Is this residual damage, or do I still have the trojan?


This topic is locked
58 replies to this topic

#1 nenadrew

Posted 08 January 2013 - 04:10 PM

Yesterday I didn't get into the computer until early afternoon.  Checked email (didn't have any), went to Facebook to check my crops on Farm Town, then went to my garden forum (a site hosted by Invision; been going there for years with no problems.)  My point being that I hadn't been anywhere weird, hadn't run any Google searches, and hadn't clicked on any emails at all.
 
What I did do was click on a bird call that one of my garden friends had posted, which opened up in a new window.  Those little QuickTime files usually pop right up, but this one took a long time to load; in fact, I was about to X out of it when the thing finally played.  After listening to the call of the saw-whet owl, I closed that screen and went back to my garden forum.
 
Almost instantly, I found myself chucked out of the browser and looking at one of those rogue security pop-ups.  Well, I'd seen that before and knew it was trouble.  I immediately started running SuperAntiSpyware, and was relieved to see that it was working.  Or seemed to be.  When I realized that it was taking an unusually long time to complete the scan, I sat down and started watching it; after awhile I could see that it seemed to be stuck in a loop, scanning the same files over and over.  However, it did show that it had found two Trojan.Win32 files, so I stopped the scan and let the program delete those.  (Or appear to.)
 
When I next tried to run MalwareBytes, the 'Open With' window popped up.  When I tried to run Disk Cleanup, Windows told me it couldn't locate that program.  I soon discovered that there was very little in my computer that I could access; even clicking on Google Chrome only got me another 'Open With' window.  IE was still working; I was able to download MalwareBytes with no problem.  But when I tried to run the setup file, all I got was the 'Open With' window again.
 
Well, I won't bore you with all the other things I tried.  Finally went to my daughter's house and burned a Kaspersky rescue disk from her computer.  It ran for almost 12 hours and found 10 threats to delete, all of them either Trojan.Win32 or Backdoor.Win32.
 
The problem is that even though the malware is supposedly cleaned off, I'm still having most of the same problems I had yesterday.  The hot keys on my keyboard still don't work.  Can't open or reinstall MalwareBytes, etc. because I still keep getting the 'Open With' window.  In Control Panel, clicking on System or Add/Remove Programs results in an error message that says
 
C:\WINDOWS\system32\rundll32.exe
Application not found.
 
So my question is, do I still have a malware issue, or is this just the aftermath of the attack?
 
Thanks for your help!
 
Nena


Edit: Please read the Instructions and post the requested logs. We need the information about your system in order to help you.

Edited by cnm, 08 January 2013 - 04:27 PM.


#2 nenadrew

Posted 08 January 2013 - 04:58 PM

Sorry about that.  Here is the DDS.txt report:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.5.1
Run by Nena at 15:56:45 on 2013-01-08
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: uTorrentBar Toolbar: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - c:\program files\utorrentbar\tbuTor.dll
TB: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\ConduitEngine.dll
TB: Ask Toolbar: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\ConduitEngine.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\nena\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1320181966656
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 24.116.2.50 24.116.2.34
TCP: Interfaces\{DA041DF9-FF1F-47BF-997E-A48F0C9BD29A} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{DA041DF9-FF1F-47BF-997E-A48F0C9BD29A} : DHCPNameServer = 24.116.2.50 24.116.2.34
Notify: !SASWinLogon - <no file>
Notify: crypt32chain - <no file>
Notify: cryptnet - <no file>
Notify: cscdll - <no file>
Notify: dimsntfy - <no file>
Notify: igfxcui - <no file>
Notify: ScCertProp - <no file>
Notify: Schedule - <no file>
Notify: sclgntfy - <no file>
Notify: SensLogn - <no file>
Notify: termsrv - <no file>
Notify: wlballoon - <no file>
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
.
=============== File Associations ===============
.
FileExt: .exe: exefile="c:\documents and settings\nena\local settings\application data\yjx.exe" -a "%1" %*
ShellExec: QPW.EXE: open="c:\corel\office7\quattro7\QPW.EXE"
ShellExec: QPW.EXE: print="c:\corel\office7\quattro7\QPW.EXE"
.
=============== Created Last 30 ================
.
2012-12-12 17:38:23 -------- d-----w- c:\documents and settings\nena\local settings\application data\Zugo
.
==================== Find3M  ====================
.
2012-12-17 08:49:34 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-17 08:49:33 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-14 22:49:28 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-16 23:27:01 1838 ----a-w- c:\windows\~~UFILE.TMP
.
============= FINISH: 15:57:03.93 ===============
 



#3 nenadrew

Posted 08 January 2013 - 05:00 PM

I downloaded SecurityCheck, but when I try to run it I just get the 'Open With' window again.

 

Nena



#4 TheJoker (Boot Camp Mod)

Posted 08 January 2013 - 06:57 PM

Hi nenadrew, and welcome back.

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier. Please follow the directions in the order listed.

It looks like your EXE file association has been tampered with by the malware.

What version of Windows do you have? I see from the DDS log that it's an x86 version, but not the Windows version number.

While I wait for that answer, try and run Malwarebytes Anti-Malware and Security check this way:

Press CTRL-ALT-DEL to open Task Manager. Once there, click File, then hold down the CTRL key and click New Task (Run). This will open a Command Prompt window.

It will likely open up with the prompt - C:\Windows\System32

Enter C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe and hit Enter (if you have MBAM in a different folder, you will need to adjust that line).

If MBAM starts, update it and run the scan and post the log. You can try to start Security Check the same way, using the full path to your file. If you stored it on the Desktop, in the Command Prompt window enter:
CD %USERPROFILE%\Desktop and hit Enter
Then enter securitycheck.exe and hit Enter to run SecurityCheck.

If you were able to run MBAM and Security Check, please post the logs and note any errors, and please let me know what version of Windows you are running.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005


#5 nenadrew

Posted 08 January 2013 - 07:24 PM

Joker!  Omg, am I glad to see you!  (You may not remember, but you saved my computer three years ago.)  Sorry I forgot to post the relevant info.  I have a Dell Vostro 300 desktop running Windows XP Home Edition with IE8.  I'd give you the exact version number, but when I do Start-Run-winver I get the 'Open With' screen again.  Just printed out your instructions and am going now to try them.  Thanks!

 

Nena

 

 

P.S.  Can't get either MBAM or SecurityCheck to run through Task Manager; still getting the 'Open With' window even from there.


Edited by nenadrew, 08 January 2013 - 07:32 PM.


#6 TheJoker (Boot Camp Mod)

Posted 08 January 2013 - 08:26 PM

I'm glad you remember me. :)

Please go here:
http://www.dougknox..../file_assoc.htm

and download this file and save it to your Desktop:
EXE File Association Fix

Extract the only file it contains (xp_exe_fix.reg) to the Desktop, and double-click it to merge it with your registry.

If you can't successfully do that, try it this way just like above:

Press CTRL-ALT-DEL to open Task Manager. Once there, click File, then hold down the CTRL key and click New Task (Run). This will open a Command Prompt window.

In the Command Prompt window Enter REGEDIT.EXE and press Enter.

Once the Registry Editor opens, go to File > Import, and in the Window that opens navigate to your Desktop, click once on xp_exe_fix.reg, and then click the Open button.

Restart your system. Can you now open EXE files properly?



#7 nenadrew

Posted 09 January 2013 - 06:18 AM

Yes, that was like magic! EXE files are working again, hot keys and Control Panel are functioning properly. I started running MalwareBytes and noticed that it was taking a lot longer than usual to do a Quick Scan; it seemed to be getting bogged down in temporary internet files again. I stopped the scan and cleaned out cache/history in both Chrome and IE, ran Disk Cleanup, then started the scan again and just let it run to completion. It took about three times longer than usual to finish in both MBAM and SuperAntiSpyware, if that means anything.

 

MBAM, SuperAntiSpyware, and Spybot all found threats to remove; I took screenshots to show you, but can't attach them as it says the files are too big even after cropping.  Is there some way to insert them into the body of the posting, and I'm just missing it?  If not, I'll type out a list.

 

The only obvious problem I see right now is that my desktop icons won't stay sorted and the View settings in directory windows won't stick; I have to reset them every time I go in. This has actually been happening off and on for awhile now, but it's back again, so just thought I'd mention it.

 

Do I need to run some more logs to be sure it's all squeaky clean?

 

Nena



#8 TheJoker (Boot Camp Mod)

Posted 09 January 2013 - 07:23 AM

That's excellent news! Don't try to post the logs as attached screenshots, post them as plain text in a reply. Try one log per reply so they don't get as long, check to see if it has posted completely or if it has cut off, and if one cuts off, find where it cuts off, and post the remainder in an additional post. I need the logs from:
MBAM
SecurityCheck
a new DDS log would be good as well.

 

Even if something was found and removed, what was identified and removed is important.




#9 nenadrew

Posted 09 January 2013 - 08:23 AM

Here's the MBAM log:

 

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.09.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Nena :: NENADREW [administrator]

1/9/2013 3:37:10 AM
mbam-log-2013-01-09 (03-37-10).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 226755
Time elapsed: 8 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCR\.exe\shell\open\command| (Hijack.ExeFile) -> Data: "C:\Documents and Settings\Nena\Local Settings\Application Data\yjx.exe" -a "%1" %* -> Quarantined and deleted successfully.

Registry Data Items Detected: 3
HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-18\$d99d673cfcb2ab4cd9ddc2b553a73fb9\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.
HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-21-448539723-1606980848-839522115-1004\$d99d673cfcb2ab4cd9ddc2b553a73fb9\n.) Good: (shell32.dll) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Nena\Local Settings\Application Data\yjx.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
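The EXE-association hijack TheJoker diagnosed in #4, the .reg repair from #6 and the Hijack.ExeFile / Trojan.0Access entries in the MBAM log just above, as an added example that is not part of this thread and not code from Malwarebytes, DDS or dougknox.com. It is a Python script that audits a snapshot of the relevant registry keys and renders the repair .reg file. The stock XP values, the suspicious-location patterns and the function names audit and build_fix_reg are the example's own assumptions; the snapshot INFECTED is constructed from the values quoted in the MBAM and DDS logs, so it runs offline (on a live machine the same keys would be read with winreg).

```python
"""Audit and repair the .exe file-association chain hijacked in this thread.

Added example, not from the thread, Malwarebytes, DDS or dougknox.com. The
registry content is a constructed dict that mirrors the values quoted in the
MBAM and DDS logs; on a live XP box the same keys would be read with winreg.
"""
import re

# Stock Windows XP values for the exefile class (assumption: XP SP3 defaults).
GOOD = {
    r"HKCR\.exe\(Default)": "exefile",
    r"HKCR\exefile\shell\open\command\(Default)": '"%1" %*',
}

# Locations a legitimate launcher or COM server never lives in. RECYCLER\$...
# and the per-user Application Data folders are exactly where the MBAM log
# found n. and yjx.exe.
SUSPICIOUS_LOCATION = re.compile(
    r"\\RECYCLER\\|\\Application Data\\|\\Temp\\", re.IGNORECASE
)


def audit(reg):
    """Return {registry key: [problems]} for a snapshot of string values.

    `reg` maps 'HIVE\\path\\(Default)' to the data stored there; it stands in
    for winreg.QueryValue so the check runs offline.
    """
    findings = {}

    def flag(key, msg):
        findings.setdefault(key, []).append(msg)

    # 1. The chain .exe -> exefile -> "%1" %* must match exactly. A substring
    #    test would pass the hijacked command, which keeps "%1" %* at the end
    #    so every program still starts, just through the malware first.
    for key, expected in GOOD.items():
        actual = reg.get(key)
        if actual != expected:
            flag(key, f"expected {expected!r}, found {actual!r}")

    # 2. A clean system has no shell\open\command directly under .exe; if one
    #    exists it wins over exefile, which is how yjx.exe got control here
    #    while the exefile key itself still looked fine.
    direct = r"HKCR\.exe\shell\open\command\(Default)"
    if direct in reg:
        flag(direct, f"unexpected handler under .exe: {reg[direct]!r}")

    # 3. Any launcher command or COM InProcServer32 in a throwaway location
    #    (the Trojan.0Access and StartMenuInternet entries in the MBAM log).
    for key, data in reg.items():
        if key.endswith((r"\command\(Default)", r"\InProcServer32\(Default)")):
            if SUSPICIOUS_LOCATION.search(data or ""):
                flag(key, f"handler in suspicious location: {data!r}")
    return findings


def build_fix_reg():
    """Render a minimal .reg file restoring the GOOD values and removing the
    bogus shell subtree under .exe (the same job xp_exe_fix.reg does)."""
    hives = {"HKCR": "HKEY_CLASSES_ROOT", "HKLM": "HKEY_LOCAL_MACHINE"}

    def esc(s):  # regedit escapes backslashes and quotes inside string data
        return s.replace("\\", "\\\\").replace('"', '\\"')

    lines = ["Windows Registry Editor Version 5.00", "",
             r"[-HKEY_CLASSES_ROOT\.exe\shell]", ""]
    for key, value in GOOD.items():
        path = key.rsplit("\\", 1)[0]            # drop '(Default)'
        hive, rest = path.split("\\", 1)
        lines += [f"[{hives[hive]}\\{rest}]", f'@="{esc(value)}"', ""]
    return "\r\n".join(lines)


# Constructed snapshot built from the values quoted in the MBAM and DDS logs.
INFECTED = {
    r"HKCR\.exe\(Default)": "exefile",
    r"HKCR\exefile\shell\open\command\(Default)": '"%1" %*',
    r"HKCR\.exe\shell\open\command\(Default)":
        r'"C:\Documents and Settings\Nena\Local Settings\Application Data\yjx.exe" -a "%1" %*',
    r"HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(Default)":
        r'"C:\Documents and Settings\Nena\Local Settings\Application Data\yjx.exe" -a "iexplore.exe',
    r"HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32\(Default)":
        r"C:\RECYCLER\S-1-5-18\$d99d673cfcb2ab4cd9ddc2b553a73fb9\n.",
    r"HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32\(Default)":
        r"C:\RECYCLER\S-1-5-21-448539723-1606980848-839522115-1004\$d99d673cfcb2ab4cd9ddc2b553a73fb9\n.",
}

if __name__ == "__main__":
    for key, problems in audit(INFECTED).items():
        print(key)
        for p in problems:
            print("   ", p)
    print(build_fix_reg())
```

Two design points worth noting. The comparison against the stock values is an exact match on purpose: the hijacked command still ends in "%1" %*, so a naive "does it contain the normal launcher string" check would pass it, and every program would keep launching through yjx.exe first. And the .reg output only repairs the exefile chain; the ZeroAccess CLSID entries and the StartMenuInternet command are flagged but left for the tool that found them, since restoring those means knowing the correct original DLL for each CLSID. On a machine where double-clicking the .reg fails because of the hijack, the same file can be imported from the Command Prompt opened through Task Manager with regedit /s fix.reg, followed by a reboot.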



#10 nenadrew

Posted 09 January 2013 - 08:25 AM

SecurityCheck log:

 

 Results of screen317's Security Check version 0.99.56 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 ESET Online Scanner v3  
`````````Anti-malware/Other Utilities Check:`````````
 Spybot - Search & Destroy
 SUPERAntiSpyware Free Edition  
 Malwarebytes Anti-Malware version 1.70.0.1100 
 CCleaner    
 JavaFX 2.1.1   
 Java™ 6 Update 29 
 Java™ 7 Update 5 
 Java version out of Date!
 Adobe Reader 9 Adobe Reader out of Date!
 Google Chrome 23.0.1271.64 
 Google Chrome 23.0.1271.91 
 Google Chrome 23.0.1271.95 
 Google Chrome 23.0.1271.97 
````````Process Check: objlist.exe by Laurent```````` 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 2%
````````````````````End of Log``````````````````````
 



#11 nenadrew

Posted 09 January 2013 - 08:30 AM

DDS log:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.5.1
Run by Nena at 7:28:36 on 2013-01-09
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: uTorrentBar Toolbar: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - c:\program files\utorrentbar\tbuTor.dll
TB: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\ConduitEngine.dll
TB: Ask Toolbar: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\ConduitEngine.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\nena\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1320181966656
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 24.116.2.50 24.116.2.34
TCP: Interfaces\{DA041DF9-FF1F-47BF-997E-A48F0C9BD29A} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{DA041DF9-FF1F-47BF-997E-A48F0C9BD29A} : DHCPNameServer = 24.116.2.50 24.116.2.34
Notify: !SASWinLogon - <no file>
Notify: crypt32chain - <no file>
Notify: cryptnet - <no file>
Notify: cscdll - <no file>
Notify: dimsntfy - <no file>
Notify: igfxcui - <no file>
Notify: ScCertProp - <no file>
Notify: Schedule - <no file>
Notify: sclgntfy - <no file>
Notify: SensLogn - <no file>
Notify: termsrv - <no file>
Notify: wlballoon - <no file>
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
.
=============== File Associations ===============
.
ShellExec: QPW.EXE: open="c:\corel\office7\quattro7\QPW.EXE"
ShellExec: QPW.EXE: print="c:\corel\office7\quattro7\QPW.EXE"
.
=============== Created Last 30 ================
.
2012-12-12 17:38:23 -------- d-----w- c:\documents and settings\nena\local settings\application data\Zugo
.
==================== Find3M  ====================
.
2012-12-17 08:49:34 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-17 08:49:33 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-14 22:49:28 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-16 23:27:01 1838 ----a-w- c:\windows\~~UFILE.TMP
.
============= FINISH:  7:28:47.75 ===============
 



#12 nenadrew

Posted 09 January 2013 - 08:35 AM

In the scans I ran earlier, SuperAntiSpyware found and removed System.BrokenFileAssociation.

 

Spybot found/removed Microsoft.WindowsSecurityCenter.AntiVirusOverride and Microsoft.WindowsSecurityCenter.FirewallOverride.

 

Thought I would mention it in case you need to see those logs, too.  Thank you!

 

Nena



#13 TheJoker (Boot Camp Mod)

Posted 09 January 2013 - 08:39 AM

I see several added toolbars that don't have a good reputation and were likely added when you installed other software.
 
Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Follow the prompts to reboot the computer. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.


Next, I don't see evidence of a resident antivirus program. I see ESET's online scanner, but that doesn't provide real-time protection. If cost is an issue, try Avira AntiVir PersonalEdition Classic available at http://www.free-av.com, AVG Anti-Virus Free at http://free.grisoft....2/lng/us/tpl/v5, or Free avast! 4 Home Edition at http://www.avast.com...virus-download. After you download and install an antivirus program, you need to do a complete system scan and clean anything found.
 
Please post the log from AdwCleaner, and let me know how the antivirus installation and scanning went.



#14 nenadrew

Posted 09 January 2013 - 09:06 AM

You're right; I haven't used a resident antivirus for awhile now, after AVG slowed my computer to a crawl and Comodo didn't seem to actually protect me from anything.  I just got into the habit of running MBAM, etc. every few days, and if anything feels remotely hinky I stop everything and run scans immediately.  (Yes; we can see how well that plan worked.)  Cost is definitely an issue, so I appreciate your suggesting some free programs.  I will go now and download the Avira.  Thank you!

 

Nena

 

 

Adw log:

 

# AdwCleaner v2.105 - Logfile created 01/09/2013 at 07:55:34
# Updated 08/01/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Nena - NENADREW
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Nena\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\Nena\Application Data\PriceGong
Folder Deleted : C:\Documents and Settings\Nena\Application Data\Qwiklinx
Folder Deleted : C:\Documents and Settings\Nena\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Nena\Local Settings\Application Data\ConduitEngine
Folder Deleted : C:\Documents and Settings\Nena\Local Settings\Application Data\uTorrentBar
Folder Deleted : C:\Documents and Settings\NetworkService\Local Settings\Application Data\Zynga
Folder Deleted : C:\Program Files\AskBarDis
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\ConduitEngine
Folder Deleted : C:\Program Files\DefaultTab
Folder Deleted : C:\Program Files\Qwiklinx
Folder Deleted : C:\Program Files\uTorrentBar

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\AskBarDis
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\conduitEngine
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{201F27D4-3704-41D6-89C1-AA35E39143ED}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3041D03E-FD4B-44E0-B742-2D9B88305F98}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0702A2B6-13AA-4090-9E01-BCDC85DD933F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{201F27D4-3704-41D6-89C1-AA35E39143ED}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3041D03E-FD4B-44E0-B742-2D9B88305F98}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{77050DB5-048B-49EE-BA05-636B35BC5A0E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}
Key Deleted : HKCU\Software\PriceGong
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\uTorrentBar
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKCU\Toolbar
Key Deleted : HKLM\Software\AskBarDis
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{0702A2B6-13AA-4090-9E01-BCDC85DD933F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{08993A7C-E764-4172-9627-BFB5EA6897B2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{128A6C66-AC6A-4617-8268-AB7F47B7215E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{201F27D4-3704-41D6-89C1-AA35E39143ED}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3041D03E-FD4B-44E0-B742-2D9B88305F98}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{571715D7-3395-4DF0-B43C-784836209E60}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{622FD888-4E91-4D68-84D4-7262FD0811BF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{77050DB5-048B-49EE-BA05-636B35BC5A0E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B0DE3308-5D5A-470D-81B9-634FC078393B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\f
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4634804A-F0B0-4A74-A550-FC0EEF8A4362}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4C07EA4F-5F52-4222-B170-4CD9ED33BAEA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C44FEFF4-EF0C-4CF7-83D0-92B4266A32B9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F131923C-381D-4E4C-A472-4A17118FD742}
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2786678
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4B1C1E16-6B34-430E-B074-5928ECA4C150}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D2E5FA06-DCC7-46F9-BEFF-BFD06F69B9B2}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\conduitEngine
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7C28EC76-B8F5-4F44-960F-9E156BBC0596}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A8FAB1E6-5AFD-441E-A679-467CB7D213D4}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Ask Toolbar_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\uTorrentBar Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{201F27D4-3704-41D6-89C1-AA35E39143ED}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{77050DB5-048B-49EE-BA05-636B35BC5A0E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ask Toolbar_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uTorrentBar Toolbar
Key Deleted : HKLM\Software\uTorrentBar
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{3041D03E-FD4B-44E0-B742-2D9B88305F98}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{30F9B915-B755-4826-820B-08FBA6BD249D}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{3041D03E-FD4B-44E0-B742-2D9B88305F98}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{30F9B915-B755-4826-820B-08FBA6BD249D}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Google Chrome v23.0.1271.97

File : C:\Documents and Settings\Nena\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Deleted [l.51] : icon_url = "hxxp://search.conduit.com/fav.ico",
Deleted [l.54] : keyword = "search.conduit.com",
Deleted [l.57] : search_url = "hxxp://search.conduit.com/Results.aspx?q={searchTerms}&hl=en&SelfSearch=1&Searc[...]
Deleted [l.58] : suggest_url = "hxxp://search.conduit.com/"

*************************

AdwCleaner[S1].txt - [6881 octets] - [09/01/2013 07:55:34]

########## EOF - C:\AdwCleaner[S1].txt - [6941 octets] ##########



#15 TheJoker (Forum Deity, Boot Camp Mod, 13,496 posts)

Posted 09 January 2013 - 11:19 AM

Once you have Avira installed, remember to do a full scan, and to quarantine anything found.

After that, I want to do some more checking as you didn't have an antivirus installed. That may have prevented some of the damage, but possibly not all of it. Do you ever do online banking or store any account information on the system? Not having an antivirus installed and running, and not having a firewall installed and protecting your system is like leaving your front door open at home.

I didn't see a firewall installed and running. Please read this article on how to configure the Windows Firewall in Windows XP:
http://www.bleepingc...ws-xp-firewall/
If you are unable to start the firewall, please let me know.

Download RogueKiller (by tigzy) and save it to your desktop
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan. Click on Report and copy/paste the content of the notepad

Please post the log from RogueKiller, let me know the results of a full system scan with your newly installed Avira, whether or not you were able to successfully start the Windows Firewall, and note any errors encountered.



#16 nenadrew

nenadrew

    Member

  • Full Member
  • Pip
  • 56 posts

Posted 09 January 2013 - 04:28 PM

When I saw that Avira wanted me to uninstall Spybot and MalwareBytes, I skipped it and went to Avast instead.  Avast seems to be doing fine so far; it found a bunch of script stuff, redirects, and some Java agents/malware, which are all quarantined.

I set up the Windows firewall when I first got this computer and never really thought about it again; since I never turned it off, I assumed it was still running.  However, when I went to Control Panel to check it today, I got the following message:  Due to an unidentified problem, Windows cannot display Windows Firewall settings.

Yes, I do go into the checking account online, just to check the balance; we don't do any business from there.  I know you're right, that not having firewall and antivirus protection is like leaving your front door open.  (Though I did think I had firewall protection.)  I will keep Avast up and running from now on, I promise, and hopefully you can tell me how to fix my firewall.

Here is the RogueKiller report:

RogueKiller V8.4.2 [Jan  6 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Nena [Admin rights]
Mode : Remove -- Date : 01/09/2013 15:00:55

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤
[Tr.Karagany][FOLDER] ROOT : C:\Documents and Settings\Nena\Application Data\Adobe\plugs --> REMOVED
[Tr.Karagany][FOLDER] ROOT : C:\Documents and Settings\Nena\Application Data\Adobe\shed --> REMOVED
[ZeroAccess][FILE] @ : C:\WINDOWS\Installer\{d99d673c-fcb2-ab4c-d9dd-c2b553a73fb9}\@ --> REMOVED
[ZeroAccess][FILE] @ : C:\Documents and Settings\Nena\Local Settings\Application Data\{d99d673c-fcb2-ab4c-d9dd-c2b553a73fb9}\@ --> REMOVED
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$d99d673cfcb2ab4cd9ddc2b553a73fb9\@ --> REMOVED
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-448539723-1606980848-839522115-1004\$d99d673cfcb2ab4cd9ddc2b553a73fb9\@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\WINDOWS\Installer\{d99d673c-fcb2-ab4c-d9dd-c2b553a73fb9}\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Documents and Settings\Nena\Local Settings\Application Data\{d99d673c-fcb2-ab4c-d9dd-c2b553a73fb9}\U --> REMOVED
[Del.Parent][FILE] 00000001.@ : C:\RECYCLER\S-1-5-18\$d99d673cfcb2ab4cd9ddc2b553a73fb9\U\00000001.@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-18\$d99d673cfcb2ab4cd9ddc2b553a73fb9\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-21-448539723-1606980848-839522115-1004\$d99d673cfcb2ab4cd9ddc2b553a73fb9\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\WINDOWS\Installer\{d99d673c-fcb2-ab4c-d9dd-c2b553a73fb9}\L --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Documents and Settings\Nena\Local Settings\Application Data\{d99d673c-fcb2-ab4c-d9dd-c2b553a73fb9}\L --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-18\$d99d673cfcb2ab4cd9ddc2b553a73fb9\L --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-21-448539723-1606980848-839522115-1004\$d99d673cfcb2ab4cd9ddc2b553a73fb9\L --> REMOVED

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1       localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 85d98a577e1dadf5d0579f83382860d1
[BSP] cd259a7e0bfcd91535aaa70e4712df6c : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953859 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1:  +++++
--- User ---
[MBR] 5c371c82fe24aa62ecb13ba668014474
[BSP] 4cac816d4009e010bfb8c850b7815779 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_01092013_02d1500.txt >>
RKreport[1]_S_01092013_02d1458.txt ; RKreport[2]_D_01092013_02d1500.txt



#17 TheJoker (Forum Deity, Boot Camp Mod, 13,496 posts)

Posted 09 January 2013 - 06:09 PM

When I saw that Avira wanted me to uninstall Spybot and MalwareBytes, I skipped it and went to Avast instead.

That will work just as well for you. I think even Kaspersky (which is what I use) says to uninstall MBAM first, but reinstalling it afterwards works just fine.

It looks like you skipped a step and used Remove on RogueKiller instead of just the log first. That's fine. However, your system was thoroughly infected. Those entries that say ZeroAccess are for a trojan that uses an advanced rootkit to hide itself. It can also create a hidden file system, download more malware, and open a back door on the compromised computer. You can check here for more information on it. I highly recommend that, since you do banking with this system, you call your financial institution and advise them of the situation so you can secure your accounts.

Please download tdsskiller.exe and save it to your Desktop. Go here for information.

  • Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button.
    - A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt).
  • Please copy and paste the contents of that file in your next reply.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

 

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Please post the logs from TDSSKiller and Farbar Service Scanner and note any errors encountered.


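The ZeroAccess layout that RogueKiller flagged in the report above (a GUID-named folder holding an "@" file plus "U" and "L" folders, under Windows\Installer, under the user's Local Settings\Application Data, and under RECYCLER\<SID>\$<hex>) is regular enough to check for mechanically. The following Python script is an added example, not part of this thread and not RogueKiller's own code: it parses the "Particular Files / Folders" lines of a RogueKiller report, counts findings per family, and also flags any path that fits the ZeroAccess layout even when the scanner tagged it differently (as with the Del.Parent entry). The sample report is constructed from the one posted above, and the path pattern covers only the variant seen in this thread.

```python
"""Parse RogueKiller 'Particular Files / Folders' findings and flag ZeroAccess-style paths.

Added example for this thread, not RogueKiller's own code.  SAMPLE_REPORT is
constructed from the report nenadrew posted in this thread.
"""
import re
from collections import Counter

# Constructed sample: the 'Particular Files / Folders' section of the posted report.
SAMPLE_REPORT = r"""
¤¤¤ Particular Files / Folders: ¤¤¤
[Tr.Karagany][FOLDER] ROOT : C:\Documents and Settings\Nena\Application Data\Adobe\plugs --> REMOVED
[Tr.Karagany][FOLDER] ROOT : C:\Documents and Settings\Nena\Application Data\Adobe\shed --> REMOVED
[ZeroAccess][FILE] @ : C:\WINDOWS\Installer\{d99d673c-fcb2-ab4c-d9dd-c2b553a73fb9}\@ --> REMOVED
[ZeroAccess][FILE] @ : C:\Documents and Settings\Nena\Local Settings\Application Data\{d99d673c-fcb2-ab4c-d9dd-c2b553a73fb9}\@ --> REMOVED
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$d99d673cfcb2ab4cd9ddc2b553a73fb9\@ --> REMOVED
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-448539723-1606980848-839522115-1004\$d99d673cfcb2ab4cd9ddc2b553a73fb9\@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\WINDOWS\Installer\{d99d673c-fcb2-ab4c-d9dd-c2b553a73fb9}\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Documents and Settings\Nena\Local Settings\Application Data\{d99d673c-fcb2-ab4c-d9dd-c2b553a73fb9}\U --> REMOVED
[Del.Parent][FILE] 00000001.@ : C:\RECYCLER\S-1-5-18\$d99d673cfcb2ab4cd9ddc2b553a73fb9\U\00000001.@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-18\$d99d673cfcb2ab4cd9ddc2b553a73fb9\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-21-448539723-1606980848-839522115-1004\$d99d673cfcb2ab4cd9ddc2b553a73fb9\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\WINDOWS\Installer\{d99d673c-fcb2-ab4c-d9dd-c2b553a73fb9}\L --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Documents and Settings\Nena\Local Settings\Application Data\{d99d673c-fcb2-ab4c-d9dd-c2b553a73fb9}\L --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-18\$d99d673cfcb2ab4cd9ddc2b553a73fb9\L --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-21-448539723-1606980848-839522115-1004\$d99d673cfcb2ab4cd9ddc2b553a73fb9\L --> REMOVED

¤¤¤ Infection : ZeroAccess ¤¤¤
"""

# One finding per line:  [Family][FILE|FOLDER] name : path --> ACTION
FINDING_RE = re.compile(
    r"^\[(?P<family>[^\]]+)\]\[(?P<kind>FILE|FOLDER)\]\s+(?P<name>\S+)\s+:\s+"
    r"(?P<path>.+?)\s+-->\s+(?P<action>\w+)\s*$"
)

# ZeroAccess layout as seen in this report: a GUID-named folder holding an "@" file
# plus "U" and "L" folders, placed under Windows\Installer, under the user's
# Local Settings\Application Data, or under RECYCLER\<SID>\$<32 hex digits>.
# Assumption: only the variant reported in this thread is covered.
_GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
ZEROACCESS_PATH_RE = re.compile(
    r"(?:\\WINDOWS\\Installer\\" + _GUID
    + r"|\\Local Settings\\Application Data\\" + _GUID
    + r"|\\RECYCLER\\S-1-5-[0-9-]+\\\$[0-9a-f]{32})"
    + r"\\(?:@|U|L)(?:\\|$)",
    re.IGNORECASE,
)


def parse_findings(report: str) -> list:
    """Return one dict (family, kind, name, path, action) per finding line."""
    findings = []
    for line in report.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def is_zeroaccess_path(path: str) -> bool:
    """True if the path fits the ZeroAccess folder layout, whatever tag the scanner gave it."""
    return ZEROACCESS_PATH_RE.search(path) is not None


def summarize(report: str) -> dict:
    """Count findings per family and list ZeroAccess-layout paths the scanner tagged otherwise."""
    findings = parse_findings(report)
    by_family = Counter(f["family"] for f in findings)
    untagged = [f["path"] for f in findings
                if f["family"] != "ZeroAccess" and is_zeroaccess_path(f["path"])]
    return {
        "total": len(findings),
        "removed": sum(1 for f in findings if f["action"] == "REMOVED"),
        "by_family": dict(by_family),
        "zeroaccess_layout_untagged": untagged,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run against a full RKreport file, `summarize` gives a quick per-family tally before reading the rest of the log; `is_zeroaccess_path` can equally be applied to a plain directory listing.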


#18 nenadrew (Full Member, 56 posts)

Posted 09 January 2013 - 07:17 PM

Yikes!  I had no idea!  I will call the bank first thing tomorrow.

Here is the TDSSKiller log:

18:14:13.0859 1988 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
18:14:14.0250 1988 ============================================================
18:14:14.0250 1988 Current date / time: 2013/01/09 18:14:14.0250
18:14:14.0250 1988 SystemInfo:
18:14:14.0250 1988
18:14:14.0250 1988 OS Version: 5.1.2600 ServicePack: 3.0
18:14:14.0250 1988 Product type: Workstation
18:14:14.0250 1988 ComputerName: NENADREW
18:14:14.0250 1988 UserName: Nena
18:14:14.0250 1988 Windows directory: C:\WINDOWS
18:14:14.0250 1988 System windows directory: C:\WINDOWS
18:14:14.0250 1988 Processor architecture: Intel x86
18:14:14.0250 1988 Number of processors: 2
18:14:14.0250 1988 Page size: 0x1000
18:14:14.0250 1988 Boot type: Normal boot
18:14:14.0250 1988 ============================================================
18:14:15.0515 1988 Drive \Device\Harddisk0\DR0 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
18:14:15.0515 1988 Drive \Device\Harddisk1\DR1 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
18:14:15.0515 1988 ============================================================
18:14:15.0515 1988 \Device\Harddisk0\DR0:
18:14:15.0515 1988 MBR partitions:
18:14:15.0515 1988 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x74701AC1
18:14:15.0515 1988 \Device\Harddisk1\DR1:
18:14:15.0515 1988 MBR partitions:
18:14:15.0515 1988 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x74705982
18:14:15.0515 1988 ============================================================
18:14:15.0546 1988 C: <-> \Device\Harddisk0\DR0\Partition1
18:14:15.0546 1988 N: <-> \Device\Harddisk1\DR1\Partition1
18:14:15.0546 1988 ============================================================
18:14:15.0546 1988 Initialize success
18:14:15.0546 1988 ============================================================
18:14:24.0218 1072 ============================================================
18:14:24.0218 1072 Scan started
18:14:24.0218 1072 Mode: Manual;
18:14:24.0218 1072 ============================================================
18:14:24.0500 1072 ================ Scan system memory ========================
18:14:24.0500 1072 System memory - ok
18:14:24.0500 1072 ================ Scan services =============================
18:14:24.0609 1072 [ C0393EB99A6C72C6BEF9BFC4A72B33A6 ] !SASCORE C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
18:14:24.0609 1072 !SASCORE - ok
18:14:24.0734 1072 [ 149A8F7ADF9742554DC323E290551E3E ] Aavmker4 C:\WINDOWS\system32\drivers\Aavmker4.sys
18:14:24.0734 1072 Aavmker4 - ok
18:14:24.0734 1072 Abiosdsk - ok
18:14:24.0734 1072 abp480n5 - ok
18:14:24.0765 1072 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:14:24.0781 1072 ACPI - ok
18:14:24.0812 1072 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
18:14:24.0812 1072 ACPIEC - ok
18:14:24.0812 1072 adpu160m - ok
18:14:24.0828 1072 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
18:14:24.0828 1072 aec - ok
18:14:24.0859 1072 [ 7618D5218F2A614672EC61A80D854A37 ] AFD C:\WINDOWS\System32\drivers\afd.sys
18:14:24.0875 1072 AFD - ok
18:14:24.0875 1072 Aha154x - ok
18:14:24.0875 1072 aic78u2 - ok
18:14:24.0890 1072 aic78xx - ok
18:14:24.0921 1072 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
18:14:24.0921 1072 Alerter - ok
18:14:24.0937 1072 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
18:14:24.0937 1072 ALG - ok
18:14:24.0937 1072 AliIde - ok
18:14:24.0937 1072 amsint - ok
18:14:25.0015 1072 [ 7EF47644B74EBE721CC32211D3C35E76 ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
18:14:25.0031 1072 Apple Mobile Device - ok
18:14:25.0031 1072 AppMgmt - ok
18:14:25.0031 1072 asc - ok
18:14:25.0031 1072 asc3350p - ok
18:14:25.0046 1072 asc3550 - ok
18:14:25.0078 1072 [ DE6ED95AEF259979B2830450072A627B ] aswFsBlk C:\WINDOWS\system32\drivers\aswFsBlk.sys
18:14:25.0078 1072 aswFsBlk - ok
18:14:25.0093 1072 [ 84F0BE324EE111338589F448C3E8BAB2 ] aswMon2 C:\WINDOWS\system32\drivers\aswMon2.sys
18:14:25.0093 1072 aswMon2 - ok
18:14:25.0109 1072 [ 7C9F0A2AB17D52261A9252A2EB320884 ] AswRdr C:\WINDOWS\system32\drivers\AswRdr.sys
18:14:25.0109 1072 AswRdr - ok
18:14:25.0140 1072 [ B32E9AD44A1DBB3E8095E80F8DF32B03 ] aswSnx C:\WINDOWS\system32\drivers\aswSnx.sys
18:14:25.0140 1072 aswSnx - ok
18:14:25.0171 1072 [ 67B558895695545FB0568B7541F3BCA7 ] aswSP C:\WINDOWS\system32\drivers\aswSP.sys
18:14:25.0171 1072 aswSP - ok
18:14:25.0187 1072 [ E3E73B2B73A4DFADFDDF557192C4B08A ] aswTdi C:\WINDOWS\system32\drivers\aswTdi.sys
18:14:25.0187 1072 aswTdi - ok
18:14:25.0203 1072 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:14:25.0203 1072 AsyncMac - ok
18:14:25.0218 1072 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
18:14:25.0218 1072 atapi - ok
18:14:25.0218 1072 Atdisk - ok
18:14:25.0234 1072 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:14:25.0234 1072 Atmarpc - ok
18:14:25.0265 1072 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
18:14:25.0265 1072 AudioSrv - ok
18:14:25.0296 1072 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
18:14:25.0296 1072 audstub - ok
18:14:25.0359 1072 [ 8FA553E9AE69808D99C164733A0F9590 ] avast! Antivirus C:\Program Files\AVAST Software\Avast\AvastSvc.exe
18:14:25.0359 1072 avast! Antivirus - ok
18:14:25.0390 1072 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
18:14:25.0390 1072 Beep - ok
18:14:25.0421 1072 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
18:14:25.0421 1072 BITS - ok
18:14:25.0468 1072 [ DB5BEA73EDAF19AC68B2C0FAD0F92B1A ] Bonjour Service C:\Program Files\Bonjour\mDNSResponder.exe
18:14:25.0468 1072 Bonjour Service - ok
18:14:25.0484 1072 [ A06CE3399D16DB864F55FAEB1F1927A9 ] Browser C:\WINDOWS\System32\browser.dll
18:14:25.0484 1072 Browser - ok
18:14:25.0500 1072 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
18:14:25.0500 1072 cbidf2k - ok
18:14:25.0546 1072 [ 5753532C476B83119D85AA43B1B10AB3 ] CCALib8 C:\Program Files\Canon\CAL\CALMAIN.exe
18:14:25.0546 1072 CCALib8 - ok
18:14:25.0562 1072 cd20xrnt - ok
18:14:25.0562 1072 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
18:14:25.0562 1072 Cdaudio - ok
18:14:25.0578 1072 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
18:14:25.0578 1072 Cdfs - ok
18:14:25.0578 1072 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
18:14:25.0578 1072 Cdrom - ok
18:14:25.0609 1072 [ 84853B3FD012251690570E9E7E43343F ] cercsr6 C:\WINDOWS\system32\drivers\cercsr6.sys
18:14:25.0609 1072 cercsr6 - ok
18:14:25.0609 1072 Changer - ok
18:14:25.0625 1072 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
18:14:25.0625 1072 CiSvc - ok
18:14:25.0625 1072 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
18:14:25.0625 1072 ClipSrv - ok
18:14:25.0640 1072 CmdIde - ok
18:14:25.0640 1072 COMSysApp - ok
18:14:25.0656 1072 Cpqarray - ok
18:14:25.0671 1072 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
18:14:25.0671 1072 CryptSvc - ok
18:14:25.0671 1072 dac2w2k - ok
18:14:25.0687 1072 dac960nt - ok
18:14:25.0718 1072 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
18:14:25.0734 1072 DcomLaunch - ok
18:14:25.0750 1072 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
18:14:25.0750 1072 Dhcp - ok
18:14:25.0765 1072 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
18:14:25.0765 1072 Disk - ok
18:14:25.0828 1072 [ 0659E6E0A95564F958D9DF7313F7701E ] DLABMFSM C:\WINDOWS\system32\DLA\DLABMFSM.SYS
18:14:25.0828 1072 DLABMFSM - ok
18:14:25.0859 1072 [ 8691C78908F0BD66170669DB268369F2 ] DLABOIOM C:\WINDOWS\system32\DLA\DLABOIOM.SYS
18:14:25.0859 1072 DLABOIOM - ok
18:14:25.0875 1072 [ 76167B5EB2DFFC729EDC36386876B40B ] DLACDBHM C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
18:14:25.0875 1072 DLACDBHM - ok
18:14:25.0890 1072 [ 5615744A1056933B90E6AC54FEB86F35 ] DLADResM C:\WINDOWS\system32\DLA\DLADResM.SYS
18:14:25.0890 1072 DLADResM - ok
18:14:25.0906 1072 [ 1AECA2AFA5005CE4A550CF8EB55A8C88 ] DLAIFS_M C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
18:14:25.0921 1072 DLAIFS_M - ok
18:14:25.0921 1072 [ 840E7F6ABB885C72B9FFDDB022EF5B6D ] DLAOPIOM C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
18:14:25.0921 1072 DLAOPIOM - ok
18:14:25.0937 1072 [ 0294D18731AC05DA80132CE88F8A876B ] DLAPoolM C:\WINDOWS\system32\DLA\DLAPoolM.SYS
18:14:25.0937 1072 DLAPoolM - ok
18:14:25.0953 1072 [ 91886FED52A3F9966207BCE46CFD794F ] DLARTL_M C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
18:14:25.0953 1072 DLARTL_M - ok
18:14:25.0968 1072 [ CCA4E121D599D7D1706A30F603731E59 ] DLAUDFAM C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
18:14:25.0968 1072 DLAUDFAM - ok
18:14:25.0968 1072 [ 7DAB85C33135DF24419951DA4E7D38E5 ] DLAUDF_M C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
18:14:25.0984 1072 DLAUDF_M - ok
18:14:25.0984 1072 dmadmin - ok
18:14:26.0015 1072 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
18:14:26.0015 1072 dmboot - ok
18:14:26.0031 1072 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
18:14:26.0031 1072 dmio - ok
18:14:26.0031 1072 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
18:14:26.0031 1072 dmload - ok
18:14:26.0062 1072 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
18:14:26.0062 1072 dmserver - ok
18:14:26.0078 1072 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
18:14:26.0093 1072 DMusic - ok
18:14:26.0109 1072 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
18:14:26.0109 1072 Dnscache - ok
18:14:26.0125 1072 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
18:14:26.0140 1072 Dot3svc - ok
18:14:26.0140 1072 dpti2o - ok
18:14:26.0156 1072 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
18:14:26.0156 1072 drmkaud - ok
18:14:26.0187 1072 [ C00440385CF9F3D142917C63F989E244 ] DRVMCDB C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
18:14:26.0187 1072 DRVMCDB - ok
18:14:26.0187 1072 [ 6E6AB29D3C06E64CE81FEACDA85394B5 ] DRVNDDM C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
18:14:26.0187 1072 DRVNDDM - ok
18:14:26.0203 1072 [ 34AAA3B298A852B3663E6E0D94D12945 ] e1express C:\WINDOWS\system32\DRIVERS\e1e5132.sys
18:14:26.0203 1072 e1express - ok
18:14:26.0234 1072 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
18:14:26.0234 1072 EapHost - ok
18:14:26.0265 1072 [ 6E883BF518296A40959131C2304AF714 ] EL90XBC C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
18:14:26.0265 1072 EL90XBC - ok
18:14:26.0296 1072 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
18:14:26.0296 1072 ERSvc - ok
18:14:26.0296 1072 etwbjrhp - ok
18:14:26.0312 1072 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
18:14:26.0312 1072 Eventlog - ok
18:14:26.0343 1072 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\system32\es.dll
18:14:26.0359 1072 EventSystem - ok
18:14:26.0390 1072 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
18:14:26.0406 1072 Fastfat - ok
18:14:26.0437 1072 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
18:14:26.0437 1072 FastUserSwitchingCompatibility - ok
18:14:26.0453 1072 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys
18:14:26.0453 1072 Fdc - ok
18:14:26.0468 1072 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
18:14:26.0468 1072 Fips - ok
18:14:26.0468 1072 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\drivers\Flpydisk.sys
18:14:26.0468 1072 Flpydisk - ok
18:14:26.0500 1072 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
18:14:26.0500 1072 FltMgr - ok
18:14:26.0515 1072 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
18:14:26.0515 1072 Fs_Rec - ok
18:14:26.0531 1072 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
18:14:26.0531 1072 Ftdisk - ok
18:14:26.0546 1072 [ 8182FF89C65E4D38B2DE4BB0FB18564E ] GEARAspiWDM C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
18:14:26.0546 1072 GEARAspiWDM - ok
18:14:26.0562 1072 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
18:14:26.0562 1072 Gpc - ok
18:14:26.0609 1072 [ F02A533F517EB38333CB12A9E8963773 ] gupdate C:\Program Files\Google\Update\GoogleUpdate.exe
18:14:26.0609 1072 gupdate - ok
18:14:26.0625 1072 [ F02A533F517EB38333CB12A9E8963773 ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe
18:14:26.0625 1072 gupdatem - ok
18:14:26.0671 1072 [ 5D4BC124FAAE6730AC002CDB67BF1A1C ] gusvc C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
18:14:26.0671 1072 gusvc - ok
18:14:26.0703 1072 [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
18:14:26.0703 1072 HDAudBus - ok
18:14:26.0765 1072 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
18:14:26.0765 1072 helpsvc - ok
18:14:26.0781 1072 [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ C:\WINDOWS\System32\hidserv.dll
18:14:26.0781 1072 HidServ - ok
18:14:26.0781 1072 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] hidusb C:\WINDOWS\system32\DRIVERS\hidusb.sys
18:14:26.0781 1072 hidusb - ok
18:14:26.0796 1072 [ 30B90793A568281BEF70FA57DDE305A2 ] hitmanpro35 C:\WINDOWS\system32\drivers\hitmanpro35.sys
18:14:26.0796 1072 hitmanpro35 - ok
18:14:26.0812 1072 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
18:14:26.0812 1072 hkmsvc - ok
18:14:26.0812 1072 hpn - ok
18:14:26.0859 1072 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
18:14:26.0859 1072 HTTP - ok
18:14:26.0859 1072 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
18:14:26.0875 1072 HTTPFilter - ok
18:14:26.0875 1072 i2omgmt - ok
18:14:26.0875 1072 i2omp - ok
18:14:27.0000 1072 [ 28423512370705AEDA6A652FEDB25468 ] ialm C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
18:14:27.0031 1072 ialm - ok
18:14:27.0046 1072 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
18:14:27.0046 1072 Imapi - ok
18:14:27.0062 1072 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
18:14:27.0062 1072 ImapiService - ok
18:14:27.0078 1072 ini910u - ok
18:14:27.0171 1072 [ 17BBBABB21F86B650B2626045A9D016C ] IntcAzAudAddService C:\WINDOWS\system32\drivers\RtkHDAud.sys
18:14:27.0203 1072 IntcAzAudAddService - ok
18:14:27.0218 1072 IntelIde - ok
18:14:27.0234 1072 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
18:14:27.0234 1072 intelppm - ok
18:14:27.0265 1072 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys
18:14:27.0265 1072 Ip6Fw - ok
18:14:27.0281 1072 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
18:14:27.0281 1072 IpFilterDriver - ok
18:14:27.0296 1072 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
18:14:27.0296 1072 IpInIp - ok
18:14:27.0296 1072 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
18:14:27.0296 1072 IpNat - ok
18:14:27.0328 1072 [ 57EDB35EA2FECA88F8B17C0C095C9A56 ] iPod Service C:\Program Files\iPod\bin\iPodService.exe
18:14:27.0343 1072 iPod Service - ok
18:14:27.0343 1072 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
18:14:27.0343 1072 IPSec - ok
18:14:27.0359 1072 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
18:14:27.0359 1072 IRENUM - ok
18:14:27.0375 1072 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
18:14:27.0375 1072 isapnp - ok
18:14:27.0421 1072 [ 4F2143570D2250CA4C4A4C98553C82CD ] JavaQuickStarterService C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
18:14:27.0421 1072 JavaQuickStarterService - ok
18:14:27.0437 1072 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
18:14:27.0437 1072 Kbdclass - ok
18:14:27.0437 1072 [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
18:14:27.0453 1072 kbdhid - ok
18:14:27.0453 1072 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
18:14:27.0453 1072 kmixer - ok
18:14:27.0468 1072 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
18:14:27.0468 1072 KSecDD - ok
18:14:27.0500 1072 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
18:14:27.0500 1072 lanmanserver - ok
18:14:27.0515 1072 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
18:14:27.0531 1072 lanmanworkstation - ok
18:14:27.0531 1072 lbrtfdc - ok
18:14:27.0546 1072 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll

18:14:27.0546 1072 LmHosts - ok

18:14:27.0546 1072 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll

18:14:27.0546 1072 Messenger - ok

18:14:27.0578 1072 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys

18:14:27.0578 1072 mnmdd - ok

18:14:27.0593 1072 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe

18:14:27.0593 1072 mnmsrvc - ok

18:14:27.0609 1072 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys

18:14:27.0609 1072 Modem - ok

18:14:27.0609 1072 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys

18:14:27.0609 1072 Mouclass - ok

18:14:27.0609 1072 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys

18:14:27.0609 1072 mouhid - ok

18:14:27.0625 1072 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys

18:14:27.0625 1072 MountMgr - ok

18:14:27.0625 1072 mraid35x - ok

18:14:27.0640 1072 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys

18:14:27.0640 1072 MRxDAV - ok

18:14:27.0671 1072 [ 0EA4D8ED179B75F8AFA7998BA22285CA ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

18:14:27.0671 1072 MRxSmb - ok

18:14:27.0671 1072 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe

18:14:27.0687 1072 MSDTC - ok

18:14:27.0687 1072 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys

18:14:27.0687 1072 Msfs - ok

18:14:27.0687 1072 MSIServer - ok

18:14:27.0703 1072 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys

18:14:27.0703 1072 MSKSSRV - ok

18:14:27.0703 1072 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys

18:14:27.0703 1072 MSPCLOCK - ok

18:14:27.0703 1072 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys

18:14:27.0703 1072 MSPQM - ok

18:14:27.0718 1072 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys

18:14:27.0718 1072 mssmbios - ok

18:14:27.0718 1072 [ 2F625D11385B1A94360BFC70AAEFDEE1 ] Mup C:\WINDOWS\system32\drivers\Mup.sys

18:14:27.0718 1072 Mup - ok

18:14:27.0734 1072 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll

18:14:27.0734 1072 napagent - ok

18:14:27.0765 1072 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys

18:14:27.0765 1072 NDIS - ok

18:14:27.0781 1072 [ 1AB3D00C991AB086E69DB84B6C0ED78F ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys

18:14:27.0781 1072 NdisTapi - ok

18:14:27.0796 1072 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys

18:14:27.0796 1072 Ndisuio - ok

18:14:27.0796 1072 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys

18:14:27.0796 1072 NdisWan - ok

18:14:27.0828 1072 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys

18:14:27.0828 1072 NDProxy - ok

18:14:27.0828 1072 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys

18:14:27.0828 1072 NetBIOS - ok

18:14:27.0843 1072 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys

18:14:27.0843 1072 NetBT - ok

18:14:27.0843 1072 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe

18:14:27.0843 1072 NetDDE - ok

18:14:27.0859 1072 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe

18:14:27.0859 1072 NetDDEdsdm - ok

18:14:27.0859 1072 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe

18:14:27.0875 1072 Netlogon - ok

18:14:27.0875 1072 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll

18:14:27.0890 1072 Netman - ok

18:14:27.0906 1072 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll

18:14:27.0921 1072 Nla - ok

18:14:27.0953 1072 [ 431ADA51E9D032F533548688CE5A2A24 ] nosGetPlusHelper C:\Program Files\NOS\bin\getPlus_Helper_3004.dll

18:14:27.0953 1072 nosGetPlusHelper - ok

18:14:27.0953 1072 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys

18:14:27.0953 1072 Npfs - ok

18:14:27.0968 1072 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys

18:14:27.0968 1072 Ntfs - ok

18:14:27.0984 1072 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe

18:14:27.0984 1072 NtLmSsp - ok

18:14:28.0000 1072 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll

18:14:28.0000 1072 NtmsSvc - ok

18:14:28.0015 1072 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys

18:14:28.0015 1072 Null - ok

18:14:28.0046 1072 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

18:14:28.0062 1072 NwlnkFlt - ok

18:14:28.0062 1072 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

18:14:28.0062 1072 NwlnkFwd - ok

18:14:28.0203 1072 [ 84DE1DD996B48B05ACE31AD015FA108A ] odserv C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE

18:14:28.0203 1072 odserv - ok

18:14:28.0250 1072 [ 5A432A042DAE460ABE7199B758E8606C ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

18:14:28.0250 1072 ose - ok

18:14:28.0265 1072 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\drivers\Parport.sys

18:14:28.0265 1072 Parport - ok

18:14:28.0281 1072 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys

18:14:28.0281 1072 PartMgr - ok

18:14:28.0296 1072 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys

18:14:28.0296 1072 ParVdm - ok

18:14:28.0312 1072 [ 3ADB8BD6154A3EF87496E8FCE9C22493 ] pavboot C:\WINDOWS\system32\drivers\pavboot.sys

18:14:28.0312 1072 pavboot - ok

18:14:28.0312 1072 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys

18:14:28.0328 1072 PCI - ok

18:14:28.0328 1072 PCIDump - ok

18:14:28.0328 1072 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys

18:14:28.0328 1072 PCIIde - ok

18:14:28.0343 1072 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys

18:14:28.0343 1072 Pcmcia - ok

18:14:28.0343 1072 PDCOMP - ok

18:14:28.0359 1072 PDFRAME - ok

18:14:28.0359 1072 PDRELI - ok

18:14:28.0359 1072 PDRFRAME - ok

18:14:28.0375 1072 perc2 - ok

18:14:28.0375 1072 perc2hib - ok

18:14:28.0406 1072 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe

18:14:28.0406 1072 PlugPlay - ok

18:14:28.0406 1072 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe

18:14:28.0421 1072 PolicyAgent - ok

18:14:28.0421 1072 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys

18:14:28.0437 1072 PptpMiniport - ok

18:14:28.0437 1072 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe

18:14:28.0437 1072 ProtectedStorage - ok

18:14:28.0437 1072 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys

18:14:28.0453 1072 PSched - ok

18:14:28.0468 1072 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys

18:14:28.0468 1072 Ptilink - ok

18:14:28.0484 1072 [ E42E3433DBB4CFFE8FDD91EAB29AEA8E ] PxHelp20 C:\WINDOWS\system32\Drivers\PxHelp20.sys

18:14:28.0484 1072 PxHelp20 - ok

18:14:28.0484 1072 ql1080 - ok

18:14:28.0484 1072 Ql10wnt - ok

18:14:28.0500 1072 ql12160 - ok

18:14:28.0500 1072 ql1240 - ok

18:14:28.0500 1072 ql1280 - ok

18:14:28.0515 1072 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys

18:14:28.0515 1072 RasAcd - ok

18:14:28.0515 1072 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll

18:14:28.0515 1072 RasAuto - ok

18:14:28.0546 1072 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

18:14:28.0546 1072 Rasl2tp - ok

18:14:28.0562 1072 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll

18:14:28.0578 1072 RasMan - ok

18:14:28.0578 1072 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys

18:14:28.0578 1072 RasPppoe - ok

18:14:28.0578 1072 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys

18:14:28.0578 1072 Raspti - ok

18:14:28.0593 1072 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys

18:14:28.0593 1072 Rdbss - ok

18:14:28.0593 1072 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

18:14:28.0593 1072 RDPCDD - ok

18:14:28.0609 1072 [ 6728E45B66F93C08F11DE2E316FC70DD ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys

18:14:28.0609 1072 RDPWD - ok

18:14:28.0625 1072 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe

18:14:28.0625 1072 RDSessMgr - ok

18:14:28.0656 1072 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys

18:14:28.0656 1072 redbook - ok

18:14:28.0656 1072 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll

18:14:28.0656 1072 RemoteAccess - ok

18:14:28.0687 1072 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe

18:14:28.0703 1072 RpcLocator - ok

18:14:28.0734 1072 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\system32\rpcss.dll

18:14:28.0750 1072 RpcSs - ok

18:14:28.0765 1072 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe

18:14:28.0781 1072 RSVP - ok

18:14:28.0796 1072 SABProcEnum - ok

18:14:28.0812 1072 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe

18:14:28.0812 1072 SamSs - ok

18:14:28.0843 1072 [ 39763504067962108505BFF25F024345 ] SASDIFSV C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

18:14:28.0843 1072 SASDIFSV - ok

18:14:28.0875 1072 [ 7CE61C25C159F50F9EAF6D77FC83FA35 ] SASENUM C:\Program Files\SUPERAntiSpyware\SASENUM.SYS

18:14:28.0875 1072 SASENUM - ok

18:14:28.0875 1072 [ 77B9FC20084B48408AD3E87570EB4A85 ] SASKUTIL C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys

18:14:28.0875 1072 SASKUTIL - ok

18:14:28.0890 1072 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe

18:14:28.0890 1072 SCardSvr - ok

18:14:28.0906 1072 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll

18:14:28.0921 1072 Schedule - ok

18:14:28.0937 1072 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys

18:14:28.0937 1072 Secdrv - ok

18:14:28.0953 1072 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll

18:14:28.0953 1072 seclogon - ok

18:14:28.0968 1072 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll

18:14:28.0984 1072 SENS - ok

18:14:28.0984 1072 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\drivers\Serial.sys

18:14:28.0984 1072 Serial - ok

18:14:29.0000 1072 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys

18:14:29.0000 1072 Sfloppy - ok

18:14:29.0015 1072 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll

18:14:29.0015 1072 ShellHWDetection - ok

18:14:29.0031 1072 Simbad - ok

18:14:29.0031 1072 Sparrow - ok

18:14:29.0046 1072 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys

18:14:29.0046 1072 splitter - ok

18:14:29.0062 1072 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe

18:14:29.0078 1072 Spooler - ok

18:14:29.0078 1072 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys

18:14:29.0078 1072 sr - ok

18:14:29.0109 1072 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll

18:14:29.0109 1072 srservice - ok

18:14:29.0140 1072 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys

18:14:29.0140 1072 Srv - ok

18:14:29.0156 1072 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll

18:14:29.0171 1072 SSDPSRV - ok

18:14:29.0171 1072 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll

18:14:29.0187 1072 stisvc - ok

18:14:29.0234 1072 [ 51778FD315C9882F1CBD932743E62A72 ] stllssvr C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

18:14:29.0234 1072 stllssvr - ok

18:14:29.0265 1072 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys

18:14:29.0265 1072 swenum - ok

18:14:29.0281 1072 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys

18:14:29.0281 1072 swmidi - ok

18:14:29.0296 1072 SwPrv - ok

18:14:29.0296 1072 symc810 - ok

18:14:29.0296 1072 symc8xx - ok

18:14:29.0312 1072 sym_hi - ok

18:14:29.0312 1072 sym_u3 - ok

18:14:29.0328 1072 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys

18:14:29.0328 1072 sysaudio - ok

18:14:29.0328 1072 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe

18:14:29.0343 1072 SysmonLog - ok

18:14:29.0343 1072 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll

18:14:29.0359 1072 TapiSrv - ok

18:14:29.0375 1072 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys

18:14:29.0375 1072 Tcpip - ok

18:14:29.0390 1072 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys

18:14:29.0390 1072 TDPIPE - ok

18:14:29.0390 1072 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys

18:14:29.0390 1072 TDTCP - ok

18:14:29.0406 1072 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys

18:14:29.0406 1072 TermDD - ok

18:14:29.0421 1072 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll

18:14:29.0437 1072 TermService - ok

18:14:29.0437 1072 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll

18:14:29.0437 1072 Themes - ok

18:14:29.0453 1072 TosIde - ok

18:14:29.0453 1072 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll

18:14:29.0468 1072 TrkWks - ok

18:14:29.0468 1072 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys

18:14:29.0468 1072 Udfs - ok

18:14:29.0484 1072 ultra - ok

18:14:29.0484 1072 [ AB0A7CA90D9E3D6A193905DC1715DED0 ] UMWdf C:\WINDOWS\system32\wdfmgr.exe

18:14:29.0500 1072 UMWdf - ok

18:14:29.0515 1072 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys

18:14:29.0515 1072 Update - ok

18:14:29.0531 1072 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll

18:14:29.0531 1072 upnphost - ok

18:14:29.0531 1072 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe

18:14:29.0546 1072 UPS - ok

18:14:29.0562 1072 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys

18:14:29.0562 1072 usbccgp - ok

18:14:29.0578 1072 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys

18:14:29.0578 1072 usbehci - ok

18:14:29.0578 1072 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys

18:14:29.0578 1072 usbhub - ok

18:14:29.0609 1072 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys

18:14:29.0609 1072 usbprint - ok

18:14:29.0640 1072 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys

18:14:29.0640 1072 usbscan - ok

18:14:29.0640 1072 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

18:14:29.0656 1072 USBSTOR - ok

18:14:29.0656 1072 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys

18:14:29.0656 1072 usbuhci - ok

18:14:29.0656 1072 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys

18:14:29.0656 1072 VgaSave - ok

18:14:29.0671 1072 ViaIde - ok

18:14:29.0671 1072 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys

18:14:29.0671 1072 VolSnap - ok

18:14:29.0687 1072 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe

18:14:29.0687 1072 VSS - ok

18:14:29.0718 1072 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll

18:14:29.0734 1072 W32Time - ok

18:14:29.0734 1072 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys

18:14:29.0750 1072 Wanarp - ok

18:14:29.0750 1072 WDICA - ok

18:14:29.0796 1072 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys

18:14:29.0796 1072 wdmaud - ok

18:14:29.0796 1072 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll

18:14:29.0812 1072 WebClient - ok

18:14:29.0875 1072 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll

18:14:29.0875 1072 winmgmt - ok

18:14:29.0875 1072 [ 140EF97B64F560FD78643CAE2CDAD838 ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll

18:14:29.0890 1072 WmdmPmSN - ok

18:14:29.0890 1072 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe

18:14:29.0890 1072 WmiApSrv - ok

18:14:29.0921 1072 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll

18:14:29.0937 1072 WZCSVC - ok

18:14:29.0953 1072 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll

18:14:29.0968 1072 xmlprov - ok

18:14:29.0968 1072 ================ Scan global ===============================

18:14:30.0000 1072 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll

18:14:30.0031 1072 [ 42B5427FAC23BF6F1F31E466B7FEB084 ] C:\WINDOWS\system32\winsrv.dll

18:14:30.0046 1072 [ 42B5427FAC23BF6F1F31E466B7FEB084 ] C:\WINDOWS\system32\winsrv.dll

18:14:30.0062 1072 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe

18:14:30.0062 1072 [Global] - ok

18:14:30.0062 1072 ================ Scan MBR ==================================

18:14:30.0078 1072 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0

18:14:30.0218 1072 \Device\Harddisk0\DR0 - ok

18:14:30.0218 1072 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk1\DR1

18:14:30.0234 1072 \Device\Harddisk1\DR1 - ok

18:14:30.0234 1072 ================ Scan VBR ==================================

18:14:30.0234 1072 [ 74A0634162E4D16A33F51E12EC80242A ] \Device\Harddisk0\DR0\Partition1

18:14:30.0234 1072 \Device\Harddisk0\DR0\Partition1 - ok

18:14:30.0234 1072 [ C5BB8E4C0638AEFA7E990FF0311888BA ] \Device\Harddisk1\DR1\Partition1

18:14:30.0234 1072 \Device\Harddisk1\DR1\Partition1 - ok

18:14:30.0234 1072 ============================================================

18:14:30.0234 1072 Scan finished

18:14:30.0234 1072 ============================================================

18:14:30.0250 3212 Detected object count: 0

18:14:30.0250 3212 Actual detected object count: 0



#19 nenadrew (Member / Full Member, 56 posts)
Posted 09 January 2013 - 07:27 PM

And here is the Farbar log:

Farbar Service Scanner Version: 05-01-2013
Ran by Nena (administrator) on 09-01-2013 at 18:25:52
Running from "C:\Documents and Settings\Nena\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Unable to retrieve ServiceDll of sharedaccess. The value does not exist.
Checking LEGACY_sharedaccess: ATTENTION!=====> Unable to open LEGACY_sharedaccess\0000 registry key. The key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking LEGACY_wuauserv: ATTENTION!=====> Unable to open LEGACY_wuauserv\0000 registry key. The key does not exist.


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2004-08-04 04:00] - [2008-10-16 08:43] - 0138496 ____A (Microsoft Corporation) 7618D5218F2A614672EC61A80D854A37

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****



#20 TheJoker (Forum Deity / Boot Camp Mod, 13,496 posts)
Posted 09 January 2013 - 11:28 PM

Download the following and save them to your Desktop.

wscsvc.reg
wuauserv.reg

Double-click on each and confirm to merge with the Registry.


Download SWReg and save it to your Windows folder (C:\Windows).
http://fstaal01.home...loads/swreg.exe

Download the following and save to your Desktop:
LEGACY_SHAREDACCESS.reg
LEGACY_WSCSVC.reg
LEGACY_WUAUSERV.reg

Launch Notepad (Start > Run > notepad), and copy/paste the contents of the box below into a new text file. Select "all files" in the "save as type" field. Save it as Legacy1.bat and save it on your Desktop.
REM Legacy1.bat: open the Enum\Root key to Everyone so the LEGACY_*.reg files below can be merged; Legacy2.bat restores System's rights afterwards
swreg acl "HKLM\SYSTEM\CurrentControlSet\Enum\Root" /g Everyone:F >log.txt 2>&1
notepad log.txt
Double-click Legacy1.bat to run it.

Now double-click the following that you previously saved to your Desktop:
LEGACY_SHAREDACCESS.reg
LEGACY_WSCSVC.reg
LEGACY_WUAUSERV.reg

After each, confirm that you want to merge with the Registry.

Launch Notepad (Start > Run > notepad), and copy/paste the contents of the box below into a new text file. Select "all files" in the "save as type" field. Save it as Legacy2.bat and save it on your Desktop.
REM Legacy2.bat: after the merges, grant System full control of the key; ">" overwrites the log.txt written by Legacy1.bat
swreg acl "HKLM\SYSTEM\CurrentControlSet\Enum\Root" /p /g System:F >log.txt 2>&1
notepad log.txt
Double-click Legacy2.bat to run it.
There will be a log file on the Desktop, log.txt, please post that in your next reply.
Restart your system



Please download Windows Repair (all in one) from here.
  • Install the program.
  • Please proceed to run it.
  • Go to Step 2 and allow it to run CheckDisk by clicking on the Do It button:
  • Once that is done please go to Step 3 and allow it to run the System File Check by clicking on the Do It button:
  • Go to Step 4 and under System Restore click on the Create button:
  • Next, go to the Start Repairs tab and click the Start button.
  • Please ensure that ONLY items I've listed below are checked (they're all checked by default):
    Note: Only check these, NOT as shown in the graphic.

    Reset Registry Permissions
    Reset File Permissions
    Repair File Permissions
    Register System Files
    Repair Windows Firewall
    Remove Policies Set by Infections
    Repair Icons
    Remove Temp Files
    Set Windows Services to Default Startup
  • Place a checkmark in the box for Restart/Shutdown System When Finished
  • Select Restart System. Then click on Start.

Now re-run Farbar Service Scanner that you downloaded and ran earlier and post the new log, along with the contents of log.txt.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005
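The post above has the user download several .reg files and merge them blind. A check a practitioner would want before that step is added here as an example; it is not one of the thread's tools and does not reproduce the linked wscsvc.reg, wuauserv.reg or LEGACY_*.reg files, whose contents the thread never shows. The allow-list of key prefixes is an assumption for this example, and both sample .reg texts are constructed, not files from the thread.

```python
"""Scope check for a Registration Entries (.reg) file before it is merged.

Added example for this thread, not one of the thread's tools, and it does
not reproduce the linked wscsvc.reg / wuauserv.reg / LEGACY_*.reg files,
whose contents the thread does not show. Both sample files below are
constructed. The check answers one question before double-clicking a
downloaded .reg: does it write only under the keys the repair is meant
to restore, and does it delete nothing?
"""
import re

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>HK[A-Z_]+\\[^\]]+)\]$")

# Assumed allow-list for this example: the service and LEGACY_ keys the
# thread's .reg files are meant to recreate. Extend it per repair.
ALLOWED_PREFIXES = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV",
)


def load_reg_bytes(data):
    """Decode raw .reg bytes: regedit writes UTF-16LE with a BOM, but
    hand-made files are often ANSI; fall back to cp1252 in that case."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("cp1252")


def in_scope(key, allowed):
    # Case-insensitive match on the key itself or any subkey of it.
    k = key.lower()
    return any(k == p.lower() or k.startswith(p.lower() + "\\") for p in allowed)


def check_reg(text, allowed=ALLOWED_PREFIXES):
    """Return (ok, problems). ok is False on a bad header, a key outside
    the allow-list, a key deletion ('[-HKEY...]') or no keys at all."""
    lines = [ln.strip() for ln in text.splitlines()]
    problems = []
    if not lines or lines[0] not in HEADERS:
        problems.append("missing or unexpected header")
    keys = []
    for ln in lines[1:]:
        m = KEY_RE.match(ln)
        if not m:
            continue
        key = m.group("key")
        keys.append(key)
        if m.group("minus"):
            problems.append("deletes key: " + key)
        if not in_scope(key, allowed):
            problems.append("out-of-scope key: " + key)
    if not keys:
        problems.append("no keys found")
    return (not problems, problems)


# Constructed sample: in scope; the values are illustrative only.
GOOD_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters]
"""

# Constructed sample: same header, but it also writes an autorun entry
# and deletes a service key; a restore file has no business doing either.
BAD_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\upd.exe"

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"""
```

Read a downloaded file with `load_reg_bytes(open(path, "rb").read())` and pass the text to `check_reg`; merge only when it returns `ok`. The allow-list is deliberately a prefix match so a file may populate subkeys such as `Parameters`, but anything outside the service and LEGACY_ keys being restored, or any deletion, is reported.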


#21 nenadrew (Member / Full Member, 56 posts)
Posted 10 January 2013 - 01:30 AM

Here is the Legacy log; off to work on the next parts.

Registrykey: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root"
Granting Registry rights (F access for This Key) for "System"



#22 nenadrew (Member / Full Member, 56 posts)
Posted 10 January 2013 - 03:07 AM

Ok, all done.  Here is the Farbar log:

Farbar Service Scanner Version: 05-01-2013
Ran by Nena (administrator) on 10-01-2013 at 02:05:18
Running from "C:\Documents and Settings\Nena\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2004-08-04 04:00] - [2008-10-16 08:43] - 0138496 ____A (Microsoft Corporation) 7618D5218F2A614672EC61A80D854A37

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****
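The two Farbar Service Scanner logs in posts #19 and #22 differ only in the ATTENTION! findings that disappeared after the registry repair. The helper below is an added example, not part of FSS or of the thread's tools: it parses the log layout FSS uses (a title line ending in ':' followed by a line of '='), collects the ATTENTION! findings per section and the File Check entries that did not get the "MD5 is legit" verdict, and classifies what changed between two runs. The function names are mine; the embedded sample logs are abridged copies of the two posted above.

```python
"""Triage helper for Farbar Service Scanner (FSS) logs.

Added example for this thread, not part of FSS or of the tools the thread
uses. It parses the layout seen in the two logs above and extracts, per
section, every ATTENTION! finding plus the File Check entries that did not
get the "MD5 is legit" verdict, so two runs can be compared.
"""
import re

SECTION_RE = re.compile(r"^(?P<title>[A-Za-z][^:]*):\s*$")
UNDERLINE_RE = re.compile(r"^=+\s*$")
ATTENTION_RE = re.compile(r"ATTENTION!=+>\s*(?P<msg>.+?)\s*$")
LEGIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*?)\s*=>\s*MD5 is legit\s*$")
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\\S+$")
RAN_RE = re.compile(r"^Ran by .+? on (\S+ at \S+)")


def parse_fss(text):
    """Return {'ran_at': str, 'attention': {section: [msg]},
    'legit': [path], 'unverified': [(path, detail_line)]}."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    out = {"ran_at": None, "attention": {}, "legit": [], "unverified": []}
    section = None
    for i, line in enumerate(lines):
        m = RAN_RE.match(line)
        if m:
            out["ran_at"] = m.group(1)
        m = SECTION_RE.match(line)
        if m and i + 1 < len(lines) and UNDERLINE_RE.match(lines[i + 1]):
            section = m.group("title").strip()
            out["attention"].setdefault(section, [])
            continue
        if section is None or not line or UNDERLINE_RE.match(line):
            continue
        a = ATTENTION_RE.search(line)
        if a:
            out["attention"][section].append(a.group("msg"))
        if section == "File Check":
            lg = LEGIT_RE.match(line)
            if lg:
                out["legit"].append(lg.group("path"))
            elif BARE_PATH_RE.match(line):
                # When a hash is not on its whitelist FSS prints the bare path
                # and, on the next line, timestamps, size, company and MD5.
                detail = lines[i + 1] if i + 1 < len(lines) else ""
                out["unverified"].append((line, detail if detail.startswith("[") else ""))
    return out


def compare(before_text, after_text):
    """Classify sections by whether their ATTENTION! findings cleared,
    appeared, or persist between two runs."""
    b, a = parse_fss(before_text), parse_fss(after_text)
    result = {"resolved": [], "new": [], "remaining": []}
    for title in sorted(set(b["attention"]) | set(a["attention"])):
        was, now = b["attention"].get(title, []), a["attention"].get(title, [])
        if was and not now:
            result["resolved"].append(title)
        elif now and not was:
            result["new"].append(title)
        elif now:
            result["remaining"].append(title)
    return result


# Abridged from the log in post #19 (before the repair).
BEFORE_LOG = r"""Farbar Service Scanner Version: 05-01-2013
Ran by Nena (administrator) on 09-01-2013 at 18:25:52

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Checking LEGACY_sharedaccess: ATTENTION!=====> Unable to open LEGACY_sharedaccess\0000 registry key. The key does not exist.

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2004-08-04 04:00] - [2008-10-16 08:43] - 0138496 ____A (Microsoft Corporation) 7618D5218F2A614672EC61A80D854A37

**** End of log ****
"""

# Abridged from the log in post #22 (after the repair).
AFTER_LOG = r"""Farbar Service Scanner Version: 05-01-2013
Ran by Nena (administrator) on 10-01-2013 at 02:05:18

Windows Firewall:
=============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2004-08-04 04:00] - [2008-10-16 08:43] - 0138496 ____A (Microsoft Corporation) 7618D5218F2A614672EC61A80D854A37

**** End of log ****
"""
```

`compare(BEFORE_LOG, AFTER_LOG)` reports the Windows Firewall section as resolved and nothing new or remaining, which is the same conclusion the helper drew by eye. Note that `afd.sys` is listed under `unverified` in both runs: FSS prints a file's details instead of "MD5 is legit" when the hash is not on its list, which is a prompt to verify that file separately, not a finding that it is bad.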



#23 TheJoker (Forum Deity / Boot Camp Mod, 13,496 posts)
Posted 10 January 2013 - 07:14 AM

That looks much better.
Can you now start the Windows Firewall?
http://www.bleepingc...ws-xp-firewall/

Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:
http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (CF).
Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**
**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the log at C:\ComboFix.txt in your next reply and note any errors encountered.

Rerun SecurityCheck and post the new log from that as well.

Please post the logs from ComboFix, the log from SecurityCheck, and note any errors encountered.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005


#24 nenadrew (Member, Full Member, 56 posts)
Posted 10 January 2013 - 09:28 AM

Yes, the firewall has been up and running since yesterday.  :)

Here's the ComboFix log:

ComboFix 13-01-08.01 - Nena 01/10/2013   8:04.1.2 - x86
Running from: c:\documents and settings\Nena\Desktop\ComboFix.exe
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Nena\Local Settings\Application Data\{A37A9BB0-F61F-41AD-88E6-F809B89CC1AE}
c:\documents and settings\Nena\Local Settings\Application Data\{A37A9BB0-F61F-41AD-88E6-F809B89CC1AE}\chrome.manifest
c:\documents and settings\Nena\Local Settings\Application Data\{A37A9BB0-F61F-41AD-88E6-F809B89CC1AE}\chrome\content\_cfg.js
c:\documents and settings\Nena\Local Settings\Application Data\{A37A9BB0-F61F-41AD-88E6-F809B89CC1AE}\chrome\content\overlay.xul
c:\documents and settings\Nena\Local Settings\Application Data\{A37A9BB0-F61F-41AD-88E6-F809B89CC1AE}\install.rdf
c:\documents and settings\Nena\WINDOWS
c:\program files\TelevisionFanaticEI
C:\readme.txt
c:\windows\system32\DC120fc7_32.dll
c:\windows\winhelp.ini
c:\windows\wininit.ini
.
c:\windows\system32\drivers\i8042prt.sys was missing
Restored copy from - c:\windows\system32\dllcache\i8042prt.sys
.
.
(((((((((((((((((((((((((   Files Created from 2012-12-10 to 2013-01-10  )))))))))))))))))))))))))))))))
.
.
2013-01-10 14:08 . 2008-04-13 20:18 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2013-01-10 14:08 . 2008-04-13 20:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2013-01-10 07:24 . 2004-06-11 23:33 290304 ----a-w- C:\subinacl.exe
2013-01-10 07:16 . 2008-04-14 01:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2013-01-10 07:16 . 2001-08-18 04:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2013-01-10 07:16 . 2008-04-14 01:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2013-01-10 07:16 . 2001-08-18 04:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2013-01-10 07:16 . 2001-08-18 04:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2013-01-10 07:16 . 2001-08-18 04:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2013-01-10 07:16 . 2001-08-17 18:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2013-01-10 07:16 . 2004-08-04 05:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2013-01-10 07:16 . 2008-04-13 19:46 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2013-01-10 07:16 . 2004-08-04 05:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2013-01-10 07:16 . 2008-04-14 01:12 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2013-01-10 07:14 . 2001-08-17 18:13 16925 -c--a-w- c:\windows\system32\dllcache\w940nd.sys
2013-01-10 07:13 . 2001-08-17 19:28 794399 -c--a-w- c:\windows\system32\dllcache\usr1806v.sys
2013-01-10 07:12 . 2001-08-17 19:52 36736 -c--a-w- c:\windows\system32\dllcache\ultra.sys
2013-01-10 07:11 . 2001-08-17 18:14 123995 -c--a-w- c:\windows\system32\dllcache\tjisdn.sys
2013-01-10 07:10 . 2001-08-17 19:50 103936 -c--a-w- c:\windows\system32\dllcache\sx.sys
2013-01-10 07:09 . 2001-08-17 20:07 19072 -c--a-w- c:\windows\system32\dllcache\sparrow.sys
2013-01-10 07:08 . 2001-08-18 04:36 28160 -c--a-w- c:\windows\system32\dllcache\sm91w.dll
2013-01-10 07:07 . 2001-08-18 04:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2013-01-10 07:06 . 2001-08-17 18:50 61504 -c--a-w- c:\windows\system32\dllcache\s3sav3dm.sys
2013-01-10 07:05 . 2001-08-18 04:36 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2013-01-10 07:04 . 2008-04-14 01:12 159232 -c--a-w- c:\windows\system32\dllcache\ptpusd.dll
2013-01-10 07:03 . 2001-08-17 20:07 27296 -c--a-w- c:\windows\system32\dllcache\perc2.sys
2013-01-10 07:02 . 2001-08-17 18:12 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
2013-01-10 07:01 . 2001-08-18 04:36 60480 -c--a-w- c:\windows\system32\dllcache\neo20xx.dll
2013-01-10 07:00 . 2001-08-17 19:48 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2013-01-10 06:59 . 2001-08-17 19:58 8320 -c--a-w- c:\windows\system32\dllcache\memcard.sys
2013-01-10 06:58 . 2001-08-17 18:12 19016 -c--a-w- c:\windows\system32\dllcache\ktc111.sys
2013-01-10 06:57 . 2001-08-17 19:50 38784 -c--a-w- c:\windows\system32\dllcache\io8.sys
2013-01-10 06:56 . 2001-08-17 18:11 28700 -c--a-w- c:\windows\system32\dllcache\ibmexmp.sys
2013-01-10 06:55 . 2001-08-18 04:36 13312 -c--a-w- c:\windows\system32\dllcache\hpsjmcro.dll
2013-01-10 06:54 . 2001-08-17 18:15 454912 -c--a-w- c:\windows\system32\dllcache\fxusbase.sys
2013-01-10 06:53 . 2004-08-04 05:32 137088 -c--a-w- c:\windows\system32\dllcache\essm2e.sys
2013-01-10 06:52 . 2001-08-17 18:12 19594 -c--a-w- c:\windows\system32\dllcache\e100isa4.sys
2013-01-10 06:51 . 2001-08-17 18:11 24649 -c--a-w- c:\windows\system32\dllcache\dfe650d.sys
2013-01-10 06:50 . 2001-08-18 04:36 44032 -c--a-w- c:\windows\system32\dllcache\cnusd.dll
2013-01-10 06:49 . 2001-08-17 19:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2013-01-10 06:48 . 2001-08-17 20:55 382592 -c--a-w- c:\windows\system32\dllcache\atidrab.dll
2013-01-10 06:46 . 2001-08-17 20:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2013-01-10 06:46 . 2001-08-17 18:11 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
2013-01-10 06:46 . 2004-08-04 05:32 10880 -c--a-w- c:\windows\system32\dllcache\admjoy.sys
2013-01-10 06:46 . 2001-08-17 18:19 747392 -c--a-w- c:\windows\system32\dllcache\adm8830.sys
2013-01-10 06:46 . 2001-08-17 18:19 553984 -c--a-w- c:\windows\system32\dllcache\adm8820.sys
2013-01-10 06:46 . 2001-08-17 18:19 584448 -c--a-w- c:\windows\system32\dllcache\adm8810.sys
2013-01-10 06:46 . 2001-08-17 18:11 20160 -c--a-w- c:\windows\system32\dllcache\adm8511.sys
2013-01-10 06:46 . 2001-08-17 19:53 7424 -c--a-w- c:\windows\system32\dllcache\adicvls.sys
2013-01-10 06:46 . 2001-08-18 04:36 61440 -c--a-w- c:\windows\system32\dllcache\acerscad.dll
2013-01-10 06:42 . 2013-01-10 06:42 -------- d-----w- C:\found.000
2013-01-10 06:37 . 2013-01-10 07:47 181064 ----a-w- c:\windows\PSEXESVC.EXE
2013-01-10 06:37 . 2012-11-01 12:17 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2013-01-10 06:36 . 2013-01-10 07:47 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs
2013-01-10 06:36 . 2013-01-10 06:36 -------- d-----w- c:\program files\Tweaking.com
2013-01-10 06:36 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2013-01-10 06:36 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2013-01-10 00:20 . 2013-01-10 06:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2013-01-10 00:18 . 2013-01-10 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\APN
2013-01-09 14:36 . 2012-10-30 23:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-01-09 14:36 . 2012-10-30 23:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-01-09 14:36 . 2012-10-30 23:51 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-01-09 14:36 . 2012-10-30 23:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-01-09 14:36 . 2012-10-30 23:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-01-09 14:36 . 2012-10-30 23:51 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2013-01-09 14:36 . 2012-10-30 23:51 89752 ----a-w- c:\windows\system32\drivers\aswmon.sys
2013-01-09 14:36 . 2012-10-30 23:51 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2013-01-09 14:36 . 2012-10-30 23:51 41224 ----a-w- c:\windows\avastSS.scr
2013-01-09 14:36 . 2012-10-30 23:50 227648 ----a-w- c:\windows\system32\aswBoot.exe
2013-01-09 14:35 . 2013-01-09 14:35 -------- d-----w- c:\program files\AVAST Software
2013-01-09 14:35 . 2013-01-09 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-12-12 17:38 . 2012-12-13 18:19 -------- d-----w- c:\documents and settings\Nena\Local Settings\Application Data\Zugo
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-17 08:49 . 2012-10-08 01:41 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-17 08:49 . 2012-10-08 01:41 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 12:23 . 2004-08-04 10:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-12-14 22:49 . 2010-04-04 21:40 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-16 23:27 . 2010-03-29 20:44 1838 ----a-w- c:\windows\~~UFILE.TMP
2012-11-13 01:25 . 2004-08-04 10:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 02:01 . 2008-04-14 00:12 1371648 ----a-w- c:\windows\system32\msxml6.dll
2012-11-02 02:02 . 2004-08-04 10:00 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2006-03-04 03:33 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2004-08-04 10:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 23:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-17 138008]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 16132608]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-05 1505144]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
.
c:\documents and settings\Nena\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-31 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^Nena^Start Menu^Programs^Startup^Corel Desktop Application Director.LNK]
path=c:\documents and settings\Nena\Start Menu\Programs\Startup\Corel Desktop Application Director.LNK
backup=c:\windows\pss\Corel Desktop Application Director.LNKStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-11 19:00 919008 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-07-31 11:20 38872 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2009-03-18 01:40 767312 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-27 10:09 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
1996-10-16 07:02 46080 ----a-w- c:\corel\Office7\Shared\QFinder7\QFSCHED.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 01:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/30/2011 5:23 AM 28552]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [1/9/2013 8:36 AM 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/9/2013 8:36 AM 361032]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/15/2009 10:42 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 10:42 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [11/26/2010 2:01 AM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/9/2013 8:36 AM 21256]
S0 etwbjrhp;etwbjrhp; [x]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [12/20/2010 6:10 PM 16968]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 4:00 AM 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 10:42 AM 12872]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ    nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2013-01-10 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-01-09 23:50]
.
2013-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-07-30 00:13]
.
2013-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-07-30 00:13]
.
2011-03-02 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2009-11-05 20:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
Trusted Zone: what.cd\ssl
TCP: DhcpNameServer = 24.116.2.50 24.116.2.34
TCP: Interfaces\{DA041DF9-FF1F-47BF-997E-A48F0C9BD29A}: NameServer = 8.8.8.8,8.8.4.4
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-10 08:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-448539723-1606980848-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A40E7BAB-571E-AA5D-B2C2-B8B7B9BF2FB6}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jaodobemamjnmbljemlh"=hex:6a,61,6a,62,6f,6a,6b,6e,67,6f,69,6f,66,6f,67,61,6f,
   6b,62,6d,00,01
"iaededgccokabhkfkl"=hex:6a,61,6a,62,6f,6a,6b,6e,67,6f,69,6f,66,6f,67,61,6f,6b,
   62,6d,00,01
"hakdoabjngpmafpn"=hex:62,62,67,64,63,61,68,6c,6d,69,65,63,6e,66,63,66,69,61,
   70,6f,6d,63,6a,61,68,61,64,66,6c,6f,67,6b,6c,6a,68,67,00,00
"hakdoabjagmnpodo"=hex:70,62,6e,61,6a,66,6c,6d,62,6f,66,68,65,61,66,6d,6e,64,
   64,6c,68,64,6c,69,6d,70,62,64,62,65,6e,70,69,68,70,6d,64,67,6e,63,62,6c,64,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(616)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1692)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\system32\wscntfy.exe
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2013-01-10  08:16:29 - machine was rebooted
ComboFix-quarantined-files.txt  2013-01-10 14:16
.
Pre-Run: 732,104,310,784 bytes free
Post-Run: 733,532,987,392 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - CDD3E8EE5D95B764CED096819C0E8006


#25 nenadrew (Member, Full Member, 56 posts)
Posted 10 January 2013 - 09:31 AM

SecurityCheck log:

 Results of screen317's Security Check version 0.99.56 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
 avast! Free Antivirus   
 ESET Online Scanner v3  
`````````Anti-malware/Other Utilities Check:`````````
 Spybot - Search & Destroy
 SUPERAntiSpyware Free Edition  
 Malwarebytes Anti-Malware version 1.70.0.1100 
 CCleaner    
 JavaFX 2.1.1   
 Java™ 6 Update 29 
 Java™ 7 Update 5 
 Java version out of Date!
 Adobe Reader 9 Adobe Reader out of Date!
 Google Chrome 23.0.1271.64 
 Google Chrome 23.0.1271.91 
 Google Chrome 23.0.1271.95 
 Google Chrome 23.0.1271.97 
````````Process Check: objlist.exe by Laurent```````` 
 AVAST Software Avast AvastSvc.exe 
 AVAST Software Avast avastUI.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 2%
````````````````````End of Log``````````````````````


#26 TheJoker (Forum Deity, Boot Camp Mod, 13,496 posts)
Posted 10 January 2013 - 06:26 PM

This is looking so much better.

We need to make sure you have the most recent version of ComboFix.
Delete your current copy of ComboFix.exe.
Download ComboFix© by sUBs from one of these links:
http://download.blee...Bs/ComboFix.exe
http://www.forospywa...Bs/ComboFix.exe

Save the file to your Desktop.

Close any open browsers.
Close your AntiVirus and any anti-spyware programs you may be running.
For this next step, please ensure that ComboFix.exe is on your desktop:

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" and change the "Save as type" to "All Files" and place it on your desktop.

Driver::
etwbjrhp
RegLockDel::
[HKEY_USERS\S-1-5-21-448539723-1606980848-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A40E7BAB-571E-AA5D-B2C2-B8B7B9BF2FB6}*]

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please post that log in your next reply.

Your Java is outdated and vulnerable.
Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 7.
  • In the box labeled "Java Platform, Standard Edition", click the "Download JRE" button to the right.
  • In the Window that opens, click the "Accept License Agreement" button.
  • Download the file for Windows x86 Offline (jre-7u9-windows-i586.exe) and save to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
    • Java™ 6 Update 29
    • Java™ 7 Update 5
    • Any other version listed 
  • Then from your Desktop double-click on the new version you downloaded and install it.

Your version of JavaFX 2.1.1 is also outdated and should be uninstalled and, if still needed, updated. It's available from the same link above (current version is JavaFX 2.2.4).


Your version of Adobe Acrobat Reader is outdated and vulnerable. Go to Start > Control Panel > Add or Remove Programs and remove the following program:
Adobe Reader
Then go to http://www.adobe.com and download and install the current version. When you download it, be careful to UNcheck any optional toolbar installation unless you really want the toolbar.

Please post the log from Combofix, and note any errors encountered. How is the system running now?

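The CFScript in #26 is built from two findings in the ComboFix log posted in #24: the boot-start service etwbjrhp that ComboFix lists with no image file (`S0 etwbjrhp;etwbjrhp; [x]`), and the locked Shell Extensions\Approved key whose values are REG_BINARY blobs. The Python below is an added example written for this page; it is not ComboFix's code and not part of the thread. It parses those two sections of a ComboFix log, decodes the hex values so you can see what they actually contain, and drafts the same Driver::/RegLockDel:: lines. The sample log text is copied from the post above (the third, truncated value of the locked key is left out); the regexes are my own reading of the log layout rather than a documented format, and treating `[x]` as "image file not found" is an assumption that matches how the helper handled it. The draft is something to review, not a script to run blindly.

```python
"""Added example: parse the Drivers/Services and LOCKED REGISTRY KEYS sections
of a ComboFix log and draft the CFScript lines used in this thread.
Not ComboFix's own code; SAMPLE_LOG is copied from the log posted in #24."""
import re

# Sample input (copied from the ComboFix log in post #24; the third, truncated
# value of the locked key is omitted so that every value here is complete).
SAMPLE_LOG = r"""
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/30/2011 5:23 AM 28552]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [1/9/2013 8:36 AM 738504]
S0 etwbjrhp;etwbjrhp; [x]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [12/20/2010 6:10 PM 16968]
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-448539723-1606980848-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A40E7BAB-571E-AA5D-B2C2-B8B7B9BF2FB6}*]
@Allowed: (Read) (RestrictedCode)
"jaodobemamjnmbljemlh"=hex:6a,61,6a,62,6f,6a,6b,6e,67,6f,69,6f,66,6f,67,61,6f,
   6b,62,6d,00,01
"hakdoabjngpmafpn"=hex:62,62,67,64,63,61,68,6c,6d,69,65,63,6e,66,63,66,69,61,
   70,6f,6d,63,6a,61,68,61,64,66,6c,6f,67,6b,6c,6a,68,67,00,00
.
""".strip("\n")

# Service line: R/S = running/stopped, digit = start type (0 = boot start), then
# name;display name;image path [timestamp size]. Assumption: " [x]" with an
# empty path means ComboFix could not find the image file on disk.
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?)(?: \[(.*)\])?$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")       # ComboFix appends * to locked keys
VALUE_RE = re.compile(r'^"([^"]+)"=hex:(.*)$')     # REG_BINARY as comma-separated hex


def parse_services(log):
    """Return one dict per R*/S* service line, flagging entries with no file."""
    services = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        status, name, display, path, info = m.groups()
        services.append({"status": status, "name": name, "display": display,
                         "path": path, "file_missing": (path == "" and info == "x")})
    return services


def _join_continuations(lines):
    """Fold indented hex continuation lines back onto the value line above them."""
    joined = []
    for line in lines:
        if joined and line[:1].isspace() and joined[-1].endswith(","):
            joined[-1] += line.strip().rstrip("\\")
        else:
            joined.append(line.rstrip("\\"))
    return joined


def parse_locked_keys(log):
    """Map each locked key path (as printed, including the trailing *) to
    {value name: raw bytes} for its hex: values."""
    keys, current, in_section = {}, None, False
    for line in _join_continuations(log.splitlines()):
        if "LOCKED REGISTRY KEYS" in line:
            in_section = True
            continue
        if not in_section:
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name, hexdata = vm.groups()
            keys[current][name] = bytes(int(b, 16) for b in hexdata.strip(",").split(","))
    return keys


def decode_ascii(data):
    """Text up to the first NUL; any non-ASCII byte becomes the replacement char."""
    return data.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def draft_cfscript(services, keys):
    """Draft Driver:: entries for file-less services and RegLockDel:: entries
    for every locked key found. Review the result before handing it to ComboFix."""
    lines = []
    missing = [s["name"] for s in services if s["file_missing"]]
    if missing:
        lines.append("Driver::")
        lines.extend(missing)
    if keys:
        lines.append("RegLockDel::")
        lines.extend(f"[{k}]" for k in keys)
    return "\n".join(lines)


if __name__ == "__main__":
    svcs = parse_services(SAMPLE_LOG)
    locked = parse_locked_keys(SAMPLE_LOG)
    for s in svcs:
        print(f"{s['status']} {s['name']:<14} {'MISSING FILE' if s['file_missing'] else 'ok'}")
    for key, values in locked.items():
        print(f"\nlocked key: {key}")
        for name, data in values.items():
            print(f"  {name} = {decode_ascii(data)!r}")
    print("\n--- draft CFScript.txt ---")
    print(draft_cfscript(svcs, locked))
```

Run as-is it prints the etwbjrhp entry flagged as missing its file, the two decoded values (`jajbojkngoiofogaokbm` and `bbgdcahlmiecnfcfiapomcjahadflogkljhg`, both built only from the letters a to p, like their value names), and a draft that matches the CFScript in #26 line for line. The log itself does not say what those strings are, so the example only surfaces them; the decision to delete the key is the helper's, not the parser's.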

#27 nenadrew (Member, Full Member, 56 posts)
Posted 10 January 2013 - 08:15 PM

Here's the ComboFix log; I'm off to update Java and Adobe Reader.  Thanks, Joker!

ComboFix 13-01-08.01 - Nena 01/10/2013  18:56:14.2.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3317.2563 [GMT -6:00]
Running from: c:\documents and settings\Nena\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nena\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ETWBJRHP
-------\Service_etwbjrhp
.
.
(((((((((((((((((((((((((   Files Created from 2012-12-11 to 2013-01-11  )))))))))))))))))))))))))))))))
.
.
2013-01-10 14:08 . 2008-04-13 20:18 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2013-01-10 14:08 . 2008-04-13 20:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2013-01-10 07:24 . 2004-06-11 23:33 290304 ----a-w- C:\subinacl.exe
2013-01-10 07:16 . 2008-04-14 01:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2013-01-10 07:16 . 2001-08-18 04:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2013-01-10 07:16 . 2008-04-14 01:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2013-01-10 07:16 . 2001-08-18 04:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2013-01-10 07:16 . 2001-08-18 04:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2013-01-10 07:16 . 2001-08-18 04:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2013-01-10 07:16 . 2001-08-17 18:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2013-01-10 07:16 . 2004-08-04 05:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2013-01-10 07:16 . 2008-04-13 19:46 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2013-01-10 07:16 . 2004-08-04 05:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2013-01-10 07:16 . 2008-04-14 01:12 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2013-01-10 07:14 . 2001-08-17 18:13 16925 -c--a-w- c:\windows\system32\dllcache\w940nd.sys
2013-01-10 07:13 . 2001-08-17 19:28 794399 -c--a-w- c:\windows\system32\dllcache\usr1806v.sys
2013-01-10 07:12 . 2001-08-17 19:52 36736 -c--a-w- c:\windows\system32\dllcache\ultra.sys
2013-01-10 07:11 . 2001-08-17 18:14 123995 -c--a-w- c:\windows\system32\dllcache\tjisdn.sys
2013-01-10 07:10 . 2001-08-17 19:50 103936 -c--a-w- c:\windows\system32\dllcache\sx.sys
2013-01-10 07:09 . 2001-08-17 20:07 19072 -c--a-w- c:\windows\system32\dllcache\sparrow.sys
2013-01-10 07:08 . 2001-08-18 04:36 28160 -c--a-w- c:\windows\system32\dllcache\sm91w.dll
2013-01-10 07:07 . 2001-08-18 04:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2013-01-10 07:06 . 2001-08-17 18:50 61504 -c--a-w- c:\windows\system32\dllcache\s3sav3dm.sys
2013-01-10 07:05 . 2001-08-18 04:36 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2013-01-10 07:04 . 2008-04-14 01:12 159232 -c--a-w- c:\windows\system32\dllcache\ptpusd.dll
2013-01-10 07:03 . 2001-08-17 20:07 27296 -c--a-w- c:\windows\system32\dllcache\perc2.sys
2013-01-10 07:02 . 2001-08-17 18:12 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
2013-01-10 07:01 . 2001-08-18 04:36 60480 -c--a-w- c:\windows\system32\dllcache\neo20xx.dll
2013-01-10 07:00 . 2001-08-17 19:48 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2013-01-10 06:59 . 2001-08-17 19:58 8320 -c--a-w- c:\windows\system32\dllcache\memcard.sys
2013-01-10 06:58 . 2001-08-17 18:12 19016 -c--a-w- c:\windows\system32\dllcache\ktc111.sys
2013-01-10 06:57 . 2001-08-17 19:50 38784 -c--a-w- c:\windows\system32\dllcache\io8.sys
2013-01-10 06:56 . 2001-08-17 18:11 28700 -c--a-w- c:\windows\system32\dllcache\ibmexmp.sys
2013-01-10 06:55 . 2001-08-18 04:36 13312 -c--a-w- c:\windows\system32\dllcache\hpsjmcro.dll
2013-01-10 06:54 . 2001-08-17 18:15 454912 -c--a-w- c:\windows\system32\dllcache\fxusbase.sys
2013-01-10 06:53 . 2004-08-04 05:32 137088 -c--a-w- c:\windows\system32\dllcache\essm2e.sys
2013-01-10 06:52 . 2001-08-17 18:12 19594 -c--a-w- c:\windows\system32\dllcache\e100isa4.sys
2013-01-10 06:51 . 2001-08-17 18:11 24649 -c--a-w- c:\windows\system32\dllcache\dfe650d.sys
2013-01-10 06:50 . 2001-08-18 04:36 44032 -c--a-w- c:\windows\system32\dllcache\cnusd.dll
2013-01-10 06:49 . 2001-08-17 19:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2013-01-10 06:48 . 2001-08-17 20:55 382592 -c--a-w- c:\windows\system32\dllcache\atidrab.dll
2013-01-10 06:46 . 2001-08-17 20:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2013-01-10 06:46 . 2001-08-17 18:11 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
2013-01-10 06:46 . 2004-08-04 05:32 10880 -c--a-w- c:\windows\system32\dllcache\admjoy.sys
2013-01-10 06:46 . 2001-08-17 18:19 747392 -c--a-w- c:\windows\system32\dllcache\adm8830.sys
2013-01-10 06:46 . 2001-08-17 18:19 553984 -c--a-w- c:\windows\system32\dllcache\adm8820.sys
2013-01-10 06:46 . 2001-08-17 18:19 584448 -c--a-w- c:\windows\system32\dllcache\adm8810.sys
2013-01-10 06:46 . 2001-08-17 18:11 20160 -c--a-w- c:\windows\system32\dllcache\adm8511.sys
2013-01-10 06:46 . 2001-08-17 19:53 7424 -c--a-w- c:\windows\system32\dllcache\adicvls.sys
2013-01-10 06:46 . 2001-08-18 04:36 61440 -c--a-w- c:\windows\system32\dllcache\acerscad.dll
2013-01-10 06:42 . 2013-01-10 06:42 -------- d-----w- C:\found.000
2013-01-10 06:37 . 2013-01-10 07:47 181064 ----a-w- c:\windows\PSEXESVC.EXE
2013-01-10 06:37 . 2012-11-01 12:17 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2013-01-10 06:36 . 2013-01-10 07:47 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs
2013-01-10 06:36 . 2013-01-10 06:36 -------- d-----w- c:\program files\Tweaking.com
2013-01-10 06:36 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2013-01-10 06:36 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2013-01-10 00:20 . 2013-01-10 06:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2013-01-10 00:18 . 2013-01-10 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\APN
2013-01-09 14:36 . 2012-10-30 23:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-01-09 14:36 . 2012-10-30 23:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-01-09 14:36 . 2012-10-30 23:51 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-01-09 14:36 . 2012-10-30 23:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-01-09 14:36 . 2012-10-30 23:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-01-09 14:36 . 2012-10-30 23:51 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2013-01-09 14:36 . 2012-10-30 23:51 89752 ----a-w- c:\windows\system32\drivers\aswmon.sys
2013-01-09 14:36 . 2012-10-30 23:51 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2013-01-09 14:36 . 2012-10-30 23:51 41224 ----a-w- c:\windows\avastSS.scr
2013-01-09 14:36 . 2012-10-30 23:50 227648 ----a-w- c:\windows\system32\aswBoot.exe
2013-01-09 14:35 . 2013-01-09 14:35 -------- d-----w- c:\program files\AVAST Software
2013-01-09 14:35 . 2013-01-09 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-12-12 17:38 . 2012-12-13 18:19 -------- d-----w- c:\documents and settings\Nena\Local Settings\Application Data\Zugo
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-17 08:49 . 2012-10-08 01:41 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-17 08:49 . 2012-10-08 01:41 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 12:23 . 2004-08-04 10:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-12-14 22:49 . 2010-04-04 21:40 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-16 23:27 . 2010-03-29 20:44 1838 ----a-w- c:\windows\~~UFILE.TMP
2012-11-13 01:25 . 2004-08-04 10:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 02:01 . 2008-04-14 00:12 1371648 ----a-w- c:\windows\system32\msxml6.dll
2012-11-02 02:02 . 2004-08-04 10:00 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2006-03-04 03:33 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2004-08-04 10:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 23:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-17 138008]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 16132608]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-05 1505144]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
.
c:\documents and settings\Nena\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-31 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^Nena^Start Menu^Programs^Startup^Corel Desktop Application Director.LNK]
path=c:\documents and settings\Nena\Start Menu\Programs\Startup\Corel Desktop Application Director.LNK
backup=c:\windows\pss\Corel Desktop Application Director.LNKStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-11 19:00 919008 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-07-31 11:20 38872 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2009-03-18 01:40 767312 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-27 10:09 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
1996-10-16 07:02 46080 ----a-w- c:\corel\Office7\Shared\QFinder7\QFSCHED.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 01:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/30/2011 5:23 AM 28552]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [1/9/2013 8:36 AM 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/9/2013 8:36 AM 361032]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/15/2009 10:42 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 10:42 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [11/26/2010 2:01 AM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/9/2013 8:36 AM 21256]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [12/20/2010 6:10 PM 16968]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 4:00 AM 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 10:42 AM 12872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ    nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2013-01-11 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-01-09 23:50]
.
2013-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-07-30 00:13]
.
2013-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-07-30 00:13]
.
2011-03-02 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2009-11-05 20:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
Trusted Zone: what.cd\ssl
TCP: DhcpNameServer = 24.116.2.50 24.116.2.34
TCP: Interfaces\{DA041DF9-FF1F-47BF-997E-A48F0C9BD29A}: NameServer = 8.8.8.8,8.8.4.4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-10 19:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-448539723-1606980848-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A40E7BAB-571E-AA5D-B2C2-B8B7B9BF2FB6}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jaodobemamjnmbljemlh"=hex:6a,61,6a,62,6f,6a,6b,6e,67,6f,69,6f,66,6f,67,61,6f,
   6b,62,6d,00,01
"iaededgccokabhkfkl"=hex:6a,61,6a,62,6f,6a,6b,6e,67,6f,69,6f,66,6f,67,61,6f,6b,
   62,6d,00,01
"hakdoabjngpmafpn"=hex:62,62,67,64,63,61,68,6c,6d,69,65,63,6e,66,63,66,69,61,
   70,6f,6d,63,6a,61,68,61,64,66,6c,6f,67,6b,6c,6a,68,67,00,00
"hakdoabjagmnpodo"=hex:70,62,6e,61,6a,66,6c,6d,62,6f,66,68,65,61,66,6d,6e,64,
   64,6c,68,64,6c,69,6d,70,62,64,62,65,6e,70,69,68,70,6d,64,67,6e,63,62,6c,64,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(616)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2144)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2013-01-10  19:06:09 - machine was rebooted
ComboFix-quarantined-files.txt  2013-01-11 01:06
ComboFix2.txt  2013-01-10 14:16
.
Pre-Run: 733,373,837,312 bytes free
Post-Run: 733,089,144,832 bytes free
.
- - End Of File - - B88A8CBE35FC0A5FF5A5163CAE8F5D9A


#28 nenadrew
Posted 10 January 2013 - 08:51 PM

OK, Java and Adobe Reader are updated.  There is one thing I'm curious about... my Folder Views are holding nicely now, but the desktop icons still won't stay where I put 'em.  Can you tell me how to fix that?

Nena



#29 TheJoker
Posted 11 January 2013 - 01:14 AM

Please download SystemLook and save it to your Desktop.
http://jpshortstuff.247fixes.com/SystemLook.exe
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :regfind 
    A40E7BAB-571E-AA5D-B2C2-B8B7B9BF2FB6
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop as SystemLook.txt

For the Desktop Icons, Right Click on an empty space on the Desktop - VIEW - uncheck AutoArrange.
Did that help the icon problem?

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005


#30 nenadrew
Posted 11 January 2013 - 01:29 AM

Here's the SystemLook log; did I not do that right?

SystemLook 30.07.11 by jpshortstuff
Log created at 00:22 on 11/01/2013 by Nena
Administrator - Elevation successful

Invalid Context: regfindA40E7BAB-571E-AA5D-B2C2-B8B7B9BF2FB6

-= EOF =-

I keep Autoarrange unchecked, but I did go look, and it is still unchecked.  Anyway, I know that's not my biggest issue right now, just a minor annoyance.

Nena



#31 TheJoker
Posted 11 January 2013 - 08:19 AM

Try again and be sure when you copy the text that you get the colon at the beginning of the text.


#32 TheJoker
Posted 11 January 2013 - 01:59 PM

There was a format error in the boxed text that was corrected, but apparently after you had already seen it and copied the text to paste into SystemLook. Go ahead and try it again, it should work now.



#33 TheJoker
Posted 11 January 2013 - 02:08 PM

For the Desktop icons, you can try the fix listed here:
http://www.winhelpon...op-icon-layout/



#34 TheJoker
Posted 11 January 2013 - 02:42 PM

You can also try this to see if it helps:

If Lock Web Items on Desktop is checked...
Items can be moved, but they are moved back after reboot.

Right click Desktop | Arrange Icons By |

UNCheck: Lock Web Items on Desktop
[[Specifies whether Web content windows or items that *you* have placed on your desktop are locked in place and can't be moved. Select the check box to lock them in place. Clear it if you want to be able to move the content.]]


http://www.tomshardw...range-unchecked

Was any of that helpful in addressing the moving Desktop icons?




#35 nenadrew
Posted 11 January 2013 - 03:13 PM

Well, yesterday the desktop icons had scrambled themselves again, so I reorganized them last night.  Today when I rebooted they stayed put, but I am definitely saving that WinHelp link just in case.

Here's the SystemLook log:

SystemLook 30.07.11 by jpshortstuff
Log created at 13:54 on 11/01/2013 by Nena
Administrator - Elevation successful

========== regfind ==========

Searching for "A40E7BAB-571E-AA5D-B2C2-B8B7B9BF2FB6"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A40E7BAB-571E-AA5D-B2C2-B8B7B9BF2FB6}]
[HKEY_USERS\S-1-5-21-448539723-1606980848-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A40E7BAB-571E-AA5D-B2C2-B8B7B9BF2FB6}]

-= EOF =-



#36 TheJoker
Posted 11 January 2013 - 04:58 PM

Let's do another search:
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :regfind 
    jaodobemamjnmbljemlh
    iaededgccokabhkfkl
    hakdoabjngpmafpn
    hakdoabjagmnpodo
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop as SystemLook.txt



#37 nenadrew
Posted 11 January 2013 - 05:53 PM

SystemLook log:

SystemLook 30.07.11 by jpshortstuff
Log created at 16:50 on 11/01/2013 by Nena
Administrator - Elevation successful

========== regfind ==========

Searching for "jaodobemamjnmbljemlh"
No data found.

Searching for "iaededgccokabhkfkl"
No data found.

Searching for "hakdoabjngpmafpn"
No data found.

Searching for "hakdoabjagmnpodo"
No data found.

-= EOF =-



#38 TheJoker
Posted 11 January 2013 - 06:14 PM

We need to make sure you have the most recent version of ComboFix.
Delete your current copy of ComboFix.exe.
Download ComboFix© by sUBs from one of these links:
http://download.blee...Bs/ComboFix.exe
http://www.forospywa...Bs/ComboFix.exe

Save the file to your Desktop.

Close any open browsers.
Close your AntiVirus and any anti-spyware programs you may be running.
For this next step, please ensure that ComboFix.exe is on your desktop:

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" and change the "Save as type" to "All Files" and place it on your desktop.

Killall::
RegLockDel::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A40E7BAB-571E-AA5D-B2C2-B8B7B9BF2FB6}]
[HKEY_USERS\S-1-5-21-448539723-1606980848-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A40E7BAB-571E-AA5D-B2C2-B8B7B9BF2FB6}]

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please post that log in your next reply.

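The keys ComboFix lists under LOCKED REGISTRY KEYS are printed in REGEDIT4 style, with the hex: data wrapped onto indented continuation lines, which makes the values hard to read by eye. The script below is an added example, not code from ComboFix, SystemLook or anyone in this thread: it parses that block, decodes the hex: bytes, pulls any GUID out of the key path (the same string that was pasted into the :regfind searches above), and flags a value whose continuation the log cut off. The sample input is constructed from the lines in the log above; the helper names (parse_locked_keys, guids_in, ascii_run) are my own.

```python
"""Parse and decode the LOCKED REGISTRY KEYS block of a ComboFix log.

Added example for this thread, not code from ComboFix, SystemLook or any
poster. It reads the REGEDIT4-style fragment ComboFix prints and decodes
the hex: blobs so the value data can be read rather than eyeballed.
"""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"[^"]*")=(.*)$')
GUID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")

# Constructed sample copied from the log above: the locked Approved key (ComboFix
# appends '*'; the last value ends in '\' because the log cut it off) plus one key
# with a dword value. The '.' line is ComboFix's own separator, not REGEDIT4's.
SAMPLE = r'''
[HKEY_USERS\S-1-5-21-448539723-1606980848-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A40E7BAB-571E-AA5D-B2C2-B8B7B9BF2FB6}*]
@Allowed: (Read) (RestrictedCode)
"jaodobemamjnmbljemlh"=hex:6a,61,6a,62,6f,6a,6b,6e,67,6f,69,6f,66,6f,67,61,6f,
   6b,62,6d,00,01
"iaededgccokabhkfkl"=hex:6a,61,6a,62,6f,6a,6b,6e,67,6f,69,6f,66,6f,67,61,6f,6b,
   62,6d,00,01
"hakdoabjngpmafpn"=hex:62,62,67,64,63,61,68,6c,6d,69,65,63,6e,66,63,66,69,61,
   70,6f,6d,63,6a,61,68,61,64,66,6c,6f,67,6b,6c,6a,68,67,00,00
"hakdoabjagmnpodo"=hex:70,62,6e,61,6a,66,6c,6d,62,6f,66,68,65,61,66,6d,6e,64,
   64,6c,68,64,6c,69,6d,70,62,64,62,65,6e,70,69,68,70,6d,64,67,6e,63,62,6c,64,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
'''


def _logical_lines(text):
    """Join indented continuation lines onto their value. Returns [text, dangling]
    pairs; dangling means the line promised a continuation that never came."""
    out = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        dangling = raw.rstrip().endswith("\\")
        piece = raw.strip().rstrip("\\")
        if raw[:1].isspace() and out:
            out[-1][0] += piece
            out[-1][1] = dangling
        else:
            out.append([piece, dangling])
    return out


def _decode(data):
    """hex(..): -> bytes, dword: -> int, "quoted" -> str, anything else verbatim."""
    if data.startswith("hex"):
        return bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b.strip())
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1].replace("\\\\", "\\")
    return data


def parse_locked_keys(text):
    """One record per [key]: path, ACL lines, decoded values, cut-off value names."""
    keys = []
    for line, dangling in _logical_lines(text):
        m = KEY_RE.match(line)
        if m:
            keys.append({"key": m.group(1), "acl": [], "values": {}, "truncated": []})
        elif not keys:
            continue
        elif VALUE_RE.match(line):
            name, data = VALUE_RE.match(line).groups()
            name = name.strip('"')
            keys[-1]["values"][name] = _decode(data)
            if dangling:
                keys[-1]["truncated"].append(name)
        elif line.startswith(("@Allowed", "@Denied")):
            keys[-1]["acl"].append(line)
    return keys


def guids_in(key_path):
    """GUIDs in a key path, ready to paste into a SystemLook :regfind search."""
    return [g.upper() for g in GUID_RE.findall(key_path)]


def ascii_run(blob):
    """Leading printable-ASCII run; the bytes after it (NUL, counter) are inspected separately."""
    n = 0
    while n < len(blob) and 0x20 <= blob[n] < 0x7F:
        n += 1
    return blob[:n].decode("ascii")


if __name__ == "__main__":
    for rec in parse_locked_keys(SAMPLE):
        print(rec["key"], rec["acl"], guids_in(rec["key"]))
        for name, val in rec["values"].items():
            note = " (cut off in log)" if name in rec["truncated"] else ""
            shown = (ascii_run(val), val[len(ascii_run(val)):]) if isinstance(val, bytes) else val
            print(f"  {name} = {shown!r}{note}")
```

Run it as-is to see the decoded values. Two things stand out in the log's own data: the first two value names carry byte-for-byte identical data, and the decoded strings are the same kind of lowercase-letter run as the value names themselves, each followed by a NUL and a one-byte counter. That is the sort of pattern worth reading out before a RegLockDel, rather than deciding from the raw hex.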

#39 nenadrew
Posted 11 January 2013 - 07:08 PM

Here's the new ComboFix log:

ComboFix 13-01-11.02 - Nena 01/11/2013  17:53:54.3.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3317.2597 [GMT -6:00]
Running from: c:\documents and settings\Nena\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nena\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((   Files Created from 2012-12-12 to 2013-01-12  )))))))))))))))))))))))))))))))
.
.
2013-01-11 01:40 . 2013-01-11 01:40 -------- d-----w- c:\program files\Common Files\Adobe
2013-01-11 01:32 . 2013-01-11 01:32 -------- d-----w- c:\program files\Common Files\Java
2013-01-11 01:32 . 2013-01-11 01:31 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-01-11 01:32 . 2013-01-11 01:31 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-01-10 14:08 . 2008-04-13 20:18 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2013-01-10 14:08 . 2008-04-13 20:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2013-01-10 07:24 . 2004-06-11 23:33 290304 ----a-w- C:\subinacl.exe
2013-01-10 06:56 . 2001-08-17 18:11 28700 -c--a-w- c:\windows\system32\dllcache\ibmexmp.sys
2013-01-10 06:55 . 2001-08-18 04:36 13312 -c--a-w- c:\windows\system32\dllcache\hpsjmcro.dll
2013-01-10 06:54 . 2001-08-17 18:15 454912 -c--a-w- c:\windows\system32\dllcache\fxusbase.sys
2013-01-10 06:53 . 2004-08-04 05:32 137088 -c--a-w- c:\windows\system32\dllcache\essm2e.sys
2013-01-10 06:52 . 2001-08-17 18:12 19594 -c--a-w- c:\windows\system32\dllcache\e100isa4.sys
2013-01-10 06:51 . 2001-08-17 18:11 24649 -c--a-w- c:\windows\system32\dllcache\dfe650d.sys
2013-01-10 06:50 . 2001-08-18 04:36 44032 -c--a-w- c:\windows\system32\dllcache\cnusd.dll
2013-01-10 06:49 . 2001-08-17 19:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2013-01-10 06:48 . 2001-08-17 20:55 382592 -c--a-w- c:\windows\system32\dllcache\atidrab.dll
2013-01-10 06:46 . 2001-08-17 20:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2013-01-10 06:46 . 2001-08-17 18:11 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
2013-01-10 06:46 . 2004-08-04 05:32 10880 -c--a-w- c:\windows\system32\dllcache\admjoy.sys
2013-01-10 06:46 . 2001-08-17 18:19 747392 -c--a-w- c:\windows\system32\dllcache\adm8830.sys
2013-01-10 06:46 . 2001-08-17 18:19 553984 -c--a-w- c:\windows\system32\dllcache\adm8820.sys
2013-01-10 06:46 . 2001-08-17 18:19 584448 -c--a-w- c:\windows\system32\dllcache\adm8810.sys
2013-01-10 06:46 . 2001-08-17 18:11 20160 -c--a-w- c:\windows\system32\dllcache\adm8511.sys
2013-01-10 06:46 . 2001-08-17 19:53 7424 -c--a-w- c:\windows\system32\dllcache\adicvls.sys
2013-01-10 06:46 . 2001-08-18 04:36 61440 -c--a-w- c:\windows\system32\dllcache\acerscad.dll
2013-01-10 06:42 . 2013-01-10 06:42 -------- d-----w- C:\found.000
2013-01-10 06:37 . 2013-01-10 07:47 181064 ----a-w- c:\windows\PSEXESVC.EXE
2013-01-10 06:36 . 2013-01-10 07:47 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs
2013-01-10 06:36 . 2013-01-10 06:36 -------- d-----w- c:\program files\Tweaking.com
2013-01-10 06:36 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2013-01-10 06:36 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2013-01-10 00:20 . 2013-01-10 06:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2013-01-10 00:18 . 2013-01-10 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\APN
2013-01-09 14:36 . 2012-10-30 23:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-01-09 14:36 . 2012-10-30 23:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-01-09 14:36 . 2012-10-30 23:51 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-01-09 14:36 . 2012-10-30 23:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-01-09 14:36 . 2012-10-30 23:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-01-09 14:36 . 2012-10-30 23:51 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2013-01-09 14:36 . 2012-10-30 23:51 89752 ----a-w- c:\windows\system32\drivers\aswmon.sys
2013-01-09 14:36 . 2012-10-30 23:51 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2013-01-09 14:36 . 2012-10-30 23:51 41224 ----a-w- c:\windows\avastSS.scr
2013-01-09 14:36 . 2012-10-30 23:50 227648 ----a-w- c:\windows\system32\aswBoot.exe
2013-01-09 14:35 . 2013-01-09 14:35 -------- d-----w- c:\program files\AVAST Software
2013-01-09 14:35 . 2013-01-09 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-12-18 19:08 . 2012-12-18 19:08 209112 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-11 19:59 . 2012-10-08 01:41 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-11 19:59 . 2012-10-08 01:41 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-11 01:31 . 2012-08-03 04:24 859072 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-01-11 01:31 . 2010-04-22 23:00 779704 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-16 12:23 . 2004-08-04 10:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-12-14 22:49 . 2010-04-04 21:40 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-16 23:27 . 2010-03-29 20:44 1838 ----a-w- c:\windows\~~UFILE.TMP
2012-11-13 01:25 . 2004-08-04 10:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 02:01 . 2008-04-14 00:12 1371648 ----a-w- c:\windows\system32\msxml6.dll
2012-11-02 02:02 . 2004-08-04 10:00 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2006-03-04 03:33 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2004-08-04 10:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 23:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-17 138008]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 16132608]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-05 1505144]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
.
c:\documents and settings\Nena\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-31 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^Nena^Start Menu^Programs^Startup^Corel Desktop Application Director.LNK]
path=c:\documents and settings\Nena\Start Menu\Programs\Startup\Corel Desktop Application Director.LNK
backup=c:\windows\pss\Corel Desktop Application Director.LNKStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-18 19:08 946352 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2009-03-18 01:40 767312 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-27 10:09 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
1996-10-16 07:02 46080 ----a-w- c:\corel\Office7\Shared\QFinder7\QFSCHED.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 01:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/30/2011 5:23 AM 28552]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [1/9/2013 8:36 AM 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/9/2013 8:36 AM 361032]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/15/2009 10:42 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 10:42 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [11/26/2010 2:01 AM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/9/2013 8:36 AM 21256]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [12/20/2010 6:10 PM 16968]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 4:00 AM 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 10:42 AM 12872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ    nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2013-01-12 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-01-09 23:50]
.
2013-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-07-30 00:13]
.
2013-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-07-30 00:13]
.
2011-03-02 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2009-11-05 20:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
Trusted Zone: what.cd\ssl
TCP: DhcpNameServer = 24.116.2.50 24.116.2.34
TCP: Interfaces\{DA041DF9-FF1F-47BF-997E-A48F0C9BD29A}: NameServer = 8.8.8.8,8.8.4.4
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-11 18:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-448539723-1606980848-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A40E7BAB-571E-AA5D-B2C2-B8B7B9BF2FB6}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jaodobemamjnmbljemlh"=hex:6a,61,6a,62,6f,6a,6b,6e,67,6f,69,6f,66,6f,67,61,6f,
   6b,62,6d,00,01
"iaededgccokabhkfkl"=hex:6a,61,6a,62,6f,6a,6b,6e,67,6f,69,6f,66,6f,67,61,6f,6b,
   62,6d,00,01
"hakdoabjngpmafpn"=hex:62,62,67,64,63,61,68,6c,6d,69,65,63,6e,66,63,66,69,61,
   70,6f,6d,63,6a,61,68,61,64,66,6c,6f,67,6b,6c,6a,68,67,00,00
"hakdoabjagmnpodo"=hex:70,62,6e,61,6a,66,6c,6d,62,6f,66,68,65,61,66,6d,6e,64,
   64,6c,68,64,6c,69,6d,70,62,64,62,65,6e,70,69,68,70,6d,64,67,6e,63,62,6c,64,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(616)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2104)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2013-01-11  18:05:19 - machine was rebooted
ComboFix-quarantined-files.txt  2013-01-12 00:05
ComboFix2.txt  2013-01-11 01:06
ComboFix3.txt  2013-01-10 14:16
.
Pre-Run: 732,642,697,216 bytes free
Post-Run: 732,547,784,704 bytes free
.
- - End Of File - - FFF3383A6EFA50FBED1E3E42961C705B
 



#40 TheJoker (Forum Deity, Boot Camp Mod, 13,496 posts)

Posted 11 January 2013 - 11:44 PM

Please download aswMBR.exe to your Desktop.
  • Visit this Webpage for the download link, and instructions for running the tool.
  • Run a Scan only, at this time, and then click on Save log, and save the results to your Desktop.
  • Please include aswMBR.txt in your next reply for further review.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#41 nenadrew (Member, Full Member, 56 posts)

Posted 12 January 2013 - 12:21 AM

Here's the aswMBR log:

 

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-01-11 23:01:31
-----------------------------
23:01:31.796    OS Version: Windows 5.1.2600 Service Pack 3
23:01:31.796    Number of processors: 2 586 0xF0D
23:01:31.796    ComputerName: NENADREW  UserName: Nena
23:01:33.265    Initialize success
23:01:33.359    AVAST engine defs: 13011101
23:01:41.750    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
23:01:41.750    Disk 0 Vendor: WDC_WD1001FALS-00E3A0 05.01D05 Size: 953869MB BusType: 3
23:01:41.750    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-24
23:01:41.750    Disk 1 Vendor: ST31000528AS CC3E Size: 953869MB BusType: 3
23:01:41.765    Disk 0 MBR read successfully
23:01:41.781    Disk 0 MBR scan
23:01:41.781    Disk 0 Windows XP default MBR code
23:01:41.781    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       953859 MB offset 63
23:01:41.781    Disk 0 scanning sectors +1953504000
23:01:41.828    Disk 0 scanning C:\WINDOWS\system32\drivers
23:01:45.234    Service scanning
23:01:50.828    Modules scanning
23:01:55.859    Disk 0 trace - called modules:
23:01:55.875    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
23:01:55.875    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a625ab8]
23:01:55.890    3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000065[0x8a6ec640]
23:01:55.890    5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a62dd98]
23:01:57.265    AVAST engine scan C:\WINDOWS
23:02:07.687    AVAST engine scan C:\WINDOWS\system32
23:03:45.859    AVAST engine scan C:\WINDOWS\system32\drivers
23:04:21.593    AVAST engine scan C:\Documents and Settings\Nena
23:09:18.671    File: C:\Documents and Settings\Nena\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\42\3938fcea-1032b6b8  **INFECTED** Win32:Rootkit-gen [Rtk]
23:13:59.000    AVAST engine scan C:\Documents and Settings\All Users
23:17:55.015    Scan finished successfully
23:18:19.625    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Nena\Desktop\MBR.dat"
23:18:19.625    The log file has been saved successfully to "C:\Documents and Settings\Nena\Desktop\aswMBR.txt"
 

(Wait, I have an infected Java file?  I just uninstalled all the Java yesterday and downloaded the newest version!)

 

Nena



#42 TheJoker (Forum Deity, Boot Camp Mod, 13,496 posts)

Posted 12 January 2013 - 10:23 AM

There have been recent warnings on a zero-day vulnerability currently being exploited by several malware packages. See these two articles:
Protect against latest Java zero-day vulnerability right now: Mal/JavaJar-B
Apple and Mozilla - 'Just say no to Java'

The January 10 article gives information on how to turn off Java in your browser to protect yourself. The problem is that many sites require Java. It doesn't look like that file that was detected was currently infected, as aswMBR showed you to have an uninfected MBR. It may not have been deleted from the Java cache (where it's located) when you uninstalled and updated. All it takes is for you to load a web site in your browser that has had malicious Java code added to it because it wasn't completely secure and that weakness was exploited. That's why I tend to say there is no such thing as a "trusted" web site. There are "legitimate" web sites, but many legitimate web sites have previously been exploited either on their own server or through insertion of an infected ad into the ad server that they use. It's happened to the NY Times twice, and many that viewed the infected ad had their system infected. That's one of the reasons you should always have a current, updated, antivirus program and a firewall to block intruders.

To delete that infected file, all you need to do is to clear the Java cache.
Go to the Control Panel and double-click on Java.
When the Java Control Panel opens, click the General Tab if not there already.
In the Temporary Internet Files area, click the "Settings" button, click the "Delete Files" button, and then UNcheck the box for "Keep temporary files on my computer".

Unfortunately, there is no single scanner that will detect everything. As you can see as we continue to use other tools, you continue to find additional infected files. That file may have been there for days or weeks, or may have been there from yesterday's browsing.

 

 

Please download Malwarebytes Anti-Rootkit here.

  • Unzip the contents to a folder on the Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe ( right-click and select Run as administrator for Vista and Windows 7).
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Please post the two logs produced.
  • Please note: This tool is still in BETA mode, so please ensure you have backed up any important files.

 

Download the Sophos Virus Removal Tool and save it to your desktop:

  • Be sure to view the 3 short How-to videos on that page.
  • Double-click Sophos Virus Removal Tool.exe. The installation files will extract and the installer will automatically run.
  • Follow the prompts to accept the license agreement, and accept the default location.
  • A message will appear "InstallShield Wizard Completed".
  • Click 'Finish' to start the program.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • Click the "Start Scanning" button in the lower right to start the scan.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • A log will be in the following location:
  • Vista and above: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
    --for 64-bit C:\Program Files (x86)\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
  • 2000/XP/Server 2003: C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
  • Please post the log in your next reply.

 

Please post the logs from Malwarebytes Anti-Rootkit and the Sophos Virus Removal Tool, and note any errors encountered.


#43 TheJoker (Forum Deity, Boot Camp Mod, 13,496 posts)

Posted 12 January 2013 - 10:53 AM

Another thing I would modify if you don't disable Java entirely (which some sites require so that's a decision you need to make based on usability) is in the Java Control Panel referred to above, on the Security tab I would move the slider for Security Level to High.


#44 nenadrew (Member, Full Member, 56 posts)

Posted 12 January 2013 - 01:33 PM

Mbar log #1:

 

Malwarebytes Anti-Rootkit BETA 1.01.0.1016
www.malwarebytes.org

Database version: v2013.01.12.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Nena :: NENADREW [administrator]

1/12/2013 12:28:33 PM
mbar-log-2013-01-12 (12-28-33).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 25896
Time elapsed: 7 minute(s), 54 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



#45 nenadrew (Member, Full Member, 56 posts)

Posted 12 January 2013 - 01:34 PM

Mbar log #2:

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1016

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, N:\ DRIVE_FIXED
CPU speed: 1.995000 GHz
Memory total: 3478233088, free: 2847490048

------------ Kernel report ------------
     01/12/2013 12:19:49
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
PartMgr.sys
pavboot.sys
VolSnap.sys
atapi.sys
cercsr6.sys
\WINDOWS\System32\Drivers\SCSIPORT.SYS
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
sr.sys
DRVMCDB.SYS
PxHelp20.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\igxpmp32.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\el90xbc5.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\System32\Drivers\DLACDBHM.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\RtkHDAud.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\Drivers\DLARTL_M.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\System32\Drivers\aswTdi.SYS
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\Drivers\AswRdr.SYS
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\System32\Drivers\aswSP.SYS
\SystemRoot\System32\Drivers\aswSnx.SYS
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\Drivers\Aavmker4.SYS
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\usbscan.sys
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\igxpgd32.dll
\SystemRoot\System32\igxprd32.dll
\SystemRoot\System32\igxpdv32.DLL
\SystemRoot\System32\igxpdx32.DLL
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\System32\Drivers\aswFsBlk.SYS
\SystemRoot\System32\Drivers\DRVNDDM.SYS
\SystemRoot\System32\DLA\DLADResM.SYS
\SystemRoot\System32\DLA\DLAIFS_M.SYS
\SystemRoot\System32\DLA\DLAOPIOM.SYS
\SystemRoot\System32\DLA\DLAPoolM.SYS
\SystemRoot\System32\DLA\DLABMFSM.SYS
\SystemRoot\System32\DLA\DLABOIOM.SYS
\SystemRoot\System32\DLA\DLAUDFAM.SYS
\SystemRoot\System32\DLA\DLAUDF_M.SYS
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\System32\Drivers\aswMon2.SYS
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff8a67bab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP3T0L0-24\
Lower Device Object: 0xffffffff8a67fb00
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
Initialization returned 0x0
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8a67cab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
Lower Device Object: 0xffffffff8a686d98
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
Downloaded database version: v2013.01.12.08
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8a67cab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8a695e08, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8a67cab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8a68af18, DeviceName: \Device\00000065\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8a686d98, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Upper DeviceData: 0xffffffffe4220418, 0xffffffff8a67cab8, 0xffffffff8938a2c8
Lower DeviceData: 0xffffffffe2a01ad0, 0xffffffff8a686d98, 0xffffffff896795c8
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\WINDOWS\system32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: D63AD63A

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 1953503937
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-1953505168-1953525168)...
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff8a67bab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8a695bf0, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8a67bab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8a67fb00, DeviceName: \Device\Ide\IdeDeviceP3T0L0-24\, DriverName: \Driver\atapi\
------------ End ----------
Upper DeviceData: 0xffffffffe37a3320, 0xffffffff8a67bab8, 0xffffffff89561040
Lower DeviceData: 0xffffffffe10c0608, 0xffffffff8a67fb00, 0xffffffff896eb958
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 4201002D

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 1953520002

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Done!
Performing system, memory and registry scan...
Done!
Scan finished
=======================================


 



#46 nenadrew (Member, Full Member, 56 posts)

Posted 12 January 2013 - 01:35 PM

> Another thing I would modify if you don't disable Java entirely (which some sites require so that's a decision you need to make based on usability) is in the Java Control Panel referred to above, on the Security tab I would move the slider for Security Level to High.

I did that as soon as I read your earlier posting.  :)



#47 TheJoker (Forum Deity, Boot Camp Mod, 13,496 posts)

Posted 12 January 2013 - 01:38 PM

The Malwarebytes Anti-Rootkit scan didn't find anything, hopefully Sophos Virus Removal Tool won't either.


#48 nenadrew (Member, Full Member, 56 posts)

Posted 12 January 2013 - 03:59 PM

Sorry it took so long; the Sophos scan was taking awhile, and I fell asleep, lol.  Here's the log:

 

2013-01-12 12:52:23 Sophos Virus Removal Tool version 2.3
2013-01-12 12:52:23 Copyright © 2009-2012 Sophos Limited. All rights reserved.

2013-01-12 12:52:23 This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2013-01-12 12:52:23 Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
2013-01-12 12:52:23 Checking for updates...
2013-01-12 12:52:32 Option all = no
2013-01-12 12:52:32 Option recurse = yes
2013-01-12 12:52:32 Option archive = no
2013-01-12 12:52:32 Option service = yes
2013-01-12 12:52:32 Option confirm = yes
2013-01-12 12:52:32 Option sxl = yes
2013-01-12 12:52:32 Option max-data-age = 35
2013-01-12 12:52:32 Component SVRTcli.exe version 2.3
2013-01-12 12:52:32 Component control.dll version 2.3
2013-01-12 12:52:32 Component SVRTservice.exe version 2.3
2013-01-12 12:52:32 Component engine\osdp.dll version 1.44.0.2040
2013-01-12 12:52:32 Component engine\veex.dll version 3.39.0.2040
2013-01-12 12:52:32 Component engine\savi.dll version 7.5.11.2040
2013-01-12 12:52:32 Component rkdisk.dll version 1.5.30.0
2013-01-12 12:52:32 Version info: Product version 2.3
2013-01-12 12:52:32 Version info: Detection engine 3.39.0
2013-01-12 12:52:32 Version info: Detection data 4.85
2013-01-12 12:52:32 Version info: Build date 1/7/2013
2013-01-12 12:52:32 Version info: Data files added 286
2013-01-12 12:52:32 Version info: Last successful update (not yet updated)
2013-01-12 12:52:37 Update progress: proxy server not available
2013-01-12 12:52:44 Downloading updates...
2013-01-12 12:52:44 Update progress: [I96736] Looking for package C1A903B2-E63E-483b-982D-04BB9C457C60 1.0
2013-01-12 12:52:44 Update progress: [I49502] Found supplement SAVIW32 NEXT 4
2013-01-12 12:52:44 Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 1
2013-01-12 12:52:44 Update progress: [I19463] Syncing product SAVIW32 23
2013-01-12 12:52:49 Installing updates...
2013-01-12 12:53:05 Update successful
2013-01-12 12:53:13 Option all = no
2013-01-12 12:53:13 Option recurse = yes
2013-01-12 12:53:13 Option archive = no
2013-01-12 12:53:13 Option service = yes
2013-01-12 12:53:13 Option confirm = yes
2013-01-12 12:53:13 Option sxl = yes
2013-01-12 12:53:13 Option max-data-age = 35
2013-01-12 12:53:13 Component SVRTcli.exe version 2.3
2013-01-12 12:53:13 Component control.dll version 2.3
2013-01-12 12:53:13 Component SVRTservice.exe version 2.3
2013-01-12 12:53:13 Component engine\osdp.dll version 1.44.0.2040
2013-01-12 12:53:13 Component engine\veex.dll version 3.39.0.2040
2013-01-12 12:53:13 Component engine\savi.dll version 7.5.11.2040
2013-01-12 12:53:13 Component rkdisk.dll version 1.5.30.0
2013-01-12 12:53:13 Version info: Product version 2.3
2013-01-12 12:53:13 Version info: Detection engine 3.39.0
2013-01-12 12:53:13 Version info: Detection data 4.85G
2013-01-12 12:53:13 Version info: Build date 1/7/2013
2013-01-12 12:53:13 Version info: Data files added 0
2013-01-12 12:53:13 Version info: Last successful update 1/12/2013 12:53:05 PM

2013-01-12 13:06:09 >>> Virus 'Mal/FakeAvCn-C' found in file C:\Documents and Settings\All Users\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl
2013-01-12 13:06:09 >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-448539723-1606980848-839522115-1004\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
2013-01-12 13:06:17 >>> Virus 'Mal/FakeAvCn-E' found in file C:\Documents and Settings\All Users\Application Data\F4D55F3E00007902000022A1D151FC84\F4D55F3E00007902000022A1D151FC84
2013-01-12 13:06:17 >>> Virus 'Mal/FakeAvCn-E' found in file HKU\S-1-5-21-448539723-1606980848-839522115-1004\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
2013-01-12 13:06:40 >>> Virus 'Mal/FakeAvCn-C' found in file C:\Documents and Settings\All Users\Application Data\mncleotu8bxhx2j6rih3pir8
2013-01-12 13:06:40 >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-448539723-1606980848-839522115-1004\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
2013-01-12 13:07:42 >>> Virus 'Mal/FakeAvCn-C' found in file C:\Documents and Settings\Nena\Local Settings\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl
2013-01-12 13:07:42 >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-448539723-1606980848-839522115-1004\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
2013-01-12 13:08:17 >>> Virus 'Mal/FakeAvCn-C' found in file C:\Documents and Settings\Nena\Local Settings\Application Data\mncleotu8bxhx2j6rih3pir8
2013-01-12 13:08:17 >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-448539723-1606980848-839522115-1004\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
2013-01-12 13:10:40 >>> Virus 'Mal/FakeAvCn-C' found in file C:\Documents and Settings\Nena\Templates\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl
2013-01-12 13:10:40 >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-448539723-1606980848-839522115-1004\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
2013-01-12 13:10:45 >>> Virus 'Mal/FakeAvCn-C' found in file C:\Documents and Settings\Nena\Templates\mncleotu8bxhx2j6rih3pir8
2013-01-12 13:10:45 >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-448539723-1606980848-839522115-1004\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
2013-01-12 13:38:37 >>> Virus 'Mal/FakeAvCn-C' found in file N:\Documents and Settings\All Users\Application Data\mncleotu8bxhx2j6rih3pir8
2013-01-12 13:38:37 >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-448539723-1606980848-839522115-1004\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
2013-01-12 13:45:27 The following items will be cleaned up:
2013-01-12 13:45:27 Mal/FakeAvCn-C
2013-01-12 13:45:27 Mal/FakeAvCn-E
2013-01-12 14:27:26 Threat 'Mal/FakeAvCn-C' has been cleaned up.
2013-01-12 14:27:26 File "C:\Documents and Settings\All Users\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl" belongs to malware 'Mal/FakeAvCn-C'.
2013-01-12 14:27:26 File "C:\Documents and Settings\All Users\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl" has been cleaned up.
2013-01-12 14:27:26 File "C:\Documents and Settings\All Users\Application Data\mncleotu8bxhx2j6rih3pir8" belongs to malware 'Mal/FakeAvCn-C'.
2013-01-12 14:27:26 File "C:\Documents and Settings\All Users\Application Data\mncleotu8bxhx2j6rih3pir8" has been cleaned up.
2013-01-12 14:27:26 File "C:\Documents and Settings\Nena\Local Settings\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl" belongs to malware 'Mal/FakeAvCn-C'.
2013-01-12 14:27:26 File "C:\Documents and Settings\Nena\Local Settings\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl" has been cleaned up.
2013-01-12 14:27:26 File "C:\Documents and Settings\Nena\Local Settings\Application Data\mncleotu8bxhx2j6rih3pir8" belongs to malware 'Mal/FakeAvCn-C'.
2013-01-12 14:27:26 File "C:\Documents and Settings\Nena\Local Settings\Application Data\mncleotu8bxhx2j6rih3pir8" has been cleaned up.
2013-01-12 14:27:26 File "C:\Documents and Settings\Nena\Templates\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl" belongs to malware 'Mal/FakeAvCn-C'.
2013-01-12 14:27:26 File "C:\Documents and Settings\Nena\Templates\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl" has been cleaned up.
2013-01-12 14:27:26 File "C:\Documents and Settings\Nena\Templates\mncleotu8bxhx2j6rih3pir8" belongs to malware 'Mal/FakeAvCn-C'.
2013-01-12 14:27:26 File "C:\Documents and Settings\Nena\Templates\mncleotu8bxhx2j6rih3pir8" has been cleaned up.
2013-01-12 14:27:26 File "N:\Documents and Settings\All Users\Application Data\mncleotu8bxhx2j6rih3pir8" belongs to malware 'Mal/FakeAvCn-C'.
2013-01-12 14:27:26 File "N:\Documents and Settings\All Users\Application Data\mncleotu8bxhx2j6rih3pir8" has been cleaned up.
2013-01-12 14:27:26 Registry value "HKU\S-1-5-21-448539723-1606980848-839522115-1004\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures" belongs to malware 'Mal/FakeAvCn-C'.
2013-01-12 14:27:26 Registry value "HKU\S-1-5-21-448539723-1606980848-839522115-1004\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures" has been cleaned up.
2013-01-12 14:27:26 Removal successful
2013-01-12 14:27:29 Threat 'Mal/FakeAvCn-E' has been cleaned up.
2013-01-12 14:27:29 File "C:\Documents and Settings\All Users\Application Data\F4D55F3E00007902000022A1D151FC84\F4D55F3E00007902000022A1D151FC84" belongs to malware 'Mal/FakeAvCn-E'.
2013-01-12 14:27:29 File "C:\Documents and Settings\All Users\Application Data\F4D55F3E00007902000022A1D151FC84\F4D55F3E00007902000022A1D151FC84" has been cleaned up.
2013-01-12 14:27:29 Removal successful

2013-01-12 14:47:54 Scan completed.
2013-01-12 14:47:54 

------------------------------------------------------------
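An added example (not code from the thread, from Sophos, or from either poster) that reconciles the ">>> Virus ... found in file" entries of a log in the format above against the matching "has been cleaned up" entries, so that anything detected but never reported cleaned stands out. The sample lines are constructed from the page's format; the `C:\PLACEHOLDER\not_cleaned.tmp` path is hypothetical and exists only to show a residual.

```python
import re

# Constructed sample in the format of the Sophos log posted above: one object
# reported found three times, two objects cleaned, and one hypothetical
# PLACEHOLDER path that is detected but never reported cleaned.
SAMPLE_LOG = r"""
2013-01-12 13:10:45 >>> Virus 'Mal/FakeAvCn-C' found in file C:\Documents and Settings\Nena\Templates\mncleotu8bxhx2j6rih3pir8
2013-01-12 13:10:45 >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-448539723-1606980848-839522115-1004\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
2013-01-12 13:38:37 >>> Virus 'Mal/FakeAvCn-C' found in file HKU\S-1-5-21-448539723-1606980848-839522115-1004\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
2013-01-12 13:40:00 >>> Virus 'Mal/FakeAvCn-E' found in file C:\PLACEHOLDER\not_cleaned.tmp
2013-01-12 14:27:26 Threat 'Mal/FakeAvCn-C' has been cleaned up.
2013-01-12 14:27:26 File "C:\Documents and Settings\Nena\Templates\mncleotu8bxhx2j6rih3pir8" belongs to malware 'Mal/FakeAvCn-C'.
2013-01-12 14:27:26 File "C:\Documents and Settings\Nena\Templates\mncleotu8bxhx2j6rih3pir8" has been cleaned up.
2013-01-12 14:27:26 Registry value "HKU\S-1-5-21-448539723-1606980848-839522115-1004\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures" belongs to malware 'Mal/FakeAvCn-C'.
2013-01-12 14:27:26 Registry value "HKU\S-1-5-21-448539723-1606980848-839522115-1004\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures" has been cleaned up.
2013-01-12 14:27:26 Removal successful
2013-01-12 14:47:54 Scan completed.
"""

# Detection lines: "<date> <time> >>> Virus '<name>' found in file <object>"
FOUND_RE = re.compile(r"^\S+ \S+ >>> Virus '(?P<name>[^']+)' found in file (?P<obj>.+)$")
# Clean-up lines cover both files and registry values and end with a period.
CLEANED_RE = re.compile(r'^\S+ \S+ (?:File|Registry value) "(?P<obj>[^"]+)" has been cleaned up\.$')


def reconcile(log_text):
    """Return (found, cleaned, residual).

    found    : dict mapping each detected object to its threat name (repeats deduplicated)
    cleaned  : set of objects the log reports as cleaned up
    residual : sorted list of objects detected but never reported cleaned
    """
    found, cleaned = {}, set()
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            found.setdefault(m.group("obj"), m.group("name"))
            continue
        m = CLEANED_RE.match(line)
        if m:
            cleaned.add(m.group("obj"))
    residual = sorted(obj for obj in found if obj not in cleaned)
    return found, cleaned, residual


if __name__ == "__main__":
    found, cleaned, residual = reconcile(SAMPLE_LOG)
    print(f"detected {len(found)} objects, {len(cleaned)} cleaned")
    for obj in residual:
        print(f"NOT CLEANED: {obj}  ({found[obj]})")
```

A clean reconciliation only shows that this scanner cleaned everything it detected; it says nothing about objects the scanner did not detect, which is why the helper follows up with a second scanner.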



#49 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • 13,496 posts

Posted 13 January 2013 - 12:42 AM

Let's try one more scan. You've run this before according to your first DDS log, so you're likely familiar with it.

 

Please scan your system with ESET Online Scanner

  • Click the "Run ESET Online Scanner" button.
    • For browsers other than Internet Explorer, such as Firefox, Chrome, or Opera (Microsoft Internet Explorer users can skip this step), another page will open to download the ESET Smart Installer
    • Click on esetsmartinstaller_enu.exe
    • Save it to your desktop, and double-click to run it.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Please post the log from ESET Online Scanner you saved to the Desktop, and note any errors encountered.

 




#50 nenadrew

nenadrew

    Member

  • Full Member
  • 56 posts

Posted 13 January 2013 - 12:51 PM

Here's the ESET log:

 

C:\Documents and Settings\Nena\Desktop\Joker\7zip_installer_d162802.exe probably a variant of Win32/InstallIQ application cleaned by deleting - quarantined
 





