Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Malware infection on XP PC

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Malware infection on XP PC

Unread postby willpak » July 25th, 2011, 9:23 am

Hi.

I am not very tech savy. so I hope what I describe below makes sense.

My PC got infected with a particularly nasty virus about three months ago. I dont remember what it was called, but it was a trojan that was trying to get me to buy some type of antivir, I think, software.

The virus disabled Malwarebytes and my Avira virus protection. I was able to run Spybot Search and Destroy to remove the virus, but it seems to have damaged files on the PC. I havent been able to access Windows Updates in the last three months, and I've tried a lot of work arounds, or perform a system restore. I have to reset the Proxy settings on Firefox each time I open it, from Manual Proxy Configuration to the No Proxy setting. I never had to do this before the infection.

Since the infection I've had several problems with browsing, mainly pages timing out or freezing, but Malwarebytes and Spybot have sorted them out, superficially, at least.
As of today, I am getting redircted to various sites from google, too many to mention, that have nothing to do with my search queries, or back to a fresh google page. I can not longer run Malwarebytes or Spybot, I get a pop up box "windows cannot access the specified device, path or file" and I've downloaded Super Anti Spyware and Uniblue, for the first time, today, and they crash when I try to run scans.

Any help would be greatly appreciated, thanks. DDS.txt and Attach.txt pasted below:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26
Run by Owner at 13:15:30 on 2011-07-25
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.846 [GMT 1:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
c:\program files\real\realplayer\RealPlay.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = https://www.facebook.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz2.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - No File
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz2.dll
BHO: {CCC250A6-F877-A9E5-5022-67950E1A08E3} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz2.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\b3e5e2d8-0a15-47a2-9c73-8501bc1dccb5.com
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [SNJQ66R8MU] c:\windows\temp\Ffr.exe
dRun: [NtWqIVLZEWZU] c:\windows\temp\Ffs.exe
dRun: [OO1310T0QS] c:\windows\temp\Ffq.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewers\QuickDCF2.exe
IE: &Winamp Search
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
Trusted Zone: gestrip.com\secure
Trusted Zone: randhi.com\update
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/200 ... oader5.cab
DPF: {33331111-1234-1111-1111-615111193427} - hxxp://www.www2.p0rt2.com/files/epl29bd.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resour ... se6770.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{B82C503B-1E75-48D6-807E-134C5247B3A8} : DhcpNameServer = 192.168.1.254
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mvebkhep.dll
LSA: Notification Packages = scecli scecli
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\3vrrmn6r.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 53717
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: browser.startup.homepage - hxxps://www.facebook.com
FF - user.js: browser.startup.page - 1
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-19 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-12 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-19 136360]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-9-2 479232]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-19 66616]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-5-19 41272]
S2 AMService;AMService;c:\windows\temp\wbnq\setup.exe run --> c:\windows\temp\wbnq\setup.exe run [?]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-19 269480]
S2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-9-2 241664]
S2 vpiwqtqy;IP Traffic Filter Controller;c:\windows\system32\svchost.exe -k netsvcs [2003-7-16 14336]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [2009-2-18 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [2009-2-18 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [2009-2-18 107304]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [2007-6-19 97704]
.
=============== Created Last 30 ================
.
2011-07-25 11:51:09 -------- d-----w- c:\documents and settings\owner\application data\SUPERAntiSpyware.com
2011-07-25 11:51:09 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-07-25 11:50:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-25 09:49:55 -------- dc-h--w- c:\documents and settings\all users\application data\{6DAA3B20-D487-4FA2-81D5-50404CCB868D}
2011-07-25 09:49:48 -------- d-----w- c:\program files\Uniblue
2011-07-25 09:49:32 -------- d-----w- c:\documents and settings\owner\local settings\application data\PackageAware
2011-07-25 09:41:21 -------- d-----w- c:\documents and settings\owner\DoctorWeb
2011-06-25 22:23:15 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-25 22:23:14 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
.
==================== Find3M ====================
.
2011-07-06 18:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-01 02:20:39 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-06 09:23:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-18 23:05:19 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-05-05 21:10:12 0 ----a-w- c:\windows\system32\tmp.tmp
2011-05-04 03:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 01:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6Y080L0 rev.YAR41BW0 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xAD1E2F00]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x89FD5AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x8994E030]
\Driver\00001643[0x89ABE6E8] -> IRP_MJ_CREATE -> 0xAD1E2F00
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89F9257B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 13:19:27.56 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 20/07/2005 21:56:29
System Uptime: 25/07/2011 11:47:54 (2 hours ago)
.
Motherboard: Dell Computer Corp. | | 0G1548
Processor: Intel(R) Celeron(R) CPU 2.60GHz | Microprocessor | 2591/400mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 13.767 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM ()
H: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP280: 02/06/2011 22:08:15 - Installed Windows XP KB951698.
RP281: 02/06/2011 22:09:47 - Installed Windows XP KB951748.
RP282: 02/06/2011 22:11:21 - Installed Windows XP KB952287.
RP283: 02/06/2011 22:12:45 - Installed Windows XP KB952954.
RP284: 02/06/2011 22:14:15 - Installed Windows XP KB954211.
RP285: 02/06/2011 22:15:40 - Installed Windows XP KB954600.
RP286: 02/06/2011 22:17:06 - Installed Windows XP KB955069.
RP287: 02/06/2011 22:18:50 - Installed Windows XP KB956802.
RP288: 02/06/2011 22:20:19 - Installed Windows XP KB956803.
RP289: 02/06/2011 22:21:48 - Installed Windows XP KB956841.
RP290: 02/06/2011 22:23:22 - Installed Windows XP KB957097.
RP291: 02/06/2011 22:24:49 - Installed Windows XP KB958644.
RP292: 02/06/2011 22:26:12 - Installed Windows XP KB958687.
RP293: 03/06/2011 08:05:45 - Installed Java(TM) 6 Update 24
RP294: 04/06/2011 08:29:21 - System Checkpoint
RP295: 05/06/2011 09:00:21 - System Checkpoint
RP296: 06/06/2011 10:00:14 - System Checkpoint
RP297: 07/06/2011 10:34:33 - System Checkpoint
RP298: 08/06/2011 23:28:59 - System Checkpoint
RP299: 10/06/2011 00:03:45 - System Checkpoint
RP300: 11/06/2011 01:06:51 - System Checkpoint
RP301: 12/06/2011 01:43:55 - System Checkpoint
RP302: 13/06/2011 02:18:21 - System Checkpoint
RP303: 14/06/2011 02:31:21 - System Checkpoint
RP304: 15/06/2011 03:06:57 - System Checkpoint
RP305: 16/06/2011 03:27:49 - System Checkpoint
RP306: 17/06/2011 04:27:57 - System Checkpoint
RP307: 18/06/2011 05:27:52 - System Checkpoint
RP308: 19/06/2011 06:27:50 - System Checkpoint
RP309: 20/06/2011 03:00:29 - Software Distribution Service 3.0
RP310: 21/06/2011 03:00:31 - Software Distribution Service 3.0
RP311: 21/06/2011 17:21:55 - Software Distribution Service 3.0
RP312: 21/06/2011 17:37:58 - Software Distribution Service 3.0
RP313: 21/06/2011 17:56:52 - Software Distribution Service 3.0
RP314: 21/06/2011 19:42:59 - Software Distribution Service 3.0
RP315: 21/06/2011 19:45:19 - Software Distribution Service 3.0
RP316: 21/06/2011 19:57:00 - Restore Operation
RP317: 21/06/2011 20:12:53 - Software Distribution Service 3.0
RP318: 22/06/2011 03:00:32 - Software Distribution Service 3.0
RP319: 23/06/2011 03:00:24 - Software Distribution Service 3.0
RP320: 23/06/2011 08:59:06 - Installed Dell Solution Center
RP321: 23/06/2011 09:03:59 - Software Distribution Service 3.0
RP322: 23/06/2011 17:25:56 - Software Distribution Service 3.0
RP323: 23/06/2011 18:14:52 - Installed %1 %2.
RP324: 24/06/2011 03:00:21 - Software Distribution Service 3.0
RP325: 25/06/2011 03:00:19 - Software Distribution Service 3.0
RP326: 26/06/2011 03:00:28 - Software Distribution Service 3.0
RP327: 27/06/2011 03:00:19 - Software Distribution Service 3.0
RP328: 28/06/2011 03:00:24 - Software Distribution Service 3.0
RP329: 29/06/2011 03:00:19 - Software Distribution Service 3.0
RP330: 30/06/2011 03:00:31 - Software Distribution Service 3.0
RP331: 01/07/2011 03:00:18 - Software Distribution Service 3.0
RP332: 02/07/2011 03:00:38 - Software Distribution Service 3.0
RP333: 03/07/2011 03:00:27 - Software Distribution Service 3.0
RP334: 04/07/2011 03:00:31 - Software Distribution Service 3.0
RP335: 05/07/2011 03:00:30 - Software Distribution Service 3.0
RP336: 06/07/2011 03:00:29 - Software Distribution Service 3.0
RP337: 07/07/2011 03:00:28 - Software Distribution Service 3.0
RP338: 07/07/2011 21:36:31 - Installed Java(TM) 6 Update 26
RP339: 08/07/2011 03:00:20 - Software Distribution Service 3.0
RP340: 24/07/2011 13:33:05 - Software Distribution Service 3.0
RP341: 25/07/2011 03:00:23 - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Sansa Media Converter
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.4
Ahead Nero Burning ROM
ALZip
AnyImage Screensaver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
AviSynth 2.5
B57Inst
BACS
Bonjour
Broadcom 440x 10/100 Integrated Controller
Broadcom Advanced Control Suite
Broadcom Driver Installer
CCleaner
Conduit Engine
ConvertXtoDVD 2.2.3.258
Critical Update for Windows Media Player 11 (KB959772)
Dell AIO Printer A920
Dell ResourceCD
Dell Solution Center
Disc2Phone
DivXLand Media Subtitler
Drive Manager
DVD Decrypter (Remove Only)
DVD Shrink 3.2
ffdshow [rev 2583] [2009-01-05]
FLAC 1.2.1b (remove only)
FUJIFILM FinePixViewer S Ver.2.1
Haali Media Splitter
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
ImgBurn
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics Driver
Internet Explorer Q903235
Java Auto Updater
Java(TM) 6 Update 26
JDownloader
K-Lite Codec Pack 4.7.5 (Full)
Malwarebytes' Anti-Malware version 1.51.1.1800
Media Player Classic - Home Cinema v. 1.3.1249.0
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works 7.0
Modem Helper
Mozilla Firefox 5.0 (x86 en-GB)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Picasa 2
PowerDVD
QuickTime
RealPlayer
RealUpgrade 1.0
Rosetta Stone Version 3
Sansa Updater
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sigma REALmagic MPEG-4 Video Codec
Sonic RecordNow!
Sony Ericsson PC Suite
Sothink Video Converter
SoundMAX
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
SubtitleCreator
SUPERAntiSpyware
SwedishNow!
Uniblue RegistryBooster
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VLC media player 1.1.10
VSO Inspector 2.0.2
Vuze
Vuze Toolbar
Vuze_Remote Toolbar
WebFldrs XP
Winamp
Winamp Detector Plug-in
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows PowerShell(TM) 1.0
Windows XP Service Pack 3
WinRAR archiver
Wondershare Video to Audio Converter(Build 4.2.0.56)
Yahoo! Detect
ZENcast Organizer
.
==== Event Viewer Messages From Past Week ========
.
25/07/2011 13:07:00, error: Schedule [7901] - The At25.job command failed to start due to the following error: General access denied error
25/07/2011 13:00:00, error: Schedule [7901] - The At14.job command failed to start due to the following error: General access denied error
25/07/2011 12:00:00, error: Schedule [7901] - The At13.job command failed to start due to the following error: General access denied error
25/07/2011 11:46:53, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT OMCI RasAcd Rdbss sptd ssmdrv Tcpip
25/07/2011 11:46:53, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
25/07/2011 11:46:53, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
25/07/2011 11:46:53, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
25/07/2011 11:46:53, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
25/07/2011 11:46:53, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
25/07/2011 11:46:53, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
25/07/2011 11:45:35, error: sptd [4] - Driver detected an internal error in its data structures for .
25/07/2011 11:26:00, error: Schedule [7901] - The At26.job command failed to start due to the following error: General access denied error
25/07/2011 11:00:00, error: Schedule [7901] - The At12.job command failed to start due to the following error: General access denied error
25/07/2011 10:00:00, error: Schedule [7901] - The At11.job command failed to start due to the following error: General access denied error
25/07/2011 09:00:00, error: Schedule [7901] - The At10.job command failed to start due to the following error: General access denied error
25/07/2011 08:43:11, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
25/07/2011 08:43:04, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the ASKUpgrade service to connect.
25/07/2011 08:43:04, error: Service Control Manager [7000] - The IP Traffic Filter Controller service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
25/07/2011 08:43:04, error: Service Control Manager [7000] - The ASKUpgrade service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
25/07/2011 08:00:00, error: Schedule [7901] - The At9.job command failed to start due to the following error: General access denied error
25/07/2011 07:00:00, error: Schedule [7901] - The At8.job command failed to start due to the following error: General access denied error
25/07/2011 06:00:00, error: Schedule [7901] - The At7.job command failed to start due to the following error: General access denied error
25/07/2011 05:00:00, error: Schedule [7901] - The At6.job command failed to start due to the following error: General access denied error
25/07/2011 04:00:00, error: Schedule [7901] - The At5.job command failed to start due to the following error: General access denied error
25/07/2011 03:03:52, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8007f0f4: Update for Windows XP (KB2443685).
25/07/2011 03:00:00, error: Schedule [7901] - The At4.job command failed to start due to the following error: General access denied error
25/07/2011 02:00:00, error: Schedule [7901] - The At3.job command failed to start due to the following error: General access denied error
25/07/2011 01:00:00, error: Schedule [7901] - The At2.job command failed to start due to the following error: General access denied error
25/07/2011 00:09:00, error: Schedule [7901] - The At1.job command failed to start due to the following error: General access denied error
24/07/2011 23:00:00, error: Schedule [7901] - The At24.job command failed to start due to the following error: General access denied error
24/07/2011 22:00:00, error: Schedule [7901] - The At23.job command failed to start due to the following error: General access denied error
24/07/2011 21:00:00, error: Schedule [7901] - The At22.job command failed to start due to the following error: General access denied error
24/07/2011 20:00:00, error: Schedule [7901] - The At21.job command failed to start due to the following error: General access denied error
24/07/2011 19:00:00, error: Schedule [7901] - The At20.job command failed to start due to the following error: General access denied error
24/07/2011 18:00:00, error: Schedule [7901] - The At19.job command failed to start due to the following error: General access denied error
24/07/2011 17:00:00, error: Schedule [7901] - The At18.job command failed to start due to the following error: General access denied error
24/07/2011 16:00:00, error: Schedule [7901] - The At17.job command failed to start due to the following error: General access denied error
24/07/2011 15:00:00, error: Schedule [7901] - The At16.job command failed to start due to the following error: General access denied error
24/07/2011 14:43:00, error: Schedule [7901] - The At27.job command failed to start due to the following error: General access denied error
24/07/2011 14:00:00, error: Schedule [7901] - The At15.job command failed to start due to the following error: General access denied error
.
==== End Of File ===========================
willpak
Active Member
 
