Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Malware preventing mbam.exe or wscript.exe from starting?


Post by kiap » January 27th, 2012, 1:07 am

Hope you can help me please. I'm getting an 'Internet Security 2012' pop-up window requesting activation and removal of "UNWANTED" files from my computer.

Before this I'd found iLivid using 'Control Panel -> Add and Remove Programs' and removed/uninstalled it (I am not even sure how this got installed). I then ran a scan using Malwarebytes which identified about 30 items to be removed, which I removed. After rebooting, now I cannot start either DDS or Malwarebytes and I get dialog bubbles stating (respectively):

"wscript.exe cannot start. File wscript.exe is infected by W32/Blaster.worm. Please activate Internet Security 2012 to protect your computer."

OR

"mbam.exe cannot start. File mbam.exe is infected by W32/Blaster.worm. Please activate Internet Security 2012 to protect your computer."

<EDIT> Ran DDS in safe mode, logs follow:

DDS.TXT
***********
.
DDS (Ver_11-05-19.01) - NTFSx86 MINIMAL
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by ET123 at 14:06:10 on 2012-01-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.747 [GMT 8:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\ET123\Desktop\AV\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page =
uSearch Bar =
uDefault_Page_URL = www.google.com.au/ig/dell?hl=en&client= ... bd=6061102
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant =
uURLSearchHooks: NCH EN Toolbar: {37483b40-c254-4a72-bda4-22ee90182c1e} - c:\program files\nch_en\prxtbNCH_.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: NCH EN Toolbar: {37483b40-c254-4a72-bda4-22ee90182c1e} - c:\program files\nch_en\prxtbNCH_.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: NCH EN Toolbar: {37483b40-c254-4a72-bda4-22ee90182c1e} - c:\program files\nch_en\prxtbNCH_.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [Internet Security 2012] c:\documents and settings\all users\application data\isecurity.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ApacheTomcatMonitor] "c:\devtools\tomcat\bin\tomcat6w.exe" //MS//Tomcat6
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\documents and settings\et123\start menu\programs\irfanview\startup\NET_USE_LPT1.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: Search Image on TinEye - file://c:\documents and settings\et123\my documents\tineye 1.0\TinEye.js
IE: Translate this web page with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Action.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: localhost
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/ ... ontrol.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/ ... ontrol.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupda ... 2883751609
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftup ... 2887683843
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/fl ... wflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: cryptnet32 - cryptnet32.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\et123\application data\mozilla\firefox\profiles\d7151wic.default\
FF - prefs.js: browser.search.selectedEngine - Search Results
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ff ... 06&sr=0&q=
FF - prefs.js: network.proxy.ftp - proxy.starhub.net.sg
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - proxy.starhub.net.sg
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\documents and settings\et123\application data\mozilla\firefox\profiles\d7151wic.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\et123\application data\mozilla\firefox\profiles\d7151wic.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.95\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.51204.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvsharetvplg.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
S1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2010-10-30 142592]
S2 DriverX;DriverX;c:\windows\system32\drivers\driverx.sys [2008-12-15 234140]
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbguard.exe [2009-6-18 81920]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-30 135664]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-26 35088]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 993848]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-19 399416]
S2 Tomcat6;Apache Tomcat;c:\devtools\tomcat\bin\tomcat6.exe [2008-7-22 57344]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbserver.exe [2009-6-18 2732032]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-30 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-1-27 40776]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [2011-12-9 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [2011-12-9 61568]
S4 RTWTKRNL;Real-Time Windows Target;\??\c:\windows\system32\drivers\rtwtkrnl.sys --> c:\windows\system32\drivers\RTWTKRNL.sys [?]
.
=============== Created Last 30 ================
.
2012-01-27 04:44:17 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-27 04:23:43 840704 ----a-w- c:\documents and settings\all users\application data\isecurity.exe
2012-01-27 02:52:03 33792 ----a-w- c:\windows\system32\uo2s7P5.com
2012-01-25 09:15:36 -------- d-----w- c:\documents and settings\et123\application data\Ullai
2012-01-25 09:15:36 -------- d-----w- c:\documents and settings\et123\application data\Hupui
2012-01-13 05:25:52 -------- d-----w- c:\documents and settings\et123\local settings\application data\Ilivid Player
2012-01-13 05:22:28 -------- d-----w- c:\documents and settings\et123\AppData
2012-01-13 05:20:54 -------- d-----w- c:\documents and settings\et123\application data\searchquband
2012-01-13 05:18:54 -------- d-----w- c:\documents and settings\all users\application data\boost_interprocess
2012-01-13 05:17:37 -------- d-----w- c:\documents and settings\et123\local settings\application data\PackageAware
2012-01-11 01:05:13 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-11 01:05:13 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-11 01:05:13 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-11 01:05:12 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
.
==================== Find3M ====================
.
2011-12-10 07:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-19 17:41:18 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 14:06:23.45 ===============

ATTACH.TXT
***********

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-05-19.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 7/11/2006 15:03:13
System Uptime: 27/01/2012 13:52:01 (0 hours ago)
.
Motherboard: Dell Inc. | | 0KD882
Processor: Intel(R) Core(TM)2 CPU T5600 @ 1.83GHz | Microprocessor | 1828/166mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 70 GiB total, 6.767 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 298 GiB total, 270.642 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/Wireless 3945ABG Network Connection
Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10228086&REV_02\4&6C79FC5&0&00E0
Manufacturer: Intel Corporation
Name: Intel(R) PRO/Wireless 3945ABG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10228086&REV_02\4&6C79FC5&0&00E0
Service: NETw4x32
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Beep
Device ID: ROOT\LEGACY_BEEP\0000
Manufacturer:
Name: Beep
PNP Device ID: ROOT\LEGACY_BEEP\0000
Service: Beep
.
==== System Restore Points ===================
.
RP1244: 27/10/2011 19:58:26 - System Checkpoint
RP1245: 29/10/2011 02:19:33 - System Checkpoint
RP1246: 30/10/2011 03:25:39 - System Checkpoint
RP1247: 31/10/2011 05:22:54 - System Checkpoint
RP1248: 1/11/2011 05:51:03 - System Checkpoint
RP1249: 2/11/2011 09:08:35 - System Checkpoint
RP1250: 3/11/2011 19:10:09 - System Checkpoint
RP1251: 5/11/2011 06:12:16 - System Checkpoint
RP1252: 6/11/2011 07:56:17 - System Checkpoint
RP1253: 7/11/2011 13:57:45 - System Checkpoint
RP1254: 8/11/2011 19:56:27 - System Checkpoint
RP1255: 9/11/2011 20:35:54 - System Checkpoint
RP1256: 11/11/2011 02:33:29 - System Checkpoint
RP1257: 12/11/2011 03:39:42 - System Checkpoint
RP1258: 13/11/2011 06:18:58 - System Checkpoint
RP1259: 14/11/2011 06:32:58 - System Checkpoint
RP1260: 15/11/2011 14:37:51 - System Checkpoint
RP1261: 17/11/2011 01:01:54 - System Checkpoint
RP1262: 18/11/2011 02:29:48 - System Checkpoint
RP1263: 19/11/2011 04:14:09 - System Checkpoint
RP1264: 20/11/2011 05:37:59 - System Checkpoint
RP1265: 21/11/2011 07:07:27 - System Checkpoint
RP1266: 22/11/2011 13:14:23 - System Checkpoint
RP1267: 23/11/2011 15:56:27 - System Checkpoint
RP1268: 24/11/2011 19:16:39 - System Checkpoint
RP1269: 26/11/2011 02:50:32 - System Checkpoint
RP1270: 27/11/2011 05:30:41 - System Checkpoint
RP1271: 28/11/2011 06:58:53 - System Checkpoint
RP1272: 29/11/2011 07:18:06 - System Checkpoint
RP1273: 30/11/2011 14:30:41 - System Checkpoint
RP1274: 1/12/2011 16:58:41 - System Checkpoint
RP1275: 2/12/2011 18:32:40 - System Checkpoint
RP1276: 3/12/2011 23:48:14 - System Checkpoint
RP1277: 5/12/2011 03:23:06 - System Checkpoint
RP1278: 6/12/2011 04:03:54 - System Checkpoint
RP1279: 7/12/2011 07:23:17 - System Checkpoint
RP1280: 8/12/2011 07:24:17 - System Checkpoint
RP1281: 9/12/2011 12:11:49 - System Checkpoint
RP1282: 9/12/2011 13:45:00 - Removed C Miner Proxy
RP1283: 9/12/2011 13:46:48 - Unsigned driver install
RP1284: 9/12/2011 14:00:01 - Removed C Miner Proxy
RP1285: 9/12/2011 14:16:47 - Unsigned driver install
RP1286: 9/12/2011 14:41:34 - Installed Silicon Laboratories CP210x VCP Drivers for Windows 20
RP1287: 9/12/2011 15:29:21 - Removed C Miner Proxy
RP1288: 9/12/2011 15:46:38 - Removed Silicon Laboratories CP210x VCP Drivers for Windows 2000
RP1289: 9/12/2011 15:49:51 - Installed Silicon Laboratories CP210x VCP Drivers for Windows 20
RP1290: 9/12/2011 15:58:06 - Removed Silicon Laboratories CP210x VCP Drivers for Windows 2000
RP1291: 9/12/2011 16:08:15 - Removed LM Flash Programmer
RP1292: 10/12/2011 16:13:52 - System Checkpoint
RP1293: 11/12/2011 20:49:19 - System Checkpoint
RP1294: 12/12/2011 22:22:13 - System Checkpoint
RP1295: 16/12/2011 17:25:51 - System Checkpoint
RP1296: 18/12/2011 07:46:08 - System Checkpoint
RP1297: 19/12/2011 08:09:34 - System Checkpoint
RP1298: 20/12/2011 14:43:47 - System Checkpoint
RP1299: 22/12/2011 04:03:31 - System Checkpoint
RP1300: 23/12/2011 08:02:04 - System Checkpoint
RP1301: 24/12/2011 18:16:56 - System Checkpoint
RP1302: 25/12/2011 18:18:13 - System Checkpoint
RP1303: 26/12/2011 18:57:56 - System Checkpoint
RP1304: 28/12/2011 01:50:45 - System Checkpoint
RP1305: 29/12/2011 14:26:19 - System Checkpoint
RP1306: 31/12/2011 03:24:24 - System Checkpoint
RP1307: 1/01/2012 12:26:44 - System Checkpoint
RP1308: 2/01/2012 22:41:19 - System Checkpoint
RP1309: 4/01/2012 12:42:15 - System Checkpoint
RP1310: 5/01/2012 18:53:57 - System Checkpoint
RP1311: 10/01/2012 11:33:18 - System Checkpoint
RP1312: 11/01/2012 11:41:14 - System Checkpoint
RP1313: 12/01/2012 13:55:16 - System Checkpoint
RP1314: 13/01/2012 14:20:38 - System Checkpoint
RP1315: 14/01/2012 20:38:09 - System Checkpoint
RP1316: 15/01/2012 21:32:49 - System Checkpoint
RP1317: 17/01/2012 01:59:01 - System Checkpoint
RP1318: 18/01/2012 02:21:22 - System Checkpoint
RP1319: 19/01/2012 06:21:26 - System Checkpoint
RP1320: 20/01/2012 10:21:23 - System Checkpoint
RP1321: 21/01/2012 14:21:25 - System Checkpoint
RP1322: 22/01/2012 18:21:25 - System Checkpoint
RP1323: 23/01/2012 19:19:04 - System Checkpoint
RP1324: 24/01/2012 23:37:50 - System Checkpoint
RP1325: 27/01/2012 10:54:16 - Removed CmdHere Powertoy For Windows XP
.
==== Installed Programs ======================
.
7-Zip 4.57
Active GIF Creator 3.1
ADF7xxx Evaluation Software
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.1)
Apache Tomcat 6.0 (remove only)
Apple Application Support
Apple Software Update
Bonjour
C Miner Modem Setup Tool 1.0.8
CCleaner
Clock 2.3
Compatibility Pack for the 2007 Office system
Conduit Engine
Conexant HDA D110 MDC V.92 Modem
Convexsoft Video to FLV SWF GIF Converter
Critical Update for Windows Media Player 11 (KB959772)
Digital Line Detect
DMX Update
ESET Online Scanner v3
Firebird 2.1.2.18118 (Win32)
GIMP 2.4.2
Glary Utilities 2.29.0.1032
Google Earth
Google Update Helper
GWGSP810
GWGSP810 (C:\Program Files\GWGSP810\)
GWGSP810Try
High Definition Audio Driver Package - KB835221
HK-Software IBExpert Developer Studio Personal Edition
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
IAR Embedded Workbench Evaluation for MSP430 V3.42A
IAR Embedded Workbench KickStart for MSP430 V4.11A
IBEasy+ 1.5.1
Image Resizer Powertoy for Windows XP
Intel(R) Graphics Media Accelerator Driver
IrfanView (remove only)
Java DB 10.4.2.1
Java(TM) 6 Update 26
Java(TM) SE Development Kit 6 Update 14
LM Flash Programmer
Malwarebytes Anti-Malware version 1.60.0.1800
Mask Surf Pro
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MixPad Audio Mixer
Modem Helper
Mozilla Firefox 9.0.1 (x86 en-US)
MSI to redistribute MS VS2005 CRT libraries
MSP430 Flash Programmer - FET-Pro430 v1.18 - Lite version from Elprotronic
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
MySQL Server 5.1
NCH EN Toolbar
NetWaiting
Notepad++
Nullsoft Install System
OGA Notifier 1.7.0105.35.0
PaperPort Image Printer
PhotoPad Image Editor
PhotoScape
PL-2303 USB-to-Serial
PRFIntermod Version 1
Prism Video File Converter
QuickSet
Samsung SCX-4x16 Series
Samsung SCX-4x16 Series (TWAIN)
ScanSoft PaperPort 11
Secunia PSI (2.0.0.3003)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
shadeBlue Indigo Terminal Emulator
SmartRF Studio (6.9.1)
Sonic DLA
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SopCast 3.2.9
Spyware Terminator
Synaptics Pointing Device Driver
TinEye Internet Explorer plugin 1.0
TinEyeClient
TortoiseSVN 1.6.7.18415 (32 bit)
Total Video Converter 3.71 100812
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Veetle TV 0.9.18
VideoPad Video Editor
Viewpoint Media Player (Remove Only)
VLC media player 1.1.11
vShare.tv plugin 1.3
WavePad Sound Editor
WebFldrs XP
Western Australian Time Zone Update
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Presentation Foundation
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Service Pack 3
WinPcap 4.1.2
Wireshark 1.2.17
Wisdom-soft ScreenHunter 5.0 Free
XML Notepad 2007
XML Paper Specification Shared Components Pack 1.0
Xvid 1.2.1 final uninstall
.
==== Event Viewer Messages From Past Week ========
.
27/01/2012 13:54:05, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD APPDRV Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss sp_rsdrv2 Tcpip
27/01/2012 13:54:05, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
27/01/2012 13:54:05, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
27/01/2012 13:54:05, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
27/01/2012 13:54:05, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
27/01/2012 13:54:05, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
27/01/2012 13:54:02, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
27/01/2012 13:53:33, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
27/01/2012 12:59:00, error: Schedule [7901] - The At26.job command failed to start due to the following error: %%2147942402
27/01/2012 11:59:00, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402
27/01/2012 11:44:12, error: Service Control Manager [7034] - The Secunia Update Agent service terminated unexpectedly. It has done this 1 time(s).
27/01/2012 11:44:12, error: Service Control Manager [7034] - The Google Update Service (gupdate) service terminated unexpectedly. It has done this 1 time(s).
27/01/2012 11:44:09, error: Service Control Manager [7034] - The Ulead Burning Helper service terminated unexpectedly. It has done this 1 time(s).
27/01/2012 11:44:08, error: Service Control Manager [7034] - The Spyware Terminator Realtime Shield Service service terminated unexpectedly. It has done this 1 time(s).
27/01/2012 11:44:06, error: Service Control Manager [7034] - The Secunia PSI Agent service terminated unexpectedly. It has done this 1 time(s).
27/01/2012 11:44:05, error: Service Control Manager [7034] - The NICCONFIGSVC service terminated unexpectedly. It has done this 1 time(s).
27/01/2012 11:44:05, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
27/01/2012 11:44:05, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
27/01/2012 11:44:05, error: Service Control Manager [7031] - The Firebird Guardian - DefaultInstance service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
27/01/2012 10:59:07, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
25/01/2012 19:49:52, error: Service Control Manager [7034] - The Firebird Server - DefaultInstance service terminated unexpectedly. It has done this 1 time(s).
25/01/2012 19:49:43, error: Service Control Manager [7034] - The Apache Tomcat service terminated unexpectedly. It has done this 1 time(s).
25/01/2012 18:26:31, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
25/01/2012 18:26:30, error: System Error [1003] - Error code 1000000a, parameter1 000000b0, parameter2 00000002, parameter3 00000000, parameter4 804ef42a.
24/01/2012 18:26:34, error: Dhcp [1002] - The IP address lease 192.168.1.13 for the Network Card with network address 0015C5BB5772 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
24/01/2012 09:39:09, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
.
==== End Of File ===========================
kiap
Active Member
 
Posts: 12
Joined: January 27th, 2012, 12:55 am

Re: Malware preventing mbam.exe or wscript.exe from starting

Unread postby Gary R » January 27th, 2012, 1:23 pm

Looking over your log, back soon.
Gary R
Administrator
 
Posts: 21864
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Malware preventing mbam.exe or wscript.exe from starting

Unread postby Gary R » January 27th, 2012, 1:40 pm

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the "malware removal" forum and wait for help.


Unless informed of in advance, failure to post replies within 3 days will result in this thread being closed.


Hi kiap

I'm Gary R,

Before we start: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to install any new software (other than those I ask you to) until we've got your computer clean.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. If your defensive programmes warn you about any of those tools, be assured that they are not infected, and are safe to use.
If you can do these things, everything should go smoothly.
It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


There are a number of issues showing in your DDS log, the most serious of which is that you have a Zero Access rootkit infection.

This infection has remote access capabilities, so you should do the following at once ....

1. Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.

2. Call all of your banks, credit card companies, and financial institutions. Inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information.

You may want to consider backing up your personal files and folders then reformatting your hard drive and reinstalling Windows. If you do online banking using your machine, I would recommend this as the best course of action to take.

Some versions of Zero Access can be extremely difficult to remove, and we may have to reformat anyway. If you decide to attempt a clean up, there is definitely a chance that you may lose your connection, in which case you'll need to be able to connect to us with another computer. If there is a loss of connection we will make all efforts to restore it, but I can give you no guarantees.

So, if after all that you want me to attempt to clean your computer, then please do the following ....

Download ComboFix from one of these locations and save it to your Desktop: (if you already have a copy of Combofix, delete it and use this version)

Link 1
Link 2

IMPORTANT !!! ComboFix.exe must be run from your Desktop

  • Disable your AntiVirus and AntiSpyware applications, they may otherwise interfere with Combofix. There are details for disabling many programmes here.
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install Microsoft Windows Recovery Console.

**Please note: If Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Image

Once Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you.

Please include this log in your next reply (it can also be found at C:\ComboFix.txt).

IMPORTANT
  • Do not use your computer while Combofix is running.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.
If you have any problems with these instructions, a detailed Tutorial for how to use Combofix is available here.
Gary R
Administrator
 
Posts: 21864
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Malware preventing mbam.exe or wscript.exe from starting

Unread postby kiap » January 27th, 2012, 6:54 pm

Hi GaryR, thank you very much for your help - this problem feels nasty.

If possible, I would like to try to clean the computer before reformatting and reinstalling, please. I hope to be able to use the machine for a few days before having to wipe it afresh.

The critical files and folders are backed up to a portable external hard drive (although I'm now concerned whether this drive, and another computer that was occasionally connected to the drive, might also be infected - n.b. The portable drive was not connected when running Combofix as logged below). As per your instructions I disconnected the infected computer whilst checking with financial institutions and changing my online passwords using a clean machine - this took quite a while.

Started in safe mode (with networking enabled) to run Combofix. It downloaded Microsoft Recovery, although I did not get the associated message box. Combofix performed its scan and rebooted the machine twice automatically. The internet connection is now working ok as I am sending the Combofix log from the machine now.


log.txt:
********


ComboFix 12-01-27.01 - ET123 28/01/2012 5:08.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.614 [GMT 8:00]
Running from: c:\documents and settings\ET123\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\iSecurity.exe
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TorrentEasy\extensions.exe
c:\documents and settings\All Users\Application Data\TorrentEasy\fdmbtsupp.dll
c:\documents and settings\ET123\Application Data\PriceGong
c:\documents and settings\ET123\Application Data\PriceGong\Data\1.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\a.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\b.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\c.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\d.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\e.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\f.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\g.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\h.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\i.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\J.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\k.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\l.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\m.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\n.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\o.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\p.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\q.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\r.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\s.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\t.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\u.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\v.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\w.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\x.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\y.xml
c:\documents and settings\ET123\Application Data\PriceGong\Data\z.xml
C:\Thumbs.db
c:\windows\$NtUninstallKB47208$\4181142536
c:\windows\$NtUninstallKB47208$\710513201\@
c:\windows\$NtUninstallKB47208$\710513201\bckfg.tmp
c:\windows\$NtUninstallKB47208$\710513201\cfg.ini
c:\windows\$NtUninstallKB47208$\710513201\Desktop.ini
c:\windows\$NtUninstallKB47208$\710513201\keywords
c:\windows\$NtUninstallKB47208$\710513201\kwrd.dll
c:\windows\$NtUninstallKB47208$\710513201\L\iahonoel
c:\windows\$NtUninstallKB47208$\710513201\U\00000001.@
c:\windows\$NtUninstallKB47208$\710513201\U\00000002.@
c:\windows\$NtUninstallKB47208$\710513201\U\00000004.@
c:\windows\$NtUninstallKB47208$\710513201\U\80000000.@
c:\windows\$NtUninstallKB47208$\710513201\U\80000004.@
c:\windows\$NtUninstallKB47208$\710513201\U\80000032.@
c:\windows\Downloaded Installations\BMP
c:\windows\Downloaded Installations\BMP\{77976D5E-C17A-49E5-A91B-D7BFA08301CB}\1033.MST
c:\windows\Downloaded Installations\BMP\{77976D5E-C17A-49E5-A91B-D7BFA08301CB}\BACS.msi
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\shimg.dll
c:\windows\system32\Thumbs.db
c:\windows\Tab16d20.dll
c:\windows\$NtUninstallKB47208$ . . . . Failed to delete
.
Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2011-12-27 to 2012-01-27 )))))))))))))))))))))))))))))))
.
.
2012-01-27 21:05 . 2008-06-20 11:59 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-01-27 04:44 . 2012-01-27 04:45 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-27 02:52 . 2012-01-27 02:52 33792 ----a-w- c:\windows\system32\uo2s7P5.com
2012-01-25 09:15 . 2012-01-27 04:19 -------- d-----w- c:\documents and settings\ET123\Application Data\Hupui
2012-01-25 09:15 . 2012-01-27 02:54 -------- d-----w- c:\documents and settings\ET123\Application Data\Ullai
2012-01-13 05:25 . 2012-01-13 05:26 -------- d-----w- c:\documents and settings\ET123\Local Settings\Application Data\Ilivid Player
2012-01-13 05:22 . 2012-01-13 05:22 -------- d-----w- c:\documents and settings\ET123\AppData
2012-01-13 05:20 . 2012-01-13 05:20 -------- d-----w- c:\documents and settings\ET123\Application Data\searchquband
2012-01-13 05:18 . 2012-01-24 10:27 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2012-01-13 05:17 . 2012-01-13 05:17 -------- d-----w- c:\documents and settings\ET123\Local Settings\Application Data\PackageAware
2012-01-11 01:05 . 2012-01-11 01:05 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-11 01:05 . 2012-01-11 01:05 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-11 01:05 . 2012-01-11 01:05 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-11 01:05 . 2012-01-11 01:05 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 07:24 . 2010-10-29 19:32 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-19 17:41 . 2011-05-14 09:06 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-11 01:05 . 2011-07-20 05:30 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2009-01-16 03:51 . 2009-01-16 03:52 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{37483b40-c254-4a72-bda4-22ee90182c1e}"= "c:\program files\NCH_EN\prxtbNCH_.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{37483b40-c254-4a72-bda4-22ee90182c1e}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 08:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37483b40-c254-4a72-bda4-22ee90182c1e}]
2011-01-17 08:54 175912 ----a-w- c:\program files\NCH_EN\prxtbNCH_.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{37483b40-c254-4a72-bda4-22ee90182c1e}"= "c:\program files\NCH_EN\prxtbNCH_.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{37483b40-c254-4a72-bda4-22ee90182c1e}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{37483B40-C254-4A72-BDA4-22EE90182C1E}"= "c:\program files\NCH_EN\prxtbNCH_.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{37483b40-c254-4a72-bda4-22ee90182c1e}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 11:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 11:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 11:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 11:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 11:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 11:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 11:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 11:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 11:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ApacheTomcatMonitor"="c:\devtools\tomcat\bin\tomcat6w.exe" [2008-07-22 98304]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
.
c:\documents and settings\ET123\Start Menu\Programs\IrfanView\Startup\
NET_USE_LPT1.bat [2006-10-30 64]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"IgfxTray"=c:\windows\system32\igfxtray.exe
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"Persistence"=c:\windows\system32\igfxpers.exe
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe"
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe"
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"AntiSpyWareDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\devtools\\eclipse\\eclipse.exe"=
"c:\\devtools\\tomcat\\bin\\tomcat6.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"55555:TCP"= 55555:TCP:ET TMS55555
"5058:UDP"= 5058:UDP:ETTMS 5058
.
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [30/10/2010 01:30 142592]
R2 DriverX;DriverX;c:\windows\system32\drivers\driverx.sys [15/12/2008 13:49 234140]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [18/06/2009 12:40 81920]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [26/06/2010 01:07 35088]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [19/04/2011 14:44 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [19/04/2011 14:44 399416]
R2 Tomcat6;Apache Tomcat;c:\devtools\tomcat\bin\tomcat6.exe [22/07/2008 08:01 57344]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [18/06/2009 12:40 2732032]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/10/2010 05:19 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [30/10/2010 05:19 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [27/01/2012 12:44 40776]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [1/09/2010 16:30 15544]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [9/12/2011 14:41 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [9/12/2011 14:41 61568]
S4 RTWTKRNL;Real-Time Windows Target;\??\c:\windows\system32\drivers\RTWTKRNL.sys --> c:\windows\system32\drivers\RTWTKRNL.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 03:50]
.
2012-01-27 c:\windows\Tasks\At1.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At11.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At13.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At15.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At17.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At19.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At21.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At23.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At25.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At27.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At29.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At3.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At31.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At33.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At35.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At37.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At39.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At41.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At43.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At45.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At47.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At5.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At7.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At9.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-11-11 13:55]
.
2012-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-29 21:19]
.
2012-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-29 21:19]
.
2011-07-17 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2011-03-08 06:54]
.
2012-01-27 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 09:04]
.
2012-01-27 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 09:04]
.
2011-12-10 c:\windows\Tasks\photopadShakeIcon.job
- c:\program files\NCH Software\PhotoPad\photopad.exe [2011-03-08 13:32]
.
2011-12-10 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2011-03-08 06:52]
.
2011-09-12 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-03-08 06:52]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: Search Image on TinEye - file://c:\documents and settings\ET123\My Documents\TinEye 1.0\TinEye.js
IE: Translate this web page with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
Trusted Zone: localhost
FF - ProfilePath - c:\documents and settings\ET123\Application Data\Mozilla\Firefox\Profiles\d7151wic.default\
FF - prefs.js: browser.search.selectedEngine - Search Results
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ff ... 06&sr=0&q=
FF - prefs.js: network.proxy.ftp - proxy.starhub.net.sg
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - proxy.starhub.net.sg
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-Internet Security 2012 - c:\documents and settings\All Users\Application Data\isecurity.exe
SafeBoot-WinDefend
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-28 05:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2132)
c:\windows\system32\WININET.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\stsystra.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
.
**************************************************************************
.
Completion time: 2012-01-28 05:27:29 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-27 21:27
.
Pre-Run: 11,525,791,744 bytes free
Post-Run: 12,040,466,432 bytes free
.
- - End Of File - - 66F7C590D8A52FDB7D0822092CACBF45
kiap
Active Member
 
Posts: 12
Joined: January 27th, 2012, 12:55 am
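The ComboFix log above shows three indicators a helper reads off by eye: two dozen At*.job tasks all pointing at one dropped .com file under system32, Security Center notifications switched off, and two hand-added firewall openings. The Python script below is an added example, not part of this thread or of ComboFix; it parses those sections of a ComboFix-style log (a constructed excerpt modelled on the log above is embedded inline) and reports the same findings automatically.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the ComboFix log sections quoted in this thread
# (a few representative lines, not the full log), kept in ComboFix's own layout.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"AntiSpyWareDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"55555:TCP"= 55555:TCP:ET TMS55555
"5058:UDP"= 5058:UDP:ETTMS 5058
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 03:50]
.
2012-01-27 c:\windows\Tasks\At1.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At11.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At3.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-29 21:19]
.
------- Supplementary Scan -------
"""

TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)$", re.IGNORECASE)
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')


def parse_scheduled_tasks(text):
    """Map each .job file name in the 'Scheduled Tasks' section to the command it runs."""
    jobs, in_section, current = {}, False, None
    for line in text.splitlines():
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("-------"):      # next ComboFix section header
            break
        m = TASK_RE.match(line)
        if m:
            current = m.group("job").rsplit("\\", 1)[-1]
            continue
        m = TARGET_RE.match(line)
        if m and current:
            jobs[current] = m.group("target")
            current = None
    return jobs


def parse_reg_values(text, key_substring):
    """Return {name: value} for the registry block whose [key] header contains key_substring."""
    values, in_block = {}, False
    for line in text.splitlines():
        if line.startswith("["):
            in_block = key_substring.lower() in line.lower()
        elif in_block:
            m = VALUE_RE.match(line)
            if m:
                values[m.group("name")] = m.group("value").strip()
            elif line.strip() == ".":       # ComboFix separates blocks with a lone dot
                in_block = False
    return values


def at_job_clusters(jobs, min_count=2):
    """Group At<n>.job tasks by target; one target shared by many At jobs is the pattern in this log."""
    by_target = defaultdict(list)
    for job, target in jobs.items():
        if re.fullmatch(r"at\d+\.job", job, re.IGNORECASE):
            by_target[target].append(job)

    def numeric(job):
        return int(re.search(r"\d+", job).group())

    return {t: sorted(js, key=numeric) for t, js in by_target.items() if len(js) >= min_count}


def analyze_combofix_log(text):
    """Flag the three indicators visible in the thread's ComboFix log."""
    sc = parse_reg_values(text, "security center")
    overrides = {n: v for n, v in sc.items()
                 if n.endswith(("Override", "DisableNotify")) and v == "dword:00000001"}
    ports = parse_reg_values(text, "GloballyOpenPorts")
    # Windows' own firewall entries carry a resource-string description (@xpsp2res.dll,-N);
    # hand-added openings, like the two removed by the CFScript later in this thread, do not.
    unexpected = [n for n, v in ports.items() if "@" not in v]
    return {
        "at_job_targets": at_job_clusters(parse_scheduled_tasks(text)),
        "security_center_overrides": overrides,
        "unexpected_open_ports": unexpected,
    }


if __name__ == "__main__":
    for key, finding in analyze_combofix_log(SAMPLE_LOG).items():
        print(f"{key}: {finding}")
```

Pointing the script at a real C:\ComboFix.txt only requires reading the file into `analyze_combofix_log`; the thresholds (two or more At jobs on one target, any Override/DisableNotify set to 1, any open port without a resource-string description) are the assumptions, not ComboFix's own rules.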

Re: Malware preventing mbam.exe or wscript.exe from starting

Unread postby Gary R » January 27th, 2012, 9:02 pm

Looking better, still some work to do.

  • Click Start > Run type Notepad click OK.
  • This will open an empty Notepad file.
  • Copy/Paste the contents of the box below into Notepad.
Code:
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{37483b40-c254-4a72-bda4-22ee90182c1e}"=-
[-HKEY_CLASSES_ROOT\clsid\{37483b40-c254-4a72-bda4-22ee90182c1e}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37483b40-c254-4a72-bda4-22ee90182c1e}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{37483b40-c254-4a72-bda4-22ee90182c1e}"=-
"{30F9B915-B755-4826-820B-08FBA6BD249D}"=-
[-HKEY_CLASSES_ROOT\clsid\{37483b40-c254-4a72-bda4-22ee90182c1e}]
[-HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{37483B40-C254-4A72-BDA4-22EE90182C1E}"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"55555:TCP"=-
"5058:UDP"=-

Folder::
c:\program files\NCH_EN
c:\program files\ConduitEngine

File::
c:\windows\system32\uo2s7P5.com

AtJob::

  • Click Format and ensure Wordwrap is unchecked.
  • Save as CFScript.txt to your Desktop.

Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Combofix will now process that file.

When finished, it will produce a log for you. Post that log in your next reply please. (it can also be found at C:\Combofix.txt)

Next

Download TDSSKiller.zip and extract it to your Desktop.
  • Double click on TDSSKiller.exe to launch it.
    • If using Vista or Windows7, when prompted by UAC allow the prompt.
  • Click on Start Scan
  • The scan will run.
  • When the scan has finished, if it finds anything please click on the drop down arrow next to Cure and select Skip
  • Now click on Report to open the log file created by TDSSKiller in your root directory C:\
  • Post the contents in your next reply please.
  • DO NOT TRY TO FIX ANYTHING AT THIS POINT

Next

Please download Junction.zip and save it to your desktop.
  • Right click Junction.zip and choose extract all...
  • When the Compressed Folders Extraction wizard opens, click Next
  • Click Browse
  • When the "select a destination" box opens, click My Computer > Local Disk (C:) > Windows > OK
  • Back at the Extraction Wizard, click Next.
  • Untick "Show Extracted Files" and click Finish
    • Click Start > Run. Copy and paste the contents of the codebox below into the run box.
    • (Do Not include Code:) Then click OK:

Code:
cmd /c junction -s c:\ >log.txt&log.txt&del log.txt


  • A command window will open and the system will be scanned. (Click Agree to the prompt)
  • Please be patient & wait until a log file opens in notepad.
  • Copy and paste the contents of that file in your next reply.


Summary of the logs I need from you in your next post:
  • Latest Combofix log.
  • TDSSKiller log
  • Junction log


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections.
Gary R
Administrator
 
Posts: 21864
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Malware preventing mbam.exe or wscript.exe from starting

Unread postby kiap » January 27th, 2012, 10:52 pm

Part 1: Ran ComboFix with the script, which prompted something like "a newer version is available, do you want to download" (I clicked No). Then got two messages saying there was a Zero Access rootkit infection and it did an automatic reboot. It did not choose the Recovery Console option but did a normal Windows XP boot. Anyway this was the log:
********

ComboFix 12-01-27.01 - ET123 28/01/2012 9:47.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.575 [GMT 8:00]
Running from: c:\documents and settings\ET123\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ET123\Desktop\CFScript.txt
.
FILE ::
"c:\windows\system32\uo2s7P5.com"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\ConduitEngine
c:\program files\ConduitEngine\appContextMenu.xml
c:\program files\ConduitEngine\ConduitEngine.dll
c:\program files\ConduitEngine\ConduitEngineHelper.exe
c:\program files\ConduitEngine\ConduitEngineUninstall.exe
c:\program files\ConduitEngine\engineContextMenu.xml
c:\program files\ConduitEngine\EngineSettings.json
c:\program files\ConduitEngine\INSTALL.LOG
c:\program files\ConduitEngine\prxConduitEngine.dll
c:\program files\ConduitEngine\toolbar.cfg
c:\program files\NCH_EN
c:\program files\NCH_EN\GottenAppsContextMenu.xml
c:\program files\NCH_EN\NCH_ENToolbarHelper.exe
c:\program files\NCH_EN\OtherAppsContextMenu.xml
c:\program files\NCH_EN\prxtbNCH_.dll
c:\program files\NCH_EN\SharedAppsContextMenu.xml
c:\program files\NCH_EN\tbNCH_.dll
c:\program files\NCH_EN\toolbar.cfg
c:\program files\NCH_EN\ToolbarContextMenu.xml
c:\program files\NCH_EN\uninstall.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-28 )))))))))))))))))))))))))))))))
.
.
2012-01-27 21:05 . 2008-06-20 11:59 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-01-27 04:44 . 2012-01-27 04:45 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-27 02:52 . 2012-01-27 02:52 33792 ----a-w- c:\windows\system32\uo2s7P5.com
2012-01-25 09:15 . 2012-01-27 04:19 -------- d-----w- c:\documents and settings\ET123\Application Data\Hupui
2012-01-25 09:15 . 2012-01-27 02:54 -------- d-----w- c:\documents and settings\ET123\Application Data\Ullai
2012-01-13 05:25 . 2012-01-13 05:26 -------- d-----w- c:\documents and settings\ET123\Local Settings\Application Data\Ilivid Player
2012-01-13 05:22 . 2012-01-13 05:22 -------- d-----w- c:\documents and settings\ET123\AppData
2012-01-13 05:20 . 2012-01-13 05:20 -------- d-----w- c:\documents and settings\ET123\Application Data\searchquband
2012-01-13 05:18 . 2012-01-24 10:27 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2012-01-13 05:17 . 2012-01-13 05:17 -------- d-----w- c:\documents and settings\ET123\Local Settings\Application Data\PackageAware
2012-01-11 01:05 . 2012-01-11 01:05 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-11 01:05 . 2012-01-11 01:05 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-11 01:05 . 2012-01-11 01:05 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-11 01:05 . 2012-01-11 01:05 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 07:24 . 2010-10-29 19:32 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-19 17:41 . 2011-05-14 09:06 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-11 01:05 . 2011-07-20 05:30 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2009-01-16 03:51 . 2009-01-16 03:52 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 11:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 11:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 11:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 11:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 11:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 11:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 11:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 11:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 11:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ApacheTomcatMonitor"="c:\devtools\tomcat\bin\tomcat6w.exe" [2008-07-22 98304]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
.
c:\documents and settings\ET123\Start Menu\Programs\IrfanView\Startup\
NET_USE_LPT1.bat [2006-10-30 64]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"IgfxTray"=c:\windows\system32\igfxtray.exe
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"Persistence"=c:\windows\system32\igfxpers.exe
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe"
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe"
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"AntiSpyWareDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\devtools\\eclipse\\eclipse.exe"=
"c:\\devtools\\tomcat\\bin\\tomcat6.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [30/10/2010 01:30 142592]
R2 DriverX;DriverX;c:\windows\system32\drivers\driverx.sys [15/12/2008 13:49 234140]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [18/06/2009 12:40 81920]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [26/06/2010 01:07 35088]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [19/04/2011 14:44 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [19/04/2011 14:44 399416]
R2 Tomcat6;Apache Tomcat;c:\devtools\tomcat\bin\tomcat6.exe [22/07/2008 08:01 57344]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [18/06/2009 12:40 2732032]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [1/09/2010 16:30 15544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/10/2010 05:19 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [30/10/2010 05:19 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [27/01/2012 12:44 40776]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [9/12/2011 14:41 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [9/12/2011 14:41 61568]
S4 RTWTKRNL;Real-Time Windows Target;\??\c:\windows\system32\drivers\RTWTKRNL.sys --> c:\windows\system32\drivers\RTWTKRNL.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 03:50]
.
2012-01-27 c:\windows\Tasks\At1.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At11.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At13.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At15.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At17.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At19.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At21.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At23.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At25.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At27.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At29.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At3.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At31.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At33.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At35.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At37.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At39.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At41.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At43.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At45.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At47.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At5.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At7.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\windows\Tasks\At9.job
- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-28 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-11-11 13:55]
.
2012-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-29 21:19]
.
2012-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-29 21:19]
.
2011-07-17 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2011-03-08 06:54]
.
2012-01-27 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 09:04]
.
2012-01-28 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 09:04]
.
2011-12-10 c:\windows\Tasks\photopadShakeIcon.job
- c:\program files\NCH Software\PhotoPad\photopad.exe [2011-03-08 13:32]
.
2011-12-10 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2011-03-08 06:52]
.
2011-09-12 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-03-08 06:52]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: Search Image on TinEye - file://c:\documents and settings\ET123\My Documents\TinEye 1.0\TinEye.js
IE: Translate this web page with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
Trusted Zone: localhost
TCP: DhcpNameServer = 203.161.127.1 203.153.224.42
FF - ProfilePath - c:\documents and settings\ET123\Application Data\Mozilla\Firefox\Profiles\d7151wic.default\
FF - prefs.js: browser.search.selectedEngine - Search Results
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ff ... 06&sr=0&q=
FF - prefs.js: network.proxy.ftp - proxy.starhub.net.sg
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - proxy.starhub.net.sg
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-conduitEngine - c:\progra~1\CONDUI~1\ConduitEngineUninstall.exe
AddRemove-NCH_EN Toolbar - c:\progra~1\NCH_EN\UNINST~1.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-28 09:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-01-28 10:01:10
ComboFix-quarantined-files.txt 2012-01-28 02:01
ComboFix2.txt 2012-01-27 21:27
.
Pre-Run: 12,202,217,472 bytes free
Post-Run: 12,180,922,368 bytes free
.
- - End Of File - - E826523ED97A62AAC749CE2042F45433
kiap
Active Member
 
Posts: 12
Joined: January 27th, 2012, 12:55 am
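As an added example (not ComboFix's code or anything posted in this thread), a Python helper that parses the 'Scheduled Tasks' section of a ComboFix report like the one above and flags the pattern it shows: many At<N>.job tasks all launching one freshly created file under system32. The sample listing is constructed from a handful of the lines above.

```python
"""Triage the 'Scheduled Tasks' section of a ComboFix report for At*.job persistence."""
import re
from collections import defaultdict

# Constructed sample in the shape of ComboFix's task listing; the task names and
# the uo2s7P5.com target are copied from the log posted above, the rest is trimmed.
SAMPLE_LOG = """\
Contents of the 'Scheduled Tasks' folder
.
2012-01-25 c:\\windows\\Tasks\\AppleSoftwareUpdate.job
- c:\\program files\\Apple Software Update\\SoftwareUpdate.exe [2009-10-22 03:50]
.
2012-01-27 c:\\windows\\Tasks\\At1.job
- c:\\windows\\system32\\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\\windows\\Tasks\\At3.job
- c:\\windows\\system32\\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-27 c:\\windows\\Tasks\\At5.job
- c:\\windows\\system32\\uo2s7P5.com [2012-01-27 02:52]
.
2012-01-28 c:\\windows\\Tasks\\GoogleUpdateTaskMachineCore.job
- c:\\program files\\Google\\Update\\GoogleUpdate.exe [2010-10-29 21:19]
.
.
------- Supplementary Scan -------
"""

SECTION_HEADER = "Contents of the 'Scheduled Tasks' folder"
# e.g. "2012-01-27 c:\windows\Tasks\At1.job"
JOB_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (.+?\\tasks\\(.+?\.job))$", re.IGNORECASE)
# e.g. "- c:\windows\system32\uo2s7P5.com [2012-01-27 02:52]" (timestamp optional)
TARGET_LINE = re.compile(r"^- (.+?)(?: \[(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\])?$")
AT_JOB = re.compile(r"^at\d+\.job$", re.IGNORECASE)


def parse_scheduled_tasks(log_text):
    """Return one {'date', 'job', 'target', 'target_stamp'} dict per .job entry."""
    tasks = []
    in_section = False
    pending = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == SECTION_HEADER
            continue
        if line.startswith("-------") or line.startswith("(((("):
            break  # start of the next ComboFix section
        m = JOB_LINE.match(line)
        if m:
            pending = {"date": m.group(1), "job": m.group(3),
                       "target": None, "target_stamp": None}
            tasks.append(pending)
            continue
        m = TARGET_LINE.match(line)
        if m and pending is not None:
            pending["target"] = m.group(1).lower()  # normalise for grouping
            pending["target_stamp"] = m.group(2)
            pending = None
    return tasks


def find_at_job_clusters(tasks, min_jobs=2):
    """Group At<N>.job tasks by target; keep targets launched by >= min_jobs of them."""
    by_target = defaultdict(list)
    for t in tasks:
        if t["target"] and AT_JOB.match(t["job"]):
            by_target[t["target"]].append(t["job"])
    return {tgt: jobs for tgt, jobs in by_target.items() if len(jobs) >= min_jobs}


def triage(tasks):
    """Human-readable findings for the two things worth a second look in the listing."""
    findings = []
    for target, jobs in find_at_job_clusters(tasks).items():
        findings.append(f"{len(jobs)} At*.job tasks share one target: {target} "
                        f"({', '.join(jobs)})")
    # A scheduler target under system32 that is not an .exe is unusual for
    # legitimate software; in the log above it is the dropped .com file.
    odd = sorted({t["target"] for t in tasks
                  if t["target"] and "\\system32\\" in t["target"]
                  and not t["target"].endswith(".exe")})
    for target in odd:
        findings.append(f"non-.exe scheduled from system32: {target}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_scheduled_tasks(SAMPLE_LOG)):
        print(finding)
```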

Re: Malware preventing mbam.exe or wscript.exe from starting

Unread postby kiap » January 27th, 2012, 10:58 pm

Part 2: TDSSKiller did not seem to find anything for me to skip:
*******

10:10:10.0531 1224 TDSS rootkit removing tool 2.7.7.0 Jan 24 2012 16:44:27
10:10:11.0500 1224 ============================================================
10:10:11.0500 1224 Current date / time: 2012/01/28 10:10:11.0500
10:10:11.0500 1224 SystemInfo:
10:10:11.0500 1224
10:10:11.0500 1224 OS Version: 5.1.2600 ServicePack: 3.0
10:10:11.0500 1224 Product type: Workstation
10:10:11.0500 1224 ComputerName: ET-LAPTOP1
10:10:11.0500 1224 UserName: ET123
10:10:11.0500 1224 Windows directory: C:\WINDOWS
10:10:11.0500 1224 System windows directory: C:\WINDOWS
10:10:11.0500 1224 Processor architecture: Intel x86
10:10:11.0500 1224 Number of processors: 2
10:10:11.0500 1224 Page size: 0x1000
10:10:11.0500 1224 Boot type: Normal boot
10:10:11.0500 1224 ============================================================
10:10:13.0828 1224 Drive \Device\Harddisk0\DR0 - Size: 0x1248119400 (73.13 Gb), SectorSize: 0x200, Cylinders: 0x254A, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
10:10:14.0140 1224 Initialize success
10:10:18.0781 2528 ============================================================
10:10:18.0781 2528 Scan started
10:10:18.0781 2528 Mode: Manual;
10:10:18.0781 2528 ============================================================
10:10:54.0750 2528 mnmdd - ok
10:10:55.0265 2528 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
10:10:55.0265 2528 Modem - ok
10:10:55.0578 2528 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
10:10:55.0578 2528 Mouclass - ok
10:10:55.0968 2528 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
10:10:55.0968 2528 mouhid - ok
10:10:56.0906 2528 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
10:10:56.0921 2528 MountMgr - ok
10:10:57.0265 2528 MPE (c0f8e0c2c3c0437cf37c6781896dc3ec) C:\WINDOWS\system32\DRIVERS\MPE.sys
10:10:57.0281 2528 MPE - ok
10:10:57.0468 2528 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
10:10:57.0468 2528 mraid35x - ok
10:10:57.0593 2528 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
10:10:57.0609 2528 MRxDAV - ok
10:10:57.0890 2528 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
10:10:58.0000 2528 MRxSmb - ok
10:10:59.0234 2528 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
10:10:59.0250 2528 Msfs - ok
10:10:59.0734 2528 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
10:10:59.0750 2528 MSKSSRV - ok
10:11:00.0156 2528 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
10:11:00.0171 2528 MSPCLOCK - ok
10:11:00.0656 2528 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
10:11:00.0687 2528 MSPQM - ok
10:11:01.0109 2528 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
10:11:01.0109 2528 mssmbios - ok
10:11:01.0343 2528 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
10:11:01.0343 2528 MSTEE - ok
10:11:01.0968 2528 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
10:11:01.0984 2528 Mup - ok
10:11:02.0484 2528 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
10:11:02.0515 2528 NABTSFEC - ok
10:11:02.0609 2528 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
10:11:02.0625 2528 NDIS - ok
10:11:02.0781 2528 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
10:11:02.0781 2528 NdisIP - ok
10:11:02.0968 2528 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
10:11:02.0968 2528 NdisTapi - ok
10:11:03.0171 2528 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
10:11:03.0171 2528 Ndisuio - ok
10:11:03.0375 2528 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
10:11:03.0375 2528 NdisWan - ok
10:11:03.0859 2528 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
10:11:03.0890 2528 NDProxy - ok
10:11:04.0296 2528 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
10:11:04.0296 2528 NetBIOS - ok
10:11:04.0546 2528 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
10:11:04.0546 2528 NetBT - ok
10:11:04.0765 2528 NETw4x32 (12b0d99865434387f784268b70e23360) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys
10:11:04.0812 2528 NETw4x32 - ok
10:11:04.0953 2528 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
10:11:04.0953 2528 NIC1394 - ok
10:11:05.0031 2528 NPF (b48dc6abcd3aeff8618350ccbdc6b09a) C:\WINDOWS\system32\drivers\npf.sys
10:11:05.0046 2528 NPF - ok
10:11:05.0328 2528 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
10:11:05.0328 2528 Npfs - ok
10:11:05.0703 2528 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
10:11:05.0812 2528 Ntfs - ok
10:11:06.0171 2528 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
10:11:06.0187 2528 Null - ok
10:11:06.0734 2528 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
10:11:06.0859 2528 nv - ok
10:11:07.0125 2528 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
10:11:07.0125 2528 NwlnkFlt - ok
10:11:07.0390 2528 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
10:11:07.0390 2528 NwlnkFwd - ok
10:11:07.0437 2528 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
10:11:07.0437 2528 ohci1394 - ok
10:11:07.0625 2528 omci (b17228142cec9b3c222239fd935a37ca) C:\WINDOWS\system32\DRIVERS\omci.sys
10:11:07.0625 2528 omci - ok
10:11:07.0671 2528 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
10:11:07.0687 2528 Parport - ok
10:11:07.0687 2528 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
10:11:07.0687 2528 PartMgr - ok
10:11:07.0734 2528 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
10:11:07.0734 2528 ParVdm - ok
10:11:07.0781 2528 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
10:11:07.0781 2528 PCI - ok
10:11:07.0796 2528 PCIDump - ok
10:11:07.0828 2528 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
10:11:07.0828 2528 PCIIde - ok
10:11:08.0000 2528 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
10:11:08.0000 2528 Pcmcia - ok
10:11:08.0015 2528 PDCOMP - ok
10:11:08.0078 2528 PDFRAME - ok
10:11:08.0093 2528 PDRELI - ok
10:11:08.0109 2528 PDRFRAME - ok
10:11:08.0156 2528 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
10:11:08.0156 2528 perc2 - ok
10:11:08.0171 2528 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
10:11:08.0171 2528 perc2hib - ok
10:11:08.0234 2528 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
10:11:08.0234 2528 PptpMiniport - ok
10:11:08.0250 2528 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
10:11:08.0265 2528 PSched - ok
10:11:08.0328 2528 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
10:11:08.0328 2528 PSI - ok
10:11:08.0468 2528 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
10:11:08.0468 2528 Ptilink - ok
10:11:08.0500 2528 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
10:11:08.0500 2528 PxHelp20 - ok
10:11:08.0531 2528 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
10:11:08.0531 2528 ql1080 - ok
10:11:08.0546 2528 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
10:11:08.0546 2528 Ql10wnt - ok
10:11:08.0562 2528 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
10:11:08.0562 2528 ql12160 - ok
10:11:08.0578 2528 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
10:11:08.0578 2528 ql1240 - ok
10:11:08.0593 2528 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
10:11:08.0593 2528 ql1280 - ok
10:11:08.0625 2528 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
10:11:08.0625 2528 RasAcd - ok
10:11:08.0703 2528 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
10:11:08.0703 2528 Rasl2tp - ok
10:11:09.0015 2528 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
10:11:09.0015 2528 RasPppoe - ok
10:11:09.0078 2528 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
10:11:09.0078 2528 Raspti - ok
10:11:09.0093 2528 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
10:11:09.0109 2528 Rdbss - ok
10:11:09.0156 2528 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
10:11:09.0156 2528 RDPCDD - ok
10:11:09.0187 2528 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
10:11:09.0187 2528 rdpdr - ok
10:11:09.0343 2528 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
10:11:09.0343 2528 RDPWD - ok
10:11:09.0406 2528 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
10:11:09.0406 2528 redbook - ok
10:11:09.0468 2528 rimmptsk (24ed7af20651f9fa1f249482e7c1f165) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
10:11:09.0468 2528 rimmptsk - ok
10:11:09.0484 2528 rimsptsk (1bdba2d2d402415a78a4ba766dfe0f7b) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
10:11:09.0484 2528 rimsptsk - ok
10:11:09.0500 2528 rismxdp (f774ecd11a064f0debb2d4395418153c) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
10:11:09.0515 2528 rismxdp - ok
10:11:09.0531 2528 RTWTKRNL - ok
10:11:09.0546 2528 s24trans - ok
10:11:09.0593 2528 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
10:11:09.0609 2528 sdbus - ok
10:11:09.0656 2528 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
10:11:09.0656 2528 Secdrv - ok
10:11:09.0843 2528 Ser2pl (b490ad520257dda26c1d587a71e527b5) C:\WINDOWS\system32\DRIVERS\ser2pl.sys
10:11:09.0843 2528 Ser2pl - ok
10:11:09.0875 2528 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
10:11:09.0875 2528 serenum - ok
10:11:09.0937 2528 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
10:11:09.0953 2528 Serial - ok
10:11:10.0015 2528 sermouse (1f16931c722c69e4a7866244796c66a0) C:\WINDOWS\system32\DRIVERS\sermouse.sys
10:11:10.0015 2528 sermouse - ok
10:11:10.0062 2528 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
10:11:10.0062 2528 Sfloppy - ok
10:11:10.0234 2528 silabenm (c16173316918a1360dc22947c4ff6352) C:\WINDOWS\system32\DRIVERS\silabenm.sys
10:11:10.0234 2528 silabenm - ok
10:11:10.0296 2528 silabser (f016ea11c5da9406b118b70dee89ca34) C:\WINDOWS\system32\DRIVERS\silabser.sys
10:11:10.0312 2528 silabser - ok
10:11:10.0328 2528 Simbad - ok
10:11:10.0453 2528 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
10:11:10.0453 2528 sisagp - ok
10:11:10.0515 2528 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
10:11:10.0515 2528 SLIP - ok
10:11:10.0562 2528 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
10:11:10.0562 2528 Sparrow - ok
10:11:10.0687 2528 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
10:11:10.0687 2528 splitter - ok
10:11:10.0765 2528 sp_rsdrv2 (6175806b11f19a5e531a66a71361e297) C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
10:11:10.0765 2528 sp_rsdrv2 - ok
10:11:10.0812 2528 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
10:11:10.0828 2528 sr - ok
10:11:10.0906 2528 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
10:11:10.0906 2528 Srv - ok
10:11:10.0953 2528 sscdbhk5 (98625722ad52b40305e74aaa83c93086) C:\WINDOWS\system32\drivers\sscdbhk5.sys
10:11:10.0953 2528 sscdbhk5 - ok
10:11:11.0109 2528 ssrtln (d79412e3942c8a257253487536d5a994) C:\WINDOWS\system32\drivers\ssrtln.sys
10:11:11.0109 2528 ssrtln - ok
10:11:11.0218 2528 STHDA (3ad78e22210d3fbd9f76de84a8df19b5) C:\WINDOWS\system32\drivers\sthda.sys
10:11:11.0234 2528 STHDA - ok
10:11:11.0437 2528 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
10:11:11.0453 2528 streamip - ok
10:11:11.0531 2528 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
10:11:11.0562 2528 swenum - ok
10:11:11.0625 2528 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
10:11:11.0640 2528 swmidi - ok
10:11:11.0687 2528 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
10:11:11.0703 2528 symc810 - ok
10:11:11.0703 2528 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
10:11:11.0718 2528 symc8xx - ok
10:11:11.0734 2528 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
10:11:11.0734 2528 sym_hi - ok
10:11:11.0750 2528 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
10:11:11.0750 2528 sym_u3 - ok
10:11:11.0828 2528 SynTP (fa2daa32bed908023272a0f77d625dae) C:\WINDOWS\system32\DRIVERS\SynTP.sys
10:11:11.0828 2528 SynTP - ok
10:11:12.0000 2528 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
10:11:12.0000 2528 sysaudio - ok
10:11:12.0078 2528 Tcpip (ad978a1b783b5719720cff204b666c8e) C:\WINDOWS\system32\DRIVERS\tcpip.sys
10:11:12.0093 2528 Tcpip - ok
10:11:12.0250 2528 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
10:11:12.0250 2528 TDPIPE - ok
10:11:12.0281 2528 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
10:11:12.0296 2528 TDTCP - ok
10:11:12.0312 2528 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
10:11:12.0312 2528 TermDD - ok
10:11:12.0390 2528 tfsnboio (d0177776e11b0b3f272eebd262a69661) C:\WINDOWS\system32\dla\tfsnboio.sys
10:11:12.0390 2528 tfsnboio - ok
10:11:12.0437 2528 tfsncofs (599804bc938b8305a5422319774da871) C:\WINDOWS\system32\dla\tfsncofs.sys
10:11:12.0453 2528 tfsncofs - ok
10:11:12.0453 2528 tfsndrct (a1902c00adc11c4d83f8e3ed947a6a32) C:\WINDOWS\system32\dla\tfsndrct.sys
10:11:12.0468 2528 tfsndrct - ok
10:11:12.0500 2528 tfsndres (d8ddb3f2b1bef15cff6728d89c042c61) C:\WINDOWS\system32\dla\tfsndres.sys
10:11:12.0500 2528 tfsndres - ok
10:11:12.0640 2528 tfsnifs (c4f2dea75300971cdaee311007de138d) C:\WINDOWS\system32\dla\tfsnifs.sys
10:11:12.0640 2528 tfsnifs - ok
10:11:12.0656 2528 tfsnopio (272925be0ea919f08286d2ee6f102b0f) C:\WINDOWS\system32\dla\tfsnopio.sys
10:11:12.0656 2528 tfsnopio - ok
10:11:12.0671 2528 tfsnpool (7b7d955e5cebc2fb88b03ef875d52a2f) C:\WINDOWS\system32\dla\tfsnpool.sys
10:11:12.0671 2528 tfsnpool - ok
10:11:12.0687 2528 tfsnudf (e3d01263109d800c1967c12c10a0b018) C:\WINDOWS\system32\dla\tfsnudf.sys
10:11:12.0687 2528 tfsnudf - ok
10:11:12.0703 2528 tfsnudfa (b9e9c377906e3a65bc74598fff7f7458) C:\WINDOWS\system32\dla\tfsnudfa.sys
10:11:12.0703 2528 tfsnudfa - ok
10:11:12.0765 2528 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
10:11:12.0765 2528 TosIde - ok
10:11:12.0812 2528 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
10:11:12.0812 2528 Udfs - ok
10:11:12.0828 2528 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
10:11:12.0828 2528 ultra - ok
10:11:12.0875 2528 umpusbxp (4685ca976167ef2bbab18694346062df) C:\WINDOWS\system32\DRIVERS\umpusbxp.sys
10:11:12.0875 2528 umpusbxp - ok
10:11:12.0937 2528 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
10:11:12.0953 2528 Update - ok
10:11:13.0140 2528 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
10:11:13.0156 2528 usbccgp - ok
10:11:13.0281 2528 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
10:11:13.0281 2528 usbehci - ok
10:11:13.0390 2528 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
10:11:13.0390 2528 usbhub - ok
10:11:13.0546 2528 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
10:11:13.0546 2528 usbprint - ok
10:11:13.0625 2528 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
10:11:13.0625 2528 USBSTOR - ok
10:11:13.0671 2528 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
10:11:13.0703 2528 usbuhci - ok
10:11:14.0859 2528 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
10:11:14.0859 2528 VgaSave - ok
10:11:17.0734 2528 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
10:11:17.0750 2528 viaagp - ok
10:11:18.0250 2528 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
10:11:18.0250 2528 ViaIde - ok
10:11:18.0296 2528 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
10:11:18.0296 2528 VolSnap - ok
10:11:18.0875 2528 w39n51 (95c7421f8bafc85ba09d33364058937d) C:\WINDOWS\system32\DRIVERS\w39n51.sys
10:11:19.0031 2528 w39n51 - ok
10:11:19.0406 2528 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
10:11:19.0406 2528 Wanarp - ok
10:11:19.0859 2528 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
10:11:19.0906 2528 Wdf01000 - ok
10:11:20.0171 2528 WDICA - ok
10:11:20.0296 2528 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
10:11:20.0328 2528 wdmaud - ok
10:11:20.0953 2528 winachsf (74cf3f2e4e40c4a2e18d39d6300a5c24) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
10:11:21.0000 2528 winachsf - ok
10:11:21.0765 2528 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
10:11:21.0765 2528 WmiAcpi - ok
10:11:22.0234 2528 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
10:11:22.0234 2528 WS2IFSL - ok
10:11:22.0531 2528 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
10:11:22.0531 2528 WSTCODEC - ok
10:11:22.0750 2528 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
10:11:22.0781 2528 WudfPf - ok
10:11:22.0953 2528 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
10:11:22.0953 2528 WudfRd - ok
10:11:23.0031 2528 MBR (0x1B8) (dea9e81f0228b68c9adaf84c9b0cf931) \Device\Harddisk0\DR0
10:11:23.0078 2528 \Device\Harddisk0\DR0 - ok
10:11:23.0109 2528 Boot (0x1200) (d50f26819add23cd6a5d1431f22c4839) \Device\Harddisk0\DR0\Partition0
10:11:23.0218 2528 \Device\Harddisk0\DR0\Partition0 - ok
10:11:23.0218 2528 ============================================================
10:11:23.0218 2528 Scan finished
10:11:23.0218 2528 ============================================================
10:11:23.0218 2636 Detected object count: 0
10:11:23.0218 2636 Actual detected object count: 0
10:12:42.0281 0480 Deinitialize success
kiap
Active Member
 
Posts: 12
Joined: January 27th, 2012, 12:55 am

Re: Malware preventing mbam.exe or wscript.exe from starting

Unread postby kiap » January 27th, 2012, 11:07 pm

Part 3 Junction. I think I may have stuffed up on this one as I opened the junction.exe file directly instead of via the cmd line provided. After I had already agreed to the scanner's prompt I closed the console window and ran it via the cmd line as intended. After many minutes I got a log file but it looks to have errors:

*********

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

...

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities 2010\TTUSvc.tt: Access is denied.

...

Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.

...

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

...
kiap
Active Member
 
Posts: 12
Joined: January 27th, 2012, 12:55 am

Re: Malware preventing mbam.exe or wscript.exe from starting

Unread postby Gary R » January 28th, 2012, 2:50 am

When Combofix offered a new version you should have answered Yes, but no problem, there's no need to run another scan. Junction logs are meant to look like the one you posted so no problem there either.

We still have work to do though ....

First

Download the OTL Scanner
Please download OTL.exe by OldTimer and save it to your desktop.
----------------------------------------------
Perform a Custom Fix with OTL
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box:
    :processes
    killallprocesses
    
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Start Page"=-
    [-HKEY_CURRENT_USER\Software\AppDataLow\Software\searchqutoolbar]
    [-HKEY_CURRENT_USER\Software\DataMngr]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bandoo]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Searchqu 406 MediaBar]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\menuorder\start menu2\programs\bandoo]
    [-HKEY_CURRENT_USER\Software\Trolltech]
    [-HKEY_CURRENT_USER\Software\ilivid]
    [-HKEY_CURRENT_USER\Software\searchqutoolbar]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\DataMngr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Bandoo]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BandooCore.EXE]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1301A8A5-3DFB-4731-A162-B357D00C9644}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iLividSetupV1.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.BandooCore.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.BandooCore]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.ResourcesMngr.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.ResourcesMngr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.SettingsMngr.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.SettingsMngr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.StatisticMngr.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.StatisticMngr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27F69C85-64E1-43CE-98B5-3C9F22FB408E}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B543EF05-9758-464E-9F37-4C28525B4A4C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB76A90B-2B4C-4378-8506-9A2B6E16943C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{477F210A-2A86-4666-9C4B-1189634D2C84}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FF871E51-2655-4D06-AED5-745962A96B32}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}\1.0]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8F5F1CB6-EA9E-40AF-A5CA-C7FD63CC1971}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f000001-db8e-f89c-2fec-49bf726f8c12}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\ilivid.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASMANCS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SetupDataMngr_searchqu_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SetupDataMngr_searchqu_RASMANCS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASMANCS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079a25-328f-4bd4-be04-00955acaa0a7}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Searchqu 406 MediaBar]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\SearchquMediabarTb]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{27f69c85-64e1-43ce-98b5-3c9f22fb408e}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{b543ef05-9758-464e-9f37-4c28525b4a4c}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\typelib\{8f5f1cb6-ea9e-40af-a5ca-c7fd63cc1971}\1.0]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\currentversion\app management\arpcache\searchqu 406 mediabar]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{a40dc6c5-79d0-4ca8-a185-8ff989af1115}\inprocserver32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{cc1ac828-bb47-4361-afb5-96eee259dd87}\inprocserver32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{fefd3af5-a346-4451-aa23-a3ad54915515}\inprocserver32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\typelib\{5b4144e1-b61d-495a-9a50-cd1a95d86d15}\1.0]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\typelib\{6a4bcaba-c437-4c76-a54e-af31b8a76cb9}\1.0]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\typelib\{841d5a49-e48d-413c-9c28-eb3d9081d705}\1.0]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\internet explorer\low rights\elevationpolicy\{99079a25-328f-4bd4-be04-00955acaa0a7}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\internet explorer\low rights\elevationpolicy\{d0a4be92-2216-42db-ab35-d72efb9f0176}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\shared tools\msconfig\startupreg\datamngr]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E1E743B1-DFF5-4DCF-8CD5-9AAFD552B290}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E1E743B1-DFF5-4DCF-8CD5-9AAFD552B290}]
    
    :Files
    C:\Program Files\Windows iLivid Toolbar
    C:\Program Files\iLivid
    C:\Windows\Prefetch\ILIVID*
    C:\Windows\Prefetch\SEARCHQUMEDIABAR*
    C:\Windows\Prefetch\SETUPDATAMNGR*
    c:\windows\Tasks\At*.job
    c:\windows\system32\uo2s7P5.com
    
    :Commands
    [EMPTYTEMP]
    [CREATERESTOREPOINT]
    [Reboot]
    
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, it will reboot the PC when it is done.
  • It should open a log on your desktop.
  • Please post me the log it creates.

Next

Download SystemLook from one of the links below and save it to your Desktop.
Download links for 32 bit Windows:
Download Mirror #1
Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *Fun4IM*
    *Bandoo*
    *Searchqu*
    *iLivid*
    *whitesmoke*
    *datamngr*
    *trolltech*
    *SweetIM*
    
    :folderfind
    *Fun4IM*
    *Bandoo*
    *Searchqu*
    *iLivid*
    *whitesmoke*
    *datamngr*
    *trolltech*
    *SweetIM*
    
    :Regfind
    Fun4IM
    Bandoo
    Searchqu
    iLivid
    whitesmoke
    datamngr
    kelkoopartners
    trolltech
    SweetIM
    
    
  • Click the Look button to start the scan.
    Because of the Registry searches, the scan may take 15 minutes or a bit more to run on a large machine. Please be patient.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Summary of the logs I need from you in your next post:
  • OTL fix log
  • SystemLook.txt


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present; if any log is cut off you'll have to post it in sections.
Gary R
Administrator
 
Posts: 21864
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
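Added here as a worked example (it is not OTL's code and was not posted in the thread): a small reconciler that reads the :Reg section of an OTL fix script like the one above together with the "Registry key ... deleted successfully" / "... not found" lines OTL writes back, so you can see which of the listed keys actually existed on the machine, which ones OTL checked on its own, and which directives are malformed. The script and log text embedded in it are constructed from the formats shown in this thread; the assumption that OTL adds a CLSID check of its own for GUID-named keys is taken from the log posted in the next reply, not from OTL documentation.

```python
"""Reconcile an OTL custom fix script with the fix log OTL writes back.
Added example: not OTL's code and not posted in this thread. The script and
log below are constructed from the formats shown in the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

KEY_DELETE = re.compile(r"^\[-(.+)\]$")        # [-HKEY\...]  delete the whole key
KEY_CONTEXT = re.compile(r"^\[(?!-)(.+)\]$")   # [HKEY\...]   following "Name"=- lines apply here
VALUE_DELETE = re.compile(r'^"(.+)"=-$')       # "Name"=-     delete one value under the context key
# One log line per registry target OTL acted on; keys carry a trailing backslash.
LOG_LINE = re.compile(r"^Registry (key|value) (.+?)\\? (deleted successfully|not found)\.$")

# Constructed sample script. The TypeLib line deliberately lacks its closing
# bracket so the malformed-directive check is exercised.
FIX_SCRIPT = r"""
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"=-
[-HKEY_CURRENT_USER\Software\DataMngr]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}]
[-HKEY_CURRENT_USER\Software\Trolltech]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8F5F1CB6-EA9E-40AF-A5CA-C7FD63CC1971}
[-HKEY_LOCAL_MACHINE\SOFTWARE\SearchquMediabarTb]

:Commands
[EMPTYTEMP]
"""

# Constructed sample log. SearchquMediabarTb is left out on purpose (exercises
# 'unreported'); the CLSID line is the kind of follow-up check OTL adds itself
# for GUID-named keys (assumed from the log in the thread), so it is not in the script.
FIX_LOG = r"""
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page deleted successfully.
Registry key HKEY_CURRENT_USER\Software\DataMngr\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\ not found.
Registry key HKEY_CURRENT_USER\Software\Trolltech\ deleted successfully.
"""


def _norm(path: str) -> str:
    """Drop OTL's trailing backslash; the registry is case-insensitive."""
    return path.rstrip("\\").casefold()


def parse_fix_script(text: str) -> tuple[list[str], list[str]]:
    """Return (registry targets named in :Reg, malformed :Reg lines), in script order."""
    targets, malformed, section, context = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):                 # section header such as :Reg or :Files
            section, context = line.casefold(), None
            continue
        if section != ":reg":
            continue
        if m := KEY_DELETE.match(line):
            targets.append(_norm(m.group(1)))
            context = None
        elif m := KEY_CONTEXT.match(line):
            context = m.group(1)
        elif (m := VALUE_DELETE.match(line)) and context is not None:
            targets.append(_norm(context + "\\\\" + m.group(1)))  # OTL logs values as KEY\\Name
        else:
            malformed.append(line)               # e.g. a [-KEY directive missing its ]
    return targets, malformed


def parse_fix_log(text: str) -> dict[str, str]:
    """Map each registry path in the REGISTRY section to 'deleted' or 'not_found'."""
    outcome: dict[str, str] = {}
    for raw in text.splitlines():
        if m := LOG_LINE.match(raw.strip()):
            outcome[_norm(m.group(2))] = "deleted" if m.group(3) == "deleted successfully" else "not_found"
    return outcome


@dataclass
class Report:
    deleted: list[str]      # named in the script, existed, removed
    not_found: list[str]    # named in the script, already absent
    unreported: list[str]   # named in the script but never mentioned in the log: re-check by hand
    extra: list[str]        # in the log but not named in the script (OTL's own follow-up checks)
    malformed: list[str]    # :Reg lines OTL could not have acted on


def reconcile(script_text: str, log_text: str) -> Report:
    targets, malformed = parse_fix_script(script_text)
    outcome = parse_fix_log(log_text)
    buckets: dict = {"deleted": [], "not_found": [], None: []}
    for target in targets:
        buckets[outcome.get(target)].append(target)
    extra = [path for path in outcome if path not in set(targets)]
    return Report(buckets["deleted"], buckets["not_found"], buckets[None], extra, malformed)
```

Running reconcile(FIX_SCRIPT, FIX_LOG) on the embedded samples puts Start Page and Trolltech under deleted, DataMngr and the SearchScopes key under not_found, SearchquMediabarTb under unreported, the CLSID check under extra, and the unterminated TypeLib line under malformed.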

Re: Malware preventing mbam.exe or wscript.exe from starting

Unread postby kiap » January 28th, 2012, 4:45 am

Many thanks. Yeah, should've checked on the Combofix update question. Was wary of changing midstream after only downloading it a few hours earlier and the computer having been off-line since.

Part1: OTL did an auto reboot, and produced this log:
*********

All processes killed
========== PROCESSES ==========
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page deleted successfully.
Registry key HKEY_CURRENT_USER\Software\AppDataLow\Software\searchqutoolbar\ not found.
Registry key HKEY_CURRENT_USER\Software\DataMngr\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bandoo\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Searchqu 406 MediaBar\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\menuorder\start menu2\programs\bandoo\ not found.
Registry key HKEY_CURRENT_USER\Software\Trolltech\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\ilivid\ not found.
Registry key HKEY_CURRENT_USER\Software\searchqutoolbar\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\DataMngr\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Bandoo\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BandooCore.EXE\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1301A8A5-3DFB-4731-A162-B357D00C9644}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1301A8A5-3DFB-4731-A162-B357D00C9644}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iLividSetupV1.exe\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.BandooCore.1\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.BandooCore\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.ResourcesMngr.1\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.ResourcesMngr\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.SettingsMngr.1\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.SettingsMngr\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.StatisticMngr.1\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.StatisticMngr\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27F69C85-64E1-43CE-98B5-3C9F22FB408E}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27F69C85-64E1-43CE-98B5-3C9F22FB408E}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B543EF05-9758-464E-9F37-4C28525B4A4C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B543EF05-9758-464E-9F37-4C28525B4A4C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB76A90B-2B4C-4378-8506-9A2B6E16943C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB76A90B-2B4C-4378-8506-9A2B6E16943C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{477F210A-2A86-4666-9C4B-1189634D2C84}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{477F210A-2A86-4666-9C4B-1189634D2C84}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FF871E51-2655-4D06-AED5-745962A96B32}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FF871E51-2655-4D06-AED5-745962A96B32}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard.1\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}\1.0\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8F5F1CB6-EA9E-40AF-A5CA-C7FD63CC1971\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F5F1CB6-EA9E-40AF-A5CA-C7FD63CC1971\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f000001-db8e-f89c-2fec-49bf726f8c12}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7f000001-db8e-f89c-2fec-49bf726f8c12}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9189560-573A-4fde-B055-AE7B0F4CF080}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\ilivid.exe\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASAPI32\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASMANCS\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SetupDataMngr_searchqu_RASAPI32\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SetupDataMngr_searchqu_RASMANCS\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASAPI32\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASMANCS\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079a25-328f-4bd4-be04-00955acaa0a7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Searchqu 406 MediaBar\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\SearchquMediabarTb\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{27f69c85-64e1-43ce-98b5-3c9f22fb408e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27f69c85-64e1-43ce-98b5-3c9f22fb408e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{b543ef05-9758-464e-9f37-4c28525b4a4c}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b543ef05-9758-464e-9f37-4c28525b4a4c}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\typelib\{8f5f1cb6-ea9e-40af-a5ca-c7fd63cc1971}\1.0\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\currentversion\app management\arpcache\searchqu 406 mediabar\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{a40dc6c5-79d0-4ca8-a185-8ff989af1115}\inprocserver32\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{cc1ac828-bb47-4361-afb5-96eee259dd87}\inprocserver32\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{fefd3af5-a346-4451-aa23-a3ad54915515}\inprocserver32\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\typelib\{5b4144e1-b61d-495a-9a50-cd1a95d86d15}\1.0\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\typelib\{6a4bcaba-c437-4c76-a54e-af31b8a76cb9}\1.0\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\typelib\{841d5a49-e48d-413c-9c28-eb3d9081d705}\1.0\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\internet explorer\low rights\elevationpolicy\{99079a25-328f-4bd4-be04-00955acaa0a7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\internet explorer\low rights\elevationpolicy\{d0a4be92-2216-42db-ab35-d72efb9f0176}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d0a4be92-2216-42db-ab35-d72efb9f0176}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\shared tools\msconfig\startupreg\datamngr\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E1E743B1-DFF5-4DCF-8CD5-9AAFD552B290}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E1E743B1-DFF5-4DCF-8CD5-9AAFD552B290}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E1E743B1-DFF5-4DCF-8CD5-9AAFD552B290}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E1E743B1-DFF5-4DCF-8CD5-9AAFD552B290}\ not found.
========== FILES ==========
File\Folder C:\Program Files\Windows iLivid Toolbar not found.
File\Folder C:\Program Files\iLivid not found.
File\Folder C:\Windows\Prefetch\ILIVID* not found.
File\Folder C:\Windows\Prefetch\SEARCHQUMEDIABAR* not found.
File\Folder C:\Windows\Prefetch\SETUPDATAMNGR* not found.
c:\windows\Tasks\At1.job moved successfully.
c:\windows\Tasks\At11.job moved successfully.
c:\windows\Tasks\At13.job moved successfully.
c:\windows\Tasks\At15.job moved successfully.
c:\windows\Tasks\At17.job moved successfully.
c:\windows\Tasks\At19.job moved successfully.
c:\windows\Tasks\At21.job moved successfully.
c:\windows\Tasks\At23.job moved successfully.
c:\windows\Tasks\At25.job moved successfully.
c:\windows\Tasks\At27.job moved successfully.
c:\windows\Tasks\At29.job moved successfully.
c:\windows\Tasks\At3.job moved successfully.
c:\windows\Tasks\At31.job moved successfully.
c:\windows\Tasks\At33.job moved successfully.
c:\windows\Tasks\At35.job moved successfully.
c:\windows\Tasks\At37.job moved successfully.
c:\windows\Tasks\At39.job moved successfully.
c:\windows\Tasks\At41.job moved successfully.
c:\windows\Tasks\At43.job moved successfully.
c:\windows\Tasks\At45.job moved successfully.
c:\windows\Tasks\At47.job moved successfully.
c:\windows\Tasks\At5.job moved successfully.
c:\windows\Tasks\At7.job moved successfully.
c:\windows\Tasks\At9.job moved successfully.
c:\windows\system32\uo2s7P5.com moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: ET123
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 14244 bytes
->FireFox cache emptied: 30389428 bytes
->Flash cache emptied: 566 bytes

User: John M
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 4932 bytes
->Flash cache emptied: 4070 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 439 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 29.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.31.0 log created on 01282012_150143

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
kiap
Active Member
Posts: 12
Joined: January 27th, 2012, 12:55 am

Re: Malware preventing mbam.exe or wscript.exe from starting

Unread postby kiap » January 28th, 2012, 4:47 am

Part2 SystemLook took quite a long time. Log:
*********

SystemLook 30.07.11 by jpshortstuff
Log created at 15:10 on 28/01/2012 by ET123
Administrator - Elevation successful

========== filefind ==========

Searching for "*Fun4IM*"
No files found.

Searching for "*Bandoo*"
No files found.

Searching for "*Searchqu*"
C:\devtools\eclipse\plugins\org.eclipse.platform.source_3.3.3.r33x_r20080129-_19UEl7Ezk_gXF1kouft\src\org.eclipse.search_3.3.1.r331_v20070831-0800\schema\textSearchQueryProvider.exsd --a---- 4253 bytes [01:33 15/01/2009] [12:18 21/02/2008] 3FE41F0287FF94D36EAA319EA5244517
C:\devtools\eclipse3.2\plugins\org.eclipse.platform.source_3.2.1.r321_v20060921-b_XVA-INSQSyMtx\src\org.eclipse.search_3.2.1.r321_v20060726\schema\textSearchQueryProvider.exsd --a---- 4253 bytes [03:20 01/12/2006] [03:58 21/09/2006] 3FE41F0287FF94D36EAA319EA5244517
C:\devtools\rhdevstudio\eclipse\plugins\org.eclipse.platform.source_3.3.2.R33x_v20071022-_19UEksF-G8Yc6bUv3Dz\src\org.eclipse.search_3.3.1.r331_v20070831-0800\schema\textSearchQueryProvider.exsd --a---- 4253 bytes [08:22 16/01/2008] [23:43 23/10/2007] 3FE41F0287FF94D36EAA319EA5244517

Searching for "*iLivid*"
No files found.

Searching for "*whitesmoke*"
C:\Documents and Settings\ET123\Application Data\Mozilla\Firefox\Profiles\d7151wic.default\searchplugins\isearch.whitesmoke.com.xml --a---- 2269 bytes [04:22 30/11/2011] [04:22 30/11/2011] A99972FBF0469108F3DBA8F7844B97DD

Searching for "*datamngr*"
No files found.

Searching for "*trolltech*"
No files found.

Searching for "*SweetIM*"
No files found.

========== folderfind ==========

Searching for "*Fun4IM*"
No folders found.

Searching for "*Bandoo*"
No folders found.

Searching for "*Searchqu*"
C:\Documents and Settings\ET123\Application Data\searchquband d------ [05:20 13/01/2012]

Searching for "*iLivid*"
C:\Documents and Settings\ET123\Local Settings\Application Data\Ilivid Player d------ [05:25 13/01/2012]

Searching for "*whitesmoke*"
No folders found.

Searching for "*datamngr*"
C:\Documents and Settings\ET123\AppData\LocalLow\DataMngr d------ [05:22 13/01/2012]

Searching for "*trolltech*"
No folders found.

Searching for "*SweetIM*"
No folders found.

========== Regfind ==========

Searching for "Fun4IM"
No data found.

Searching for "Bandoo"
No data found.

Searching for "Searchqu"
[HKEY_CURRENT_USER\Software\NCH_EN\toolbar\settings\FeatureProtector]
"IntruderProviderName"="www.searchqu.com"
[HKEY_CURRENT_USER\Software\NCH_EN\toolbar\settings\FeatureProtector]
"IntruderProviderDomain"="www.searchqu.com"
[HKEY_CURRENT_USER\Software\NCH_EN\toolbar\settings\FeatureProtector\HomePage]
"LastIntruderDomain"="www.searchqu.com"
[HKEY_USERS\S-1-5-21-1845647569-1489800997-1204271635-1005\Software\NCH_EN\toolbar\settings\FeatureProtector]
"IntruderProviderName"="www.searchqu.com"
[HKEY_USERS\S-1-5-21-1845647569-1489800997-1204271635-1005\Software\NCH_EN\toolbar\settings\FeatureProtector]
"IntruderProviderDomain"="www.searchqu.com"
[HKEY_USERS\S-1-5-21-1845647569-1489800997-1204271635-1005\Software\NCH_EN\toolbar\settings\FeatureProtector\HomePage]
"LastIntruderDomain"="www.searchqu.com"

Searching for "iLivid"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\iLivid]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Documents and Settings\All Users\Application Data\{B49A644A-1076-4A3D-B124-DAA7862F2318}\iLividSetupV1.exe"="iLivid Installation "
[HKEY_USERS\S-1-5-21-1845647569-1489800997-1204271635-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\iLivid]
[HKEY_USERS\S-1-5-21-1845647569-1489800997-1204271635-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Documents and Settings\All Users\Application Data\{B49A644A-1076-4A3D-B124-DAA7862F2318}\iLividSetupV1.exe"="iLivid Installation "

Searching for "whitesmoke"
No data found.

Searching for "datamngr"
No data found.

Searching for "kelkoopartners"
No data found.

Searching for "trolltech"
No data found.

Searching for "SweetIM"
No data found.

-= EOF =-
kiap
Active Member
Posts: 12
Joined: January 27th, 2012, 12:55 am
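
The SystemLook log above is what Gary R reads to build the next OTL fix: every search term that produced a file, folder or registry hit becomes a line in the following :Files or :Reg block. The script below is an added example for this thread (not SystemLook's own code, and not something either poster wrote) that does that reading mechanically: it splits the log into its filefind / folderfind / Regfind sections, records the hit lines under each search term, and strips the attribute, size, timestamp and hash fields so a bare path is left. SAMPLE_LOG is a constructed abridgement of kiap's log, with the same line formats but fewer entries.

```python
"""Summarise a SystemLook log: which search terms actually hit anything.

Added example for this thread; it is not SystemLook's own code and not
something posted by Gary R or kiap. SAMPLE_LOG below is a constructed
abridgement of the log kiap posted (same line formats, fewer entries).
"""
import re
from collections import OrderedDict

SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 15:10 on 28/01/2012 by ET123
Administrator - Elevation successful

========== filefind ==========

Searching for "*Fun4IM*"
No files found.

Searching for "*whitesmoke*"
C:\Documents and Settings\ET123\Application Data\Mozilla\Firefox\Profiles\d7151wic.default\searchplugins\isearch.whitesmoke.com.xml --a---- 2269 bytes [04:22 30/11/2011] [04:22 30/11/2011] A99972FBF0469108F3DBA8F7844B97DD

========== folderfind ==========

Searching for "*Searchqu*"
C:\Documents and Settings\ET123\Application Data\searchquband d------ [05:20 13/01/2012]

Searching for "*SweetIM*"
No folders found.

========== Regfind ==========

Searching for "Searchqu"
[HKEY_CURRENT_USER\Software\NCH_EN\toolbar\settings\FeatureProtector]
"IntruderProviderName"="www.searchqu.com"

Searching for "Bandoo"
No data found.

-= EOF =-
"""

SECTION_RE = re.compile(r"^=+ (\w+) =+$")          # ========== filefind ==========
SEARCH_RE = re.compile(r'^Searching for "(.+)"$')
NO_HIT_RE = re.compile(r"^No (files|folders|data) found\.$")
# file/folder hit: "<path> <7 attribute chars> ..." e.g. "--a----" or "d------"
ATTR_RE = re.compile(r"^(?P<path>.+?) (?P<attrs>[-dahrs]{7}) ")


def parse_systemlook(text):
    """Return {section: {search term: [hit lines]}}; an empty list means no hits."""
    result = OrderedDict()
    section = term = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            result[section] = OrderedDict()
            term = None
            continue
        if section is None or line == "-= EOF =-":
            continue                      # banner lines before the first section
        m = SEARCH_RE.match(line)
        if m:
            term = m.group(1)
            result[section][term] = []
            continue
        if not line or term is None or NO_HIT_RE.match(line):
            continue
        result[section][term].append(line)
    return result


def hit_path(line):
    """Strip attributes, size, timestamps and hash from a file or folder hit.
    Registry hit lines are returned unchanged."""
    m = ATTR_RE.match(line)
    return m.group("path") if m else line


def terms_with_hits(parsed):
    """Flatten to (section, term, number of hit lines) for terms that matched."""
    return [(section, term, len(hits))
            for section, terms in parsed.items()
            for term, hits in terms.items() if hits]


if __name__ == "__main__":
    parsed = parse_systemlook(SAMPLE_LOG)
    for section, term, n in terms_with_hits(parsed):
        print(f"{section}: {term} -> {n} hit(s)")
        for hit in parsed[section][term]:
            print("   ", hit_path(hit))
```

Run against the full posted log, `hit_path` on the folderfind hits yields exactly the four paths that appear under :Files in Gary R's next fix; the Regfind hits are kept verbatim because the key line and the value line belong together and are read as a pair.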

Re: Malware preventing mbam.exe or wscript.exe from starting

Unread postby Gary R » January 28th, 2012, 10:05 am

Still a little to do ....

First

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code:
:Files
C:\Documents and Settings\ET123\Application Data\Mozilla\Firefox\Profiles\d7151wic.default\searchplugins\isearch.whitesmoke.com.xml
C:\Documents and Settings\ET123\Application Data\searchquband
C:\Documents and Settings\ET123\Local Settings\Application Data\Ilivid Player
C:\Documents and Settings\ET123\AppData\LocalLow\DataMngr

:Reg
[-HKEY_CURRENT_USER\Software\NCH_EN]
[-HKEY_USERS\S-1-5-21-1845647569-1489800997-1204271635-1005\Software\NCH_EN]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\iLivid]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Documents and Settings\All Users\Application Data\{B49A644A-1076-4A3D-B124-DAA7862F2318}\iLividSetupV1.exe"=-
[-HKEY_USERS\S-1-5-21-1845647569-1489800997-1204271635-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\iLivid]
[HKEY_USERS\S-1-5-21-1845647569-1489800997-1204271635-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Documents and Settings\All Users\Application Data\{B49A644A-1076-4A3D-B124-DAA7862F2318}\iLividSetupV1.exe"=-

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.

Next

See if you can run a scan with Malwarebytes Anti-Malware now.

  • Click on the Malwarebytes' Anti-Malware icon to launch the programme.
    • Click the Updates tab.
      • Click Check for Updates and allow the programme to download the latest definitions.
    • Click the Scanner tab.
      • Check Perform Quick Scan.
      • Click Scan and wait for the scan to complete.
      • When the scan is complete, click OK, then Show Results.
      • Check all items except items in the C:\System Volume Information folder and click on Remove Selected.
        • A box will pop-up telling you that files have been quarantined.
        • A log will pop-up.
      • Post the log in your next reply please.

You can also access the log by doing the following
  • Click on the Logs tab.
    • Click on the log at the bottom of those listed to highlight it.
    • Click Open

If Malwarebytes still won't run let me know.

Next

Please run a scan with ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.
  • Please go HERE then click on: Image
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log in your next reply please.
  • Now click on: Image (Selecting Uninstall application on close if you so wish)

Summary of the logs I need from you in your next post:
  • Latest OTL fix log
  • MBAM log (if available)
  • E-Set log


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present; if any log is cut off you'll have to post it in sections.
Gary R
Administrator
Posts: 21864
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
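
The ESET instructions above pin down five settings (Remove found threats off, Scan archives on, and the three Advanced Settings options), and the scanner records each of them as a `# key=value` line at the top of its log, so the log can be checked against the request rather than taken on trust. The script below is an added example for this thread (not ESET's code and not something either poster wrote) that does that check. It also handles the wrinkle visible in the log kiap later posts: the file holds more than one run (an old 2010 run followed by the new one), so every `# version=` line starts a new run and only the most recent one is judged. SAMPLE_LOG is a constructed abridgement of that posted log, and EXPECTED mirrors the settings Gary R asked for.

```python
"""Check an ESET Online Scanner log against the settings the helper asked for.

Added example for this thread; it is not ESET's code and not something
posted by Gary R or kiap. SAMPLE_LOG is a constructed abridgement of the
log kiap posted: an older 2010 run followed by the 2012 run, with three
of the posted detection lines. EXPECTED mirrors Gary R's instructions.
"""
import re

# Settings Gary R asked for: "Remove found threats" NOT checked, "Scan archives"
# checked, plus the three Advanced Settings options.
EXPECTED = {
    "remove_checked": "false",
    "archives_checked": "true",
    "unwanted_checked": "true",
    "unsafe_checked": "true",
    "antistealth_checked": "true",
}

SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# OnlineScanner.ocx=1.0.0.6211
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-29 10:58:51
# scanned=197002
# found=0
# cleaned=0
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScanner.ocx=1.0.0.6583
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-28 06:14:27
# scanned=247609
# found=3
# cleaned=0
C:\Documents and Settings\ET123\My Documents\Usenet.nl\Conver And Studio (LiveX).rar MSIL/Restamdos.AE trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\ET123\My Documents\Usenet.nl\ConvexSoft.Video.iPod.Converter.v1.3-TBE.rar Win32/Delf.OAH trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\ET123\My Documents\Usenet.nl\Filemaster\ConvertXtoDVD 2 27 26 394Track ( kk ).rar MSIL/Restamdos.AE trojan (unable to clean) 00000000000000000000000000000000 I
"""

# Detection line: "<path> <family/name type> (<action>) <32 hex digits> <flag>"
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<threat>\S+/\S+\s+\S+)\s+"
    r"\((?P<action>[^)]+)\)\s+(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)$"
)


def split_runs(text):
    """Split a log into runs; every '# version=' line starts a new run.
    Each run is {"settings": {key: value}, "detections": [dict]}."""
    runs = []
    for line in text.splitlines():
        if line.startswith("# version="):
            runs.append({"settings": {}, "detections": []})
        if not runs:
            continue                      # installer chatter before the first run
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            runs[-1]["settings"][key] = value
        else:
            m = DETECTION_RE.match(line)
            if m:
                runs[-1]["detections"].append(m.groupdict())
    return runs


def latest_run(runs):
    """The run with the newest utc_time; the 2010 run in the sample is stale."""
    return max(runs, key=lambda r: r["settings"].get("utc_time", ""))


def check_settings(run, expected=EXPECTED):
    """Return {key: (expected, actual)} for each setting that deviates."""
    s = run["settings"]
    return {k: (v, s.get(k)) for k, v in expected.items() if s.get(k) != v}


def found_matches_listed(run):
    """True when the '# found=' count agrees with the detection lines present."""
    return int(run["settings"].get("found", "0")) == len(run["detections"])


def threat_summary(run):
    """Count detections per threat name."""
    counts = {}
    for d in run["detections"]:
        counts[d["threat"]] = counts.get(d["threat"], 0) + 1
    return counts


if __name__ == "__main__":
    run = latest_run(split_runs(SAMPLE_LOG))
    print("settings deviating from request:", check_settings(run) or "none")
    print("found count consistent:", found_matches_listed(run))
    for threat, n in threat_summary(run).items():
        print(f"{n:3d}  {threat}")
```

On the sample, the stale 2010 run fails three of the five checks (it was run with removal on, archives off and unsafe applications off) while the 2012 run passes all of them, which is why the run is selected by `utc_time` before anything is judged; `found_matches_listed` catches a log that was truncated by the forum's post size limit, since the `# found=` count would then exceed the detection lines actually present.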

Re: Malware preventing mbam.exe or wscript.exe from starting

Unread postby kiap » January 29th, 2012, 2:50 am

Thanks for sticking with this,

Part1: OTL
*******


========== FILES ==========
C:\Documents and Settings\ET123\Application Data\Mozilla\Firefox\Profiles\d7151wic.default\searchplugins\isearch.whitesmoke.com.xml moved successfully.
C:\Documents and Settings\ET123\Application Data\searchquband folder moved successfully.
C:\Documents and Settings\ET123\Local Settings\Application Data\Ilivid Player folder moved successfully.
C:\Documents and Settings\ET123\AppData\LocalLow\DataMngr folder moved successfully.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\NCH_EN\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-1845647569-1489800997-1204271635-1005\Software\NCH_EN\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\iLivid\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\\C:\Documents and Settings\All Users\Application Data\{B49A644A-1076-4A3D-B124-DAA7862F2318}\iLividSetupV1.exe deleted successfully.
Registry key HKEY_USERS\S-1-5-21-1845647569-1489800997-1204271635-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\iLivid\ not found.
Registry value HKEY_USERS\S-1-5-21-1845647569-1489800997-1204271635-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache\\C:\Documents and Settings\All Users\Application Data\{B49A644A-1076-4A3D-B124-DAA7862F2318}\iLividSetupV1.exe not found.

OTL by OldTimer - Version 3.2.31.0 log created on 01282012_221508
kiap
Active Member
Posts: 12
Joined: January 27th, 2012, 12:55 am

Re: Malware preventing mbam.exe or wscript.exe from starting

Unread postby kiap » January 29th, 2012, 2:52 am

Part2 mbam log
******

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.28.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Enabling Technology :: ET-LAPTOP1 [administrator]

28/01/2012 22:23:05
mbam-log-2012-01-28 (22-23-05).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 204915
Time elapsed: 5 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
kiap
Active Member
Posts: 12
Joined: January 27th, 2012, 12:55 am

Re: Malware preventing mbam.exe or wscript.exe from starting

Unread postby kiap » January 29th, 2012, 2:54 am

Part3 ESET
*****


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=aeda99679e6046479ce9fc820e532610
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-29 10:58:51
# local_time=2010-10-30 06:58:51 (+0800, W. Australia Standard Time)
# country="Australia"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=7937 16777213 100 100 10140 3807597 0 0
# compatibility_mode=8192 67108863 100 0 371 371 0 0
# scanned=197002
# found=0
# cleaned=0
# scan_time=4131
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=aeda99679e6046479ce9fc820e532610
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-28 06:14:27
# local_time=2012-01-29 02:14:27 (+0800, W. Australia Standard Time)
# country="Australia"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5889 16768446 80 100 163190588 173303052 0 164040384
# compatibility_mode=7937 16777213 100 100 23664283 43180578 0 0
# compatibility_mode=8192 67108863 100 0 39373352 39373352 0 0
# scanned=247609
# found=66
# cleaned=0
# scan_time=12485
C:\Documents and Settings\ET123\My Documents\Usenet.nl\Conver And Studio (LiveX).rar MSIL/Restamdos.AE trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\ET123\My Documents\Usenet.nl\ConvexSoft.Video.iPod.Converter.v1.3-TBE.rar Win32/Delf.OAH trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\ET123\My Documents\Usenet.nl\ConvexSoft.Video.to.FLV.SWF.GIF.Converter.v3.1-TBE.rar Win32/Delf.OAH trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\ET123\My Documents\Usenet.nl\ConvexSoft.Video.Zune.Converter.v1.4-TBE.rar Win32/Delf.OAH trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\ET123\My Documents\Usenet.nl\Filemaster\ConvertXtoDVD V4 Studio Convert to - LiveX 4Track A\ConvertXtoDVD 2 27 26 394Track ( kk ).rar MSIL/Restamdos.AE trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\ET123\My Documents\Usenet.nl\Filemaster\ConvertXtoDVD V4 Studio Convert to - LiveX 4Track A\ConvertXtoDVD 3 3 4 1060e And Studio.rar MSIL/Restamdos.AE trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\ET123\My Documents\Usenet.nl\Filemaster\ConvertXtoDVD V4 Studio Convert to - LiveX 4Track A\ConvertXtoDVD 4 0 3 304+4Track ( kk ).rar MSIL/Restamdos.AE trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\ET123\My Documents\Usenet.nl\Filemaster\ConvertXtoDVD V4 Studio Convert to - LiveX 4Track A\ConvertXtoDVD 4 0 3 lod+4Track ( kk ).rar MSIL/Restamdos.AE trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\ET123\My Documents\Usenet.nl\Filemaster\ConvertXtoDVD V4 Studio Convert to - LiveX 4Track A\ConvertXtoDVD 4 0 97 475 more 4Track ( kk ) (12) .rar MSIL/Restamdos.AE trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\ET123\My Documents\Usenet.nl\Filemaster\ConvertXtoDVD V4 Studio Convert to - LiveX 4Track A\ConvertXtoDVD 4 147 304+4Track ( kk ).rar MSIL/Restamdos.AE trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\ET123\My Documents\Usenet.nl\Filemaster\ConvertXtoDVD V4 Studio Convert to - LiveX 4Track A\ConvertXtoDVD 4 24 67+4Track ( kk ).rar MSIL/Restamdos.AE trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\ET123\My Documents\Usenet.nl\Filemaster\ConvertXtoDVD V4 Studio Convert to - LiveX 4Track A\ConvertXtoDVD 489 304+4Track ( kk ).rar MSIL/Restamdos.AE trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\ET123\My Documents\Usenet.nl\Filemaster\ConvertXtoDVD V4 Studio Convert to - LiveX 4Track A\ConvertXtoDVD 1 19 80 20094Trac\ConvertXtoDVD 1 19 80 20094Track ( kk ).exe MSIL/Restamdos.AE trojan (unable to clean) 00000000000000000000000000000000 I
kiap
Active Member
 
Posts: 12
Joined: January 27th, 2012, 12:55 am