
AVG scan reports IRP Hook rootkits

25 replies to this topic

#1 frequitude

frequitude

  • Members
  • 20 posts
  • OFFLINE
  • Local time:05:45 PM

Posted 11 July 2013 - 11:27 PM

Hello all,

 

My computer and internet has been running slow, but all scans with Microsoft Security Essentials revealed nothing.  So today I decided to switch to AVG 2013 Free and ran a full scan.  It detected 13 threats and automatically fixed 2 of them.  The remaining 11 could not be cleaned but there's an option to remove manually.  I didn't feel comfortable heading down that road so decided to come here for help.  System specs and AVG scan results are as follows.  Thank you very much.

System Specs

 

Windows XP Pro Version 2002 SP3

AMD Athlon XP 2500+, 1.84 GHz

2048 MB Ram

80 GB HD

Results of AVG scan

 

Whole Computer Scan
Medium priority;"13";"2";"11"
Folders selected for scanning:;"Scan Whole Computer"
Started:;"7/11/2013, 6:49:24 PM"
Finished:;"7/11/2013, 8:22:02 PM"
Total object scanned:;"1464825"
User who launched the scan:;"Liam"
 
Status;"Priority";"Name";"Description";"Result"
 
Infected;"Medium";"IRP hook, \Driver\Disk IRP_MJ_CLOSE -> CLASSPNP.SYS ClassDebugPrint+0x618";"C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS";"Cannot be cleaned"
 
Infected;"Medium";"IRP hook, \Driver\Disk IRP_MJ_FLUSH_BUFFERS -> CLASSPNP.SYS ClassIoComplete+0xEF";"C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS";"Cannot be cleaned"
 
Infected;"Medium";"IRP hook, \Driver\Disk IRP_MJ_INTERNAL_DEVICE_CONTROL -> CLASSPNP.SYS ClassInternalIoControl";"C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS";"Cannot be cleaned"
 
Healed;"Medium";"Potentially harmful program HackTool.TEO";"C:\WINDOWS\AutoKMS\AutoKMS.exe";"Secured"
 
Infected;"Medium";"IRP hook, \Driver\Disk IRP_MJ_READ -> CLASSPNP.SYS ClassCompleteRequest+0x13C";"C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS";"Cannot be cleaned"
 
Infected;"Medium";"IRP hook, \Driver\Disk IRP_MJ_DEVICE_CONTROL -> CLASSPNP.SYS ClassIoComplete+0x1C8";"C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS";"Cannot be cleaned"
 
Infected;"Medium";"IRP hook, \Driver\ViaIde IRP_MJ_INTERNAL_DEVICE_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2E38";"C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS";"Cannot be cleaned"
 
Infected;"Medium";"IRP hook, \Driver\Disk IRP_MJ_SHUTDOWN -> CLASSPNP.SYS ClassIoComplete+0xEF";"C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS";"Cannot be cleaned"
 
Infected;"Medium";"IRP hook, \Driver\Disk IRP_MJ_CREATE -> CLASSPNP.SYS ClassDebugPrint+0x618";"C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS";"Cannot be cleaned"
 
Infected;"Medium";"IRP hook, \Driver\Disk IRP_MJ_WRITE -> CLASSPNP.SYS ClassCompleteRequest+0x13C";"C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS";"Cannot be cleaned"
 
Healed;"Medium";"Found Adware.Ezula";"HKLM\SOFTWARE\Classes\AtlBrCon.AtlBrCon";"Secured"
 
Infected;"Medium";"IRP hook, \Driver\hidusb IRP_MJ_CLOSE -> HIDCLASS.SYS +0x1902";"C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS";"Cannot be cleaned"
 
Infected;"Medium";"IRP hook, \Driver\hidusb IRP_MJ_CREATE -> HIDCLASS.SYS +0x1902";"C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS";"Cannot be cleaned"
#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:09:45 AM

Posted 12 July 2013 - 04:17 AM

AVG has said HERE these are most likely False Positives.


Please run a GMER Scan > Directions and Copy and Paste the results back here -

 

Thank You -

 



#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,131 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:45 PM

Posted 12 July 2013 - 07:15 AM

Not all hidden components detected by anti-rootkit (ARK)/anti-virus scanners and security tools are malicious. It is normal for a Firewall, anti-virus and anti-malware software, CD Emulators, sandboxes, virtual machines and Host-based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. Most ARK scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

If your system is infected with malware, there most likely would be some signs of infection or symptoms such as slow performance, high CPU usage, browser redirects, BSODs, etc.

In most cases further investigation.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 frequitude

frequitude
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:05:45 PM

Posted 13 July 2013 - 01:31 AM

Not sure if this begets a new thread, but thought I should add the following.

 

1)  Right after installing AVG but before I did the full computer scan, AVG automatically picked up and secured the following high severity threat:

 

"Trojan horse Dropper.Generic7.BZYB, c:\Documents and Settings\Liam\My Documents\Downloads\Chrome Downloads\YourFileDownloader.exe";"Secured";"7/11/2013, 6:13:59 PM";"File or Directory";"C:\WINDOWS\explorer.exe"
 
 
2)  Since running the full computer scan and creating this post, AVG automatically picked up and secured the following medium security threat:
 
"Potentially harmful program HackTool.TEO, c:\System Volume Information\_restore{0CC1F9CB-711E-4B98-8552-B3129ADC24FC}\RP30\A0001545.exe";"Secured";"7/12/2013, 7:13:16 PM";"File or Directory";"C:\WINDOWS\system32\svchost.exe"
 
#5 frequitude

frequitude
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:05:45 PM

Posted 13 July 2013 - 01:35 AM

AVG has said HERE these are most likely False Positives.

Please run a GMER Scan > Directions and Copy and Paste the results back here -

 

Thank You -

 

 

Gonna do that right now.  Thanks.  Will report back.

 

 

 

Not all hidden components detected by anti-rootkit (ARK)/anti-virus scanners and security tools are malicious. It is normal for a Firewall, anti-virus and anti-malware software, CD Emulators, sandboxes, virtual machines and Host-based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. Most ARK scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

If your system is infected with malware, there most likely would be some signs of infection or symptoms such as slow performance, high CPU usage, browser redirects, BSODs, etc.

In most cases further investigation.

 

Definitely seeing slow performance and high CPU usage.  Had the odd browser redirect.  No BSOD.  Does further investigation need a new thread or should I just start with the GMER scan and work from here?



#6 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:09:45 AM

Posted 13 July 2013 - 02:48 AM

Hi -

Please follow the GMER directions listed at Post #2 and we will see if there is any result.

This may not cure the infection, rather it can give us a second opinion on the infections.

 

Once you Copy / Paste the result, we can make a decision on where to go next -

 

Thank You -



#7 frequitude

frequitude
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:05:45 PM

Posted 13 July 2013 - 02:53 AM

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-07-13 01:51:48
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0 SAMSUNG_SP0802N rev.TK100-23 74.56GB
Running: tool.exe; Driver: C:\DOCUME~1\Liam\LOCALS~1\Temp\pxtdapow.sys
 
 
---- System - GMER 2.1 ----
 
SSDT            sptd.sys                                                                                                                                               ZwCreateKey [0xF74ED0D0]
SSDT            sptd.sys                                                                                                                                               ZwEnumerateKey [0xF74F2FB2]
SSDT            sptd.sys                                                                                                                                               ZwEnumerateValueKey [0xF74F3340]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys                                                                                                           ZwNotifyChangeKey [0xF77905D0]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys                                                                                                           ZwNotifyChangeMultipleKeys [0xF7790700]
SSDT            sptd.sys                                                                                                                                               ZwOpenKey [0xF74ED0B0]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys                                                                                                           ZwOpenProcess [0xF7790010]
SSDT            sptd.sys                                                                                                                                               ZwQueryKey [0xF74F3418]
SSDT            sptd.sys                                                                                                                                               ZwQueryValueKey [0xF74F3298]
SSDT            sptd.sys                                                                                                                                               ZwSetValueKey [0xF74F34AA]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys                                                                                                           ZwSuspendProcess [0xF7790300]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys                                                                                                           ZwSuspendThread [0xF77903E0]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys                                                                                                           ZwTerminateProcess [0xF7790120]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys                                                                                                           ZwTerminateThread [0xF7790210]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys                                                                                                           ZwWriteVirtualMemory [0xF77904D0]
 
---- Kernel code sections - GMER 2.1 ----
 
?               C:\WINDOWS\system32\drivers\sptd.sys                                                                                                                   The process cannot access the file because it is being used by another process.
.text           C:\WINDOWS\system32\DRIVERS\nv4_mini.sys                                                                                                               section is writeable [0xB726C3C0, 0x84E2FA, 0xE8000020]
 
---- User code sections - GMER 2.1 ----
 
.text           C:\Program Files\AVG\AVG2013\avgemcx.exe[232] ntdll.dll!LdrQueryImageFileExecutionOptions                                                              7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\Program Files\AVG\AVG2013\avgemcx.exe[232] SHELL32.dll!ShellExecuteExW                                                                              7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!LdrQueryImageFileExecutionOptions                                                                       7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\WINDOWS\system32\spoolsv.exe[388] SHELL32.dll!ShellExecuteExW                                                                                       7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\WINDOWS\system32\LEXPPS.EXE[400] ntdll.dll!LdrQueryImageFileExecutionOptions                                                                        7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\WINDOWS\system32\LEXPPS.EXE[400] SHELL32.dll!ShellExecuteExW                                                                                        7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\WINDOWS\System32\svchost.exe[552] ntdll.dll!LdrQueryImageFileExecutionOptions                                                                       7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\WINDOWS\System32\svchost.exe[552] SHELL32.dll!ShellExecuteExW                                                                                       7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[584] ntdll.dll!LdrQueryImageFileExecutionOptions                7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[584] SHELL32.dll!ShellExecuteExW                                7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\Program Files\AVG\AVG2013\avgidsagent.exe[620] ntdll.dll!LdrQueryImageFileExecutionOptions                                                          7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\Program Files\AVG\AVG2013\avgidsagent.exe[620] SHELL32.dll!ShellExecuteExW                                                                          7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\Program Files\Java\jre7\bin\jqs.exe[760] ntdll.dll!LdrQueryImageFileExecutionOptions                                                                7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\Program Files\Java\jre7\bin\jqs.exe[760] SHELL32.dll!ShellExecuteExW                                                                                7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\Program Files\AVG\AVG2013\avgwdsvc.exe[844] ntdll.dll!LdrQueryImageFileExecutionOptions                                                             7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\Program Files\AVG\AVG2013\avgwdsvc.exe[844] SHELL32.dll!ShellExecuteExW                                                                             7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1092] ntdll.dll!LdrQueryImageFileExecutionOptions          7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1092] SHELL32.dll!ShellExecuteExW                          7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\WINDOWS\System32\svchost.exe[1100] ntdll.dll!LdrQueryImageFileExecutionOptions                                                                      7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\WINDOWS\System32\svchost.exe[1100] SHELL32.dll!ShellExecuteExW                                                                                      7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\WINDOWS\system32\winlogon.exe[1144] ntdll.dll!LdrQueryImageFileExecutionOptions                                                                     7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\WINDOWS\system32\winlogon.exe[1144] SHELL32.dll!ShellExecuteExW                                                                                     7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\WINDOWS\system32\services.exe[1192] ntdll.dll!LdrQueryImageFileExecutionOptions                                                                     7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\WINDOWS\system32\services.exe[1192] SHELL32.dll!ShellExecuteExW                                                                                     7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\WINDOWS\system32\lsass.exe[1204] ntdll.dll!LdrQueryImageFileExecutionOptions                                                                        7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\WINDOWS\system32\lsass.exe[1204] SHELL32.dll!ShellExecuteExW                                                                                        7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\WINDOWS\system32\svchost.exe[1384] ntdll.dll!LdrQueryImageFileExecutionOptions                                                                      7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\WINDOWS\system32\svchost.exe[1384] SHELL32.dll!ShellExecuteExW                                                                                      7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\WINDOWS\system32\svchost.exe[1456] ntdll.dll!LdrQueryImageFileExecutionOptions                                                                      7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\WINDOWS\system32\svchost.exe[1456] SHELL32.dll!ShellExecuteExW                                                                                      7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\WINDOWS\system32\nvsvc32.exe[1520] ntdll.dll!LdrQueryImageFileExecutionOptions                                                                      7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\WINDOWS\system32\nvsvc32.exe[1520] SHELL32.dll!ShellExecuteExW                                                                                      7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\WINDOWS\system32\svchost.exe[1584] ntdll.dll!LdrQueryImageFileExecutionOptions                                                                      7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\WINDOWS\system32\svchost.exe[1584] SHELL32.dll!ShellExecuteExW                                                                                      7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\WINDOWS\System32\svchost.exe[1608] ntdll.dll!LdrQueryImageFileExecutionOptions                                                                      7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\WINDOWS\System32\svchost.exe[1608] SHELL32.dll!ShellExecuteExW                                                                                      7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\Program Files\Bonjour\mDNSResponder.exe[1692] ntdll.dll!LdrQueryImageFileExecutionOptions                                                           7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\Program Files\Bonjour\mDNSResponder.exe[1692] SHELL32.dll!ShellExecuteExW                                                                           7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\WINDOWS\System32\svchost.exe[1708] ntdll.dll!LdrQueryImageFileExecutionOptions                                                                      7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\WINDOWS\System32\svchost.exe[1708] SHELL32.dll!ShellExecuteExW                                                                                      7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\WINDOWS\system32\svchost.exe[1884] ntdll.dll!LdrQueryImageFileExecutionOptions                                                                      7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\WINDOWS\system32\svchost.exe[1884] SHELL32.dll!ShellExecuteExW                                                                                      7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1944] ntdll.dll!LdrQueryImageFileExecutionOptions                                   7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1944] SHELL32.dll!ShellExecuteExW                                                   7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\Program Files\AVG\AVG2013\avgnsx.exe[1992] ntdll.dll!LdrQueryImageFileExecutionOptions                                                              7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\Program Files\AVG\AVG2013\avgnsx.exe[1992] SHELL32.dll!ShellExecuteExW                                                                              7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\WINDOWS\Explorer.EXE[2132] ntdll.dll!LdrQueryImageFileExecutionOptions                                                                              7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\WINDOWS\Explorer.EXE[2132] SHELL32.dll!ShellExecuteExW                                                                                              7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtCreateFile + 6                   7C90D0B4 4 Bytes  [28, 50, 86, 00]
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtCreateFile + B                   7C90D0B9 1 Byte  [E2]
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtMapViewOfSection + 6             7C90D524 4 Bytes  [28, 53, 86, 00]
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtMapViewOfSection + B             7C90D529 1 Byte  [E2]
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtOpenFile + 6                     7C90D5A4 4 Bytes  [68, 50, 86, 00]
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtOpenFile + B                     7C90D5A9 1 Byte  [E2]
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtOpenProcess + 6                  7C90D604 4 Bytes  [A8, 51, 86, 00] {TEST AL, 0x51; XCHG [EAX], AL}
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtOpenProcess + B                  7C90D609 1 Byte  [E2]
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtOpenProcessToken + 6             7C90D614 4 Bytes  CALL 7B915C6A 
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtOpenProcessToken + B             7C90D619 1 Byte  [E2]
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtOpenProcessTokenEx + 6           7C90D624 4 Bytes  [A8, 52, 86, 00] {TEST AL, 0x52; XCHG [EAX], AL}
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtOpenProcessTokenEx + B           7C90D629 1 Byte  [E2]
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtOpenThread + 6                   7C90D664 4 Bytes  [68, 51, 86, 00]
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtOpenThread + B                   7C90D669 1 Byte  [E2]
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtOpenThreadToken + 6              7C90D674 4 Bytes  [68, 52, 86, 00]
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtOpenThreadToken + B              7C90D679 1 Byte  [E2]
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtOpenThreadTokenEx + 6            7C90D684 4 Bytes  CALL 7B915CDB 
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtOpenThreadTokenEx + B            7C90D689 1 Byte  [E2]
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtQueryAttributesFile + 6          7C90D714 4 Bytes  [A8, 50, 86, 00] {TEST AL, 0x50; XCHG [EAX], AL}
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtQueryAttributesFile + B          7C90D719 1 Byte  [E2]
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtQueryFullAttributesFile + 6      7C90D7B4 4 Bytes  CALL 7B915E09 
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtQueryFullAttributesFile + B      7C90D7B9 1 Byte  [E2]
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtSetInformationFile + 6           7C90DC64 4 Bytes  [28, 51, 86, 00]
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtSetInformationFile + B           7C90DC69 1 Byte  [E2]
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtSetInformationThread + 6         7C90DCB4 4 Bytes  [28, 52, 86, 00]
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtSetInformationThread + B         7C90DCB9 1 Byte  [E2]
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtUnmapViewOfSection + 6           7C90DF14 4 Bytes  [68, 53, 86, 00]
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!NtUnmapViewOfSection + B           7C90DF19 1 Byte  [E2]
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] ntdll.dll!LdrQueryImageFileExecutionOptions  7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2268] SHELL32.dll!ShellExecuteExW                  7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\WINDOWS\system32\ctfmon.exe[2360] ntdll.dll!LdrQueryImageFileExecutionOptions                                                                       7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\WINDOWS\system32\ctfmon.exe[2360] SHELL32.dll!ShellExecuteExW                                                                                       7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\WINDOWS\System32\svchost.exe[2372] ntdll.dll!LdrQueryImageFileExecutionOptions                                                                      7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\WINDOWS\System32\svchost.exe[2372] SHELL32.dll!ShellExecuteExW                                                                                      7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2636] ntdll.dll!LdrQueryImageFileExecutionOptions  7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2636] SHELL32.dll!ShellExecuteExW                  7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\WINDOWS\system32\wuauclt.exe[2788] ntdll.dll!LdrQueryImageFileExecutionOptions                                                                      7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\WINDOWS\system32\wuauclt.exe[2788] SHELL32.dll!ShellExecuteExW                                                                                      7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\Documents and Settings\Liam\Desktop\Antivirus Tools\gmer\tool.exe[2916] ntdll.dll!LdrQueryImageFileExecutionOptions                                 7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\Documents and Settings\Liam\Desktop\Antivirus Tools\gmer\tool.exe[2916] SHELL32.dll!ShellExecuteExW                                                 7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\Program Files\AVG\AVG2013\avgui.exe[3072] ntdll.dll!LdrQueryImageFileExecutionOptions                                                               7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\Program Files\AVG\AVG2013\avgui.exe[3072] SHELL32.dll!ShellExecuteExW                                                                               7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[3096] ntdll.dll!LdrQueryImageFileExecutionOptions                                   7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[3096] SHELL32.dll!ShellExecuteExW                                                   7CA0995B 5 Bytes  JMP 7FF90000 
.text           C:\WINDOWS\system32\SearchIndexer.exe[3160] ntdll.dll!LdrQueryImageFileExecutionOptions                                                                7C91BD83 5 Bytes  JMP 7FFA0000 
.text           C:\WINDOWS\system32\SearchIndexer.exe[3160] kernel32.dll!WriteFile                                                                                     7C8112FF 7 Bytes  JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL
.text           C:\WINDOWS\system32\SearchIndexer.exe[3160] SHELL32.dll!ShellExecuteExW                                                                                7CA0995B 5 Bytes  JMP 7FF90000 
 
---- Devices - GMER 2.1 ----
 
Device          \FileSystem\Ntfs \Ntfs                                                                                                                                 8A9091E8
Device          \FileSystem\Fastfat \FatCdrom                                                                                                                          8A6291E8
Device          \Driver\NetBT \Device\NetBT_Tcpip_{DCECF7A1-1C63-4861-AD09-0C0AD8A40688}                                                                               8A4B01E8
 
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                                               avgtdix.sys
 
Device          \Driver\usbuhci \Device\USBPDO-0                                                                                                                       8A6971E8
Device          \Driver\dmio \Device\DmControl\DmIoDaemon                                                                                                              8A89E1E8
Device          \Driver\dmio \Device\DmControl\DmConfig                                                                                                                8A89E1E8
Device          \Driver\dmio \Device\DmControl\DmPnP                                                                                                                   8A89E1E8
Device          \Driver\dmio \Device\DmControl\DmInfo                                                                                                                  8A89E1E8
Device          \Driver\usbuhci \Device\USBPDO-1                                                                                                                       8A6971E8
Device          \Driver\usbuhci \Device\USBPDO-2                                                                                                                       8A6971E8
Device          \Driver\usbehci \Device\USBPDO-3                                                                                                                       8A6741E8
 
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                              avgtdix.sys
 
Device          \Driver\Ftdisk \Device\HarddiskVolume1                                                                                                                 8A90B1E8
Device          \Driver\Cdrom \Device\CdRom0                                                                                                                           8A6681E8
Device          \Driver\atapi \Device\Ide\IdePort0                                                                                                                     [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4                                                                                                            [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort1                                                                                                                     [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c                                                                                                            [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17                                                                                                           [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\Cdrom \Device\CdRom1                                                                                                                           8A6681E8
Device          \Driver\NetBT \Device\NetBt_Wins_Export                                                                                                                8A4B01E8
Device          \Driver\NetBT \Device\NetbiosSmb                                                                                                                       8A4B01E8
 
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                              avgtdix.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                                            avgtdix.sys
 
Device          \Driver\usbuhci \Device\USBFDO-0                                                                                                                       8A6971E8
Device          \Driver\NetBT \Device\NetBT_Tcpip_{EC0C0CD0-BC71-43C9-8A9C-EB6E4D96CD33}                                                                               8A4B01E8
Device          \Driver\usbuhci \Device\USBFDO-1                                                                                                                       8A6971E8
Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                                                                      8A47B790
Device          \Driver\usbuhci \Device\USBFDO-2                                                                                                                       8A6971E8
Device          \FileSystem\MRxSmb \Device\LanmanRedirector                                                                                                            8A47B790
Device          \Driver\usbehci \Device\USBFDO-3                                                                                                                       8A6741E8
Device          \Driver\Ftdisk \Device\FtControl                                                                                                                       8A90B1E8
Device          \FileSystem\Fastfat \Fat                                                                                                                               8A6291E8
 
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                                               fltmgr.sys
 
Device          \FileSystem\Cdfs \Cdfs                                                                                                                                 890AE1E8
 
---- Trace I/O - GMER 2.1 ----
 
Trace           ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys >>UNKNOWN [0x8a8bf8ac]<<                                                        8a8bf8ac
Trace           1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a80bab8]                                                                                                8a80bab8
Trace           3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\0000006c[0x8a8149e8]                                                                           8a8149e8
Trace           5 ACPI.sys[f74ac620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8a813d98]                                                                  8a813d98
 
---- Registry - GMER 2.1 ----
 
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Video\{BF835266-9D3E-4AF7-B1B8-EE0488B30513}\0000@D3D_\x3332\x3331                                               2089309684
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Video\{BF835266-9D3E-4AF7-B1B8-EE0488B30513}\0001@D3D_\x3332\x3331                                               2089309684
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                                                                     771343423
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                                                                     285507792
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0                                                                                                     2
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04                                                                       
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                                                                    1
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                                                                 0x33 0x95 0xC1 0x14 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                                                                       
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                                                    0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                                                 0xAB 0x87 0x30 0x91 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)                                                   
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                                                                        1
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                                                                     0x33 0x95 0xC1 0x14 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)                                                   
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                                                        C:\Program Files\DAEMON Tools\
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                                                        0
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                                                     0x29 0xA7 0x81 0xE7 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)                                          
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                                                               0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                                                            0x51 0x88 0xAC 0xDC ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)                                    
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                                                      0xDF 0xCD 0xC1 0x88 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)                                    
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh                                                      0x9F 0xF5 0x6F 0xA3 ...
Reg             HKLM\SYSTEM\ControlSet003\Control\Video\{BF835266-9D3E-4AF7-B1B8-EE0488B30513}\0000@D3D_\x3332\x3331                                                   2089309684
Reg             HKLM\SYSTEM\ControlSet003\Control\Video\{BF835266-9D3E-4AF7-B1B8-EE0488B30513}\0001@D3D_\x3332\x3331                                                   2089309684
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)                                                   
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                                                                        1
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                                                                     0x33 0x95 0xC1 0x14 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)                                                   
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                                                        0
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                                                     0xAB 0x87 0x30 0x91 ...
 
---- EOF - GMER 2.1 ----

#8 noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling
  • Local time:09:45 AM

Posted 13 July 2013 - 04:19 AM

Hi -

A few items I am still not sure on, so let's take this back to square one -

 

First - Download Security Check by Screen317 from HERE
* Save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: If a security program requests permission to access the Internet, allow it to do so.

 

 

Next - Please download MiniToolBox, save it to your desktop and run it.
Close any Firefox browsers you may have open while it resets Firefox settings.
Checkmark the following boxes:
• Flush DNS
• Report IE Proxy Settings
• Reset IE Proxy Settings
• Report FF Proxy Settings
• Reset FF Proxy Settings
• List content of Hosts
• List IP configuration
• List last 10 Event Viewer log
• List Installed Programs
• List Users, Partitions and Memory size.
• List Minidump Files

Click Go and copy / paste the result (Result.txt).

 

 

Next - You should disable your Antivirus while we scan your machine with ESET OnlineScan

This is best done with Internet Explorer, but other directions are also listed.

1. Hold down the Control key and click HERE to open ESET OnlineScan in a new window.
2. Click the ESET Online Scanner button.
3. NOTE: For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
   - Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
   - Double click on the ESET Online Scanner icon on your desktop.
4. Check "YES, I accept the Terms of Use."
5. Click the Start button.
6. Accept any security warnings from your browser.
7. Under scan settings, check "Scan Archives" and "Remove found threats".
8. Click Advanced settings and select the following:
   - Scan potentially unwanted applications
   - Scan for potentially unsafe applications
   - Enable Anti-Stealth technology
9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient, as this will take some time to download the program for a first time and then download the updated database (1 to 2 hours is not unusual).
10. When the scan completes, click List Threats.
11. Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
12. Click the Back button.
13. Click the Finish button.

 

 

 

Finally - Please download AdwCleaner by Xplode onto your desktop.

* Close all open programs and internet browsers.
* Double click on adwcleaner.exe to run the tool.
* Click on Delete.
* Confirm each time with Ok.
* NOTE: Your computer will be rebooted automatically. A text file will open after the restart.

* Please post the contents of that logfile with your next reply.
* You can find the logfile at C:\AdwCleaner[S1].txt as well.

 

 

Thank You -



#9 frequitude

  • Topic Starter
  • Members
  • 20 posts
  • Local time:05:45 PM

Posted 14 July 2013 - 06:29 AM

 Results of screen317's Security Check version 0.99.69  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Disabled!  
AVG AntiVirus Free Edition 2013   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 MVPS Hosts File  
 Windows Defender Signatures   
 Malwarebytes Anti-Malware version 1.75.0.1300  
 CCleaner     
 Java™ 6 Update 31  
 Java 7 Update 15  
 Java™ SE Runtime Environment 6 Update 1 
 Java version out of Date! 
 Adobe Flash Player 11.7.700.202  
 Adobe Reader 10.1.7 Adobe Reader out of Date!  
 Mozilla Firefox 20.0.1 Firefox out of Date!  
````````Process Check: objlist.exe by Laurent````````  
 AVG avgwdsvc.exe 
 AVG avgrsx.exe 
 AVG avgnsx.exe 
 AVG avgemc.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:: 11% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log`````````````````````` 
 

 



#10 frequitude

  • Topic Starter
  • Members
  • 20 posts
  • Local time:05:45 PM

Posted 14 July 2013 - 06:32 AM

MiniToolBox by Farbar  Version: 13-07-2013
Ran by Liam (administrator) on 13-07-2013 at 21:58:09
Running from "C:\Documents and Settings\Liam\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
Windows IP Configuration

Successfully flushed the DNS Resolver Cache.
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
 
========================= FF Proxy Settings: ============================== 
 
 
"Reset FF Proxy Settings": Firefox Proxy settings were reset.
 
========================= Hosts content: =================================
 
127.0.0.1       localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
 
There are 15448 more lines starting with "127.0.0.1"
 
========================= IP Configuration: ================================
 
3Com 3C900COMBO-based Ethernet Adapter (Generic) = Local Area Connection (Disconnected)
VIA Compatable Fast Ethernet Adapter = Local Area Connection 2 (Connected)
1394 Net Adapter = 1394 Connection (Connected)
Linksys Wireless-G PCI Network Adapter with SpeedBooster = Wireless Network Connection (Connected)
 
 
# ---------------------------------- 
# Interface IP Configuration         
# ---------------------------------- 
pushd interface ip
 
 
# Interface IP Configuration for "Wireless Network Connection"
 
set address name="Wireless Network Connection" source=dhcp 
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp
 
# Interface IP Configuration for "Local Area Connection 2"
 
set address name="Local Area Connection 2" source=dhcp 
set dns name="Local Area Connection 2" source=dhcp register=PRIMARY
set wins name="Local Area Connection 2" source=dhcp
 
 
popd
# End of interface IP configuration
 
 
Windows IP Configuration

        Host Name . . . . . . . . . . . . : lmd
        Primary Dns Suffix  . . . . . . . : 
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . : 
        Description . . . . . . . . . . . : Linksys Wireless-G PCI Network Adapter with SpeedBooster
        Physical Address. . . . . . . . . : 00-18-F8-29-D4-26
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.102
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 64.59.135.133
                                            64.59.128.120
        Lease Obtained. . . . . . . . . . : Saturday, July 13, 2013 9:39:52 PM
        Lease Expires . . . . . . . . . . : Saturday, July 13, 2013 10:39:52 PM

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : 
        Description . . . . . . . . . . . : VIA Compatable Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-0C-76-1A-AA-AD
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.124
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 64.59.135.133
                                            64.59.128.120
        Lease Obtained. . . . . . . . . . : Saturday, July 13, 2013 9:39:46 PM
        Lease Expires . . . . . . . . . . : Saturday, July 13, 2013 10:39:46 PM

Server:  nsc1.so.cg.shawcable.net
Address:  64.59.135.133
 
Name:    google.com
Addresses:  24.244.4.94, 24.244.4.109, 24.244.4.99, 24.244.4.113
 24.244.4.89, 24.244.4.98, 24.244.4.103, 24.244.4.88, 24.244.4.108
 24.244.4.119, 24.244.4.104, 24.244.4.114, 24.244.4.123, 24.244.4.93
 24.244.4.84, 24.244.4.118
 
Pinging google.com [24.244.4.94] with 32 bytes of data:

Reply from 24.244.4.94: bytes=32 time=7ms TTL=61
Reply from 24.244.4.94: bytes=32 time=10ms TTL=61

Ping statistics for 24.244.4.94:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 7ms, Maximum = 10ms, Average = 8ms

Server:  nsc1.so.cg.shawcable.net
Address:  64.59.135.133
 
Name:    yahoo.com
Addresses:  206.190.36.45, 98.139.183.24, 98.138.253.109
 
Pinging yahoo.com [206.190.36.45] with 32 bytes of data:

Reply from 206.190.36.45: bytes=32 time=35ms TTL=54
Reply from 206.190.36.45: bytes=32 time=61ms TTL=54

Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 35ms, Maximum = 61ms, Average = 48ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 18 f8 29 d4 26 ...... Linksys Wireless-G PCI Network Adapter with SpeedBooster - Packet Scheduler Miniport
0x10004 ...00 0c 76 1a aa ad ...... VIA Compatable Fast Ethernet Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.102  25
          0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.124  20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1  1
      169.254.0.0      255.255.0.0    192.168.0.124   192.168.0.124  20
      192.168.0.0    255.255.255.0    192.168.0.102   192.168.0.102  25
      192.168.0.0    255.255.255.0    192.168.0.124   192.168.0.124  20
    192.168.0.102  255.255.255.255        127.0.0.1       127.0.0.1  25
    192.168.0.124  255.255.255.255        127.0.0.1       127.0.0.1  20
    192.168.0.255  255.255.255.255    192.168.0.102   192.168.0.102  25
    192.168.0.255  255.255.255.255    192.168.0.124   192.168.0.124  20
        224.0.0.0        240.0.0.0    192.168.0.102   192.168.0.102  25
        224.0.0.0        240.0.0.0    192.168.0.124   192.168.0.124  20
  255.255.255.255  255.255.255.255    192.168.0.102   192.168.0.102  1
  255.255.255.255  255.255.255.255    192.168.0.124   192.168.0.124  1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
  None
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (07/11/2013 11:36:17 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\MY DOCUMENTS\MY PICTURES> in the hash map cannot be updated.
 
Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
 
Error: (07/11/2013 11:36:17 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\MY DOCUMENTS\MY PICTURES> in the hash map cannot be updated.
 
Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
 
Error: (07/11/2013 11:36:17 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\DESKTOP\NEW FOLDER (2)> in the hash map cannot be updated.
 
Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
 
Error: (07/11/2013 11:36:17 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\DESKTOP\NEW FOLDER (2)> in the hash map cannot be updated.
 
Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
 
Error: (07/11/2013 11:36:17 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\DESKTOP\NEW FOLDER\EMILY1.JPG> in the hash map cannot be updated.
 
Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
 
Error: (07/11/2013 11:36:17 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\DESKTOP\NEW FOLDER\EMILY1.JPG> in the hash map cannot be updated.
 
Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
 
Error: (07/11/2013 11:36:17 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\DESKTOP\NEW FOLDER> in the hash map cannot be updated.
 
Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
 
Error: (07/11/2013 11:36:17 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\DESKTOP\NEW FOLDER> in the hash map cannot be updated.
 
Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
 
Error: (07/11/2013 11:36:17 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\DESKTOP\EMILY1.JPG> in the hash map cannot be updated.
 
Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
 
Error: (07/11/2013 11:36:17 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\DESKTOP\EMILY1.JPG> in the hash map cannot be updated.
 
Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
 
 
System errors:
=============
Error: (07/13/2013 01:48:15 AM) (Source: 0) (User: )
Description: \Device\Ide\IdePort0
 
Error: (07/13/2013 01:47:04 AM) (Source: 0) (User: )
Description: \Device\Ide\IdePort0
 
Error: (07/13/2013 01:36:11 AM) (Source: 0) (User: )
Description: \Device\Ide\IdePort0
 
Error: (07/13/2013 01:34:12 AM) (Source: 0) (User: )
Description: \Device\Ide\IdePort0
 
Error: (07/13/2013 01:32:40 AM) (Source: 0) (User: )
Description: \Device\Ide\IdePort0
 
Error: (07/13/2013 01:32:34 AM) (Source: 0) (User: )
Description: \Device\Ide\IdePort0
 
Error: (07/13/2013 01:30:10 AM) (Source: 0) (User: )
Description: \Device\Ide\IdePort0
 
Error: (07/13/2013 01:29:59 AM) (Source: 0) (User: )
Description: \Device\Ide\IdePort0
 
Error: (07/13/2013 01:28:15 AM) (Source: 0) (User: )
Description: \Device\Ide\IdePort0
 
Error: (07/13/2013 01:27:46 AM) (Source: 0) (User: )
Description: \Device\Ide\IdePort0
 
 
Microsoft Office Sessions:
=========================
Error: (07/11/2013 11:36:17 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\MY DOCUMENTS\MY PICTURES
 
Error: (07/11/2013 11:36:17 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\MY DOCUMENTS\MY PICTURES
 
Error: (07/11/2013 11:36:17 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\DESKTOP\NEW FOLDER (2)
 
Error: (07/11/2013 11:36:17 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\DESKTOP\NEW FOLDER (2)
 
Error: (07/11/2013 11:36:17 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\DESKTOP\NEW FOLDER\EMILY1.JPG
 
Error: (07/11/2013 11:36:17 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\DESKTOP\NEW FOLDER\EMILY1.JPG
 
Error: (07/11/2013 11:36:17 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\DESKTOP\NEW FOLDER
 
Error: (07/11/2013 11:36:17 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\DESKTOP\NEW FOLDER
 
Error: (07/11/2013 11:36:17 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\DESKTOP\EMILY1.JPG
 
Error: (07/11/2013 11:36:17 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\DESKTOP\EMILY1.JPG
 
 
=========================== Installed Programs ============================
 
µTorrent (Version: 3.1.3)
Adobe Flash Player 11 ActiveX (Version: 11.6.602.168)
Adobe Flash Player 11 Plugin (Version: 11.7.700.202)
Adobe Reader X (10.1.7) (Version: 10.1.7)
Apple Application Support (Version: 2.2.2)
Apple Mobile Device Support (Version: 6.0.0.59)
Apple Software Update (Version: 2.1.3.127)
AutoUpdate (Version: 1.1)
AVG 2013 (Version: 13.0.3204)
AVG 2013 (Version: 13.0.3349)
AVG 2013 (Version: 2013.0.3349)
BIG-IP Edge Client Components (All Users) (Version: 70.2013.0213.2310)
Bonjour (Version: 3.0.0.10)
CCleaner (Version: 4.01)
Citrix Authentication Manager (Version: 4.0.0.53726)
Citrix Receiver (HDX Flash Redirection) (Version: 13.4.0.25)
Citrix Receiver (Version: 13.4.0.25)
Citrix Receiver Inside (Version: 3.4.0.29585)
Citrix Receiver Updater (Version: 3.4.0.29577)
Citrix Receiver(Aero) (Version: 13.4.0.25)
Citrix Receiver(DV) (Version: 13.4.0.25)
Citrix Receiver(USB) (Version: 13.4.0.25)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
DivX Codec (Version: 6.7.0)
Dropbox (Version: 2.0.22)
Google Chrome (Version: 28.0.1500.72)
Google Update Helper (Version: 1.3.21.153)
iTunes (Version: 10.7.0.21)
Java 7 Update 15 (Version: 7.0.150)
Java Auto Updater (Version: 2.1.9.0)
Java™ 6 Update 31 (Version: 6.0.310)
Java™ SE Runtime Environment 6 Update 1 (Version: 1.6.0.10)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Fix it Center (Version: 1.0.0100)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Primary Interop Assemblies (Version: 11.0.6553.0)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Professional 2010 (Version: 14.0.6029.1000)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Single Image 2010 (Version: 14.0.6029.1000)
Microsoft Office Visio Professional 2003 (Version: 11.0.8173.0)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Silverlight (Version: 5.1.20125.0)
Microsoft Software Update for Web Folders  (English) 14 (Version: 14.0.6029.1000)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2005 Tools for Office Runtime (Version: 8.0.60940.0)
Mozilla Firefox 20.0.1 (x86 en-US) (Version: 20.0.1)
Mozilla Maintenance Service (Version: 20.0.1)
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
NVIDIA Control Panel 307.83 (Version: 307.83)
NVIDIA Graphics Driver 307.83 (Version: 307.83)
NVIDIA Install Application (Version: 2.1002.109.706)
NVIDIA nView 136.53 (Version: 136.53)
NVIDIA Update 1.10.8 (Version: 1.10.8)
NVIDIA Update Components (Version: 1.10.8)
Online Plug-in (Version: 13.4.0.25)
QuickTime (Version: 7.70.80.34)
RETScreen (Version: 1.0.1)
RETScreen Version 4 (Version: 4.0.14.0)
Segoe UI (Version: 14.0.4327.805)
Self-service Plug-in (Version: 3.4.0.33684)
Skype™ 5.10 (Version: 5.10.116)
Sound Blaster Live!
Symantec KB-DocID:2003093015493306 (Version: 1.0.0.1)
TurboTax 2012 (Version: 1.00.0000)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (Version: 1)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2597090) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2598240) 32-Bit Edition
Update for Windows Internet Explorer 7 (KB976749) (Version: 1)
Update for Windows Internet Explorer 7 (KB980182) (Version: 1)
Update for Windows Internet Explorer 8 (KB2598845) (Version: 1)
Update for Windows Internet Explorer 8 (KB2632503) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows Internet Explorer 8 (KB980182) (Version: 1)
Update for Windows Internet Explorer 8 (KB980302) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2492386) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2616676-v2) (Version: 2)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB961503) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
USB Video Driver (Version: 1.00)
VLC media player 2.0.1 (Version: 2.0.1)
WebFldrs XP (Version: 9.50.6513)
Windows Defender Signatures (Version: 1.20.0.0)
Windows Driver Package - Advanced Micro Devices, Inc. (USB28xxBGA) Media  (08/31/2007 5.7.0831.0) (Version: 08/31/2007 5.7.0831.0)
Windows Driver Package - eMPIA Technology Inc, (emAudio) MEDIA  (08/31/2007 5.7.0831.0) (Version: 08/31/2007 5.7.0831.0)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Live Call (Version: 14.0.8064.0206)
Windows Live Communications Platform (Version: 14.0.8098.930)
Windows Live Essentials (Version: 14.0.8089.0726)
Windows Live Essentials (Version: 14.0.8089.726)
Windows Live Messenger (Version: 14.0.8089.0726)
Windows Live Sign-in Assistant (Version: 5.000.818.5)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Management Framework Core
Windows Media Connect
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series (Version: 9.00.2980)
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows Search 4.0 (Version: 04.00.6001.503)
Windows XP Service Pack 3 (Version: 20080414.031525)
WinRAR archiver
Yahoo! Detect
 
========================= Memory info: ===================================
 
Percentage of memory in use: 39%
Total physical RAM: 2047.48 MB
Available physical RAM: 1236.21 MB
Total Pagefile: 2281.09 MB
Available Pagefile: 1667.96 MB
Total Virtual: 2047.88 MB
Available Virtual: 1972.01 MB
 
========================= Partitions: =====================================
 
2 Drive c: () (Fixed) (Total:74.55 GB) (Free:15.05 GB) NTFS
 
========================= Users: ========================================
 
User accounts for \\LMD
 
Administrator            ASPNET                   Guest                    
HelpAssistant            Liam                     SUPPORT_388945a0         
UpdatusUser              
 
 
**** End of log ****

Edited by frequitude, 14 July 2013 - 06:33 AM.


#11 frequitude

frequitude
  • Topic Starter

  • Members
  • 20 posts

Posted 14 July 2013 - 06:34 AM

C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Program Files\HotSpotShield\HSS-1.56-install-anchorfree-243-ask3.exe multiple threats cleaned by deleting - quarantined
C:\System Volume Information\_restore{0CC1F9CB-711E-4B98-8552-B3129ADC24FC}\RP16\A0000523.dll a variant of Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{0CC1F9CB-711E-4B98-8552-B3129ADC24FC}\RP17\A0000635.dll a variant of Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
C:\WINDOWS\Installer\MSI356.tmp a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
 

 



# AdwCleaner v2.305 - Logfile created 07/14/2013 at 05:09:25
# Updated 11/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Liam - LMD
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Liam\Desktop\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\adawaretb.xml
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Deleted : C:\Documents and Settings\Liam\Application Data\yourfiledownloader
Folder Deleted : C:\Documents and Settings\Liam\Local Settings\Application Data\PackageAware
Folder Deleted : C:\Program Files\Conduit
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3072253
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
[OK] Registry is clean.
 
-\\ Mozilla Firefox v20.0.1 (en-US)
 
File : C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\y12gq3ly.default\prefs.js
 
[OK] File is clean.
 
File : C:\Documents and Settings\Liam\Application Data\Mozilla\Firefox\Profiles\z7qvgi5g.default-1371801246593\prefs.js
 
[OK] File is clean.
 
-\\ Google Chrome v28.0.1500.72
 
File : C:\Documents and Settings\Liam\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[S1].txt - [3259 octets] - [14/07/2013 05:09:25]
 
########## EOF - C:\AdwCleaner[S1].txt - [3319 octets] ##########
 

 



#12 noknojon

noknojon

  • Banned
  • 10,871 posts

Posted 14 July 2013 - 05:43 PM

Hi -

Java™ 6 Update 31
Java 7 Update 15
Java™ SE Runtime Environment 6 Update 1
Java versions out of Date! - Current is Version 7 Update 25
Note that old versions of Java are vulnerable to attack from unwanted programs and infections
You can verify the version of Java installed, http://www.java.com/en/download/installed.jsp?detect=jre
Click on Download on the big Red bar to get the current version, and remove All other versions from Programs and Features
Be sure to untick All offered Toolbars and Add-ons as they are not Java related -

 

Update Adobe Reader to current Version 11

Again, do not accept any Toolbars or Add-ons offered in the update, and be sure the old version is removed -

 

After this, please update me on your situation and how things are running -

 

Thank You -
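As an added triage helper (not part of this thread, AVG, AdwCleaner or any other tool mentioned in it), the Python below parses entries in the format of the Installed Programs log posted above and flags Java runtimes older than the 7 Update 25 release noknojon cites, plus program names listed more than once (the log shows AVG 2013 three times). The sample lines and the current-version threshold are constructed here.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple

# Constructed excerpt in the "Name (Version: x.y.z)" format used by the log above.
SAMPLE_LOG = """\
AVG 2013 (Version: 13.0.3204)
AVG 2013 (Version: 13.0.3349)
Java 7 Update 15 (Version: 7.0.150)
Java Auto Updater (Version: 2.1.9.0)
Java™ 6 Update 31 (Version: 6.0.310)
Java™ SE Runtime Environment 6 Update 1 (Version: 1.6.0.10)
Adobe Reader X (10.1.7) (Version: 10.1.7)
Mozilla Firefox 20.0.1 (x86 en-US) (Version: 20.0.1)
WinRAR archiver
"""

# Lazy name match so "Adobe Reader X (10.1.7) (Version: 10.1.7)" keeps its own parentheses.
ENTRY_RE = re.compile(r"^(?P<name>.*?)\s*\(Version:\s*(?P<version>[^)]*)\)\s*$")
# Java runtime entries: "Java 7 Update 15", "Java™ 6 Update 31", "Java™ SE Runtime Environment 6 Update 1".
JAVA_RE = re.compile(r"^Java™?\s+(?:SE Runtime Environment\s+)?(?P<major>\d+)\s+Update\s+(?P<update>\d+)", re.I)


class Entry(NamedTuple):
    name: str
    version: Optional[str]  # None when the log line carries no "(Version: ...)"


def parse_installed_programs(text: str) -> List[Entry]:
    """Parse one Installed Programs line per entry, keeping log order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group("name").strip(), m.group("version").strip()))
        else:
            entries.append(Entry(line, None))
    return entries


def java_release(name: str) -> Optional[Tuple[int, int]]:
    """(major, update) for a Java runtime entry; None for helpers such as 'Java Auto Updater'."""
    m = JAVA_RE.match(name)
    if not m:
        return None
    return (int(m.group("major")), int(m.group("update")))


def outdated_java(entries: List[Entry], current: Tuple[int, int] = (7, 25)) -> List[Entry]:
    """Every Java runtime below `current`; each leftover old JRE stays exploitable until removed."""
    flagged = []
    for e in entries:
        release = java_release(e.name)
        if release is not None and release < current:
            flagged.append(e)
    return flagged


def duplicate_entries(entries: List[Entry]) -> List[str]:
    """Program names listed more than once (stale or overlapping installs), in first-seen order."""
    counts = Counter(e.name for e in entries)
    seen = []
    for e in entries:
        if counts[e.name] > 1 and e.name not in seen:
            seen.append(e.name)
    return seen
```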



#13 frequitude

frequitude
  • Topic Starter

  • Members
  • 20 posts

Posted 17 July 2013 - 08:41 PM

I have updated Java & Adobe Reader and uninstalled old versions. I have also moved about 10 gigs of files to a backup hard drive to free up some space and then defragged my hard drive.

Defragging seems to have sped things up a bit but things still seem sluggish. High memory use and lots of processes still.

Where to from here? Are you thinking the malware's removed and it's more about cleaning up programs/start up or still more malware cleanup to go?

Thank you for all the help so far.

#14 noknojon

noknojon

  • Banned
  • 10,871 posts

Posted 17 July 2013 - 09:53 PM

Hi -

A few quick scans and then a Temp File Cleaner to finish (I hope)

 

Update your Malwarebytes Anti-Malware program. Run a Quick Scan only and post the log back here

 

 

Download SUPERAntiSpyware Free (aka SAS)
* Double-click SAS -setup.exe and follow the prompts to install the program.
* At the end, click on Check for Updates to be sure it is current
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to reboot the computer after you post the log.

 

 

 

Please download TFC, or Temp File Cleaner by Old Timer
Usage Instructions:

  • Download TFC from the download link above and save the file on your desktop.
  • Close ALL running applications as TFC will terminate them before attempting to clean up the temporary files.
  • Double-click on the TFC icon.
  • When the program opens, click on the Start button.  TFC will terminate the Explorer process and all running applications and then begin the process of cleaning out all of your temp folders.
  • When done, press OK to reboot your computer and finish the cleanup.

Note: Depending on how much data is currently stored in the Temp folders, this process can take quite a while to remove all of the files, so please be patient.

No log is produced, but it may tell you how much was cleaned -

 

 

 

Thank You -



#15 frequitude

frequitude
  • Topic Starter

  • Members
  • 20 posts

Posted 17 July 2013 - 10:49 PM

Before I proceed with that I have another question.  I ran combofix unsupervised a couple months ago.  Dumb probably.  Not sure if I ran it from my desktop as it seems I should have.  Probably not.

 

I now have a combofix folder on my C drive (C:\ComboFix).  In that folder is one file, nircmdb.exe.  There is also a Combofix.txt file right in my C:\ drive.

 

Reading online, one of the things I came across with this is that a guy was having problems installing a Windows update for Microsoft Office.  I've got the same problem.  The latest update won't install.  Coincidence probably.

 

Is this bad?  I'd like to uninstall it completely from my system.  


Edited by frequitude, 17 July 2013 - 10:50 PM.