Posts: 11
Joined: July 25th, 2011, 4:28 am
Advertisement
Register to Remove

Re: Malware infection on XP PC

Unread postby Dakeyras » July 26th, 2011, 5:37 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.

Hi and welcome to Malware Removal. :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print of the following instructions or save them to notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

P2P Advice:

Please Note Our Policy on the Use of P2P (Person to Person / Peer to Peer) file sharing programs, it is posted here.

As a condition of receiving our help, I have included everything Vuze related in the removal instructions below, so we are not wasting our time. If you have used the aforementioned, you can be fairly confident this is a principal reason your computer is infected.

It's really important, if you value your PC at all, to stay away from P2P file sharing programs, like utorrent, Bittorrent, Azureus, Limewire, Vuze.
Criminals have "planted" thousands upon thousands of infections in the "free" shared files. Some of the recent infections can turn your machine into a doorstop.
It's also very important to avoid any "cracks" or "Keygens" that allow unauthorized use of programs. Besides being illegal, these files also are loaded with "planted" malware.

Next:

Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

Adobe Reader 9.4.4 We will update this in due course
Conduit Engine
Spybot - Search & Destroy <-- Will hinder the Malware Removal process.
Spybot - Search & Destroy 1.4
SUPERAntiSpyware <-- Will hinder the Malware Removal process.
Uniblue RegistryBooster
Vuze
Vuze Toolbar
Vuze_Remote Toolbar


To do so, click once on each of the above in turn to highlight and then click on the Remove button.

Note: Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.

Scan with RogueKiller:

Please download RogueKiller to your desktop

Alternate download is here.

  • Quit all running programs
  • Double-click on RogueKiller.exe to start the application.
  • When prompted, type 1 then depress the Enter/Return key.
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

Scan with TDSSKiller:

Please download TDSSKiller.zip and extract (unzip) it to your Desktop.

  • Double click on TDSSKiller.exe to launch it.
  • Click on Start Scan, the scan will run.
  • When the scan has finished, if it finds anything please click on the drop down arrow next to Cure and select Skip
  • Now click on Report to open the log file created by TDSSKiller in your root directory C:\
  • To find the log go to Start > Computer > C:
  • Post the contents of that log in your next reply please.

Note: Do not have TDSSKiller remove anything if found at this point in time!

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • RogueKiller Log.
  • TDSSKiller Log.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Malware infection on XP PC

Unread postby willpak » July 26th, 2011, 5:43 pm

Hi Dakeyras. Thanks for the quick reply.

I removed all the items you mentioned and downloaded the two programmes you recommended. I cant get Rougekiller to run properly. Everytime I run it it crashes, even after I changed it's name, as you suggested. I could run TDSSKiller, report posted below. PC Seems the same as before, no improvement, but also nothing new seems to be wrong with it.

Thanks for your help, it really is appreciated.

TDSSKiller Report:

2011/07/26 22:03:45.0968 2904 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/26 22:03:47.0968 2904 ================================================================================
2011/07/26 22:03:47.0968 2904 SystemInfo:
2011/07/26 22:03:47.0984 2904
2011/07/26 22:03:47.0984 2904 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/26 22:03:47.0984 2904 Product type: Workstation
2011/07/26 22:03:47.0984 2904 ComputerName: LIAM-UG3OC511ZL
2011/07/26 22:03:47.0984 2904 UserName: Owner
2011/07/26 22:03:47.0984 2904 Windows directory: C:\WINDOWS
2011/07/26 22:03:47.0984 2904 System windows directory: C:\WINDOWS
2011/07/26 22:03:47.0984 2904 Processor architecture: Intel x86
2011/07/26 22:03:47.0984 2904 Number of processors: 1
2011/07/26 22:03:47.0984 2904 Page size: 0x1000
2011/07/26 22:03:47.0984 2904 Boot type: Normal boot
2011/07/26 22:03:47.0984 2904 ================================================================================
2011/07/26 22:03:50.0890 2904 Initialize success
2011/07/26 22:04:00.0000 2072 ================================================================================
2011/07/26 22:04:00.0000 2072 Scan started
2011/07/26 22:04:00.0000 2072 Mode: Manual;
2011/07/26 22:04:00.0000 2072 ================================================================================
2011/07/26 22:04:02.0390 2072 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/26 22:04:02.0515 2072 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/07/26 22:04:02.0687 2072 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/07/26 22:04:02.0796 2072 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/07/26 22:04:02.0921 2072 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/07/26 22:04:03.0703 2072 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/07/26 22:04:03.0828 2072 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/26 22:04:04.0046 2072 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/07/26 22:04:04.0234 2072 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/07/26 22:04:04.0343 2072 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2011/07/26 22:04:04.0453 2072 avgntflt (1e4114685de1ffa9675e09c6a1fb3f4b) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2011/07/26 22:04:04.0531 2072 avipbb (0f78d3dae6dedd99ae54c9491c62adf2) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2011/07/26 22:04:04.0671 2072 bcm4sbxp (b60f57b4d9cdbc663cc03eb8af7ec34e) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
2011/07/26 22:04:04.0781 2072 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/07/26 22:04:04.0953 2072 bvrp_pci (c915a416f265149471d74e0815c928b2) C:\WINDOWS\System32\drivers\bvrp_pci.sys
2011/07/26 22:04:05.0046 2072 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/07/26 22:04:05.0218 2072 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/07/26 22:04:05.0343 2072 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/07/26 22:04:05.0484 2072 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/07/26 22:04:06.0125 2072 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/07/26 22:04:06.0343 2072 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/07/26 22:04:06.0531 2072 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/07/26 22:04:06.0671 2072 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/07/26 22:04:06.0796 2072 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/07/26 22:04:07.0031 2072 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/07/26 22:04:07.0281 2072 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/07/26 22:04:07.0421 2072 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/07/26 22:04:07.0562 2072 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/07/26 22:04:07.0687 2072 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/07/26 22:04:07.0765 2072 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/07/26 22:04:07.0953 2072 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/07/26 22:04:08.0078 2072 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/07/26 22:04:08.0187 2072 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/07/26 22:04:08.0296 2072 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/07/26 22:04:08.0515 2072 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/07/26 22:04:08.0750 2072 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/07/26 22:04:08.0906 2072 ialm (44b7d5a4f2bd9fe21aea0bb0bace38c4) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/07/26 22:04:09.0109 2072 Imagedrv (fccf4ae4ef72cbaba6d6befefd77e940) C:\WINDOWS\system32\DRIVERS\imagedrv.sys
2011/07/26 22:04:09.0265 2072 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/07/26 22:04:09.0546 2072 IntelC51 (8e51bf1696821a72656444e0fd5081a3) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
2011/07/26 22:04:09.0703 2072 IntelC52 (331ce31882754000ca2afbf7bd480513) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
2011/07/26 22:04:09.0828 2072 IntelC53 (8001fac548eb0285d0085f4eb53c1e3f) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
2011/07/26 22:04:09.0953 2072 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/07/26 22:04:10.0062 2072 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/07/26 22:04:10.0234 2072 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/07/26 22:04:10.0359 2072 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/07/26 22:04:10.0484 2072 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/07/26 22:04:10.0593 2072 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/07/26 22:04:10.0734 2072 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/07/26 22:04:10.0843 2072 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/07/26 22:04:10.0953 2072 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/07/26 22:04:11.0078 2072 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/07/26 22:04:11.0203 2072 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/07/26 22:04:11.0312 2072 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/07/26 22:04:11.0562 2072 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/07/26 22:04:11.0703 2072 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/07/26 22:04:11.0796 2072 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/07/26 22:04:11.0906 2072 mohfilt (bdd406003c0c340cf6c5501165e83dcd) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
2011/07/26 22:04:12.0000 2072 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/07/26 22:04:12.0093 2072 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/07/26 22:04:12.0281 2072 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/07/26 22:04:12.0421 2072 MRxSmb (6e554efc4d2c77a5b1327375afe2cc2c) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/07/26 22:04:12.0437 2072 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\mrxsmb.sys. Real md5: 6e554efc4d2c77a5b1327375afe2cc2c, Fake md5: 0dc719e9b15e902346e87e9dcd5751fa
2011/07/26 22:04:12.0468 2072 MRxSmb - detected ForgedFile.Multi.Generic (1)
2011/07/26 22:04:12.0562 2072 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/07/26 22:04:12.0718 2072 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/07/26 22:04:12.0812 2072 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/07/26 22:04:12.0968 2072 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/07/26 22:04:13.0062 2072 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/07/26 22:04:13.0140 2072 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/07/26 22:04:13.0265 2072 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/07/26 22:04:13.0390 2072 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/07/26 22:04:13.0500 2072 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/07/26 22:04:13.0609 2072 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/07/26 22:04:13.0750 2072 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/07/26 22:04:13.0859 2072 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/07/26 22:04:13.0984 2072 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/07/26 22:04:14.0171 2072 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/07/26 22:04:14.0296 2072 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/07/26 22:04:14.0453 2072 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/07/26 22:04:14.0562 2072 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/07/26 22:04:14.0687 2072 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/07/26 22:04:14.0812 2072 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
2011/07/26 22:04:14.0906 2072 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/07/26 22:04:14.0984 2072 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/07/26 22:04:15.0125 2072 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/07/26 22:04:15.0296 2072 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/07/26 22:04:15.0500 2072 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2011/07/26 22:04:15.0656 2072 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/07/26 22:04:15.0781 2072 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
2011/07/26 22:04:16.0421 2072 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/07/26 22:04:16.0562 2072 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/07/26 22:04:16.0703 2072 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/07/26 22:04:16.0828 2072 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/07/26 22:04:16.0968 2072 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
2011/07/26 22:04:17.0546 2072 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/07/26 22:04:17.0671 2072 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/26 22:04:17.0828 2072 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/07/26 22:04:17.0968 2072 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/07/26 22:04:18.0109 2072 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/07/26 22:04:18.0281 2072 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/07/26 22:04:18.0453 2072 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/07/26 22:04:18.0593 2072 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/07/26 22:04:18.0781 2072 s816bus (8c156e6b568aa927eb5deadeb870bdd2) C:\WINDOWS\system32\DRIVERS\s816bus.sys
2011/07/26 22:04:18.0921 2072 s816mdfl (d4ed429953a2b8b09c702805813a26c8) C:\WINDOWS\system32\DRIVERS\s816mdfl.sys
2011/07/26 22:04:19.0078 2072 s816mdm (94306f371a6ff8b690bea81157111b3b) C:\WINDOWS\system32\DRIVERS\s816mdm.sys
2011/07/26 22:04:19.0218 2072 s816unic (e2090b041b935430abc8e184b7d6cd75) C:\WINDOWS\system32\DRIVERS\s816unic.sys
2011/07/26 22:04:19.0390 2072 SE2Ebus (97ec6c60112ebd40c07fe295a38ab1ea) C:\WINDOWS\system32\DRIVERS\SE2Ebus.sys
2011/07/26 22:04:19.0500 2072 SE2Emdfl (abfe402ba200e82568a5606719397afa) C:\WINDOWS\system32\DRIVERS\SE2Emdfl.sys
2011/07/26 22:04:19.0609 2072 SE2Emdm (4acfe8a2a3c1624964429e83bc7148a4) C:\WINDOWS\system32\DRIVERS\SE2Emdm.sys
2011/07/26 22:04:19.0734 2072 SE2Emgmt (9b7d9390cc663e5352d965683f94a8f2) C:\WINDOWS\system32\DRIVERS\SE2Emgmt.sys
2011/07/26 22:04:19.0890 2072 se2End5 (76e23aa90d58fddeeabd32a33f357fa5) C:\WINDOWS\system32\DRIVERS\se2End5.sys
2011/07/26 22:04:20.0031 2072 SE2Eobex (baa5c376bd54bd3327a8680ae73b114b) C:\WINDOWS\system32\DRIVERS\SE2Eobex.sys
2011/07/26 22:04:20.0218 2072 se2Eunic (ee8208650571f71d430cf2da15c1f02a) C:\WINDOWS\system32\DRIVERS\se2Eunic.sys
2011/07/26 22:04:20.0343 2072 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/07/26 22:04:20.0484 2072 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/07/26 22:04:20.0562 2072 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/07/26 22:04:20.0687 2072 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/07/26 22:04:20.0906 2072 smwdm (31fd0707c7dbe715234f2823b27214fe) C:\WINDOWS\system32\drivers\smwdm.sys
2011/07/26 22:04:21.0187 2072 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/07/26 22:04:21.0375 2072 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/07/26 22:04:21.0375 2072 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/07/26 22:04:21.0390 2072 sptd - detected LockedFile.Multi.Generic (1)
2011/07/26 22:04:21.0500 2072 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/07/26 22:04:21.0640 2072 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/07/26 22:04:21.0750 2072 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2011/07/26 22:04:21.0906 2072 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/26 22:04:22.0031 2072 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/07/26 22:04:22.0312 2072 SymEvent (46ae80304322442cf5d971e63f138551) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2011/07/26 22:04:22.0562 2072 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/07/26 22:04:22.0718 2072 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/26 22:04:22.0843 2072 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/26 22:04:22.0953 2072 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/26 22:04:23.0093 2072 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/26 22:04:23.0375 2072 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/26 22:04:23.0734 2072 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/26 22:04:23.0921 2072 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/07/26 22:04:24.0046 2072 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/26 22:04:24.0234 2072 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/26 22:04:24.0375 2072 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/07/26 22:04:24.0500 2072 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/07/26 22:04:24.0593 2072 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/26 22:04:24.0718 2072 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/07/26 22:04:24.0828 2072 USB_RNDIS (f39039d5c96c1d3ac2a637a659dbf282) C:\WINDOWS\system32\DRIVERS\usb8023k.sys
2011/07/26 22:04:24.0937 2072 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/07/26 22:04:25.0156 2072 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/26 22:04:25.0343 2072 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/26 22:04:25.0500 2072 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/07/26 22:04:25.0765 2072 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
2011/07/26 22:04:25.0921 2072 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/07/26 22:04:26.0000 2072 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/07/26 22:04:26.0140 2072 {6080A529-897E-4629-A488-ABA0C29B635E} (61002db7b6efb5711685b9d79b8e8ce6) C:\WINDOWS\system32\drivers\ialmsbw.sys
2011/07/26 22:04:26.0375 2072 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (35ce2baa708ea038ab72359de87bab87) C:\WINDOWS\system32\drivers\ialmkchw.sys
2011/07/26 22:04:26.0421 2072 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/07/26 22:04:26.0437 2072 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/07/26 22:04:26.0468 2072 Boot (0x1200) (ec48dd64b23f77f29e688833007af44f) \Device\Harddisk0\DR0\Partition0
2011/07/26 22:04:26.0484 2072 ================================================================================
2011/07/26 22:04:26.0484 2072 Scan finished
2011/07/26 22:04:26.0484 2072 ================================================================================
2011/07/26 22:04:26.0531 2112 Detected object count: 3
2011/07/26 22:04:26.0531 2112 Actual detected object count: 3
2011/07/26 22:06:01.0718 2112 ForgedFile.Multi.Generic(MRxSmb) - User select action: Skip
2011/07/26 22:06:01.0718 2112 LockedFile.Multi.Generic(sptd) - User select action: Skip
2011/07/26 22:06:01.0718 2112 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Skip
willpak
Active Member
 
