iexplorer virus


  • This topic is locked
31 replies to this topic

#1 Tomcos (Full Member, 17 posts)

Posted 02 February 2012 - 08:51 PM

I seem to have gotten the iexplorer virus. I have multiple iexplorer processes running and eating up resources. I have run Malwarebytes, Spybot, TDSSKiller, ComboFix and Symantec. Each program finds all kinds of things and gets rid of them, but the virus does not go away. Below I attached a copy of the HijackThis log file. I was hoping I can get some input on what I should get rid of according to what the log is showing. Thanks




Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:49:16 PM, on 1/31/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\system32\QosServM.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\Program Files\Notes6\ntmulti.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Bitvise WinSSHD\WinSSHD.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec\LiveUpdate\luall.exe
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Companion\Installs\cpn4\ytbb.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.ne...&I=7.NQ4&N=&O=I
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: CrossriderApp0002258 - {11111111-1111-1111-1111-110011221158} - C:\Program Files\I Want This\I Want This.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: AvayaIEHlprObj Class - {E6DF0B46-7D6F-407A-A6A2-62D17A021A9A} - C:\Program Files\Avaya\Avaya IP Softphone\AvayaWebDial.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [{0A75BD54-5F68-C424-047E-DE8CE67DA7FA}] "C:\Documents and Settings\Owner\Application Data\Ypq\erteym.exe"
O4 - HKUS\S-1-5-21-2765278398-2732076464-4134920479-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'tomc')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10p_ActiveX.exe -update activex (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10p_ActiveX.exe -update activex (User 'Default user')
O4 - S-1-5-21-2765278398-2732076464-4134920479-1007 Startup: ornuol.exe (User 'tomc')
O4 - S-1-5-21-2765278398-2732076464-4134920479-1007 Startup: risah.exe (User 'tomc')
O4 - S-1-5-21-2765278398-2732076464-4134920479-1007 User Startup: ornuol.exe (User 'tomc')
O4 - S-1-5-21-2765278398-2732076464-4134920479-1007 User Startup: risah.exe (User 'tomc')
O4 - S-1-5-21-2765278398-2732076464-4134920479-500 Startup: doditi.exe (User 'Administrator')
O4 - S-1-5-21-2765278398-2732076464-4134920479-500 Startup: yxzue.exe (User 'Administrator')
O4 - .DEFAULT User Startup: doditi.exe (User 'Default user')
O4 - .DEFAULT User Startup: esof.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} (IBM Lotus iNotes 8.5 Control) - https://mymail.bnyme....net/dwa85W.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.c...loadControl.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://jpass.bankof...perSetupSP1.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/...SetupClient.cab
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iClarityQoSService - AVAYA Communication - C:\WINDOWS\system32\QosServM.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINDOWS\system32\ nslsvice.exe (file missing)
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\Notes6\ntmulti.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: WinSSHD - Bitvise - C:\Program Files\Bitvise WinSSHD\WinSSHD.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 12884 bytes

Edit: Please read the Instructions and post the other requested logs. We need them in order to help you.

Edited by cnm, 02 February 2012 - 08:57 PM.


#2 The Dark Knight (Malware Vigilante, Trusted Advisor, 2,214 posts)

Posted 02 February 2012 - 09:24 PM

Welcome Tomcos to SpywareInfo. I am The Dark Knight and will be assisting you. Please ask questions if anything is unclear. :)

Just a few things before we begin:

:excl: Before proceeding:
  • In the upper right hand corner of this topic there is a button labelled Watch this topic. Please click this button, select Immediate E-Mail notification and then click Proceed to ensure you are notified when I reply.
  • Please back up your personal documents and files by copying them to a location other than your system drive.

:excl: For the duration of this topic:
Please DO NOT run, install and/or uninstall/remove any tools/programs other than those I suggest to you in order to avoid conflicts and/or additional problems on your system. :thumbup:


:excl: When you receive new instructions:
  • Please read the whole post before carrying out any of the instructions.
  • All our tools must be downloaded to the Desktop and launched from there (unless I specify otherwise).
  • Please perform all steps in the received order and DO NOT proceed if you need clarification.
  • Please DO NOT re-run any program unless I ask you to.
  • Please DO NOT plug in any external devices like USBs and Hard Drives unless I ask you to.
  • If you encounter any problems please stop and let me know.

:excl: When replying:
  • Please click the Add Reply button so that my reply is not posted back to me. Thank you!
  • Please copy and paste your logs into your post unless I specifically ask you to attach one.
_________________________________________________________________________________________________________________________________


Please print out these instructions or copy them to a Notepad file for easier reading.

To begin, there are a couple of programs installed that I recommend you consider removing.

There are signs of the Yahoo! Toolbar in your log. This toolbar comes bundled with other third party applications you may not want installed. Please see here for more information. I recommend you remove it.

You also have the Google Toolbar installed. This toolbar has been known to exhibit suspicious behaviour. Please see here for more information. I recommend you remove it.

Please go to Start>Control Panel> Add or Remove Programs and remove the following programs (if present):

  • Google Toolbar
  • Yahoo! Companion
  • Yahoo! Toolbar
Please restart your computer after these program removals.
==========

Next, please use HijackThis to do a little more cleanup:

  • Please open HijackThis.
  • Click Do a system scan only.
  • Check the following entries (if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: CrossriderApp0002258 - {11111111-1111-1111-1111-110011221158} - C:\Program Files\I Want This\I Want This.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O4 - HKCU\..\Run: [{0A75BD54-5F68-C424-047E-DE8CE67DA7FA}] "C:\Documents and Settings\Owner\Application Data\Ypq\erteym.exe"
O4 - S-1-5-21-2765278398-2732076464-4134920479-1007 Startup: ornuol.exe (User 'tomc')
O4 - S-1-5-21-2765278398-2732076464-4134920479-1007 Startup: risah.exe (User 'tomc')
O4 - S-1-5-21-2765278398-2732076464-4134920479-1007 User Startup: ornuol.exe (User 'tomc')
O4 - S-1-5-21-2765278398-2732076464-4134920479-1007 User Startup: risah.exe (User 'tomc')
O4 - S-1-5-21-2765278398-2732076464-4134920479-500 Startup: doditi.exe (User 'Administrator')
O4 - S-1-5-21-2765278398-2732076464-4134920479-500 Startup: yxzue.exe (User 'Administrator')
O4 - .DEFAULT User Startup: doditi.exe (User 'Default user')
O4 - .DEFAULT User Startup: esof.exe (User 'Default user')


And if you removed Google Toolbar earlier then please check these entries (if present):

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll


And if you removed the Yahoo! Toolbar earlier then please check these entries (if present):

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll


  • Please close all other open windows and click Fix checked.
  • Close HijackThis.
  • Reboot your computer.
==========

Please run these scans and post their logs in your next reply.

  • Please download DDS by sUBs from one of the following links. Save it to your Desktop.


    NOTE: Before scanning, make sure all other running programs are closed.
    There shouldn't be any scheduled antivirus scans running while the scan is being performed.
    Do not use your computer for anything else during the scan.
  • Double click on the DDS icon and allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your Desktop.

Next, please download Malwarebytes' Anti-Malware to your Desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to the Desktop.
  • Copy and Paste that log into your next reply.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK for either of the prompts and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Finally, please download MBRCheck by a_d_13 to your Desktop from one of these locations:

http://ad13.geekstogo.com/MBRCheck.exe
http://download.blee...al/MBRCheck.exe
http://www.kernelmod...fo/MBRCheck.exe

Close all opened programs/windows and double-click on MBRCheck.exe.
It will produce a log file saved automatically on your Desktop as "MBRCheck_[Date]_[Time].txt".

Press the "Enter" key to close the MBRCheck window and post the contents of the log file.
==========

In your next reply, please post the following:
  • Fresh HJT log.
  • DDS log.
  • Log from MBAM.
  • Log from MBRCheck.
How is your computer currently running?

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!

If I have helped you please consider donating to help keep this forum running; see this topic for more details.

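The triage the helper applies to the HijackThis log above, written out as an added Python example (not part of this thread and not HijackThis code): it parses O2/O4 lines and flags orphaned BHOs registered with "(no file)", Run values named with a bare GUID, autostarts launched from a user-profile directory, and executables dropped into a Startup folder. The sample lines are constructed from the kinds of entries in the log, and the "random-looking name" heuristic is the example's own assumption.

```python
import re
from typing import List, Tuple

# Constructed sample in HijackThis v2 format; benign and suspicious entries
# are mixed on purpose so the triage has something to ignore as well as flag.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [{0A75BD54-5F68-C424-047E-DE8CE67DA7FA}] "C:\Documents and Settings\Owner\Application Data\Ypq\erteym.exe"
O4 - S-1-5-21-2765278398-2732076464-4134920479-1007 Startup: ornuol.exe (User 'tomc')
O4 - HKUS\S-1-5-21-2765278398-2732076464-4134920479-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'tomc')
O23 - Service: WinSSHD - Bitvise - C:\Program Files\Bitvise WinSSHD\WinSSHD.exe
""".strip("\n")

# O2 line: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
# O4 registry autostart: "O4 - <hive>\..\Run: [<value name>] <command>"
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 Startup-folder autostart: "O4 - <SID> Startup: <file> (User '<name>')"
STARTUP_RE = re.compile(r"^O4 - (?P<sid>\S+) (?P<kind>(?:User )?Startup): (?P<file>\S+) \(User '(?P<user>[^']*)'\)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Directories a legitimate installer rarely uses for an autostart executable.
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\appdata\\")
# Heuristic (assumption): short all-lowercase names like ornuol.exe / risah.exe.
RANDOM_NAME_RE = re.compile(r"^[a-z]{4,8}\.exe$")

Finding = Tuple[int, str, str]  # (1-based line number, finding code, detail)


def triage(log_text: str) -> List[Finding]:
    """Return the log lines a helper would ask the user to check in HijackThis."""
    findings: List[Finding] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        line = line.rstrip()
        m = BHO_RE.match(line)
        if m:
            # A BHO whose DLL is gone is leftover registration from a removed
            # component; harmless by itself but it should be cleaned up.
            if m.group("path").strip().lower() == "(no file)":
                findings.append((lineno, "orphan-bho", f"CLSID {m.group('clsid')} has no backing DLL"))
            continue
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            # Legitimate software names its Run value; a bare GUID is a common
            # way for droppers to avoid a recognisable name.
            if GUID_RE.match(name):
                findings.append((lineno, "guid-run-name", f"Run value named with bare GUID {name}"))
            if any(d in cmd.lower() for d in PROFILE_DIRS):
                findings.append((lineno, "profile-dir-exe", f"autostart from user profile: {cmd}"))
            continue
        m = STARTUP_RE.match(line)
        if m:
            fname = m.group("file")
            tag = "random-looking name" if RANDOM_NAME_RE.match(fname) else "named file"
            findings.append((lineno, "startup-folder-exe",
                             f"{tag} {fname} in {m.group('kind')} folder of '{m.group('user')}'"))
    return findings


if __name__ == "__main__":
    for lineno, code, detail in triage(SAMPLE_LOG):
        print(f"line {lineno}: [{code}] {detail}")
```

Run against the sample, lines 2, 4 and 5 are reported and the Adobe BHO, ccApp, ctfmon and service lines pass through untouched.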


#3 Tomcos (Full Member, 17 posts)

Posted 04 February 2012 - 11:26 PM

I followed your instructions and it seems the iexplorer virus has cleared up, thanks for your help. I'm sending the requested logs, maybe there are other things that can be cleaned. Thanks....

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Run by Owner at 12:29:09 on 2012-02-04
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.24 [GMT -5:00]
.

.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\system32\QosServM.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\Program Files\Notes6\ntmulti.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Bitvise WinSSHD\WinSSHD.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=usertomc&key=008f383dda2eef7bf7ff30a5dda71c06&ts=4223aca1&A=0&B=1104825600000&C=1034751600000&D=0&I=7.NQ4&N=&O=I
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: AvayaIEHlprObj Class: {e6df0b46-7d6f-407a-a6a2-62d17a021a9a} - c:\program files\avaya\avaya ip softphone\AvayaWebDial.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10p_ActiveX.exe -update activex
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: microsoft.com\www.update
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://mymail.bnymellon.net/dwa85W.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://jpass.bankofny.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{5EF7FC75-2399-47BA-B156-747C4F27309E} : DhcpNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\ab7w5xtw.default\
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071502000008.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2011-1-21 56208]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-12-11 10384]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2008-6-24 431384]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2009-2-2 131152]
R3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [2010-10-30 91728]
S0 inmm;inmm;c:\windows\system32\drivers\hmhibmfx.sys --> c:\windows\system32\drivers\hmhibmfx.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-27 135664]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-9 106104]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\nortel networks\Extranet_serv.exe [2005-4-27 565248]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-27 135664]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20120131.017\NAVENG.SYS [2012-1-31 86136]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20120131.017\NAVEX15.SYS [2012-1-31 1576312]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2011-7-3 12984]
S4 OracleDBConsoleorl11g;OracleDBConsoleorl11g; [x]
.
=============== File Associations ===============
.
vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-02-04 17:29:23 849 ----a-w- c:\documents and settings\all users\application data\wcgmaaa.tmp
2012-02-04 17:29:07 879 ----a-w- c:\documents and settings\all users\application data\ycgmaaa.tmp
2012-02-04 17:29:06 843 ----a-w- c:\documents and settings\all users\application data\vcgmaaa.tmp
2012-02-04 17:28:47 844 ----a-w- c:\documents and settings\all users\application data\ucgmaaa.tmp
2012-02-04 17:18:02 834 ----a-w- c:\documents and settings\all users\application data\xcgmaaa.tmp
2012-02-04 16:57:18 876 ----a-w- c:\documents and settings\all users\application data\rwhlaaa.tmp
2012-02-01 03:56:40 831 ----a-w- c:\documents and settings\all users\application data\ptruaaa.tmp
2012-02-01 03:56:36 850 ----a-w- c:\documents and settings\all users\application data\qtruaaa.tmp
2012-02-01 03:53:43 806 ----a-w- c:\documents and settings\all users\application data\otruaaa.tmp
2012-02-01 03:32:51 -------- d-----w- c:\documents and settings\owner\application data\Muvis
2012-02-01 03:32:51 -------- d-----w- c:\documents and settings\owner\application data\Abokra
2012-02-01 03:32:23 809 ----a-w- c:\documents and settings\all users\application data\struaaa.tmp
2012-02-01 02:47:36 41728 ----a-w- c:\windows\system32\drivers\a182fc26fbe3d24f.sys
2012-01-29 22:30:10 840 ----a-w- c:\documents and settings\all users\application data\isnsaaa.tmp
2012-01-29 21:45:47 -------- d-----w- c:\documents and settings\owner\application data\Yzymt
2012-01-29 21:45:47 -------- d-----w- c:\documents and settings\owner\application data\Ypq
2012-01-29 05:32:12 840 ----a-w- c:\documents and settings\all users\application data\asluaaa.tmp
2012-01-29 01:19:57 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-29 01:12:23 -------- d-----w- c:\documents and settings\owner\local settings\application data\Babylon
2012-01-29 01:12:22 -------- d-----w- c:\documents and settings\owner\application data\Babylon
2012-01-29 01:12:22 -------- d-----w- c:\documents and settings\all users\application data\Babylon
2012-01-27 15:33:09 -------- dc----w- c:\windows\ie8
2012-01-23 22:06:33 208896 ----a-w- c:\windows\MBR.exe
2012-01-23 22:06:32 98816 ----a-w- c:\windows\sed.exe
2012-01-23 22:06:32 518144 ----a-w- c:\windows\SWREG.exe
2012-01-23 22:06:32 256000 ----a-w- c:\windows\PEV.exe
2012-01-23 00:32:49 -------- d-----w- c:\program files\4CE5F
2012-01-15 01:28:22 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-15 01:28:22 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-15 01:28:22 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-15 01:28:22 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
.
==================== Find3M ====================
.
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-18 01:29:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-15 00:47:30 408648 ----a-w- c:\windows\system32\dsNcSmartCardProv.dll
2011-11-15 00:47:30 363592 ----a-w- c:\windows\system32\dsNcCredProv.dll
2011-11-15 00:43:24 225280 ----a-w- c:\windows\system32\dsGinaLoader.dll
2011-11-15 00:14:44 26624 ----a-w- c:\windows\system32\drivers\dsNcAdpt.sys
.
============= FINISH: 12:33:42.40 ===============



MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 141):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x80700000 \WINDOWS\system32\hal.dll
0xF7D4F000 \WINDOWS\system32\KDCOM.DLL
0xF7C5F000 \WINDOWS\system32\BOOTVID.dll
0xF784F000 vwjpeq.sys
0x86BCD000 a182fc26fbe3d24f.sys
0xF7800000 ACPI.sys
0xF7D51000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF77EF000 pci.sys
0xF786F000 isapnp.sys
0xF7C63000 ACPIEC.sys
0xF7E17000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF7C67000 compbatt.sys
0xF7C6B000 \WINDOWS\System32\DRIVERS\BATTC.SYS
0xF7E18000 pciide.sys
0xF7ACF000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF77D1000 pcmcia.sys
0xF787F000 MountMgr.sys
0xF77B2000 ftdisk.sys
0xF7AD7000 PartMgr.sys
0xF788F000 VolSnap.sys
0xF779A000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF7782000 atapi.sys
0xF791F000 disk.sys
0xF792F000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF771D000 fltmgr.sys
0xF7706000 KSecDD.sys
0xF76F3000 WudfPf.sys
0xF7666000 Ntfs.sys
0xF7639000 NDIS.sys
0xF75CE000 timntr.sys
0xF7575000 tdrpman.sys
0xF7556000 snapman.sys
0xF795F000 ohci1394.sys
0xF796F000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF753C000 Mup.sys
0xF7B3F000 hotcore3.sys
0xF79DF000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF7368000 \SystemRoot\system32\drivers\TotRec7.sys
0xF7344000 \SystemRoot\system32\drivers\portcls.sys
0xF74AC000 \SystemRoot\system32\drivers\drmk.sys
0xF7321000 \SystemRoot\system32\drivers\ks.sys
0xF7302000 \??\C:\WINDOWS\system32\drivers\TotRec8.sys
0xF789F000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF72EB000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF72D7000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7BEF000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF72B3000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7BFF000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF78AF000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xF6B57000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xF78CF000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7C1F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF6B2B000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF7D89000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7C27000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF6AE8000 \SystemRoot\system32\drivers\camchal.sys
0xF6AA0000 \SystemRoot\system32\drivers\camcaud.sys
0xF6A77000 \SystemRoot\system32\DRIVERS\HSFHWICH.sys
0xF6968000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xF68CF000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF7C37000 \SystemRoot\System32\Drivers\Modem.SYS
0xF73C6000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF798F000 \SystemRoot\system32\DRIVERS\dsNcAdpt.sys
0xF7FA4000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF799F000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF73BE000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF68B8000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF794F000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF793F000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7C4F000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF68A7000 \SystemRoot\system32\DRIVERS\psched.sys
0xF79FF000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7B4F000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7B6F000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7B7F000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xF7A1F000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7D8D000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6849000 \SystemRoot\system32\DRIVERS\update.sys
0xF73B2000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7B87000 \SystemRoot\system32\DRIVERS\UimBus.sys
0xF67EE000 \SystemRoot\System32\Drivers\Uim_IM.sys
0xF67B2000 \SystemRoot\System32\Drivers\UimFIO.SYS
0xF7A4F000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xEE71A000 \SystemRoot\system32\drivers\ialmkchw.sys
0xEE6FC000 \SystemRoot\system32\drivers\ialmsbw.sys
0xF7A8F000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7434000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7DCB000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7EF0000 \SystemRoot\System32\Drivers\Null.SYS
0xF7DCF000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7B07000 \SystemRoot\System32\drivers\vga.sys
0xF7DD3000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7DD7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7B0F000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7B1F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF742C000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xEE6C9000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEE670000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xEE648000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEE5FA000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF73FA000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xEE5D8000 \SystemRoot\System32\drivers\afd.sys
0xF752C000 \SystemRoot\system32\DRIVERS\netbios.sys
0xEE5AD000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF78DF000 \SystemRoot\System32\Drivers\Fips.SYS
0xEE589000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF7BA7000 \SystemRoot\System32\Drivers\LUsbFilt.Sys
0xF78FF000 \SystemRoot\System32\Drivers\WDFLDR.SYS
0xEE4E6000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xF73AE000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF790F000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF7BAF000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7BBF000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
0xF7392000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF7BC7000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
0xEE4CE000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7DE5000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF7444000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7BD7000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7F47000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF042000 \SystemRoot\System32\ialmdev5.DLL
0xBF073000 \SystemRoot\System32\ialmdd5.DLL
0xBF0EE000 \SystemRoot\System32\ATMFD.DLL
0xF78BF000 \SystemRoot\system32\DRIVERS\tifsfilt.sys
0xEE38E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xEE326000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xEE2E6000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xEE091000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7E90000 \SystemRoot\System32\Drivers\LBeepKE.sys
0xEE08D000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xEDE81000 \SystemRoot\system32\DRIVERS\srv.sys
0xF7B67000 \SystemRoot\system32\DRIVERS\strmdisp.sys
0xEDBC4000 \SystemRoot\system32\drivers\wdmaud.sys
0xEDCE1000 \SystemRoot\system32\drivers\sysaudio.sys
0xED88D000 \SystemRoot\System32\Drivers\HTTP.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 35):
0 System Idle Process
4 System
532 C:\WINDOWS\system32\smss.exe
596 C:\WINDOWS\system32\csrss.exe
620 C:\WINDOWS\system32\winlogon.exe
668 C:\WINDOWS\system32\services.exe
680 C:\WINDOWS\system32\lsass.exe
840 C:\WINDOWS\system32\svchost.exe
896 C:\WINDOWS\system32\svchost.exe
936 C:\WINDOWS\system32\svchost.exe
976 C:\WINDOWS\system32\svchost.exe
1028 C:\WINDOWS\system32\svchost.exe
1060 C:\WINDOWS\system32\svchost.exe
1892 C:\WINDOWS\system32\spoolsv.exe
1972 C:\WINDOWS\system32\svchost.exe
2004 C:\Program Files\Bonjour\mDNSResponder.exe
2016 C:\WINDOWS\system32\CTSVCCDA.EXE
2036 C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
320 C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
428 C:\WINDOWS\system32\qosservm.exe
440 C:\Program Files\Java\jre6\bin\jqs.exe
464 C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
524 C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
556 C:\Program Files\Notes6\ntmulti.exe
568 C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
824 C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
964 C:\WINDOWS\system32\svchost.exe
1176 C:\Program Files\ThreatFire\TFService.exe
1248 C:\Program Files\Bitvise WinSSHD\WinSSHD.exe
1264 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
1300 C:\Program Files\Java\jre6\bin\javaw.exe
1748 C:\WINDOWS\system32\alg.exe
1728 C:\WINDOWS\explorer.exe
3288 C:\Program Files\QuickTime\QTTask.exe
3232 C:\Documents and Settings\Owner\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`0caa4800 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: IC25N080ATMR04-0, Rev: MO4OAD4A

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:31:34 PM, on 2/4/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\system32\QosServM.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\Program Files\Notes6\ntmulti.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Bitvise WinSSHD\WinSSHD.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\Owner\Application Data\Juniper Networks\Setup Client\JuniperSetupClient.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.ne...&I=7.NQ4&N=&O=I
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: AvayaIEHlprObj Class - {E6DF0B46-7D6F-407A-A6A2-62D17A021A9A} - C:\Program Files\Avaya\Avaya IP Softphone\AvayaWebDial.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10p_ActiveX.exe -update activex (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10p_ActiveX.exe -update activex (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} (IBM Lotus iNotes 8.5 Control) - https://mymail.bnyme....net/dwa85W.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.c...loadControl.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://jpass.bankof...perSetupSP1.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/...SetupClient.cab
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iClarityQoSService - AVAYA Communication - C:\WINDOWS\system32\QosServM.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINDOWS\system32\ nslsvice.exe (file missing)
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\Notes6\ntmulti.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: WinSSHD - Bitvise - C:\Program Files\Bitvise WinSSHD\WinSSHD.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8982 bytes

#4 The Dark Knight

The Dark Knight

    Malware Vigilante

  • Trusted Advisor*
  • 2,214 posts

Posted 05 February 2012 - 07:02 AM

Hello Tomcos. :)

Thank you for posting the requested logs. :thumbup:


Please go to http://virusscan.jotti.org, click on Browse, and upload the following file for analysis (you will only be able to have one file scanned at a time):

c:\windows\system32\drivers\a182fc26fbe3d24f.sys

Then click Submit. Allow the file to be scanned, and then please copy/paste the results here for me to see.

If Jotti is busy, please go to http://www.virustotal.com.

Please post the results in your next reply.
==========

Next, please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

Please include the C:\ComboFix.txt in your next reply for further review.
==========

Finally, please run MBAM (or download it as per my previous post) and post its log in your next reply.
==========

In your next reply, please provide the following:
  • Results from Virus Total/Jotti.
  • ComboFix.txt.
  • Log from MBAM.
How does your computer seem to be running?

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!

If I have helped you please consider donating to help keep this forum running; see this topic for more details.


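Before sending a driver file off to an online scanner as asked above, a responder would normally hash it locally and confirm the bytes actually came through. The following is an added example, not code from this post or from any tool named in it: it computes MD5/SHA-1/SHA-256 of a file, flags a sample that hashes as zero bytes (a scanner verdict on an empty upload says nothing about the real driver), and applies the same check to a pasted hash report. The report text, file names and the 64-byte stand-in sample are constructed for the example.

```python
"""Hash a suspect file and detect an empty or unreadable sample before submission.

Added example for this thread; not from the forum post or any tool it names.
"""
import hashlib
import os
import tempfile

# Digests of the empty input. A scanner report carrying exactly these values
# means the scanner never saw the file's real contents.
EMPTY_DIGESTS = {
    "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

# Constructed report in the "Algorithm: digest" style these threads paste.
SAMPLE_REPORT = """\
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
MD5: d41d8cd98f00b204e9800998ecf8427e
File size: 0 bytes ( 0 bytes )
File name: C:\\WINDOWS\\system32\\drivers\\EXAMPLE_PLACEHOLDER.sys
"""


def hash_file(path, chunk_size=65536):
    """Return (size_in_bytes, {algo: hexdigest}) for the file at path."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    return size, {name: h.hexdigest() for name, h in hashers.items()}


def is_empty_sample(digests):
    """True when every known digest matches the empty-input value."""
    return all(digests.get(k, "").lower() == v for k, v in EMPTY_DIGESTS.items())


def assess_sample(path):
    """Classify a local file as 'ok', 'empty' or 'unreadable' for submission."""
    try:
        size, digests = hash_file(path)
    except OSError as exc:
        # A file that cannot be opened (locked, hidden, already removed) is
        # just as useless to upload as an empty one.
        return {"status": "unreadable", "error": str(exc)}
    if size == 0 or is_empty_sample(digests):
        return {"status": "empty", "size": 0, "digests": digests}
    return {"status": "ok", "size": size, "digests": digests}


def parse_scanner_report(text):
    """Parse 'Key: value' lines of a pasted report into a lower-cased dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # split at the first colon only
        fields[key.strip().lower()] = value.strip()
    return fields


def report_is_empty_sample(text):
    """True when a pasted report describes a zero-byte upload."""
    fields = parse_scanner_report(text)
    digests = {k: fields.get(k, "") for k in EMPTY_DIGESTS}
    size_zero = fields.get("file size", "").startswith("0 bytes")
    return size_zero or is_empty_sample(digests)


def demo():
    """Write two constructed samples to a temp dir and assess both."""
    tmpdir = tempfile.mkdtemp()
    empty_path = os.path.join(tmpdir, "empty_sample.sys")
    real_path = os.path.join(tmpdir, "nonempty_sample.sys")
    open(empty_path, "wb").close()
    with open(real_path, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)  # constructed stand-in, not a real driver
    return assess_sample(empty_path), assess_sample(real_path)


if __name__ == "__main__":
    for result in demo():
        print(result["status"], result.get("size"))
    print("pasted report is an empty sample:", report_is_empty_sample(SAMPLE_REPORT))
```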

#5 Tomcos

Tomcos

    Member

  • Full Member
  • 17 posts

Posted 06 February 2012 - 08:59 PM

Hi, my computer is running much better, but I noticed a couple of issues:

My CD/DVD drive is no longer visible in My Computer, and there is the yellow exclamation on the drive in Device Manager.

Also I noticed in Event Viewer I'm getting the following errors under System:

Source: Workstation
Could not load RDR device driver

Source: Service Control Manager
The Workstation service terminated with service-specific error 2250

Source: Workstation Control Manager
The Computer Browser Service depends on The Workstation service which failed to start because of the following error:
EventID 7001

Below are the requested logs. Thanks

SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
MD5: d41d8cd98f00b204e9800998ecf8427e
File size: 0 bytes ( 0 bytes )
File name: C:\WINDOWS\system32\drivers\a182fc26fbe3d24f.sys


ComboFix 12-02-05.02 - Owner 02/05/2012 11:23:21.9.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.701 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\asluaaa.tmp
c:\documents and settings\All Users\Application Data\isnsaaa.tmp
c:\documents and settings\All Users\Application Data\otruaaa.tmp
c:\documents and settings\All Users\Application Data\ptruaaa.tmp
c:\documents and settings\All Users\Application Data\qtruaaa.tmp
c:\documents and settings\All Users\Application Data\rwhlaaa.tmp
c:\documents and settings\All Users\Application Data\struaaa.tmp
c:\documents and settings\All Users\Application Data\ucgmaaa.tmp
c:\documents and settings\All Users\Application Data\vcgmaaa.tmp
c:\documents and settings\All Users\Application Data\wcgmaaa.tmp
c:\documents and settings\All Users\Application Data\xcgmaaa.tmp
c:\documents and settings\All Users\Application Data\ycgmaaa.tmp
c:\windows\$NtUninstallKB18311$
c:\windows\$NtUninstallKB18311$\372318992
c:\windows\system32\drivers\a182fc26fbe3d24f.sys
c:\windows\system32\svch.dat
c:\windows\system32\winl.dat
c:\windows\wallpg.exe
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\winlogon.exe
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\svchost.exe
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_.mrxsmb
-------\Service_syshost32
-------\Legacy_a182fc26fbe3d24f
-------\Service_a182fc26fbe3d24f
.
.
((((((((((((((((((((((((( Files Created from 2012-01-05 to 2012-02-05 )))))))))))))))))))))))))))))))
.
.
2012-02-04 03:18 . 2012-02-04 03:18 -------- d-----w- c:\documents and settings\tomc\Local Settings\Application Data\Identities
2012-02-04 03:18 . 2012-02-04 04:29 -------- d-----w- c:\documents and settings\tomc\Application Data\Adoquk
2012-02-04 03:18 . 2012-02-04 03:18 -------- d-----w- c:\documents and settings\tomc\Application Data\Cosyymk
2012-02-01 03:32 . 2012-02-04 04:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Muvis
2012-02-01 03:32 . 2012-02-01 03:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Abokra
2012-01-29 21:45 . 2012-02-04 04:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Ypq
2012-01-29 21:45 . 2012-01-29 21:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Yzymt
2012-01-29 01:19 . 2012-01-29 01:19 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-29 01:12 . 2012-01-29 01:12 237 ----a-w- C:\user.js
2012-01-29 01:12 . 2012-01-29 01:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Babylon
2012-01-29 01:12 . 2012-01-29 01:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Babylon
2012-01-29 01:12 . 2012-01-29 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2012-01-27 15:33 . 2012-01-27 15:40 -------- dc----w- c:\windows\ie8
2012-01-23 00:56 . 2012-01-23 00:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-01-23 00:32 . 2012-01-29 15:46 -------- d-----w- c:\program files\4CE5F
2012-01-15 01:28 . 2012-02-05 05:51 45016 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-15 01:28 . 2012-01-15 01:28 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-15 01:28 . 2012-01-15 01:28 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-15 01:28 . 2012-01-15 01:28 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-05 17:09 . 2004-08-26 16:12 39936 ----a-w- c:\windows\system32\svchost.exe
2011-12-10 20:24 . 2011-08-06 23:50 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57 . 2004-08-26 16:12 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-26 16:12 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-26 16:12 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-18 01:29 . 2011-05-22 13:46 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-16 14:21 . 2004-08-26 16:12 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-26 16:12 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-15 00:47 . 2011-12-27 01:53 408648 ----a-w- c:\windows\system32\dsNcSmartCardProv.dll
2011-11-15 00:47 . 2011-12-27 01:53 363592 ----a-w- c:\windows\system32\dsNcCredProv.dll
2011-11-15 00:43 . 2011-11-15 00:43 225280 ----a-w- c:\windows\system32\dsGinaLoader.dll
2011-11-15 00:14 . 2007-07-16 19:56 26624 ----a-w- c:\windows\system32\drivers\dsNcAdpt.sys
2011-11-08 03:07 . 2011-11-08 03:07 388096 ----a-w- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-02-05 05:51 . 2011-04-09 05:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10p_ActiveX.exe" [2011-04-21 235168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-06-25 01:06 904768 ----a-w- c:\program files\Seagate\DiscWizard\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2001-09-04 19:31 655360 ----a-w- c:\program files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 15:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-04 03:51 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 18:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
2008-06-25 00:52 1325848 ----a-w- c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverUpdate]
2011-06-01 19:06 26699616 ----a-w- c:\program files\DriverUpdate\DriverUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
2003-12-17 19:51 94208 ----a-w- c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleBackupManager]
c:\documents and settings\All Users\Application Data\GoogleBackupManager.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-07-10 12:13 114688 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2005-01-12 19:54 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 04:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-07-10 12:25 155648 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2009-06-17 16:55 55824 ----a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Last.fm Update]
c:\documents and settings\Owner\Local Settings\Application Data\Apple\AppleUpdate\Appleupdt32.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2003-06-07 11:32 50688 ----a-w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess]
2011-07-22 04:07 718720 ----a-w- c:\program files\Microsoft Office\Office14\MSOSYNC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRESET]
2008-01-17 20:00 45056 ----a-w- c:\program files\Avaya\Avaya IP Softphone\IP Service Provider\pwreset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-13 20:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 03:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Scheduler2 Service]
2008-06-25 00:56 136472 ----a-w- c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StxTrayMenu]
2007-01-18 18:20 190008 ----a-w- c:\program files\Seagate\SystemTray\StxMenuMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
2004-05-27 01:57 139264 ----a-w- c:\program files\Digital Media Reader\shwicon2k.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-28 01:58 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2004-03-27 01:20 499712 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-03-27 01:20 98304 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-06-07 02:41 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]
2010-10-14 14:05 155216 ----a-w- c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSSHD Activation State Checker]
2009-04-04 04:42 216320 ----a-w- c:\program files\Bitvise WinSSHD\WinsshdActStateCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"HCLInetd"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
.
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [1/21/2011 10:38 PM 56208]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [12/11/2008 9:03 PM 10384]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 7:56 PM 431384]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2/2/2009 7:43 PM 131152]
R3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [10/30/2010 10:51 AM 91728]
S0 inmm;inmm;c:\windows\system32\drivers\hmhibmfx.sys --> c:\windows\system32\drivers\hmhibmfx.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/27/2009 12:19 AM 135664]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\Owner\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\Owner\LOCALS~1\Temp\CFcatchme.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/9/2011 8:18 PM 106104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/27/2009 12:19 AM 135664]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [6/12/2011 10:15 AM 31125880]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 Pcouffin;Low level access layer for CD devices;c:\windows\system32\Drivers\Pcouffin.sys --> c:\windows\system32\Drivers\Pcouffin.sys [?]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [7/3/2011 9:51 AM 12984]
S4 OracleDBConsoleorl11g;OracleDBConsoleorl11g; [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 05:19]
.
2012-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 05:19]
.
2005-02-26 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]
.
2005-02-26 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]
.
2012-01-13 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=usertomc&key=008f383dda2eef7bf7ff30a5dda71c06&ts=4223aca1&A=0&B=1104825600000&C=1034751600000&D=0&I=7.NQ4&N=&O=I
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: microsoft.com\www.update
TCP: DhcpNameServer = 192.168.0.1
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://mymail.bnymellon.net/dwa85W.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ab7w5xtw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
------- File Associations -------
.
vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-ThreatFire - c:\program files\ThreatFire\TFTray.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-05 12:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,b7,0f,68,43,53,7f,44,b0,44,a3,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,b7,0f,68,43,53,7f,44,b0,44,a3,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(964)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(2236)
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Hummingbird\Connectivity\7.00\HostExplorer\Ftp\HESHELL.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Symantec\Norton Ghost 2003\GhostStartService.exe
c:\windows\system32\QosServM.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
c:\program files\Notes6\ntmulti.exe
c:\windows\system32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Bitvise WinSSHD\WinSSHD.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Java\jre6\bin\javaw.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-02-05 12:29:56 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-05 17:29
ComboFix2.txt 2011-06-10 21:09
ComboFix3.txt 2011-05-17 02:42
.
Pre-Run: 38,359,126,016 bytes free
Post-Run: 38,563,033,088 bytes free
.
- - End Of File - - BB95A73D59563BC8A6474F96DC70031C


Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.05.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: TOMLAP [administrator]

2/5/2012 12:36:59 PM
mbam-log-2012-02-05 (12-36-59).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 369761
Time elapsed: 1 hour(s), 50 minute(s), 5 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
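As an added example (not part of the thread, and not code from ComboFix or Malwarebytes), here is a short Python triage pass over lines copied from the ComboFix log just posted. It flags autostart entries that load a DLL or run from a user-profile path, Security Center and firewall values that silence alerting, and user.js prefs that switch off Firefox's security warnings. The sample lines are lifted from the log above; the heuristics and the Finding structure are this example's own, and a flagged entry is something to look at, not a verdict.

```python
"""Triage pass over ComboFix-style log lines.

Added example; not code from the thread or from ComboFix. The sample lines are
copied from the log posted above, and the heuristics below are this example's
own: they point at entries worth a closer look, not at confirmed malware."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a handful of lines lifted from the posted log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleBackupManager]
c:\documents and settings\All Users\Application Data\GoogleBackupManager.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Last.fm Update]
c:\documents and settings\Owner\Local Settings\Application Data\Apple\AppleUpdate\Appleupdt32.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_submit_insecure - false
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.+)$')
PATH_RE = re.compile(r"(?P<path>[a-z]:\\[^\[\n]+?)(?:\s+\[BU\])?\s*$", re.I)
FF_PREF_RE = re.compile(r"^FF - user\.js: (?P<pref>\S+) - (?P<val>\S+)$")

# Heuristic markers (this example's assumptions, not ComboFix semantics).
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\")
ALERT_SUPPRESSION = {
    "security center": {"AllAlertsDisabled", "DisableMonitoring"},
    "firewallpolicy\\standardprofile": {"DisableNotifications"},
}


@dataclass(frozen=True)
class Finding:
    kind: str
    location: str
    detail: str


def _is_one(val):
    """Both ComboFix spellings of a set flag: 'dword:00000001' and '1 (0x1)'."""
    return val.strip().lower() in ("dword:00000001", "1 (0x1)")


def triage(log_text):
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:                       # new registry key header
            current_key = m.group("key")
            continue
        m = FF_PREF_RE.match(line)
        if m:                       # Firefox user.js pref
            if m.group("pref").startswith("security.warn_") and m.group("val") == "false":
                findings.append(Finding("browser-warning-disabled", "user.js", m.group("pref")))
            continue
        if current_key is None:
            continue
        key_l = current_key.lower()
        m = VALUE_RE.match(line)
        if m:                       # "name"=value under the current key
            for fragment, names in ALERT_SUPPRESSION.items():
                if fragment in key_l and m.group("name") in names and _is_one(m.group("val")):
                    findings.append(Finding("alerting-suppressed", current_key, m.group("name")))
            continue
        if "\\startupreg\\" in key_l:   # autostart target line
            m = PATH_RE.search(line)
            if not m:
                continue
            path = m.group("path").strip().lower()
            if path.endswith(".dll"):
                findings.append(Finding("dll-autostart", current_key, path))
            if any(marker in path for marker in USER_PROFILE_MARKERS):
                findings.append(Finding("profile-path-autostart", current_key, path))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'dll-autostart': 2, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:26} {f.detail}  <- {f.location}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the constructed sample it reports two DLL autostarts (both under a profile directory), three values that suppress Security Center or firewall alerting, and two Firefox security warnings switched off; `network.cookie.cookieBehavior - 0` is left alone because it is the browser default. Entries under `startupreg` are disabled in msconfig rather than live, so the value of this pass is in deciding what to ask about, not in cleaning.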

#6 The Dark Knight

The Dark Knight

    Malware Vigilante

  • Trusted Advisor*
  • PipPipPipPipPip
  • 2,214 posts

Posted 08 February 2012 - 02:20 AM

Hello Tomcos. :)

I will help you with those new errors once the main infection has been dealt with. :thumbup:


Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com).
  • There are 3 different versions. If one of them won't run then download and try to run the other one.
  • Vista and Win7 users need to right click and choose Run as Admin.
  • You only need to get one of them to run, not all of them.
rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the Desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

Before proceeding any further, the processes that belong to Windows Recovery need to be terminated so that they do not interfere with the cleaning procedure.

Double-click on the RKill.exe icon in order to automatically attempt to stop any processes associated with Windows Recovery and other Rogue programs.
===

Please do not reboot your computer.


Now, please follow these instructions to remove the remaining malicious entries:

  • Please close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the quotebox below into it:

    Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail.

    killall::

    DDS::
    uInternet Settings,ProxyOverride = <local>;*.local
    BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
    TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
    TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    Trusted Zone: microsoft.com\www.update

    Folder::
    c:\documents and settings\tomc\Application Data\Adoquk
    c:\documents and settings\tomc\Application Data\Cosyymk
    c:\documents and settings\Owner\Application Data\Muvis
    c:\documents and settings\Owner\Application Data\Abokra
    c:\documents and settings\Owner\Application Data\Ypq
    c:\documents and settings\Owner\Application Data\Yzymt


  • Save this as CFScript.txt, in the same location as ComboFix.exe.

  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at C:\ComboFix.txt.


Please post the ComboFix.txt in your next reply.
============

Next, please download to your Desktop SystemLook by jpshortstuff from here or here.
Double-click SystemLook.exe and copy and paste the content of the following codebox (starting with :filefind) into the main textfield and click the Look button to start the scan:


:filefind
explorer.exe



When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt.
==========

Next, please download to your Desktop:
  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure. Instead, choose SKIP, then click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.


Finally, please download aswMBR by gmer to your Desktop.

  • Please visit this site for instructions on how to run the tool.
  • Once familiar with this tool, double click aswMBR.exe to run it.
  • Click the Scan button to start the scan.
  • Once the scan has completed, please save the aswMBR.txt log to the Desktop and post it in your next reply
==========

In your next reply, please post the following:
  • ComboFix.txt.
  • SystemLook.txt.
  • Log from TDSSKiller.
  • aswMBR.txt.
How are things running on your computer at the moment?

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!

If I have helped you please consider donating to help keep this forum running; see this topic for more details.



#7 Tomcos

Tomcos

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 10 February 2012 - 05:27 PM

Hi Dark Knight, here are the latest requested logs.


ComboFix 12-02-10.01 - Owner 02/10/2012 9:41.12.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.533 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\skjraaa.tmp
c:\documents and settings\All Users\Application Data\tkjraaa.tmp
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\winlogon.exe
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\svchost.exe
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-01-10 to 2012-02-10 )))))))))))))))))))))))))))))))
.
.
2012-01-29 01:19 . 2012-01-29 01:19 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-29 01:12 . 2012-01-29 01:12 237 ----a-w- C:\user.js
2012-01-29 01:12 . 2012-01-29 01:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Babylon
2012-01-29 01:12 . 2012-01-29 01:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Babylon
2012-01-29 01:12 . 2012-01-29 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2012-01-27 16:07 . 2012-01-27 16:07 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Yahoo
2012-01-27 15:33 . 2012-01-27 15:40 -------- dc----w- c:\windows\ie8
2012-01-23 02:17 . 2012-01-23 02:17 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2012-01-23 00:56 . 2012-01-23 00:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-01-23 00:32 . 2012-01-29 15:46 -------- d-----w- c:\program files\4CE5F
2012-01-15 01:28 . 2012-02-05 05:51 45016 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-15 01:28 . 2012-01-15 01:28 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-15 01:28 . 2012-01-15 01:28 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-15 01:28 . 2012-01-15 01:28 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 20:24 . 2011-08-06 23:50 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57 . 2004-08-26 16:12 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-26 16:12 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-26 16:12 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-18 01:29 . 2011-05-22 13:46 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-16 14:21 . 2004-08-26 16:12 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-26 16:12 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-15 00:47 . 2011-12-27 01:53 408648 ----a-w- c:\windows\system32\dsNcSmartCardProv.dll
2011-11-15 00:47 . 2011-12-27 01:53 363592 ----a-w- c:\windows\system32\dsNcCredProv.dll
2011-11-15 00:43 . 2011-11-15 00:43 225280 ----a-w- c:\windows\system32\dsGinaLoader.dll
2011-11-15 00:14 . 2007-07-16 19:56 26624 ----a-w- c:\windows\system32\drivers\dsNcAdpt.sys
2012-02-05 05:51 . 2011-04-09 05:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\winlogon.exe
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . 1BFF879A92D2C4CB6605EEF54DDA3438 . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
.
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\svchost.exe
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 . AF42C56D9426626107DB30A50EB923C8 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[7] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\svchost.exe
.
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 . A435B2C1EEAE3953D633730FD5E27C30 . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10p_ActiveX.exe" [2011-04-21 235168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-06-25 01:06 904768 ----a-w- c:\program files\Seagate\DiscWizard\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2001-09-04 19:31 655360 ----a-w- c:\program files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 15:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-04 03:51 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 18:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
2008-06-25 00:52 1325848 ----a-w- c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverUpdate]
2011-06-01 19:06 26699616 ----a-w- c:\program files\DriverUpdate\DriverUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
2003-12-17 19:51 94208 ----a-w- c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleBackupManager]
c:\documents and settings\All Users\Application Data\GoogleBackupManager.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-07-10 12:13 114688 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2005-01-12 19:54 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 04:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-07-10 12:25 155648 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2009-06-17 16:55 55824 ----a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Last.fm Update]
c:\documents and settings\Owner\Local Settings\Application Data\Apple\AppleUpdate\Appleupdt32.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2003-06-07 11:32 50688 ----a-w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess]
2011-07-22 04:07 718720 ----a-w- c:\program files\Microsoft Office\Office14\MSOSYNC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRESET]
2008-01-17 20:00 45056 ----a-w- c:\program files\Avaya\Avaya IP Softphone\IP Service Provider\pwreset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-13 20:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 03:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Scheduler2 Service]
2008-06-25 00:56 136472 ----a-w- c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StxTrayMenu]
2007-01-18 18:20 190008 ----a-w- c:\program files\Seagate\SystemTray\StxMenuMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
2004-05-27 01:57 139264 ----a-w- c:\program files\Digital Media Reader\shwicon2k.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-28 01:58 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2004-03-27 01:20 499712 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-03-27 01:20 98304 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-06-07 02:41 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]
2010-10-14 14:05 155216 ----a-w- c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSSHD Activation State Checker]
2009-04-04 04:42 216320 ----a-w- c:\program files\Bitvise WinSSHD\WinsshdActStateCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"HCLInetd"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
.
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [1/21/2011 10:38 PM 56208]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [12/11/2008 9:03 PM 10384]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 7:56 PM 431384]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2/2/2009 7:43 PM 131152]
R3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [10/30/2010 10:51 AM 91728]
S0 inmm;inmm;c:\windows\system32\drivers\hmhibmfx.sys --> c:\windows\system32\drivers\hmhibmfx.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/27/2009 12:19 AM 135664]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\Owner\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\Owner\LOCALS~1\Temp\CFcatchme.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/27/2009 12:19 AM 135664]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [6/12/2011 10:15 AM 31125880]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 Pcouffin;Low level access layer for CD devices;c:\windows\system32\Drivers\Pcouffin.sys --> c:\windows\system32\Drivers\Pcouffin.sys [?]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [7/3/2011 9:51 AM 12984]
S4 OracleDBConsoleorl11g;OracleDBConsoleorl11g; [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 05:19]
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 05:19]
.
2005-02-26 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]
.
2005-02-26 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]
.
2012-01-13 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=usertomc&key=008f383dda2eef7bf7ff30a5dda71c06&ts=4223aca1&A=0&B=1104825600000&C=1034751600000&D=0&I=7.NQ4&N=&O=I
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.0.1
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://mymail.bnymellon.net/dwa85W.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ab7w5xtw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-dplaysvr - c:\documents and settings\Owner\Application Data\dplaysvr.exe
HKU-Default-Run-dplaysvr - c:\documents and settings\Owner\Application Data\dplaysvr.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-10 10:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,b7,0f,68,43,53,7f,44,b0,44,a3,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,b7,0f,68,43,53,7f,44,b0,44,a3,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(976)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(1752)
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\program files\Hummingbird\Connectivity\7.00\HostExplorer\Ftp\HESHELL.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Symantec\Norton Ghost 2003\GhostStartService.exe
c:\windows\system32\QosServM.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
c:\program files\Notes6\ntmulti.exe
c:\windows\system32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Bitvise WinSSHD\WinSSHD.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Java\jre6\bin\javaw.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-02-10 10:11:11 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-10 15:11
ComboFix2.txt 2012-02-09 02:28
ComboFix3.txt 2012-02-08 02:23
ComboFix4.txt 2012-02-05 17:29
ComboFix5.txt 2012-02-10 14:36
.
Pre-Run: 38,213,402,624 bytes free
Post-Run: 38,953,820,160 bytes free
.
- - End Of File - - 3AE913EA538C7918F219EDE6ED0DE2FB

SystemLook 30.07.11 by jpshortstuff
Log created at 10:26 on 10/02/2012 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1058816 bytes [16:11 26/08/2004] [00:12 14/04/2008] A435B2C1EEAE3953D633730FD5E27C30
C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe --a---- 1033216 bytes [11:26 13/06/2007] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658
C:\WINDOWS\$NtServicePackUninstall$\explorer.exe -----c- 1033216 bytes [03:52 06/09/2008] [10:23 13/06/2007] 97BD6515465659FF8F3B7BE375B2EA87
C:\WINDOWS\$NtUninstallKB938828$\explorer.exe -----c- 1032192 bytes [22:39 16/08/2007] [19:00 04/08/2004] A0732187050030AE399B241436565E64
C:\WINDOWS\ERDNT\cache\explorer.exe --a---- 1033728 bytes [21:04 10/06/2011] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\ServicePackFiles\i386\explorer.exe ------- 1033728 bytes [00:49 20/08/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

-= EOF =-

10:34:19.0468 2508 TDSS rootkit removing tool 2.7.11.0 Feb 9 2012 10:12:57
10:34:19.0703 2508 ============================================================
10:34:19.0703 2508 Current date / time: 2012/02/10 10:34:19.0703
10:34:19.0703 2508 SystemInfo:
10:34:19.0703 2508
10:34:19.0703 2508 OS Version: 5.1.2600 ServicePack: 3.0
10:34:19.0703 2508 Product type: Workstation
10:34:19.0703 2508 ComputerName: TOMLAP
10:34:19.0703 2508 UserName: Owner
10:34:19.0703 2508 Windows directory: C:\WINDOWS
10:34:19.0703 2508 System windows directory: C:\WINDOWS
10:34:19.0703 2508 Processor architecture: Intel x86
10:34:19.0703 2508 Number of processors: 2
10:34:19.0703 2508 Page size: 0x1000
10:34:19.0703 2508 Boot type: Normal boot
10:34:19.0703 2508 ============================================================
10:34:22.0203 2508 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
10:34:22.0203 2508 \Device\Harddisk0\DR0:
10:34:22.0203 2508 MBR used
10:34:22.0203 2508 \Device\Harddisk0\DR0\Partition0: MBR, Type 0xB, StartLBA 0x3F, BlocksNum 0x8654E5
10:34:22.0203 2508 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x865524, BlocksNum 0x8CA50DC
10:34:22.0250 2508 Initialize success
10:34:22.0250 2508 ============================================================
10:34:36.0187 2732 ============================================================
10:34:36.0187 2732 Scan started
10:34:36.0187 2732 Mode: Manual; SigCheck; TDLFS;
10:34:36.0187 2732 ============================================================
10:34:36.0640 2732 Abiosdsk - ok
10:34:36.0687 2732 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
10:34:37.0093 2732 abp480n5 - ok
10:34:37.0125 2732 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
10:34:37.0312 2732 ACPI - ok
10:34:37.0375 2732 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
10:34:37.0531 2732 ACPIEC - ok
10:34:37.0578 2732 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
10:34:37.0734 2732 adpu160m - ok
10:34:37.0796 2732 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
10:34:37.0984 2732 aec - ok
10:34:38.0046 2732 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
10:34:38.0109 2732 AFD - ok
10:34:38.0281 2732 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
10:34:38.0484 2732 agp440 - ok
10:34:38.0500 2732 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
10:34:38.0687 2732 agpCPQ - ok
10:34:38.0718 2732 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
10:34:38.0765 2732 Aha154x - ok
10:34:38.0796 2732 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
10:34:38.0937 2732 aic78u2 - ok
10:34:38.0968 2732 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
10:34:39.0109 2732 aic78xx - ok
10:34:39.0140 2732 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
10:34:39.0312 2732 AliIde - ok
10:34:39.0359 2732 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
10:34:39.0515 2732 alim1541 - ok
10:34:39.0531 2732 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
10:34:39.0687 2732 amdagp - ok
10:34:39.0703 2732 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
10:34:39.0765 2732 amsint - ok
10:34:39.0812 2732 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
10:34:39.0968 2732 Arp1394 - ok
10:34:39.0984 2732 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
10:34:40.0203 2732 asc - ok
10:34:40.0218 2732 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
10:34:40.0281 2732 asc3350p - ok
10:34:40.0296 2732 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
10:34:40.0468 2732 asc3550 - ok
10:34:40.0593 2732 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
10:34:40.0796 2732 AsyncMac - ok
10:34:40.0812 2732 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
10:34:40.0984 2732 atapi - ok
10:34:41.0000 2732 Atdisk - ok
10:34:41.0062 2732 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
10:34:41.0250 2732 Atmarpc - ok
10:34:41.0359 2732 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
10:34:41.0515 2732 audstub - ok
10:34:41.0609 2732 BCM43XX (d87b4e14e890091d8e64fb5c570cf192) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
10:34:41.0703 2732 BCM43XX - ok
10:34:41.0937 2732 bcm4sbxp (b60f57b4d9cdbc663cc03eb8af7ec34e) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
10:34:42.0015 2732 bcm4sbxp - ok
10:34:42.0046 2732 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
10:34:42.0250 2732 Beep - ok
10:34:42.0390 2732 CAMCAUD (631fb586a927969147d706c8e09babb3) C:\WINDOWS\system32\drivers\camcaud.sys
10:34:42.0468 2732 CAMCAUD - ok
10:34:42.0562 2732 CAMCHALA (d0331a53dcfd06d9fa33dfe1d4393c2b) C:\WINDOWS\system32\drivers\camchal.sys
10:34:42.0609 2732 CAMCHALA - ok
10:34:42.0609 2732 catchme - ok
10:34:42.0656 2732 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
10:34:42.0812 2732 cbidf - ok
10:34:42.0828 2732 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
10:34:42.0968 2732 cbidf2k - ok
10:34:43.0078 2732 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
10:34:43.0250 2732 CCDECODE - ok
10:34:43.0281 2732 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
10:34:43.0406 2732 cd20xrnt - ok
10:34:43.0437 2732 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
10:34:43.0625 2732 Cdaudio - ok
10:34:43.0687 2732 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
10:34:43.0859 2732 Cdfs - ok
10:34:44.0031 2732 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
10:34:44.0218 2732 Cdrom - ok
10:34:44.0406 2732 CFcatchme - ok
10:34:44.0421 2732 Changer - ok
10:34:44.0484 2732 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
10:34:44.0703 2732 CmBatt - ok
10:34:44.0750 2732 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
10:34:44.0921 2732 CmdIde - ok
10:34:44.0953 2732 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
10:34:45.0171 2732 Compbatt - ok
10:34:45.0234 2732 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
10:34:45.0375 2732 Cpqarray - ok
10:34:45.0406 2732 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
10:34:45.0562 2732 dac2w2k - ok
10:34:45.0578 2732 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
10:34:45.0781 2732 dac960nt - ok
10:34:45.0812 2732 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
10:34:45.0968 2732 Disk - ok
10:34:46.0093 2732 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
10:34:46.0312 2732 dmboot - ok
10:34:46.0500 2732 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
10:34:46.0718 2732 dmio - ok
10:34:46.0734 2732 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
10:34:46.0890 2732 dmload - ok
10:34:46.0937 2732 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
10:34:47.0125 2732 DMusic - ok
10:34:47.0265 2732 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
10:34:47.0437 2732 dpti2o - ok
10:34:47.0531 2732 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
10:34:47.0703 2732 drmkaud - ok
10:34:47.0781 2732 dsNcAdpt (e6b6dd5a355c432045219fad8512fb70) C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
10:34:47.0828 2732 dsNcAdpt - ok
10:34:48.0046 2732 eeCtrl (75e8b69f28c813675b16db357f20720f) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
10:34:48.0109 2732 eeCtrl - ok
10:34:48.0328 2732 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
10:34:48.0562 2732 Fastfat - ok
10:34:48.0640 2732 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
10:34:48.0812 2732 Fdc - ok
10:34:48.0875 2732 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
10:34:49.0046 2732 Fips - ok
10:34:49.0140 2732 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
10:34:49.0328 2732 Flpydisk - ok
10:34:49.0437 2732 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
10:34:49.0625 2732 FltMgr - ok
10:34:49.0734 2732 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
10:34:49.0906 2732 Fs_Rec - ok
10:34:49.0968 2732 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
10:34:50.0140 2732 Ftdisk - ok
10:34:50.0265 2732 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
10:34:50.0265 2732 GEARAspiWDM - ok
10:34:50.0484 2732 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
10:34:50.0703 2732 Gpc - ok
10:34:50.0796 2732 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
10:34:50.0937 2732 HidUsb - ok
10:34:51.0015 2732 hotcore3 (39ae0be51f51a660ce2b14af9be8548f) C:\WINDOWS\system32\DRIVERS\hotcore3.sys
10:34:51.0031 2732 hotcore3 - ok
10:34:51.0046 2732 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
10:34:51.0203 2732 hpn - ok
10:34:51.0234 2732 HPZid412 (5faba4775d4c61e55ec669d643ffc71f) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
10:34:51.0296 2732 HPZid412 - ok
10:34:51.0312 2732 HPZipr12 (a3c43980ee1f1beac778b44ea65dbdd4) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
10:34:51.0390 2732 HPZipr12 - ok
10:34:51.0437 2732 HPZius12 (2906949bd4e206f2bb0dd1896ce9f66f) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
10:34:51.0531 2732 HPZius12 - ok
10:34:51.0609 2732 HSFHWICH (2d9f10d6e7baa20c4526ce6a16444581) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
10:34:51.0671 2732 HSFHWICH - ok
10:34:51.0796 2732 HSF_DP (2d566a7f0b4c54b417ac637cb608444b) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
10:34:51.0937 2732 HSF_DP - ok
10:34:52.0156 2732 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
10:34:52.0218 2732 HTTP - ok
10:34:52.0312 2732 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
10:34:52.0500 2732 i2omgmt - ok
10:34:52.0531 2732 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
10:34:52.0703 2732 i2omp - ok
10:34:52.0750 2732 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
10:34:52.0937 2732 i8042prt - ok
10:34:53.0046 2732 ialm (50d909fdaf6df35b04c6b6a4bcb6d675) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
10:34:53.0296 2732 ialm - ok
10:34:53.0343 2732 imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
10:34:53.0546 2732 imapi - ok
10:34:53.0921 2732 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
10:34:54.0109 2732 ini910u - ok
10:34:54.0125 2732 inmm - ok
10:34:54.0140 2732 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
10:34:54.0296 2732 IntelIde - ok
10:34:54.0359 2732 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
10:34:54.0515 2732 intelppm - ok
10:34:54.0625 2732 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
10:34:54.0796 2732 Ip6Fw - ok
10:34:54.0812 2732 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
10:34:55.0015 2732 IpInIp - ok
10:34:55.0125 2732 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
10:34:55.0281 2732 IpNat - ok
10:34:55.0343 2732 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
10:34:55.0484 2732 IPSec - ok
10:34:55.0500 2732 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
10:34:55.0593 2732 IRENUM - ok
10:34:55.0640 2732 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
10:34:55.0796 2732 isapnp - ok
10:34:55.0921 2732 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
10:34:56.0078 2732 Kbdclass - ok
10:34:56.0125 2732 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
10:34:56.0281 2732 kmixer - ok
10:34:56.0312 2732 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
10:34:56.0406 2732 KSecDD - ok
10:34:56.0671 2732 LBeepKE (8f4d784b3f22f468eea99da02b0e39e5) C:\WINDOWS\system32\Drivers\LBeepKE.sys
10:34:56.0671 2732 LBeepKE - ok
10:34:56.0703 2732 lbrtfdc - ok
10:34:56.0781 2732 LHidFilt (7f9c7b28cf1c859e1c42619eea946dc8) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
10:34:56.0796 2732 LHidFilt - ok
10:34:56.0828 2732 LMouFilt (ab33792a87285344f43b5ce23421bab0) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
10:34:56.0843 2732 LMouFilt - ok
10:34:56.0890 2732 LUsbFilt (77030525cd86a93f1af34fa9b96d33ce) C:\WINDOWS\system32\Drivers\LUsbFilt.Sys
10:34:56.0890 2732 LUsbFilt - ok
10:34:56.0937 2732 mdmxsdk (b72d7ea394d5f1c5053368783ad7f7ed) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
10:34:56.0968 2732 mdmxsdk - ok
10:34:57.0046 2732 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
10:34:57.0234 2732 mnmdd - ok
10:34:57.0328 2732 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
10:34:57.0484 2732 Modem - ok
10:34:57.0531 2732 motmodem (5023875a94b0766d98a62a72bc4cb055) C:\WINDOWS\system32\DRIVERS\motmodem.sys
10:34:57.0843 2732 motmodem - ok
10:34:58.0093 2732 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
10:34:58.0312 2732 Mouclass - ok
10:34:58.0421 2732 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
10:34:58.0562 2732 mouhid - ok
10:34:58.0609 2732 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
10:34:58.0765 2732 MountMgr - ok
10:34:58.0796 2732 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
10:34:58.0968 2732 mraid35x - ok
10:34:59.0000 2732 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
10:34:59.0203 2732 MRxDAV - ok
10:34:59.0312 2732 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
10:34:59.0484 2732 Msfs - ok
10:34:59.0515 2732 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
10:34:59.0656 2732 MSKSSRV - ok
10:34:59.0671 2732 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
10:34:59.0859 2732 MSPCLOCK - ok
10:34:59.0875 2732 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
10:35:00.0015 2732 MSPQM - ok
10:35:00.0109 2732 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
10:35:00.0281 2732 mssmbios - ok
10:35:00.0312 2732 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
10:35:00.0468 2732 MSTEE - ok
10:35:00.0750 2732 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
10:35:00.0781 2732 Mup - ok
10:35:00.0796 2732 mxnic (e1cdf20697d992cf83ff86dd04df1285) C:\WINDOWS\system32\DRIVERS\mxnic.sys
10:35:00.0953 2732 mxnic - ok
10:35:00.0984 2732 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
10:35:01.0156 2732 NABTSFEC - ok
10:35:01.0437 2732 NAVENG (862f55824ac81295837b0ab63f91071f) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120131.017\NAVENG.SYS
10:35:01.0453 2732 NAVENG - ok
10:35:01.0625 2732 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120131.017\NAVEX15.SYS
10:35:01.0718 2732 NAVEX15 - ok
10:35:02.0078 2732 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
10:35:02.0265 2732 NDIS - ok
10:35:02.0328 2732 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
10:35:02.0500 2732 NdisIP - ok
10:35:02.0625 2732 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
10:35:02.0671 2732 NdisTapi - ok
10:35:02.0765 2732 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
10:35:02.0984 2732 Ndisuio - ok
10:35:03.0093 2732 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
10:35:03.0265 2732 NdisWan - ok
10:35:03.0312 2732 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
10:35:03.0343 2732 NDProxy - ok
10:35:03.0375 2732 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
10:35:03.0531 2732 NetBIOS - ok
10:35:03.0593 2732 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
10:35:03.0796 2732 NetBT - ok
10:35:04.0062 2732 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
10:35:04.0234 2732 NIC1394 - ok
10:35:04.0250 2732 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
10:35:04.0390 2732 Npfs - ok
10:35:04.0546 2732 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
10:35:04.0734 2732 Ntfs - ok
10:35:04.0812 2732 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
10:35:04.0968 2732 Null - ok
10:35:05.0156 2732 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
10:35:05.0484 2732 nv - ok
10:35:05.0859 2732 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
10:35:06.0015 2732 NwlnkFlt - ok
10:35:06.0046 2732 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
10:35:06.0187 2732 NwlnkFwd - ok
10:35:06.0312 2732 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
10:35:06.0468 2732 ohci1394 - ok
10:35:06.0593 2732 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
10:35:06.0765 2732 P3 - ok
10:35:06.0781 2732 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
10:35:06.0921 2732 Parport - ok
10:35:06.0937 2732 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
10:35:07.0093 2732 PartMgr - ok
10:35:07.0109 2732 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
10:35:07.0343 2732 ParVdm - ok
10:35:07.0390 2732 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
10:35:07.0562 2732 PCI - ok
10:35:07.0578 2732 PCIDump - ok
10:35:07.0625 2732 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
10:35:07.0765 2732 PCIIde - ok
10:35:07.0796 2732 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
10:35:07.0968 2732 Pcmcia - ok
10:35:07.0984 2732 Pcouffin - ok
10:35:08.0000 2732 PDCOMP - ok
10:35:08.0031 2732 PDFRAME - ok
10:35:08.0046 2732 PDRELI - ok
10:35:08.0062 2732 PDRFRAME - ok
10:35:08.0093 2732 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
10:35:08.0234 2732 perc2 - ok
10:35:08.0406 2732 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
10:35:08.0546 2732 perc2hib - ok
10:35:08.0625 2732 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
10:35:08.0765 2732 PptpMiniport - ok
10:35:08.0781 2732 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
10:35:08.0921 2732 PSched - ok
10:35:08.0953 2732 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
10:35:09.0078 2732 Ptilink - ok
10:35:09.0109 2732 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
10:35:09.0265 2732 ql1080 - ok
10:35:09.0281 2732 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
10:35:09.0421 2732 Ql10wnt - ok
10:35:09.0437 2732 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
10:35:09.0562 2732 ql12160 - ok
10:35:09.0609 2732 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
10:35:09.0765 2732 ql1240 - ok
10:35:09.0781 2732 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
10:35:09.0921 2732 ql1280 - ok
10:35:09.0968 2732 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
10:35:10.0109 2732 RasAcd - ok
10:35:10.0171 2732 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
10:35:10.0328 2732 Rasl2tp - ok
10:35:10.0359 2732 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
10:35:10.0484 2732 RasPppoe - ok
10:35:10.0515 2732 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
10:35:10.0671 2732 Raspti - ok
10:35:10.0843 2732 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
10:35:11.0015 2732 Rdbss - ok
10:35:11.0062 2732 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
10:35:11.0218 2732 RDPCDD - ok
10:35:11.0296 2732 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
10:35:11.0500 2732 rdpdr - ok
10:35:11.0703 2732 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
10:35:11.0812 2732 RDPWD - ok
10:35:11.0875 2732 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
10:35:12.0078 2732 redbook - ok
10:35:12.0171 2732 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
10:35:12.0265 2732 Secdrv - ok
10:35:12.0312 2732 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
10:35:12.0515 2732 serenum - ok
10:35:12.0593 2732 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
10:35:12.0781 2732 Serial - ok
10:35:12.0796 2732 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
10:35:12.0953 2732 Sfloppy - ok
10:35:12.0984 2732 Simbad - ok
10:35:13.0046 2732 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
10:35:13.0265 2732 sisagp - ok
10:35:13.0296 2732 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
10:35:13.0468 2732 SLIP - ok
10:35:13.0531 2732 snapman (c3bf55189aa92b8f919108ef9e4accae) C:\WINDOWS\system32\DRIVERS\snapman.sys
10:35:13.0546 2732 snapman - ok
10:35:13.0750 2732 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
10:35:13.0828 2732 Sparrow - ok
10:35:13.0859 2732 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
10:35:14.0015 2732 splitter - ok
10:35:14.0046 2732 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
10:35:14.0140 2732 sr - ok
10:35:14.0203 2732 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
10:35:14.0312 2732 Srv - ok
10:35:14.0406 2732 StreamDispatcher (3e5aa17e13fba9969d17b5455bde8efd) C:\WINDOWS\system32\DRIVERS\strmdisp.sys
10:35:14.0453 2732 StreamDispatcher - ok
10:35:14.0484 2732 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
10:35:14.0671 2732 streamip - ok
10:35:14.0796 2732 SWDUMon (19d1458487a1aadf4feb3d74a8ed0634) C:\WINDOWS\system32\DRIVERS\SWDUMon.sys
10:35:14.0812 2732 SWDUMon - ok
10:35:14.0859 2732 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
10:35:15.0015 2732 swenum - ok
10:35:15.0187 2732 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
10:35:15.0375 2732 swmidi - ok
10:35:15.0421 2732 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
10:35:15.0562 2732 symc810 - ok
10:35:15.0578 2732 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
10:35:15.0718 2732 symc8xx - ok
10:35:15.0750 2732 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
10:35:15.0890 2732 sym_hi - ok
10:35:15.0906 2732 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
10:35:16.0062 2732 sym_u3 - ok
10:35:16.0125 2732 SynTP (b6396adc5b0aa50e20e7a7169843af59) C:\WINDOWS\system32\DRIVERS\SynTP.sys
10:35:16.0203 2732 SynTP - ok
10:35:16.0250 2732 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
10:35:16.0375 2732 sysaudio - ok
10:35:16.0500 2732 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
10:35:16.0593 2732 Tcpip - ok
10:35:16.0812 2732 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
10:35:17.0015 2732 TDPIPE - ok
10:35:17.0109 2732 tdrpman (3b7b6779eb231f731bba8f9fe67aadfc) C:\WINDOWS\system32\DRIVERS\tdrpman.sys
10:35:17.0140 2732 tdrpman - ok
10:35:17.0203 2732 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
10:35:17.0359 2732 TDTCP - ok
10:35:17.0390 2732 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
10:35:17.0531 2732 TermDD - ok
10:35:17.0562 2732 tifsfilter (b0b3122bff3910e0ba97014045467778) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
10:35:17.0578 2732 tifsfilter - ok
10:35:17.0609 2732 timounter (13bfe330880ac0ce8672d00aa5aff738) C:\WINDOWS\system32\DRIVERS\timntr.sys
10:35:17.0640 2732 timounter - ok
10:35:17.0671 2732 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
10:35:17.0859 2732 TosIde - ok
10:35:17.0937 2732 TotRec7 (18b201f34f5fe3d60a6c48d955166280) C:\WINDOWS\system32\drivers\TotRec7.sys
10:35:17.0953 2732 TotRec7 - ok
10:35:17.0984 2732 TotRec8 (0715a69f50bdc84f1b9c63f364ac61bf) C:\WINDOWS\system32\drivers\TotRec8.sys
10:35:17.0984 2732 TotRec8 - ok
10:35:18.0046 2732 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
10:35:18.0203 2732 Udfs - ok
10:35:18.0406 2732 UimBus (e0e3268453c3d4ed68a632099482b543) C:\WINDOWS\system32\DRIVERS\UimBus.sys
10:35:18.0421 2732 UimBus - ok
10:35:18.0468 2732 Uim_IM (71fc84677af3f6416338b14efe02ddd7) C:\WINDOWS\system32\Drivers\Uim_IM.sys
10:35:18.0500 2732 Uim_IM - ok
10:35:18.0515 2732 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
10:35:18.0640 2732 ultra - ok
10:35:18.0750 2732 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32&#

#8 The Dark Knight

The Dark Knight

    Malware Vigilante

  • Trusted Advisor*
  • 2,214 posts

Posted 10 February 2012 - 06:59 PM

Howdy Tomcos. :)

Please print out this set of instructions or save them in a Notepad. Read the entire post before proceeding, because it will make following the instructions easier.

To get started:

Please go to Start>Run>write cmd and click OK...

In the command prompt write (or copy and right-click paste):

copy C:\WINDOWS\ERDNT\cache\explorer.exe c:\svchost.exe
copy c:\windows\ERDNT\cache\winlogon.exe c:\winlogon.exe
copy c:\windows\ERDNT\cache\svchost.exe c:\explorer.exe


Then click Enter.

Close the command prompt and ensure these files have been created:

c:\svchost.exe
c:\winlogon.exe
c:\explorer.exe


If yes, please start the Recovery Console.

Once in the Recovery Console, please execute the following commands (watch the spaces) in bold - click Enter after every one of them:

ren c:\windows\system32\winlogon.exe
copy c:\winlogon.exe c:\windows\system32\winlogon.exe
ren c:\windows\system32\svchost.exe
copy c:\svchost.exe c:\windows\system32\svchost.exe
ren c:\windows\explorer.exe
copy c:\explorer.exe c:\windows\explorer.exe
exit


It should reboot automatically - boot into Normal Mode... If these commands were executed properly, the infection should be removed now.


Finally, to confirm a successful removal:

Please download GMER from one of the following locations and save it to your Desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your Desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress).
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Please post its logfile in your next reply.
===========

Next, please delete your current copy of ComboFix. Then, please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

Please include the C:\ComboFix.txt in your next reply for further review.
==========

Finally, please re-run aswMBR and post its log in your next reply.
==========

In your next reply, please provide the following:
  • Log from gmer.
  • ComboFix.txt.
  • aswMBR.txt.
How is your computer currently running?

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!

If I have helped you please consider donating to help keep this forum running; see this topic for more details.



#9 Tomcos

Tomcos

    Member

  • Full Member
  • 17 posts

Posted 10 February 2012 - 10:15 PM

Hi Blacknight, I'm getting "invalid parameter" with the ren command from the recovery console. Am I supposed to give it a second parameter that the file should be renamed to?

#10 The Dark Knight

The Dark Knight

    Malware Vigilante

  • Trusted Advisor*
  • 2,214 posts

Posted 11 February 2012 - 06:51 AM

Hi Tomcos. :)

You are getting an error because I didn't give you the full script. :blush2:


Please go to Start>Run>write cmd and click OK...

In the command prompt write (or copy and right-click paste):

copy C:\WINDOWS\ERDNT\cache\explorer.exe c:\svchost.exe
copy c:\windows\ERDNT\cache\winlogon.exe c:\winlogon.exe
copy c:\windows\ERDNT\cache\svchost.exe c:\explorer.exe


Then click Enter.

Close the command prompt and ensure these files have been created:

c:\svchost.exe
c:\winlogon.exe
c:\explorer.exe


If yes, please start the Recovery Console.

Once in the Recovery Console, please execute the following commands (watch the spaces) in bold - click Enter after every one of them:

ren c:\windows\system32\winlogon.exe c:\windows\system32\winlogon.old
copy c:\winlogon.exe c:\windows\system32\winlogon.exe
ren c:\windows\system32\svchost.exe c:\windows\system32\svchost.old
copy c:\svchost.exe c:\windows\system32\svchost.exe
ren c:\windows\explorer.exe c:\windows\explorer.old
copy c:\explorer.exe c:\windows\explorer.exe
exit


It should reboot automatically - boot into Normal Mode... If these commands were executed properly, the infection should be removed now.

Then, please follow the rest of the instructions in my previous post. :thumbup:



#11 Tomcos

Tomcos

    Member

  • Full Member
  • 17 posts

Posted 11 February 2012 - 10:51 AM



#12 Tomcos

Tomcos

    Member

  • Full Member
  • 17 posts

Posted 11 February 2012 - 10:58 AM

Dark Knight,
I followed your instructions on the renaming and copying of files in recovery mode. When the computer rebooted into normal mode, I did not get my desktop environment and there were not many processes running.

Is this initial set of copy commands correct? Why am I changing the file names on those two copy commands below?

copy C:\WINDOWS\ERDNT\cache\explorer.exe c:\svchost.exe
copy c:\windows\ERDNT\cache\winlogon.exe c:\winlogon.exe
copy c:\windows\ERDNT\cache\svchost.exe c:\explorer.exe


#13 The Dark Knight

The Dark Knight

    Malware Vigilante

  • Trusted Advisor*
  • 2,214 posts

Posted 11 February 2012 - 04:34 PM

Hey Tomcos. :)

A switch is needed. :thumbup:


Please go to Start>Run>write cmd and click OK...

In the command prompt write (or copy and right-click paste):

copy C:\WINDOWS\ERDNT\cache\explorer.exe c:\explorer.exe
copy c:\windows\ERDNT\cache\winlogon.exe c:\winlogon.exe
copy c:\windows\ERDNT\cache\svchost.exe c:\svchost.exe


Then click Enter.

Close the command prompt and ensure these files have been created:

c:\svchost.exe
c:\winlogon.exe
c:\explorer.exe


If yes, please start the Recovery Console.

Once in the Recovery Console, please execute the following commands (watch the spaces) in bold - click Enter after every one of them:

ren c:\windows\system32\winlogon.exe c:\windows\system32\winlogon.old
copy c:\winlogon.exe c:\windows\system32\winlogon.exe
ren c:\windows\system32\svchost.exe c:\windows\system32\svchost.old
copy c:\svchost.exe c:\windows\system32\svchost.exe
ren c:\windows\explorer.exe c:\windows\explorer.old
copy c:\explorer.exe c:\windows\explorer.exe
exit


It should reboot automatically - boot into Normal Mode... If these commands were executed properly, the infection should be removed now.

Then, please follow the rest of the instructions in my previous post. :thumbup:

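A check worth running before the Recovery Console step, as an added example that is not part of the thread or of any helper's instructions: hash the three staged copies in C:\ against the ERDNT cache they came from and refuse to proceed if any copy is missing, unrecognised, or carries another file's content under the wrong name. That last case is exactly what the first set of copy commands produced (explorer.exe staged as svchost.exe and vice versa), and it is why the desktop failed to load after the swap. The paths C:\ and C:\WINDOWS\ERDNT\cache are assumptions taken from the posts; the demo function builds fake files in a temporary directory so the check can be exercised offline.

```python
"""Verify staged copies of winlogon.exe / svchost.exe / explorer.exe before
the Recovery Console step overwrites the live ones.

Added example, not from the thread.  Assumed: the three staged copies sit in
C:\\ and C:\\WINDOWS\\ERDNT\\cache is the trusted reference, as in the posts.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

FILES = ("winlogon.exe", "svchost.exe", "explorer.exe")


def sha256_of(path):
    """Streamed SHA-256 of a file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_staged(staged_dir, reference_dir, names=FILES):
    """Map each name to 'ok', 'missing', 'swapped:<other>' (the staged file's
    content is a different reference file, i.e. it was copied under the wrong
    name) or 'unknown' (matches nothing in the reference set)."""
    ref = {}
    for n in names:
        p = Path(reference_dir) / n
        if p.is_file():
            ref[n] = sha256_of(p)
    status = {}
    for n in names:
        p = Path(staged_dir) / n
        if not p.is_file():
            status[n] = "missing"
            continue
        digest = sha256_of(p)
        if ref.get(n) == digest:
            status[n] = "ok"
            continue
        others = [m for m, d in ref.items() if d == digest and m != n]
        status[n] = f"swapped:{others[0]}" if others else "unknown"
    return status


def all_ok(status):
    """True only when every file was found and matched its own reference."""
    return bool(status) and all(v == "ok" for v in status.values())


def demo(swap_names=True):
    """Constructed demo on fake files: a reference cache plus a staged set
    copied either correctly or with explorer.exe and svchost.exe under each
    other's names, which is what the thread's first copy commands did."""
    base = Path(tempfile.mkdtemp())
    try:
        ref, stg = base / "cache", base / "staged"
        ref.mkdir()
        stg.mkdir()
        content = {n: f"fake {n} bytes".encode() for n in FILES}
        for n, data in content.items():
            (ref / n).write_bytes(data)
        (stg / "winlogon.exe").write_bytes(content["winlogon.exe"])
        if swap_names:
            src_svc, src_exp = "explorer.exe", "svchost.exe"   # wrong names
        else:
            src_svc, src_exp = "svchost.exe", "explorer.exe"   # correct names
        (stg / "svchost.exe").write_bytes(content[src_svc])
        (stg / "explorer.exe").write_bytes(content[src_exp])
        return check_staged(stg, ref)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    # Assumed paths from the thread's instructions; run from an elevated prompt.
    result = check_staged("C:\\", "C:\\WINDOWS\\ERDNT\\cache")
    for name, verdict in result.items():
        print(f"{name}: {verdict}")
    raise SystemExit(0 if all_ok(result) else 1)
```

The script only compares the staged copies to the cache, so it tells you the staging was done correctly, not that the cache itself is clean; the ERDNT copies are whatever ComboFix backed up earlier, and a non-zero exit here means stop and fix the copy commands before touching system32.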


#14 Tomcos

Tomcos

    Member

  • Full Member
  • 17 posts

Posted 12 February 2012 - 01:06 PM

ok here's the latest logs:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-11 16:45:46
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 IC25N080ATMR04-0 rev.MO4OAD4A
Running: sg5o2zg1.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uxtdipod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


ComboFix 12-02-11.03 - Owner 02/11/2012 16:58:55.13.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.450 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\llmraaa.tmp
c:\documents and settings\All Users\Application Data\mlmraaa.tmp
c:\documents and settings\All Users\Application Data\qkjraaa.tmp
c:\documents and settings\All Users\Application Data\tkjraaa.tmp
c:\documents and settings\All Users\Application Data\ukjraaa.tmp
C:\explorer.exe
C:\svchost.exe
c:\windows\system32\svch.dat
c:\windows\system32\winl.dat
C:\winlogon.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 )))))))))))))))))))))))))))))))
.
.
2012-02-11 02:46 . 2008-04-14 00:12 507904 ----a-w- c:\windows\system32\winlogon.exe
2012-02-11 02:41 . 2008-04-14 00:12 1033728 ----a-w- c:\windows\explorer.exe
2012-02-11 02:41 . 2008-04-14 00:12 14336 ----a-w- c:\windows\system32\svchost.exe
2012-02-04 03:18 . 2012-02-04 03:18 -------- d-----w- c:\documents and settings\tomc\Local Settings\Application Data\Identities
2012-01-29 01:19 . 2012-01-29 01:19 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-29 01:12 . 2012-01-29 01:12 237 ----a-w- C:\user.js
2012-01-29 01:12 . 2012-01-29 01:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Babylon
2012-01-29 01:12 . 2012-01-29 01:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Babylon
2012-01-29 01:12 . 2012-01-29 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2012-01-27 15:33 . 2012-01-27 15:40 -------- dc----w- c:\windows\ie8
2012-01-23 00:56 . 2012-01-23 00:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-01-23 00:32 . 2012-01-29 15:46 -------- d-----w- c:\program files\4CE5F
2012-01-15 01:28 . 2012-02-05 05:51 45016 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-15 01:28 . 2012-01-15 01:28 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-15 01:28 . 2012-01-15 01:28 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-15 01:28 . 2012-01-15 01:28 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 20:24 . 2011-08-06 23:50 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57 . 2004-08-26 16:12 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-26 16:12 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-26 16:12 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-18 01:29 . 2011-05-22 13:46 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-16 14:21 . 2004-08-26 16:12 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-26 16:12 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-15 00:47 . 2011-12-27 01:53 408648 ----a-w- c:\windows\system32\dsNcSmartCardProv.dll
2011-11-15 00:47 . 2011-12-27 01:53 363592 ----a-w- c:\windows\system32\dsNcCredProv.dll
2011-11-15 00:43 . 2011-11-15 00:43 225280 ----a-w- c:\windows\system32\dsGinaLoader.dll
2011-11-15 00:14 . 2007-07-16 19:56 26624 ----a-w- c:\windows\system32\drivers\dsNcAdpt.sys
2012-02-05 05:51 . 2011-04-09 05:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10p_ActiveX.exe" [2011-04-21 235168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-06-25 01:06 904768 ----a-w- c:\program files\Seagate\DiscWizard\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2001-09-04 19:31 655360 ----a-w- c:\program files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 15:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-04 03:51 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 18:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
2008-06-25 00:52 1325848 ----a-w- c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverUpdate]
2011-06-01 19:06 26699616 ----a-w- c:\program files\DriverUpdate\DriverUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
2003-12-17 19:51 94208 ----a-w- c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleBackupManager]
c:\documents and settings\All Users\Application Data\GoogleBackupManager.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-07-10 12:13 114688 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2005-01-12 19:54 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 04:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-07-10 12:25 155648 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2009-06-17 16:55 55824 ----a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Last.fm Update]
c:\documents and settings\Owner\Local Settings\Application Data\Apple\AppleUpdate\Appleupdt32.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2003-06-07 11:32 50688 ----a-w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess]
2011-07-22 04:07 718720 ----a-w- c:\program files\Microsoft Office\Office14\MSOSYNC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRESET]
2008-01-17 20:00 45056 ----a-w- c:\program files\Avaya\Avaya IP Softphone\IP Service Provider\pwreset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-13 20:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 03:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Scheduler2 Service]
2008-06-25 00:56 136472 ----a-w- c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StxTrayMenu]
2007-01-18 18:20 190008 ----a-w- c:\program files\Seagate\SystemTray\StxMenuMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
2004-05-27 01:57 139264 ----a-w- c:\program files\Digital Media Reader\shwicon2k.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-28 01:58 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2004-03-27 01:20 499712 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-03-27 01:20 98304 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-06-07 02:41 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]
2010-10-14 14:05 155216 ----a-w- c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSSHD Activation State Checker]
2009-04-04 04:42 216320 ----a-w- c:\program files\Bitvise WinSSHD\WinsshdActStateCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"HCLInetd"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
.
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [1/21/2011 10:38 PM 56208]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [12/11/2008 9:03 PM 10384]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 7:56 PM 431384]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2/2/2009 7:43 PM 131152]
R3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [10/30/2010 10:51 AM 91728]
S0 inmm;inmm;c:\windows\system32\drivers\hmhibmfx.sys --> c:\windows\system32\drivers\hmhibmfx.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/27/2009 12:19 AM 135664]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\Owner\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\Owner\LOCALS~1\Temp\CFcatchme.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/27/2009 12:19 AM 135664]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [6/12/2011 10:15 AM 31125880]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 Pcouffin;Low level access layer for CD devices;c:\windows\system32\Drivers\Pcouffin.sys --> c:\windows\system32\Drivers\Pcouffin.sys [?]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [7/3/2011 9:51 AM 12984]
S4 OracleDBConsoleorl11g;OracleDBConsoleorl11g; [x]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uxtdipod
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 05:19]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 05:19]
.
2005-02-26 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]
.
2005-02-26 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]
.
2012-02-10 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=usertomc&key=008f383dda2eef7bf7ff30a5dda71c06&ts=4223aca1&A=0&B=1104825600000&C=1034751600000&D=0&I=7.NQ4&N=&O=I
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.0.1
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://mymail.bnymellon.net/dwa85W.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ab7w5xtw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
------- File Associations -------
.
vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-11 17:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,b7,0f,68,43,53,7f,44,b0,44,a3,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,b7,0f,68,43,53,7f,44,b0,44,a3,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(840)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2012-02-11 17:17:57
ComboFix-quarantined-files.txt 2012-02-11 22:17
ComboFix2.txt 2012-02-10 15:11
ComboFix3.txt 2012-02-09 02:28
ComboFix4.txt 2012-02-08 02:23
ComboFix5.txt 2012-02-11 21:55
.
Pre-Run: 38,725,586,944 bytes free
Post-Run: 38,813,138,944 bytes free
.
- - End Of File - - 2DFB5D01D91041829F258FBC672A516A


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-10 10:49:26
-----------------------------
10:49:26.796 OS Version: Windows 5.1.2600 Service Pack 3
10:49:26.796 Number of processors: 2 586 0x401
10:49:26.796 ComputerName: TOMLAP UserName: Owner
10:49:27.343 Initialize success
10:52:41.468 AVAST engine defs: 12021000
10:54:21.281 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
10:54:21.281 Disk 0 Vendor: IC25N080ATMR04-0 MO4OAD4A Size: 76319MB BusType: 3
10:54:21.609 Disk 0 MBR read successfully
10:54:21.625 Disk 0 MBR scan
10:54:21.671 Disk 0 Windows XP default MBR code
10:54:21.671 Disk 0 Partition 1 00 0B FAT32 RECOVERY 4298 MB offset 63
10:54:21.687 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 72010 MB offset 8803620
10:54:21.703 Disk 0 scanning sectors +156280320
10:54:21.781 Disk 0 scanning C:\WINDOWS\system32\drivers
10:54:38.187 Service scanning
10:54:39.546 Modules scanning
10:54:47.515 Disk 0 trace - called modules:
10:54:47.546 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
10:54:47.546 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86b85ab8]
10:54:47.562 3 CLASSPNP.SYS[f790ffd7] -> nt!IofCallDriver -> \Device\000000a0[0x86b89e90]
10:54:47.562 5 ACPI.sys[f7806620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86b61940]
10:54:48.265 AVAST engine scan C:\WINDOWS
10:54:53.578 File: C:\WINDOWS\explorer.exe **INFECTED** Win32:Patched-AET [Trj]
10:55:00.765 AVAST engine scan C:\WINDOWS\system32
10:57:04.359 File: C:\WINDOWS\system32\svchost.exe **INFECTED** Win32:Patched-AET [Trj]
10:57:19.921 File: C:\WINDOWS\system32\winlogon.exe **INFECTED** Win32:Patched-AET [Trj]
10:58:57.312 AVAST engine scan C:\WINDOWS\system32\drivers
10:59:21.781 AVAST engine scan C:\Documents and Settings\Owner
11:25:40.015 AVAST engine scan C:\Documents and Settings\All Users
11:28:40.812 Scan finished successfully
11:35:37.703 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\logs\MBR.dat"
11:35:37.703 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\logs\aswMBR.txt"
11:35:50.656 Verifying
11:36:00.656 Disk 0 Windows 501 MBR fixed successfully
11:36:37.937 File "C:\WINDOWS\explorer.exe" has been saved successfully to:
11:36:37.937 "C:\Documents and Settings\Owner\Desktop\logs\copy_explorer.exe"
11:36:44.578 File "C:\WINDOWS\system32\svchost.exe" has been saved successfully to:
11:36:44.578 "C:\Documents and Settings\Owner\Desktop\logs\copy_svchost.exe"
11:36:55.109 File "C:\WINDOWS\system32\winlogon.exe" has been saved successfully to:
11:36:55.109 "C:\Documents and Settings\Owner\Desktop\logs\copy_winlogon.exe"
11:37:25.484 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\logs\MBR.dat"
11:37:25.484 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\logs\aswMBR.txt"
11:37:39.328 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\logs\MBR.dat"
11:37:39.328 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\logs\aswMBR.txt"


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-10 12:23:03
-----------------------------
12:23:03.046 OS Version: Windows 5.1.2600 Service Pack 3
12:23:03.046 Number of processors: 2 586 0x401
12:23:03.046 ComputerName: TOMLAP UserName: Owner
12:23:06.984 Initialize success
12:23:23.531 AVAST engine defs: 12021000
12:23:30.796 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
12:23:30.796 Disk 0 Vendor: IC25N080ATMR04-0 MO4OAD4A Size: 76319MB BusType: 3
12:23:30.906 Disk 0 MBR read successfully
12:23:30.906 Disk 0 MBR scan
12:23:30.953 Disk 0 Windows XP default MBR code
12:23:30.968 Disk 0 Partition 1 00 0B FAT32 RECOVERY 4298 MB offset 63
12:23:31.000 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 72010 MB offset 8803620
12:23:31.031 Disk 0 scanning sectors +156280320
12:23:31.218 Disk 0 scanning C:\WINDOWS\system32\drivers
12:24:19.421 Service scanning
12:24:21.250 Modules scanning
12:25:03.328 Disk 0 trace - called modules:
12:25:03.375 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
12:25:03.375 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86b85ab8]
12:25:03.390 3 CLASSPNP.SYS[f790ffd7] -> nt!IofCallDriver -> \Device\000000a0[0x86b89e90]
12:25:03.390 5 ACPI.sys[f7806620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86b61940]
12:25:04.156 AVAST engine scan C:\
14:26:37.312 File: C:\Qoobox\Quarantine\C\WINDOWS\system32\svchost.exe.vir **INFECTED** Win32:Patched-AET [Trj]
14:26:38.109 File: C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir **INFECTED** Win32:Patched-AET [Trj]
14:26:51.265 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0000043.exe **INFECTED** Win32:Patched-AET [Trj]
14:26:51.562 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0000045.exe **INFECTED** Win32:Patched-AET [Trj]
14:26:53.093 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0001019.exe **INFECTED** Win32:Patched-AET [Trj]
14:27:15.890 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0001142.exe **INFECTED** Win32:Patched-AET [Trj]
14:27:16.140 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0001144.exe **INFECTED** Win32:Patched-AET [Trj]
14:27:32.875 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0001256.exe **INFECTED** Win32:Patched-AET [Trj]
14:27:33.171 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0001258.exe **INFECTED** Win32:Patched-AET [Trj]
14:28:13.390 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP3\A0001522.exe **INFECTED** Win32:Patched-AET [Trj]
14:28:13.640 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP3\A0001524.exe **INFECTED** Win32:Patched-AET [Trj]
14:28:24.515 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP3\A0001604.exe **INFECTED** Win32:Patched-AET [Trj]
14:28:24.640 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP3\A0001605.exe **INFECTED** Win32:Patched-AET [Trj]
14:28:24.906 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP3\A0001606.exe **INFECTED** Win32:Patched-AET [Trj]
14:28:32.609 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0000\tdlfs0000\tsk0001.dta **INFECTED** Win32:DNSChanger-VJ [Trj]
14:28:33.046 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0000\tdlfs0000\tsk0003.dta **INFECTED** Win32:Rootkit-gen [Rtk]
14:28:33.296 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0000\tdlfs0000\tsk0004.dta **INFECTED** MBR:Pihar-C [Rtk]
14:28:33.906 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0000\tdlfs0000\tsk0008.dta **INFECTED** Win32:Alureon-ANW [Rtk]
14:28:34.109 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0000\tdlfs0000\tsk0009.dta **INFECTED** Win32:Alureon-ANW [Rtk]
14:28:35.203 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0001\tdlfs0000\tsk0001.dta **INFECTED** Win32:DNSChanger-VJ [Trj]
14:28:35.640 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0001\tdlfs0000\tsk0003.dta **INFECTED** Win32:Rootkit-gen [Rtk]
14:28:35.875 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0001\tdlfs0000\tsk0004.dta **INFECTED** MBR:Pihar-C [Rtk]
14:28:36.500 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0001\tdlfs0000\tsk0008.dta **INFECTED** Win32:Alureon-ANW [Rtk]
14:28:36.718 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0001\tdlfs0000\tsk0009.dta **INFECTED** Win32:Alureon-ANW [Rtk]
14:28:37.781 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0002\tdlfs0000\tsk0001.dta **INFECTED** Win32:DNSChanger-VJ [Trj]
14:28:38.312 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0002\tdlfs0000\tsk0003.dta **INFECTED** Win32:Rootkit-gen [Rtk]
14:28:38.562 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0002\tdlfs0000\tsk0004.dta **INFECTED** MBR:Pihar-C [Rtk]
14:28:39.187 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0002\tdlfs0000\tsk0008.dta **INFECTED** Win32:Alureon-ANW [Rtk]
14:28:39.375 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0002\tdlfs0000\tsk0009.dta **INFECTED** Win32:Alureon-ANW [Rtk]
14:28:52.296 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0000\tsk0001.dta **INFECTED** Win32:DNSChanger-VJ [Trj]
14:28:52.750 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0000\tsk0003.dta **INFECTED** Win32:Rootkit-gen [Rtk]
14:28:52.984 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0000\tsk0004.dta **INFECTED** MBR:Pihar-C [Rtk]
14:28:53.625 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0000\tsk0008.dta **INFECTED** Win32:Alureon-ANW [Rtk]
14:28:53.828 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0000\tsk0009.dta **INFECTED** Win32:Alureon-ANW [Rtk]
14:28:54.312 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0001\tsk0001.dta **INFECTED** Win32:DNSChanger-VJ [Trj]
14:28:54.765 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0001\tsk0003.dta **INFECTED** Win32:Rootkit-gen [Rtk]
14:28:55.015 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0001\tsk0004.dta **INFECTED** MBR:Pihar-C [Rtk]
14:28:55.656 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0001\tsk0008.dta **INFECTED** Win32:Alureon-ANW [Rtk]
14:28:55.875 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0001\tsk0009.dta **INFECTED** Win32:Alureon-ANW [Rtk]
14:29:05.421 File: C:\TDSSKiller_Quarantine\28.01.2012_20.34.27\tdlfs0000\tsk0001.dta **INFECTED** Win32:DNSChanger-VJ [Trj]
14:29:05.875 File: C:\TDSSKiller_Quarantine\28.01.2012_20.34.27\tdlfs0000\tsk0003.dta **INFECTED** Win32:Rootkit-gen [Rtk]
14:29:06.093 File: C:\TDSSKiller_Quarantine\28.01.2012_20.34.27\tdlfs0000\tsk0004.dta **INFECTED** MBR:Pihar-C [Rtk]
14:29:06.718 File: C:\TDSSKiller_Quarantine\28.01.2012_20.34.27\tdlfs0000\tsk0008.dta **INFECTED** Win32:Alureon-ANW [Rtk]
14:29:06.906 File: C:\TDSSKiller_Quarantine\28.01.2012_20.34.27\tdlfs0000\tsk0009.dta **INFECTED** Win32:Alureon-ANW [Rtk]
14:29:08.140 File: C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\mbr0000\tdlfs0000\tsk0001.dta **INFECTED** Win32:DNSChanger-VJ [Trj]
14:29:08.562 File: C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\mbr0000\tdlfs0000\tsk0003.dta **INFECTED** Win32:Rootkit-gen [Rtk]
14:29:08.796 File: C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\mbr0000\tdlfs0000\tsk0004.dta **INFECTED** MBR:Pihar-C [Rtk]
14:29:09.421 File: C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\mbr0000\tdlfs0000\tsk0008.dta **INFECTED** Win32:Alureon-ANW [Rtk]
14:29:09.625 File: C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\mbr0000\tdlfs0000\tsk0009.dta **INFECTED** Win32:Alureon-ANW [Rtk]
14:29:16.109 File: C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\tdlfs0000\tsk0001.dta **INFECTED** Win32:DNSChanger-VJ [Trj]
14:29:16.562 File: C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\tdlfs0000\tsk0003.dta **INFECTED** Win32:Rootkit-gen [Rtk]
14:29:16.828 File: C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\tdlfs0000\tsk0004.dta **INFECTED** MBR:Pihar-C [Rtk]
14:29:17.406 File: C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\tdlfs0000\tsk0008.dta **INFECTED** Win32:Alureon-ANW [Rtk]
14:29:17.593 File: C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\tdlfs0000\tsk0009.dta **INFECTED** Win32:Alureon-ANW [Rtk]
15:19:57.328 File: C:\WINDOWS\explorer.exe **INFECTED** Win32:Patched-AET [Trj]
16:11:08.765 File: C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\8\3c75ba08-3198664f **INFECTED** Win32:Downloader-MYA [Trj]
16:11:09.250 File: C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\8\3c75ba08-6a2fe298 **INFECTED** Win32:Downloader-MYA [Trj]
16:47:56.375 File: C:\WINDOWS\system32\svchost.exe **INFECTED** Win32:Patched-AET [Trj]
16:49:38.093 File: C:\WINDOWS\system32\winlogon.exe **INFECTED** Win32:Patched-AET [Trj]
16:52:13.468 Scan finished successfully
17:15:16.000 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\logs\MBR.dat"
17:15:16.046 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\logs\aswMBR.txt"


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-12 08:05:45
-----------------------------
08:05:45.093 OS Version: Windows 5.1.2600 Service Pack 3
08:05:45.093 Number of processors: 2 586 0x401
08:05:45.093 ComputerName: TOMLAP UserName: Owner
08:05:47.109 Initialize success
08:06:18.031 AVAST engine defs: 12021101
08:06:27.281 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
08:06:27.281 Disk 0 Vendor: IC25N080ATMR04-0 MO4OAD4A Size: 76319MB BusType: 3
08:06:27.296 Disk 0 MBR read successfully
08:06:27.296 Disk 0 MBR scan
08:06:27.390 Disk 0 Windows XP default MBR code
08:06:27.390 Disk 0 Partition 1 00 0B FAT32 RECOVERY 4298 MB offset 63
08:06:27.406 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 72010 MB offset 8803620
08:06:27.421 Disk 0 scanning sectors +156280320
08:06:27.562 Disk 0 scanning C:\WINDOWS\system32\drivers
08:06:57.031 Service scanning
08:07:00.625 Modules scanning
08:07:16.375 Disk 0 trace - called modules:
08:07:16.421 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
08:07:16.421 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86b72ab8]
08:07:16.421 3 CLASSPNP.SYS[f790ffd7] -> nt!IofCallDriver -> \Device\000000a0[0x86b84030]
08:07:16.437 5 ACPI.sys[f7806620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86bab5c0]
08:07:18.281 AVAST engine scan C:\
10:23:46.250 File: C:\Qoobox\Quarantine\C\WINDOWS\system32\svchost.exe.vir **INFECTED** Win32:Patched-AET [Trj]
10:23:46.828 File: C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir **INFECTED** Win32:Patched-AET [Trj]
10:23:57.546 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0000043.exe **INFECTED** Win32:Patched-AET [Trj]
10:23:57.671 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0000045.exe **INFECTED** Win32:Patched-AET [Trj]
10:24:00.000 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0001019.exe **INFECTED** Win32:Patched-AET [Trj]
10:24:13.343 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0001142.exe **INFECTED** Win32:Patched-AET [Trj]
10:24:13.656 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0001144.exe **INFECTED** Win32:Patched-AET [Trj]
10:24:25.343 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0001256.exe **INFECTED** Win32:Patched-AET [Trj]
10:24:25.437 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0001258.exe **INFECTED** Win32:Patched-AET [Trj]
10:24:45.921 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP3\A0001522.exe **INFECTED** Win32:Patched-AET [Trj]
10:24:46.312 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP3\A0001524.exe **INFECTED** Win32:Patched-AET [Trj]
10:24:54.343 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP3\A0001604.exe **INFECTED** Win32:Patched-AET [Trj]
10:24:54.562 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP3\A0001605.exe **INFECTED** Win32:Patched-AET [Trj]
10:24:55.187 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP3\A0001606.exe **INFECTED** Win32:Patched-AET [Trj]
10:25:16.640 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0000\tdlfs0000\tsk0001.dta **INFECTED** Win32:DNSChanger-VJ [Trj]
10:25:16.781 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0000\tdlfs0000\tsk0003.dta **INFECTED** Win32:Rootkit-gen [Rtk]
10:25:16.859 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0000\tdlfs0000\tsk0004.dta **INFECTED** MBR:Pihar-C [Rtk]
10:25:16.937 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0000\tdlfs0000\tsk0008.dta **INFECTED** Win32:Alureon-ANW [Rtk]
10:25:16.984 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0000\tdlfs0000\tsk0009.dta **INFECTED** Win32:Alureon-ANW [Rtk]
10:25:17.343 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0001\tdlfs0000\tsk0001.dta **INFECTED** Win32:DNSChanger-VJ [Trj]
10:25:17.437 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0001\tdlfs0000\tsk0003.dta **INFECTED** Win32:Rootkit-gen [Rtk]
10:25:17.515 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0001\tdlfs0000\tsk0004.dta **INFECTED** MBR:Pihar-C [Rtk]
10:25:17.593 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0001\tdlfs0000\tsk0008.dta **INFECTED** Win32:Alureon-ANW [Rtk]
10:25:17.640 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0001\tdlfs0000\tsk0009.dta **INFECTED** Win32:Alureon-ANW [Rtk]
10:25:17.890 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0002\tdlfs0000\tsk0001.dta **INFECTED** Win32:DNSChanger-VJ [Trj]
10:25:17.984 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0002\tdlfs0000\tsk0003.dta **INFECTED** Win32:Rootkit-gen [Rtk]
10:25:18.062 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0002\tdlfs0000\tsk0004.dta **INFECTED** MBR:Pihar-C [Rtk]
10:25:18.203 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0002\tdlfs0000\tsk0008.dta **INFECTED** Win32:Alureon-ANW [Rtk]
10:25:18.250 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0002\tdlfs0000\tsk0009.dta **INFECTED** Win32:Alureon-ANW [Rtk]
10:25:21.437 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0000\tsk0001.dta **INFECTED** Win32:DNSChanger-VJ [Trj]
10:25:21.546 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0000\tsk0003.dta **INFECTED** Win32:Rootkit-gen [Rtk]
10:25:21.609 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0000\tsk0004.dta **INFECTED** MBR:Pihar-C [Rtk]
10:25:21.703 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0000\tsk0008.dta **INFECTED** Win32:Alureon-ANW [Rtk]
10:25:21.765 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0000\tsk0009.dta **INFECTED** Win32:Alureon-ANW [Rtk]
10:25:21.906 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0001\tsk0001.dta **INFECTED** Win32:DNSChanger-VJ [Trj]
10:25:22.000 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0001\tsk0003.dta **INFECTED** Win32:Rootkit-gen [Rtk]
10:25:22.078 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0001\tsk0004.dta **INFECTED** MBR:Pihar-C [Rtk]
10:25:22.281 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0001\tsk0008.dta **INFECTED** Win32:Alureon-ANW [Rtk]
10:25:22.375 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0001\tsk0009.dta **INFECTED** Win32:Alureon-ANW [Rtk]
10:25:25.515 File: C:\TDSSKiller_Quarantine\28.01.2012_20.34.27\tdlfs0000\tsk0001.dta **INFECTED** Win32:DNSChanger-VJ [Trj]
10:25:25.687 File: C:\TDSSKiller_Quarantine\28.01.2012_20.34.27\tdlfs0000\tsk0003.dta **INFECTED** Win32:Rootkit-gen [Rtk]
10:25:25.734 File: C:\TDSSKiller_Quarantine\28.01.2012_20.34.27\tdlfs0000\tsk0004.dta **INFECTED** MBR:Pihar-C [Rtk]
10:25:25.812 File: C:\TDSSKiller_Quarantine\28.01.2012_20.34.27\tdlfs0000\tsk0008.dta **INFECTED** Win32:Alureon-ANW [Rtk]
10:25:25.843 File: C:\TDSSKiller_Quarantine\28.01.2012_20.34.27\tdlfs0000\tsk0009.dta **INFECTED** Win32:Alureon-ANW [Rtk]
10:25:26.203 File: C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\mbr0000\tdlfs0000\tsk0001.dta **INFECTED** Win32:DNSChanger-VJ [Trj]
10:25:26.390 File: C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\mbr0000\tdlfs0000\tsk0003.dta **INFECTED** Win32:Rootkit-gen [Rtk]
10:25:26.453 File: C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\mbr0000\tdlfs0000\tsk0004.dta **INFECTED** MBR:Pihar-C [Rtk]
10:25:26.562 File: C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\mbr0000\tdlfs0000\tsk0008.dta **INFECTED** Win32:Alureon-ANW [Rtk]
10:25:26.609 File: C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\mbr0000\tdlfs0000\tsk0009.dta **INFECTED** Win32:Alureon-ANW [Rtk]
10:25:28.937 File: C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\tdlfs0000\tsk0001.dta **INFECTED** Win32:DNSChanger-VJ [Trj]
10:25:29.062 File: C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\tdlfs0000\tsk0003.dta **INFECTED** Win32:Rootkit-gen [Rtk]
10:25:29.234 File: C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\tdlfs0000\tsk0004.dta **INFECTED** MBR:Pihar-C [Rtk]
10:25:29.343 File: C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\tdlfs0000\tsk0008.dta **INFECTED** Win32:Alureon-ANW [Rtk]
10:25:29.406 File: C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\tdlfs0000\tsk0009.dta **INFECTED** Win32:Alureon-ANW [Rtk]
11:11:16.265 File: C:\WINDOWS\explorer.old **INFECTED** Win32:Patched-AET [Trj]
11:43:21.921 File: C:\WINDOWS\svchost.old **INFECTED** Win32:Patched-AET [Trj]
11:45:20.765 File: C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\8\3c75ba08-3198664f **INFECTED** Win32:Downloader-MYA [Trj]
11:45:21.109 File: C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\8\3c75ba08-6a2fe298 **INFECTED** Win32:Downloader-MYA [Trj]
12:25:35.578 File: C:\WINDOWS\winlogon.old **INFECTED** Win32:Patched-AET [Trj]
12:27:09.953 Scan finished successfully
12:56:23.781 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\logs\MBR.dat"
12:56:23.828 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\logs\aswMBR.txt"
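
A triage pass over the aswMBR detections above, added here as an example (it is not code from the thread or from AVAST): it separates hits on live system binaries, which the Patched-AET name says were modified in place and so need a clean replacement rather than deletion, from inert copies sitting in quarantine folders, restore points, .old backups and the Java cache. The sample lines are copied from the log posted above; the category names, folder prefixes and recommended actions are this example's own assumptions.

```python
"""Triage aswMBR '**INFECTED**' lines by where the flagged file lives.

Added example for this thread; it is not code from the posts or from AVAST.
The category names and folder prefixes below are this example's own choices.
"""
import re
from collections import Counter

# One aswMBR detection line looks like:
#   HH:MM:SS.mmm File: <path> **INFECTED** <detection name> [<class>]
INFECTED_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) File: (?P<path>.+?) "
    r"\*\*INFECTED\*\* (?P<name>\S+) \[(?P<cls>\w+)\]$"
)

# Folders holding copies already isolated by ComboFix / TDSSKiller (inert on disk).
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\tdsskiller_quarantine\\")
# Core Windows binaries that a "Patched" detection refers to when modified in place.
CORE_BINARIES = {"explorer.exe", "svchost.exe", "winlogon.exe"}


def parse_line(line):
    """Return the fields of an INFECTED line as a dict, or None for other lines."""
    m = INFECTED_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path, name):
    """Map a detection to (category, defender action) from its path and name."""
    p = path.lower()
    base = p.rsplit("\\", 1)[-1]
    if p.startswith(QUARANTINE_PREFIXES):
        return ("quarantined",
                "already isolated by another tool; purge with that tool's cleanup step")
    if "\\system volume information\\_restore" in p:
        return ("restore-point",
                "inert copy; flush System Restore points once the live system is clean")
    if base.endswith(".old"):
        return ("backup-copy",
                "leftover copy of a replaced binary; delete after the live file checks clean")
    if "\\sun\\java\\deployment\\cache\\" in p:
        return ("java-cache",
                "cached applet; clear the Java cache and update Java")
    if base in CORE_BINARIES and "patched" in name.lower():
        return ("live-patched-system-file",
                "running system binary modified in place; replace from a known-good copy")
    return ("other", "inspect manually")


def triage(log_text):
    """Parse a whole aswMBR log; return (findings, per-category counts)."""
    findings = []
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        category, action = classify(hit["path"], hit["name"])
        findings.append({**hit, "category": category, "action": action})
    return findings, Counter(f["category"] for f in findings)


def files_to_replace(findings):
    """Distinct live system files that still need a clean replacement."""
    return sorted({f["path"] for f in findings
                   if f["category"] == "live-patched-system-file"})


# Sample copied from the aswMBR log posted above (one non-detection line included).
SAMPLE_LOG = r"""
12:25:04.156 AVAST engine scan C:\WINDOWS
14:26:37.312 File: C:\Qoobox\Quarantine\C\WINDOWS\system32\svchost.exe.vir **INFECTED** Win32:Patched-AET [Trj]
14:26:51.265 File: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0000043.exe **INFECTED** Win32:Patched-AET [Trj]
14:28:33.296 File: C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0000\tdlfs0000\tsk0004.dta **INFECTED** MBR:Pihar-C [Rtk]
15:19:57.328 File: C:\WINDOWS\explorer.exe **INFECTED** Win32:Patched-AET [Trj]
16:11:08.765 File: C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\8\3c75ba08-3198664f **INFECTED** Win32:Downloader-MYA [Trj]
16:47:56.375 File: C:\WINDOWS\system32\svchost.exe **INFECTED** Win32:Patched-AET [Trj]
11:11:16.265 File: C:\WINDOWS\explorer.old **INFECTED** Win32:Patched-AET [Trj]
16:52:13.468 Scan finished successfully
"""

if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['category']:<26} {f['name']:<22} {f['path']}")
    print(dict(counts))
    print("replace from clean media:", files_to_replace(found))
```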

#15 The Dark Knight

    Malware Vigilante

  • Trusted Advisor*
  • 2,214 posts

Posted 13 February 2012 - 03:57 PM

Hello Tomcos. :)

How is your computer running at this point in time?


Please delete your current copy of ComboFix. Then, please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

Please include the C:\ComboFix.txt in your next reply for further review.
==========

Next, please run a free online scan with the ESET Online Scanner.
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked.
  • Click Scan.
    Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
==========

In your next post please post the following:
  • ComboFix.txt.
  • log.txt.

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!

If I have helped you please consider donating to help keep this forum running; see this topic for more details.


#16 Tomcos

Tomcos

    Member

  • Full Member
  • 17 posts

Posted 17 February 2012 - 11:52 AM

Hi Black Knight, here's the latest:


ComboFix 12-02-15.01 - Owner 02/15/2012 20:42:42.14.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.647 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-01-16 to 2012-02-16 )))))))))))))))))))))))))))))))
.
.
2012-02-11 02:46 . 2008-04-14 00:12 507904 ----a-w- c:\windows\system32\winlogon.exe
2012-02-11 02:41 . 2008-04-14 00:12 1033728 ----a-w- c:\windows\explorer.exe
2012-02-11 02:41 . 2008-04-14 00:12 14336 ----a-w- c:\windows\system32\svchost.exe
2012-02-04 03:18 . 2012-02-04 03:18 -------- d-----w- c:\documents and settings\tomc\Local Settings\Application Data\Identities
2012-01-29 01:19 . 2012-01-29 01:19 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-29 01:12 . 2012-01-29 01:12 237 ----a-w- C:\user.js
2012-01-29 01:12 . 2012-01-29 01:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Babylon
2012-01-29 01:12 . 2012-01-29 01:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Babylon
2012-01-29 01:12 . 2012-01-29 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2012-01-27 15:33 . 2012-01-27 15:40 -------- dc----w- c:\windows\ie8
2012-01-23 00:56 . 2012-01-23 00:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-01-23 00:32 . 2012-01-29 15:46 -------- d-----w- c:\program files\4CE5F
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 20:24 . 2011-08-06 23:50 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57 . 2004-08-26 16:12 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-26 16:12 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-26 16:12 60416 ----a-w- c:\windows\system32\packager.exe
2012-02-05 05:51 . 2011-04-09 05:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10p_ActiveX.exe" [2011-04-21 235168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-06-25 01:06 904768 ----a-w- c:\program files\Seagate\DiscWizard\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2001-09-04 19:31 655360 ----a-w- c:\program files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 15:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-04 03:51 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 18:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
2008-06-25 00:52 1325848 ----a-w- c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverUpdate]
2011-06-01 19:06 26699616 ----a-w- c:\program files\DriverUpdate\DriverUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
2003-12-17 19:51 94208 ----a-w- c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleBackupManager]
c:\documents and settings\All Users\Application Data\GoogleBackupManager.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-07-10 12:13 114688 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2005-01-12 19:54 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 04:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-07-10 12:25 155648 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2009-06-17 16:55 55824 ----a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Last.fm Update]
c:\documents and settings\Owner\Local Settings\Application Data\Apple\AppleUpdate\Appleupdt32.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2003-06-07 11:32 50688 ----a-w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess]
2011-07-22 04:07 718720 ----a-w- c:\program files\Microsoft Office\Office14\MSOSYNC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRESET]
2008-01-17 20:00 45056 ----a-w- c:\program files\Avaya\Avaya IP Softphone\IP Service Provider\pwreset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-13 20:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 03:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Scheduler2 Service]
2008-06-25 00:56 136472 ----a-w- c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StxTrayMenu]
2007-01-18 18:20 190008 ----a-w- c:\program files\Seagate\SystemTray\StxMenuMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
2004-05-27 01:57 139264 ----a-w- c:\program files\Digital Media Reader\shwicon2k.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-28 01:58 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2004-03-27 01:20 499712 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-03-27 01:20 98304 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-06-07 02:41 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]
2010-10-14 14:05 155216 ----a-w- c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSSHD Activation State Checker]
2009-04-04 04:42 216320 ----a-w- c:\program files\Bitvise WinSSHD\WinsshdActStateCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"HCLInetd"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
.
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [1/21/2011 10:38 PM 56208]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [12/11/2008 9:03 PM 10384]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 7:56 PM 431384]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2/2/2009 7:43 PM 131152]
R3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [10/30/2010 10:51 AM 91728]
S0 inmm;inmm;c:\windows\system32\drivers\hmhibmfx.sys --> c:\windows\system32\drivers\hmhibmfx.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/27/2009 12:19 AM 135664]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\Owner\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\Owner\LOCALS~1\Temp\CFcatchme.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/27/2009 12:19 AM 135664]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [6/12/2011 10:15 AM 31125880]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 Pcouffin;Low level access layer for CD devices;c:\windows\system32\Drivers\Pcouffin.sys --> c:\windows\system32\Drivers\Pcouffin.sys [?]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [7/3/2011 9:51 AM 12984]
S4 OracleDBConsoleorl11g;OracleDBConsoleorl11g; [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 05:19]
.
2012-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 05:19]
.
2005-02-26 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]
.
2005-02-26 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]
.
2012-02-10 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=usertomc&key=008f383dda2eef7bf7ff30a5dda71c06&ts=4223aca1&A=0&B=1104825600000&C=1034751600000&D=0&I=7.NQ4&N=&O=I
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.0.1
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://mymail.bnymellon.net/dwa85W.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ab7w5xtw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
------- File Associations -------
.
vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-15 20:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,b7,0f,68,43,53,7f,44,b0,44,a3,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,b7,0f,68,43,53,7f,44,b0,44,a3,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(984)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(1628)
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2012-02-15 21:05:53
ComboFix-quarantined-files.txt 2012-02-16 02:05
ComboFix2.txt 2012-02-10 15:11
ComboFix3.txt 2012-02-09 02:28
ComboFix4.txt 2012-02-08 02:23
ComboFix5.txt 2012-02-11 21:55
.
Pre-Run: 38,664,597,504 bytes free
Post-Run: 38,756,528,128 bytes free
.
- - End Of File - - 9750544ADE248C6C691979160C6906B7


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=35ad3c847e51d049925235e1a16bff9f
# end=stopped
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2012-02-16 02:43:36
# local_time=2012-02-15 09:43:36 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 7719234 7719234 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=34543
# found=0
# cleaned=0
# scan_time=1352
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=35ad3c847e51d049925235e1a16bff9f
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2012-02-17 03:37:29
# local_time=2012-02-17 10:37:29 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 7845012 7845012 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=143000
# found=79
# cleaned=0
# scan_time=8407
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\edbepclmgkcchoapednghcgklhajpmnp\contentscript.js Win32/TrojanDownloader.Tracur.F trojan 7A80CA1F2F61D750111E1DEF3BFBF490 I
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\igciaaomihcifpgkmjhecapdeadloddj\contentscript.js Win32/TrojanDownloader.Tracur.F trojan 82DE340F497D8F291F8AD5C091FBA59F I
C:\Documents and Settings\Owner\My Documents\Downloads\cnet_IDTv087_zip.exe a variant of Win32/InstallCore.D application 0F9DA2393D417158413C836016DAA6A5 I
C:\Documents and Settings\Owner\My Documents\Downloads\cnet_InstallFreeRARExtractFrog_exe.exe a variant of Win32/InstallCore.D application 68EFCC574EECF1F28BB4760EAAE588D0 I
C:\Documents and Settings\tomc\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\edbepclmgkcchoapednghcgklhajpmnp\contentscript.js Win32/TrojanDownloader.Tracur.F trojan 7A80CA1F2F61D750111E1DEF3BFBF490 I
C:\Documents and Settings\tomc\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\igciaaomihcifpgkmjhecapdeadloddj\contentscript.js Win32/TrojanDownloader.Tracur.F trojan 82DE340F497D8F291F8AD5C091FBA59F I
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ab7w5xtw.default\extensions\{442a3b1d-9ad2-4463-9eae-3692b330985f}\chrome\xulcache.jar.vir JS/Agent.NDO trojan 10BCFC787938FAA3344AE79F31D31192 I
C:\Qoobox\Quarantine\C\Documents and Settings\tomc\Application Data\Mozilla\Firefox\Profiles\igtmo5ra.default\extensions\{442a3b1d-9ad2-4463-9eae-3692b330985f}\chrome\xulcache.jar.vir JS/Agent.NDO trojan 10BCFC787938FAA3344AE79F31D31192 I
C:\Qoobox\Quarantine\C\Documents and Settings\tomc\Application Data\Mozilla\Firefox\Profiles\igtmo5ra.default\extensions\{75e3d351-1e3a-43a6-9b7c-46f353ab8ae5}\chrome\xulcache.jar.vir JS/Agent.NDO trojan 10BCFC787938FAA3344AE79F31D31192 I
C:\Qoobox\Quarantine\C\Documents and Settings\tomc\Application Data\Mozilla\Firefox\Profiles\igtmo5ra.default\extensions\{75e3d351-1e3a-43a6-9b7c-46f353ab8ae5}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan 87140DDDAE1EC77B149C5E9FA04278C8 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\a182fc26fbe3d24f.sys.vir a variant of Win32/Rootkit.Kryptik.HT trojan 2BFB754276FF44A1C11ED231F22F3B04 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\svchost.exe.vir Win32/Patched.NBG.Gen trojan AF42C56D9426626107DB30A50EB923C8 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir Win32/Patched.NBG.Gen trojan 1BFF879A92D2C4CB6605EEF54DDA3438 I
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0000043.exe Win32/Patched.NBG.Gen trojan 1BFF879A92D2C4CB6605EEF54DDA3438 I
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0000045.exe Win32/Patched.NBG.Gen trojan AF42C56D9426626107DB30A50EB923C8 I
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0001018.sys a variant of Win32/Rootkit.Kryptik.HT trojan 2BFB754276FF44A1C11ED231F22F3B04 I
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0001019.exe Win32/Patched.NBG.Gen trojan 1BFF879A92D2C4CB6605EEF54DDA3438 I
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0001142.exe Win32/Patched.NBG.Gen trojan 1BFF879A92D2C4CB6605EEF54DDA3438 I
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0001144.exe Win32/Patched.NBG.Gen trojan AF42C56D9426626107DB30A50EB923C8 I
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0001256.exe Win32/Patched.NBG.Gen trojan 1BFF879A92D2C4CB6605EEF54DDA3438 I
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0001258.exe Win32/Patched.NBG.Gen trojan AF42C56D9426626107DB30A50EB923C8 I
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP3\A0001522.exe Win32/Patched.NBG.Gen trojan 1BFF879A92D2C4CB6605EEF54DDA3438 I
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP3\A0001524.exe Win32/Patched.NBG.Gen trojan AF42C56D9426626107DB30A50EB923C8 I
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP3\A0001604.exe Win32/Patched.NBG.Gen trojan A435B2C1EEAE3953D633730FD5E27C30 I
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP3\A0001605.exe Win32/Patched.NBG.Gen trojan AF42C56D9426626107DB30A50EB923C8 I
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP3\A0001606.exe Win32/Patched.NBG.Gen trojan 1BFF879A92D2C4CB6605EEF54DDA3438 I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0000\tdlfs0000\tsk0001.dta Win32/Olmarik.AWO trojan B1C665B394B66165562A1D6B79319FB3 I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AD trojan F233AEABECAFAB7FB66CF7DEE832A6A1 I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0000\tdlfs0000\tsk0003.dta Win32/Olmarik.AWO trojan A5F790EE9BC044A67E90C8A677633873 I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0000\tdlfs0000\tsk0004.dta Win64/Olmarik.AC trojan F375DC0EC25528579673A64F5B8EAF9D I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0000\tdlfs0000\tsk0008.dta Win32/Olmarik.AWO trojan 6B46484C227D8BEFA04C7A8F5A07399D I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0000\tdlfs0000\tsk0009.dta Win64/Olmarik.X trojan 3E345F65F914F8C0B7141ED3A0EE4B3E I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0001\tdlfs0000\tsk0001.dta Win32/Olmarik.AWO trojan B1C665B394B66165562A1D6B79319FB3 I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0001\tdlfs0000\tsk0002.dta Win64/Olmarik.AD trojan F233AEABECAFAB7FB66CF7DEE832A6A1 I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0001\tdlfs0000\tsk0003.dta Win32/Olmarik.AWO trojan A5F790EE9BC044A67E90C8A677633873 I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0001\tdlfs0000\tsk0004.dta Win64/Olmarik.AC trojan F375DC0EC25528579673A64F5B8EAF9D I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0001\tdlfs0000\tsk0008.dta Win32/Olmarik.AWO trojan 6B46484C227D8BEFA04C7A8F5A07399D I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0001\tdlfs0000\tsk0009.dta Win64/Olmarik.X trojan 3E345F65F914F8C0B7141ED3A0EE4B3E I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0002\tdlfs0000\tsk0001.dta Win32/Olmarik.AWO trojan B1C665B394B66165562A1D6B79319FB3 I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0002\tdlfs0000\tsk0002.dta Win64/Olmarik.AD trojan F233AEABECAFAB7FB66CF7DEE832A6A1 I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0002\tdlfs0000\tsk0003.dta Win32/Olmarik.AWO trojan A5F790EE9BC044A67E90C8A677633873 I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0002\tdlfs0000\tsk0004.dta Win64/Olmarik.AC trojan F375DC0EC25528579673A64F5B8EAF9D I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0002\tdlfs0000\tsk0008.dta Win32/Olmarik.AWO trojan 6B46484C227D8BEFA04C7A8F5A07399D I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\mbr0002\tdlfs0000\tsk0009.dta Win64/Olmarik.X trojan 3E345F65F914F8C0B7141ED3A0EE4B3E I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0000\tsk0001.dta Win32/Olmarik.AWO trojan B1C665B394B66165562A1D6B79319FB3 I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0000\tsk0002.dta Win64/Olmarik.AD trojan F233AEABECAFAB7FB66CF7DEE832A6A1 I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0000\tsk0003.dta Win32/Olmarik.AWO trojan A5F790EE9BC044A67E90C8A677633873 I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0000\tsk0004.dta Win64/Olmarik.AC trojan F375DC0EC25528579673A64F5B8EAF9D I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0000\tsk0008.dta Win32/Olmarik.AWO trojan 6B46484C227D8BEFA04C7A8F5A07399D I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0000\tsk0009.dta Win64/Olmarik.X trojan 3E345F65F914F8C0B7141ED3A0EE4B3E I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0001\tsk0001.dta Win32/Olmarik.AWO trojan B1C665B394B66165562A1D6B79319FB3 I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0001\tsk0002.dta Win64/Olmarik.AD trojan F233AEABECAFAB7FB66CF7DEE832A6A1 I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0001\tsk0003.dta Win32/Olmarik.AWO trojan A5F790EE9BC044A67E90C8A677633873 I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0001\tsk0004.dta Win64/Olmarik.AC trojan F375DC0EC25528579673A64F5B8EAF9D I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0001\tsk0008.dta Win32/Olmarik.AWO trojan 6B46484C227D8BEFA04C7A8F5A07399D I
C:\TDSSKiller_Quarantine\28.01.2012_20.14.18\tdlfs0001\tsk0009.dta Win64/Olmarik.X trojan 3E345F65F914F8C0B7141ED3A0EE4B3E I
C:\TDSSKiller_Quarantine\28.01.2012_20.34.27\tdlfs0000\tsk0001.dta Win32/Olmarik.AWO trojan B1C665B394B66165562A1D6B79319FB3 I
C:\TDSSKiller_Quarantine\28.01.2012_20.34.27\tdlfs0000\tsk0002.dta Win64/Olmarik.AD trojan F233AEABECAFAB7FB66CF7DEE832A6A1 I
C:\TDSSKiller_Quarantine\28.01.2012_20.34.27\tdlfs0000\tsk0003.dta Win32/Olmarik.AWO trojan A5F790EE9BC044A67E90C8A677633873 I
C:\TDSSKiller_Quarantine\28.01.2012_20.34.27\tdlfs0000\tsk0004.dta Win64/Olmarik.AC trojan F375DC0EC25528579673A64F5B8EAF9D I
C:\TDSSKiller_Quarantine\28.01.2012_20.34.27\tdlfs0000\tsk0008.dta Win32/Olmarik.AWO trojan 6B46484C227D8BEFA04C7A8F5A07399D I
C:\TDSSKiller_Quarantine\28.01.2012_20.34.27\tdlfs0000\tsk0009.dta Win64/Olmarik.X trojan 3E345F65F914F8C0B7141ED3A0EE4B3E I
C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\mbr0000\tdlfs0000\tsk0001.dta Win32/Olmarik.AWO trojan B1C665B394B66165562A1D6B79319FB3 I
C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AD trojan F233AEABECAFAB7FB66CF7DEE832A6A1 I
C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\mbr0000\tdlfs0000\tsk0003.dta Win32/Olmarik.AWO trojan A5F790EE9BC044A67E90C8A677633873 I
C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\mbr0000\tdlfs0000\tsk0004.dta Win64/Olmarik.AC trojan F375DC0EC25528579673A64F5B8EAF9D I
C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\mbr0000\tdlfs0000\tsk0008.dta Win32/Olmarik.AWO trojan 6B46484C227D8BEFA04C7A8F5A07399D I
C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\mbr0000\tdlfs0000\tsk0009.dta Win64/Olmarik.X trojan 3E345F65F914F8C0B7141ED3A0EE4B3E I
C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\tdlfs0000\tsk0001.dta Win32/Olmarik.AWO trojan B1C665B394B66165562A1D6B79319FB3 I
C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\tdlfs0000\tsk0002.dta Win64/Olmarik.AD trojan F233AEABECAFAB7FB66CF7DEE832A6A1 I
C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\tdlfs0000\tsk0003.dta Win32/Olmarik.AWO trojan A5F790EE9BC044A67E90C8A677633873 I
C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\tdlfs0000\tsk0004.dta Win64/Olmarik.AC trojan F375DC0EC25528579673A64F5B8EAF9D I
C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\tdlfs0000\tsk0008.dta Win32/Olmarik.AWO trojan 6B46484C227D8BEFA04C7A8F5A07399D I
C:\TDSSKiller_Quarantine\28.01.2012_20.43.45\tdlfs0000\tsk0009.dta Win64/Olmarik.X trojan 3E345F65F914F8C0B7141ED3A0EE4B3E I
C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\8\3c75ba08-3198664f a variant of Win32/Kryptik.AAJL trojan BBBCDCA752308E10C0045F602AC99AF8 I
C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\8\3c75ba08-6a2fe298 a variant of Win32/Kryptik.AAJL trojan BBBCDCA752308E10C0045F602AC99AF8 I
C:\WINDOWS\explorer.old Win32/Patched.NBG.Gen trojan A435B2C1EEAE3953D633730FD5E27C30 I
C:\WINDOWS\svchost.old Win32/Patched.NBG.Gen trojan AF42C56D9426626107DB30A50EB923C8 I
C:\WINDOWS\winlogon.old Win32/Patched.NBG.Gen trojan 1BFF879A92D2C4CB6605EEF54DDA3438 I

#17 The Dark Knight

The Dark Knight

    Malware Vigilante

  • Trusted Advisor*
  • 2,214 posts

Posted 19 February 2012 - 06:23 AM

Hello Tomcos. :)

Please navigate to these files (in bold) and delete them if present:

C:\Documents and Settings\Owner\My Documents\Downloads\cnet_IDTv087_zip.exe
C:\Documents and Settings\Owner\My Documents\Downloads\cnet_InstallFreeRARExtractFrog_exe.exe


Your logs seem pretty good other than that. Have the problems gone away?



#18 Tomcos

Tomcos

    Member

  • Full Member
  • 17 posts

Posted 19 February 2012 - 11:45 AM

Thanks Black Knight,
The computer is running well. I'm just getting the errors below during start-up in Event Viewer.

Source: Workstation
Could not load RDR device driver
Source: Service Control Manager
The Workstation service terminated with service-specific error 2250
Source: Workstation Control Manager
The Computer Browser Service depends on The Workstation service
which failed to start because of the following error:
EventID 7001

I did a little research, and this problem seems to relate to the file mrxsmb.sys. I ran a search on my computer and I see the file was located in several different areas. One thing that caught my eye was: Service_mrxsmb.reg C:\Qoobox\Quarantine\Registry_backups
I was wondering if this is related to my issue on the service not starting. Thanks...

#19 The Dark Knight

The Dark Knight

    Malware Vigilante

  • Trusted Advisor*
  • 2,214 posts

Posted 20 February 2012 - 02:50 AM

Hey Tomcos. :)

Absolutely splendid to hear your computer is running fine. :thumbup:

The infection may have damaged the file so let's see if we can find a good copy.

Please download to your Desktop SystemLook by jpshortstuff from here or here.
Double-click SystemLook.exe and copy and paste the content of the following codebox (starting with :filefind) into the main textfield and click the Look button to start the scan:


:filefind
mrxsmb.sys



When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt.



#21 Tomcos

Tomcos

    Member

  • Full Member
  • 17 posts

Posted 20 February 2012 - 12:01 PM


SystemLook 30.07.11 by jpshortstuff
Log created at 11:49 on 20/02/2012 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "mrxsmb.sys"
C:\WINDOWS\$hf_mig$\KB2511455\SP3QFE\mrxsmb.sys --a---- 457472 bytes [02:50 07/05/2011] [13:19 17/02/2011] FB7DFD15D760AD339837A470F0E780D3
C:\WINDOWS\$hf_mig$\KB2536276\SP3QFE\mrxsmb.sys --a---- 457856 bytes [00:18 17/06/2011] [16:47 29/04/2011] 8DD801E28EB76FDA2A38907882A0036F
C:\WINDOWS\$hf_mig$\KB2536276-v2\SP3QFE\mrxsmb.sys --a---- 457856 bytes [00:58 11/08/2011] [13:29 15/07/2011] FB2FCCC70F7174C7BF64F48E96D3ADF4
C:\WINDOWS\$hf_mig$\KB885250\SP2QFE\mrxsmb.sys --a---- 451584 bytes [03:51 19/01/2005] [03:51 19/01/2005] 7B195060FF456FA65954C72C5C1640FF
C:\WINDOWS\$hf_mig$\KB885835\SP2QFE\mrxsmb.sys --a---- 448128 bytes [01:15 28/10/2004] [01:15 28/10/2004] A1BE3CB080DCC0A8270D21E3CA3B7005
C:\WINDOWS\$hf_mig$\KB914389\SP2QFE\mrxsmb.sys --a---- 454400 bytes [10:16 05/05/2006] [10:16 05/05/2006] 7412CE77C6FD823F8889B4DF420C680B
C:\WINDOWS\$hf_mig$\KB957097\SP3QFE\mrxsmb.sys --a---- 455936 bytes [01:31 12/11/2008] [11:41 24/10/2008] 7170AB42B51954DEF2781A4D1CCE65F4
C:\WINDOWS\$hf_mig$\KB978251\SP3QFE\mrxsmb.sys --a---- 456832 bytes [00:43 12/02/2010] [17:25 04/12/2009] 602549D1E8A622E5746991F6C56B21CA
C:\WINDOWS\$hf_mig$\KB980232\SP3QFE\mrxsmb.sys --a---- 457216 bytes [00:30 15/04/2010] [11:57 24/02/2010] D09B9F0B9960DD41E73127B7814C115F
C:\WINDOWS\$NtServicePackUninstall$\mrxsmb.sys -----c- 453120 bytes [03:51 06/09/2008] [09:41 05/05/2006] 025AF03CE51645C62F3B6907A7E2BE5E
C:\WINDOWS\$NtUninstallKB2511455$\mrxsmb.sys -----c- 455680 bytes [03:01 07/05/2011] [13:11 24/02/2010] F3AEFB11ABC521122B67095044169E98
C:\WINDOWS\$NtUninstallKB2536276$\mrxsmb.sys -----c- 455936 bytes [01:45 17/06/2011] [13:18 17/02/2011] 0EA4D8ED179B75F8AFA7998BA22285CA
C:\WINDOWS\$NtUninstallKB2536276-v2$\mrxsmb.sys -----c- 456320 bytes [01:37 11/08/2011] [16:19 29/04/2011] 0DC719E9B15E902346E87E9DCD5751FA
C:\WINDOWS\$NtUninstallKB885250$\mrxsmb.sys -----c- 451456 bytes [14:05 06/03/2005] [19:00 04/08/2004] 1FD607FC67F7F7C633C3DA65BFC53D18
C:\WINDOWS\$NtUninstallKB914389$\mrxsmb.sys -----c- 451584 bytes [00:56 15/06/2006] [04:26 19/01/2005] 5DDC9A1B2EB5A4BF010CE8C019A18C1F
C:\WINDOWS\$NtUninstallKB957097$\mrxsmb.sys -----c- 456576 bytes [02:20 12/11/2008] [19:17 13/04/2008] 68755F0FF16070178B54674FE5B847B0
C:\WINDOWS\$NtUninstallKB978251$\mrxsmb.sys -----c- 455296 bytes [03:56 12/02/2010] [11:21 24/10/2008] 60AE98742484E7AB80C3C1450E708148
C:\WINDOWS\$NtUninstallKB980232$\mrxsmb.sys -----c- 455424 bytes [00:51 15/04/2010] [18:22 04/12/2009] 421F7B922CEC5A5F340E7574A98F7B7C
C:\WINDOWS\Driver Cache\i386\mrxsmb.sys ------- 456320 bytes [01:31 12/11/2008] [13:29 15/07/2011] 7D304A5EB4344EBEEAB53A2FE3FFB9F0
C:\WINDOWS\ServicePackFiles\i386\mrxsmb.sys ------- 456576 bytes [00:49 20/08/2008] [19:17 13/04/2008] 68755F0FF16070178B54674FE5B847B0
C:\WINDOWS\system32\dllcache\mrxsmb.sys --a--c- 456320 bytes [16:12 26/08/2004] [13:29 15/07/2011] 7D304A5EB4344EBEEAB53A2FE3FFB9F0
C:\WINDOWS\system32\drivers\mrxsmb.sys --a---- 456320 bytes [16:12 26/08/2004] [13:29 15/07/2011] 7D304A5EB4344EBEEAB53A2FE3FFB9F0

-= EOF =-
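The SystemLook log above lists every copy of mrxsmb.sys with its size, timestamps and MD5, and the decision of which copy to trust is made by comparing those hashes. The script below is an added example (not part of the thread and not SystemLook's own code) that parses the ":filefind" line format shown in the log, groups the copies by MD5, and reports whether the live driver in system32\drivers has the same hash as its Windows File Protection backups in system32\dllcache and Driver Cache. The sample input is a constructed subset of the lines from the log above; the path constants are taken from the same log. On this input the live copy, dllcache and Driver Cache all share one hash, while ServicePackFiles\i386 holds a different, smaller build, which is the copy the next post uses as the replacement source.

```python
"""Parse SystemLook ':filefind' output and compare the copies of one file by MD5."""
import re
from collections import defaultdict

# Constructed sample: a subset of the mrxsmb.sys lines from the SystemLook log in this thread.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "mrxsmb.sys"
C:\WINDOWS\$hf_mig$\KB2536276-v2\SP3QFE\mrxsmb.sys --a---- 457856 bytes [00:58 11/08/2011] [13:29 15/07/2011] FB2FCCC70F7174C7BF64F48E96D3ADF4
C:\WINDOWS\$NtUninstallKB2536276-v2$\mrxsmb.sys -----c- 456320 bytes [01:37 11/08/2011] [16:19 29/04/2011] 0DC719E9B15E902346E87E9DCD5751FA
C:\WINDOWS\Driver Cache\i386\mrxsmb.sys ------- 456320 bytes [01:31 12/11/2008] [13:29 15/07/2011] 7D304A5EB4344EBEEAB53A2FE3FFB9F0
C:\WINDOWS\ServicePackFiles\i386\mrxsmb.sys ------- 456576 bytes [00:49 20/08/2008] [19:17 13/04/2008] 68755F0FF16070178B54674FE5B847B0
C:\WINDOWS\system32\dllcache\mrxsmb.sys --a--c- 456320 bytes [16:12 26/08/2004] [13:29 15/07/2011] 7D304A5EB4344EBEEAB53A2FE3FFB9F0
C:\WINDOWS\system32\drivers\mrxsmb.sys --a---- 456320 bytes [16:12 26/08/2004] [13:29 15/07/2011] 7D304A5EB4344EBEEAB53A2FE3FFB9F0

-= EOF =-
"""

# Paths as they appear in the log above: the driver Windows actually loads, and the
# two Windows File Protection backup locations it is normally restored from.
LIVE_DRIVER = r"C:\WINDOWS\system32\drivers\mrxsmb.sys"
WFP_CACHE = [
    r"C:\WINDOWS\system32\dllcache\mrxsmb.sys",
    r"C:\WINDOWS\Driver Cache\i386\mrxsmb.sys",
]

# One filefind result line: <path> <7 attribute flags> <size> bytes [created] [modified] <MD5>.
# The path may contain spaces ("Driver Cache"), so it is matched lazily and the
# fixed-width attribute field anchors the rest of the line.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Return one dict per result line; header, search and EOF lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({
                "path": m["path"],
                "attrs": m["attrs"],
                "size": int(m["size"]),
                "created": m["created"],
                "modified": m["modified"],
                "md5": m["md5"].upper(),
            })
    return entries


def group_by_md5(entries):
    """Map each MD5 to the list of paths holding that exact build of the file."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def check_live_copy(entries, live_path, cache_paths):
    """Compare the live file's hash with its WFP backup copies.

    A live copy that matches its backups has not been replaced independently of
    them; it does not by itself prove the file is clean, since anything running
    as an administrator can overwrite the backups too. Matching a hash from a
    known-good source (an installation CD or service pack cabinet) is the
    stronger check.
    """
    by_path = {e["path"].lower(): e for e in entries}
    live = by_path.get(live_path.lower())
    if live is None:
        return {"status": "missing", "live_md5": None, "matches": []}
    matches = [p for p in cache_paths
               if by_path.get(p.lower(), {}).get("md5") == live["md5"]]
    status = "matches_cache" if matches else "differs_from_cache"
    return {"status": status, "live_md5": live["md5"], "matches": matches}


if __name__ == "__main__":
    ents = parse_filefind(SAMPLE_LOG)
    for md5, paths in group_by_md5(ents).items():
        print(md5, f"({len(paths)} copies)")
        for p in paths:
            print("   ", p)
    print(check_live_copy(ents, LIVE_DRIVER, WFP_CACHE))
```

The grouping is what makes a log like this readable: copies that share a hash are byte-identical, so a live driver that matches dllcache and Driver Cache will simply be put back by File Protection if it is replaced from the dllcache copy, which is why a replacement has to come from a copy with a different, trusted hash.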

#22 The Dark Knight

The Dark Knight

    Malware Vigilante

  • Trusted Advisor*
  • 2,214 posts

Posted 21 February 2012 - 09:47 PM

Hey Tomcos. :)

Please go to Start>Run>write cmd and click OK...

In the command prompt write (or copy and right-click paste):

copy C:\WINDOWS\ServicePackFiles\i386\mrxsmb.sys c:\mrxsmb.sys

Then click Enter.

Close the command prompt and ensure this file has been created:

c:\mrxsmb.sys

If yes, please start the Recovery Console.

Once in the Recovery Console, please execute the following commands (watch the spaces) in bold - click Enter after every one of them:

ren C:\WINDOWS\system32\dllcache\mrxsmb.sys mrxsmb.sys.old
copy c:\mrxsmb.sys C:\WINDOWS\system32\dllcache\mrxsmb.sys
ren C:\WINDOWS\system32\drivers\mrxsmb.sys mrxsmb.sys.old
copy c:\mrxsmb.sys C:\WINDOWS\system32\drivers\mrxsmb.sys
exit


It should reboot automatically - boot into Normal Mode.

Please see if the error continues to appear after you have tried this and let me know if you see any change. :thumbup:



#23 Tomcos

Tomcos

    Member

  • Full Member
  • 17 posts

Posted 22 February 2012 - 09:10 PM


I tried, it came up with the same errors?

#24 The Dark Knight

The Dark Knight

    Malware Vigilante

  • Trusted Advisor*
  • 2,214 posts

Posted 24 February 2012 - 07:53 AM

Howdy Tomcos. :)

Please give these steps a shot. :thumbup:


Please go to the following Microsoft article and follow their instructions:

http://support.micro...b;en-us;Q197157
==========

Next, please visit the site below to run the System File Checker:

http://www.bleepingc...topic43051.html
==========

Please let me know if you see any improvement. :thumbup:



#25 Tomcos

Tomcos

    Member

  • Full Member
  • 17 posts

Posted 24 February 2012 - 10:35 PM

Hi Black Knight,

I ran the SFC scan and it didn't find anything.

As far as the microsoft instructions, I can't seem to locate where these binding settings are located.


To resolve this issue, disable the NetBEUI protocol that is bound to one of the network adapters. To do this:

Click Start, point to Settings, click Control Panel, and then double- click Network.
Click the Bindings tab, and then click All Adapters in the Show Bindings For box.
Click the plus sign next to the second network adapter.
Click NetBEUI Protocol, and then click Disable.

Click Close, and then restart the computer.


#26 The Dark Knight

The Dark Knight

    Malware Vigilante

  • Trusted Advisor*
  • 2,214 posts

Posted 26 February 2012 - 06:14 AM

Hi Tomcos. :)

Please stop quoting my posts. I missed your previous post because it was concealed in a quote. I also do not need to see my previous post in your post.


Please follow these instructions instead:

http://www.outpostfi...php/t-3976.html


Please let me know how it goes. :thumbup:



#27 Tomcos

Tomcos

    Member

  • Full Member
  • 17 posts

Posted 26 February 2012 - 10:51 AM

Sorry for the return Posts,
I followed the last set of instructions, but I'm still getting the same startup messages?

#28 The Dark Knight

The Dark Knight

    Malware Vigilante

  • Trusted Advisor*
  • 2,214 posts

Posted 27 February 2012 - 10:05 PM

Hey Tomcos. :)

Please follow the steps in the link below carefully and see if the errors disappear:

http://www.jasonhart...server-and.html



#29 Tomcos

Tomcos

    Member

  • Full Member
  • 17 posts

Posted 03 March 2012 - 11:21 AM

Hi Dark Knight,
I read the article in your last post, and I have those Reg Values already defined.
I think my problem is that the client for microsoft networks is not installed on my
Local Area Connection, nor is File and Printer sharing (unchecked box).
The problem is I don't know how to go about installing it, when I click
on ADD then install, it doesn't find what I need. I even loaded the installation disk
to try to get it from there, but I don't know what the file is named? Any suggestions. Thanks

#30 The Dark Knight

The Dark Knight

    Malware Vigilante

  • Trusted Advisor*
  • 2,214 posts

Posted 04 March 2012 - 07:20 AM

Hey Tomcos. :)

At this point I do not think I can help you any further, as I am unfamiliar with this sort of issue. I recommend going to BleepingComputer as they will be better equipped to handle your request.
==========

A little housekeeping to uninstall ComboFix:

Please click Start>Run and copy/paste the following text, including the space between "ComboFix" and "/uninstall", into the Run box and click OK:

ComboFix /uninstall


Next, to remove all of the tools used and the files and folders they created please do the following:

Double click OTL.exe.
Click the CleanUp button.
Select Yes when the Begin cleanup Process? prompt appears.
If you are prompted to reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.


Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Right-click the Recycle Bin and please select Empty Recycle Bin.
==========

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :thumbup:


IMPORTANT: Please enable Automatic Updates under Start > Control Panel > Automatic Updates to ensure your Windows updates regularly. This is extremely important in ensuring you remain protected against vulnerabilities and infections. This is a crucial security measure.


As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Please consider installing and running the following program:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster, can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here:

http://www.spywarewa...nti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different from the older version of rogues mentioned above.


Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like Adblock Plus, NoScript and Web of Trust, can make it even more secure. Google Chrome or Opera are other good options.

Please also read Tony Klein's excellent article: How did I get infected in the first place.

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)

Edited by The Dark Knight, 04 March 2012 - 07:21 AM.



#31 Tomcos

Tomcos

    Member

  • Full Member
  • 17 posts

Posted 05 March 2012 - 07:41 PM

Thanks for all your help.....

#32 The Dark Knight

The Dark Knight

    Malware Vigilante

  • Trusted Advisor*
  • 2,214 posts

Posted 05 March 2012 - 11:04 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.





