
UKASH Metropolitan Virus


28 replies to this topic

#1 meenzie


Posted 05 October 2012 - 04:55 AM

Hi there,
I have tried downloading RKILL and placing it on my desktop, and tried to double-click it as soon as Windows starts up, but the UKASH Metropolitan virus still appears and locks the screen. I am unable to proceed and it comes up with the payment screen. Can you please help and guide me on how to remove the virus.

Thanks,
meena


#2 Maurice Naggar


Posted 06 October 2012 - 11:57 AM

Hello meena and welcome to BleepingComputer forums.

What is your version of Windows ?
What is your antivirus program?
Does this system have any other security applications?

IF the system is Windows 7 or Vista, then do this:

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Edited by Maurice Naggar, 06 October 2012 - 11:57 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 meenzie


Posted 07 October 2012 - 06:42 AM

Hi there,
I managed to find a *random*.exe file, created on the date the virus started, in Safe Mode. It was in the C:\WINDOWS folder; I deleted it and also did a search via REGEDIT and deleted that random.exe file.
After that I was able to enter Windows as normal, but the system is running very slow.

I received your email after that and have executed the FRST file and text of the scan is as attached.

Can you please check as I am not sure the virus is completely removed as the system is running very slow now.

Thanks,
meena


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 07-10-2012
Ran by mthevi at 07-10-2012 12:37:54
Running from C:\Documents and Settings\mthevi.AXON\Desktop
Service Pack 3 (X86) OS Language: English(US)
Attention: Could not load system hive.
Error: The process cannot access the file because it is being used by another process.
ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.


==================== One Month Created Files and Folders ========

2012-10-07 12:37 - 2012-10-07 12:37 - 00905954 ____A (Farbar) C:\Documents and Settings\mthevi.AXON\Desktop\FRST.exe
2012-10-07 12:37 - 2012-10-07 12:37 - 00000000 ____D C:\FRST
2012-10-06 12:37 - 2012-10-06 12:37 - 02598764 ____A C:\Documents and Settings\mthevi.AXON\Desktop\books.zip
2012-10-06 12:26 - 2012-10-06 12:26 - 00000818 ____A C:\Documents and Settings\mthevi.AXON\Desktop\PDFMate Free PDF Converter.lnk
2012-10-06 12:26 - 2012-10-06 12:26 - 00000000 ____D C:\Program Files\PDFMate
2012-10-06 12:26 - 2012-10-06 12:26 - 00000000 ____D C:\Documents and Settings\mthevi.AXON\Application Data\AnvsoftPdfTools
2012-10-05 15:56 - 2012-10-05 15:56 - 01037824 ____A (Microsoft Corporation) C:\Windows\explorer_xp_sp3.exe
2012-10-05 15:56 - 2012-10-05 15:56 - 01037824 ____A (Microsoft Corporation) C:\explorer_xp_sp3.exe
2012-10-05 15:56 - 2012-10-05 15:56 - 01036288 ____A (Microsoft Corporation) C:\Windows\explorer_xp_sp2.exe
2012-10-05 15:56 - 2012-10-05 15:56 - 01036288 ____A (Microsoft Corporation) C:\explorer_xp_sp2.exe
2012-10-05 14:30 - 2012-10-05 14:30 - 00000000 __SHD C:\found.000
2012-10-05 13:44 - 2012-10-05 13:44 - 00000443 ____A C:\Documents and Settings\mthevi.AXON\Desktop\GMER-1.txt
2012-10-05 11:54 - 2012-10-05 11:54 - 00106496 ____A C:\Windows\Minidump\Mini100512-01.dmp
2012-10-05 11:16 - 2012-10-05 11:16 - 00019844 ____A C:\Documents and Settings\mthevi.AXON\Desktop\attach-1.txt
2012-10-05 11:16 - 2012-10-05 11:16 - 00014671 ____A C:\Documents and Settings\mthevi.AXON\Desktop\dds-1.txt
2012-10-05 10:05 - 2012-10-05 10:40 - 00000000 ____D C:\Documents and Settings\mthevi.AXON\Desktop\virus removal
2012-10-05 10:05 - 2012-10-05 10:00 - 00302592 ____A C:\Documents and Settings\mthevi.AXON\Desktop\00 dom9cs3p.exe
2012-10-05 10:05 - 2012-10-05 09:58 - 00607260 ____R (Swearware) C:\Documents and Settings\mthevi.AXON\Desktop\0 dds.com
2012-10-05 10:05 - 2012-10-05 09:48 - 01678240 ____A C:\Documents and Settings\mthevi.AXON\Desktop\5 rkill.exe
2012-10-05 09:16 - 2012-10-05 09:16 - 00069778 ____A C:\Documents and Settings\All Users\Application Data\jipbreussxcfvjq
2012-10-05 09:16 - 2012-10-05 09:16 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\imrsyfwpukvkgwg
2012-09-26 20:49 - 2012-09-26 20:49 - 00000165 ___AH C:\Documents and Settings\mthevi.AXON\Desktop\~$citytrading.xlsx
2012-09-22 16:34 - 2012-09-22 16:34 - 00065848 ____A (Trusteer Ltd.) C:\Windows\System32\Drivers\RapportKELL.sys

==================== 3 Months Modified Files ==================

2012-10-07 12:37 - 2012-10-07 12:37 - 00905954 ____A (Farbar) C:\Documents and Settings\mthevi.AXON\Desktop\FRST.exe
2012-10-07 12:34 - 2008-11-24 04:39 - 01157622 ____A C:\Windows\WindowsUpdate.log
2012-10-07 12:31 - 2009-09-01 07:52 - 00000062 __ASH C:\Documents and Settings\mthevi.AXON\Local Settings\desktop.ini
2012-10-07 12:31 - 2008-11-24 12:33 - 00000159 ____A C:\Windows\wiadebug.log
2012-10-07 12:31 - 2008-11-24 12:33 - 00000049 ____A C:\Windows\wiaservc.log
2012-10-07 12:30 - 2008-11-24 04:54 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2012-10-07 12:30 - 2008-11-24 04:54 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-10-07 12:30 - 2008-11-24 04:53 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2012-10-07 12:28 - 2009-09-01 07:52 - 00000178 ___SH C:\Documents and Settings\mthevi.AXON\ntuser.ini
2012-10-07 12:28 - 2008-12-19 07:11 - 00524288 ____A C:\Windows\System32\config\ACEEvent.evt
2012-10-07 12:28 - 2008-11-24 04:54 - 00032572 ____A C:\Windows\SchedLgU.Txt
2012-10-07 11:11 - 2012-04-13 09:36 - 00000424 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{97039F5F-798F-45DE-95CD-F17CD1D59636}.job
2012-10-07 00:33 - 2010-10-15 19:42 - 00000418 ____A C:\Windows\Tasks\ParetoLogic Update Version2.job
2012-10-06 19:53 - 2009-09-02 08:01 - 00110080 ____A C:\Documents and Settings\mthevi.AXON\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-10-06 18:00 - 2010-10-15 19:44 - 00000444 ____A C:\Windows\Tasks\ParetoLogic Registration.job
2012-10-06 12:37 - 2012-10-06 12:37 - 02598764 ____A C:\Documents and Settings\mthevi.AXON\Desktop\books.zip
2012-10-06 12:26 - 2012-10-06 12:26 - 00000818 ____A C:\Documents and Settings\mthevi.AXON\Desktop\PDFMate Free PDF Converter.lnk
2012-10-06 10:54 - 2012-02-03 18:23 - 00000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-10-05 16:59 - 2009-08-27 08:31 - 00000178 __ASH C:\Documents and Settings\mthevi\ntuser.ini
2012-10-05 16:59 - 2009-08-27 08:31 - 00000062 __ASH C:\Documents and Settings\mthevi\Local Settings\desktop.ini
2012-10-05 15:58 - 2012-04-13 09:28 - 00036372 ____A C:\Windows\setupapi.log
2012-10-05 15:58 - 2006-02-28 13:00 - 01037824 ____A (Microsoft Corporation) C:\Windows\explorer.old
2012-10-05 15:56 - 2012-10-05 15:56 - 01037824 ____A (Microsoft Corporation) C:\Windows\explorer_xp_sp3.exe
2012-10-05 15:56 - 2012-10-05 15:56 - 01037824 ____A (Microsoft Corporation) C:\explorer_xp_sp3.exe
2012-10-05 15:56 - 2012-10-05 15:56 - 01036288 ____A (Microsoft Corporation) C:\Windows\explorer_xp_sp2.exe
2012-10-05 15:56 - 2012-10-05 15:56 - 01036288 ____A (Microsoft Corporation) C:\explorer_xp_sp2.exe
2012-10-05 13:44 - 2012-10-05 13:44 - 00000443 ____A C:\Documents and Settings\mthevi.AXON\Desktop\GMER-1.txt
2012-10-05 11:54 - 2012-10-05 11:54 - 00106496 ____A C:\Windows\Minidump\Mini100512-01.dmp
2012-10-05 11:49 - 2009-09-22 21:18 - 00000069 ____A C:\Windows\NeroDigital.ini
2012-10-05 11:16 - 2012-10-05 11:16 - 00019844 ____A C:\Documents and Settings\mthevi.AXON\Desktop\attach-1.txt
2012-10-05 11:16 - 2012-10-05 11:16 - 00014671 ____A C:\Documents and Settings\mthevi.AXON\Desktop\dds-1.txt
2012-10-05 10:00 - 2012-10-05 10:05 - 00302592 ____A C:\Documents and Settings\mthevi.AXON\Desktop\00 dom9cs3p.exe
2012-10-05 09:58 - 2012-10-05 10:05 - 00607260 ____R (Swearware) C:\Documents and Settings\mthevi.AXON\Desktop\0 dds.com
2012-10-05 09:48 - 2012-10-05 10:05 - 01678240 ____A C:\Documents and Settings\mthevi.AXON\Desktop\5 rkill.exe
2012-10-05 09:16 - 2012-10-05 09:16 - 00069778 ____A C:\Documents and Settings\All Users\Application Data\jipbreussxcfvjq
2012-10-03 19:29 - 2006-02-28 13:00 - 00002206 ____A C:\Windows\System32\wpa.dbl
2012-09-26 20:49 - 2012-09-26 20:49 - 00000165 ___AH C:\Documents and Settings\mthevi.AXON\Desktop\~$citytrading.xlsx
2012-09-26 20:38 - 2010-01-07 15:50 - 00000201 ____A C:\Windows\hpbafd.ini
2012-09-22 16:34 - 2012-09-22 16:34 - 00065848 ____A (Trusteer Ltd.) C:\Windows\System32\Drivers\RapportKELL.sys
2012-09-12 18:55 - 2011-12-30 17:10 - 00000664 ____A C:\Windows\System32\d3d9caps.dat
2012-09-07 21:20 - 2012-01-14 10:05 - 00000654 ____A C:\Documents and Settings\mthevi.AXON\Desktop\Tixati.lnk
2012-09-07 17:04 - 2010-03-29 21:54 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-08-27 17:10 - 2012-08-27 16:04 - 00001564 ____A C:\Documents and Settings\mthevi.AXON\Desktop\fsc.db
2012-08-27 17:07 - 2012-08-27 17:07 - 00001088 ____A C:\Documents and Settings\mthevi.AXON\Desktop\TBSettings.db
2012-08-27 15:46 - 2011-01-15 08:02 - 00165376 __ASH C:\Documents and Settings\mthevi.AXON\Desktop\Thumbs.db
2012-07-25 16:57 - 2012-07-28 10:08 - 04445507 ____A C:\Documents and Settings\mthevi.AXON\Desktop\com.adobe.flashplayer-10.2.156.12.apk
2012-07-14 12:24 - 2012-01-26 21:37 - 00001024 ____A C:\.rnd
2012-07-14 12:23 - 2012-01-26 21:38 - 00083392 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIRfsClientNP.dll
2012-07-14 12:23 - 2012-01-26 21:38 - 00030624 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIport.dll
2012-07-14 12:23 - 2012-01-26 21:37 - 00087456 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIinit.dll

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points (XP) =====================

RP: -> 2012-10-07 12:15 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP132

RP: -> 2012-10-07 11:50 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP131

RP: -> 2012-10-05 22:27 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP129

RP: -> 2012-10-04 21:27 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP128

RP: -> 2012-09-25 22:47 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP127

RP: -> 2012-09-23 13:20 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP126

RP: -> 2012-09-22 03:15 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP125

RP: -> 2012-09-14 22:08 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP124

RP: -> 2012-09-12 20:32 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP123

RP: -> 2012-09-09 17:34 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP122

RP: -> 2012-09-02 12:32 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP121

RP: -> 2012-08-26 15:56 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP119

RP: -> 2012-08-24 09:06 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP118

RP: -> 2012-08-17 18:20 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP117

RP: -> 2012-07-29 11:21 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP116

RP: -> 2012-07-28 10:39 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP115

RP: -> 2012-07-26 18:10 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP114

RP: -> 2012-07-25 18:05 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP113

RP: -> 2012-07-23 13:29 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP112

RP: -> 2012-07-17 23:36 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP111

RP: -> 2012-07-14 12:24 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP110

RP: -> 2012-07-11 21:00 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP109

RP: -> 2012-07-10 20:11 - 032768 _restore{F4D299F6-7A65-44DE-95E9-41D455D4C20D}\RP108


==================== Memory info ===========================

Percentage of memory in use: 53%
Total physical RAM: 3036.19 MB
Available physical RAM: 1423.01 MB
Total Pagefile: 4920.72 MB
Available Pagefile: 3550.63 MB
Total Virtual: 2047.88 MB
Available Virtual: 1993.32 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:156.24 GB) (Free:78.53 GB) NTFS ==>[Drive with boot components (Windows XP)]
2 Drive d: () (Fixed) (Total:76.64 GB) (Free:35.28 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 156 GB 32 KB
Partition 2 Primary 77 GB 156 GB
=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 156 GB Healthy System (partition with boot components)
=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D NTFS Partition 77 GB Healthy
=========================================================
==================== End Of Log ============================

Edited by Maurice Naggar, 07 October 2012 - 01:54 PM.
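The following triage helper is an added example, not part of the thread, of FRST, or of its author. It parses entries in the FRST line format shown in the log above and flags the pattern a responder looks for in a lock-screen infection: unsigned, randomly named items created in the same minute directly under All Users\Application Data (the two entries the helper later removes). The drop-directory list and the random-name heuristic are assumptions; the sample lines are copied from the posted log.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the "One Month Created Files and Folders"
# entries from the FRST log posted in this thread, copied verbatim.
SAMPLE_LOG = r"""
2012-10-07 12:37 - 2012-10-07 12:37 - 00905954 ____A (Farbar) C:\Documents and Settings\mthevi.AXON\Desktop\FRST.exe
2012-10-06 12:26 - 2012-10-06 12:26 - 00000000 ____D C:\Program Files\PDFMate
2012-10-05 15:56 - 2012-10-05 15:56 - 01037824 ____A (Microsoft Corporation) C:\Windows\explorer_xp_sp3.exe
2012-10-05 14:30 - 2012-10-05 14:30 - 00000000 __SHD C:\found.000
2012-10-05 09:16 - 2012-10-05 09:16 - 00069778 ____A C:\Documents and Settings\All Users\Application Data\jipbreussxcfvjq
2012-10-05 09:16 - 2012-10-05 09:16 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\imrsyfwpukvkgwg
2012-09-22 16:34 - 2012-09-22 16:34 - 00065848 ____A (Trusteer Ltd.) C:\Windows\System32\Drivers\RapportKELL.sys
"""

# One FRST entry: "<created> - <modified> - <size> <attrs> [(<company>)] <path>"
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+?)\s*$"
)

# Assumed list of folders where a freshly dropped, unsigned, random-named
# item is a classic ransomware artifact (Windows XP layout, as in this thread).
DROP_DIRS = (
    r"c:\documents and settings\all users\application data",
    r"c:\windows",
)


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str
    company: Optional[str]
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

    @property
    def is_dir(self) -> bool:
        # FRST marks directories with a D in the attribute column (____D, __SHD).
        return "D" in self.attrs


def parse_frst(text: str) -> List[Entry]:
    """Parse FRST created/modified entries; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(m["created"], m["modified"], int(m["size"]),
                             m["attrs"], m["company"], m["path"]))
    return entries


def looks_random(name: str, min_len: int = 12) -> bool:
    """Heuristic: a long run of lowercase letters, no digits, no extension."""
    return re.fullmatch(r"[a-z]{%d,}" % min_len, name) is not None


def flag_suspicious(entries: List[Entry]) -> List[Entry]:
    """Unsigned, random-named items dropped directly inside a known drop folder."""
    return [e for e in entries
            if e.company is None
            and e.parent in DROP_DIRS
            and looks_random(e.name)]


def creation_clusters(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group flagged entries by creation minute: same minute, same dropper."""
    clusters: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        clusters[e.created].append(e.path)
    return dict(clusters)


if __name__ == "__main__":
    hits = flag_suspicious(parse_frst(SAMPLE_LOG))
    for created, paths in creation_clusters(hits).items():
        print(f"dropped at {created}:")
        for p in paths:
            print("   ", p)
```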


#4 Maurice Naggar


Posted 07 October 2012 - 02:01 PM

Hello Meena,

I must advise you to NOT do any deletes or changes to the system while I am helping you. If you have questions on my instructions, please stop and ask.
It's important you let me guide you from here on out.

Do NOT do any websurfing, or online transactions, or any games, or anything else online. Only go to this forum and the websites I guide you to.

There will be lots to do (even after the following) so please have patience. There is NOT a single "magic cure" for your infection(s). Consider that this system is to be treated as if it were in "Quarantine".
Do NOT use the system for anything other than what I outline. At the end of a day, you may logoff and Shutdown the system.


Step 1
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

Step 2
Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

Step 3

See Grinler's article here
http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware

See the section titled Automated Removal Instructions
Follow his instructions to get into Safe Mode with Networking
and do the rest of the steps listed after that (including the tool from Emsisoft).

Report back with the results.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#5 meenzie


Posted 10 October 2012 - 02:48 AM

Hi,

Please refer to the scan logs obtained :-
Firstly I executed Emsisoft in Safe Mode with Networking.
After that I restarted Windows in normal mode and ran Emsisoft again.

However, i am unable to connect to the network whilst on safe mode with networking.

Logs as attached.

Thanks,
meena


#6 Maurice Naggar


Posted 11 October 2012 - 10:48 AM

We Need to Run a Batch Script
  • Press the Windows-key on keyboard.
  • In the RUN box, type notepad and press Enter.
  • Highlight the contents of the following codebox, and copy and paste that text into NOTEPAD.
    rem Paths are quoted because they contain spaces; the FRST log shows
    rem jipbreussxcfvjq as a file (____A) and imrsyfwpukvkgwg as a folder (____D).
    del /f /q "C:\Documents and Settings\All Users\Application Data\jipbreussxcfvjq"
    rd /s /q "C:\Documents and Settings\All Users\Application Data\imrsyfwpukvkgwg"
    del /f /q "%~f0"
  • In NOTEPAD, Select File -> Save AS.
  • Press the Desktop button on the left side of the save dialog.
  • In the File name box, type in Fix.bat.
  • Press Save.
  • Close Notepad.
  • Double click Fix.bat to run it.
    It will run very quickly in a command-prompt and at the end, will delete itself.

Questions for you:
You ran Combofix on your own?
When was that?

Be advised, that while I am helping you, that you NOT run tools or fixes nor make changes on your own. If there is an issue, or you have a question, please Stop and ask.

Always Copy & Paste the contents of logs / reports. Do NOT do an attach ---- unless I specifically ask you.


Download DDS and save it to your desktop from http://download.bleepingcomputer.com/sUBs/dds.com here
or http://download.bleepingcomputer.com/sUBs/dds.scr or
http://www.infospyware.net/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.
Then double click dds.scr to run the tool.
DDS will run in a command prompt window and will take 3 to 4 minutes or so.

  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop.
Please Copy & Paste contents of the following logs in your next reply:
DDS.txt
Attach.txt



Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Edited by Maurice Naggar, 11 October 2012 - 11:04 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#7 meenzie


Posted 11 October 2012 - 02:11 PM

Hi there,
Yes, I did run ComboFix, but that was before I posted a message here for help. As I was reading through the forums, I just tried to follow the steps outlined in another post to check if it would resolve my issue, but unfortunately it did not. Then I continued to create a message here, after which I have not done anything else other than what you have instructed me to do.

Please find the logs as attached.

Thanks !,
Meena


#8 Maurice Naggar


Posted 11 October 2012 - 02:55 PM

Please Copy and Paste the contents of all the logs. Do not do any attachment. I'd appreciate that.
If needed, use a separate reply for each report.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#9 Maurice Naggar


Posted 11 October 2012 - 02:56 PM

P.S.
One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan
Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx
Consumers – Identity Theft http://www.ftc.gov/b...mers/index.html
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#10 meenzie


Posted 11 October 2012 - 03:44 PM

Here are the logs

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by mthevi at 20:04:17 on 2012-10-11
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3036.1401 [GMT 1:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\Program Files\Fingerprint Sensor\AtService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Hewlett-Packard\IAM\Bin\AsGHost.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\SvcTools\6.8\bin\lnchr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\WINDOWS\system32\AccelerometerSt.Exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\SvcTools\6.8\bin\lnchr.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Zune\ZuneBusEnum.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\Button Manager\BM.exe
C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
c:\SvcTools\pkg\swmeter\swmeter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = hxxp://http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [VoipCheapCom] "c:\program files\voipcheapcom.com\voipcheapcom\VoipCheapCom.exe" -nosplash -minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [xbramiepuzofzmt] c:\windows\xbramiep.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.Exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [SMA6.8] c:\svctools\6.8\bin\lnchr.exe --context=user --control-dir=c:\svctools\6.8\ctrl
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
StartupFolder: c:\docume~1\mthevi~1.axo\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpbutt~1.lnk - c:\program files\hp\button manager\BM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netscr~1.lnk - c:\program files\juniper\netscreen-remote\SafeCfg.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\provappbridge.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: axonglobal.com\support
Trusted Zone: sap-ag.de\websmp202
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://kitchenplanner.ikea.com/gb/Core/Player/2020PlayerAX_Win32.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1274173809250
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://axonit.webex.com/client/T26L/support/ieatgpc.cab
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{1E0087D1-93FE-4375-B01D-20CD6533BEFB} : DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{7389769D-535A-410F-ABD5-A744DE6946BB} : DhcpNameServer = 10.203.65.70 10.203.65.68
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Notify: ackpbsc - c:\windows\system32\ackpbsc.dll
Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
AppInit_DLLs: APSHook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mthevi.axon\application data\mozilla\firefox\profiles\3t9cuqng.default\
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - plugin: c:\documents and settings\mthevi.axon\application data\mozilla\plugins\npCtxCAO.dll
FF - plugin: c:\documents and settings\mthevi.axon\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-6-5 109184]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2008-6-5 51376]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-6-5 12928]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-11-24 24064]
R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [2008-11-24 138296]
R1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_42020.sys [2012-8-17 228376]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-9-22 71480]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-9-22 166840]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2008-6-5 12496]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2007-5-15 182576]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2006-2-28 14336]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2006-2-28 14336]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-5-15 1176824]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [2008-11-24 536634]
R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\hewlett-packard\hp protecttools security manager\PTChangeFilterService.exe [2008-6-10 18944]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2008-6-5 256512]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-12-7 374184]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2011-9-16 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2012-1-26 47640]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-9-22 976728]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-16 115952]
R2 SMA6.8;Software Management Agent 6.8;c:\svctools\6.8\bin\lnchr.exe --service --context=system --control-dir=c:\svctools\6.8\ctrl --> c:\svctools\6.8\bin\lnchr.exe --service --context=system --control-dir=c:\svctools\6.8\ctrl [?]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-16 1799408]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.EXE [2008-11-24 2058776]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-5-15 475520]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [2008-11-24 29184]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-11-24 244368]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2009-9-17 26137]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-10-3 106656]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-7-23 44800]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20121009.003\naveng.sys [2012-10-10 92704]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20121009.003\navex15.sys [2012-10-10 1601184]
R3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [2011-10-21 14924]
R3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\39624\RapportIaso.sys [2012-5-30 21520]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2008-11-24 47616]
S0 bkdp;bkdp;c:\windows\system32\drivers\paobbbks.sys --> c:\windows\system32\drivers\paobbbks.sys [?]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FlexService;Remote Connections Service;"c:\program files\rapidbit\cisvc.exe" --> c:\program files\rapidbit\cisvc.exe [?]
S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-11-24 193840]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2011-3-9 112640]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\xerox external access network\Extranet_serv.exe [2009-9-17 811008]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2009-9-17 155152]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-9-22 65848]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-11-11 268528]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2012-10-07 11:37:51 -------- d-----w- C:\FRST
2012-10-06 11:26:27 -------- d-----w- c:\documents and settings\mthevi.axon\application data\AnvsoftPdfTools
2012-10-06 11:26:09 -------- d-----w- c:\program files\PDFMate
2012-10-05 14:56:52 1036288 ----a-w- c:\windows\explorer_xp_sp2.exe
2012-10-05 14:56:45 1037824 ----a-w- c:\windows\explorer_xp_sp3.exe
2012-10-05 14:56:25 1036288 ----a-w- C:\explorer_xp_sp2.exe
2012-10-05 14:56:09 1037824 ----a-w- C:\explorer_xp_sp3.exe
2012-10-05 13:30:24 -------- d-sh--w- C:\found.000
2012-10-05 08:16:37 -------- d-----w- c:\documents and settings\all users\application data\imrsyfwpukvkgwg
2012-09-22 15:34:42 65848 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
==================== Find3M ====================
.
2012-10-05 14:58:21 1037824 ----a-w- c:\windows\explorer.old
2012-09-07 16:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-14 11:23:06 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-07-14 11:23:06 52128 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2012-07-14 11:23:05 87456 ----a-w- c:\windows\system32\LMIinit.dll
2012-07-14 11:23:05 30624 ----a-w- c:\windows\system32\LMIport.dll
.
============= FINISH: 20:05:07.29 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 24/11/2008 03:52:07
System Uptime: 10/10/2012 05:22:43 (39 hours ago)
.
Motherboard: Hewlett-Packard | | 30DC
Processor: Intel Pentium III Xeon processor | Intel® Genuine processor | 2101/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 156 GiB total, 77.795 GiB free.
D: is FIXED (NTFS) - 77 GiB total, 57.682 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VPN-1 SecureClient Adapter
Device ID: ROOT\NET\0000
Manufacturer: Check Point
Name: VPN-1 SecureClient Adapter
PNP Device ID: ROOT\NET\0000
Service: OMVA
.
==== System Restore Points ===================
.
RP110: 14/07/2012 12:24:10 - Printer Driver LogMeIn Printer Driver Installed
RP111: 17/07/2012 23:36:43 - System Checkpoint
RP112: 23/07/2012 13:29:14 - Installed Rapport
RP113: 25/07/2012 18:05:13 - System Checkpoint
RP114: 26/07/2012 18:10:15 - System Checkpoint
RP115: 28/07/2012 10:39:20 - System Checkpoint
RP116: 29/07/2012 11:21:38 - System Checkpoint
RP117: 17/08/2012 18:20:05 - Installed Rapport
RP118: 24/08/2012 09:06:57 - System Checkpoint
RP119: 26/08/2012 15:56:39 - Installed Rapport
RP120: 27/08/2012 16:45:59 - Configured Microsoft Office Standard 2007
RP121: 02/09/2012 12:32:04 - System Checkpoint
RP122: 09/09/2012 17:34:38 - System Checkpoint
RP123: 12/09/2012 20:32:42 - Installed Rapport
RP124: 14/09/2012 22:08:28 - System Checkpoint
RP125: 22/09/2012 03:15:19 - System Checkpoint
RP126: 23/09/2012 13:20:13 - Software Distribution Service 3.0
RP127: 25/09/2012 22:47:40 - System Checkpoint
RP128: 04/10/2012 21:27:31 - System Checkpoint
RP129: 05/10/2012 22:27:27 - System Checkpoint
RP130: 06/10/2012 10:28:43 - Restore Operation
RP131: 07/10/2012 11:50:59 - System Checkpoint
RP132: 07/10/2012 12:15:46 - Installed Rapport
RP133: 10/10/2012 08:06:50 - System Checkpoint
RP134: 11/10/2012 08:28:39 - System Checkpoint
.
==== Installed Programs ======================
.
.
2007 Microsoft Office Suite Service Pack 1 (SP1)
Acrobat.com
ActivClient 6.1 x86
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Photoshop Lightroom 2.2
Adobe Reader X (10.1.4)
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Agere Systems HDA Modem
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Control Center
ATI Display Driver
Audible Download Manager
AuthenTec Fingerprint System
Big Fish Games: Game Manager
Bonjour
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Citrix Endpoint Analysis Plugin
Connect
Credential Manager for HP ProtectTools
CutePDF Writer 2.7
dj_sf_software_req
Drive Encryption for HP ProtectTools
Dropbox
DVD Chief
Embedded Security for HP ProtectTools Driver
ERUNT 1.1j
ESET Online Scanner v3
Google Talk (remove only)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format 11 SDK (KB973442)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB949764)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB969084)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP 3D DriveGuard
HP Button Manager
HP Deskjet Printer Driver Software 9.0
HP Integrated Module with Bluetooth wireless technology
HP JavaCard for HP ProtectTools
HP ProtectTools Security Manager
HP ProtectTools Security Manager Suite
HP Quick Launch Buttons 6.40 E1
HP Webcam
ImTOO Audio Maker
ImTOO DVD Copy Express
ImTOO DVD Creator
Intel® Graphics Media Accelerator Driver
Intel® Management Engine Interface
Intel® Network Connections Drivers
Intel® Active Management Technology
Intel® Matrix Storage Manager
InterVideo DVD Check
InterVideo Register Manager
InterVideo WinDVD
iTunes
Java Auto Updater
Java™ 6 Update 29
K-Lite Codec Pack 5.8.3 (Basic)
kuler
LiveUpdate 3.0 (Symantec Corporation)
LogMeIn
Malwarebytes Anti-Malware version 1.65.0.1400
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft ActiveSync
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Money Plus
Microsoft Money Shared Libraries
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Live Meeting 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Project Standard 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Visio Standard 2003
Microsoft Office Visio Viewer 2003 (English)
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox 9.0.1 (x86 en-GB)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
Nero 7 Premium
neroxml
NetScreen-Remote
Octoshape Streaming Services
ParetoLogic Data Recovery
PDF Settings CS4
PDFMate Free PDF Converter 1.40
Photomatix Pro version 4.0.2
Photoshop Camera Raw
QuickTime
Rapport
RICOH R5C853 Media Driver Ver.1.02.00.09
SAP Active Components Framework
SAP Front End
Security Update for 2007 Microsoft Office System (KB2277947)
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB980376)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2251419)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Segoe UI
Skins
Skype™ 5.5
SoundMAX
Suite Shared Configuration CS4
Symantec AntiVirus
Synaptics Pointing Device Driver
Tixati
Toolbox
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Microsoft Windows (KB971513)
Update for Outlook 2007 Junk Email Filter (kb2279264)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
VirtualLab Client 5.7.5
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.1.11
VoipCheapCom
WebEx
WebFldrs XP
Windows Internet Explorer 7
Windows Internet Explorer 7 Multilingual User Interface (MUI)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Mobile Device Updater Component
Windows XP Service Pack 3
WinRAR archiver
WinZip
XEAN Extranet Access Client
Yahoo! Messenger
YouTube Downloader 2.5.5
Zune
Zune Language Pack (DEU)
Zune Language Pack (ESP)
Zune Language Pack (FRA)
Zune Language Pack (ITA)
Zune Language Pack (NLD)
Zune Language Pack (PTB)
Zune Language Pack (PTG)
.
==== Event Viewer Messages From Past Week ========
.
11/10/2012 16:12:44, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 960 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/10/2012 08:12:43, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 480 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/10/2012 04:12:42, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 240 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/10/2012 02:12:42, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/10/2012 01:12:41, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/10/2012 00:42:41, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
07/10/2012 12:36:15, error: Service Control Manager [7034] - The HP ProtectTools Service service terminated unexpectedly. It has done this 1 time(s).
06/10/2012 11:16:39, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the JavaQuickStarterService service.
06/10/2012 11:13:43, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
06/10/2012 00:19:09, error: System Error [1003] - Error code 100000c5, parameter1 013e3008, parameter2 00000002, parameter3 00000000, parameter4 8055196d.
05/10/2012 17:06:26, error: Service Control Manager [7034] - The Intel® Active Management Technology User Notification Service service terminated unexpectedly. It has done this 1 time(s).
05/10/2012 15:59:10, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
05/10/2012 15:39:06, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips intelppm IPSec IPSECDRV Lbd MRxSmb NetBIOS NetBT RasAcd Rdbss RsvLock SAVRT SAVRTPEL SPBBCDrv SYMTDI Tcpip
05/10/2012 15:39:06, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
05/10/2012 15:39:06, error: Service Control Manager [7001] - The SafeNet IKE Service service depends on the SafeNet IPSec Plugin service which failed to start because of the following error: A device attached to the system is not functioning.
05/10/2012 15:39:06, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
05/10/2012 15:39:06, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
05/10/2012 15:39:06, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
05/10/2012 15:39:06, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
05/10/2012 15:07:33, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
05/10/2012 13:47:04, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
05/10/2012 11:47:31, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 545543445200. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
05/10/2012 11:43:30, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
05/10/2012 11:12:01, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm Lbd RsvLock SAVRT SAVRTPEL SPBBCDrv SYMTDI
05/10/2012 11:12:01, error: Service Control Manager [7023] - The Workstation service terminated with the following error: The filename, directory name, or volume label syntax is incorrect.
05/10/2012 11:12:01, error: Service Control Manager [7001] - The Net Logon service depends on the Workstation service which failed to start because of the following error: The filename, directory name, or volume label syntax is incorrect.
05/10/2012 11:12:01, error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: The filename, directory name, or volume label syntax is incorrect.
05/10/2012 11:11:53, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
05/10/2012 11:10:30, error: Workstation [3870] - . is not a valid computer name.
05/10/2012 10:54:30, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd
05/10/2012 10:54:30, error: Service Control Manager [7000] - The Remote Connections Service service failed to start due to the following error: The system cannot find the file specified.
05/10/2012 10:50:51, error: Service Control Manager [7024] - The Computer Browser service terminated with service-specific error 2102 (0x836).
05/10/2012 10:45:53, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.
05/10/2012 10:45:53, error: Service Control Manager [7000] - The LiveUpdate service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
05/10/2012 10:45:52, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
05/10/2012 10:44:25, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
05/10/2012 10:16:06, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume M:.
05/10/2012 09:33:30, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
05/10/2012 09:25:53, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
.
==== End Of File ===========================
Results of screen317's Security Check version 0.99.51
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
Symantec AntiVirus Corporate Edition
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.0.1400
Java™ 6 Update 29
HP JavaCard for HP ProtectTools
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 11.1.102.55
Adobe Reader X (10.1.4)
Mozilla Firefox (9.0.1)
````````Process Check: objlist.exe by Laurent````````
Symantec AntiVirus DefWatch.exe
Symantec AntiVirus SavRoam.exe
Symantec AntiVirus Rtvscan.exe
mthevi.AXON Desktop virus removal 11102012\SecurityCheck.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 10%
````````````````````End of Log``````````````````````

#11 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:01 PM

Posted 11 October 2012 - 06:40 PM

Do not do any websurfing, or anything online. Just go to this forum and the websites I guide you to.

Do this:
1. Open Internet Explorer.
2. Click "Tools," and then click "Internet Options."
3. Click "Connections," and then click "LAN Settings."
4. Make sure the check boxes for "Automatically detect settings" and "Use automatic configuration script" are not selected.
5. Make sure Proxy servers block is not selected (not checkmarked).
6. Apply changes & OK

Step 2
Use your Internet Explorer browser to go here at Virustotal website
Click the Choose File button and then navigate to c:\windows\xbramiep.exe, then click the Scan it button.
The various virus scanners will identify the file and if it is not identified, the AV vendors will then have a copy of it for analysis. Save the results, and post back here in a reply.

Use your Internet Explorer browser to go here at VirSCAN.org website
Click the Browse button and then navigate to c:\windows\xbramiep.exe, then click the Upload button.

Save the results, and post back here in a reply.

Step 3
Logoff and Restart the system fresh.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Do NOT turn off the firewall

If you have a prior copy of Combofix, delete it now !

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages.
It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change ! It has lots of work.
You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.
Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on speed of your system and how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power)


Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2
* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on Combo-Fix.exe, accept the EULA & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

Notes:
[1] IF after Combofix reboot you get the message

Illegal operation attempted on registry key that has been marked for deletion

...please reboot the computer, this should resolve the problem. You may have to reboot the pc a second time if needed.

[2] Do not mouseclick combofix's window nor run any program while Combofix is running.
That may cause it to stall.

[3]When all done, IF Combofix did not do a Restart...then ... I need for you to Restart the system fresh !

Reply & Copy / Paste the contents of C:\Combofix.txt log and tell me, How is the system now ?

RE-Enable your AntiVirus and AntiSpyware applications.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
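Step 1 above has the user verify the Internet Explorer LAN settings through the dialog. The same three settings can be read directly from the registry, which is handy for confirming the change took effect or for checking a machine before and after cleanup, since a proxy or auto-configuration entry that the user never set is a common way traffic gets redirected. The script below is an added example, not part of Maurice's instructions or of any tool named in this thread. It assumes PowerShell is available on the XP machine, that it runs as the affected user (the values are per-user under HKCU), and that the "Automatically detect settings" flag is stored as bit 0x08 of byte 8 in the DefaultConnectionSettings blob, which is the layout the script relies on.

```powershell
# Added example: report the IE LAN settings that Step 1 asks the user to clear.
# Assumptions: PowerShell present on the machine; run as the affected user;
# DefaultConnectionSettings byte 8 holds the checkbox flags (0x02 = manual proxy,
# 0x04 = auto-config script, 0x08 = auto-detect).

$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $base

# "Use a proxy server for your LAN" checkbox and its address
$proxyEnabled = ($inet.ProxyEnable -eq 1)
$proxyServer  = $inet.ProxyServer

# "Use automatic configuration script" URL (the value is absent when not set)
$pacUrl = $inet.AutoConfigURL

# "Automatically detect settings" has no value of its own; read the flag byte
$flags = 0
$conn  = Get-ItemProperty -Path "$base\Connections" -ErrorAction SilentlyContinue
if ($conn -and $conn.DefaultConnectionSettings -and $conn.DefaultConnectionSettings.Length -gt 8) {
    $flags = [int]$conn.DefaultConnectionSettings[8]
}
$autoDetect = (($flags -band 0x08) -ne 0)

$findings = @()
if ($proxyEnabled) { $findings += "Proxy server enabled: $proxyServer" }
if ($pacUrl)       { $findings += "Automatic configuration script set: $pacUrl" }
if ($autoDetect)   { $findings += "Automatically detect settings is on" }

if ($findings.Count -eq 0) {
    Write-Output "LAN settings match Step 1: no proxy, no configuration script, no auto-detect."
} else {
    Write-Output "LAN settings differ from Step 1:"
    $findings | ForEach-Object { Write-Output "  - $_" }
    Write-Output "Clear them under Internet Options > Connections > LAN Settings, then re-run this check."
}
```

Run it once before changing the dialog and once after; the second run should report that the settings match Step 1. If a proxy address or script URL shows up that the user or their company image did not configure, keep a copy of the output for the reply, since it tells the helper where traffic was being sent.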

#12 meenzie

meenzie
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:01 AM

Posted 12 October 2012 - 02:37 AM

Dear Maurice,

Step 1 - Done
Step 2 - c:\windows\xbramiep.exe does not exist.
Step 3 - Unable to disable Symantec antivirus - as when I right clicked on the system tray I did not have the option to disable it.

Note:-
As mentioned to you, in one of the forums it advised to do a search for an *.exe file which was created in my machine the day it was infected. So before contacting bleepingcomputers, I had done that step and I found xbramiep.exe. I followed that forum which advised me to delete the xbramiep.exe from the file directory as well as from the registry. I have informed you before that I did delete a random exe file and it was xbramiep.exe. Perhaps that's the reason I am unable to locate it now in my laptop.


I have downloaded the combo-fix.exe to desktop, but did not run it as I was unable to disable the antivirus I have on my system.

Please let me know if you still need me to run combo-fix.exe.


Thanks,
meena

#13 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:01 PM

Posted 12 October 2012 - 09:17 AM

Meena,

Please do some checking on the Symantec web support site. Get some help from Symantec support on how to turn off the Symantec product.
SEE http://www.symantec.com/connect/
http://www.symantec.com/business/support/index?page=selectCategory

I need for you to turn off Symantec before you start running Combofix.



Questions for you:

Is this a home system?
or is this in a company or organization ?

Your license to Symantec Corporate a-v is current ?

Are you logged in to this pc with an administrator-rights account ?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#14 meenzie

meenzie
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:01 AM

Posted 12 October 2012 - 10:08 AM

Hi Maurice,

This is a personal computer with a company image on it in case I need to log on from home for work purposes. And yes I do have full administrator rights. I believe in the company image they have disabled the functionality to disable the antivirus.

Can I run ComboFix without disabling it?

Thanks,
meena

#15 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:01 PM

Posted 12 October 2012 - 10:27 AM

Check with your IT system support on how to disable it temporarily. !!!



Meantime, restart the system into Safe Mode with Networking.

Then run Combofix.


The preferred way is to run C-F in normal mode, but with an active antivirus monitor the odds will be that it will cause a conflict with C-F.

After you finish with Combofix, restart the system into Normal mode.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