Posts: 11
Joined: July 25th, 2011, 4:28 am

Re: Malware infection on XP PC

Unread postby Dakeyras » July 27th, 2011, 5:38 am

Hi. :)

Thanks for your help, it really is appreciated.
You're welcome and thanks for the update also!

Re-scan with TDSSKiller:

  • Double click TDSSKiller.exe
  • Under "Objects to scan" ensure both "Services and drivers" & "Boot Sectors" are checked.
  • Click Start scan and allow it to scan for Malicious objects.
  • If Malicious objects are found, the default action will be Cure, ensure Cure is selected then click Continue.
  • If suspicious objects are detected, the default action will be Skip, ensure Skip is selected then click Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
  • A log will be created on your root (usually C:) drive. The log is like UtilityName.Version_Date_Time_log.txt.
    for example, C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt.
  • If no reboot is required, click on Report. A log file should appear.
  • Please post the contents in your next reply

Scan with OTL:

Please download OTL and save it to your Desktop.

Alternate downloads are here and here if the first download will not run.

  • Double-click on OTL.exe to start OTL.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • TDSSKiller Log.
  • Both OTL logs. <-- Post them individually please, IE: one Log per post/reply.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Malware infection on XP PC

Unread postby willpak » July 27th, 2011, 5:07 pm

Hi Dakeyras.

The PC seems to be the same, but again, nothing new seems to be wrong with it.

I scaned with TDSSKiller, report below.

I downloaded OTL but the programme crashed when I tried to run a scan. I tried a 2nd time but got this pop up box "windows cannot access the specified device, path or file".

2011/07/27 21:33:33.0343 1900 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/27 21:33:33.0796 1900 ================================================================================
2011/07/27 21:33:33.0796 1900 SystemInfo:
2011/07/27 21:33:33.0796 1900
2011/07/27 21:33:33.0812 1900 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/27 21:33:33.0812 1900 Product type: Workstation
2011/07/27 21:33:33.0812 1900 ComputerName: LIAM-UG3OC511ZL
2011/07/27 21:33:33.0812 1900 UserName: Owner
2011/07/27 21:33:33.0812 1900 Windows directory: C:\WINDOWS
2011/07/27 21:33:33.0812 1900 System windows directory: C:\WINDOWS
2011/07/27 21:33:33.0812 1900 Processor architecture: Intel x86
2011/07/27 21:33:33.0812 1900 Number of processors: 1
2011/07/27 21:33:33.0812 1900 Page size: 0x1000
2011/07/27 21:33:33.0812 1900 Boot type: Normal boot
2011/07/27 21:33:33.0812 1900 ================================================================================
2011/07/27 21:33:41.0671 1900 Initialize success
2011/07/27 21:34:02.0546 3128 ================================================================================
2011/07/27 21:34:02.0546 3128 Scan started
2011/07/27 21:34:02.0546 3128 Mode: Manual;
2011/07/27 21:34:02.0546 3128 ================================================================================
2011/07/27 21:34:03.0984 3128 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/27 21:34:04.0093 3128 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/07/27 21:34:04.0312 3128 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/07/27 21:34:04.0468 3128 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/07/27 21:34:04.0625 3128 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/07/27 21:34:05.0328 3128 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/07/27 21:34:05.0468 3128 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/27 21:34:05.0750 3128 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/07/27 21:34:05.0906 3128 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/07/27 21:34:06.0031 3128 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2011/07/27 21:34:06.0171 3128 avgntflt (1e4114685de1ffa9675e09c6a1fb3f4b) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2011/07/27 21:34:06.0296 3128 avipbb (0f78d3dae6dedd99ae54c9491c62adf2) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2011/07/27 21:34:06.0437 3128 bcm4sbxp (b60f57b4d9cdbc663cc03eb8af7ec34e) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
2011/07/27 21:34:06.0593 3128 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/07/27 21:34:06.0781 3128 bvrp_pci (c915a416f265149471d74e0815c928b2) C:\WINDOWS\System32\drivers\bvrp_pci.sys
2011/07/27 21:34:06.0890 3128 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/07/27 21:34:07.0062 3128 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/07/27 21:34:07.0187 3128 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/07/27 21:34:07.0296 3128 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/07/27 21:34:07.0828 3128 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/07/27 21:34:08.0031 3128 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/07/27 21:34:08.0250 3128 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/07/27 21:34:08.0390 3128 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/07/27 21:34:08.0531 3128 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/07/27 21:34:08.0718 3128 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/07/27 21:34:08.0906 3128 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/07/27 21:34:09.0062 3128 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/07/27 21:34:09.0187 3128 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/07/27 21:34:09.0312 3128 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/07/27 21:34:09.0453 3128 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/07/27 21:34:09.0593 3128 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/07/27 21:34:09.0718 3128 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/07/27 21:34:09.0812 3128 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/07/27 21:34:09.0921 3128 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/07/27 21:34:10.0156 3128 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/07/27 21:34:11.0000 3128 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/07/27 21:34:11.0453 3128 ialm (44b7d5a4f2bd9fe21aea0bb0bace38c4) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/07/27 21:34:12.0203 3128 Imagedrv (fccf4ae4ef72cbaba6d6befefd77e940) C:\WINDOWS\system32\DRIVERS\imagedrv.sys
2011/07/27 21:34:12.0593 3128 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/07/27 21:34:13.0531 3128 IntelC51 (8e51bf1696821a72656444e0fd5081a3) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
2011/07/27 21:34:14.0375 3128 IntelC52 (331ce31882754000ca2afbf7bd480513) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
2011/07/27 21:34:15.0015 3128 IntelC53 (8001fac548eb0285d0085f4eb53c1e3f) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
2011/07/27 21:34:15.0328 3128 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/07/27 21:34:15.0734 3128 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/07/27 21:34:16.0062 3128 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/07/27 21:34:16.0390 3128 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/07/27 21:34:16.0843 3128 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/07/27 21:34:17.0171 3128 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/07/27 21:34:17.0546 3128 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/07/27 21:34:17.0875 3128 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/07/27 21:34:18.0250 3128 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/07/27 21:34:18.0671 3128 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/07/27 21:34:19.0062 3128 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/07/27 21:34:19.0500 3128 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/07/27 21:34:20.0203 3128 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/07/27 21:34:20.0593 3128 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/07/27 21:34:20.0968 3128 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/07/27 21:34:21.0312 3128 mohfilt (bdd406003c0c340cf6c5501165e83dcd) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
2011/07/27 21:34:21.0703 3128 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/07/27 21:34:22.0015 3128 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/07/27 21:34:22.0656 3128 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/07/27 21:34:23.0078 3128 MRxSmb (6e554efc4d2c77a5b1327375afe2cc2c) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/07/27 21:34:23.0562 3128 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/07/27 21:34:23.0937 3128 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/07/27 21:34:24.0250 3128 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/07/27 21:34:24.0640 3128 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/07/27 21:34:24.0968 3128 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/07/27 21:34:25.0265 3128 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/07/27 21:34:25.0734 3128 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/07/27 21:34:26.0046 3128 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/07/27 21:34:26.0359 3128 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/07/27 21:34:26.0781 3128 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/07/27 21:34:27.0140 3128 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/07/27 21:34:27.0562 3128 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/07/27 21:34:28.0031 3128 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/07/27 21:34:28.0500 3128 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/07/27 21:34:29.0046 3128 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/07/27 21:34:29.0734 3128 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/07/27 21:34:30.0093 3128 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/07/27 21:34:30.0546 3128 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/07/27 21:34:30.0921 3128 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
2011/07/27 21:34:31.0296 3128 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/07/27 21:34:31.0703 3128 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/07/27 21:34:31.0984 3128 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/07/27 21:34:32.0250 3128 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/07/27 21:34:32.0906 3128 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2011/07/27 21:34:33.0312 3128 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/07/27 21:34:33.0718 3128 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
2011/07/27 21:34:35.0375 3128 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/07/27 21:34:35.0656 3128 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/07/27 21:34:35.0812 3128 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/07/27 21:34:36.0000 3128 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/07/27 21:34:36.0156 3128 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
2011/07/27 21:34:36.0953 3128 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/07/27 21:34:37.0109 3128 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/27 21:34:37.0265 3128 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/07/27 21:34:37.0437 3128 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/07/27 21:34:37.0578 3128 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/07/27 21:34:37.0750 3128 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/07/27 21:34:37.0906 3128 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/07/27 21:34:38.0125 3128 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/07/27 21:34:38.0343 3128 s816bus (8c156e6b568aa927eb5deadeb870bdd2) C:\WINDOWS\system32\DRIVERS\s816bus.sys
2011/07/27 21:34:38.0546 3128 s816mdfl (d4ed429953a2b8b09c702805813a26c8) C:\WINDOWS\system32\DRIVERS\s816mdfl.sys
2011/07/27 21:34:38.0750 3128 s816mdm (94306f371a6ff8b690bea81157111b3b) C:\WINDOWS\system32\DRIVERS\s816mdm.sys
2011/07/27 21:34:38.0921 3128 s816unic (e2090b041b935430abc8e184b7d6cd75) C:\WINDOWS\system32\DRIVERS\s816unic.sys
2011/07/27 21:34:39.0140 3128 SE2Ebus (97ec6c60112ebd40c07fe295a38ab1ea) C:\WINDOWS\system32\DRIVERS\SE2Ebus.sys
2011/07/27 21:34:39.0296 3128 SE2Emdfl (abfe402ba200e82568a5606719397afa) C:\WINDOWS\system32\DRIVERS\SE2Emdfl.sys
2011/07/27 21:34:39.0453 3128 SE2Emdm (4acfe8a2a3c1624964429e83bc7148a4) C:\WINDOWS\system32\DRIVERS\SE2Emdm.sys
2011/07/27 21:34:39.0640 3128 SE2Emgmt (9b7d9390cc663e5352d965683f94a8f2) C:\WINDOWS\system32\DRIVERS\SE2Emgmt.sys
2011/07/27 21:34:39.0828 3128 se2End5 (76e23aa90d58fddeeabd32a33f357fa5) C:\WINDOWS\system32\DRIVERS\se2End5.sys
2011/07/27 21:34:39.0968 3128 SE2Eobex (baa5c376bd54bd3327a8680ae73b114b) C:\WINDOWS\system32\DRIVERS\SE2Eobex.sys
2011/07/27 21:34:40.0093 3128 se2Eunic (ee8208650571f71d430cf2da15c1f02a) C:\WINDOWS\system32\DRIVERS\se2Eunic.sys
2011/07/27 21:34:40.0250 3128 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/07/27 21:34:40.0375 3128 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/07/27 21:34:40.0546 3128 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/07/27 21:34:40.0718 3128 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/07/27 21:34:41.0062 3128 smwdm (31fd0707c7dbe715234f2823b27214fe) C:\WINDOWS\system32\drivers\smwdm.sys
2011/07/27 21:34:41.0296 3128 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/07/27 21:34:41.0468 3128 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/07/27 21:34:41.0468 3128 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/07/27 21:34:41.0484 3128 sptd - detected LockedFile.Multi.Generic (1)
2011/07/27 21:34:41.0656 3128 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/07/27 21:34:41.0828 3128 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/07/27 21:34:41.0968 3128 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2011/07/27 21:34:42.0093 3128 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/27 21:34:42.0203 3128 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/07/27 21:34:42.0453 3128 SymEvent (46ae80304322442cf5d971e63f138551) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2011/07/27 21:34:42.0750 3128 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/07/27 21:34:42.0890 3128 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/27 21:34:43.0015 3128 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/27 21:34:43.0125 3128 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/27 21:34:43.0234 3128 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/27 21:34:43.0531 3128 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/27 21:34:43.0828 3128 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/27 21:34:44.0046 3128 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/07/27 21:34:44.0171 3128 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/27 21:34:44.0312 3128 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/27 21:34:44.0437 3128 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/07/27 21:34:44.0562 3128 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/07/27 21:34:44.0718 3128 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/27 21:34:44.0875 3128 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/07/27 21:34:45.0015 3128 USB_RNDIS (f39039d5c96c1d3ac2a637a659dbf282) C:\WINDOWS\system32\DRIVERS\usb8023k.sys
2011/07/27 21:34:45.0187 3128 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/07/27 21:34:45.0484 3128 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/27 21:34:45.0703 3128 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/27 21:34:45.0968 3128 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/07/27 21:34:46.0265 3128 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
2011/07/27 21:34:46.0437 3128 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/07/27 21:34:46.0625 3128 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/07/27 21:34:46.0812 3128 {6080A529-897E-4629-A488-ABA0C29B635E} (61002db7b6efb5711685b9d79b8e8ce6) C:\WINDOWS\system32\drivers\ialmsbw.sys
2011/07/27 21:34:46.0968 3128 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (35ce2baa708ea038ab72359de87bab87) C:\WINDOWS\system32\drivers\ialmkchw.sys
2011/07/27 21:34:47.0015 3128 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/07/27 21:34:47.0015 3128 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/07/27 21:34:47.0062 3128 MBR (0x1B8) (739b36f7a373fc81121d831231b6d311) \Device\Harddisk1\DR2
2011/07/27 21:34:47.0187 3128 Boot (0x1200) (ec48dd64b23f77f29e688833007af44f) \Device\Harddisk0\DR0\Partition0
2011/07/27 21:34:47.0234 3128 Boot (0x1200) (58c308a3c4f053b520ff471c42c95385) \Device\Harddisk1\DR2\Partition0
2011/07/27 21:34:47.0265 3128 ================================================================================
2011/07/27 21:34:47.0265 3128 Scan finished
2011/07/27 21:34:47.0265 3128 ================================================================================
2011/07/27 21:34:47.0296 3776 Detected object count: 2
2011/07/27 21:34:47.0296 3776 Actual detected object count: 2
2011/07/27 21:41:05.0484 3776 LockedFile.Multi.Generic(sptd) - User select action: Skip
2011/07/27 21:41:05.0484 3776 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/07/27 21:41:05.0484 3776 \Device\Harddisk0\DR0 - ok
2011/07/27 21:41:05.0484 3776 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/07/27 21:42:03.0171 2556 Deinitialize success
willpak
Active Member
 
