
14:03:39.0046 1064 ============================================================
14:03:39.0093 1064 C: <-> \Device\Harddisk0\DR0\Partition1
14:03:39.0093 1064 ============================================================
14:03:39.0093 1064 Initialize success
14:03:39.0093 1064 ============================================================
14:03:53.0765 1684 ============================================================
14:03:53.0765 1684 Scan started
14:03:53.0765 1684 Mode: Manual;
14:03:53.0765 1684 ============================================================
14:03:55.0062 1684 ================ Scan system memory ========================
14:03:55.0062 1684 System memory - ok
14:03:55.0062 1684 ================ Scan services =============================
14:03:55.0187 1684 Abiosdsk - ok
14:03:55.0250 1684 [ 6ABB91494FE6C59089B9336452AB2EA3 ] abp480n5 C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
14:03:55.0250 1684 abp480n5 - ok
14:03:55.0296 1684 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
14:03:55.0312 1684 ACPI - ok
14:03:55.0343 1684 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
14:03:55.0343 1684 ACPIEC - ok
14:03:55.0359 1684 [ 9A11864873DA202C996558B2106B0BBC ] adpu160m C:\WINDOWS\system32\DRIVERS\adpu160m.sys
14:03:55.0375 1684 adpu160m - ok
14:03:55.0421 1684 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
14:03:55.0421 1684 aec - ok
14:03:55.0468 1684 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys
14:03:55.0484 1684 AFD - ok
14:03:55.0531 1684 [ 08FD04AA961BDC77FB983F328334E3D7 ] agp440 C:\WINDOWS\system32\DRIVERS\agp440.sys
14:03:55.0531 1684 agp440 - ok
14:03:55.0562 1684 [ 03A7E0922ACFE1B07D5DB2EEB0773063 ] agpCPQ C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
14:03:55.0562 1684 agpCPQ - ok
14:03:55.0593 1684 [ C23EA9B5F46C7F7910DB3EAB648FF013 ] Aha154x C:\WINDOWS\system32\DRIVERS\aha154x.sys
14:03:55.0593 1684 Aha154x - ok
14:03:55.0593 1684 [ 19DD0FB48B0C18892F70E2E7D61A1529 ] aic78u2 C:\WINDOWS\system32\DRIVERS\aic78u2.sys
14:03:55.0609 1684 aic78u2 - ok
14:03:55.0609 1684 [ B7FE594A7468AA0132DEB03FB8E34326 ] aic78xx C:\WINDOWS\system32\DRIVERS\aic78xx.sys
14:03:55.0625 1684 aic78xx - ok
14:03:55.0656 1684 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
14:03:55.0656 1684 Alerter - ok
14:03:55.0687 1684 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
14:03:55.0687 1684 ALG - ok
14:03:55.0718 1684 [ 1140AB9938809700B46BB88E46D72A96 ] AliIde C:\WINDOWS\system32\DRIVERS\aliide.sys
14:03:55.0718 1684 AliIde - ok
14:03:55.0734 1684 [ CB08AED0DE2DD889A8A820CD8082D83C ] alim1541 C:\WINDOWS\system32\DRIVERS\alim1541.sys
14:03:55.0750 1684 alim1541 - ok
14:03:55.0765 1684 [ 95B4FB835E28AA1336CEEB07FD5B9398 ] amdagp C:\WINDOWS\system32\DRIVERS\amdagp.sys
14:03:55.0765 1684 amdagp - ok
14:03:55.0765 1684 [ 79F5ADD8D24BD6893F2903A3E2F3FAD6 ] amsint C:\WINDOWS\system32\DRIVERS\amsint.sys
14:03:55.0765 1684 amsint - ok
14:03:55.0875 1684 Apple Mobile Device - ok
14:03:55.0890 1684 AppMgmt - ok
14:03:55.0921 1684 [ 62D318E9A0C8FC9B780008E724283707 ] asc C:\WINDOWS\system32\DRIVERS\asc.sys
14:03:55.0937 1684 asc - ok
14:03:55.0937 1684 [ 69EB0CC7714B32896CCBFD5EDCBEA447 ] asc3350p C:\WINDOWS\system32\DRIVERS\asc3350p.sys
14:03:55.0937 1684 asc3350p - ok
14:03:55.0953 1684 [ 5D8DE112AA0254B907861E9E9C31D597 ] asc3550 C:\WINDOWS\system32\DRIVERS\asc3550.sys
14:03:55.0953 1684 asc3550 - ok
14:03:56.0125 1684 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
14:03:56.0140 1684 aspnet_state - ok
14:03:56.0203 1684 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
14:03:56.0203 1684 AsyncMac - ok
14:03:56.0250 1684 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
14:03:56.0250 1684 atapi - ok
14:03:56.0265 1684 Atdisk - ok
14:03:56.0296 1684 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
14:03:56.0296 1684 Atmarpc - ok
14:03:56.0343 1684 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
14:03:56.0343 1684 AudioSrv - ok
14:03:56.0390 1684 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
14:03:56.0390 1684 audstub - ok
14:03:56.0437 1684 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
14:03:56.0437 1684 Beep - ok
14:03:56.0515 1684 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
14:03:56.0562 1684 BITS - ok
14:03:56.0625 1684 [ A06CE3399D16DB864F55FAEB1F1927A9 ] Browser C:\WINDOWS\System32\browser.dll
14:03:56.0625 1684 Browser - ok
14:03:56.0671 1684 [ 92A964547B96D697E5E9ED43B4297F5A ] BrScnUsb C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys
14:03:56.0671 1684 BrScnUsb - ok
14:03:56.0859 1684 catchme - ok
14:03:56.0921 1684 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
14:03:56.0921 1684 cbidf - ok
14:03:56.0921 1684 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
14:03:56.0921 1684 cbidf2k - ok
14:03:56.0953 1684 [ F3EC03299634490E97BBCE94CD2954C7 ] cd20xrnt C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
14:03:56.0953 1684 cd20xrnt - ok
14:03:57.0000 1684 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
14:03:57.0000 1684 Cdaudio - ok
14:03:57.0062 1684 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
14:03:57.0062 1684 Cdfs - ok
14:03:57.0109 1684 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
14:03:57.0109 1684 Cdrom - ok
14:03:57.0125 1684 Changer - ok
14:03:57.0156 1684 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
14:03:57.0156 1684 CiSvc - ok
14:03:57.0187 1684 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
14:03:57.0187 1684 ClipSrv - ok
14:03:57.0234 1684 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
14:03:57.0250 1684 clr_optimization_v2.0.50727_32 - ok
14:03:57.0281 1684 [ E5DCB56C533014ECBC556A8357C929D5 ] CmdIde C:\WINDOWS\system32\DRIVERS\cmdide.sys
14:03:57.0281 1684 CmdIde - ok
14:03:57.0296 1684 COMSysApp - ok
14:03:57.0328 1684 [ 3EE529119EED34CD212A215E8C40D4B6 ] Cpqarray C:\WINDOWS\system32\DRIVERS\cpqarray.sys
14:03:57.0328 1684 Cpqarray - ok
14:03:57.0375 1684 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
14:03:57.0375 1684 CryptSvc - ok
14:03:57.0421 1684 [ E550E7418984B65A78299D248F0A7F36 ] dac2w2k C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
14:03:57.0421 1684 dac2w2k - ok
14:03:57.0453 1684 [ 683789CAA3864EB46125AE86FF677D34 ] dac960nt C:\WINDOWS\system32\DRIVERS\dac960nt.sys
14:03:57.0453 1684 dac960nt - ok
14:03:57.0515 1684 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
14:03:57.0562 1684 DcomLaunch - ok
14:03:57.0625 1684 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
14:03:57.0625 1684 Dhcp - ok
14:03:57.0640 1684 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
14:03:57.0640 1684 Disk - ok
14:03:57.0640 1684 dmadmin - ok
14:03:57.0703 1684 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
14:03:57.0718 1684 dmboot - ok
14:03:57.0750 1684 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
14:03:57.0765 1684 dmio - ok
14:03:57.0796 1684 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
14:03:57.0796 1684 dmload - ok
14:03:57.0843 1684 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
14:03:57.0843 1684 dmserver - ok
14:03:57.0890 1684 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
14:03:57.0890 1684 DMusic - ok
14:03:57.0953 1684 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
14:03:57.0953 1684 Dnscache - ok
14:03:58.0015 1684 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
14:03:58.0015 1684 Dot3svc - ok
14:03:58.0078 1684 [ 3E4B043F8BC6BE1D4820CC6C9C500306 ] dot4 C:\WINDOWS\system32\DRIVERS\Dot4.sys
14:03:58.0078 1684 dot4 - ok
14:03:58.0140 1684 [ 77CE63A8A34AE23D9FE4C7896D1DEBE7 ] Dot4Print C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
14:03:58.0140 1684 Dot4Print - ok
14:03:58.0187 1684 [ 6EC3AF6BB5B30E488A0C559921F012E1 ] dot4usb C:\WINDOWS\system32\DRIVERS\dot4usb.sys
14:03:58.0187 1684 dot4usb - ok
14:03:58.0203 1684 [ 40F3B93B4E5B0126F2F5C0A7A5E22660 ] dpti2o C:\WINDOWS\system32\DRIVERS\dpti2o.sys
14:03:58.0203 1684 dpti2o - ok
14:03:58.0250 1684 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
14:03:58.0250 1684 drmkaud - ok
14:03:58.0312 1684 [ 7D91DC6342248369F94D6EBA0CF42E99 ] E100B C:\WINDOWS\system32\DRIVERS\e100b325.sys
14:03:58.0312 1684 E100B - ok
14:03:58.0375 1684 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
14:03:58.0375 1684 EapHost - ok
14:03:58.0421 1684 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
14:03:58.0421 1684 ERSvc - ok
14:03:58.0484 1684 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
14:03:58.0484 1684 Eventlog - ok
14:03:58.0546 1684 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\system32\es.dll
14:03:58.0562 1684 EventSystem - ok
14:03:58.0578 1684 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
14:03:58.0578 1684 Fastfat - ok
14:03:58.0625 1684 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
14:03:58.0640 1684 FastUserSwitchingCompatibility - ok
14:03:58.0703 1684 [ E97D6A8684466DF94FF3BC24FB787A07 ] Fax C:\WINDOWS\system32\fxssvc.exe
14:03:58.0703 1684 Fax - ok
14:03:58.0718 1684 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys
14:03:58.0734 1684 Fdc - ok
14:03:58.0734 1684 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
14:03:58.0734 1684 Fips - ok
14:03:58.0781 1684 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\DRIVERS\flpydisk.sys
14:03:58.0781 1684 Flpydisk - ok
14:03:58.0812 1684 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
14:03:58.0812 1684 FltMgr - ok
14:03:58.0937 1684 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
14:03:58.0937 1684 FontCache3.0.0.0 - ok
14:03:59.0000 1684 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
14:03:59.0000 1684 Fs_Rec - ok
14:03:59.0062 1684 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
14:03:59.0062 1684 Ftdisk - ok
14:03:59.0078 1684 [ 8182FF89C65E4D38B2DE4BB0FB18564E ] GEARAspiWDM C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
14:03:59.0078 1684 GEARAspiWDM - ok
14:03:59.0125 1684 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
14:03:59.0156 1684 Gpc - ok
14:03:59.0234 1684 gupdate - ok
14:03:59.0234 1684 gupdatem - ok
14:03:59.0281 1684 [ 408DDD80EEDE47175F6844817B90213E ] gusvc C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
14:03:59.0281 1684 gusvc - ok
14:03:59.0375 1684 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
14:03:59.0375 1684 helpsvc - ok
14:03:59.0390 1684 HidServ - ok
14:03:59.0437 1684 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys
14:03:59.0437 1684 HidUsb - ok
14:03:59.0484 1684 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
14:03:59.0484 1684 hkmsvc - ok
14:03:59.0515 1684 [ 299683D4C8AAA3F6F5D5D226A1782A6E ] HPEWSFXBULK C:\WINDOWS\system32\drivers\hpfxbulk.sys
14:03:59.0531 1684 HPEWSFXBULK - ok
14:03:59.0546 1684 [ B028377DEA0546A5FCFBA928A8AEFAE0 ] hpn C:\WINDOWS\system32\DRIVERS\hpn.sys
14:03:59.0546 1684 hpn - ok
14:03:59.0609 1684 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
14:03:59.0625 1684 HTTP - ok
14:03:59.0656 1684 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
14:03:59.0656 1684 HTTPFilter - ok
14:03:59.0687 1684 [ 9368670BD426EBEA5E8B18A62416EC28 ] i2omgmt C:\WINDOWS\system32\drivers\i2omgmt.sys
14:03:59.0687 1684 i2omgmt - ok
14:03:59.0718 1684 [ F10863BF1CCC290BABD1A09188AE49E0 ] i2omp C:\WINDOWS\system32\DRIVERS\i2omp.sys
14:03:59.0718 1684 i2omp - ok
14:03:59.0765 1684 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
14:03:59.0765 1684 i8042prt - ok
14:03:59.0906 1684 [ 9A883C3C4D91292C0D09DE7C728E781C ] ialm C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
14:03:59.0937 1684 ialm - ok
14:04:00.0046 1684 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
14:04:00.0109 1684 idsvc - ok
14:04:00.0140 1684 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
14:04:00.0140 1684 Imapi - ok
14:04:00.0218 1684 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
14:04:00.0218 1684 ImapiService - ok
14:04:00.0265 1684 [ 4A40E045FAEE58631FD8D91AFC620719 ] ini910u C:\WINDOWS\system32\DRIVERS\ini910u.sys
14:04:00.0265 1684 ini910u - ok
14:04:00.0312 1684 [ B5466A9250342A7AA0CD1FBA13420678 ] IntelIde C:\WINDOWS\system32\DRIVERS\intelide.sys
14:04:00.0312 1684 IntelIde - ok
14:04:00.0343 1684 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
14:04:00.0343 1684 intelppm - ok
14:04:00.0390 1684 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys
14:04:00.0406 1684 Ip6Fw - ok
14:04:00.0453 1684 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
14:04:00.0453 1684 IpFilterDriver - ok
14:04:00.0500 1684 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
14:04:00.0515 1684 IpInIp - ok
14:04:00.0546 1684 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
14:04:00.0546 1684 IpNat - ok
14:04:00.0593 1684 iPod Service - ok
14:04:00.0625 1684 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
14:04:00.0625 1684 IPSec - ok
14:04:00.0671 1684 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
14:04:00.0671 1684 IRENUM - ok
14:04:00.0703 1684 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
14:04:00.0703 1684 isapnp - ok
14:04:00.0953 1684 [ 0A5709543986843D37A92290B7838340 ] JavaQuickStarterService C:\Program Files\Java\jre6\bin\jqs.exe
14:04:00.0953 1684 JavaQuickStarterService - ok
14:04:00.0984 1684 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
14:04:00.0984 1684 Kbdclass - ok
14:04:01.0000 1684 khdqqzlq - ok
14:04:01.0062 1684 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
14:04:01.0078 1684 kmixer - ok
14:04:01.0109 1684 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
14:04:01.0125 1684 KSecDD - ok
14:04:01.0187 1684 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
14:04:01.0218 1684 lanmanserver - ok
14:04:01.0250 1684 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
14:04:01.0265 1684 lanmanworkstation - ok
14:04:01.0265 1684 lbrtfdc - ok
14:04:01.0328 1684 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
14:04:01.0328 1684 LmHosts - ok
14:04:01.0359 1684 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
14:04:01.0359 1684 Messenger - ok
14:04:01.0406 1684 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
14:04:01.0406 1684 mnmdd - ok
14:04:01.0468 1684 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
14:04:01.0468 1684 mnmsrvc - ok
14:04:01.0515 1684 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
14:04:01.0515 1684 Modem - ok
14:04:01.0531 1684 [ 1992E0D143B09653AB0F9C5E04B0FD65 ] MODEMCSA C:\WINDOWS\system32\drivers\MODEMCSA.sys
14:04:01.0531 1684 MODEMCSA - ok
14:04:01.0578 1684 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
14:04:01.0578 1684 Mouclass - ok
14:04:01.0625 1684 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
14:04:01.0625 1684 mouhid - ok
14:04:01.0656 1684 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
14:04:01.0656 1684 MountMgr - ok
14:04:01.0734 1684 [ D993BEA500E7382DC4E760BF4F35EFCB ] MpFilter C:\WINDOWS\system32\DRIVERS\MpFilter.sys
14:04:01.0781 1684 MpFilter - ok
14:04:01.0937 1684 [ A69630D039C38018689190234F866D77 ] MpKslda16f06c c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D965E491-0D57-49C5-83B2-64887CACE645}\MpKslda16f06c.sys
14:04:01.0937 1684 MpKslda16f06c - ok
14:04:02.0015 1684 [ 3F4BB95E5A44F3BE34824E8E7CAF0737 ] mraid35x C:\WINDOWS\system32\DRIVERS\mraid35x.sys
14:04:02.0015 1684 mraid35x - ok
14:04:02.0046 1684 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
14:04:02.0046 1684 MRxDAV - ok
14:04:02.0125 1684 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
14:04:02.0171 1684 MRxSmb - ok
14:04:02.0218 1684 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
14:04:02.0250 1684 MSDTC - ok
14:04:02.0281 1684 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
14:04:02.0281 1684 Msfs - ok
14:04:02.0296 1684 MSIServer - ok
14:04:02.0328 1684 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
14:04:02.0328 1684 MSKSSRV - ok
14:04:02.0406 1684 [ 24516BF4E12A46CB67302E2CDCB8CDDF ] MsMpSvc c:\Program Files\Microsoft Security Client\MsMpEng.exe
14:04:02.0406 1684 MsMpSvc - ok
14:04:02.0453 1684 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
14:04:02.0453 1684 MSPCLOCK - ok
14:04:02.0500 1684 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
14:04:02.0531 1684 MSPQM - ok
14:04:02.0578 1684 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
14:04:02.0578 1684 mssmbios - ok
14:04:02.0609 1684 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
14:04:02.0625 1684 Mup - ok
14:04:02.0656 1684 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
14:04:02.0671 1684 napagent - ok
14:04:02.0718 1684 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
14:04:02.0718 1684 NDIS - ok
14:04:02.0765 1684 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
14:04:02.0765 1684 NdisTapi - ok
14:04:02.0812 1684 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
14:04:02.0812 1684 Ndisuio - ok
14:04:02.0828 1684 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
14:04:02.0828 1684 NdisWan - ok
14:04:02.0890 1684 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
14:04:02.0890 1684 NDProxy - ok
14:04:02.0953 1684 [ A081CB6FB9A12668F233EB5414BE3A0E ] Net Driver HPZ12 C:\WINDOWS\system32\HPZinw12.dll
14:04:02.0953 1684 Net Driver HPZ12 - ok
14:04:02.0968 1684 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
14:04:02.0968 1684 NetBIOS - ok
14:04:02.0984 1684 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
14:04:03.0000 1684 NetBT - ok
14:04:03.0062 1684 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
14:04:03.0062 1684 NetDDE - ok
14:04:03.0078 1684 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
14:04:03.0078 1684 NetDDEdsdm - ok
14:04:03.0125 1684 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
14:04:03.0125 1684 Netlogon - ok
14:04:03.0156 1684 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
14:04:03.0156 1684 Netman - ok
14:04:03.0296 1684 [ 02D0798F376FCBD0210EDA58476D0B1B ] NetSvc C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
14:04:03.0296 1684 NetSvc - ok
14:04:03.0359 1684 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
14:04:03.0359 1684 NetTcpPortSharing - ok
14:04:03.0421 1684 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll
14:04:03.0421 1684 Nla - ok
14:04:03.0453 1684 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
14:04:03.0453 1684 Npfs - ok
14:04:03.0515 1684 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
14:04:03.0546 1684 Ntfs - ok
14:04:03.0546 1684 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
14:04:03.0562 1684 NtLmSsp - ok
14:04:03.0625 1684 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
14:04:03.0640 1684 NtmsSvc - ok
14:04:03.0656 1684 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
14:04:03.0656 1684 Null - ok
14:04:03.0750 1684 [ 2B298519EDBFCF451D43E0F1E8F1006D ] nv C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
14:04:03.0812 1684 nv - ok
14:04:03.0843 1684 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
14:04:03.0843 1684 NwlnkFlt - ok
14:04:03.0859 1684 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
14:04:03.0859 1684 NwlnkFwd - ok
14:04:03.0921 1684 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
14:04:03.0921 1684 Parport - ok
14:04:03.0921 1684 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
14:04:03.0937 1684 PartMgr - ok
14:04:03.0953 1684 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
14:04:03.0968 1684 ParVdm - ok
14:04:04.0000 1684 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
14:04:04.0000 1684 PCI - ok
14:04:04.0000 1684 PCIDump - ok
14:04:04.0015 1684 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
14:04:04.0015 1684 PCIIde - ok
14:04:04.0046 1684 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys
14:04:04.0046 1684 Pcmcia - ok
14:04:04.0062 1684 PDCOMP - ok
14:04:04.0078 1684 PDFRAME - ok
14:04:04.0078 1684 PDRELI - ok
14:04:04.0093 1684 PDRFRAME - ok
14:04:04.0125 1684 [ 6C14B9C19BA84F73D3A86DBA11133101 ] perc2 C:\WINDOWS\system32\DRIVERS\perc2.sys
14:04:04.0125 1684 perc2 - ok
14:04:04.0125 1684 [ F50F7C27F131AFE7BEBA13E14A3B9416 ] perc2hib C:\WINDOWS\system32\DRIVERS\perc2hib.sys
14:04:04.0125 1684 perc2hib - ok
14:04:04.0171 1684 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
14:04:04.0171 1684 PlugPlay - ok
14:04:04.0187 1684 [ 65BC271F337637731D3C71455AE1F476 ] Pml Driver HPZ12 C:\WINDOWS\system32\HPZipm12.dll
14:04:04.0187 1684 Pml Driver HPZ12 - ok
14:04:04.0203 1684 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
14:04:04.0203 1684 PolicyAgent - ok
14:04:04.0250 1684 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
14:04:04.0250 1684 PptpMiniport - ok
14:04:04.0265 1684 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
14:04:04.0265 1684 ProtectedStorage - ok
14:04:04.0296 1684 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
14:04:04.0375 1684 PSched - ok
14:04:04.0421 1684 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
14:04:04.0453 1684 Ptilink - ok
14:04:04.0531 1684 [ 0A63FB54039EB5662433CABA3B26DBA7 ] ql1080 C:\WINDOWS\system32\DRIVERS\ql1080.sys
14:04:04.0546 1684 ql1080 - ok
14:04:04.0562 1684 [ 6503449E1D43A0FF0201AD5CB1B8C706 ] Ql10wnt C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
14:04:04.0578 1684 Ql10wnt - ok
14:04:04.0609 1684 [ 156ED0EF20C15114CA097A34A30D8A01 ] ql12160 C:\WINDOWS\system32\DRIVERS\ql12160.sys
14:04:04.0718 1684 ql12160 - ok
14:04:04.0718 1684 [ 70F016BEBDE6D29E864C1230A07CC5E6 ] ql1240 C:\WINDOWS\system32\DRIVERS\ql1240.sys
14:04:04.0750 1684 ql1240 - ok
14:04:04.0750 1684 [ 907F0AEEA6BC451011611E732BD31FCF ] ql1280 C:\WINDOWS\system32\DRIVERS\ql1280.sys
14:04:04.0750 1684 ql1280 - ok
14:04:04.0796 1684 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
14:04:04.0812 1684 RasAcd - ok
14:04:04.0859 1684 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
14:04:04.0859 1684 RasAuto - ok
14:04:04.0906 1684 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
14:04:04.0906 1684 Rasl2tp - ok
14:04:05.0031 1684 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
14:04:05.0046 1684 RasMan - ok
14:04:05.0078 1684 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
14:04:05.0125 1684 RasPppoe - ok
14:04:05.0187 1684 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
14:04:05.0187 1684 Raspti - ok
14:04:05.0234 1684 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
14:04:05.0250 1684 Rdbss - ok
14:04:05.0343 1684 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
14:04:05.0343 1684 RDPCDD - ok
14:04:05.0421 1684 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
14:04:05.0421 1684 rdpdr - ok
14:04:05.0484 1684 [ 5B3055DAA788BD688594D2F5981F2A83 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
14:04:05.0484 1684 RDPWD - ok
14:04:05.0546 1684 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
14:04:05.0546 1684 RDSessMgr - ok
14:04:05.0562 1684 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
14:04:05.0562 1684 redbook - ok
14:04:05.0609 1684 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
14:04:05.0609 1684 RemoteAccess - ok
14:04:05.0671 1684 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe
14:04:05.0671 1684 RpcLocator - ok
14:04:05.0703 1684 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\System32\rpcss.dll
14:04:05.0718 1684 RpcSs - ok
14:04:05.0796 1684 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
14:04:05.0875 1684 RSVP - ok
14:04:05.0953 1684 [ 5FCCA99C136FDDF8CE819D75E940D64B ] RTL8192su C:\WINDOWS\system32\DRIVERS\RTL8192su.sys
14:04:06.0015 1684 RTL8192su - ok
14:04:06.0062 1684 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
14:04:06.0062 1684 SamSs - ok
14:04:06.0125 1684 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
14:04:06.0156 1684 SCardSvr - ok
14:04:06.0500 1684 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
14:04:06.0500 1684 Schedule - ok
14:04:06.0531 1684 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
14:04:06.0531 1684 Secdrv - ok
14:04:06.0593 1684 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
14:04:06.0593 1684 seclogon - ok
14:04:06.0671 1684 [ B9C7617C1E8AB6FDFF75D3C8DAFCB4C8 ] senfilt C:\WINDOWS\system32\drivers\senfilt.sys
14:04:06.0687 1684 senfilt - ok
14:04:06.0734 1684 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
14:04:06.0750 1684 SENS - ok
14:04:06.0765 1684 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
14:04:06.0765 1684 serenum - ok
14:04:06.0781 1684 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
14:04:06.0781 1684 Serial - ok
14:04:06.0828 1684 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
14:04:06.0828 1684 Sfloppy - ok
14:04:06.0921 1684 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
14:04:06.0937 1684 SharedAccess - ok
14:04:06.0968 1684 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
14:04:06.0968 1684 ShellHWDetection - ok
14:04:06.0968 1684 Simbad - ok
14:04:07.0031 1684 [ 6B33D0EBD30DB32E27D1D78FE946A754 ] sisagp C:\WINDOWS\system32\DRIVERS\sisagp.sys
14:04:07.0031 1684 sisagp - ok
14:04:07.0093 1684 [ C6D9959E493682F872A639B6EC1B4A08 ] smwdm C:\WINDOWS\system32\drivers\smwdm.sys
14:04:07.0093 1684 smwdm - ok
14:04:07.0125 1684 [ 83C0F71F86D3BDAF915685F3D568B20E ] Sparrow C:\WINDOWS\system32\DRIVERS\sparrow.sys
14:04:07.0125 1684 Sparrow - ok
14:04:07.0187 1684 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
14:04:07.0203 1684 splitter - ok
14:04:07.0265 1684 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
14:04:07.0281 1684 Spooler - ok
14:04:07.0312 1684 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
14:04:07.0312 1684 sr - ok
14:04:07.0390 1684 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
14:04:07.0390 1684 srservice - ok
14:04:07.0484 1684 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
14:04:07.0531 1684 Srv - ok
14:04:07.0593 1684 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
14:04:07.0593 1684 SSDPSRV - ok
14:04:07.0671 1684 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
14:04:07.0687 1684 stisvc - ok
14:04:07.0734 1684 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
14:04:07.0734 1684 swenum - ok
14:04:07.0750 1684 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
14:04:07.0750 1684 swmidi - ok
14:04:07.0765 1684 SwPrv - ok
14:04:07.0796 1684 [ 1FF3217614018630D0A6758630FC698C ] symc810 C:\WINDOWS\system32\DRIVERS\symc810.sys
14:04:07.0812 1684 symc810 - ok
14:04:07.0843 1684 [ 070E001D95CF725186EF8B20335F933C ] symc8xx C:\WINDOWS\system32\DRIVERS\symc8xx.sys
14:04:07.0843 1684 symc8xx - ok
14:04:07.0890 1684 [ 80AC1C4ABBE2DF3B738BF15517A51F2C ] sym_hi C:\WINDOWS\system32\DRIVERS\sym_hi.sys
14:04:07.0890 1684 sym_hi - ok
14:04:07.0890 1684 [ BF4FAB949A382A8E105F46EBB4937058 ] sym_u3 C:\WINDOWS\system32\DRIVERS\sym_u3.sys
14:04:07.0890 1684 sym_u3 - ok
14:04:07.0921 1684 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
14:04:07.0921 1684 sysaudio - ok
14:04:07.0984 1684 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
14:04:07.0984 1684 SysmonLog - ok
14:04:08.0093 1684 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
14:04:08.0093 1684 TapiSrv - ok
14:04:08.0171 1684 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
14:04:08.0187 1684 Tcpip - ok
14:04:08.0250 1684 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
14:04:08.0250 1684 TDPIPE - ok
14:04:08.0296 1684 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
14:04:08.0296 1684 TDTCP - ok
14:04:08.0343 1684 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
14:04:08.0343 1684 TermDD - ok
14:04:08.0421 1684 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
14:04:08.0421 1684 TermService - ok
14:04:08.0468 1684 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
14:04:08.0468 1684 Themes - ok
14:04:08.0515 1684 [ F2790F6AF01321B172AA62F8E1E187D9 ] TosIde C:\WINDOWS\system32\DRIVERS\toside.sys
14:04:08.0515 1684 TosIde - ok
14:04:08.0578 1684 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
14:04:08.0593 1684 TrkWks - ok
14:04:08.0671 1684 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
14:04:08.0718 1684 Udfs - ok
14:04:08.0750 1684 [ 1B698A51CD528D8DA4FFAED66DFC51B9 ] ultra C:\WINDOWS\system32\DRIVERS\ultra.sys
14:04:08.0812 1684 ultra - ok
14:04:09.0109 1684 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
14:04:09.0171 1684 Update - ok
14:04:09.0234 1684 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
14:04:09.0312 1684 upnphost - ok
14:04:09.0375 1684 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
14:04:09.0421 1684 UPS - ok
14:04:09.0484 1684 [ 5C2BDC152BBAB34F36473DEAF7713F22 ] USBAAPL C:\WINDOWS\system32\Drivers\usbaapl.sys
14:04:09.0531 1684 USBAAPL - ok
14:04:09.0578 1684 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
14:04:09.0593 1684 usbccgp - ok
14:04:09.0640 1684 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
14:04:09.0640 1684 usbehci - ok
14:04:09.0718 1684 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
14:04:09.0781 1684 usbhub - ok
14:04:09.0812 1684 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
14:04:09.0812 1684 usbprint - ok
14:04:09.0921 1684 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
14:04:09.0968 1684 usbscan - ok
14:04:10.0125 1684 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:04:10.0140 1684 USBSTOR - ok
14:04:10.0171 1684 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
14:04:10.0187 1684 usbuhci - ok
14:04:10.0218 1684 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
14:04:10.0250 1684 VgaSave - ok
14:04:10.0312 1684 [ 754292CE5848B3738281B4F3607EAEF4 ] viaagp C:\WINDOWS\system32\DRIVERS\viaagp.sys
14:04:10.0359 1684 viaagp - ok
14:04:10.0421 1684 [ 3B3EFCDA263B8AC14FDF9CBDD0791B2E ] ViaIde C:\WINDOWS\system32\DRIVERS\viaide.sys
14:04:10.0453 1684 ViaIde - ok
14:04:10.0500 1684 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
14:04:10.0515 1684 VolSnap - ok
14:04:10.0578 1684 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
14:04:10.0593 1684 VSS - ok
14:04:10.0640 1684 [ 54AF4B1D5459500EF0937F6D33B1914F ] w32time C:\WINDOWS\system32\w32time.dll
14:04:10.0640 1684 w32time - ok
14:04:10.0687 1684 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
14:04:10.0703 1684 Wanarp - ok
14:04:10.0703 1684 wanatw - ok
14:04:10.0718 1684 WDICA - ok
14:04:10.0765 1684 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
14:04:10.0781 1684 wdmaud - ok
14:04:10.0828 1684 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
14:04:10.0843 1684 WebClient - ok
14:04:10.0984 1684 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
14:04:11.0000 1684 winmgmt - ok
14:04:11.0109 1684 [ 18F347402DA544A780949B8FDF83351B ] WinRM C:\WINDOWS\system32\WsmSvc.dll
14:04:11.0593 1684 WinRM - ok
14:04:11.0640 1684 [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll
14:04:11.0656 1684 WmdmPmSN - ok
14:04:11.0718 1684 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
14:04:11.0734 1684 WmiApSrv - ok
14:04:11.0968 1684 [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe
14:04:12.0265 1684 WMPNetworkSvc - ok
14:04:12.0328 1684 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
14:04:12.0328 1684 WS2IFSL - ok
14:04:12.0390 1684 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
14:04:12.0390 1684 wscsvc - ok
14:04:12.0437 1684 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll
14:04:12.0453 1684 wuauserv - ok
14:04:12.0578 1684 [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys
14:04:12.0593 1684 WudfPf - ok
14:04:12.0640 1684 [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys
14:04:12.0640 1684 WudfRd - ok
14:04:12.0687 1684 [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll
14:04:12.0687 1684 WudfSvc - ok
14:04:12.0750 1684 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
14:04:12.0812 1684 WZCSVC - ok
14:04:12.0859 1684 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
14:04:12.0859 1684 xmlprov - ok
14:04:12.0890 1684 ================ Scan global ===============================
14:04:12.0937 1684 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
14:04:13.0109 1684 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
14:04:13.0218 1684 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
14:04:13.0265 1684 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
14:04:13.0265 1684 [Global] - ok
14:04:13.0265 1684 ================ Scan MBR ==================================
14:04:13.0296 1684 [ A03E065717CB65F3034AD33AD58B6BBA ] \Device\Harddisk0\DR0
14:04:13.0296 1684 Suspicious mbr (Forged): \Device\Harddisk0\DR0
14:04:13.0328 1684 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
14:04:13.0328 1684 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)
14:04:13.0328 1684 ================ Scan VBR ==================================
14:04:13.0359 1684 [ 3B24418C77FB622DBD1F0F948E2930CE ] \Device\Harddisk0\DR0\Partition1
14:04:13.0359 1684 \Device\Harddisk0\DR0\Partition1 - ok
14:04:13.0375 1684 ============================================================
14:04:13.0375 1684 Scan finished
14:04:13.0375 1684 ============================================================
14:04:13.0390 0968 Detected object count: 1
14:04:13.0390 0968 Actual detected object count: 1
14:08:28.0062 0968 \Device\Harddisk0\DR0\# - copied to quarantine
14:08:28.0062 0968 \Device\Harddisk0\DR0 - copied to quarantine
14:08:28.0093 0968 \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine
14:08:28.0109 0968 \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
14:08:28.0109 0968 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
14:08:28.0109 0968 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
14:08:28.0109 0968 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
14:08:28.0125 0968 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
14:08:28.0343 0968 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
14:08:28.0343 0968 \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine
14:08:28.0343 0968 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
14:08:28.0343 0968 \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
14:08:28.0343 0968 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
14:08:28.0343 0968 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
14:08:28.0359 0968 \Device\Harddisk0\DR0\TDLFS\s - copied to quarantine
14:08:28.0375 0968 \Device\Harddisk0\DR0\TDLFS\u - copied to quarantine
14:08:28.0421 0968 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
14:08:28.0437 0968 \Device\Harddisk0\DR0 - ok
14:08:28.0453 0968 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure

#9 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,420 posts
  • Gender:Male
  • Location:California
  • Local time:02:36 AM

Posted 30 August 2012 - 01:50 PM

Greetings D45ist,

Getting a notice that a password reset was requested is not the same as accessing your account. In fact it is evidence they can't get in your account otherwise there would be no need for a reset.

You included a Combofix log which appears to be over a year old. Did you just run this recently?

ComboFix 11-03-28.05 - Dell3000 03/29/2011 15:29:24.1.1 - x86


I am going to give you instruction on deleting the existing icon and downloading a fresh Combofix. If you no longer have the program on your desktop simply start with the download part.

First I must advise you of the following.


===================================================


BACKDOOR WARNING!

--------------------

One or more of the identified infections is a Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Please let me know if you have already noticed evidences of financial institution irregularities.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


===================================================


Re-installing and Running Combofix in Windows XP

--------------------

I would like you to delete Combofix and then re-install it. We will then run the program again with the new copy.

  • Right click on the ComboFix Icon on your desktop and select Delete.
  • Please download ComboFix from one of these locations and save it to your desktop:

    Bleepingcomputer
    ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Note: If the Microsoft Windows Recovery Console is already installed ComboFix will skip the below Recovery Console pop ups and continue its malware removal procedure.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\Combofix.txt log in your next reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Combofix.txt
  • How is your computer running?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#10 D45ist

D45ist
  • Topic Starter

  • Members
  • 25 posts
  • Local time:04:36 AM

Posted 30 August 2012 - 03:09 PM

Here is a new Combofix log. Did not realize that the old one was still there, so I deleted and did it over. Combofix gave me a warning that AVG linkscanner was active, but I cannot find it in my machine to disable it. I had deleted this months ago and thought it was gone.

This is my child's computer for homework and online games - let's fix if we can (at least until I can buy her a new one). Thanks!


ComboFix 12-08-30.03 - Dell3000 08/30/2012 15:31:53.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.233 [GMT -4:00]
Running from: c:\documents and settings\Dell3000\Desktop\ComboFix.exe
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-30 )))))))))))))))))))))))))))))))
.
.
2012-08-30 18:08 . 2012-08-30 18:08 -------- d-----w- C:\TDSSKiller_Quarantine
2012-08-30 15:36 . 2012-08-30 15:36 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D965E491-0D57-49C5-83B2-64887CACE645}\offreg.dll
2012-08-30 15:07 . 2012-08-01 22:51 7023536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D965E491-0D57-49C5-83B2-64887CACE645}\mpengine.dll
2012-08-28 15:37 . 2012-08-01 22:51 7023536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-18 19:34 . 2012-08-18 19:35 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-18 02:04 . 2009-03-28 00:05 563840 ----a-r- c:\windows\system32\drivers\RTL8192su.sys
2012-08-18 01:51 . 2012-08-18 01:51 -------- d-----w- c:\windows\system32\wbem\Repository
2012-08-18 01:34 . 2012-08-18 01:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2012-08-13 13:13 . 2012-08-13 13:13 -------- d-----w- C:\found.001
2012-08-09 01:27 . 2012-08-09 01:27 -------- d-----w- c:\documents and settings\Dell3000\Application Data\Webroot
2012-08-07 22:47 . 2012-08-07 22:47 -------- d-----w- C:\found.000
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-18 02:32 . 2012-07-18 02:32 4024320 ----a-w- c:\program files\GUT8C.tmp
2012-06-04 21:35 . 2009-08-06 23:23 222448 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 19:19 . 2009-08-07 00:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2009-08-07 00:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2004-08-10 18:02 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2004-08-10 18:02 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2004-08-10 18:02 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2009-08-07 00:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2009-08-07 00:24 45080 ----a-w- c:\windows\system32\wups2(2)(2).dll
2012-06-02 19:19 . 2009-08-07 00:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2004-08-10 18:02 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2004-08-10 18:02 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2004-08-10 18:02 35864 ----a-w- c:\windows\system32\wups(2)(2).dll
2012-06-02 19:19 . 2004-08-10 17:50 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2009-08-07 00:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2004-08-10 18:02 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2004-08-10 18:02 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 19:18 . 2011-03-29 22:02 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18 . 2011-03-29 22:02 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
.
.
((((((((((((((((((((((((((((( SnapShot_2012-08-21_20.09.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-30 18:17 . 2012-08-30 18:17 16384 c:\windows\temp\Perflib_Perfdata_134.dat
+ 2011-03-29 14:15 . 2012-01-31 12:44 237072 c:\windows\system32\MpSigStub.exe
- 2011-03-29 14:15 . 2012-05-31 16:25 237072 c:\windows\system32\MpSigStub.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Dell3000^Start Menu^Programs^Startup^Launch WhiteSmokeTranslator.lnk]
path=c:\documents and settings\Dell3000\Start Menu\Programs\Startup\Launch WhiteSmokeTranslator.lnk
backup=c:\windows\pss\Launch WhiteSmokeTranslator.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Dell3000^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\Dell3000\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-11 19:00 919008 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-07-31 11:20 38872 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 21:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
2010-07-27 03:16 126976 ----a-w- c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-08-29 19:07 136176 ----atw- c:\documents and settings\Dell3000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-09-20 13:32 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-09-20 13:36 114688 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-09-20 13:35 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 22:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-15 00:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 18:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-07-27 03:15 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-07-27 03:21 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [8/17/2012 10:04 PM 563840]
S1 khdqqzlq;khdqqzlq;\??\c:\windows\system32\drivers\khdqqzlq.sys --> c:\windows\system32\drivers\khdqqzlq.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 HPEWSFXBULK;HPEWSFXBULK;c:\windows\system32\drivers\hpfxbulk.sys [12/7/2010 6:35 PM 17432]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 71285819
*NewlyCreated* - 88090517
*Deregistered* - 71285819
*Deregistered* - 88090517
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2012-08-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-07-27 22:07]
.
2012-08-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-695272431-3323927724-207768928-1006Core.job
- c:\documents and settings\Dell3000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-29 19:07]
.
2012-08-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-695272431-3323927724-207768928-1006UA.job
- c:\documents and settings\Dell3000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-29 19:07]
.
2012-08-30 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]
.
2012-08-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-695272431-3323927724-207768928-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2012-08-30 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-695272431-3323927724-207768928-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{77A218B8-D0F5-483E-862A-E2ADB2996668}: NameServer = 208.67.222.123,208.67.220.123
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-88090517.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-30 15:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-695272431-3323927724-207768928-1006\Software\SecuROM\License information*]
"datasecu"=hex:32,43,56,cf,3b,7a,5a,ec,6f,60,55,13,e0,89,7f,b7,35,61,75,87,e7,
23,85,b7,5c,45,f9,19,69,51,30,0d,f7,f7,7d,77,6f,8b,6a,db,e9,f6,6f,67,e5,43,\
"rkeysecu"=hex:32,8d,2a,b9,87,9d,09,29,4b,52,28,56,70,24,2c,18
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1304)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-08-30 15:50:15
ComboFix-quarantined-files.txt 2012-08-30 19:49
ComboFix2.txt 2012-08-21 20:18
ComboFix3.txt 2011-08-29 23:24
ComboFix4.txt 2011-03-29 19:44
.
Pre-Run: 31,995,912,192 bytes free
Post-Run: 32,263,557,120 bytes free
.
- - End Of File - - 5D302D87EE3AE772D896674561B09C2E

Edited by D45ist, 30 August 2012 - 03:21 PM.


#11 Oh My!

Malware Response Instructor

Posted 30 August 2012 - 04:19 PM

Greetings D45ist,

I am assuming your child's computer doesn't have vital information on it so reformatting is not as urgent an issue as it would be on a critical computer.

I would like you to run the following Combofix script for me please.


===================================================


Running Combofix Script

-------------------

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text below into the Notepad document

    Registry::
    [-HKLM\~\startupfolder\C:^Documents and Settings^Dell3000^Start Menu^Programs^Startup^Launch WhiteSmokeTranslator.lnk]
    
    File::
    C:^Documents and Settings^Dell3000^Start Menu^Programs^Startup^Launch WhiteSmokeTranslator.lnk
    c:\windows\pss\Launch WhiteSmokeTranslator.lnkStartup
    c:\windows\system32\drivers\khdqqzlq.sys
    c:\program files\GUT8C.tmp
    
    Driver::
    khdqqzlq
    

  • Save this on your desktop as CFScript.txt.


    Posted Image

  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it will create a log for you at C:\ComboFix.txt. Please copy/paste the information in your next reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Combofix.txt
  • How is your computer running? What issues still remain?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
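The CFScript above targets the khdqqzlq driver, and the reason is visible in the 30 August log: a kernel driver (S1, system start) whose service name is eight random consonants, whose "description" is just the name again, and whose file ComboFix could not read from disk ([?]). The same log shows the XP firewall switched off ("EnableFirewall"= 0) and a static DNS override on the adapter (208.67.222.123 and 208.67.220.123 are the OpenDNS FamilyShield resolvers, so in this case the override is benign, but a static nameserver that differs from the DHCP one is a classic hijack indicator and worth confirming with the owner). The Python script below is an added example, not ComboFix's code or anything from this thread; the scoring heuristics are my own assumptions, and the sample lines are copied from the log posted above so it runs offline.

```python
"""Triage a ComboFix-style log for the entries a responder should look at
first.  Added example, not ComboFix's or the thread's own code; the scoring
heuristics are my own assumptions."""
import re

# Driver/service lines from the "Reg Loading Points" area, e.g.
#   S1 khdqqzlq;khdqqzlq;\??\c:\...\khdqqzlq.sys --> c:\...\khdqqzlq.sys [?]
#   R3 RTL8192su;Realtek ...;c:\windows\system32\drivers\RTL8192su.sys [8/17/2012 10:04 PM 563840]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<desc>[^;]*);"
    r"(?P<path>.+?) \[(?P<info>[^\]]*)\]$"
)
VOWELS = set("aeiou")


def looks_random(name):
    """True for machine-generated names such as 'khdqqzlq': letters only,
    at least six characters, fewer than one vowel in five."""
    if len(name) < 6 or not name.isalpha():
        return False
    return sum(c in VOWELS for c in name.lower()) / len(name) < 0.2


def score_service(m):
    """Additive suspicion score for one matched driver/service line
    (heuristic weights are assumptions, not ComboFix's)."""
    score = 0
    if looks_random(m["name"]):
        score += 1          # random-looking service name
    if m["desc"].strip().lower() == m["name"].strip().lower():
        score += 1          # description is just the name again
    if m["info"] == "?":
        score += 2          # ComboFix could not stat the file on disk
    if m["start"] in ("0", "1") and m["path"].lower().endswith(".sys"):
        score += 1          # kernel driver at boot/system start
    return score


def triage(log_text, threshold=3):
    """Return the suspicious services, the firewall state and any static
    DNS servers that differ from the DHCP-supplied one."""
    findings = {"suspicious_services": [], "firewall_disabled": False, "static_dns": []}
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m and score_service(m) >= threshold:
            findings["suspicious_services"].append(m["name"])
    if re.search(r'"EnableFirewall"=\s*0\b', log_text):
        findings["firewall_disabled"] = True
    dhcp = re.search(r"DhcpNameServer = (\S+)", log_text)
    dhcp_servers = set(dhcp.group(1).split(",")) if dhcp else set()
    static = set()
    for m in re.finditer(r"(?<!Dhcp)NameServer = (\S+)", log_text):
        static.update(m.group(1).split(","))
    findings["static_dns"] = sorted(static - dhcp_servers)
    return findings


# Lines copied from the 30 August ComboFix log posted above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [8/17/2012 10:04 PM 563840]
S1 khdqqzlq;khdqqzlq;\??\c:\windows\system32\drivers\khdqqzlq.sys --> c:\windows\system32\drivers\khdqqzlq.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 HPEWSFXBULK;HPEWSFXBULK;c:\windows\system32\drivers\hpfxbulk.sys [12/7/2010 6:35 PM 17432]
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{77A218B8-D0F5-483E-862A-E2ADB2996668}: NameServer = 208.67.222.123,208.67.220.123
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The [?] marker alone is not enough to condemn a service: both Google Update entries carry it because ComboFix could not resolve a path that has arguments appended, which is why the score combines it with the random name, the empty description and the boot-time start type. Run against the log, only khdqqzlq crosses the threshold; HPEWSFXBULK (HP printer driver) also has a consonant-heavy name and no description, but its file is present and it is demand-start, so it scores 2 and is left alone.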

#12 D45ist

Topic Starter

Posted 30 August 2012 - 05:51 PM

I hope this is correct; it looked the same as ComboFix when it ran. I am not using the computer until we are finished with this, although it is responding to commands more readily. The only issue I am wondering about is that after I ran TDSSKiller, when I open Chrome it tells me that it is not the default browser even though Chrome is shown as the default in Internet Options.


ComboFix 12-08-30.05 - Dell3000 08/30/2012 18:12:59.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.197 [GMT -4:00]
Running from: c:\documents and settings\Dell3000\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dell3000\Desktop\CFScript.txt..txt
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_khdqqzlq
.
.
((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-30 )))))))))))))))))))))))))))))))
.
.
2012-08-30 20:10 . 2012-08-01 22:51 7023536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F59A9A2C-E7A2-49EB-A3B1-055D18E7D7AA}\mpengine.dll
2012-08-30 18:08 . 2012-08-30 18:08 -------- d-----w- C:\TDSSKiller_Quarantine
2012-08-28 15:37 . 2012-08-01 22:51 7023536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-18 19:34 . 2012-08-18 19:35 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-18 02:04 . 2009-03-28 00:05 563840 ----a-r- c:\windows\system32\drivers\RTL8192su.sys
2012-08-18 01:51 . 2012-08-18 01:51 -------- d-----w- c:\windows\system32\wbem\Repository
2012-08-18 01:34 . 2012-08-18 01:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2012-08-13 13:13 . 2012-08-13 13:13 -------- d-----w- C:\found.001
2012-08-09 01:27 . 2012-08-09 01:27 -------- d-----w- c:\documents and settings\Dell3000\Application Data\Webroot
2012-08-07 22:47 . 2012-08-07 22:47 -------- d-----w- C:\found.000
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-18 02:32 . 2012-07-18 02:32 4024320 ----a-w- c:\program files\GUT8C.tmp
2012-06-04 21:35 . 2009-08-06 23:23 222448 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 19:19 . 2009-08-07 00:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2009-08-07 00:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2004-08-10 18:02 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2004-08-10 18:02 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2004-08-10 18:02 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2009-08-07 00:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2009-08-07 00:24 45080 ----a-w- c:\windows\system32\wups2(2)(2).dll
2012-06-02 19:19 . 2009-08-07 00:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2004-08-10 18:02 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2004-08-10 18:02 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2004-08-10 18:02 35864 ----a-w- c:\windows\system32\wups(2)(2).dll
2012-06-02 19:19 . 2004-08-10 17:50 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2009-08-07 00:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2004-08-10 18:02 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2004-08-10 18:02 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 19:18 . 2011-03-29 22:02 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18 . 2011-03-29 22:02 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
.
.
((((((((((((((((((((((((((((( SnapShot_2012-08-21_20.09.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-30 22:25 . 2012-08-30 22:25 16384 c:\windows\temp\Perflib_Perfdata_79c.dat
+ 2011-03-29 14:15 . 2012-01-31 12:44 237072 c:\windows\system32\MpSigStub.exe
- 2011-03-29 14:15 . 2012-05-31 16:25 237072 c:\windows\system32\MpSigStub.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Dell3000^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\Dell3000\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-11 19:00 919008 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-07-31 11:20 38872 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 21:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
2010-07-27 03:16 126976 ----a-w- c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-08-29 19:07 136176 ----atw- c:\documents and settings\Dell3000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-09-20 13:32 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-09-20 13:36 114688 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-09-20 13:35 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 22:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-15 00:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 18:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-07-27 03:15 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-07-27 03:21 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [8/17/2012 10:04 PM 563840]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 HPEWSFXBULK;HPEWSFXBULK;c:\windows\system32\drivers\hpfxbulk.sys [12/7/2010 6:35 PM 17432]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2012-08-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-07-27 22:07]
.
2012-08-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-695272431-3323927724-207768928-1006Core.job
- c:\documents and settings\Dell3000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-29 19:07]
.
2012-08-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-695272431-3323927724-207768928-1006UA.job
- c:\documents and settings\Dell3000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-29 19:07]
.
2012-08-30 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]
.
2012-08-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-695272431-3323927724-207768928-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2012-08-30 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-695272431-3323927724-207768928-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{77A218B8-D0F5-483E-862A-E2ADB2996668}: NameServer = 208.67.222.123,208.67.220.123
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-30 18:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-695272431-3323927724-207768928-1006\Software\SecuROM\License information*]
"datasecu"=hex:32,43,56,cf,3b,7a,5a,ec,6f,60,55,13,e0,89,7f,b7,35,61,75,87,e7,
23,85,b7,5c,45,f9,19,69,51,30,0d,f7,f7,7d,77,6f,8b,6a,db,e9,f6,6f,67,e5,43,\
"rkeysecu"=hex:32,8d,2a,b9,87,9d,09,29,4b,52,28,56,70,24,2c,18
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3608)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Completion time: 2012-08-30 18:30:21 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-30 22:30
ComboFix2.txt 2012-08-30 19:50
ComboFix3.txt 2012-08-21 20:18
ComboFix4.txt 2011-08-29 23:24
ComboFix5.txt 2012-08-30 22:07
.
Pre-Run: 32,180,514,816 bytes free
Post-Run: 32,170,635,264 bytes free
.
- - End Of File - - 29B4033C5EBDA39A6E4334FF75705B76

#13 Oh My!

Malware Response Instructor

Posted 30 August 2012 - 06:22 PM

Greetings D45ist,

You did great with Combofix. It will look very much like the previous run.

Please complete the below. Following these steps check your default browser again and let me know what it is.


===================================================


Delete File/Folder

--------------------

Use Windows Explorer to find and delete these files/folders (if still present):

c:\program files\GUT8C.tmp


As an example, to delete C:\WINDOWS\badfile.dll
  • Right click on the Start button and select Open Windows Explorer. You may also open Windows Explorer by pressing the Windows key + the E key at the same time.
  • Double click on Local Disc (C:)
  • Double click on the Windows folder
  • Right click on badfile.dll and then from the menu that appears, click on Delete


===================================================


Malwarebytes

--------------------

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download. You can also right click on the link and select Save Link As
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings except to uncheck any offer for a free Pro trial version .
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.


===================================================


ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.

    Posted Image

  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:

    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Did you delete the file successfully?
  • MBAM results
  • ESET results
  • Default browser

Gary
 

#14 D45ist

Topic Starter

Posted 30 August 2012 - 08:45 PM

Gut8c.tmp found and deleted
Default browser = Chrome


Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.30.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dell3000 :: D9QVSG81 [administrator]

8/30/2012 7:49:16 PM
mbam-log-2012-08-30 (19-49-16).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 188185
Time elapsed: 4 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



C:\TDSSKiller_Quarantine\30.08.2012_14.03.36\mbr0000\tdlfs0000\tsk0001.dta Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\30.08.2012_14.03.36\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\30.08.2012_14.03.36\mbr0000\tdlfs0000\tsk0003.dta Win32/Olmarik.AYH trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\30.08.2012_14.03.36\mbr0000\tdlfs0000\tsk0004.dta Win64/Olmarik.AL trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\30.08.2012_14.03.36\mbr0000\tdlfs0000\tsk0005.dta a variant of Win32/Rootkit.Kryptik.NP trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\30.08.2012_14.03.36\mbr0000\tdlfs0000\tsk0006.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\30.08.2012_14.03.36\mbr0000\tdlfs0000\tsk0010.dta Win32/Olmarik.AFK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\30.08.2012_14.03.36\mbr0000\tdlfs0000\tsk0011.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined

#15 Oh My!

Malware Response Instructor

Posted 30 August 2012 - 08:55 PM

Greetings D45ist,

Very nice results! Let's do some updating now.

Please consider and perform the below.


===================================================


Update Java for 32 Bit Systems

-------------------

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for the JRE icon underneath "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right and a new page will open.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select Windows x86 Offline 29.73 MB jre-7u6-windows-i586.exe
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • If you selected Offline Installation then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.

To disable the JQS service if you don't want to use it:

  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

===================================================


Update Adobe Reader

--------------------

Your Adobe Reader is out of date and a security concern.

Here is some excellent information and a video which explains the importance of minimizing the risk of infection through compromised PDF files.

Please download Adobe Reader

After installing the latest Adobe Reader, uninstall all previous versions.

  • If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, uncheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader (the one I use personally). It's a much smaller file to download and uses a lot less resources than Adobe Reader.

  • When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other addons.

===================================================


Things I would like to see in your next reply.

  • Did all go well?
  • Do you have any remaining issues?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."



