What just happened?

15 replies to this topic

#1 amaniateas

amaniateas

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:17 PM

Posted 12 September 2013 - 03:43 AM

Hello all! Nice to be here, although I would wish the same only under different circumstances! Things I noticed out of the ordinary:

1) svchost.exe reaches 50% usage right after boot and at some point (after hours) it goes back to normal.

2) Sometimes wzcsldr2.exe reaches the other 50% at the same time, although not immediately after boot.

3) Upon boot I get various errors regarding rundll32 and a Windows dynamic library whose name I currently don't recall.

4) When I tried to delete rundll32 and copy the original from the WinXP CD, it automatically created another one!

Number 3 came after I used programs like MBAM rootkit, HijackThis, and a couple of others. Still, No. 1 and 2 sometimes both utilize 100% of my CPU. Online scanners I used don't show anything of importance, just like MBAM.

There are just some Heur.Gen entries on AVG, which is known for false positives.




 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,656 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:04:17 AM

Posted 12 September 2013 - 08:17 PM

Welcome aboard

 

Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the reading of the results to me.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size

Click Go and post the result.

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Download Malwarebytes Anti-Rootkit from HERE to your Desktop.
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • DO NOT click on the Cleanup button. Simply exit the program.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt


Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.


If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

NOTE Do NOT wrap your logs in "quote" or "code" brackets.


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click here.
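Two of the reports requested above, the FSS "File Check" and the MiniToolBox "List content of Hosts", come down to a pair of checks a responder can reproduce by hand: hash a fixed list of networking binaries against known-good digests, and flag any hosts entry beyond the stock localhost line. The script below is an added illustration of those two checks and is not code from Farbar's tools or from this thread. Everything in it is constructed for the example: the file names stand in for the system files FSS inspects, the baseline digests are computed from placeholder contents rather than from real Windows binaries, and the hosts text is made up. A real run would hash the actual files under the Windows directory against vendor-published digests.

```python
"""Two offline triage checks modelled on what FSS ("File Check") and
MiniToolBox ("List content of Hosts") report. Added example; not the tools'
code. Sample files, digests and hosts lines below are constructed."""
import hashlib
import os
import shutil
import tempfile

# Constructed stand-ins for the networking binaries FSS hashes. Real triage
# would hash the actual files under the Windows directory against vendor digests.
SAMPLE_FILES = {
    "system32/dhcpcsvc.dll": b"dhcp client service placeholder\n",
    "system32/Drivers/tcpip.sys": b"tcpip driver placeholder\n",
    "system32/svchost.exe": b"service host placeholder\n",
}

# Known-good baseline: derived from the constructed contents above, so the
# digests are only meaningful for this example.
BASELINE = {rel: hashlib.md5(data).hexdigest() for rel, data in SAMPLE_FILES.items()}

# The only hosts entries a stock install carries; anything else gets reviewed.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def md5_of_file(path):
    """Stream the file through MD5 so large binaries do not land in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_files(root, baseline):
    """Map each baseline path to a verdict in the style of the FSS log."""
    verdicts = {}
    for rel, expected in baseline.items():
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path):
            verdicts[rel] = "MISSING"
        elif md5_of_file(path) == expected:
            verdicts[rel] = "MD5 is legit"
        else:
            verdicts[rel] = "MD5 mismatch: review this file"
    return verdicts


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring blank lines and # comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.extend((fields[0], name) for name in fields[1:])
    return entries


def hosts_findings(text):
    """Every mapping that is not one of the stock localhost lines."""
    return [entry for entry in parse_hosts(text) if entry not in DEFAULT_HOSTS]


def demo():
    """Lay out the sample tree, tamper with one file, and run both checks."""
    root = tempfile.mkdtemp()
    try:
        for rel, data in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        # Simulate a replaced svchost.exe: same name, different bytes.
        with open(os.path.join(root, "system32", "svchost.exe"), "wb") as fh:
            fh.write(b"not the original bytes\n")
        verdicts = check_files(root, BASELINE)
    finally:
        shutil.rmtree(root)
    # Constructed hosts file: the stock line plus one added entry.
    hosts_text = "# constructed sample\n127.0.0.1 localhost\n127.0.0.1 example.test\n"
    return verdicts, hosts_findings(hosts_text)


if __name__ == "__main__":
    file_verdicts, extra_hosts = demo()
    for rel, verdict in file_verdicts.items():
        print(f"{rel} => {verdict}")
    print("hosts entries to review:", extra_hosts)
```

Running the script prints one verdict per baseline entry in the same wording FSS uses, with the tampered svchost.exe reported as a mismatch, and lists the one non-default hosts mapping for review. The verdict is only as good as the baseline: a digest list built from the machine under investigation would happily bless a replaced file, which is why the tool compares against digests it ships with rather than anything read from the host.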


 


#3 amaniateas

amaniateas
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:17 PM

Posted 13 September 2013 - 08:33 AM

The first one:

 

 Results of screen317's Security Check version 0.99.73  
 Windows XP Service Pack 3 x86   
 Internet Explorer 6 Out of date! 
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
AVG Anti-Virus Free Edition 2012   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 CCleaner     
 Panda Cloud Cleaner   
 Java™ 6 Update 29  
 Java 7 Update 25  
 Adobe Flash Player 11.8.800.168  
 Adobe Reader 10.0.1 Adobe Reader out of Date!  
 Mozilla Firefox (23.0.1) 
````````Process Check: objlist.exe by Laurent````````  
 AVG avgwdsvc.exe 
 AVG avgtray.exe 
 AVG avgrsx.exe 
 AVG avgnsx.exe 
 AVG avgemc.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive E:: 31% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log`````````````````````` 
 

The Second one:

 

Farbar Service Scanner Version: 13-09-2013
Ran by Apollon (administrator) on 13-09-2013 at 14:38:40
Running from "G:\"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Security Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Other Services:
==============
 
 
File Check:
========
E:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
E:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
E:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
E:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
E:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
E:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
E:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
E:\WINDOWS\system32\netman.dll => MD5 is legit
E:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
E:\WINDOWS\system32\srsvc.dll => MD5 is legit
E:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
E:\WINDOWS\system32\wscsvc.dll => MD5 is legit
E:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
E:\WINDOWS\system32\wuauserv.dll => MD5 is legit
E:\WINDOWS\system32\qmgr.dll => MD5 is legit
E:\WINDOWS\system32\es.dll => MD5 is legit
E:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
E:\WINDOWS\system32\svchost.exe => MD5 is legit
E:\WINDOWS\system32\rpcss.dll => MD5 is legit
E:\WINDOWS\system32\services.exe => MD5 is legit
 
Extra List:
=======
AegisP(10) Avgtdix(9) Gpc(6) IPSec(4) NetBT(5) NVTCP(8) PSched(7) Tcpip(3) 
0x0A0000000400000001000000020000000300000008000000090000000500000006000000070000000A000000
IpSec Tag value is correct.
 
**** End of log ****

 

The third one:

 

MiniToolBox by Farbar  Version: 13-07-2013
Ran by Apollon (administrator) on 13-09-2013 at 14:39:52
Running from "G:\"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
========================= FF Proxy Settings: ============================== 
 
========================= Hosts content: =================================
 
127.0.0.1 localhost
 
========================= IP Configuration: ================================
 
1394 Net Adapter = 1394 Connection 2 (Disconnected)
D-Link DWA-160 Xtreme N Dual Band USB Adapter(rev.B) = Wireless Network Connection (Connected)
NVIDIA nForce Networking Controller = Local Area Connection (Media disconnected)
NVIDIA nForce Networking Controller = Local Area Connection 2 (Media disconnected)
 
 
# ---------------------------------- 
# Interface IP Configuration         
# ---------------------------------- 
pushd interface ip
 
 
# Interface IP Configuration for "Local Area Connection"
 
set address name="Local Area Connection" source=dhcp 
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp
 
# Interface IP Configuration for "Local Area Connection 2"
 
set address name="Local Area Connection 2" source=dhcp 
set dns name="Local Area Connection 2" source=dhcp register=PRIMARY
set wins name="Local Area Connection 2" source=dhcp
 
# Interface IP Configuration for "Wireless Network Connection"
 
set address name="Wireless Network Connection" source=dhcp 
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp
 
 
popd
# End of interface IP configuration
 
 
 
 
Windows IP Configuration
 
 
 
        Host Name . . . . . . . . . . . . : apollon-95ad429
 
        Primary Dns Suffix  . . . . . . . : 
 
        Node Type . . . . . . . . . . . . : Unknown
 
        IP Routing Enabled. . . . . . . . : No
 
        WINS Proxy Enabled. . . . . . . . : No
 
 
 
Ethernet adapter Local Area Connection:
 
 
 
        Media State . . . . . . . . . . . : Media disconnected
 
        Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
 
        Physical Address. . . . . . . . . : 00-1A-92-9B-20-02
 
 
 
Ethernet adapter Local Area Connection 2:
 
 
 
        Media State . . . . . . . . . . . : Media disconnected
 
        Description . . . . . . . . . . . : NVIDIA nForce Networking Controller #2
 
        Physical Address. . . . . . . . . : 00-1A-92-9B-26-6A
 
 
 
Ethernet adapter Wireless Network Connection:
 
 
 
        Connection-specific DNS Suffix  . : 
 
        Description . . . . . . . . . . . : D-Link DWA-160 Xtreme N Dual Band USB Adapter(rev.B)
 
        Physical Address. . . . . . . . . : 00-22-B0-62-61-EB
 
        Dhcp Enabled. . . . . . . . . . . : Yes
 
        Autoconfiguration Enabled . . . . : Yes
 
        IP Address. . . . . . . . . . . . : 192.168.0.199
 
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
 
        Default Gateway . . . . . . . . . : 192.168.0.1
 
        DHCP Server . . . . . . . . . . . : 192.168.0.1
 
        DNS Servers . . . . . . . . . . . : 192.168.0.1
 
        Lease Obtained. . . . . . . . . . : Παρασκευή, 13 Σεπτεμβρίου 2013 2:33:12 μμ
 
        Lease Expires . . . . . . . . . . : Σάββατο, 14 Σεπτεμβρίου 2013 2:33:12 μμ
 
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.0.1
 
Name:    google.com
Addresses:  173.194.35.39, 173.194.35.40, 173.194.35.41, 173.194.35.46
 173.194.35.32, 173.194.35.33, 173.194.35.34, 173.194.35.35, 173.194.35.36
 173.194.35.37, 173.194.35.38
 
 
 
Pinging google.com [173.194.35.40] with 32 bytes of data:
 
 
 
Reply from 173.194.35.40: bytes=32 time=68ms TTL=55
 
Reply from 173.194.35.40: bytes=32 time=68ms TTL=55
 
 
 
Ping statistics for 173.194.35.40:
 
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 
Approximate round trip times in milli-seconds:
 
    Minimum = 68ms, Maximum = 68ms, Average = 68ms
 
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.0.1
 
DNS request timed out.
    timeout was 2 seconds.
Name:    yahoo.com
Addresses:  98.139.183.24, 206.190.36.45, 98.138.253.109
 
 
 
Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
 
 
 
Reply from 206.190.36.45: bytes=32 time=271ms TTL=41
 
Reply from 206.190.36.45: bytes=32 time=330ms TTL=42
 
 
 
Ping statistics for 206.190.36.45:
 
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 
Approximate round trip times in milli-seconds:
 
    Minimum = 271ms, Maximum = 330ms, Average = 300ms
 
 
 
Pinging 127.0.0.1 with 32 bytes of data:
 
 
 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
 
 
Ping statistics for 127.0.0.1:
 
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 
Approximate round trip times in milli-seconds:
 
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
 
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1a 92 9b 20 02 ...... NVIDIA nForce Networking Controller - Packet Scheduler Miniport
0x3 ...00 1a 92 9b 26 6a ...... NVIDIA nForce Networking Controller #2 - Packet Scheduler Miniport
0x10005 ...00 22 b0 62 61 eb ...... D-Link DWA-160 Xtreme N Dual Band USB Adapter(rev.B) - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.199  20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1  1
      169.254.0.0      255.255.0.0    192.168.0.199   192.168.0.199  1
      192.168.0.0    255.255.255.0    192.168.0.199   192.168.0.199  20
    192.168.0.199  255.255.255.255        127.0.0.1       127.0.0.1  20
    192.168.0.255  255.255.255.255    192.168.0.199   192.168.0.199  20
        224.0.0.0        240.0.0.0    192.168.0.199   192.168.0.199  20
  255.255.255.255  255.255.255.255    192.168.0.199               3  1
  255.255.255.255  255.255.255.255    192.168.0.199               2  1
  255.255.255.255  255.255.255.255    192.168.0.199   192.168.0.199  1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 E:\WINDOWS\system32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 E:\WINDOWS\system32\nvappfilter.dll [131072] (NVIDIA)
Catalog9 02 E:\WINDOWS\system32\nvappfilter.dll [131072] (NVIDIA)
Catalog9 03 E:\WINDOWS\system32\nvappfilter.dll [131072] (NVIDIA)
Catalog9 04 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 05 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 06 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 E:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 08 E:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 09 E:\WINDOWS\system32\nvappfilter.dll [131072] (NVIDIA)
Catalog9 10 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 19 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 20 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 21 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 22 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 23 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 24 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 25 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 26 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 27 E:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (09/12/2013 10:06:48 AM) (Source: Application Error) (User: )
Description: Faulting application setup.exe, version 0.0.0.0, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [setup.exe!ws!]
 
Error: (09/12/2013 09:57:13 AM) (Source: Application Error) (User: )
Description: Faulting application setup.exe, version 0.0.0.0, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [setup.exe!ws!]
 
Error: (09/12/2013 09:56:03 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.
 
Error: (09/12/2013 09:56:03 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.
 
Error: (09/05/2013 00:07:13 PM) (Source: MsiInstaller) (User: APOLLON-95AD429)
Description: Product: A.F.5 Rename your files 1.1 -- Error 1706. No valid source could be found for product A.F.5 Rename your files 1.1.  The Windows installer cannot continue.
 
Error: (09/05/2013 10:44:53 AM) (Source: Application Error) (User: )
Description: Faulting application ANIWZCSdS.exe, version 1.0.3.7034, faulting module ANIOApi.dll, version 2.0.5.819, fault address 0x00003d5d.
Processing media-specific event for [ANIWZCSdS.exe!ws!]
 
Error: (09/05/2013 10:28:07 AM) (Source: Application Error) (User: )
Description: Faulting application wzcsldr2.exe, version 1.0.10.7034, faulting module msvcrt.dll, version 7.0.2600.5512, fault address 0x00036edf.
Processing media-specific event for [wzcsldr2.exe!ws!]
 
Error: (09/05/2013 10:18:04 AM) (Source: Application Error) (User: )
Description: Faulting application ANIWZCSdS.exe, version 1.0.3.7034, faulting module msvcrt.dll, version 7.0.2600.5512, fault address 0x00036edf.
Processing media-specific event for [ANIWZCSdS.exe!ws!]
 
Error: (09/02/2013 00:36:20 AM) (Source: Application Error) (User: )
Description: Faulting application binarydomain.exe, version 1.0.0.1, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [binarydomain.exe!ws!]
 
Error: (09/02/2013 00:25:02 AM) (Source: Application Error) (User: )
Description: Faulting application ANIWZCSdS.exe, version 1.0.3.7034, faulting module user32.dll, version 5.1.2600.5512, fault address 0x00014acd.
Processing media-specific event for [ANIWZCSdS.exe!ws!]
 
 
System errors:
=============
Error: (09/13/2013 02:33:28 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
 to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20).  This security permission can be modified using the Component Services administrative tool.
 
Error: (09/13/2013 02:33:15 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19).  This security permission can be modified using the Component Services administrative tool.
 
Error: (09/13/2013 02:33:15 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19).  This security permission can be modified using the Component Services administrative tool.
 
Error: (09/13/2013 02:33:15 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19).  This security permission can be modified using the Component Services administrative tool.
 
Error: (09/13/2013 02:32:47 PM) (Source: DCOM) (User: APOLLON-95AD429)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
 to the user APOLLON-95AD429\UpdatusUser SID (S-1-5-21-1935655697-1326574676-1801674531-1007).  This security permission can be modified using the Component Services administrative tool.
 
Error: (09/13/2013 02:32:47 PM) (Source: DCOM) (User: APOLLON-95AD429)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
 to the user APOLLON-95AD429\UpdatusUser SID (S-1-5-21-1935655697-1326574676-1801674531-1007).  This security permission can be modified using the Component Services administrative tool.
 
Error: (09/13/2013 02:32:47 PM) (Source: DCOM) (User: APOLLON-95AD429)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
 to the user APOLLON-95AD429\UpdatusUser SID (S-1-5-21-1935655697-1326574676-1801674531-1007).  This security permission can be modified using the Component Services administrative tool.
 
Error: (09/13/2013 02:32:47 PM) (Source: DCOM) (User: APOLLON-95AD429)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
 to the user APOLLON-95AD429\UpdatusUser SID (S-1-5-21-1935655697-1326574676-1801674531-1007).  This security permission can be modified using the Component Services administrative tool.
 
Error: (09/13/2013 02:32:47 PM) (Source: DCOM) (User: APOLLON-95AD429)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
 to the user APOLLON-95AD429\UpdatusUser SID (S-1-5-21-1935655697-1326574676-1801674531-1007).  This security permission can be modified using the Component Services administrative tool.
 
Error: (09/13/2013 02:32:47 PM) (Source: DCOM) (User: APOLLON-95AD429)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
 to the user APOLLON-95AD429\UpdatusUser SID (S-1-5-21-1935655697-1326574676-1801674531-1007).  This security permission can be modified using the Component Services administrative tool.
 
 
Microsoft Office Sessions:
=========================
Error: (09/12/2013 10:06:48 AM) (Source: Application Error)(User: )
Description: setup.exe0.0.0.00.0.0.000000000
 
Error: (09/12/2013 09:57:13 AM) (Source: Application Error)(User: )
Description: setup.exe0.0.0.00.0.0.000000000
 
Error: (09/12/2013 09:56:03 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.
 
Error: (09/12/2013 09:56:03 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.
 
Error: (09/05/2013 00:07:13 PM) (Source: MsiInstaller)(User: APOLLON-95AD429)
Description: Product: A.F.5 Rename your files 1.1 -- Error 1706. No valid source could be found for product A.F.5 Rename your files 1.1.  The Windows installer cannot continue.(NULL)(NULL)(NULL)(NULL)
 
Error: (09/05/2013 10:44:53 AM) (Source: Application Error)(User: )
Description: ANIWZCSdS.exe1.0.3.7034ANIOApi.dll2.0.5.81900003d5d
 
Error: (09/05/2013 10:28:07 AM) (Source: Application Error)(User: )
Description: wzcsldr2.exe1.0.10.7034msvcrt.dll7.0.2600.551200036edf
 
Error: (09/05/2013 10:18:04 AM) (Source: Application Error)(User: )
Description: ANIWZCSdS.exe1.0.3.7034msvcrt.dll7.0.2600.551200036edf
 
Error: (09/02/2013 00:36:20 AM) (Source: Application Error)(User: )
Description: binarydomain.exe1.0.0.10.0.0.000000000
 
Error: (09/02/2013 00:25:02 AM) (Source: Application Error)(User: )
Description: ANIWZCSdS.exe1.0.3.7034user32.dll5.1.2600.551200014acd
 
 
=========================== Installed Programs ============================
 
15 Days (Version: )
7554 Final Release 1.0.1
A Stroke Of Fate. Operation Valkyrie
A.F.5 Rename your files 1.1 (Version: 1.1.0.0)
Activision® (Version: 1.00.0000)
Adobe Flash Player 11 ActiveX (Version: 11.8.800.168)
Adobe Flash Player 11 Plugin (Version: 11.8.800.168)
Adobe Reader X (10.0.1) (Version: 10.0.1)
Afterfall InSanity (Version: 2.00.0000)
Agricultural Simulator Historical Farming 2012
Airline Tycoon 2 v1.01
Alien Breed: Impact
Alpha Prime (Version: 0.01.000)
Alpha Protocol (Version: 1.00.0000)
Alternativa
Amnesia - The Dark Descent  (Version: 1.0.0)
ANIO Service
ANIWZCS2 Service
Any Video Converter 3.5.8
AREA-51 (remove only) (Version: 1.7.0.11.2.4.3)
Armed Forces Corps
Ashampoo Burning Studio 6 FREE v.6.80 (Version: 6.8.0)
ASUS Smart Doctor (Version: 5.61)
AVG 2012 (Version: 12.0.3222)
AVG 2012 (Version: 12.1.2242)
AVG 2012 (Version: 2012.1.2242)
Awesomenauts
Battlestrike: Shadow of Stalingrad
Binary Domain
Bionic Commando (Version: 1.0)
BioWare Premium Module: Neverwinter Nights - Infinite Dungeons
BioWare Premium Module: Neverwinter Nights - Pirates of the Sword Coast
BioWare Premium Module: Neverwinter Nights - Wyvern Crown of Cormyr
BioWare Premium Module: Neverwinter Nights™ Kingmaker
Blades of Time
BloodRayne
Blur™
BoneTown (Version: 1.1.1)
Borderlands (Version: 1.4.1)
BulletStorm (Version: 1.0.0001.130)
Caesar 3
Camtasia Studio 8 (Version: 8.0.0.878)
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP Navigator EX 3.0
Canon MP560 series MP Drivers
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
Captain Morgane (Version: 1.0)
Cart Life
CCleaner (Version: 3.09)
Ceville 1.0
Children of the Nile: Enhanced Edition + Alexandria Exp.
Cities XL Platinum version 1.00 (Version: 1.00)
Command & Conquer The First Decade (Version: 1.00.0000)
Connect Label Design software
Corel DVD MovieFactory 7 (Version: 7.0.0)
Corel DVD MovieFactory 7 TBYB (Version: 7.0.0)
CPUID CPU-Z 1.58
DAEMON Tools Lite (Version: 4.40.2.0131)
Dead Space 3 Limited Edition
Defraggler (Version: 2.08)
D-Fend Reloaded 1.2.1 (deinstall) (Version: 1.2.1)
D-Link Wireless N Dual Band DWA-160 
Download Accelerator Plus (DAP) (Version: 9707 (Build 2266))
Duke Nukem Forever
EasyBCD 2.2 (Version: 2.2)
Exodus From The Earth
F.E.A.R. 2 Complete
Fable - The Lost Chapters (Version: 1.00.0000)
FairUse Wizard 2 (Version: (LE))
Fallout 3 Game Of The Year Edition (Version: 1.7)
FM Genie Scout 12g version 1.2 (Version: 1.2)
FM Genie Scout 13 version 1.0 13.3.3 (Version: 1.0 13.3.3)
Football Manager 2012
Football Manager 2013
Football Manager 2013 Editor
GameSave Manager (Version: 2.3 (Build 687))
GameSpy Arcade
Geeks3D.com FurMark 1.9.1
GrabIt 1.7.2 Beta 4 (build 997)
HandBrake 0.9.6 (Version: 0.9.6)
Hard Disk Sentinel PRO
Hard Disk Wipe Tool 2.35 build 1178
Hinterland
Impire
Java 7 Update 25 (Version: 7.0.250)
Java Auto Updater (Version: 2.1.9.5)
Java™ 6 Update 29 (Version: 6.0.290)
K-Lite Codec Pack 7.1.0 (Full) (Version: 7.1.0)
Kohan: Immortal Sovereigns
L.A. Noire (Version: 1.00.0000)
Labtec WebCam (Version: 10.51.1130)
Labtec® Camera Driver
Lands Of Lore 1 and 2
League of Legends (Version: 1.3)
Leisure Suit Larry - Box Office Bust (Version: 1.00.0000)
LightScribe  1.4.124.1 (Version: 1.4.124.1)
Logitech Audio Echo Cancellation Component (Version: 10.51.1130)
Logitech Video Enumerator (Version: 10.51.1130)
M.U.D. TV (Version: 1.0.6.0)
Malwarebytes' Anti-Malware version 1.51.1.1800 (Version: 1.51.1.1800)
Mark of the Ninja
Mass Effect 2 Deluxe Edition (Version: v1.02)
Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - ELL (Version: 2.1.21022)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - ELL (Version: 3.1.21022)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 Language Pack - ell (Version: 3.5.21022)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Games for Windows - LIVE (Version: 3.3.24.0)
Microsoft Games for Windows - LIVE Redistributable (Version: 3.2.3.0)
Microsoft Rise Of Nations
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Windows Media Video 9 VCM
Microsoft XNA Framework Redistributable 3.1 (Version: 3.1.10527.0)
Mozilla Firefox 23.0.1 (x86 en-US) (Version: 23.0.1)
Mozilla Maintenance Service (Version: 23.0.1)
MSXML4 Parser (Version: 1.0.0)
MVision (Version: 10.51.1130)
Need For Speed Hot Pursuit 2
Need for Speed™ Carbon
Need for Speed™ Most Wanted
NETGEAR WG111v2 wireless USB 2.0 adapter (Version: 1.0.0.133)
Nuclear Coffee - VideoGet (Version: 2011)
NVIDIA Control Panel 320.49 (Version: 320.49)
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager (Version: 2.03.6026)
NVIDIA GeForce Experience 1.5 (Version: 1.5)
NVIDIA Graphics Driver 320.49 (Version: 320.49)
NVIDIA HD Audio Driver 1.3.24.2 (Version: 1.3.24.2)
NVIDIA Install Application (Version: 2.1002.124.810)
NVIDIA nView 140.62 (Version: 140.62)
NVIDIA nView Desktop Manager (Version: 6.14.10.13570)
NVIDIA PhysX (Version: 9.13.0604)
NVIDIA PhysX System Software 9.13.0604 (Version: 9.13.0604)
NVIDIA Update 4.11.9 (Version: 4.11.9)
NVIDIA Update Components (Version: 4.11.9)
OpenAL
OpenOffice.org 3.3 (Version: 3.3.9567)
Panda Cloud Cleaner (Version: 1.0.68)
Pando Media Booster (Version: 2.6.0.8)
Picture Ripper 4
Port Royale
Prey (Version: 1.0)
PunkBuster Services (Version: 0.990)
Rockstar Games Social Club (Version: 1.0.9.5)
Rome: Total War
Rome: Total War - Alexander
Salammbo
Sandboxie 3.54 (32-bit)
Scarface: The World is Yours (Version: 1.00.0000)
SeaTools for Windows (Version: 1.2.0.6)
SetupChecker (Version: 1.0.0)
Sierra Utilities
Skype Click to Call (Version: 5.6.8442)
Skype™ 5.5 (Version: 5.5.124)
Smart CD Catalog Pro 3
SoundMAX (Version: 5.10.01.6110)
Spec Ops The Line
Spider-Man 2 (Version: 1.0)
Star Wars: The Old Republic (Version: 1.00)
Starcraft
Steam (Version: 1.0.0.0)
StreamTransport version: 1.0.2.2171
TeamViewer 7 (Version: 7.0.12979)
Terminator Salvation (Version: 1.0)
The Amazing Spider-Man
The Blackwell Legacy 2.72.920.0 (Version: 2.72.920.0)
The Sims Complete Collection
The Walking Dead Episode 2 - Starved for Help
The Walking Dead Episode 3 © TellTale Games version 1 (Version: 1)
The Witcher Enhanced Edition (Version: 1.00.0000)
Tom Clancy's H.A.W.X. 2 (Version: 1.0.1)
Ubisoft Game Launcher (Version: 1.0.0.0)
UE3Redist (Version: 1.00.0000)
Utility (Version: 2.00.000)
WebFldrs XP (Version: 9.50.7523)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series (Version: 9.00.2980)
Windows Media Format 11 runtime
WinPcap 4.1.2 (Version: 4.1.0.2001)
WinRAR 4.01 (32-bit) (Version: 4.01.0)
X - Beyond the Frontier
X-Men Origins - Wolverine™ (Version: 1.00.0000)
XML Paper Specification Shared Components Language Pack 1.0
XviD MPEG-4 Video Codec
Zip Motion Block Video codec (Remove Only)
Δήλωση χρήστη Canon MP560 series
Πακέτο γλώσσας του Microsoft .NET Framework 3.5 - ELL
 
========================= Devices: ================================
 
Name: 1394 Net Adapter #2
Description: 1394 Net Adapter
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: NIC1394
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
Name: Enhanced Display Driver Helper Service
Description: Enhanced Display Driver Helper Service
Class Guid: {5458011F-08D4-4605-93A2-F03E61BEDBA3}
Manufacturer: ASUSTeK
Service: asuskbnt
Problem: : Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)
Resolution: A registry problem was detected.
 This can occur when more than one service is defined for a device, if there is a failure opening the service subkey, or if the driver name cannot be obtained from the service subkey. Try these options:
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
Click "Uninstall", and then click "Scan for hardware changes" to load a usable driver.
 
 
========================= Memory info: ===================================
 
Percentage of memory in use: 37%
Total physical RAM: 3326.48 MB
Available physical RAM: 2094.55 MB
Total Pagefile: 6490.21 MB
Available Pagefile: 5431.42 MB
Total Virtual: 2047.88 MB
Available Virtual: 1976.29 MB
 
========================= Partitions: =====================================
 
2 Drive c: () (Fixed) (Total:298.08 GB) (Free:0.19 GB) NTFS
3 Drive d: (New Volume) (Fixed) (Total:931.51 GB) (Free:653.83 GB) NTFS
4 Drive e: (Win XP SP3) (Fixed) (Total:29.29 GB) (Free:1.61 GB) NTFS
5 Drive f: () (Fixed) (Total:29.84 GB) (Free:2.76 GB) NTFS
6 Drive g: () (Removable) (Total:14.94 GB) (Free:14.83 GB) NTFS
7 Drive h: (Win 7) (Fixed) (Total:21.95 GB) (Free:6.86 GB) NTFS
 
========================= Users: ========================================
 
User accounts for \\APOLLON-95AD429
 
Administrator            Apollon                  ASPNET                   
Guest                    HelpAssistant            SUPPORT_388945a0         
UpdatusUser              
 
 
**** End of log ****
 

The fourth one:

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.09.13.05
 
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Apollon :: APOLLON-95AD429 [administrator]
 
Protection: Disabled
 
13/9/2013 3:13:42 μμ
mbam-log-2013-09-13 (15-13-42).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 236655
Time elapsed: 19 minute(s), 53 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 1
E:\Documents and Settings\Apollon\Local Settings\Temp\e2e3VMcY.zip.part (Malware.Packer.ORPC) -> Quarantined and deleted successfully.
 
(end)
 

The fifth ones:

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1005
www.malwarebytes.org
 
Database version: v2013.09.13.05
 
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Apollon :: APOLLON-95AD429 [administrator]
 
13/9/2013 3:49:22 μμ
mbar-log-2013-09-13 (15-49-22).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Kernel memory modifications detected. Deep Anti-Rootkit Scan engaged.
Objects scanned: 239374
Time elapsed: 5 minute(s), 55 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005
 
© Malwarebytes Corporation 2011-2012
 
OS version: 5.1.2600 Windows XP Service Pack 3 x86
 
Account is Administrative
 
Internet Explorer version: 6.0.2900.5512
 
Java version: 1.6.0_29
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, H:\ DRIVE_FIXED
CPU speed: 2.666000 GHz
Memory total: 3488071680, free: 2388533248
 
Downloaded database version: v2013.09.13.05
Downloaded database version: v2013.08.06.01
=======================================
 
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005
 
© Malwarebytes Corporation 2011-2012
 
OS version: 5.1.2600 Windows XP Service Pack 3 x86
 
Account is Administrative
 
Internet Explorer version: 6.0.2900.5512
 
Java version: 1.6.0_29
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, H:\ DRIVE_FIXED
CPU speed: 2.666000 GHz
Memory total: 3488071680, free: 2850590720
 
=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005
 
© Malwarebytes Corporation 2011-2012
 
OS version: 5.1.2600 Windows XP Service Pack 3 x86
 
Account is Administrative
 
Internet Explorer version: 6.0.2900.5512
 
Java version: 1.6.0_29
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, H:\ DRIVE_FIXED
CPU speed: 2.666000 GHz
Memory total: 3488071680, free: 2174464000
 
Initializing...
======================
------------ Kernel report ------------
     09/13/2013 15:49:12
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
sptd.sys
\WINDOWS\System32\Drivers\WMILIB.SYS
\WINDOWS\System32\Drivers\SCSIPORT.SYS
ACPI.sys
pci.sys
ohci1394.sys
\WINDOWS\system32\DRIVERS\1394BUS.SYS
isapnp.sys
compbatt.sys
\WINDOWS\system32\DRIVERS\BATTC.SYS
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
sfsync02.sys
VolSnap.sys
atapi.sys
SI3132.sys
nvata.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltMgr.sys
sr.sys
SiWinAcc.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
SiRemFil.sys
sfvfs02.sys
sfhlp02.sys
sfdrv01.sys
Mup.sys
avgrkx86.sys
avgidshx.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\nv4_mini.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\nvnetbus.sys
\SystemRoot\system32\DRIVERS\NVNRM.SYS
\SystemRoot\system32\DRIVERS\NVSNPU.SYS
\SystemRoot\System32\Drivers\ab55ww15.SYS
\SystemRoot\system32\DRIVERS\ASACPI.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\dtsoftbus01.sys
\SystemRoot\System32\Drivers\ULCDRHlp.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\nvhda32.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\NVENETFD.sys
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\ADIHdAud.sys
\SystemRoot\system32\drivers\AEAudio.sys
\SystemRoot\system32\drivers\Senfilt.sys
\SystemRoot\system32\DRIVERS\avgmfx86.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\System32\DRIVERS\NVTcp.sys
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\avgtdix.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\DRIVERS\avgldx86.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\rt2870.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\dump_nvata.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\nv4_disp.dll
\SystemRoot\System32\ATMFD.DLL
\??\E:\Program Files\Sandboxie\SbieDrv.sys
\SystemRoot\system32\DRIVERS\AegisP.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\??\E:\WINDOWS\system32\ANIO.SYS
\SystemRoot\system32\DRIVERS\atksgt.sys
\SystemRoot\system32\DRIVERS\avgidsshimx.sys
\SystemRoot\system32\drivers\wdmaud.sys
\??\E:\WINDOWS\system32\drivers\cpuz135_x32.sys
\??\E:\WINDOWS\system32\drivers\EIO_XP.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\lirsgt.sys
\SystemRoot\system32\drivers\kmixer.sys
\SystemRoot\system32\DRIVERS\avgidsfilterx.sys
\SystemRoot\system32\DRIVERS\avgidsdriverx.sys
\??\E:\WINDOWS\system32\drivers\mbam.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\ipfltdrv.sys
\??\E:\WINDOWS\system32\drivers\IOMap.sys
\SystemRoot\system32\drivers\splitter.sys
\??\E:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\E:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
\WINDOWS\system32\ntdll.dll
\Program Files\DAEMON Tools Lite\Engine.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk6\DR11
Upper Device Object: 0xffffffff8aadeab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\000000a8\
Lower Device Object: 0xffffffff89e03848
Lower Device Driver Name: \Driver\usbstor\
IRP handler 0 of \Driver\usbstor points to an unknown module
Unhooking enabled.
<<<1>>>
Upper Device Name: \Device\Harddisk6\DR11
Upper Device Object: 0xffffffff8aadeab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\000000a8\
Lower Device Object: 0xffffffff89e03848
Lower Device Driver Name: \Driver\usbstor\
Driver name found: usbstor
Initialization returned 0x0
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk5\DR10
Upper Device Object: 0xffffffff8ac82ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\000000a4\
Lower Device Object: 0xffffffff89dbc848
Lower Device Driver Name: \Driver\usbstor\
Driver name found: usbstor
<<<1>>>
Upper Device Name: \Device\Harddisk4\DR9
Upper Device Object: 0xffffffff8ac9b300
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\000000a3\
Lower Device Object: 0xffffffff89dd8848
Lower Device Driver Name: \Driver\usbstor\
Driver name found: usbstor
<<<1>>>
Upper Device Name: \Device\Harddisk3\DR3
Upper Device Object: 0xffffffff8ad71030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000008d\
Lower Device Object: 0xffffffff8ad56030
Lower Device Driver Name: \Driver\nvata\
Driver name found: nvata
Initialization returned 0x0
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR2
Upper Device Object: 0xffffffff8ada1ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000008b\
Lower Device Object: 0xffffffff8ad72030
Lower Device Driver Name: \Driver\nvata\
Driver name found: nvata
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff8ad56ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000088\
Lower Device Object: 0xffffffff8ad26030
Lower Device Driver Name: \Driver\nvata\
Driver name found: nvata
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8ad72ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000087\
Lower Device Object: 0xffffffff8adfc030
Lower Device Driver Name: \Driver\nvata\
Driver name found: nvata
<<<2>>>
Physical Sector Size: 512
Drive: 2, DevicePointer: 0xffffffff8ada1ab8, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8ada15e0, DeviceName: Unknown, DriverName: \Driver\SiRemFil\
DevicePointer: 0xffffffff8ada17d8, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8ada1ab8, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8ada2f18, DeviceName: \Device\0000008c\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8ad72030, DeviceName: \Device\0000008b\, DriverName: \Driver\nvata\
------------ End ----------
Alternate DeviceName: Unknown, DriverName: \Driver\PartMgr\
Upper DeviceData: 0xffffffffe1642a18, 0xffffffff8ada1ab8, 0xffffffff88083618
Lower DeviceData: 0xffffffffe59d54a0, 0xffffffff8ad72030, 0xffffffff880a16c0
<<<3>>>
Volume: E:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: E:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: E:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: E:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
File user open failed: E:\WINDOWS\SYSTEM32\drivers\sptd.sys (0x00000020)
Done!
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8ad72ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8ad26b78, DeviceName: Unknown, DriverName: \Driver\SiRemFil\
DevicePointer: 0xffffffff8ad26cb8, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8ad72ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8ad73f18, DeviceName: \Device\00000089\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8adfc030, DeviceName: \Device\00000087\, DriverName: \Driver\nvata\
------------ End ----------
Alternate DeviceName: Unknown, DriverName: \Driver\PartMgr\
Upper DeviceData: 0xffffffffe5150a18, 0xffffffff8ad72ab8, 0xffffffff87fce798
Lower DeviceData: 0xffffffffe4b8ad98, 0xffffffff8adfc030, 0xffffffff8807f180
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: B65B810
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 1953520002
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 1000204886016 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-62-1953505168-1953525168)...
Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff8ad56ab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8ad26a38, DeviceName: Unknown, DriverName: \Driver\SiRemFil\
DevicePointer: 0xffffffff8ada1020, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8ad56ab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8ad74d08, DeviceName: \Device\0000008a\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8ad26030, DeviceName: \Device\00000088\, DriverName: \Driver\nvata\
------------ End ----------
Alternate DeviceName: Unknown, DriverName: \Driver\PartMgr\
Upper DeviceData: 0xffffffffe4951dd0, 0xffffffff8ad56ab8, 0xffffffff8806e040
Lower DeviceData: 0xffffffffe5a0ad98, 0xffffffff8ad26030, 0xffffffff88c74380
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: EFEBEFEB
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 625121217
    Partition file system is NTFS
    Partition is bootable
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 320072933376 bytes
Sector size: 512 bytes
 
Done!
Drive 2
Scanning MBR on drive 2...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 1609D8DB
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 61432497
 
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 61432560  Numsec = 46026225
    Partition is not bootable
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 55021510656 bytes
Sector size: 512 bytes
 
Done!
Physical Sector Size: 512
Drive: 3, DevicePointer: 0xffffffff8ad71030, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8ad71e28, DeviceName: Unknown, DriverName: \Driver\SiRemFil\
DevicePointer: 0xffffffff8ada1258, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8ad71030, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8adfcac0, DeviceName: \Device\0000008e\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8ad56030, DeviceName: \Device\0000008d\, DriverName: \Driver\nvata\
------------ End ----------
Alternate DeviceName: Unknown, DriverName: \Driver\PartMgr\
Upper DeviceData: 0xffffffffe37de728, 0xffffffff8ad71030, 0xffffffff87fa0ab8
Lower DeviceData: 0xffffffffe4cef6c0, 0xffffffff8ad56030, 0xffffffff880a6c20
Drive 3
Scanning MBR on drive 3...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C88EDB65
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 62573112
    Partition file system is NTFS
    Partition is not bootable
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 32044482560 bytes
Sector size: 512 bytes
 
Done!
Physical Sector Size: 0
Drive: 4, DevicePointer: 0xffffffff8ac9b300, DeviceName: \Device\Harddisk4\DR9\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff89e80888, DeviceName: Unknown, DriverName: \Driver\SiRemFil\
DevicePointer: 0xffffffff8a199748, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8ac9b300, DeviceName: \Device\Harddisk4\DR9\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff89dd8848, DeviceName: \Device\000000a3\, DriverName: \Driver\usbstor\
------------ End ----------
Physical Sector Size: 0
Drive: 5, DevicePointer: 0xffffffff8ac82ab8, DeviceName: \Device\Harddisk5\DR10\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff89e77888, DeviceName: Unknown, DriverName: \Driver\SiRemFil\
DevicePointer: 0xffffffff89bf8748, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8ac82ab8, DeviceName: \Device\Harddisk5\DR10\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff89dbc848, DeviceName: \Device\000000a4\, DriverName: \Driver\usbstor\
------------ End ----------
Physical Sector Size: 512
Drive: 6, DevicePointer: 0xffffffff8aadeab8, DeviceName: \Device\Harddisk6\DR11\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff89e65888, DeviceName: Unknown, DriverName: \Driver\SiRemFil\
DevicePointer: 0xffffffff89e4d7b0, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8aadeab8, DeviceName: \Device\Harddisk6\DR11\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff89e03848, DeviceName: \Device\000000a8\, DriverName: \Driver\usbstor\
------------ End ----------
Alternate DeviceName: Unknown, DriverName: \Driver\PartMgr\
Upper DeviceData: 0xffffffffe4302078, 0xffffffff8aadeab8, 0xffffffff87fa0040
Lower DeviceData: 0xffffffffe595f588, 0xffffffff89e03848, 0xffffffff88088040
Drive 6
Scanning MBR on drive 6...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C3072E18
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 32  Numsec = 31326175
    Partition file system is NTFS
    Partition is not bootable
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 16039018496 bytes
Sector size: 512 bytes
 
Done!
Read File:  File "e:\documents and settings\all users\application data\avg2012\chjw\2c9c6c249c6be6b4.dat:2a5fb641-730f-4f7b-aa7a-da109dc03e2b" is sparse (flags = 32768)
Read File:  File "e:\documents and settings\all users\application data\avg2012\chjw\2c9c6c249c6be6b4.dat:c7246577-b8b5-4e7f-87aa-6450d5940f18" is sparse (flags = 32768)
Read File:  File "e:\documents and settings\all users\application data\avg2012\chjw\6a247a9a247a6949.dat:6c5dd608-0056-444a-91bf-fe35d8a71f2a" is sparse (flags = 32768)
Scan finished
 

And the final one:

 

Rkill 2.6.1 by Lawrence Abrams (Grinler)
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 09/13/2013 04:04:28 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * E:\WINDOWS\system32\UAService7.exe (PID: 484) [WD-HEUR]
 
1 proccess terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Reparse Point/Junctions Found (Most likely legitimate)!
 
     * E:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a => E:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 [Dir]
     * E:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35 => E:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5 [Dir]
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * E:\WINDOWS\System32\sfcfiles.dll : 1.614.848 : 10/13/2008 03:08 PM : 649b4101c35e996e1866037c28a5fd42 [NoSig]
 
Checking HOSTS File: 
 
 * Cannot edit the HOSTS file.
 * Permissions Fixed. Administrators can now edit the HOSTS file.
 
 * HOSTS file entries found: 
 
  127.0.0.1 localhost
 
Program finished at: 09/13/2013 04:04:54 PM
Execution time: 0 hours(s), 0 minute(s), and 25 seconds(s)


#4 Broni

BC Advisor

Posted 13 September 2013 - 04:57 PM

Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

=============================================================================

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.


=============================================================================

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


=======================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    NOTE. If Eset doesn't find any threats it'll NOT produce any log.


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click the donation link.


 


#5 amaniateas

Topic Starter


Posted 14 September 2013 - 01:35 AM

Is it normal for TFC to seem like it stopped working? It seems frozen for the past 20 minutes saying "Stopping Processes" or something...



#6 Broni

BC Advisor

Posted 14 September 2013 - 03:17 PM

Re-run it from safe mode.




 


#7 amaniateas

Topic Starter


Posted 15 September 2013 - 04:51 PM

Done. I am waiting for the scan to finish and will post again. By the way, any ideas about the errors on boot regarding rundll32 and msvcrt.dll?



#8 Broni

BC Advisor


Posted 15 September 2013 - 05:44 PM

You need to post EXACT error message.




 


#9 amaniateas (Topic Starter)

Posted 15 September 2013 - 06:04 PM

The common thing about all messages appearing is this text:

"the procedure entry point_except_handler4_common could not be located in dynamic link library msvcrt.dll"

 

As for the logs requested, here they are

 

# AdwCleaner v3.003 - Report created 14/09/2013 at 11:06:52
# Updated 07/09/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Apollon - APOLLON-95AD429
# Running from : G:\Second Part\adwcleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v6.0.2900.5512
 
 
-\\ Mozilla Firefox v23.0.1 (en-US)
 
[ File : E:\Documents and Settings\Apollon\Application Data\Mozilla\Firefox\Profiles\u2yfkwg4.default\prefs.js ]
 
 
*************************
 
AdwCleaner[R0].txt - [2409 octets] - [02/09/2013 01:39:19]
AdwCleaner[R1].txt - [2469 octets] - [05/09/2013 10:37:28]
AdwCleaner[R2].txt - [772 octets] - [14/09/2013 11:06:52]
AdwCleaner[S0].txt - [2566 octets] - [05/09/2013 10:45:37]
 
########## EOF - E:\AdwCleaner\AdwCleaner[R2].txt - [891 octets] ##########
 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.0 (09.12.2013:1)
OS: Microsoft Windows XP x86
Ran by Apollon on 14/09/2013 at 11:08:22,45
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ FireFox
 
Emptied folder: E:\Documents and Settings\Apollon\Application Data\mozilla\firefox\profiles\u2yfkwg4.default\minidumps [31 files]
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 14/09/2013 at 11:13:36,59
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
ESET Scan Log File
 
C:\Documents and Settings\Apollon\Application Data\Sun\Java\Deployment\cache\6.0\45\2846da2d-1e83e557 Java/TrojanDownloader.Agent.NCK trojan cleaned by deleting - quarantined
C:\Documents and Settings\Apollon\Desktop\daemon4123-lite.exe Win32/Adware.Toolbar.Shopper application cleaned by deleting - quarantined
C:\Documents and Settings\Apollon\Desktop\unlocker1.8.6.exe Win32/Adware.ADON application cleaned by deleting - quarantined
C:\Documents and Settings\Apollon\Local Settings\Temporary Internet Files\Content.IE5\9PJT1HW9\OrbitSetup4.0.10[1].exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\Downloads\cpu-z_1.57.1-setup-en.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Downloads\OrbitDownloaderSetup3005.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\Downloads\OrbitSetup4.0.4.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\Downloads\OrbitSetup4.1.00.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\games\Hitman Sniper Challenge\buddha.dll a variant of Win32/Packed.VMProtect.AAA trojan cleaned by deleting - quarantined
C:\games\Hitman Sniper Challenge\hmsc_skr.dll a variant of Win32/Packed.VMProtect.AAA trojan cleaned by deleting - quarantined
C:\games\The Amazing Spider-Man\Game.exe Win32/Agent.NAN virus deleted - quarantined
C:\games\The Matrix - Path of Neo\Crack_Budah\daemon400.exe Win32/Adware.WhenU.SaveNow application cleaned by deleting - quarantined
C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe a variant of Win32/HackTool.Patcher.N application cleaned by deleting - quarantined
C:\Program Files\Unlocker\eBay_shortcuts_1016.exe Win32/Adware.ADON application cleaned by deleting - quarantined
D:\Games\Alpha Protocol\Binaries\skidrow.DLL a variant of Win32/Packed.VMProtect.AAA trojan cleaned by deleting - quarantined
D:\Games\Borderlands GOTY Edition\Binaries\paul.dll a variant of Win32/Packed.VMProtect.AAH trojan cleaned by deleting - quarantined
D:\Games\Bulletstorm\Binaries\Win32\xlive.dll a variant of Win32/Packed.VMProtect.AAD trojan cleaned by deleting - quarantined
D:\Games\Spec Ops The Line\Binaries\Win32\buddha.dll a variant of Win32/Packed.VMProtect.AAA trojan cleaned by deleting - quarantined
E:\Documents and Settings\Apollon\Desktop\cnet2_partition_recovery_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
E:\Documents and Settings\Apollon\Desktop\cpu-z_1.58-setup-en.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
E:\Documents and Settings\Apollon\DoctorWeb\Quarantine\PDFB5A.tmp JS/Exploit.Pdfka.OXB.Gen trojan cleaned by deleting - quarantined
E:\Documents and Settings\Apollon\My Documents\Downloads\avc-free.exe Win32/OpenCandy application cleaned by deleting - quarantined
E:\Documents and Settings\Apollon\My Documents\GrabIt Downloads\Total Recorder v8.3.4370\Total.Recorder.v8.3.4370.SE.with.Restoration.and.Speech.AddOn.Incl.Patch.and.Keymaker-ZWT\keygen.exe a variant of Win32/Keygen.GY application cleaned by deleting - quarantined
E:\Program Files\Hard Disk Sentinel\hard.disk.sentinel.pro-MPT.exe a variant of Win32/HackTool.Patcher.T application cleaned by deleting - quarantined
C:\anime games\Utahime Yuunan no Yuuutsu 2.rar Win32/Sality.NAR virus deleted - quarantined
C:\Documents and Settings\Apollon\Local Settings\Temp\DAEMON.Tools.Pro.Advanced.v4.30.0305.rar a variant of Win32/Injector.YD trojan deleted - quarantined
D:\To Catalog\Disk D 60 GB Backup\Downloads\s2k.serials2k7.1.zip a variant of Win32/Dialer.StarDialer application deleted - quarantined
D:\Various to catalog\rld-dom.rar probably a variant of Win32/Agent.ICYBJQM trojan deleted - quarantined
 

I think I saw some cracks among those entries and I think my brother and I have some talking to do...

 

Still after those scans the same problem persists though...



#10 Broni (BC Advisor)

Posted 15 September 2013 - 07:12 PM

and i think my brother and i have some talking to do...

30 lashes :)

 

As for the error...

 

Download Autoruns for Windows: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
No installation required.
Simply unzip Autoruns.zip file, and double click on autoruns.exe file to run the program.
Go File>Save, and save it as an AutoRuns.txt file to a known location.
You must select Text from drop-down menu as a file type:


Upload the file(s) here: http://www.sendspace.com/
Click on Browse button and navigate to the file you want to upload.
Click on Upload button.
Click on FIRST Copy Link button and paste the link in your next reply.




 


#11 amaniateas (Topic Starter)

Posted 17 September 2013 - 05:18 AM

http://www.sendspace.com/file/8cxyll

 

Despite all the cleaning so far, 50% of my cpu is occupied most of the time and 100% for 20 mins...



#12 Broni (BC Advisor)

Posted 17 September 2013 - 01:17 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE

  • Double-click SystemLook.exe to run it.
  • Vista users: Right-click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box and paste it into the main textfield:

:filefind
msvcrt.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

 

Regarding CPU usage...

 

Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Unzip ProcessExplorer.zip, and double click on procexp.exe to run the program.
Click on View > Select Columns.
In addition to the already pre-selected options, make sure the Command Line column is selected, and press OK.
Go File>Save As, and save the report as Procexp.txt.
 

Upload the file(s) here: http://www.sendspace.com/
Click on Browse button and navigate to the file you want to upload.
Click on Upload button.
Click on FIRST Copy Link button and paste the link in your next reply.




 


#13 amaniateas (Topic Starter)

Posted 18 September 2013 - 06:28 PM

Here goes:

 

SystemLook 30.07.11 by jpshortstuff
Log created at 01:58 on 19/09/2013 by Apollon
Administrator - Elevation successful
 
========== filefind ==========
 
Searching for "msvcrt.dll"
E:\Program Files\Java\jre6\bin\msvcrt.dll --a---- 266293 bytes [13:03 05/07/2011] [13:03 05/07/2011] 63DA4613383EC70E047B4CD5C48F0B05
E:\WINDOWS\system32\msvcrt.dll --a---- 343040 bytes [05:42 14/04/2008] [05:42 14/04/2008] 355EDBB4D412B01F1740C17E3F50FA00
E:\WINDOWS\system32\dllcache\msvcrt.dll --a--c- 343040 bytes [05:42 14/04/2008] [05:42 14/04/2008] 355EDBB4D412B01F1740C17E3F50FA00
E:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll -ra---- 322560 bytes [22:36 19/05/2011] [14:00 23/08/2001] 4200BE3808F6406DBE45A7B88DAE5035
E:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll -ra---- 343040 bytes [22:36 19/05/2011] [05:42 14/04/2008] D7075E95AA599EE77B7A89D39296BD3D
 
-= EOF =-

 

 

And the results of Process Explorer: http://www.sendspace.com/file/kufy9w

 

Also, playing around with Process Explorer revealed that a thread of svchost named wuaueng.dll causes 50% cpu usage...
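As an added example (not code from the thread, from SystemLook, or from BleepingComputer), the Python script below parses a SystemLook ":filefind" log such as the one posted above and compares the copies of the DLL it lists: the live copy in system32 against the Windows File Protection reference copy in system32\dllcache, with every other copy grouped by MD5. The embedded log is constructed from the filefind output in the post; the triage rule (report whether the live copy and the dllcache copy carry the same hash, and how many distinct hashes exist across all copies) is the example author's assumption about how to read such a listing, not something the thread itself states.

```python
"""Parse a SystemLook ':filefind' log and compare the listed copies of a DLL.

Added example, not part of the thread or of SystemLook. The sample log is
constructed from the filefind output quoted in the post. The comparison
rule (live system32 copy versus the Windows File Protection reference copy
in system32\\dllcache) is an assumption about how a responder would triage
such a listing.
"""
import re
from collections import defaultdict

# Constructed sample input: the filefind section as posted in the thread.
SYSTEMLOOK_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 01:58 on 19/09/2013 by Apollon
Administrator - Elevation successful

========== filefind ==========

Searching for "msvcrt.dll"
E:\Program Files\Java\jre6\bin\msvcrt.dll --a---- 266293 bytes [13:03 05/07/2011] [13:03 05/07/2011] 63DA4613383EC70E047B4CD5C48F0B05
E:\WINDOWS\system32\msvcrt.dll --a---- 343040 bytes [05:42 14/04/2008] [05:42 14/04/2008] 355EDBB4D412B01F1740C17E3F50FA00
E:\WINDOWS\system32\dllcache\msvcrt.dll --a--c- 343040 bytes [05:42 14/04/2008] [05:42 14/04/2008] 355EDBB4D412B01F1740C17E3F50FA00
E:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll -ra---- 322560 bytes [22:36 19/05/2011] [14:00 23/08/2001] 4200BE3808F6406DBE45A7B88DAE5035
E:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll -ra---- 343040 bytes [22:36 19/05/2011] [05:42 14/04/2008] D7075E95AA599EE77B7A89D39296BD3D

-= EOF =-
"""

# One filefind result line: full path, 7-char attribute field, size,
# two bracketed timestamps, MD5. Paths may contain spaces, so the name is
# taken as the last backslash-separated component.
FILE_RE = re.compile(
    r"^(?P<path>.+?\\(?P<name>[^\\]+?)) "
    r"(?P<attrs>[-a-z]{7}) "
    r"(?P<size>\d+) bytes "
    r"\[(?P<ts_a>[^\]]+)\] \[(?P<ts_b>[^\]]+)\] "
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(log):
    """Return one dict per file line found after the filefind header."""
    records = []
    in_section = False
    for line in log.splitlines():
        if line.startswith("========== filefind"):
            in_section = True
            continue
        if not in_section:
            continue
        m = FILE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            records.append(rec)
    return records


def compare_to_dllcache(records):
    """Per file name: hash of the live system32 copy, hash of the dllcache
    reference copy, whether they agree, and all copies grouped by MD5."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r["name"].lower()].append(r)

    report = {}
    for name, copies in by_name.items():
        live = next((c for c in copies
                     if c["path"].lower().endswith("\\system32\\" + name)), None)
        cache = next((c for c in copies
                      if c["path"].lower().endswith("\\system32\\dllcache\\" + name)), None)
        by_hash = defaultdict(list)
        for c in copies:
            by_hash[c["md5"]].append(c["path"])
        report[name] = {
            "live": live["md5"] if live else None,
            "dllcache": cache["md5"] if cache else None,
            "live_matches_dllcache": bool(live and cache and live["md5"] == cache["md5"]),
            "distinct_hashes": len(by_hash),
            "copies_by_hash": dict(by_hash),
        }
    return report


if __name__ == "__main__":
    report = compare_to_dllcache(parse_filefind(SYSTEMLOOK_LOG))
    for name, info in report.items():
        print(f"{name}: live={info['live']} dllcache={info['dllcache']} "
              f"match={info['live_matches_dllcache']} distinct_hashes={info['distinct_hashes']}")
        for md5, paths in info["copies_by_hash"].items():
            for p in paths:
                print(f"  {md5}  {p}")
```

Copies under WinSxS and inside third-party application folders (the Java runtime here) are expected to differ from the system32 copy, since they are separate builds shipped with their own version; the comparison that matters for a "procedure entry point could not be located" error is the system32 copy against the dllcache reference, and the script reports that pair explicitly.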



#14 Broni (BC Advisor)

Posted 18 September 2013 - 08:43 PM

Something is not right there.

 

Let's employ some more advanced tools.

 

Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.




 


#15 amaniateas (Topic Starter)

Posted 20 September 2013 - 04:32 AM

I did as you asked and still no reply from someone. Maybe I misunderstood something.