Posts: 11
Joined: July 25th, 2011, 4:28 am

Re: Malware infection on XP PC

Unread postby Dakeyras » July 28th, 2011, 3:38 am

Hi. :)

Please reboot your machine after the last scan with TDSSKiller if you have not done so.

I downloaded OTL but the programme crashed when I tried to run a scan.
Did you try one of the alternate downloads for OTL as the executable for those has different extensions? If in the event you did check your user-profile has admin permissions...

Click on Start >> Control Panel >> User Accounts

In the event it does try...

Click on Start >> Control Panel >> Internet Options >> Advanced >> Reset...

Then try running a scan with OTL again. Now in the event still the same issue download/run the below and then try OTL again...

Please download exeHelper to your desktop.

  • Double-click on exehelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Malware infection on XP PC

Unread postby willpak » July 28th, 2011, 2:03 pm

Hi Dakeyras.

The PC seems to be the same, no changes. I reset my user profile (I am the only user) and tried OTL, but I got the same message "windows cannot access the specified device, path or file". I downloaded the other OTL files, the first one crashed when I tried to run a scan and on the 2nd I got the above message.

I ran exeHelper with no problems, report posted below, and tried OTL again, but I got the above message again.


exeHelper by Raktor
Build 20100414
Run at 18:41:53 on 07/28/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
willpak
Active Member
 
Posts: 11
Joined: July 25th, 2011, 4:28 am

Re: Malware infection on XP PC

Unread postby Dakeyras » July 28th, 2011, 3:19 pm

Hi. :)

The PC seems to be the same, no changes. I reset my user profile (I am the only user) and tried OTL, but I got the same message "windows cannot access the specified device, path or file". I downloaded the other OTL files, the first one crashed when I tried to run a scan and on the 2nd I got the above message.
OK not to worry I am quite the tenacious individual and we will try a further two specific methodologies to see if OTL will run...In the event still a issue which is undoubtedly due to the malware on your machine we will merely take a different approach OK. :thumbup:

Download & Run OTH:

Please download OTH to your Desktop.

  • Now double click on OTH.scr to start the application.
  • Click on Kill All Processes <-- The desktop and taskbar etc will disappear, this is normal as all running process will have been stopped.
  • Then click on Start Misc Program
  • Navigate to OTL.exe >> Open >> Run

If OTL launches, run per my instructions in my previous post to your good self.

Note: Try the above with any version of OTL.

Next:

In the event OTL will still not run, reboot your machine and proceed to the below...

Download & Run GrantPerms:

Please download GrantPerms.zip then extract it to your Desktop.

  • Now double click on GrantPerms to start the application.
  • Copy and paste in the below to the edit box:-
Code: Select all
"%userprofile%\desktop\otl.exe
  • Then click on the Unlock tab.
  • At the prompt Unlock operation complete >> click on OK
  • Close/exit GrantPerms.

Now check if OTL will launch, if so it run per my instructions in my previous post to your good self.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Malware infection on XP PC

Unread postby willpak » July 30th, 2011, 10:53 am

Hi Dakeyras.

We got OTL working! I tip my hat to you, sir.

PC seems to be working a little better now. Google searches seem to be ok, too. Windows update still isnt working properly, and I cant turn on Avira Antivir guard.

OTL text:

OTL logfile created on: 30/07/2011 00:21:23 - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.50 Gb Total Physical Memory | 1.02 Gb Available Physical Memory | 68.11% Memory free
2.85 Gb Paging File | 2.57 Gb Available in Paging File | 89.98% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 12.60 Gb Free Space | 16.91% Space Free | Partition Type: NTFS

Computer Name: LIAM-UG3OC511ZL | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\My Documents\Downloads\OTL.com (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Winamp\winampa.exe (Nullsoft, Inc.)
PRC - c:\Program Files\Real\RealPlayer\realplay.exe (RealNetworks, Inc.)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe (Maxtor Corporation)
PRC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe (Seagate Technology LLC)
PRC - C:\Program Files\FinePixViewerS\QuickDCF2.exe (FUJIFILM Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Owner\My Documents\Downloads\OTL.com (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (vpiwqtqy) -- File not found
SRV - (HidServ) -- File not found
SRV - (ASKUpgrade) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (AMService) -- File not found
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (Basics Service) -- C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe (Seagate Technology LLC)


========== Driver Services (SafeList) ==========

DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (NetBT) -- C:\WINDOWS\system32\drivers\netbt.sys ()
DRV - (s816mdm) -- C:\WINDOWS\system32\drivers\s816mdm.sys (MCCI Corporation)
DRV - (s816mdfl) -- C:\WINDOWS\system32\drivers\s816mdfl.sys (MCCI Corporation)
DRV - (s816bus) Sony Ericsson Device 816 driver (WDM) -- C:\WINDOWS\system32\drivers\s816bus.sys (MCCI Corporation)
DRV - (s816unic) Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM) -- C:\WINDOWS\system32\drivers\s816unic.sys (MCCI)
DRV - (se2Eunic) Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM) -- C:\WINDOWS\system32\drivers\se2Eunic.sys (MCCI)
DRV - (se2End5) Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS) -- C:\WINDOWS\system32\drivers\se2End5.sys (MCCI)
DRV - (SE2Eobex) -- C:\WINDOWS\system32\drivers\SE2Eobex.sys (MCCI)
DRV - (SE2Emgmt) Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM) -- C:\WINDOWS\system32\drivers\SE2Emgmt.sys (MCCI)
DRV - (SE2Emdm) -- C:\WINDOWS\system32\drivers\SE2Emdm.sys (MCCI)
DRV - (SE2Emdfl) -- C:\WINDOWS\system32\drivers\SE2Emdfl.sys (MCCI)
DRV - (SE2Ebus) Sony Ericsson Device 046 Driver driver (WDM) -- C:\WINDOWS\system32\drivers\SE2Ebus.sys (MCCI)
DRV - (IntelC52) -- C:\WINDOWS\system32\drivers\IntelC52.sys (Intel Corporation)
DRV - (IntelC51) -- C:\WINDOWS\system32\drivers\IntelC51.sys (Intel Corporation)
DRV - (IntelC53) -- C:\WINDOWS\system32\drivers\IntelC53.sys (Intel Corporation)
DRV - (mohfilt) -- C:\WINDOWS\system32\drivers\mohfilt.sys (Intel Corporation)
DRV - (bvrp_pci) -- C:\WINDOWS\system32\drivers\bvrp_pci.sys ()
DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (Imagedrv) -- C:\WINDOWS\system32\DRIVERS\imagedrv.sys (Ahead Software AG and its licensors)
DRV - (USB_RNDIS) -- C:\WINDOWS\system32\drivers\usb8023k.sys (Microsoft Corporation)
DRV - (OMCI) -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS (Dell Computer Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1659004503-746137067-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-21-1659004503-746137067-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1659004503-746137067-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1659004503-746137067-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-1659004503-746137067-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.facebook.com
IE - HKU\S-1-5-21-1659004503-746137067-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1659004503-746137067-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "https://www.facebook.com"
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 53717
FF - prefs.js..network.proxy.type: 0

FF - user.js..browser.startup.homepage: "https://www.facebook.com"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.732: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.732: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=1.0.0.0: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.732: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/25 23:23:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/07/26 17:52:07 | 000,000,000 | ---D | M]

[2009/09/16 20:29:47 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2011/06/02 08:07:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3vrrmn6r.default\extensions
[2011/04/29 09:03:27 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3vrrmn6r.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}(2)
[2010/12/24 22:44:32 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3vrrmn6r.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/06/02 08:07:48 | 000,000,000 | ---D | M] (ChatZilla) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3vrrmn6r.default\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
[2011/04/29 09:08:38 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3vrrmn6r.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}(2)
[2011/03/19 13:21:32 | 000,000,000 | ---D | M] (Clear Cache) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3vrrmn6r.default\extensions\clearcache@michel.de.almeida
[2010/08/15 18:42:53 | 000,000,266 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3vrrmn6r.default\searchplugins\Search.xml
[2011/07/07 21:37:33 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/07 19:45:11 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/09/08 23:02:16 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/12/07 09:32:44 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/06/03 08:06:52 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/07/07 21:37:34 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
File not found (No name found) --
[2011/06/25 23:23:13 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/05/04 04:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/07/12 17:33:56 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\mozilla firefox\plugins\npwachk.dll
[2011/05/10 08:14:34 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2011/05/10 08:14:34 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/05/10 08:14:34 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2011/05/10 08:14:35 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2011/05/10 08:14:35 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

