
Network Is Randomly Communicating with Adservers


  • This topic is locked
28 replies to this topic

#1 DariRyu

Posted 23 May 2013 - 05:17 AM

This problem was initially posted in the "Am I Infected? What Do I Do?" thread, but I was directed to post it here. A link to the original post can be found here: http://ww.bleepingcomputer.com/forums/t/495353/hosted-byleasewebcom-keeps-showing-up/

The problem is as follows:

I was searching DeviantArt (yes, I know), and I had an odd popup window appear today that insisted I update Java when I attempted to log into the site. I chose to do so through Mozilla's Plugin Finder service. Suddenly my network connection seems to be constantly in use. I used Start -> Run -> CMD, then "netstat -b" to see what it might be, and I kept seeing this thing from "hosted-by.leaseweb.com" popping up with "unknown components". The messages attributed to it seem to be as follows:

C:\Windows\System32\mswinsock.dll
C:\Windows\System32\WS2_32.dll
-- unknown component(s) --
[svchost.exe]

This will repeat twice, and then this will pop up:

C:\Windows\System32\mswinsock.dll
C:\Windows\System32\WS2_32.dll
-- unknown component(s) --
ntdll.dll
C:\Windows\System32\kernel32.dll
[svchost.exe]

I was requested to run DDS, and it produced two logs. These logs are both attached to this post. Thank you in advance for any assistance you may be able to provide.

~*Dari

Edited by DariRyu, 23 May 2013 - 05:20 AM.
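Editor's note on the netstat output quoted in the post above (this is an added example and not part of the original post): `netstat -b` (on XP, `-bv` forces it for every process) prints under each connection the chain of modules that created the socket, with the owning executable in square brackets at the bottom. The line `-- unknown component(s) --` marks a link in that chain which netstat could not attribute to any named module loaded in the process. A service host whose chain contains an unattributed module and whose peer is an unfamiliar hosting provider is exactly the combination worth isolating, which is what the script below does for a saved capture (`netstat -b > netstat.txt`): it groups each component chain with its connection and flags connections with an unattributed component or a remote host outside an expected list. The sample capture is constructed; it mirrors the module lines quoted in the post, while the local ports, the PIDs and the second connection's host are placeholders.

```python
"""Triage a saved `netstat -b` capture (Windows XP layout).

Added example for this thread, not code from the original post. The sample
below is constructed: it mirrors the module lines quoted by the poster; the
ports, PIDs and the google/firefox connection are placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

SAMPLE_NETSTAT = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    dari-pc:1046           hosted-by.leaseweb.com:http  ESTABLISHED  1012
  C:\Windows\System32\mswinsock.dll
  C:\Windows\System32\WS2_32.dll
  -- unknown component(s) --
  [svchost.exe]

  TCP    dari-pc:1052           www.google.com:https   ESTABLISHED     2264
  C:\Program Files\Mozilla Firefox\nss3.dll
  [firefox.exe]

  UDP    dari-pc:137            *:*                                    4
  [System]
"""

# A connection line: proto, local, foreign, optional state (UDP has none), optional PID.
CONN_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?(?:\s+(?P<pid>\d+))?\s*$"
)
UNKNOWN_MARKER = "-- unknown component(s) --"


@dataclass
class Connection:
    proto: str
    local: str
    remote: str
    state: Optional[str]
    pid: Optional[int]
    components: List[str] = field(default_factory=list)  # module chain, top first
    image: Optional[str] = None  # executable printed in [brackets] below the chain

    @property
    def remote_host(self) -> str:
        # "host:port" -> host; rpartition also copes with the "*:*" wildcard
        return self.remote.rpartition(":")[0]


def parse_netstat_b(text: str) -> List[Connection]:
    """Group every connection line with the component lines printed under it."""
    conns: List[Connection] = []
    current: Optional[Connection] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CONN_RE.match(line)
        if m:
            pid = m.group("pid")
            current = Connection(m.group("proto"), m.group("local"), m.group("remote"),
                                 m.group("state"), int(pid) if pid else None)
            conns.append(current)
        elif current is None:
            continue  # banner and column header precede the first connection
        elif line.startswith("[") and line.endswith("]"):
            current.image = line[1:-1]  # the bracketed executable closes the block
            current = None
        else:
            current.components.append(line)
    return conns


def triage(conns: List[Connection],
           expected_hosts: Set[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (image, remote_host, reasons) for each connection worth a second look."""
    findings: List[Tuple[str, str, List[str]]] = []
    local_only = {"*", "0.0.0.0", "127.0.0.1", "localhost"}
    for c in conns:
        host = c.remote_host
        reasons: List[str] = []
        if UNKNOWN_MARKER in c.components:
            reasons.append("module chain contains a component netstat could not name")
        if host not in local_only and host not in expected_hosts:
            reasons.append(f"remote host {host!r} is not on the expected list")
        if reasons:
            findings.append((c.image or "?", host, reasons))
    return findings


if __name__ == "__main__":
    # Usage on a real capture: parse_netstat_b(open("netstat.txt").read())
    for image, host, reasons in triage(parse_netstat_b(SAMPLE_NETSTAT), {"www.google.com"}):
        print(f"{image:<14} -> {host}: " + "; ".join(reasons))
```

The allowlist is deliberately a plain set of host names: on a box this small, the responder knows which few hosts the machine should talk to, and everything else, not just the hosting-provider reverse DNS name, should come out of the report. Run it on the capture before any cleanup tool touches the box, so the pre-cleanup state is on record.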



#2 HelpBot (Bleepin' Binary Bot)

Posted 28 May 2013 - 05:20 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/495552 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 DariRyu (Topic Starter)

Posted 28 May 2013 - 12:49 PM

Yes, I do still require help for this problem.

In addition, I have found that I am experiencing additional issues. It seems that when I make any changes in a folder from a dialogue window -- creating a new folder, renaming a folder/file, etc. -- I am not able to see these changes in the window after they are made. However, refreshing the view shows that the changes have indeed been made.

Also any folder with pictures in it runs slow, taking up at least half the system's resources... just to press an arrow key to highlight a single photo. Not just the first time. Every time. I have tried deleting pictures, renaming, moving, changing the view, and the folders still run slow. This did not happen before this problem, thus I can only assume that it is somehow connected to this issue.

The requested logs have been attached to this message. Thank you again for your time.

~*Dari



#4 whoabuddy (Malware Response Instructor)

Posted 29 May 2013 - 09:06 AM

Hello DariRyu,

:welcome: to Bleeping Computer!

My name is whoabuddy and I will be assisting you today. Before we get started, please keep the following in mind while I am helping you to make things go easier and faster for both of us.


Please do not run any tools unless instructed to do so.

We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.

Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.

Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process. Also watch for items italicized or in green, these entries are notes to help explain the process or common occurrences.

Please provide feedback about your experience as we go.

A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of headaches as we go along. For more information about backing up your system, please review the links in the first item of the Malware Removal Preparation Guide.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Please respond and acknowledge that you have read my introduction and I will begin reviewing your logs so we can get started!

Best Regards,
whoabuddy
Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE

#5 DariRyu (Topic Starter)

Posted 29 May 2013 - 08:43 PM

I will do this. Thank you for your reply and assistance.

As an aside however, the Microsoft site seems to no longer hold the "Microsoft Backup for XP" page, so the "Preparation Guide" leads to a page that does not exist.

~*Dari



#6 whoabuddy (Malware Response Instructor)

Posted 29 May 2013 - 10:04 PM

(removed - wrong post - sorry!)


Edited by whoabuddy, 29 May 2013 - 10:05 PM.


#7 DariRyu (Topic Starter)

Posted 29 May 2013 - 10:39 PM

What logs are requested? I didn't see anything in the instructions I was pointed to, or in the original reply, that requested logs. Is it a DDS log that's requested?

~*Dari



#8 whoabuddy (Malware Response Instructor)

Posted 29 May 2013 - 10:57 PM

Hi Dari,

That was my mistake, but I am working on your next set of instructions and will get them posted up for you soon.

Thank you for pointing out that link though, I will submit it for an update :)

Best Regards,
whoabuddy

#9 DariRyu (Topic Starter)

Posted 29 May 2013 - 11:05 PM

Oh, I was told to post new issues I'm having in this thread. Posted from the other topic:

"I also seem to be having another issue with my computer. When I try to create/rename files from a Save/Open dialogue, I can't see the effects. If I create a new folder, it will be created; if I try to rename a folder, it will be renamed. But I won't see those changes until I re-access the folder I made the changes inside from.

Example: I use MUSHClient. If I wish to save a log, I access the log folders through the program, then discover I need to create a new folder for May's logs. I right-click, select "New -> Folder". Nothing appears to happen. I don't see the new folder. But if I press Backspace and then re-access the folder I was going to create the new folder in, there is a folder inside called "New Folder".

It happens, I just don't see it happen."

Additionally, I have a Sony Walkman MP3 player, and I don't seem to be able to copy files onto it anymore. The copy will succeed until the very end, where I'll get a dialogue box that tells me it can't copy because "either the device was disconnected or has stopped responding". And it's not full, because I just copied the song onto it using another computer, and there was no issue.

~*Dari


Edited by DariRyu, 29 May 2013 - 11:14 PM.


#10 whoabuddy (Malware Response Instructor)

Posted 30 May 2013 - 09:25 AM

Hi Dari,

Thank you for the additional info. After looking over your previous topic and logs, I have a few questions I would like you to answer before we get started, as well as some additional scans we can run. I apologize for the confusion in the beginning, but to give you an overview we are going to check your machine for malware, check your applications for updates, then work down the list of issues in case malware is the root cause of the problem.

Questions:
  • are you using Webroot/Prevx as your main antivirus program? I see Prevx running along with Microsoft Security Essentials, and running more than one antivirus program at a time can cause performance issues. Right now this is what I see:
    - antivirus: Microsoft Security Essentials, Prevx 3.0
    - antispyware: Webroot Spysweeper
  • in this post and your last post you mentioned that you use the MUSH client, do you have the download link you used to install it? or do you just run it from a folder?
  • do you recognize the Pando Media Booster extension?
  • do you currently use Perfect Uninstaller? Is there a program you had difficulty removing?
  • do you recognize either of the folders below?
    c:\EMU
    c:\documents and settings\admin\application data\DDMSettings
  • do you recognize the software Yo-Jin-Bo?
  • during the errors described in this post, did your computer stop at a blue screen? Or just restart repeatedly and give you the message about a System Error?
One more thing I would like to add: Windows will suffer performance issues with less than 25% free space on the drive, and I noticed you had 11 GB out of 75 GB remaining. We can re-evaluate this after cleaning up temporary files, which will come toward the end of our adventure.

We need to run a scan with Farbar Recovery Scan Tool:

Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to download the 32-bit version of the application.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
We need to run a scan with aswMBR:

Please download aswMBR ( 4.5MB ) to your desktop.
  • Double click the aswMBR.exe icon, and click Run
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply
In your next post I need the following:
  • answers to the questions at the beginning of the post
  • FRST.txt from FRST scan
  • Addition.txt from FRST scan
  • aswMBR.txt from aswMBR scan
  • Status Update - is there anything else you would like to add?
Best Regards,
whoabuddy
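Added example, not part of the thread and not code from FRST or from either poster: the Registry section of an FRST log lists each autostart and COM entry with its image path, file size and date, and the company name from the file's version info; it prints `[x]` when the file does not exist and appends `ATTENTION! ====> <family>` to entries it recognises. The log Dari posts in the next reply carries exactly such an annotation on an `InprocServer32` value that resolves to a DLL under the user's Temp folder. The script below parses the two entry shapes that appear in that excerpt (`KEY: [name] path ...` and `KEY: name - {CLSID} - path (publisher)`) and applies the rules a responder reads the section by: FRST's own annotation, an image in a temp or profile directory, a present file with no publisher, and a COM in-process server for a system CLSID resolved outside the system directory. The sample input is reproduced from the posted log; the flagging heuristics are the editor's, not FRST's, and the regexes cover only the line shapes shown.

```python
"""Triage the Registry section of an FRST log.

Added example for this thread; not part of FRST and not code from the
original posts. SAMPLE_FRST is an excerpt of the registry section posted
later in the thread. Parsing covers the two entry shapes seen there;
the triage rules are the editor's heuristics, not FRST's.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_FRST = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe" [155648 2004-09-13] (Alps Electric Co., Ltd.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947176 2012-09-12] (Microsoft Corporation)
HKLM\...\Run: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k [x]
HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] C:\DOCUME~1\admin\LOCALS~1\Temp\sseqrap\sjpyxet\wow.dll ATTENTION! ====> ZeroAccess
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
"""

# "<key>: [<name>] <rest>"   (Run values, the InprocServer32 line)
BRACKET_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<rest>.+)$")
# "<key>: <name> - {<clsid>} - <rest>"   (SSODL, BHO and similar CLSID entries)
CLSID_RE = re.compile(
    r"^(?P<key>[A-Za-z0-9]+): (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<rest>.+)$"
)
# trailing "(Company)"; vendor strings with nested parentheses are not handled
PUBLISHER_RE = re.compile(r" \((?P<pub>[^()]+)\)\s*$")
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.I)
PROFILE_RE = re.compile(r"^[a-z]:\\(documents and settings|docume~1|users)\\", re.I)


@dataclass
class Entry:
    key: str
    name: str
    path: str
    publisher: Optional[str]  # company name FRST read from the file's version info
    file_missing: bool        # FRST prints [x] when the referenced file is absent
    frst_note: Optional[str]  # text after "ATTENTION! ====>", if FRST recognised it


def _split_rest(rest: str) -> Tuple[str, Optional[str], bool, Optional[str]]:
    """Separate image path, publisher, missing-file marker and FRST annotation."""
    note = None
    if "ATTENTION!" in rest:
        rest, _, tail = rest.partition("ATTENTION!")
        note = tail.strip(" =>")
        rest = rest.strip()
    m = PUBLISHER_RE.search(rest)
    publisher = m.group("pub") if m else None
    file_missing = rest.rstrip().endswith("[x]")
    if rest.startswith('"'):
        path = rest[1 : rest.index('"', 1)]  # quoted path, arguments follow it
    else:
        path = re.split(r" \[| \(", rest, maxsplit=1)[0].strip()
    return path, publisher, file_missing, note


def parse_frst_registry(text: str) -> List[Entry]:
    """Parse the entries between the Registry header and the next section header."""
    entries: List[Entry] = []
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("===="):
            in_section = "Registry" in line
            continue
        if not in_section or not line:
            continue
        m = BRACKET_RE.match(line) or CLSID_RE.match(line)
        if not m:
            continue
        path, publisher, missing, note = _split_rest(m.group("rest"))
        entries.append(Entry(m.group("key"), m.group("name"), path, publisher, missing, note))
    return entries


def triage_entries(entries: List[Entry]) -> List[Tuple[str, str, List[str]]]:
    """Return (name, path, reasons) for entries a responder should look at first."""
    findings: List[Tuple[str, str, List[str]]] = []
    for e in entries:
        reasons: List[str] = []
        if e.frst_note:
            reasons.append(f"FRST annotation: {e.frst_note}")
        if TEMP_RE.search(e.path):
            reasons.append("image lives in a temp directory")
        if e.publisher is None and not e.file_missing:
            reasons.append("file present but carries no publisher in its version info")
        if "InprocServer32" in e.key and (TEMP_RE.search(e.path) or PROFILE_RE.search(e.path)):
            reasons.append("COM in-process server for a system CLSID resolves into a user-writable path")
        if reasons:
            findings.append((e.name, e.path, reasons))
    return findings


if __name__ == "__main__":
    # Usage on a real log: parse_frst_registry(open("FRST.txt", encoding="utf-8").read())
    for name, path, reasons in triage_entries(parse_frst_registry(SAMPLE_FRST)):
        print(f"[{name}] {path}\n    " + "\n    ".join(reasons))
```

Note what is deliberately not flagged: the stale `KernelFaultCheck` value with `[x]` has no publisher only because the file is gone, which is housekeeping rather than a threat, so the no-publisher rule is gated on the file being present. The COM rule is the one that matters for the symptoms in this thread: a shell CLSID served from a DLL under a profile or Temp directory is loaded by every process that instantiates that object, which is why the original `netstat` output showed an unattributed module inside `svchost.exe`.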

#11 DariRyu (Topic Starter)

Posted 30 May 2013 - 11:46 PM

Here is the information you requested:

ANSWERS TO QUESTIONS:

1) Are you using Webroot/Prevx as your main antivirus program? I see Prevx running along with Microsoft Security Essentials, and running more than one antivirus program at a time can cause performance issues. Right now this is what I see:
    - antivirus: Microsoft Security Essentials, Prevx 3.0
    - antispyware: Webroot Spysweeper

I actually don't know how to turn Microsoft Security Essentials off. I've tried and tried, and it will NOT go away.


2) In this post and your last post you mentioned that you use the MUSH client, do you have the download link you used to install it? or do you just run it from a folder?

I run MUSHClient from a folder.


3) Do you recognize the Pando Media Booster extension?

Yes. This was installed some time ago with an online game that I played.


4) Do you currently use Perfect Uninstaller? Is there a program you had difficulty removing?

I actually downloaded Perfect Uninstaller because when I upgraded Window Washer, it kept telling me it was washing the Trellian Toolbar, and that it was among my installed programs, but I could find no trace of it in any part of my computer.


5) Do you recognize either of the folders below?
c:\EMU
c:\documents and settings\admin\application data\DDMSettings

The first one I do recognize, yes; I do not wish to discuss its contents. I have had it there since I got this computer.  The second I do not recognize.


6) Do you recognize the software Yo-Jin-Bo?

Yo-Jin-Bo is a visual novel by TWO-FIVE HIRAMEKI.  This game I have had installed since shortly after I got this computer.


7) During the errors described in this post, did your computer stop at a blue screen? Or just restart repeatedly and give you the message about a System Error?

The computer did not restart after telling me about the error. The restart occurred after running one of the programs I was directed to run in the other topic. When this program restarted my computer -- without asking me, mind you -- I got a dialogue window telling me that "Windows has recovered from a serious error". This window persisted after clicking the button, and the dialogue window appeared several times. It seemed to be a legitimate Windows error message, as I checked the task manager, and the programs that run when an error window pops up were running. No restart or blue screen occurred during this. I have gotten the error window once more since then -- again, with no restart -- but the second time it only popped up once, and the window went away.

FRST.TXT

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-05-2013
Ran by admin (administrator) on 30-05-2013 20:00:52
Running from C:\Documents and Settings\admin\Desktop
Microsoft Windows XP Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Webroot Software, Inc. ) C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\WINDOWS\System32\SCardSvr.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\Apoint.exe
(SigmaTel, Inc.) C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Webroot Software, Inc.) C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\Apntex.exe
(Broadcom Corporation) C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
(Prevx) C:\Program Files\Prevx\prevx.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Webroot Software, Inc. (www.webroot.com)) C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
(Webroot Software, Inc.) C:\Program Files\Webroot\Washer\WasherSvc.exe
(Prevx) C:\Program Files\Prevx\prevx.exe
(Webroot Software, Inc. (www.webroot.com)) C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe" [155648 2004-09-13] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SigmatelSysTrayApp] "%ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe" [405504 2007-05-10] (SigmaTel, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947176 2012-09-12] (Microsoft Corporation)
HKLM\...\Run: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k [x]
HKLM\...\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray [6515800 2011-04-20] (Webroot Software, Inc.)
HKLM\...\Winlogon: [System]
Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] C:\DOCUME~1\admin\LOCALS~1\Temp\sseqrap\sjpyxet\wow.dll ATTENTION! ====> ZeroAccess
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\05m0h20x.default
FF Homepage: hxxp://www.google.com
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF Plugin: @divx.com/DivX Browser Plugin,version=1.0.0 - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF Plugin: @divx.com/DivX Player Plugin,version=1.0.0 - C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll No File
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @java.com/DTPlugin,version=10.21.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.21.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @pandonetworks.com/PandoWebPlugin - C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF Plugin: @real.com/nppl3260;version=16.0.0.282 - C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpplugin;version=16.0.0.282 - C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: anticontainer - C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\05m0h20x.default\Extensions\anticontainer@downthemall.net.xpi
FF Extension: status4evar - C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\05m0h20x.default\Extensions\status4evar@caligonstudios.com.xpi
FF Extension: No Name - C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\05m0h20x.default\Extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}.xpi
FF Extension: No Name - C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\05m0h20x.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF Extension: No Name - C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\05m0h20x.default\Extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi

========================== Services (Whitelisted) =================

R2 ASFIPmon; C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [61440 2005-10-18] (Broadcom Corporation)
R2 CSIScanner; C:\Program Files\Prevx\prevx.exe [4368952 2013-01-10] (Prevx)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20472 2012-09-12] (Microsoft Corporation)
S4 S24EventMonitor; C:\Program Files\Intel\WiFi\bin\S24EvMon.exe [909312 2009-11-03] (Intel® Corporation)
R2 WebrootSpySweeperService; C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe [4048256 2011-03-22] (Webroot Software, Inc. (www.webroot.com))
S4 WLANKEEPER; C:\Program Files\Intel\WiFi\bin\WLKeeper.exe [348160 2009-11-03] (Intel® Corporation)
R2 WRConsumerService; C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe [1201656 2013-01-10] (Webroot Software, Inc. )
R2 wwEngineSvc; C:\Program Files\Webroot\Washer\WasherSvc.exe [618896 2011-04-20] (Webroot Software, Inc.)
S4 HidServ; %SystemRoot%\System32\hidserv.dll [x]
R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf" [x]

==================== Drivers (Whitelisted) ====================

S3 b57w2k; C:\Windows\System32\DRIVERS\b57xp32.sys [142720 2005-10-26] (Broadcom Corporation)
R2 BASFND; C:\Program Files\Broadcom\ASFIPMon\BASFND.sys [6025 2003-04-24] (Broadcom Corporation)
R3 guardian2; C:\Windows\System32\Drivers\oz776.sys [68696 2007-12-23] (O2Micro)
R3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-14] (Windows ® Server 2003 DDK provider)
R3 ialm; C:\Windows\System32\DRIVERS\ialmnt5.sys [1170140 2006-07-14] (Intel Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [193552 2012-08-31] (Microsoft Corporation)
S3 NETw5x32; C:\Windows\System32\DRIVERS\NETw5x32.sys [4221952 2009-10-26] (Intel Corporation)
R0 pxscan; C:\Windows\System32\drivers\pxscan.sys [22024 2013-01-10] (Prevx)
R0 pxsec; C:\Windows\System32\drivers\pxsec.sys [27656 2013-01-10] (Prevx)
R2 s24trans; C:\Windows\System32\DRIVERS\s24trans.sys [11904 2008-08-13] (Intel Corporation)
R0 ssfs0bbc; C:\Windows\System32\DRIVERS\ssfs0bbc.sys [29832 2011-03-22] (Webroot Software, Inc. (www.webroot.com))
R0 sshrmd; C:\Windows\System32\DRIVERS\sshrmd.sys [23176 2011-03-22] (Webroot Software, Inc. (www.webroot.com))
R0 ssidrv; C:\Windows\System32\DRIVERS\ssidrv.sys [176776 2011-03-22] (Webroot Software, Inc. (www.webroot.com))
R3 STHDA; C:\Windows\System32\drivers\sthda.sys [1222840 2007-05-10] (SigmaTel, Inc.)
S4 Abiosdsk; No ImagePath
S4 abp480n5; No ImagePath
S4 adpu160m; No ImagePath
S4 Aha154x; No ImagePath
S4 aic78u2; No ImagePath
S4 aic78xx; No ImagePath
S4 AliIde; No ImagePath
S4 amsint; No ImagePath
S4 asc; No ImagePath
S4 asc3350p; No ImagePath
S4 asc3550; No ImagePath
S4 Atdisk; No ImagePath
S4 cd20xrnt; No ImagePath
S1 Changer; No ImagePath
S4 CmdIde; No ImagePath
S4 Cpqarray; No ImagePath
U4 dac2w2k; No ImagePath
S4 dac960nt; No ImagePath
S4 dpti2o; No ImagePath
S4 hpn; No ImagePath
S1 i2omgmt; No ImagePath
S4 i2omp; No ImagePath
S4 ini910u; No ImagePath
S4 IntelIde; No ImagePath
S1 lbrtfdc; No ImagePath
S4 mraid35x; No ImagePath
S1 PCIDump; No ImagePath
S3 PDCOMP; No ImagePath
S3 PDFRAME; No ImagePath
S3 PDRELI; No ImagePath
S3 PDRFRAME; No ImagePath
S4 perc2; No ImagePath
S4 perc2hib; No ImagePath
S4 ql1080; No ImagePath
S4 Ql10wnt; No ImagePath
S4 ql12160; No ImagePath
S4 ql1240; No ImagePath
S4 ql1280; No ImagePath
S4 Simbad; No ImagePath
S4 Sparrow; No ImagePath
S4 symc810; No ImagePath
S4 symc8xx; No ImagePath
S4 sym_hi; No ImagePath
S4 sym_u3; No ImagePath
S4 TosIde; No ImagePath
S3 UIUSys; system32\DRIVERS\UIUSYS.SYS [x]
S4 ultra; No ImagePath
S4 ViaIde; No ImagePath
S3 WDICA; No ImagePath
U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-30 20:00 - 2013-05-30 20:00 - 00000000 ____D C:\FRST
2013-05-22 19:35 - 2013-05-22 19:37 - 00000900 ____A C:\AdwCleaner[S2].txt
2013-05-22 13:53 - 2013-05-23 05:02 - 00000000 ____D C:\Program Files\Common Files\Webroot Shared
2013-05-22 13:53 - 2011-04-20 10:12 - 00365456 ____A (Webroot Software, Inc.) C:\Windows\Unwash6.exe
2013-05-22 13:46 - 2013-05-22 13:46 - 00000000 ____D C:\Rbackup
2013-05-22 13:44 - 2013-05-22 13:44 - 00000042 ____A C:\Windows\System32\AK083E209605E394C.lie
2013-05-22 13:27 - 2013-05-22 13:27 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-05-22 00:53 - 2013-05-30 19:58 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-22 00:53 - 2013-05-30 19:41 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-22 00:53 - 2013-05-22 00:56 - 00000000 ____D C:\Program Files\Google
2013-05-21 23:13 - 2013-05-22 19:38 - 00000000 ____D C:\JRT
2013-05-21 23:13 - 2013-05-21 23:13 - 00000000 ____D C:\Windows\ERUNT
2013-05-21 23:09 - 2013-05-21 23:09 - 00002492 ____A C:\AdwCleaner[S1].txt
2013-05-21 17:57 - 2013-05-30 19:51 - 00000366 ___AH C:\Windows\Tasks\MpIdleTask.job
2013-05-21 15:49 - 2013-05-21 21:11 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-05-21 15:49 - 2013-04-04 14:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-05-21 14:57 - 2013-05-21 14:57 - 00000000 ____D C:\Program Files\Common Files\Java
2013-05-21 14:56 - 2013-05-21 14:56 - 00263584 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-05-21 14:56 - 2013-05-21 14:56 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-05-21 14:56 - 2013-05-21 14:56 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2013-05-21 14:56 - 2013-05-21 14:56 - 00144896 ____A (Oracle Corporation) C:\Windows\System32\javacpl.cpl
2013-05-21 14:56 - 2013-05-21 14:56 - 00094112 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2013-05-21 14:55 - 2013-05-21 14:55 - 00000000 ____D C:\Program Files\Java
2013-05-06 16:11 - 2013-05-06 16:15 - 00000000 ____D C:\EMU
2013-04-30 05:14 - 2013-04-30 05:14 - 00000000 ____D C:\Program Files\TWOFIVE_HIRAMEKI

==================== One Month Modified Files and Folders ========

2013-05-30 20:00 - 2013-05-30 20:00 - 00000000 ____D C:\FRST
2013-05-30 20:00 - 2012-11-16 16:54 - 00578511 ____A C:\Windows\setupapi.log
2013-05-30 19:58 - 2013-05-22 00:53 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-30 19:51 - 2013-05-21 17:57 - 00000366 ___AH C:\Windows\Tasks\MpIdleTask.job
2013-05-30 19:45 - 2012-11-16 16:55 - 00356120 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-30 19:42 - 2013-01-10 16:49 - 00000278 ____A C:\Windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1004336348-602162358-1417001333-1003.job
2013-05-30 19:42 - 2012-11-17 01:04 - 01397383 ____A C:\Windows\WindowsUpdate.log
2013-05-30 19:41 - 2013-05-22 00:53 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-30 19:41 - 2013-01-10 16:49 - 00000286 ____A C:\Windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1004336348-602162358-1417001333-1003.job
2013-05-30 19:41 - 2012-11-17 01:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-30 19:41 - 2012-11-16 16:57 - 00000159 ____A C:\Windows\wiadebug.log
2013-05-30 19:41 - 2012-11-16 16:57 - 00000049 ____A C:\Windows\wiaservc.log
2013-05-30 19:41 - 2008-04-14 07:00 - 00013646 ____A C:\Windows\System32\wpa.dbl
2013-05-30 11:12 - 2012-11-17 01:08 - 00032240 ____A C:\Windows\SchedLgU.Txt
2013-05-30 11:10 - 2013-01-10 14:04 - 00000000 ____D C:\Program Files\Trillian
2013-05-28 12:29 - 2013-01-31 04:34 - 00000000 ____D C:\Program Files\WinRAR
2013-05-28 03:36 - 2008-04-14 07:00 - 00000779 ____A C:\Windows\win.ini
2013-05-24 16:17 - 2013-01-11 06:04 - 00000000 ____D C:\Program Files\ASCII
2013-05-23 05:02 - 2013-05-22 13:53 - 00000000 ____D C:\Program Files\Common Files\Webroot Shared
2013-05-22 19:38 - 2013-05-21 23:13 - 00000000 ____D C:\JRT
2013-05-22 19:37 - 2013-05-22 19:35 - 00000900 ____A C:\AdwCleaner[S2].txt
2013-05-22 13:53 - 2013-01-10 14:59 - 00000000 ____D C:\Program Files\Webroot
2013-05-22 13:46 - 2013-05-22 13:46 - 00000000 ____D C:\Rbackup
2013-05-22 13:44 - 2013-05-22 13:44 - 00000042 ____A C:\Windows\System32\AK083E209605E394C.lie
2013-05-22 13:27 - 2013-05-22 13:27 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-05-22 12:23 - 2013-01-10 14:32 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-05-22 12:23 - 2013-01-10 13:50 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-05-22 00:56 - 2013-05-22 00:53 - 00000000 ____D C:\Program Files\Google
2013-05-21 23:13 - 2013-05-21 23:13 - 00000000 ____D C:\Windows\ERUNT
2013-05-21 23:09 - 2013-05-21 23:09 - 00002492 ____A C:\AdwCleaner[S1].txt
2013-05-21 21:11 - 2013-05-21 15:49 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-05-21 20:39 - 2012-11-16 16:55 - 00958950 ____A C:\Windows\iis6.log
2013-05-21 20:39 - 2012-11-16 16:55 - 00814567 ____A C:\Windows\FaxSetup.log
2013-05-21 20:39 - 2012-11-16 16:55 - 00411102 ____A C:\Windows\ocgen.log
2013-05-21 20:39 - 2012-11-16 16:55 - 00381838 ____A C:\Windows\tsoc.log
2013-05-21 20:39 - 2012-11-16 16:55 - 00283347 ____A C:\Windows\comsetup.log
2013-05-21 20:39 - 2012-11-16 16:55 - 00265488 ____A C:\Windows\msmqinst.log
2013-05-21 20:39 - 2012-11-16 16:55 - 00171379 ____A C:\Windows\ntdtcsetup.log
2013-05-21 20:39 - 2012-11-16 16:55 - 00144084 ____A C:\Windows\netfxocm.log
2013-05-21 20:39 - 2012-11-16 16:55 - 00057399 ____A C:\Windows\MedCtrOC.log
2013-05-21 20:39 - 2012-11-16 16:55 - 00046046 ____A C:\Windows\ocmsn.log
2013-05-21 20:39 - 2012-11-16 16:55 - 00041421 ____A C:\Windows\msgsocm.log
2013-05-21 20:39 - 2012-11-16 16:55 - 00041413 ____A C:\Windows\tabletoc.log
2013-05-21 20:39 - 2012-11-16 16:55 - 00001917 ____A C:\Windows\imsins.log
2013-05-21 17:23 - 2012-11-20 21:50 - 00000000 __HDC C:\Windows\$NtUninstallKB972270$
2013-05-21 14:57 - 2013-05-21 14:57 - 00000000 ____D C:\Program Files\Common Files\Java
2013-05-21 14:56 - 2013-05-21 14:56 - 00263584 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-05-21 14:56 - 2013-05-21 14:56 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-05-21 14:56 - 2013-05-21 14:56 - 00174496 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2013-05-21 14:56 - 2013-05-21 14:56 - 00144896 ____A (Oracle Corporation) C:\Windows\System32\javacpl.cpl
2013-05-21 14:56 - 2013-05-21 14:56 - 00094112 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2013-05-21 14:56 - 2013-01-11 14:24 - 00788896 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2013-05-21 14:55 - 2013-05-21 14:55 - 00000000 ____D C:\Program Files\Java
2013-05-11 11:47 - 2012-11-17 01:01 - 00015351 ____A C:\Windows\wmsetup.log
2013-05-09 14:41 - 2012-11-16 16:45 - 00000000 ____D C:\Windows\Help
2013-05-06 16:15 - 2013-05-06 16:11 - 00000000 ____D C:\EMU
2013-05-02 02:06 - 2012-11-20 23:24 - 00238872 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-04-30 05:14 - 2013-04-30 05:14 - 00000000 ____D C:\Program Files\TWOFIVE_HIRAMEKI

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

ADDITION.TXT

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 30-05-2013
Ran by admin at 2013-05-30 20:01:15 Run:
Running from C:\Documents and Settings\admin\Desktop
Boot Mode: Normal
==========================================================


==================== Installed Programs =======================

Adobe Flash Player 11 ActiveX (Version: 11.5.502.149)
Adobe Flash Player 11 Plugin (Version: 11.7.700.202)
Adobe Reader XI (11.0.03) (Version: 11.0.03)
AIM for Windows
ALPS Touch Pad Driver
Audacity 2.0.3 (Version: 2.0.3)
Broadcom Advanced Control Suite (Version: 8.68.05)
Broadcom ASF Management Applications (Version: 8.17.03)
Broadcom Gigabit Integrated Controller (Version: 8.22.11)
Broadcom TPM Driver Installer (Version: 8.04.04)
CDisplay 1.8
Champions Online
Combined Community Codec Pack 2012-12-30 (Version: 2012.12.30.0)
Conexant HDA D110 MDC V.92 Modem
CyberLink PowerDVD 8 (Version: 8.0.1531)
Digital Line Detect (Version: 1.15)
DivX Converter (Version: 6.6.1)
DivX Setup (Version: 2.6.1.22)
Freelang Dictionary (wordlist)
Freelang Dictionary 3.74 beta
GIMP 2.8.2 (Version: 2.8.2)
Google Update Helper (Version: 1.3.21.145)
HP Deskjet 3050 J610 series Basic Device Software (Version: 28.0.1315.0)
HP Deskjet 3050 J610 series Help (Version: 140.0.63.63)
iDraw3.32 Chara Maker
Intel PROSet Wireless
Intel® Graphics Media Accelerator Driver (Version: 6.14.10.4634)
Intel® PROSet/Wireless WiFi Software (Version: 12.04.4000)
Java 7 Update 21 (Version: 7.0.210)
Java Auto Updater (Version: 2.1.9.5)
Magical Diary 1.0.13
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Media Player Classic - Home Cinema 1.6.1.4235 (Version: 1.6.1.4235)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Security Client (Version: 4.1.0522.0)
Microsoft Security Essentials (Version: 4.1.522.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Word 2002 (Version: 10.0.2627.01)
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0 (Version: 06.00.0000)
Mozilla Firefox 21.0 (x86 en-US) (Version: 21.0)
MSXML 4.0 SP2 and SOAP Toolkit 3.0 (Version: 1.0.0.0)
OpenOffice.org 3.4.1 (Version: 3.41.9593)
OZ776 SCR Driver V1.1.4.202 (Version: 1.1.4.202)
Pando Media Booster (Version: 2.6.0.9)
Perfect Uninstaller v6.3.3.9
Prevx 3.0
Ragnarok Online (Version: 14.1.3)
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0)
RealNetworks - Microsoft Visual C++ 2010 Runtime (Version: 10.0)
RealPlayer (Version: 16.0.0)
RealUpgrade 1.1 (Version: 1.1.0)
Redblade 1.3.0.16 RC 1
RPG Maker 2000 1.07b
RTP 1.32 Add-On for RM2k
RTP for RM2K (Png, Wav, Midi, Fonts)
SigmaTel Audio (Version: 5.10.5210.0)
Skype™ 6.1 (Version: 6.1.129)
Spy Sweeper (Version: 6.1)
Spy Sweeper Core (Version: 4.4.0.86)
Switch Sound File Converter
TouchChip USB Driver 2.6 (Version: 2.6.0.0097)
Trillian
Update for Windows Internet Explorer 8 (KB2598845) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB898461) (Version: 1)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
VC80CRTRedist - 8.0.50727.6195 (Version: 1.2.0)
VOCALOID2 Editor V2.0.12.2 (Version: 0.0.0.1)
VOCALOID2 Expression DB (Standard) (Version: 0.0.0.1)
VOCALOID2 Voice DB (BigAL) (Version: 0.0.0.1)
VOCALOID2 VSTi V2.0.12.3 (Version: 0.0.0.1)
WebFldrs XP (Version: 9.50.7523)
Window Washer (Version: )
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows Media Player 11
Works Suite OS Pack (Version: 1.0.0.0000)
Works Synchronization (Version: 1.0.0.0000)
Yo-Jin-Bo (Version: 1.01.0000)

==================== Restore Points  =========================

05-03-2013 21:55:45 System Checkpoint
07-03-2013 15:08:49 System Checkpoint
10-03-2013 13:02:49 System Checkpoint
12-03-2013 13:26:47 System Checkpoint
14-03-2013 22:30:30 System Checkpoint
16-03-2013 12:23:26 System Checkpoint
20-03-2013 05:15:48 System Checkpoint
21-03-2013 05:43:02 System Checkpoint
22-03-2013 21:37:27 System Checkpoint
24-03-2013 14:03:26 System Checkpoint
25-03-2013 14:57:53 System Checkpoint
28-03-2013 02:45:08 System Checkpoint
29-03-2013 13:00:51 System Checkpoint
30-03-2013 21:04:34 System Checkpoint
01-04-2013 12:41:04 System Checkpoint
02-04-2013 15:27:08 System Checkpoint
04-04-2013 16:01:03 System Checkpoint
10-04-2013 15:47:00 System Checkpoint
11-04-2013 16:27:46 System Checkpoint
13-04-2013 09:05:47 System Checkpoint
16-04-2013 08:21:12 System Checkpoint
17-04-2013 16:11:36 System Checkpoint
18-04-2013 06:41:07 Installed DirectX
19-04-2013 22:28:43 Software Distribution Service 3.0
21-04-2013 20:44:33 Software Distribution Service 3.0
22-04-2013 22:57:06 Software Distribution Service 3.0
24-04-2013 04:43:05 Software Distribution Service 3.0
24-04-2013 17:48:46 Installed Age of Wushu
25-04-2013 05:42:41 Software Distribution Service 3.0
25-04-2013 16:45:31 Removed Age of Wushu
27-04-2013 15:43:14 Software Distribution Service 3.0
28-04-2013 20:08:55 Software Distribution Service 3.0
30-04-2013 00:49:29 Software Distribution Service 3.0
30-04-2013 10:14:46 Installed Yo-Jin-Bo
01-05-2013 09:17:16 Software Distribution Service 3.0
02-05-2013 09:28:47 Software Distribution Service 3.0
02-05-2013 09:40:08 Software Distribution Service 3.0
04-05-2013 16:01:10 System Checkpoint
05-05-2013 17:02:13 System Checkpoint
06-05-2013 17:24:53 System Checkpoint
08-05-2013 13:40:48 System Checkpoint
09-05-2013 19:58:11 System Checkpoint
11-05-2013 14:18:28 System Checkpoint
13-05-2013 16:57:46 System Checkpoint
15-05-2013 11:48:08 System Checkpoint
16-05-2013 18:15:06 System Checkpoint
17-05-2013 19:55:37 System Checkpoint
21-05-2013 19:55:29 Removed Java 7 Update 10
21-05-2013 19:55:56 Installed Java 7 Update 21
23-05-2013 00:49:30 Software Distribution Service 3.0
24-05-2013 17:00:03 Software Distribution Service 3.0
25-05-2013 19:58:11 Software Distribution Service 3.0
27-05-2013 18:13:18 Software Distribution Service 3.0
28-05-2013 20:27:09 System Checkpoint
30-05-2013 01:27:03 Software Distribution Service 3.0

==================== Faulty Device Manager Devices =============

Name: Intel® PRO/Wireless 3945ABG Network Connection
Description: Intel® PRO/Wireless 3945ABG Network Connection
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Intel Corporation
Service: NETw5x32
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Broadcom NetXtreme 57xx Gigabit Controller
Description: Broadcom NetXtreme 57xx Gigabit Controller
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Broadcom
Service: b57w2k
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (05/29/2013 08:16:08 PM) (Source: Broadcom ASF IP Monitor) (User: )
Description: !ERROR 53 Refreshing BMAPI data

Error: (05/28/2013 00:29:51 PM) (Source: Broadcom ASF IP Monitor) (User: )
Description: !ERROR 53 Refreshing BMAPI data

Error: (05/22/2013 01:49:10 PM) (Source: Broadcom ASF IP Monitor) (User: )
Description: !ERROR 53 Refreshing BMAPI data

Error: (05/21/2013 06:38:22 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (05/21/2013 06:38:22 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (05/20/2013 04:07:56 PM) (Source: Application Error) (User: )
Description: Fault bucket -707920941.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication.  The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (05/20/2013 04:07:53 PM) (Source: Application Error) (User: )
Description: Faulting application drakensangonline.exe, version 0.0.0.0, faulting module drakensangonline.exe, version 0.0.0.0, fault address 0x0066de7d.
Processing media-specific event for [drakensangonline.exe!ws!]

Error: (05/11/2013 04:35:05 PM) (Source: Application Error) (User: )
Description: Fault bucket -1386201031.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication.  The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (05/11/2013 04:34:55 PM) (Source: Application Error) (User: )
Description: Faulting application game.exe, version 3.0.0.1, faulting module rgss301.dll, version 3.0.1.1, fault address 0x00111a1c.
Processing media-specific event for [game.exe!ws!]

Error: (05/02/2013 04:28:59 AM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 0x80070002, P2 mpupdateengine, P3 am bdd, P4 11.1.4340.0, P5 mpsigstub.exe, P6 4.1.522.0, P7 microsoft security essentials, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.


System errors:
=============
Error: (05/30/2013 07:41:33 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.6 for the Network Card with network address 001C230764A3 has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (05/29/2013 08:17:28 PM) (Source: Service Control Manager) (User: )
Description: The Window Washer Engine service terminated unexpectedly.  It has done this 1 time(s).

Error: (05/28/2013 00:31:08 PM) (Source: Service Control Manager) (User: )
Description: The Window Washer Engine service terminated unexpectedly.  It has done this 1 time(s).

Error: (05/27/2013 01:03:29 PM) (Source: Service Control Manager) (User: )
Description: The Window Washer Engine service terminated unexpectedly.  It has done this 1 time(s).

Error: (05/26/2013 02:38:58 PM) (Source: Service Control Manager) (User: )
Description: The Window Washer Engine service terminated unexpectedly.  It has done this 1 time(s).

Error: (05/25/2013 02:47:28 PM) (Source: Service Control Manager) (User: )
Description: The Window Washer Engine service terminated unexpectedly.  It has done this 1 time(s).

Error: (05/24/2013 08:26:45 PM) (Source: Service Control Manager) (User: )
Description: The Window Washer Engine service terminated unexpectedly.  It has done this 2 time(s).

Error: (05/24/2013 11:48:43 AM) (Source: Service Control Manager) (User: )
Description: The Microsoft Antimalware Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 15000 milliseconds: Restart the service.

Error: (05/24/2013 11:48:35 AM) (Source: Service Control Manager) (User: )
Description: The Window Washer Engine service terminated unexpectedly.  It has done this 1 time(s).

Error: (05/24/2013 11:47:36 AM) (Source: System Error) (User: )
Description: Error code 10000050, parameter1 e166a000, parameter2 00000001, parameter3 bf04963f, parameter4 00000001.


Microsoft Office Sessions:
=========================
Error: (05/29/2013 08:16:08 PM) (Source: Broadcom ASF IP Monitor)(User: )
Description: !ERROR 53 Refreshing BMAPI data

Error: (05/28/2013 00:29:51 PM) (Source: Broadcom ASF IP Monitor)(User: )
Description: !ERROR 53 Refreshing BMAPI data

Error: (05/22/2013 01:49:10 PM) (Source: Broadcom ASF IP Monitor)(User: )
Description: !ERROR 53 Refreshing BMAPI data

Error: (05/21/2013 06:38:22 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (05/21/2013 06:38:22 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (05/20/2013 04:07:56 PM) (Source: Application Error)(User: )
Description: -707920941

Error: (05/20/2013 04:07:53 PM) (Source: Application Error)(User: )
Description: drakensangonline.exe0.0.0.0drakensangonline.exe0.0.0.00066de7d

Error: (05/11/2013 04:35:05 PM) (Source: Application Error)(User: )
Description: -1386201031

Error: (05/11/2013 04:34:55 PM) (Source: Application Error)(User: )
Description: game.exe3.0.0.1rgss301.dll3.0.1.100111a1c

Error: (05/02/2013 04:28:59 AM) (Source: MPSampleSubmission)(User: )
Description: mptelemetry0x80070002mpupdateengineam bdd11.1.4340.0mpsigstub.exe4.1.522.0microsoft security essentialsNILNILNIL


==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 3062.05 MB
Available physical RAM: 2622.41 MB
Total Pagefile: 4947.64 MB
Available Pagefile: 4650.85 MB
Total Virtual: 2047.88 MB
Available Virtual: 1957.68 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:74.53 GB) (Free:14.78 GB) NTFS ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 75 GB) (Disk ID: 31863185)
Partition 1: (Active) - (Size=75 GB) - (Type=07 NTFS)

==================== End Of Log ============================

ASWMBR.TXT

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-05-30 20:01:54
-----------------------------
20:01:54.593    OS Version: Windows 5.1.2600 Service Pack 3
20:01:54.593    Number of processors: 2 586 0xF02
20:01:54.593    ComputerName: ADMIN-72CC38AFE  UserName: admin
20:01:54.890    Initialize success
20:05:18.718    AVAST engine defs: 13053001
20:07:27.203    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:07:27.218    Disk 0 Vendor: ST980813AS 3.ADB Size: 76319MB BusType: 3
20:07:27.343    Disk 0 MBR read successfully
20:07:27.343    Disk 0 MBR scan
20:07:27.390    Disk 0 Windows XP default MBR code
20:07:27.390    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        76316 MB offset 63
20:07:27.390    Disk 0 scanning sectors +156296385
20:07:27.421    Disk 0 scanning C:\WINDOWS\system32\drivers
20:07:35.140    Service scanning
20:07:50.812    Modules scanning
20:07:54.718    Disk 0 trace - called modules:
20:07:54.734    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
20:07:54.734    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a46cab8]
20:07:55.078    3 CLASSPNP.SYS[ba118fd7] -> nt!IofCallDriver -> \Device\00000079[0x8a544750]
20:07:55.078    5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a4bd940]
20:07:55.390    AVAST engine scan C:\WINDOWS
20:08:04.140    AVAST engine scan C:\WINDOWS\system32
20:09:49.609    AVAST engine scan C:\WINDOWS\system32\drivers
20:10:00.609    AVAST engine scan C:\Documents and Settings\admin
20:10:55.656    File: C:\Documents and Settings\admin\My Documents\compstuff\OTS.exe  **INFECTED** Win32:Trojan-gen
20:46:34.343    AVAST engine scan C:\Documents and Settings\All Users
20:48:09.312    Scan finished successfully
21:10:19.875    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\admin\Desktop\MBR.dat"
21:10:19.875    The log file has been saved successfully to "C:\Documents and Settings\admin\Desktop\aswMBR.txt"

STATUS UPDATE:

Yes, there are new issues.  After running the scan, I loaded Firefox.  Google is my homepage.  This is what I got:

http://i44.tinypic.com/2rcppa9.jpg

Clicking on the DivX window allows Google's movie to play, and then this screen results:

http://i42.tinypic.com/167379w.jpg

Is this normal?  How do I make it so that I don't have to click on it?

Also, the errors with the inability to manipulate new folders through the Save/Open windows extend to more than just MUSHClient.  I tried it with MSWord and Notepad, and it does the same thing in both.  If I use right-click, I can create a new folder, but I can't actually name the folder.  The new folder does not appear until at least one re-accessing of the folder through using Backspace/Folder up.  Deleting the new folder (when it's re-accessed and viewable) also results in the changes not being seen until the folder in which the new folder was made is re-accessed.  It's as though the window is not refreshing when it should.

~*Dari

Edited by DariRyu, 31 May 2013 - 12:06 AM.

#12 whoabuddy

Malware Response Instructor
Location: Cottonwood, AZ

Posted 31 May 2013 - 10:19 AM

Hi Dari,

Thank you for the logs and additional information. I will work on our next steps after reviewing everything.

> I actually don't know how to turn Microsoft Security Essentials off. I've tried and tried, and it will NOT go away.

We will look further into this once we analyze for and remove any infections :)

> I run MUSHClient from a folder.

The reason I asked is that the installation for MUSHclient is known to include malicious toolbars, but it sounds like that is not the case here.

> I actually downloaded Perfect Uninstaller because when I upgraded Window Washer, it kept telling me it was washing the Trellian Toolbar, and that it was among my installed programs, but I could find no trace of it in any part of my computer.

Gotcha, there is a good free alternative called Revo Uninstaller should you need that function in the future, but if it worked for what you needed it for then we can disregard.

> The computer did not restart after telling me about the error. The restart occurred after running one of the programs I was directed to run in the other topic. When this program restarted my computer -- without asking me, mind you -- I got a dialogue window telling me that "Windows has recovered from a serious error".

There is a setting in Windows that tells the computer to restart whenever a Blue Screen of Death (BSOD or STOP Error) occurs, and the subsequent message you are describing is Windows' way of notifying you of what happened without halting your system at a bright blue screen with white text :) The logs are all recorded in the Event Viewer, and we will look further into this once we clean up the PC.

> Clicking on the DivX window allows Google's movie to play

It's hard to say from just those images, but I believe Firefox contains a "click-to-play" media setting, which may explain the behaviour. Today's home page is a set of petri dishes and I have to click the play button before it starts as well; do you think it may have been their design? This is another item we can look at after we clean up the PC.

> Also, the errors with the inability to manipulate new folders through the Save/Open windows extend to more than just MUSHClient. I tried it with MSWord and Notepad, and it does the same thing in both. If I use right-click, I can create a new folder, but I can't actually name the folder. The new folder does not appear until at least one re-accessing of the folder through using Backspace/Folder up. Deleting the new folder (when it's re-accessed and viewable) also results in the changes not being seen until the folder in which the new folder was made is re-accessed. It's as though the window is not refreshing when it should.

These refresh errors could mean a few things, but I will keep this in mind as we do our scans and cleanup to make sure it is not malware-related.

Best Regards,
whoabuddy
Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE

#13 DariRyu (Topic Starter)

Posted 31 May 2013 - 07:18 PM

Thank you very much.  I will await your reply.  :)

~*Dari

#14 whoabuddy

Malware Response Instructor
Location: Cottonwood, AZ

Posted 01 June 2013 - 03:30 PM

Hi Dari,

According to the log, your machine is infected with a Backdoor Trojan. Please read the information below to learn about this type of threat before we proceed.

NOTE: Backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is then sent back to the hacker.

NOTE: If possible, you should disconnect the computer from the Internet and from any networked computers until it is cleaned, using an alternate computer to access the removal instructions. If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately from a clean computer. Although the infection has been identified and may be removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat, and reinstall the OS. Please read: When should I re-format? How should I reinstall?

However if you would like to continue cleaning your machine, please let me know and we will start removing the infection.

Best Regards,
whoabuddy

#15 DariRyu (Topic Starter)

Posted 01 June 2013 - 04:17 PM

I rather have no choice but to attempt to clean this machine and continue to use it.  This is a refurbished computer, and I do not have the disk to wipe the drive.  I am also on a fixed income, so I am unable to just take it somewhere to have it done.  Thank you for finding the issue, and if it can be done, please let me know how.

~*Dari

EDIT: As a note, if it's OTS that tripped the scan, that may not be it. I have had that file on the computer since first turning the computer on. OTS is a scanning tool that the MajorGeeks Support forums use.

Edited by DariRyu, 02 June 2013 - 05:35 AM.