Hosts file not found
O2 - BHO: (no name) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - No CLSID value found.
O2 - BHO: (no name) - {CCC250A6-F877-A9E5-5022-67950E1A08E3} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - No CLSID value found.
O3 - HKU\S-1-5-21-1659004503-746137067-839522115-1003\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1659004503-746137067-839522115-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1659004503-746137067-839522115-1003\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [basicsmssmenu] C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe (Maxtor Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe (Nullsoft, Inc.)
O4 - HKU\.DEFAULT..\Run: [NtWqIVLZEWZU] File not found
O4 - HKU\.DEFAULT..\Run: [OO1310T0QS] File not found
O4 - HKU\.DEFAULT..\Run: [SNJQ66R8MU] File not found
O4 - HKU\S-1-5-18..\Run: [NtWqIVLZEWZU] File not found
O4 - HKU\S-1-5-18..\Run: [OO1310T0QS] File not found
O4 - HKU\S-1-5-18..\Run: [SNJQ66R8MU] File not found
O4 - HKU\S-1-5-21-1659004503-746137067-839522115-1003..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKU\S-1-5-21-1659004503-746137067-839522115-1003..\Run: [RegistryBooster] File not found
O4 - HKU\S-1-5-21-1659004503-746137067-839522115-1003..\Run: [SUPERAntiSpyware] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher S.lnk = C:\Program Files\FinePixViewerS\QuickDCF2.exe (FUJIFILM Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1659004503-746137067-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 157
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - File not found
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/200 ... oader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {33331111-1234-1111-1111-615111193427} http://www.www2.p0rt2.com/files/epl29bd.cab (Reg Error: Key error.)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resour ... se6770.cab (Windows Live Safety Center Base Module)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/fl ... rashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shoc ... wflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 () - file:///C:/Documents%20and%20Settings/Owner/My%20Documents/New%20Folder/The%20DVD%20Maniacs%20-%20Forum%20-%20What's%20on%20your%20desktop01_files/4gg1gdw.gif
O24 - Desktop Components:1 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O29 - HKLM SecurityProviders - (mvebkhep.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/07/20 21:50:54 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{12259fdb-757f-11df-a43a-000d566a37d4}\Shell - "" = AutoRun
O33 - MountPoints2\{12259fdb-757f-11df-a43a-000d566a37d4}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{12259fdb-757f-11df-a43a-000d566a37d4}\Shell\AutoRun\command - "" = "G:\WD SmartWare.exe" autoplay=true
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-1659004503-746137067-839522115-1003..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/07/25 12:51:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
[2011/07/25 12:51:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/07/25 10:49:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\PackageAware
[2011/07/25 10:41:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\DoctorWeb
[2011/07/07 21:39:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/07/07 21:37:29 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/07/07 21:37:29 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/07/07 21:37:29 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/02/02 18:55:55 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Owner\Application Data\pcouffin.sys
[8 C:\*.tmp files -> C:\*.tmp -> ]
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[18 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Owner\*.tmp files -> C:\Documents and Settings\Owner\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/30 00:15:25 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/07/30 00:14:55 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1659004503-746137067-839522115-1003.job
[2011/07/30 00:14:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/07/30 00:09:26 | 000,145,920 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/07/30 00:09:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2011/07/29 23:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2011/07/29 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2011/07/29 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2011/07/29 20:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2011/07/29 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2011/07/29 18:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2011/07/29 17:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2011/07/29 16:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2011/07/29 15:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2011/07/29 14:43:00 | 000,000,436 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
[2011/07/29 14:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2011/07/29 13:07:00 | 000,000,436 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2011/07/29 13:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2011/07/29 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2011/07/29 11:26:00 | 000,000,436 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
[2011/07/29 11:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2011/07/29 10:00:01 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2011/07/29 09:04:23 | 000,009,728 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\names.wps
[2011/07/29 09:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2011/07/29 08:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2011/07/29 07:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2011/07/29 06:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2011/07/29 05:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2011/07/29 04:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2011/07/29 03:19:34 | 000,044,560 | -HS- | M] () -- C:\WINDOWS\System32\c_07046.nl_
[2011/07/29 03:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2011/07/29 02:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2011/07/29 01:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2011/07/26 19:58:26 | 000,526,848 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\winlogon.exe
[2011/07/25 12:12:51 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/07/25 09:05:17 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/07/25 03:22:30 | 000,146,016 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/07/25 03:02:54 | 049,089,992 | ---- | M] () -- C:\WINDOWS\System32\MRT.exe
[2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/07/06 19:52:42 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/07/02 14:26:00 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1659004503-746137067-839522115-1003.job
[2011/07/02 08:29:00 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/07/01 03:20:39 | 000,138,192 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2011/07/01 03:20:39 | 000,066,616 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[8 C:\*.tmp files -> C:\*.tmp -> ]
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[18 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Owner\*.tmp files -> C:\Documents and Settings\Owner\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/29 03:19:34 | 000,044,560 | -HS- | C] () -- C:\WINDOWS\System32\c_07046.nl_
[2011/07/26 19:58:28 | 000,526,848 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\winlogon.exe
[2011/05/25 23:19:15 | 000,001,546 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\6i543n7kxh567jlxwrlqes3duwrc
[2011/05/25 23:19:15 | 000,001,546 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\6i543n7kxh567jlxwrlqes3duwrc
[2011/05/18 23:57:47 | 000,013,166 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\ueu4ue45lg20w7c4ddf
[2011/05/18 23:57:47 | 000,013,166 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\ueu4ue45lg20w7c4ddf
[2011/05/18 23:57:36 | 000,023,303 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\02C6.083
[2011/04/25 19:46:06 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\AdsI5U8.dat
[2010/10/06 19:32:21 | 000,001,057 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\vso_ts_preview.xml
[2010/05/12 22:58:21 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/08 03:35:16 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\ypgovd.dat
[2010/04/18 11:52:56 | 000,021,432 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/02/02 18:55:55 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\inst.exe
[2010/02/02 18:55:55 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\pcouffin.cat
[2010/02/02 18:55:55 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\pcouffin.inf
[2010/01/13 09:31:47 | 000,001,042 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\DVDSubEdit.ini
[2010/01/11 22:18:06 | 000,000,085 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2009/09/16 20:29:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/07/29 10:32:21 | 000,000,107 | ---- | C] () -- C:\WINDOWS\IfoEdit.INI
[2009/06/12 19:35:04 | 000,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/06/12 19:35:04 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/06/12 19:35:03 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/06/12 19:35:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2007/12/13 21:51:45 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mngui.INI
[2006/09/11 21:18:48 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2006/09/11 21:18:48 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2006/09/11 21:18:48 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2006/09/11 21:13:53 | 000,000,025 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2006/08/22 20:05:57 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2006/05/03 19:57:31 | 000,000,038 | ---- | C] () -- C:\WINDOWS\AviSplitter.INI
[2006/02/03 01:06:36 | 000,000,742 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/12/30 04:48:42 | 000,000,001 | ---- | C] () -- C:\WINDOWS\twainx.bin
[2005/11/02 21:55:59 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2005/10/04 12:39:06 | 000,062,464 | ---- | C] () -- C:\WINDOWS\System32\ALZALZ.BIN
[2005/10/04 12:39:06 | 000,042,496 | ---- | C] () -- C:\WINDOWS\System32\ALZZip.BIN
[2005/08/27 01:04:25 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/07/26 20:01:04 | 000,145,920 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/07/26 18:12:41 | 049,089,992 | ---- | C] () -- C:\WINDOWS\System32\MRT.exe
[2005/07/25 00:35:30 | 000,004,796 | ---- | C] () -- C:\WINDOWS\anyimage.ini
[2005/07/24 13:18:22 | 000,000,236 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2005/07/24 13:17:58 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbkvs.dll
[2005/07/24 13:17:21 | 000,000,255 | ---- | C] () -- C:\WINDOWS\System32\dlbkcoin.ini
[2005/07/24 13:13:38 | 000,000,192 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2005/07/21 14:10:16 | 000,000,417 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/07/20 23:01:55 | 000,000,000 | R--- | C] () -- C:\WINDOWS\System32\drivers\DVEMODEM.DAT
[2005/07/20 23:01:24 | 000,004,272 | R--- | C] () -- C:\WINDOWS\System32\drivers\bvrp_pci.sys
[2005/07/20 22:58:38 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/07/20 22:58:37 | 001,288,192 | ---- | C] () -- C:\WINDOWS\System32\quartz(2).dll
[2005/07/20 22:42:41 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/07/20 22:41:40 | 000,146,016 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/07/20 21:56:34 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/07/20 21:48:22 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2003/11/20 22:39:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/07/16 21:54:55 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2003/07/16 21:54:54 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2003/07/16 21:41:25 | 000,493,974 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/07/16 21:41:25 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2003/07/16 21:41:23 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2003/07/16 21:41:21 | 000,092,802 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/07/16 21:40:01 | 000,151,808 | ---- | C] () -- C:\WINDOWS\System32\zaiftikk.dat
[2003/07/16 21:40:01 | 000,135,936 | ---- | C] () -- C:\WINDOWS\System32\fdsgqlqg.dat
[2003/07/16 21:40:01 | 000,034,560 | ---- | C] () -- C:\WINDOWS\System32\mikmabdi.dat
[2003/07/16 21:39:07 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/07/16 21:37:40 | 000,162,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\netbt.sys
[2003/07/16 21:33:50 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2003/07/16 21:33:39 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2003/07/16 21:27:41 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2003/07/16 21:26:37 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2002/10/15 23:54:04 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2002/08/07 13:06:22 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\dsrmp4.dll
[2000/11/10 14:57:04 | 000,005,025 | ---- | C] () -- C:\WINDOWS\System32\patterns.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

< End of report >
willpak
Active Member
 
Posts: 11
Joined: July 25th, 2011, 4:28 am

Re: Malware infection on XP PC

Unread postby willpak » July 30th, 2011, 10:55 am

OTL Extras Report:

OTL Extras logfile created on: 30/07/2011 00:21:23 - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.50 Gb Total Physical Memory | 1.02 Gb Available Physical Memory | 68.11% Memory free
2.85 Gb Paging File | 2.57 Gb Available in Paging File | 89.98% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 12.60 Gb Free Space | 16.91% Space Free | Partition Type: NTFS

Computer Name: LIAM-UG3OC511ZL | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-1659004503-746137067-839522115-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"4662:TCP" = 4662:TCP:*:Enabled:will
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Disabled:File Transfer Program -- (Microsoft Corporation)
"C:\Program Files\eMule\emule.exe" = C:\Program Files\eMule\emule.exe:*:Disabled:eMule
"C:\Sierra\Empire Earth\Empire Earth.exe" = C:\Sierra\Empire Earth\Empire Earth.exe:*:Enabled:Empire Earth
"C:\Program Files\NavDiag\Navini Diagnostics.exe" = C:\Program Files\NavDiag\Navini Diagnostics.exe:*:Enabled:LaunchAnywhere GUI
"C:\Documents and Settings\Owner\Local Settings\Temp\I1180545918\Windows\NavDiag.exe" = C:\Documents and Settings\Owner\Local Settings\Temp\I1180545918\Windows\NavDiag.exe:*:Enabled:LaunchAnywhere GUI
"C:\Documents and Settings\Owner\Local Settings\Temp\I1180550778\Windows\NavDiag.exe" = C:\Documents and Settings\Owner\Local Settings\Temp\I1180550778\Windows\NavDiag.exe:*:Enabled:LaunchAnywhere GUI
"C:\Program Files\Navini Diagnostics.exe" = C:\Program Files\Navini Diagnostics.exe:*:Enabled:LaunchAnywhere GUI
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Vuze\Azureus.exe" = C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus
"C:\Program Files\Avira\AntiVir Desktop\ApnStub.exe" = C:\Program Files\Avira\AntiVir Desktop\ApnStub.exe:*:Disabled:AskStub Application -- (Ask.com)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer -- (Microsoft Corporation)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Avira\AntiVir Desktop\update.exe" = C:\Program Files\Avira\AntiVir Desktop\update.exe:*:Enabled:product updater -- (Avira GmbH)
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware -- ()
"C:\Program Files\CCleaner\CCleaner.exe" = C:\Program Files\CCleaner\CCleaner.exe:*:Enabled:CCleaner -- ()
"C:\Documents and Settings\Owner\My Documents\Downloads\ccsetup308.exe" = C:\Documents and Settings\Owner\My Documents\Downloads\ccsetup308.exe:*:Enabled:CCleaner Installer -- (Piriform Ltd)
"C:\Program Files\Uniblue\RegistryBooster\rb_track_install.exe" = C:\Program Files\Uniblue\RegistryBooster\rb_track_install.exe:*:Enabled:Uniblue RegistryBooster Install Tracker
"C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe" = C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe:*:Enabled:Uniblue RegistryBooster
"C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe" = C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe:*:Enabled:Uniblue RegistryBooster Monitor
"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe:*:Enabled:SUPERAntiSpyware Application
"C:\Program Files\Vuze\uninstall.exe" = C:\Program Files\Vuze\uninstall.exe:*:Enabled:Vuze
"C:\Documents and Settings\Owner\My Documents\Downloads\tdsskiller\TDSSKiller.exe" = C:\Documents and Settings\Owner\My Documents\Downloads\tdsskiller\TDSSKiller.exe:*:Enabled:TDSS rootkit removing tool -- (Kaspersky Lab ZAO)
"C:\Program Files\Mozilla Firefox\crashreporter.exe" = C:\Program Files\Mozilla Firefox\crashreporter.exe:*:Enabled:crashreporter -- (Mozilla Foundation)
"C:\Documents and Settings\Owner\Application Data\U3\0001A6710233048C\LaunchPad.exe" = C:\Documents and Settings\Owner\Application Data\U3\0001A6710233048C\LaunchPad.exe:*:Enabled:LaunchPad Application -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0FD155A3-DF78-43ee-84B0-3CC86BA962F2}_is1" = Sothink Video Converter
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{148E08FF-D7C4-46ED-8D4D-601C67FE0AFD}" = Rosetta Stone Version 3
"{18B85E0C-3E70-415E-8F0C-1F6143F9E1A6}" = SwedishNow!
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1" = Media Player Classic - Home Cinema v. 1.3.1249.0
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 26
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{468190DA-FB4C-45BA-8E40-4B165FF1A939}" = BACS
"{48B0F38D-1913-44F3-99AA-D4C55A2B038E}" = Drive Manager
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{7F261841-CE84-46BB-B0DE-B91D9C42CEF5}" = AnyImage Screensaver
"{88B32652-CAE0-4909-A463-5840D2689D93}" = FUJIFILM FinePixViewer S Ver.2.1
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics Driver
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{BB406CEB-6207-4512-9BB2-89950DC9D6B6}_is1" = ConvertXtoDVD 2.2.3.258
"{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = B57Inst
"{C01408FC-117C-44B7-8B0C-17794E526A01}" = Disc2Phone
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"{FC053571-8507-44E4-8B6D-AACEAB8CA57C}" = Sansa Media Converter
"{FC906D5C-91F9-4DA4-A765-6DCBB669F317}" = Sony Ericsson PC Suite
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ALZip_is1" = ALZip
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"AviSynth" = AviSynth 2.5
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Dell AIO Printer A920" = Dell AIO Printer A920
"DivXLand Media Subtitler" = DivXLand Media Subtitler
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Shrink_is1" = DVD Shrink 3.2
"ffdshow_is1" = ffdshow [rev 2583] [2009-01-05]
"FLAC" = FLAC 1.2.1b (remove only)
"HaaliMkx" = Haali Media Splitter
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"ImgBurn" = ImgBurn
"InstallShield_{468190DA-FB4C-45BA-8E40-4B165FF1A939}" = Broadcom Advanced Control Suite
"InstallShield_{48B0F38D-1913-44F3-99AA-D4C55A2B038E}" = Drive Manager
"InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"InstallShield_{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Driver Installer
"Intel(R) 537EP V9x DF PCI Modem" = Intel(R) 537EP V9x DF PCI Modem
"JDownloader" = JDownloader
"KLiteCodecPack_is1" = K-Lite Codec Pack 4.7.5 (Full)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 5.0 (x86 en-GB)" = Mozilla Firefox 5.0 (x86 en-GB)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero - Burning Rom!UninstallKey" = Ahead Nero Burning ROM
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Picasa2" = Picasa 2
"Q903235" = Internet Explorer Q903235
"RealPlayer 12.0" = RealPlayer
"rmp4" = Sigma REALmagic MPEG-4 Video Codec
"SubtitleCreator" = SubtitleCreator
"VLC media player" = VLC media player 1.1.10
"VSO Inspector_is1" = VSO Inspector 2.0.2
"Winamp" = Winamp
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wondershare Video to Audio Converter_is1" = Wondershare Video to Audio Converter(Build 4.2.0.56)
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"YTdetect" = Yahoo! Detect
"ZENcast Organizer" = ZENcast Organizer

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1659004503-746137067-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Sansa Updater" = Sansa Updater
"Winamp Detect" = Winamp Detector Plug-in

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 26/07/2011 15:00:02 | Computer Name = LIAM-UG3OC511ZL | Source = Application Error | ID = 1000
Description = Faulting application roguekiller.exe, version 5.2.8.0, faulting module
roguekiller.exe, version 5.2.8.0, fault address 0x00022333.

Error - 26/07/2011 15:00:32 | Computer Name = LIAM-UG3OC511ZL | Source = Application Error | ID = 1000
Description = Faulting application roguekiller.exe, version 5.2.8.0, faulting module
roguekiller.exe, version 5.2.8.0, fault address 0x00022333.

Error - 26/07/2011 15:00:48 | Computer Name = LIAM-UG3OC511ZL | Source = Application Error | ID = 1000
Description = Faulting application roguekiller.exe, version 5.2.8.0, faulting module
roguekiller.exe, version 5.2.8.0, fault address 0x00022333.

Error - 26/07/2011 15:57:19 | Computer Name = LIAM-UG3OC511ZL | Source = Application Error | ID = 1000
Description = Faulting application roguekiller.exe, version 5.2.8.0, faulting module
roguekiller.exe, version 5.2.8.0, fault address 0x00022333.

Error - 26/07/2011 15:58:27 | Computer Name = LIAM-UG3OC511ZL | Source = Application Error | ID = 1000
Description = Faulting application roguekiller.exe, version 5.2.8.0, faulting module
roguekiller.exe, version 5.2.8.0, fault address 0x00022333.

Error - 26/07/2011 16:50:59 | Computer Name = LIAM-UG3OC511ZL | Source = Application Error | ID = 1000
Description = Faulting application winlogon.exe, version 5.2.8.0, faulting module
winlogon.exe, version 5.2.8.0, fault address 0x00022333.

Error - 26/07/2011 17:22:32 | Computer Name = LIAM-UG3OC511ZL | Source = Application Error | ID = 1000
Description = Faulting application winlogon.exe, version 5.2.8.0, faulting module
winlogon.exe, version 5.2.8.0, fault address 0x00022333.

Error - 26/07/2011 17:40:04 | Computer Name = LIAM-UG3OC511ZL | Source = Application Error | ID = 1000
Description = Faulting application winlogon.exe, version 5.2.8.0, faulting module
winlogon.exe, version 5.2.8.0, fault address 0x00022333.

Error - 26/07/2011 17:40:23 | Computer Name = LIAM-UG3OC511ZL | Source = Application Error | ID = 1000
Description = Faulting application winlogon.exe, version 5.2.8.0, faulting module
winlogon.exe, version 5.2.8.0, fault address 0x00022333.

Error - 29/07/2011 03:17:18 | Computer Name = LIAM-UG3OC511ZL | Source = Application Hang | ID = 1002
Description = Hanging application vlc.exe, version 1.1.10.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 29/07/2011 14:00:00 | Computer Name = LIAM-UG3OC511ZL | Source = Schedule | ID = 7901
Description = The At20.job command failed to start due to the following error: %%2147942405

Error - 29/07/2011 15:00:00 | Computer Name = LIAM-UG3OC511ZL | Source = Schedule | ID = 7901
Description = The At21.job command failed to start due to the following error: %%2147942405

Error - 29/07/2011 16:00:00 | Computer Name = LIAM-UG3OC511ZL | Source = Schedule | ID = 7901
Description = The At22.job command failed to start due to the following error: %%2147942405

Error - 29/07/2011 17:00:00 | Computer Name = LIAM-UG3OC511ZL | Source = Schedule | ID = 7901
Description = The At23.job command failed to start due to the following error: %%2147942405

Error - 29/07/2011 18:00:00 | Computer Name = LIAM-UG3OC511ZL | Source = Schedule | ID = 7901
Description = The At24.job command failed to start due to the following error: %%2147942405

Error - 29/07/2011 18:32:38 | Computer Name = LIAM-UG3OC511ZL | Source = Service Control Manager | ID = 7034
Description = The LexBce Server service terminated unexpectedly. It has done this
1 time(s).

Error - 29/07/2011 18:32:38 | Computer Name = LIAM-UG3OC511ZL | Source = Service Control Manager | ID = 7031
Description = The Avira AntiVir Scheduler service terminated unexpectedly. It has
done this 1 time(s). The following corrective action will be taken in 0 milliseconds:
Restart the service.

Error - 29/07/2011 19:09:00 | Computer Name = LIAM-UG3OC511ZL | Source = Schedule | ID = 7901
Description = The At1.job command failed to start due to the following error: %%2147942405

Error - 29/07/2011 19:14:56 | Computer Name = LIAM-UG3OC511ZL | Source = Service Control Manager | ID = 7000
Description = The ASKUpgrade service failed to start due to the following error:
%%2

Error - 29/07/2011 19:14:56 | Computer Name = LIAM-UG3OC511ZL | Source = Service Control Manager | ID = 7000
Description = The IP Traffic Filter Controller service failed to start due to the
following error: %%1083


< End of report >
willpak
Active Member
 
Posts: 11
Joined: July 25th, 2011, 4:28 am

Re: Malware infection on XP PC

Unread postby Dakeyras » July 30th, 2011, 2:39 pm

Hi. :)

We got OTL working! I tip my hat to you, sir.
Which particularr method was of use if I may enquire.

PC seems to be working a little better now. Google searches seem to be ok, too.
Good.

Windows update still isnt working properly, and I cant turn on Avira Antivir guard.
We should be able to address such in due course...

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double-click on erunt-setup.exe to Install ERUNT by following the prompts.
  • Use the default install settings but say No to the portion that asks you to add ERUNT to the Start-Up folder.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.

Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Reset SP3 Firewall:

Click on Start >> Run... and cut/paste in the following and click on OK
Code: Select all
firewall.cpl
Click on the Advanced tab >> Restore Defaults >> At the prompt click on Yes >> OK

Now click on the General tab >> select On(recommended) >> OK.

Custom OTL Script:

  • Double-click OTL.exe to start the program.
  • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code: Select all
:OTL
SRV - (vpiwqtqy) -- File not found
SRV - (HidServ) -- File not found
SRV - (ASKUpgrade) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (AMService) -- File not found
FF - prefs.js..network.proxy.http_port: 53717
O2 - BHO: (no name) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - No CLSID value found.
O2 - BHO: (no name) - {CCC250A6-F877-A9E5-5022-67950E1A08E3} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - No CLSID value found.
O3 - HKU\S-1-5-21-1659004503-746137067-839522115-1003\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1659004503-746137067-839522115-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1659004503-746137067-839522115-1003\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKU\.DEFAULT..\Run: [NtWqIVLZEWZU] File not found
O4 - HKU\.DEFAULT..\Run: [OO1310T0QS] File not found
O4 - HKU\.DEFAULT..\Run: [SNJQ66R8MU] File not found
O4 - HKU\S-1-5-18..\Run: [NtWqIVLZEWZU] File not found
O4 - HKU\S-1-5-18..\Run: [OO1310T0QS] File not found
O4 - HKU\S-1-5-18..\Run: [SNJQ66R8MU] File not found
O4 - HKU\S-1-5-21-1659004503-746137067-839522115-1003..\Run: [RegistryBooster] File not found
O4 - HKU\S-1-5-21-1659004503-746137067-839522115-1003..\Run: [SUPERAntiSpyware] File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - File not found
O16 - DPF: {33331111-1234-1111-1111-615111193427} http://www.www2.p0rt2.com/files/epl29bd.cab (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/fl ... rashim.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O29 - HKLM SecurityProviders - (mvebkhep.dll) - File not found
[2011/07/25 12:51:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
[2011/07/25 12:51:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/07/25 10:49:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\PackageAware
[2011/07/25 10:41:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\DoctorWeb
[8 C:\*.tmp files -> C:\*.tmp -> ]
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[18 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Owner\*.tmp files -> C:\Documents and Settings\Owner\*.tmp -> ]
[2011/07/29 03:19:34 | 000,044,560 | -HS- | M] () -- C:\WINDOWS\System32\c_07046.nl_
[2011/05/25 23:19:15 | 000,001,546 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\6i543n7kxh567jlxwrlqes3duwrc
[2011/05/25 23:19:15 | 000,001,546 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\6i543n7kxh567jlxwrlqes3duwrc
[2011/05/18 23:57:47 | 000,013,166 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\ueu4ue45lg20w7c4ddf
[2011/05/18 23:57:47 | 000,013,166 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\ueu4ue45lg20w7c4ddf
[2011/05/18 23:57:36 | 000,023,303 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\02C6.083
[2011/04/25 19:46:06 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\AdsI5U8.dat
[2010/05/08 03:35:16 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\ypgovd.dat
[2010/02/02 18:55:55 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\inst.exe
[2010/01/11 22:18:06 | 000,000,085 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

:Files 
ipconfig /flushdns /c 
%systemroot%\prefetch\*.* 
C:\WINDOWS\tasks\At*.job

:Commands
[Purity]
[ResetHosts]
[EmptyFlash]
[EmptyTemp]
[CreateRestorePoint]
[Reboot]
  • Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
  • Then click the red Run Fix button.
  • Let the program run unhindered.
  • If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.

Note: The logfile can also be located C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.

Malwarebytes Anti-Malware:

  • Launch the application, Check for Updates >> Perform quick scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • OTL Log from the Custom Script.
  • Malwarebytes Anti-Malware Log.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Malware infection on XP PC

Unread postby willpak » July 30th, 2011, 7:14 pm

Hi

[quote]We got OTL working! I tip my hat to you, sir.

Which particularr method was of use if I may enquire.
[quote]


I used GrantPerms, OTH didnt work, to fix OTL. I had to download OTL again before I could run it, though.

After I ran your fix in OTL I had to restart the PC manually, as it froze after completing the fix. After I rebooted I had no access to the internet. I used explorer to replair the connection, there was some problem with Winsock, seemingly. After the reboot, I could access the net again. OTL generated a report after the reboot, posted below.

PC seems to be the same as in my last post. No obvious new issues, though.

I couldn't open Malwarebytes, got the usual message "windows cannot access the specified device" so I had to download a fresh copy before I could run a scan. The scan found one infection, which I removed. Report posted after the OTL one.

Cheers!

All processes killed
========== OTL ==========
Service vpiwqtqy stopped successfully!
Service vpiwqtqy deleted successfully!
File File not found not found.
Service HidServ stopped successfully!
Service HidServ deleted successfully!
File File not found not found.
Service ASKUpgrade stopped successfully!
Service ASKUpgrade deleted successfully!
File File not found not found.
Service AppMgmt stopped successfully!
Service AppMgmt deleted successfully!
File File not found not found.
Service AMService stopped successfully!
Service AMService deleted successfully!
File File not found not found.
Prefs.js: 53717 removed from network.proxy.http_port
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CCC250A6-F877-A9E5-5022-67950E1A08E3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC250A6-F877-A9E5-5022-67950E1A08E3}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{2318C2B1-4965-11d4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{3041D03E-FD4B-44E0-B742-2D9B88305F98} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3041D03E-FD4B-44E0-B742-2D9B88305F98}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BA14329E-9550-4989-B3F2-9732E92D17CC} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA14329E-9550-4989-B3F2-9732E92D17CC}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{3041D03E-FD4B-44E0-B742-2D9B88305F98} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3041D03E-FD4B-44E0-B742-2D9B88305F98}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BA14329E-9550-4989-B3F2-9732E92D17CC} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA14329E-9550-4989-B3F2-9732E92D17CC}\ not found.
Registry value HKEY_USERS\S-1-5-21-1659004503-746137067-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-1659004503-746137067-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-1659004503-746137067-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\NtWqIVLZEWZU deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\OO1310T0QS deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\SNJQ66R8MU deleted successfully.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\NtWqIVLZEWZU not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\OO1310T0QS not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\SNJQ66R8MU not found.
Registry value HKEY_USERS\S-1-5-21-1659004503-746137067-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\\RegistryBooster deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1659004503-746137067-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\\SUPERAntiSpyware deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018\ deleted successfully.
Starting removal of ActiveX control {33331111-1234-1111-1111-615111193427}
C:\WINDOWS\Downloaded Program Files\startbd.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33331111-1234-1111-1111-615111193427}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33331111-1234-1111-1111-615111193427}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{33331111-1234-1111-1111-615111193427}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33331111-1234-1111-1111-615111193427}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders:mvebkhep.dll deleted successfully.
C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS folder moved successfully.
C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine folder moved successfully.
C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs folder moved successfully.
C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware folder moved successfully.
C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com folder moved successfully.
C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware folder moved successfully.
C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com folder moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\PackageAware folder moved successfully.
C:\Documents and Settings\Owner\DoctorWeb folder moved successfully.
C:\LOG17A.tmp deleted successfully.
C:\LOG354.tmp deleted successfully.
C:\LOG35A.tmp deleted successfully.
C:\LOG55A.tmp deleted successfully.
C:\LOG97B.tmp deleted successfully.
C:\LOG97C.tmp deleted successfully.
C:\LOGA8.tmp deleted successfully.
C:\LOGBD.tmp deleted successfully.
C:\WINDOWS\002276_.tmp deleted successfully.
C:\WINDOWS\003037_.tmp deleted successfully.
C:\WINDOWS\005243_.tmp deleted successfully.
C:\WINDOWS\SET3.tmp deleted successfully.
C:\WINDOWS\SET7.tmp deleted successfully.
C:\WINDOWS\SETD.tmp deleted successfully.
C:\WINDOWS\System32\ConduitEngine.tmp deleted successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\mshtml.tmp deleted successfully.
C:\WINDOWS\System32\SET27.tmp deleted successfully.
C:\WINDOWS\System32\SET2A.tmp deleted successfully.
C:\WINDOWS\System32\SET2D.tmp deleted successfully.
C:\WINDOWS\System32\SET30.tmp deleted successfully.
C:\WINDOWS\System32\SET39.tmp deleted successfully.
C:\WINDOWS\System32\SET3C.tmp deleted successfully.
C:\WINDOWS\System32\SET3F.tmp deleted successfully.
C:\WINDOWS\System32\SET59.tmp deleted successfully.
C:\WINDOWS\System32\SET65.tmp deleted successfully.
C:\WINDOWS\System32\SET6E.tmp deleted successfully.
C:\WINDOWS\System32\SET6F.tmp deleted successfully.
C:\WINDOWS\System32\SET70.tmp deleted successfully.
C:\WINDOWS\System32\SET72.tmp deleted successfully.
C:\WINDOWS\System32\SET73.tmp deleted successfully.
C:\WINDOWS\System32\tmp.tmp deleted successfully.
C:\Documents and Settings\Owner\5873.tmp\remove.exe deleted successfully.
C:\Documents and Settings\Owner\5873.tmp folder deleted successfully.
C:\WINDOWS\system32\c_07046.nl_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\6i543n7kxh567jlxwrlqes3duwrc moved successfully.
C:\Documents and Settings\All Users\Application Data\6i543n7kxh567jlxwrlqes3duwrc moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\ueu4ue45lg20w7c4ddf moved successfully.
C:\Documents and Settings\All Users\Application Data\ueu4ue45lg20w7c4ddf moved successfully.
C:\Documents and Settings\Owner\Application Data\02C6.083 moved successfully.
C:\Documents and Settings\All Users\Application Data\AdsI5U8.dat moved successfully.
C:\Documents and Settings\Owner\Application Data\ypgovd.dat moved successfully.
C:\Documents and Settings\Owner\Application Data\inst.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\.zreglib moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1 deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Owner\My Documents\Downloads\cmd.bat deleted successfully.
C:\Documents and Settings\Owner\My Documents\Downloads\cmd.txt deleted successfully.
C:\WINDOWS\prefetch\6852B_XP.EXE-217B6B8A.pf moved successfully.
C:\WINDOWS\prefetch\6852B_XP.EXE-30963B55.pf moved successfully.
C:\WINDOWS\prefetch\93A7CF.EXE-0DA42AD8.pf moved successfully.
C:\WINDOWS\prefetch\93A7CF.EXE-2A6E69A3.pf moved successfully.
C:\WINDOWS\prefetch\ACRORD32INFO.EXE-242CE4AA.pf moved successfully.
C:\WINDOWS\prefetch\ALG.EXE-0F138680.pf moved successfully.
C:\WINDOWS\prefetch\APNSTUB.EXE-35EB6BD4.pf moved successfully.
C:\WINDOWS\prefetch\ASKSERVICE.EXE-0A81249C.pf moved successfully.
C:\WINDOWS\prefetch\ASKUPGRADE.EXE-353D1C34.pf moved successfully.
C:\WINDOWS\prefetch\AVCENTER.EXE-1A970FA0.pf moved successfully.
C:\WINDOWS\prefetch\AVCONFIG.EXE-1ECA67AD.pf moved successfully.
C:\WINDOWS\prefetch\AVCONFIG.EXE-29873B78.pf moved successfully.
C:\WINDOWS\prefetch\AVGUARD.EXE-27095CE7.pf moved successfully.
C:\WINDOWS\prefetch\AVHLP.EXE-1FA70116.pf moved successfully.
C:\WINDOWS\prefetch\AVNOTIFY.EXE-05ED5FD8.pf moved successfully.
C:\WINDOWS\prefetch\AVSCAN.EXE-07FC469C.pf moved successfully.
C:\WINDOWS\prefetch\AVWSC.EXE-0283F9DD.pf moved successfully.
C:\WINDOWS\prefetch\B3E5E2D8-0A15-47A2-9C73-8501B-0D34FD8E.pf moved successfully.
C:\WINDOWS\prefetch\CBAFFREGISTRYBOOSTER.EXE-37679645.pf moved successfully.
C:\WINDOWS\prefetch\CCLEANER.EXE-0BCE437C.pf moved successfully.
C:\WINDOWS\prefetch\CCSETUP308.EXE-0BADE6B5.pf moved successfully.
C:\WINDOWS\prefetch\CMD.EXE-087B4001.pf moved successfully.
C:\WINDOWS\prefetch\CONTROL.EXE-013DBFB5.pf moved successfully.
C:\WINDOWS\prefetch\CSCRIPT.EXE-1C26180C.pf moved successfully.
C:\WINDOWS\prefetch\CSRSS.EXE-12B63473.pf moved successfully.
C:\WINDOWS\prefetch\DDS.SCR-0501269D.pf moved successfully.
C:\WINDOWS\prefetch\DEFRAG.EXE-273F131E.pf moved successfully.
C:\WINDOWS\prefetch\DFRGNTFS.EXE-269967DF.pf moved successfully.
C:\WINDOWS\prefetch\DRWTSN32.EXE-2B4B52AC.pf moved successfully.
C:\WINDOWS\prefetch\DUMPREP.EXE-1B46F901.pf moved successfully.
C:\WINDOWS\prefetch\DWWIN.EXE-30875ADC.pf moved successfully.
C:\WINDOWS\prefetch\EXPLORER.EXE-082F38A9.pf moved successfully.
C:\WINDOWS\prefetch\FINDSTR.EXE-0CA6274B.pf moved successfully.
C:\WINDOWS\prefetch\FIREFOX.EXE-1876365B.pf moved successfully.
C:\WINDOWS\prefetch\FIREFOX.EXE-28641590.pf moved successfully.
C:\WINDOWS\prefetch\FIREFOX.TMP-348C174B.pf moved successfully.
C:\WINDOWS\prefetch\GUARDGUI.EXE-00ECD849.pf moved successfully.
C:\WINDOWS\prefetch\HELPSVC.EXE-2878DDA2.pf moved successfully.
C:\WINDOWS\prefetch\HKCMD.EXE-1D05234B.pf moved successfully.
C:\WINDOWS\prefetch\HYJKX6KT.EXE-36DB0476.pf moved successfully.
C:\WINDOWS\prefetch\IEXPLORE.EXE-27122324.pf moved successfully.
C:\WINDOWS\prefetch\IGFXTRAY.EXE-3391579A.pf moved successfully.
C:\WINDOWS\prefetch\IMAPI.EXE-0BF740A4.pf moved successfully.
C:\WINDOWS\prefetch\IPCONFIG.EXE-2395F30B.pf moved successfully.
C:\WINDOWS\prefetch\JAVAW.EXE-2DC32ABC.pf moved successfully.
C:\WINDOWS\prefetch\JAVAWS.EXE-021AC9A9.pf moved successfully.
C:\WINDOWS\prefetch\JQS.EXE-1D781F77.pf moved successfully.
C:\WINDOWS\prefetch\LAUNCHER.EXE-0A629DC4.pf moved successfully.
C:\WINDOWS\prefetch\Layout.ini moved successfully.
C:\WINDOWS\prefetch\LEXBCES.EXE-00305C02.pf moved successfully.
C:\WINDOWS\prefetch\LOGONUI.EXE-0AF22957.pf moved successfully.
C:\WINDOWS\prefetch\LSASS.EXE-20DB6D1B.pf moved successfully.
C:\WINDOWS\prefetch\MAXBACKSERVICEINT.EXE-1C327347.pf moved successfully.
C:\WINDOWS\prefetch\MAXMENUMGRBASICS.EXE-2C30E4C1.pf moved successfully.
C:\WINDOWS\prefetch\MBAM-RULES.EXE-10176DF1.pf moved successfully.
C:\WINDOWS\prefetch\MBAM-RULES.TMP-153FC8F8.pf moved successfully.
C:\WINDOWS\prefetch\MBAM-SETUP.EXE-07BB094E.pf moved successfully.
C:\WINDOWS\prefetch\MBAM-SETUP.TMP-0E73B94C.pf moved successfully.
C:\WINDOWS\prefetch\MBAM-SETUP.TMP-340E75CB.pf moved successfully.
C:\WINDOWS\prefetch\MBAM.EXE-0BEE0439.pf moved successfully.
C:\WINDOWS\prefetch\MBAMGUI.EXE-1286D63B.pf moved successfully.
C:\WINDOWS\prefetch\MDNSRESPONDER.EXE-02F30C6E.pf moved successfully.
C:\WINDOWS\prefetch\MRT.EXE-1B4A8D49.pf moved successfully.
C:\WINDOWS\prefetch\MRTSTUB.EXE-03CCD100.pf moved successfully.
C:\WINDOWS\prefetch\MSIEXEC.EXE-2F8A8CAE.pf moved successfully.
C:\WINDOWS\prefetch\MSWORKS.EXE-31812CA4.pf moved successfully.
C:\WINDOWS\prefetch\NETSH.EXE-085CFFDE.pf moved successfully.
C:\WINDOWS\prefetch\NS8.TMP-048B7888.pf moved successfully.
C:\WINDOWS\prefetch\NTOSBOOT-B00DFAAD.pf moved successfully.
C:\WINDOWS\prefetch\PEV.DAT-026D6DDC.pf moved successfully.
C:\WINDOWS\prefetch\PING.EXE-31216D26.pf moved successfully.
C:\WINDOWS\prefetch\PLUGIN-CONTAINER.EXE-15EDC9DD.pf moved successfully.
C:\WINDOWS\prefetch\RBIA.EXE-0FBB745B.pf moved successfully.
C:\WINDOWS\prefetch\RBMONITOR.EXE-3400FC7D.pf moved successfully.
C:\WINDOWS\prefetch\RBNOTIFIER.EXE-195FA8D6.pf moved successfully.
C:\WINDOWS\prefetch\RB_MOVE_SERIAL.EXE-2A0729DA.pf moved successfully.
C:\WINDOWS\prefetch\RB_TRACK_INSTALL.EXE-0B5265E7.pf moved successfully.
C:\WINDOWS\prefetch\REALPLAY.EXE-1BF219BD.pf moved successfully.
C:\WINDOWS\prefetch\REALSCHED.EXE-3282FD31.pf moved successfully.
C:\WINDOWS\prefetch\REGEDIT.EXE-1B606482.pf moved successfully.
C:\WINDOWS\prefetch\REGISTRYBOOSTER.EXE-0E62CFC8.pf moved successfully.
C:\WINDOWS\prefetch\REGSVR32.EXE-25EEFE2F.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-12E27DD0.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-13A0895C.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-1831A4F3.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-19948C1B.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-1BE7F8BE.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-1EDA2CF6.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-21D394C8.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-21EA2F0F.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-27026B38.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-2852F07E.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-2905E326.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-2C7B5C4A.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-2CF006FF.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-2E27BDB3.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-3520B5B3.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-3A29CCC4.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-442FE5C9.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-4730D88B.pf moved successfully.
C:\WINDOWS\prefetch\RUNSAS.EXE-35F6D404.pf moved successfully.
C:\WINDOWS\prefetch\SCHED.EXE-030F29E1.pf moved successfully.
C:\WINDOWS\prefetch\SED.DAT-0FE6B7DD.pf moved successfully.
C:\WINDOWS\prefetch\SED.DAT-2E943496.pf moved successfully.
C:\WINDOWS\prefetch\SERVICES.EXE-2F433351.pf moved successfully.
C:\WINDOWS\prefetch\SETUP.EXE-231B09A9.pf moved successfully.
C:\WINDOWS\prefetch\SORT.EXE-194AE83C.pf moved successfully.
C:\WINDOWS\prefetch\SPOOLSV.EXE-282F76A7.pf moved successfully.
C:\WINDOWS\prefetch\SPYBOTSD.EXE-1344276B.pf moved successfully.
C:\WINDOWS\prefetch\SUPERANTISPYWARE.EXE-07994D9B.pf moved successfully.
C:\WINDOWS\prefetch\SUPERANTISPYWARE.EXE-370B4298.pf moved successfully.
C:\WINDOWS\prefetch\SVCHOST.EXE-0144C940.pf moved successfully.
C:\WINDOWS\prefetch\SVCHOST.EXE-3530F672.pf moved successfully.
C:\WINDOWS\prefetch\SYNCSERVICESBASICS.EXE-063B8C42.pf moved successfully.
C:\WINDOWS\prefetch\TASKMGR.EXE-20256C55.pf moved successfully.
C:\WINDOWS\prefetch\UPDATE.EXE-1081A106.pf moved successfully.
C:\WINDOWS\prefetch\UPDATE.EXE-1F81A93B.pf moved successfully.
C:\WINDOWS\prefetch\UPDATE.EXE-2577D203.pf moved successfully.
C:\WINDOWS\prefetch\USERINIT.EXE-30B18140.pf moved successfully.
C:\WINDOWS\prefetch\VERCLSID.EXE-3667BD89.pf moved successfully.
C:\WINDOWS\prefetch\VLC.EXE-22DF01AA.pf moved successfully.
C:\WINDOWS\prefetch\WGATRAY.EXE-0ED38BED.pf moved successfully.
C:\WINDOWS\prefetch\WINDOWS-KB890830-V3.21-DELTA.-1ECF572B.pf moved successfully.
C:\WINDOWS\prefetch\WINLOGON.EXE-32C57D49.pf moved successfully.
C:\WINDOWS\prefetch\WINSOCKXPFIX.EXE-2EBF9B44.pf moved successfully.
C:\WINDOWS\prefetch\WKGDCACH.EXE-09BEAA63.pf moved successfully.
C:\WINDOWS\prefetch\WKSWP.EXE-25E36596.pf moved successfully.
C:\WINDOWS\prefetch\WMIPRVSE.EXE-28F301A9.pf moved successfully.
C:\WINDOWS\prefetch\WSCNTFY.EXE-1B24F5EB.pf moved successfully.
C:\WINDOWS\prefetch\WUAUCLT.EXE-399A8E72.pf moved successfully.
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At24.job moved successfully.
C:\WINDOWS\tasks\At25.job moved successfully.
C:\WINDOWS\tasks\At26.job moved successfully.
C:\WINDOWS\tasks\At27.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.
========== COMMANDS ==========
HOSTS file reset successfully

[EMPTYFLASH]

User: All Users

User: Default User

User: LocalService

User: NetworkService
->Flash cache emptied: 2536 bytes

User: Owner
->Flash cache emptied: 118207 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 69612 bytes
->Temporary Internet Files folder emptied: 7388241 bytes

User: NetworkService
->Temp folder emptied: 3596 bytes
->Temporary Internet Files folder emptied: 258490629 bytes
->Java cache emptied: 644 bytes
->Flash cache emptied: 0 bytes

User: Owner
->Temp folder emptied: 82401280 bytes
->Temporary Internet Files folder emptied: 51022697 bytes
->Java cache emptied: 7213707 bytes
->FireFox cache emptied: 562767151 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 8208902 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 76192770 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33638114 bytes
RecycleBin emptied: 499958955 bytes

Total Files Cleaned = 1,514.00 mb

Restore point Set: OTL Restore Point (0)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\: LSP stack updated.

OTL by OldTimer - Version 3.2.26.1 log created on 07302011_222226

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

-------------------------------------

Malwarebytes' Anti-Malware 1.51.1.1800
http://www.malwarebytes.org

Database version: 7331

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

30/07/2011 23:35:57
mbam-log-2011-07-30 (23-35-57).txt

Scan type: Quick scan
Objects scanned: 149110
Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Owner\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
willpak
Active Member
 
Posts: 11
Joined: July 25th, 2011, 4:28 am

Re: Malware infection on XP PC

Unread postby Dakeyras » August 1st, 2011, 2:59 am

Hi. :)

After I ran your fix in OTL I had to restart the PC manually, as it froze after completing the fix. After I rebooted I had no access to the internet. I used explorer to replair the connection, there was some problem with Winsock, seemingly. After the reboot, I could access the net again.
Most unfortunate, please download WinSock XP Fix to your desktop. Then in the event connectivity is lost again during the course of the Malware removal process, merely double click upon the executable >> Fix >> follow the prompts. I do not think you should have any problems again but no harm erring on the side of caution.

I couldn't open Malwarebytes, got the usual message "windows cannot access the specified device" so I had to download a fresh copy before I could run a scan
OK we will check the Hard-Drive shortly but it may be that your actual user-account is corrupted/damaged but we can cross that particular bridge so to speak if the need...Though still entirely possible Malware is the source and or a completely different issue, anyway lets proceed as follows shall we.

FixPolicies:

Please download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from here.

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box should briefly appear and then close.
  • Leave FixPolicies on your desktop please until I otherwise advise, thank you.

Download/Run ComboFix:

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Please include the C:\ComboFix.txt in your next reply for further review.

Note: If ComboFix detects Rootkit activitity and asks to reboot the system, please allow this to be done.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix Should Not be used unless requested by a forum helper


Check Hard Disk For Errors:

Click on Start >> Run.., then copy/paste the following command into the box and press OK:
Code: Select all
cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"
A blank command window will open on your desktop, then close in a few minutes. This is normal.

A file icon named checkhd.txt should appear on your Desktop. Please post the contents of this file.

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any other symptoms and or problems encountered?
  • ComboFix Log.
  • checkhd.txt
  • A new DDS Log.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Malware infection on XP PC

Unread postby willpak » August 3rd, 2011, 3:00 am

Hi Dakeyras.

Combofix ran with no issues, report below. PC seems about the same, nothing new wrong with it, though.

ComboFix 11-08-02.02 - Owner 02/08/2011 22:17:46.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1164 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Application Data\download2
c:\documents and settings\Owner\WINDOWS
C:\LOGB8.tmp
c:\windows\$NtUninstallKB19599$
c:\windows\$NtUninstallKB19599$\778411285\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB19599$\778411285\L\aiakmavu
c:\windows\$NtUninstallKB19599$\778411285\loader.tlb
c:\windows\$NtUninstallKB19599$\778411285\U\@00000001
c:\windows\$NtUninstallKB19599$\778411285\U\@000000c0
c:\windows\$NtUninstallKB19599$\778411285\U\@000000cb
c:\windows\$NtUninstallKB19599$\778411285\U\@000000cf
c:\windows\$NtUninstallKB19599$\778411285\U\@80000000
c:\windows\$NtUninstallKB19599$\778411285\U\@800000c0
c:\windows\$NtUninstallKB19599$\778411285\U\@800000cb
c:\windows\$NtUninstallKB19599$\778411285\U\@800000cf
c:\windows\$NtUninstallKB19599$\847600231
c:\windows\system32\c_07046.nls
c:\windows\system32\drivers\fad.sys
c:\windows\system32\windir
.
Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-02 to 2011-08-02 )))))))))))))))))))))))))))))))
.
.
2011-08-02 21:12 . 2008-04-13 23:51 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2011-08-02 21:12 . 2008-04-13 23:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-07-30 21:22 . 2011-07-30 21:22 -------- d-----w- C:\_OTL
2011-07-30 21:17 . 2011-07-30 21:17 -------- d-----w- c:\program files\ERUNT
2011-07-07 20:39 . 2011-07-07 20:39 -------- d-----w- c:\program files\Common Files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 18:52 . 2011-05-19 16:54 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52 . 2011-05-19 16:54 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-01 02:20 . 2009-08-19 12:16 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-07-01 02:20 . 2009-08-19 12:16 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-06-06 09:23 . 2011-06-06 09:23 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2009-01-22 07:42 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-06-25 22:23 . 2011-05-10 07:14 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-03 202256]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2009-10-14 303104]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
2006-06-12 14:32 700416 ------w- c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
2003-06-02 18:25 270336 ----a-w- c:\program files\Dell AIO Printer A920\dlbkbmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2006-11-24 01:06 487424 -c--a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [24/01/2010 12:53 691696]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [19/08/2009 13:16 136360]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [19/05/2011 17:54 41272]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [18/02/2009 20:55 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [18/02/2009 20:56 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [18/02/2009 20:56 107304]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [19/06/2007 07:51 97704]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
2011-08-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1659004503-746137067-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2011-07-30 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1659004503-746137067-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = https://www.facebook.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3vrrmn6r.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 53717
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: browser.startup.homepage - hxxps://www.facebook.com
FF - user.js: browser.startup.page - 1
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-02 22:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e1,c3,25,75,44,d1,3b,4b,a4,c1,e4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e1,c3,25,75,44,d1,3b,4b,a4,c1,e4,\
.
[HKEY_USERS\S-1-5-21-1659004503-746137067-839522115-1003\Software\Zepter Software\RegLib*f039ec0d\AnyDVD/1]
"1"=dword:4450278b
"2"=dword:4475df29
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1848)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-08-02 22:46:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-02 21:46
.
Pre-Run: 13,925,494,784 bytes free
Post-Run: 13,889,286,144 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
[spybotsd]
timeout.old=30
.
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 47741A1CB6C698192F655073C1E16904

-----------------------------------------------------------------------
-----------------------------------------------------------------------

The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
CHKDSK is verifying indexes (stage 2 of 3)...

Errors found. CHKDSK cannot continue in read-only mode.

-----------------------------------------------------------------------
-----------------------------------------------------------------------
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26
Run by Owner at 23:07:31 on 2011-08-02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.998 [GMT 1:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\real\realplayer\RealPlay.exe
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = https://www.facebook.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewers\QuickDCF2.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/200 ... oader5.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resour ... se6770.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{B82C503B-1E75-48D6-807E-134C5247B3A8} : DhcpNameServer = 192.168.1.254
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\3vrrmn6r.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 53717
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: browser.startup.homepage - hxxps://www.facebook.com
FF - user.js: browser.startup.page - 1
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-19 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-19 136360]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-19 66616]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-19 269480]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-5-19 41272]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [2009-2-18 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [2009-2-18 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [2009-2-18 107304]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [2007-6-19 97704]
.
=============== Created Last 30 ================
.
2011-08-02 21:12:19 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2011-08-02 21:12:19 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-08-02 21:05:34 -------- d-sha-r- C:\cmdcons
2011-08-02 21:02:32 98816 ----a-w- c:\windows\sed.exe
2011-08-02 21:02:32 518144 ----a-w- c:\windows\SWREG.exe
2011-08-02 21:02:32 256000 ----a-w- c:\windows\PEV.exe
2011-08-02 21:02:32 208896 ----a-w- c:\windows\MBR.exe
2011-07-30 21:22:26 -------- d-----w- C:\_OTL
.
==================== Find3M ====================
.
2011-07-06 18:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-01 02:20:39 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-06 09:23:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 23:08:29.93 ===============
willpak
Active Member
 
Posts: 11
Joined: July 25th, 2011, 4:28 am

Re: Malware infection on XP PC

Unread postby Dakeyras » August 3rd, 2011, 6:27 am

Hi. :)

PC seems about the same, nothing new wrong with it, though.
So still the issues with the installed Anti-Virus and Windows Update? If so the latter we will address last of all. In the mean-time if still the installed Anti-Virus issue try the following please...

Go to Start >> Control Panel >> Add/Remove Programs click on the below to highlight...

Avira AntiVir Personal - Free Antivirus >> Uninstall >> Repair

If still the same issue afterwards we will address this again last of all along with the Windows Update issue if still present etc.

Custom ComboFix-Script:

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code: Select all
DDS::
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
FF - prefs.js: network.proxy.http_port - 53717

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_USERS\S-1-5-21-1659004503-746137067-839522115-1003\Software\Zepter Software\RegLib*f039ec0d\AnyDVD/1]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

Caution: Do not mouse-click ComboFix's window while it is running. That may cause it to stall. If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue. If that happened we want to know, and also what process you had to end.

Malwarebytes Anti-Malware:

  • Launch the application, Check for Updates >> Perform quick scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • ComboFix log from the custom script.
  • Malwarebytes Anti-Malware Log.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 31 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware