
johnnycobra

Honorary Members
Everything posted by johnnycobra

  1. Hi screen317, I did all that. Everything is running perfectly! Thank you!
  2. Things are running well! The PC is faster to load webpages and altogether looks good. The online banking popups have gone. I ran the ESET scanner and it found nothing. There is no logfile in the ESET online scanner directory. Here is the security check:
     Results of screen317's Security Check version 0.99.9
     Windows XP Service Pack 3
     Internet Explorer 6 Out of date!
     ``````````````````````````````
     Antivirus/Firewall Check:
     Windows Firewall Enabled!
     avast! Free Antivirus
     McAfee Security Scan Plus
     ```````````````````````````````
     Anti-malware/Other Utilities Check:
     Ad-Aware
     Malwarebytes' Anti-Malware
     HijackThis 2.0.2
     CCleaner
     Java 6 Update 24
     Adobe Flash Player 10.2.152.32
     Adobe Reader X (10.0.1)
     Mozilla Firefox (3.6.15)
     ````````````````````````````````
     Process Check: objlist.exe by Laurent
     Ad-Aware AAWService.exe is disabled!
     Ad-Aware AAWTray.exe is disabled!
     Alwil Software Avast5 AvastSvc.exe
     Alwil Software Avast5 avastUI.exe
     ``````````End of Log````````````
     I think the problem is fixed. screen317, thank you very much for your help. You are The Dude.
  3. Hi. Since posting I have scanned my system with MBAM and Avast. No MBR (or any other) virus was found. It looks like TDSS works. Is there anything else I should do to verify that the system is clean?
  4. Hi screen317, I did as you said. Below is the report file. It found the Sinowal rootkit. Things are looking better; my machine loads screens faster, so this may have cured it.
     2011/03/07 20:00:43.0765 3908 TDSS rootkit removing tool 2.4.20.0 Mar 2 2011 10:44:30
     2011/03/07 20:00:44.0046 3908 ================================================================================
     2011/03/07 20:00:44.0046 3908 SystemInfo:
     2011/03/07 20:00:44.0046 3908
     2011/03/07 20:00:44.0046 3908 OS Version: 5.1.2600 ServicePack: 3.0
     2011/03/07 20:00:44.0046 3908 Product type: Workstation
     2011/03/07 20:00:44.0046 3908 ComputerName: DCM5KS81
     2011/03/07 20:00:44.0062 3908 UserName: John and Fran
     2011/03/07 20:00:44.0062 3908 Windows directory: C:\WINDOWS
     2011/03/07 20:00:44.0062 3908 System windows directory: C:\WINDOWS
     2011/03/07 20:00:44.0062 3908 Processor architecture: Intel x86
     2011/03/07 20:00:44.0062 3908 Number of processors: 2
     2011/03/07 20:00:44.0062 3908 Page size: 0x1000
     2011/03/07 20:00:44.0062 3908 Boot type: Normal boot
     2011/03/07 20:00:44.0062 3908 ================================================================================
     2011/03/07 20:00:44.0234 3908 Initialize success
     2011/03/07 20:00:48.0984 2512 ================================================================================
     2011/03/07 20:00:48.0984 2512 Scan started
     2011/03/07 20:00:48.0984 2512 Mode: Manual;
     2011/03/07 20:00:48.0984 2512 ================================================================================
     2011/03/07 20:01:00.0828 2512 \HardDisk0 - detected Backdoor.Win32.Sinowal.knf (0)
     2011/03/07 20:01:00.0843 2512 ================================================================================
     2011/03/07 20:01:00.0843 2512 Scan finished
     2011/03/07 20:01:00.0843 2512 ================================================================================
     2011/03/07 20:01:00.0843 2504 Detected object count: 1
     2011/03/07 20:01:20.0062 2504 \HardDisk0 - will be cured after reboot
     2011/03/07 20:01:20.0062 2504 Backdoor.Win32.Sinowal.knf(\HardDisk0) - User select action: Cure
     2011/03/07 20:01:25.0109 0864 Deinitialize success
  5. I rebooted and rescanned with Avast, and it's still reporting an MBR rootkit. Any thoughts?
  6. Here is the ESET scan. It looks like it found the same file in System Restore that the original MBAM scan found.
     ESETSmartInstaller@High as CAB hook log:
     OnlineScanner.ocx - registred OK
     # version=7
     # iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
     # OnlineScanner.ocx=1.0.0.6425
     # api_version=3.0.2
     # EOSSerial=f4bf4ca0c679f042b79062e5330f403f
     # end=finished
     # remove_checked=true
     # archives_checked=false
     # unwanted_checked=true
     # unsafe_checked=false
     # antistealth_checked=true
     # utc_time=2011-03-02 12:31:20
     # local_time=2011-03-01 07:31:20 (-0500, Eastern Standard Time)
     # country="United States"
     # lang=9
     # osver=5.1.2600 NT Service Pack 3
     # compatibility_mode=512 16777215 100 0 0 0 0 0
     # compatibility_mode=768 16777215 100 0 862499 862499 0 0
     # compatibility_mode=8192 67108863 100 0 0 0 0 0
     # scanned=131182
     # found=1
     # cleaned=1
     # scan_time=5069
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP622\A0073611.exe probably a variant of MSIL/Injector.CF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
     Here is the security check log:
     Results of screen317's Security Check version 0.99.9
     Windows XP Service Pack 3
     Internet Explorer 6 Out of date!
     ``````````````````````````````
     Antivirus/Firewall Check:
     Windows Firewall Enabled!
     avast! Free Antivirus
     ESET Online Scanner v3
     ```````````````````````````````
     Anti-malware/Other Utilities Check:
     Ad-Aware
     Malwarebytes' Anti-Malware
     HijackThis 2.0.2
     CCleaner
     Java 6 Update 18
     Java 2 Runtime Environment, SE v1.4.2_03
     Out of date Java installed!
     Adobe Flash Player 10.1.102.64
     Adobe Reader 7.0.8
     Out of date Adobe Reader installed!
     Mozilla Firefox (3.6.13)
     ````````````````````````````````
     Process Check: objlist.exe by Laurent
     Ad-Aware AAWService.exe is disabled!
     Ad-Aware AAWTray.exe is disabled!
     ESET ESET Online Scanner OnlineCmdLineScanner.exe
     Alwil Software Avast5 AvastSvc.exe
     Alwil Software Avast5 avastUI.exe
     ``````````End of Log````````````
     I tried a dummy run to access an online bank that gave me the popup, and it seems to be OK. I am going to reboot and try again. Once again, thanks for your help, Screen.
  7. Here is the DDS.
     UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT
     DDS (Ver_10-12-12.02)
     Microsoft Windows XP Home Edition
     Boot Device: \Device\HarddiskVolume2
     Install Date: 11/12/2005 7:54:49 PM
     System Uptime: 2/28/2011 7:06:55 AM (0 hours ago)
     Motherboard: Dell Inc. | | 0RD203
     Processor: Intel® Pentium® 4 CPU 3.40GHz | Microprocessor | 3391/800mhz
     ==== Disk Partitions =========================
     C: is FIXED (NTFS) - 229 GiB total, 97.234 GiB free.
     D: is CDROM (CDFS)
     E: is CDROM ()
     ==== Disabled Device Manager Items =============
Photo Story 2 LE Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 Modem Event Monitor Modem Helper Modem On Hold Moyea FLV Player version: 2.0.2.96 Mozilla Firefox (3.6.13) MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) Musicmatch for Windows Media Player muvee Plugin 1.0 NCH Toolbox NewzToolz NewzToolz v2.0.2 Operation Flashpoint uninstall Optimum Online net guide Panda ActiveScan Photo Click PhotoStitch PicaView32 PowerDVD 5.5 Print Screen Deluxe PunkBuster Services Quake Live Mozilla Plugin QuickBooks Simple Start Special Edition QuickTime RarZilla Free Unrar 2.52 RealPlayer Basic RemoteCapture 2.6 Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473) Security Update for Step By Step Interactive Training (KB898458) Security Update for Step By Step Interactive Training (KB923723) Security Update for Windows Media Player (KB2378111) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player (KB954155) Security Update for Windows Media Player (KB968816) Security Update for Windows Media Player (KB973540) Security Update for Windows Media Player (KB975558) Security Update for Windows Media Player (KB978695) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 10 (KB936782) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows XP (KB2079403) Security Update for Windows XP (KB2115168) Security Update for Windows XP (KB2121546) Security Update for Windows XP (KB2160329) Security Update for Windows XP (KB2183461) Security Update for Windows XP (KB2229593) Security Update for 
Windows XP (KB2259922) Security Update for Windows XP (KB2279986) Security Update for Windows XP (KB2286198) Security Update for Windows XP (KB2296011) Security Update for Windows XP (KB2296199) Security Update for Windows XP (KB2347290) Security Update for Windows XP (KB2360131) Security Update for Windows XP (KB2360937) Security Update for Windows XP (KB2387149) Security Update for Windows XP (KB2393802) Security Update for Windows XP (KB2416400) Security Update for Windows XP (KB2419632) Security Update for Windows XP (KB2423089) Security Update for Windows XP (KB2436673) Security Update for Windows XP (KB2440591) Security Update for Windows XP (KB2443105) Security Update for Windows XP (KB2476687) Security Update for Windows XP (KB2478960) Security Update for Windows XP (KB2478971) Security Update for Windows XP (KB2479628) Security Update for Windows XP (KB2482017) Security Update for Windows XP (KB2483185) Security Update for Windows XP (KB2485376) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB923689) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950759) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951376) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953838) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956390) Security Update for Windows XP (KB956391) Security Update for 
Windows XP (KB956572) Security Update for Windows XP (KB956744) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB956844) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958215) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB958869) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960714) Security Update for Windows XP (KB960715) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB960859) Security Update for Windows XP (KB961371) Security Update for Windows XP (KB961373) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB963027) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969059) Security Update for Windows XP (KB969897) Security Update for Windows XP (KB969898) Security Update for Windows XP (KB969947) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB970430) Security Update for Windows XP (KB971468) Security Update for Windows XP (KB971486) Security Update for Windows XP (KB971557) Security Update for Windows XP (KB971633) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB971961) Security Update for Windows XP (KB972260) Security Update for Windows XP (KB972270) Security Update for Windows XP (KB973346) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP (KB973525) Security Update for Windows XP (KB973869) Security Update for Windows XP (KB973904) Security Update for Windows XP (KB974112) Security Update for Windows XP (KB974318) Security Update for Windows XP (KB974392) Security Update for Windows XP (KB974455) 
Security Update for Windows XP (KB974571) Security Update for Windows XP (KB975025) Security Update for Windows XP (KB975467) Security Update for Windows XP (KB975560) Security Update for Windows XP (KB975561) Security Update for Windows XP (KB975562) Security Update for Windows XP (KB975713) Security Update for Windows XP (KB976325) Security Update for Windows XP (KB977165) Security Update for Windows XP (KB977816) Security Update for Windows XP (KB977914) Security Update for Windows XP (KB978037) Security Update for Windows XP (KB978251) Security Update for Windows XP (KB978262) Security Update for Windows XP (KB978338) Security Update for Windows XP (KB978542) Security Update for Windows XP (KB978601) Security Update for Windows XP (KB978706) Security Update for Windows XP (KB979309) Security Update for Windows XP (KB979482) Security Update for Windows XP (KB979559) Security Update for Windows XP (KB979683) Security Update for Windows XP (KB979687) Security Update for Windows XP (KB980195) Security Update for Windows XP (KB980218) Security Update for Windows XP (KB980232) Security Update for Windows XP (KB980436) Security Update for Windows XP (KB981322) Security Update for Windows XP (KB981349) Security Update for Windows XP (KB981852) Security Update for Windows XP (KB981957) Security Update for Windows XP (KB981997) Security Update for Windows XP (KB982132) Security Update for Windows XP (KB982214) Security Update for Windows XP (KB982381) Security Update for Windows XP (KB982665) Security Update for Windows XP (KB982802) Skype 2.5 Sonic DLA Sonic MyDVD LE Sonic RecordNow Audio Sonic RecordNow Copy Sonic RecordNow Data Sophos Anti-Rootkit 1.5.4 Sound Blaster Audigy 2 ZS Spybot - Search & Destroy Symantec Technical Support Advanced Chat Controls Symantec Technical Support Web Controls TeamSpeak 2 RC2 Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Windows XP (KB2141007) Update for Windows XP (KB2345886) Update for Windows XP (KB2467659) 
Update for Windows XP (KB951072-v2) Update for Windows XP (KB951978) Update for Windows XP (KB955759) Update for Windows XP (KB955839) Update for Windows XP (KB967715) Update for Windows XP (KB968389) Update for Windows XP (KB971737) Update for Windows XP (KB973687) Update for Windows XP (KB973815) Update for Windows XP (KB976749) Update for Windows XP (KB978207) Update for Windows XP (KB980182) VC80CRTRedist - 8.0.50727.4053 Viewpoint Media Player Virtual Earth 3D (Beta) Visual C++ 2008 x86 Runtime - (v9.0.30729) Visual C++ 2008 x86 Runtime - v9.0.30729.01 WebFldrs XP Windows Defender Signatures Windows Genuine Advantage v1.3.0254.0 Windows Genuine Advantage Validation Tool (KB892130) Windows Imaging Component Windows Media Format 11 runtime Windows Media Player 10 Windows Media Player 11 Windows XP Service Pack 3 WinUHA 2.0 RC1 (2005.02.27) WinZip Yahoo! Messenger ==== Event Viewer Messages From Past Week ======== 2/28/2011 7:05:27 AM, error: PlugPlayManager [11] - The device Root\LEGACY_MEMSWEEP2\0000 disappeared from the system without first being prepared for removal. 2/28/2011 6:53:00 AM, error: Service Control Manager [7034] - The SupportSoft Sprocket Service (dellsupportcenter) service terminated unexpectedly. It has done this 1 time(s). 2/28/2011 6:53:00 AM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). 2/28/2011 6:53:00 AM, error: Service Control Manager [7034] - The PnkBstrB service terminated unexpectedly. It has done this 1 time(s). 2/28/2011 6:53:00 AM, error: Service Control Manager [7034] - The PnkBstrA service terminated unexpectedly. It has done this 1 time(s). 2/28/2011 6:53:00 AM, error: Service Control Manager [7034] - The MpService service terminated unexpectedly. It has done this 1 time(s). 2/28/2011 6:53:00 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s). 
2/28/2011 6:53:00 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s). 2/28/2011 6:53:00 AM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s). 2/28/2011 6:53:00 AM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s). 2/28/2011 6:53:00 AM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s). 2/26/2011 10:33:29 AM, error: Print [6161] - The document http://forums.avg.com/ww-en/avg-free-forum?sec=thread&act=show& owned by John and Fran failed to print on printer Canon MultiPASS F30 Printer. Data type: NT EMF 1.008. Size of the spool file in bytes: 327680. Number of bytes printed: 148072. Total number of pages in the document: 2. Number of pages printed: 1. Client machine: \\DCM5KS81. Win32 error code returned by the print processor: 0 (0x0). 2/24/2011 6:45:13 AM, error: Service Control Manager [7016] - The MpService service has reported an invalid current state 0. ==== End Of File =========================== Here is the Combofix ComboFix 11-02-27.02 - John and Fran 02/28/2011 6:53.9.2 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1676 [GMT -5:00] Running from: c:\documents and settings\John and Fran\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\John and Fran\Desktop\CFScript.txt AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D} AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} FILE :: "c:\windows\system32\5.tmp" "c:\windows\system32\drivers\ntrtrgh.sys" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . 
((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_MEMSWEEP2 -------\Service_MEMSWEEP2 -------\Service_rdrmqo ((((((((((((((((((((((((( Files Created from 2011-01-28 to 2011-02-28 ))))))))))))))))))))))))))))))) . 2011-02-25 23:50 . 2011-02-23 14:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys 2011-02-18 23:32 . 2011-02-23 14:54 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys 2011-02-18 23:32 . 2011-02-23 14:56 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys 2011-02-18 23:32 . 2011-02-23 14:55 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys 2011-02-18 23:32 . 2011-02-23 14:55 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys 2011-02-18 23:32 . 2011-02-23 14:55 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys 2011-02-18 23:32 . 2011-02-23 14:55 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys 2011-02-18 23:32 . 2011-02-23 14:54 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys 2011-02-18 23:32 . 2011-02-23 15:04 40648 ----a-w- c:\windows\avastSS.scr 2011-02-18 23:31 . 2011-02-23 15:04 190016 ----a-w- c:\windows\system32\aswBoot.exe 2011-02-18 23:31 . 2011-02-18 23:31 -------- d-----w- c:\program files\Alwil Software 2011-02-18 23:31 . 2011-02-18 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software 2011-02-16 15:35 . 2011-02-16 15:35 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys 2011-02-16 15:32 . 2011-02-16 15:32 -------- d-----w- c:\documents and settings\John and Fran\Local Settings\Application Data\Sunbelt Software 2011-02-16 15:31 . 2011-02-16 15:31 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620} 2011-02-15 23:53 . 2011-02-15 23:53 -------- d-----w- c:\program files\Sophos . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-02-27 23:25 . 
2007-09-06 23:56 138520 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys 2011-02-27 23:23 . 2009-03-26 22:38 234536 ----a-w- c:\windows\system32\PnkBstrB.xtr 2011-02-27 23:23 . 2007-09-06 23:56 234536 ----a-w- c:\windows\system32\PnkBstrB.exe 2011-02-16 15:35 . 2009-04-03 10:39 16432 ----a-w- c:\windows\system32\lsdelete.exe 2011-02-16 15:35 . 2009-04-03 02:35 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys 2011-01-21 14:44 . 2004-08-10 18:51 439296 ----a-w- c:\windows\system32\shimgvw.dll 2011-01-07 14:09 . 2004-08-10 18:50 290048 ----a-w- c:\windows\system32\atmfd.dll 2010-12-31 13:10 . 2004-08-10 18:51 1854976 ----a-w- c:\windows\system32\win32k.sys 2010-12-22 12:34 . 2004-08-10 18:51 301568 ----a-w- c:\windows\system32\kerberos.dll 2010-12-20 23:09 . 2009-02-18 15:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-12-20 23:08 . 2009-02-18 15:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-12-20 22:15 . 2004-08-10 18:51 667136 ----a-w- c:\windows\system32\wininet.dll 2010-12-20 22:15 . 2004-08-10 18:51 61952 ----a-w- c:\windows\system32\tdc.ocx 2010-12-20 22:15 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\ieencode.dll 2010-12-20 17:26 . 2004-08-10 18:51 730112 ----a-w- c:\windows\system32\lsasrv.dll 2010-12-20 15:30 . 2004-08-10 18:51 369664 ----a-w- c:\windows\system32\html.iec 2010-12-09 15:15 . 2004-08-10 18:51 718336 ----a-w- c:\windows\system32\ntdll.dll 2010-12-09 14:30 . 2004-08-10 18:50 33280 ----a-w- c:\windows\system32\csrsrv.dll 2010-12-09 13:42 . 2004-08-10 18:51 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-12-09 13:07 . 2004-08-04 04:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast] @="{472083B0-C522-11CF-8763-00608CC02F24}" [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}] 2011-02-23 15:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-02-23 3451496] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Freenet Tray.lnk - c:\program files\Freenet\bin\freenettray.exe [2010-6-14 465251] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\progra~1\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD@ccess.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD@ccess.lnk backup=c:\windows\pss\DVD@ccess.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Freenet Tray.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Freenet Tray.lnk backup=c:\windows\pss\Freenet Tray.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=c:\windows\pss\Microsoft Office.lnkCommon Startup 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] c:\windows\system32\dumprep 0 -k [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck] c:\windows\system32\dumprep 0 -u [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch] 2011-02-16 15:34 939848 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA] 2005-08-06 03:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET] 2003-06-18 07:00 45056 ----a-w- c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol] 2003-09-17 16:43 57344 ----a-w- c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport] 2007-03-15 15:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter] 2009-05-21 14:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate] 2010-09-01 06:39 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla] 2004-12-06 07:05 127035 ----a-w- c:\windows\system32\dla\tfswctrl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate] 2007-11-15 13:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher] 2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core] 2009-01-09 20:11 3321856 ----a-w- c:\program files\Electronic Arts\EADM\Core.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor] 2007-03-15 23:16 454784 ----a-w- c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM] 2003-09-04 02:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup] 2005-06-10 16:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler] 2005-06-10 16:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2010-04-28 19:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\monitr32] 2001-08-21 22:52 311296 ----a-w- c:\program files\Canon\MultiPASS4\monitr32.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPTBox] 2001-08-21 22:52 151552 ----a-w- c:\program files\Canon\MultiPASS4\mptbox.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2010-03-18 01:53 421888 ----a-w- c:\program 
files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] 2006-07-06 22:53 20034600 ----a-w- c:\program files\Skype\Phone\Skype.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2010-01-11 20:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] 2006-03-30 20:45 313472 ----a-w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg] 2000-05-11 07:00 90112 ------w- c:\windows\Updreg.EXE [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"= "c:\\Program Files\\Java\\jre6\\bin\\java.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\WINDOWS\\system32\\PnkBstrA.exe"= "c:\\WINDOWS\\system32\\PnkBstrB.exe"= "c:\\WINDOWS\\system32\\services.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1559:TCP"= 1559:TCP:Services "1618:TCP"= 1618:TCP:Services "2193:TCP"= 2193:TCP:Services "4383:TCP"= 4383:TCP:Services "7266:TCP"= 7266:TCP:Services R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/2/2009 9:35 PM 64512] R1 
aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2/25/2011 6:50 PM 371544] R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/18/2011 6:32 PM 301528] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/18/2011 6:32 PM 19544] R2 DVDAccss;DVDAccss;c:\windows\system32\drivers\DVDAccss.sys [4/21/2009 1:54 PM 29156] S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.SYS --> c:\windows\system32\drivers\COMMONFX.SYS [?] S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS --> c:\windows\system32\drivers\COMMONFX.SYS [?] S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.SYS --> c:\windows\system32\drivers\CTAUDFX.SYS [?] S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS --> c:\windows\system32\drivers\CTAUDFX.SYS [?] S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.SYS --> c:\windows\system32\drivers\CTERFXFX.SYS [?] S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS --> c:\windows\system32\drivers\CTERFXFX.SYS [?] S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.SYS --> c:\windows\system32\drivers\CTSBLFX.SYS [?] S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS --> c:\windows\system32\drivers\CTSBLFX.SYS [?] S3 freenet;Freenet background service;c:\program files\Freenet\bin\wrapper-windows-x86-32.exe [10/23/2009 1:43 PM 241664] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 4:05 AM 1405384] S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/3/2010 4:05 AM 15232] . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.google.com/ uInternet Settings,ProxyOverride = <local> TCP: {C7286E96-F0C4-439A-ACBC-53F753730663} = 195.242.208.40 TCP: {D007FA9F-2198-4403-9A17-E2E55FA1E4B3} = 195.242.208.40 FF - ProfilePath - c:\documents and settings\John and Fran\Application Data\Mozilla\Firefox\Profiles\j9fk5lqv.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E} . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-02-28 07:08 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-2430473397-3533442952-3856520278-1006\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) [HKEY_USERS\S-1-5-21-2430473397-3533442952-3856520278-1006\Software\Policies\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (S-1-5-21-2430473397-3533442952-3856520278-1006) @Allowed: (Read) (S-1-5-21-2430473397-3533442952-3856520278-1006) @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(2540) c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\program files\Alwil Software\Avast5\AvastSvc.exe c:\windows\system32\CTsvcCDA.EXE c:\program files\Java\jre6\bin\jqs.exe c:\windows\system32\PnkBstrA.exe c:\program files\Dell Support Center\bin\sprtsvc.exe . ************************************************************************** . Completion time: 2011-02-28 07:18:45 - machine was rebooted ComboFix-quarantined-files.txt 2011-02-28 12:18 ComboFix2.txt 2011-02-26 16:20 ComboFix3.txt 2009-04-18 15:08 Pre-Run: 104,404,025,344 bytes free Post-Run: 104,370,270,208 bytes free - - End Of File - - 9E79CEA257A32C9DC7DBC1700CED2B46 Thanks again for your help
  8. Here is the MBAM quick scan

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5883

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

2/26/2011 10:15:05 AM
mbam-log-2011-02-26 (10-15-05).txt

Scan type: Quick scan
Objects scanned: 158805
Time elapsed: 5 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

The forum will not allow me to post the ComboFix log as it is too long, so I am attaching the text file. Thanks again for your help

ComboFix.txt
  9. I would like to try to get rid of this virus, rather than reformat. Can you advise please?
  10. That's not good. Before I take the next steps, can you tell me what trojan it is and where the logs indicate that it is present? Is it the PWS trojan shown by MBAM, or is there something else you can see? Thanks again.
  11. Thank you for your reply. Here is the DDS:
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\John and Fran\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No File
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\freene~1.lnk - c:\program files\freenet\bin\freenettray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - hxxp://www.pcpitstop.com/internet/pcpConnCheck.cab
DPF: {32564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv8ax.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxps://offsite.cartus.com/msrdp.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {C7286E96-F0C4-439A-ACBC-53F753730663} = 195.242.208.40
TCP: {D007FA9F-2198-4403-9A17-E2E55FA1E4B3} = 195.242.208.40
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\progra~1\qualcomm\eudora\EuShlExt.dll
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\johnan~1\applic~1\mozilla\firefox\profiles\j9fk5lqv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\john and fran\application data\mozilla\firefox\profiles\j9fk5lqv.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-2 64512]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-2-18 294608]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-12 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-12 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-12 108552]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-2-18 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-2-18 40384]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-12 297752]
R2 DVDAccss;DVDAccss;c:\windows\system32\drivers\DVDAccss.sys [2009-4-21 29156]
S0 rdrmqo;rdrmqo;c:\windows\system32\drivers\ntrtrgh.sys --> c:\windows\system32\drivers\ntrtrgh.sys [?]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\commonfx.sys --> c:\windows\system32\drivers\COMMONFX.SYS [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\commonfx.sys --> c:\windows\system32\drivers\COMMONFX.SYS [?]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\ctaudfx.sys --> c:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\ctaudfx.sys --> c:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\cterfxfx.sys --> c:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\cterfxfx.sys --> c:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\ctsblfx.sys --> c:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\ctsblfx.sys --> c:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 freenet;Freenet background service;c:\program files\freenet\bin\wrapper-windows-x86-32.exe [2009-10-23 241664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1405384]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15232]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
=============== Created Last 30 ================
2011-02-18 23:32:00 38848 ----a-w- c:\windows\avastSS.scr
2011-02-18 23:31:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2011-02-16 15:35:40 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-02-16 15:32:20 -------- d-----w- c:\docume~1\johnan~1\locals~1\applic~1\Sunbelt Software
2011-02-16 15:31:23 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2011-02-15 23:53:04 -------- d-----w- c:\program files\Sophos
==================== Find3M ====================
2011-02-24 01:39:00 234536 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-02-24 01:39:00 234536 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-02-16 15:35:34 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 22:15:52 667136 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 22:15:52 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-12-20 22:15:51 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 15:30:29 369664 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
============= FINISH: 6:47:07.39 ===============
Here is the MBAM. I ran a full scan last night, before I received your instruction to run a quick scan. It detected Trojan.PWS, but the problem is still there.
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5863
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
2/24/2011 6:38:49 AM
mbam-log-2011-02-24 (06-38-49).txt
Scan type: Full scan (C:\|)
Objects scanned: 264176
Time elapsed: 1 hour(s), 13 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP613\A0072823.exe (Trojan.PWS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP613\A0072822.exe (Trojan.PWS) -> Quarantined and deleted successfully.
Thanks again
  12. Hello. My PC is infected with some malware which interferes when I try to do online banking. It displays a very official-looking popup which asks for personal information like SS# and PIN. There are also processes running in the background all the time (I can hear the disk accessing), but I can't see anything obvious in Task Manager processes, and my PC runs very slowly, especially when I'm online (I use Firefox 5.0). I ran MBAM and it reported no malicious items detected. I also scanned with Spybot S&D, Ad-Aware and AVG and they all found nothing. I ran Avast and it found sinowal@mbr, which it removed, and each subsequent scan found "rootkit: hidden boot sector", which does not go away after each clean-up, and the popup still shows every time I try to log on to the bank site. Can you help please?
  13. I'm not sure. My machine has an automatic reset-to-factory-spec facility which will wipe and reinstall automatically. Either way, I think you have done all you can and I am very grateful for your help. Thanks. John
  14. Hi Advancedsetup. I did the things you suggested. It's just getting worse. I get more frequent lock-ups, the hard drive is constantly accessing, and many apps don't run, i.e. iTunes, Windows Media, DivX Player, Battlefield 2. I have been backing up my data and the CD burner also keeps locking up. I am thinking of doing a format of C: and reloading XP and starting again. What do you think?
  15. Here are the files:
Malwarebytes' Anti-Malware 1.36
Database version: 1989
Windows 5.1.2600 Service Pack 3
4/16/2009 8:55:04 AM
mbam-log-2009-04-16 (08-55-04).txt
Scan type: Quick Scan
Objects scanned: 74073
Time elapsed: 3 minute(s), 16 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Here is the bootlog. This is the second pass, as the first was so large.
Service Pack 3 4 16 2009 17:17:19.375
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver pciide.sys
Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver sr.sys
Loaded driver Lbd.sys
Loaded driver drvmcdb.sys
Loaded driver PxHelp20.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver ohci1394.sys
Loaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYS
Loaded driver Mup.sys
Loaded driver \SystemRoot\system32\DRIVERS\nic1394.sys
Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys
Loaded driver \SystemRoot\system32\DRIVERS\ati2mtag.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\DRIVERS\IntelC53.sys
Loaded driver \SystemRoot\system32\DRIVERS\IntelC51.sys
Loaded driver \SystemRoot\system32\DRIVERS\IntelC52.sys
Loaded driver \SystemRoot\system32\DRIVERS\mohfilt.sys
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\system32\drivers\ctoss2k.sys
Loaded driver \SystemRoot\system32\drivers\ctprxy2k.sys
Loaded driver \SystemRoot\system32\drivers\ctaud2k.sys
Loaded driver \SystemRoot\system32\DRIVERS\gameenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\e100b325.sys
Loaded driver \SystemRoot\system32\drivers\sscdbhk5.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\system32\DRIVERS\psched.sys
Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\SymIM.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\update.sys
Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\system32\drivers\ha10kx2k.sys
Loaded driver \SystemRoot\system32\drivers\emupia2k.sys
Loaded driver \SystemRoot\system32\drivers\ctsfm2k.sys
Loaded driver \SystemRoot\system32\drivers\ctac32k.sys
Loaded driver \SystemRoot\system32\drivers\MODEMCSA.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Loaded driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\system32\drivers\ssrtln.sys
Did not load driver \SystemRoot\system32\DRIVERS\i8042prt.sys
Did not load driver \SystemRoot\system32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\Drivers\avgtdix.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\system32\DRIVERS\arp1394.sys
Loaded driver \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
Loaded driver \SystemRoot\System32\Drivers\SYMREDRV.SYS
Loaded driver \SystemRoot\System32\Drivers\SYMDNS.SYS
Loaded driver \SystemRoot\System32\Drivers\SYMNDIS.SYS
Loaded driver \SystemRoot\System32\Drivers\SYMFW.SYS
Loaded driver \SystemRoot\System32\Drivers\SYMIDS.SYS
Loaded driver \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\ipsdefs\20090225.002\SymIDSCo.sys
Loaded driver \SystemRoot\System32\Drivers\SYMTDI.SYS
Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\drivers\ws2ifsl.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbscan.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\system32\DRIVERS\serial.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\System32\Drivers\SRTSPX.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbccgp.sys
Loaded driver \SystemRoot\system32\DRIVERS\hidusb.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouhid.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
Loaded driver \SystemRoot\System32\Drivers\avgmfx86.sys
Loaded driver \SystemRoot\System32\Drivers\avgldx86.sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\system32\drivers\drvnddm.sys
Loaded driver \SystemRoot\system32\dla\tfsndres.sys
Loaded driver \SystemRoot\system32\dla\tfsnifs.sys
Loaded driver \SystemRoot\system32\dla\tfsnopio.sys
Loaded driver \SystemRoot\system32\dla\tfsnpool.sys
Loaded driver \SystemRoot\system32\dla\tfsnboio.sys
Loaded driver \SystemRoot\system32\dla\tfsncofs.sys
Loaded driver \SystemRoot\system32\dla\tfsndrct.sys
Loaded driver \SystemRoot\system32\dla\tfsnudf.sys
Loaded driver \SystemRoot\system32\dla\tfsnudfa.sys
Loaded driver \SystemRoot\system32\DRIVERS\elagopro.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\CO_Mon.sys
Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys
Loaded driver \SystemRoot\System32\Drivers\ASCTRM.SYS
Loaded driver \??\C:\WINDOWS\system32\drivers\cis1284.sys
Loaded driver \SystemRoot\system32\DRIVERS\dsunidrv.sys
Loaded driver \SystemRoot\system32\DRIVERS\elaunidr.sys
Loaded driver \SystemRoot\system32\DRIVERS\srv.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\PfModNT.sys
Loaded driver \SystemRoot\system32\DRIVERS\secdrv.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090412.003\NAVEX15.SYS
Loaded driver \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090412.003\NAVENG.SYS
Did not load driver \SystemRoot\System32\Drivers\SRTSPX.SYS
Loaded driver \SystemRoot\System32\Drivers\SRTSP.SYS
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Here is the RootRepeal log:
ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/16 17:28
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB07E2000 Size: 98304 File Visible: No Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5F2000 Size: 8192 File Visible: No Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAD724000 Size: 45056 File Visible: No Status: -
Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\WINDOWS\ntbtlog.txt
Status: Size mismatch (API: 17464, Raw: 17354)
Path: C:\Documents and Settings\John and Fran\Cookies\john and fran@malwarebytes[1].txt
Status: Invisible to the Windows API!
Path: C:\Documents and Settings\John and Fran\Cookies\john and fran@malwarebytes[2].txt
Status: Visible to the Windows API, but not on disk.
SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x89cf5880
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba0f887e
#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba0f8c10
Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x8a44a390]
Process: System Address: 0x898a5bd0 Size: -
Object: Hidden Code [ETHREAD: 0x8a329248]
Process: System Address: 0x89874c20 Size: -
Object: Hidden Code [ETHREAD: 0x8a306da8]
Process: System Address: 0x898c2e40 Size: -
Object: Hidden Code [ETHREAD: 0x8a2fb8e8]
Process: System Address: 0x89884160 Size: -
Object: Hidden Code [ETHREAD: 0x890cc660]
Process: System Address: 0x898a5bd0 Size: -
Object: Hidden Code [ETHREAD: 0x88f563d0]
Process: System Address: 0x89874c20 Size: -
Object: Hidden Code [ETHREAD: 0x899d42b0]
Process: System Address: 0x898c2e40 Size: -
Object: Hidden Code [ETHREAD: 0x8a74b020]
Process: System Address: 0x89884160 Size: -
Object: Hidden Code [ETHREAD: 0x88b4d938]
Process: System Address: 0x898a5bd0 Size: -
Object: Hidden Code [ETHREAD: 0x88af1020]
Process: System Address: 0x89874c20 Size: -
Object: Hidden Code [ETHREAD: 0x88b4bb38]
Process: System Address: 0x898c2e40 Size: -
Object: Hidden Code [ETHREAD: 0x88b71a90]
Process: System Address: 0x89884160 Size: -
  16. Hi Advanced Setup. I'll do that. Meantime, this may be important: I ran Dr Web again last night (it takes around 4 hours to complete). When I restarted, everything was fine and stayed fine until I connected to the internet. Then iTunes, Windows Media and others failed to work and the system has erratic lock-ups. It seems that whatever fixes Dr Web has put in place are undone when I connect to the internet. Could something be dialling out in the background? I'll get back to you on the other fixes.
  17. I have also just noticed that even though I set MSCONFIG to full startup, the system always only starts with selective startup.
  18. Hi. The disk check is done and was fine. Dr Web was completed and immediately after reboot, everything was fine! I.e. Windows Media, iTunes all worked perfectly, for one time only, and now they won't load again. HOWEVER, overall the PC is running much better and doesn't lock up. Clearly Dr Web got rid of some stuff, but there is still something running in the background which is conflicting with some other apps. Dr Web in heuristic mode also gave some false positives, as you suspected it would in your instructions. This included ComboFix, FYI. Here is the Dr Web log:
ComboFix.exe/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\John and Fran\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\John and Fran\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\John and Fran\Desktop;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\John and Fran\Desktop;Container contains infected objects;Moved.;
smitRem.exe\smitRem/Process.exe;C:\Documents and Settings\John and Fran\Desktop\smitRem.exe;Tool.Prockill;;
smitRem.exe\smitRem/pv.exe;C:\Documents and Settings\John and Fran\Desktop\smitRem.exe;Program.PrcView.3741;;
smitRem.exe;C:\Documents and Settings\John and Fran\Desktop;Archive contains infected objects;Moved.;
Fport.exe;C:\Documents and Settings\John and Fran\Desktop\Fport-2.0\Fport-2.0;Program.FPort.20;;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\John and Fran\Desktop\N360\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\John and Fran\Desktop\N360\SmitfraudFix.exe;Tool.ShutDown.14;;
SmitfraudFix.exe;C:\Documents and Settings\John and Fran\Desktop\N360;Archive contains infected objects;Moved.;
Process.exe;C:\Documents and Settings\John and Fran\Desktop\SmitfraudFix;Tool.Prockill;Moved.;
restart.exe;C:\Documents and Settings\John and Fran\Desktop\SmitfraudFix;Tool.ShutDown.14;Moved.;
Process.exe;C:\Documents and Settings\John and Fran\Desktop\smitRem;Tool.Prockill;Moved.;
pv.exe;C:\Documents and Settings\John and Fran\Desktop\smitRem;Program.PrcView.3741;Moved.;
A0122831.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1038;Program.FPort.20;Moved.;
A0124013.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1038;Tool.Prockill;Moved.;
A0175038.exe\data006;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1097\A0175038.exe;Adware.Webdir;;
A0175038.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1097;Archive contains infected objects;Moved.;
A0178066.bat;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1098;Probably BATCH.Virus;;
A0179066.bat;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1098;Probably BATCH.Virus;;
A0179109.bat;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1099;Probably BATCH.Virus;;
A0179112.EXE;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1099;Program.PsExec.170;Moved.;
A0188129.bat;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1099;Probably BATCH.Virus;;
A0188199.bat;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1100;Probably BATCH.Virus;;
A0198159.bat;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1100;Probably BATCH.Virus;;
A0198226.bat;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1100;Probably BATCH.Virus;;
A0203309.bat;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1100;Probably BATCH.Virus;;
A0203367.bat;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1100;Probably BATCH.Virus;;
A0203438.bat;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1101;Probably BATCH.Virus;;
A0203507.bat;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1101;Probably BATCH.Virus;;
A0203576.bat;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1102;Probably BATCH.Virus;;
A0210664.exe\smitRem/Process.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1102\A0210664.exe;Tool.Prockill;;
A0210664.exe\smitRem/pv.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1102\A0210664.exe;Program.PrcView.3741;;
A0210664.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1102;Archive contains infected objects;Moved.;
A0210665.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1102\A0210665.exe;Tool.Prockill;;
A0210665.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1102\A0210665.exe;Tool.ShutDown.14;;
A0210665.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1102;Archive contains infected objects;Moved.;
A0210666.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1102;Tool.Prockill;Moved.;
A0210667.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1102;Tool.ShutDown.14;Moved.;
A0210668.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1102;Tool.Prockill;Moved.;
A0210669.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1102;Program.PrcView.3741;Moved.;
  19. I'll try your suggestions; in the meantime I finally got MBAM to complete a scan without locking up. It came back clean, but locked immediately afterwards, so something is still there. I ran CF multiple times, so I am posting the latest logs from MBAM and CF. Meanwhile I'll try your suggestions. Thanks again.

Here is CF

ComboFix 09-04-15.08 - John and Fran 04/15/2009 6:37.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1425 [GMT -4:00]
Running from: c:\documents and settings\John and Fran\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Norton 360 *On-access scanning disabled* (Updated)
FW: Norton 360 *enabled*
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
.
2009-04-12 23:32 . 2009-04-13 02:05 -------- d--h--w C:\$AVG8.VAULT$
2009-04-12 19:13 . 2009-04-12 19:13 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-12 19:13 . 2009-04-12 19:13 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-12 19:13 . 2009-04-12 19:13 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-12 19:13 . 2009-04-14 22:21 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-12 19:13 . 2009-04-12 19:13 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-12 18:37 . 2009-04-12 18:37 30720 ----a-w c:\windows\system32\drivers\rootrepeal.sys
2009-04-03 10:39 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-03 02:35 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-03 02:33 . 2009-04-03 02:33 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-02 01:47 . 2009-04-03 00:55 -------- d-----w c:\documents and settings\John and Fran\Pavark(2)
2009-03-26 22:38 . 2009-04-01 01:52 189472 ----a-w c:\windows\system32\PnkBstrB.xtr
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-15 10:39 . 2009-02-19 22:54 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-15 02:10 . 2009-04-03 10:56 14469 ----a-w C:\aaw7boot.log
2009-04-15 01:56 . 2008-12-12 22:07 -------- d-----w c:\documents and settings\John and Fran\Application Data\GrabIt
2009-04-12 19:13 . 2009-04-12 19:13 -------- d-----w c:\program files\AVG
2009-04-12 17:01 . 2009-02-19 22:57 -------- d-----w c:\program files\Norton 360
2009-04-12 16:33 . 2009-02-18 15:19 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:32 . 2009-02-18 15:19 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-02-18 15:19 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 02:33 . 2008-05-20 12:06 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-03 02:33 . 2005-11-23 00:51 -------- d-----w c:\program files\Lavasoft
2009-04-03 00:55 . 2009-04-02 02:05 -------- d-----w c:\program files\FileASSASSIN
2009-04-02 01:52 . 2009-04-02 01:52 -------- d-----w c:\program files\Panda Security
2009-03-06 21:21 . 2007-09-06 23:56 140216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-06 21:21 . 2007-09-06 23:56 201352 ----a-w c:\windows\system32\PnkBstrB.exe
2009-03-02 14:14 . 2009-03-19 19:45 198074 ----a-w c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2009-02-24 15:51 . 2009-02-19 22:56 10635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-24 15:51 . 2009-02-19 22:56 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-02-24 15:51 . 2009-02-19 22:56 60808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-02-24 15:51 . 2009-02-19 22:56 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-24 15:51 . 2009-02-19 22:55 -------- d-----w c:\program files\Symantec
2009-02-21 14:10 . 2006-05-26 19:26 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-20 00:54 . 2006-05-31 23:49 -------- d-----w c:\program files\ewido anti-malware
2009-02-20 00:50 . 2009-02-20 00:50 -------- d-----w c:\program files\CCleaner
2009-02-20 00:13 . 2009-02-06 02:08 -------- d-----w c:\documents and settings\John and Fran\Application Data\Symantec
2009-02-19 22:57 . 2009-02-19 22:57 -------- d-----w c:\program files\Windows Sidebar
2009-02-19 17:03 . 2009-02-19 17:03 579464 ----a-w c:\windows\system32\SymNeti.dll
2009-02-19 17:03 . 2009-02-19 17:03 207240 ----a-w c:\windows\system32\SymRedir.dll
2009-02-19 16:31 . 2009-02-19 16:31 9844 ----a-w c:\windows\system32\drivers\SymRedir.cat
2009-02-19 16:31 . 2009-02-19 16:31 1611 ----a-w c:\windows\system32\drivers\SymRedir.inf
2009-02-19 16:31 . 2008-02-06 21:43 31280 ----a-w c:\windows\system32\drivers\SymIM.sys
2009-02-19 16:31 . 2009-02-19 16:31 41008 ----a-w c:\windows\system32\drivers\symndisv.sys
2009-02-19 16:31 . 2009-02-19 16:31 96560 ----a-w c:\windows\system32\drivers\symfw.sys
2009-02-19 16:31 . 2009-02-19 16:31 38576 ----a-w c:\windows\system32\drivers\symids.sys
2009-02-19 16:31 . 2009-02-19 16:31 37424 ----a-w c:\windows\system32\drivers\symndis.sys
2009-02-19 16:31 . 2009-02-19 16:31 22320 ----a-w c:\windows\system32\drivers\symredrv.sys
2009-02-19 16:31 . 2009-02-19 16:31 184496 ----a-w c:\windows\system32\drivers\symtdi.sys
2009-02-19 16:31 . 2009-02-19 16:31 13616 ----a-w c:\windows\system32\drivers\symdns.sys
2009-02-16 22:59 . 2006-05-26 21:17 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-16 22:59 . 2006-05-26 21:17 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-09 11:13 . 2008-10-15 19:20 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-10 18:51 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 14:55 . 2006-06-01 01:05 1128 ----a-w C:\rapport.txt
2009-01-23 01:04 . 2009-01-23 01:04 16 ----a-w C:\h.txt
2009-01-21 01:06 . 2009-01-21 01:06 444952 ----a-w c:\windows\system32\wrap_oal.dll
2009-01-21 01:06 . 2005-11-08 12:20 109080 ----a-w c:\windows\system32\OpenAL32.dll
2008-07-16 13:12 . 2006-02-12 22:38 29552 ----a-w c:\documents and settings\John and Fran\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-05-31 23:49 . 2006-05-31 23:49 48872 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( SnapShot@2009-04-13_19.51.30.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-15 02:10 . 2009-04-15 02:10 16384 c:\windows\temp\Perflib_Perfdata_784.dat
- 2008-07-13 07:07 . 2009-04-12 19:02 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-13 07:07 . 2009-04-14 10:34 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-11-13 00:42 . 2009-04-14 10:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-11-13 00:42 . 2009-04-12 19:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-11-13 00:42 . 2009-04-12 19:02 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2005-11-13 00:42 . 2009-04-14 10:34 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-08 15:31 . 2009-04-14 21:42 102400 c:\windows\Installer\{9F70BF98-003C-491D-81FC-FF9792206AF0}\iTunesIco.exe
- 2008-07-08 15:31 . 2008-07-08 15:31 102400 c:\windows\Installer\{9F70BF98-003C-491D-81FC-FF9792206AF0}\iTunesIco.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\progra~1\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-12 19:13 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm
"msacm.l3codec"= l3codecp.acm
"vidc.3IV2"= 3ivxVfWCodec_dec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2009-03-09 19:06 515416 ----a-w c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-08-06 03:05 344064 ----a-w c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
2009-04-12 19:13 1932568 ----a-w c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
2003-06-18 07:00 45056 ----a-w c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2003-09-17 16:43 57344 ----a-w c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 15:09 460784 ----a-w c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2008-08-13 22:32 206064 ----a-w c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 07:05 127035 ----a-w c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 13:24 16384 ----a-w c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 ------w c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
2009-01-09 20:11 3321856 ----a-w c:\program files\Electronic Arts\EADM\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2007-03-15 23:16 454784 ----a-w c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 02:12 221184 ----a-w c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 16:44 249856 ----a-w c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 16:44 81920 ----a-w c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-06-02 15:13 267048 ----a-w c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\monitr32]
2001-08-21 22:52 311296 ----a-w c:\program files\Canon\MultiPASS4\monitr32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPTBox]
2001-08-21 22:52 151552 ----a-w c:\program files\Canon\MultiPASS4\mptbox.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
2008-02-26 14:50 988512 ----a-w c:\program files\Norton 360\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 14:50 413696 ----a-w c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2006-07-06 22:53 20034600 ----a-w c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2003-11-19 23:48 32881 ----a-w c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-w c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 07:00 90112 ------w c:\windows\Updreg.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 rdrmqo;rdrmqo; [x]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 COMMONFX.SYS;COMMONFX.SYS; [x]
R3 COMMONFX;COMMONFX; [x]
R3 CTAUDFX.SYS;CTAUDFX.SYS; [x]
R3 CTAUDFX;CTAUDFX; [x]
R3 CTERFXFX.SYS;CTERFXFX.SYS; [x]
R3 CTERFXFX;CTERFXFX; [x]
R3 CTSBLFX.SYS;CTSBLFX.SYS; [x]
R3 CTSBLFX;CTSBLFX; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-12 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-12 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-12 298264]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-16 101936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92b671b6-c4a4-11dd-8690-00123fb0df31}]
\Shell\AutoRun\command - f:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - f:\system\viewer\FlipVideoforPC.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.
**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 06:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2430473397-3533442952-3856520278-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2430473397-3533442952-3856520278-1006\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-2430473397-3533442952-3856520278-1006)
@Allowed: (Read) (S-1-5-21-2430473397-3533442952-3856520278-1006)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(260)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-15 6:41
ComboFix-quarantined-files.txt 2009-04-15 10:41
ComboFix2.txt 2009-04-15 02:07
ComboFix3.txt 2009-04-14 21:30
ComboFix4.txt 2009-04-14 14:06
ComboFix5.txt 2009-04-15 10:36

Pre-Run: 43,337,949,184 bytes free
Post-Run: 43,318,116,352 bytes free

252 --- E O F --- 2009-04-03 07:02

Here is MBAM

Malwarebytes' Anti-Malware 1.36
Database version: 1983
Windows 5.1.2600 Service Pack 3

4/15/2009 6:25:24 AM
mbam-log-2009-04-15 (06-25-24).txt

Scan type: Full Scan (C:\|)
Objects scanned: 195555
Time elapsed: 1 hour(s), 18 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  20. Since running ComboFix, clearly something has changed, as the system initially runs much faster. But it gradually slows down and eventually locks. For that reason I couldn't run an MBAM scan; it just locks up halfway through. Also I can't run certain apps like iTunes or Windows Media. When it locks I reboot, and then it keeps locking. If I reboot and run ComboFix again it runs better for a while and then eventually locks again. Any thoughts?
  21. OK, I'll run a full scan tonight. But I'm curious: ComboFix and HJT don't fix or remove stuff, they simply log it, right? So what have the logs indicated?
  22. Hi there. No, I am not posting to any other forum. I scanned this forum for potential answers before posting... that's where I got RootRepeal. Thanks for looking at this.....

Here is the ComboFix log:

ComboFix 09-04-13.A2 - John and Fran 2009-04-13 19:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1548 [GMT -4:00]
Running from: c:\documents and settings\John and Fran\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Norton 360 *On-access scanning disabled* (Updated)
FW: Norton 360 *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\bszip.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\imas3r
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\t1t.exe
c:\windows\system32\wpcap.dll
c:\windows\winhelp.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.
2009-04-12 23:32 . 2009-04-13 02:05 -------- d--h--w C:\$AVG8.VAULT$
2009-04-12 19:13 . 2009-04-12 19:13 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-12 19:13 . 2009-04-12 19:13 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-12 19:13 . 2009-04-12 19:13 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-12 19:13 . 2009-04-13 22:22 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-12 19:13 . 2009-04-12 19:13 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-12 18:37 . 2009-04-12 18:37 30720 ----a-w c:\windows\system32\drivers\rootrepeal.sys
2009-04-03 10:39 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-03 02:35 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-03 02:33 . 2009-04-03 02:33 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-02 01:47 . 2009-04-03 00:55 -------- d-----w c:\documents and settings\John and Fran\Pavark(2)
2009-03-26 22:38 . 2009-04-01 01:52 189472 ----a-w c:\windows\system32\PnkBstrB.xtr
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 23:46 . 2009-02-19 22:54 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-13 23:46 . 2009-04-03 10:56 7749 ----a-w C:\aaw7boot.log
2009-04-13 22:30 . 2008-12-12 22:07 -------- d-----w c:\documents and settings\John and Fran\Application Data\GrabIt
2009-04-12 19:13 . 2009-04-12 19:13 -------- d-----w c:\program files\AVG
2009-04-12 17:01 . 2009-02-19 22:57 -------- d-----w c:\program files\Norton 360
2009-04-12 16:33 . 2009-02-18 15:19 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:32 . 2009-02-18 15:19 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-02-18 15:19 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 02:33 . 2008-05-20 12:06 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-03 02:33 . 2005-11-23 00:51 -------- d-----w c:\program files\Lavasoft
2009-04-03 00:55 . 2009-04-02 02:05 -------- d-----w c:\program files\FileASSASSIN
2009-04-02 01:52 . 2009-04-02 01:52 -------- d-----w c:\program files\Panda Security
2009-03-06 21:21 . 2007-09-06 23:56 140216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-06 21:21 . 2007-09-06 23:56 201352 ----a-w c:\windows\system32\PnkBstrB.exe
2009-03-02 14:14 . 2009-03-19 19:45 198074 ----a-w c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2009-02-24 15:51 . 2009-02-19 22:56 10635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-24 15:51 . 2009-02-19 22:56 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-02-24 15:51 . 2009-02-19 22:56 60808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-02-24 15:51 . 2009-02-19 22:56 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-24 15:51 . 2009-02-19 22:55 -------- d-----w c:\program files\Symantec
2009-02-21 14:10 . 2006-05-26 19:26 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-20 00:54 . 2006-05-31 23:49 -------- d-----w c:\program files\ewido anti-malware
2009-02-20 00:50 . 2009-02-20 00:50 -------- d-----w c:\program files\CCleaner
2009-02-20 00:13 . 2009-02-06 02:08 -------- d-----w c:\documents and settings\John and Fran\Application Data\Symantec
2009-02-19 22:57 . 2009-02-19 22:57 -------- d-----w c:\program files\Windows Sidebar
2009-02-19 17:03 . 2009-02-19 17:03 579464 ----a-w c:\windows\system32\SymNeti.dll
2009-02-19 17:03 . 2009-02-19 17:03 207240 ----a-w c:\windows\system32\SymRedir.dll
2009-02-19 16:31 . 2009-02-19 16:31 9844 ----a-w c:\windows\system32\drivers\SymRedir.cat
2009-02-19 16:31 . 2009-02-19 16:31 1611 ----a-w c:\windows\system32\drivers\SymRedir.inf
2009-02-19 16:31 . 2008-02-06 21:43 31280 ----a-w c:\windows\system32\drivers\SymIM.sys
2009-02-19 16:31 . 2009-02-19 16:31 41008 ----a-w c:\windows\system32\drivers\symndisv.sys
2009-02-19 16:31 . 2009-02-19 16:31 96560 ----a-w c:\windows\system32\drivers\symfw.sys
2009-02-19 16:31 . 2009-02-19 16:31 38576 ----a-w c:\windows\system32\drivers\symids.sys
2009-02-19 16:31 . 2009-02-19 16:31 37424 ----a-w c:\windows\system32\drivers\symndis.sys
2009-02-19 16:31 . 2009-02-19 16:31 22320 ----a-w c:\windows\system32\drivers\symredrv.sys
2009-02-19 16:31 . 2009-02-19 16:31 184496 ----a-w c:\windows\system32\drivers\symtdi.sys
2009-02-19 16:31 . 2009-02-19 16:31 13616 ----a-w c:\windows\system32\drivers\symdns.sys
2009-02-16 22:59 . 2006-05-26 21:17 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-16 22:59 . 2006-05-26 21:17 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-09 11:13 . 2008-10-15 19:20 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-10 18:51 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 14:55 . 2006-06-01 01:05 1128 ----a-w C:\rapport.txt
2009-01-23 01:04 . 2009-01-23 01:04 16 ----a-w C:\h.txt
2009-01-21 01:06 . 2009-01-21 01:06 444952 ----a-w c:\windows\system32\wrap_oal.dll
2009-01-21 01:06 . 2005-11-08 12:20 109080 ----a-w c:\windows\system32\OpenAL32.dll
2008-07-16 13:12 . 2006-02-12 22:38 29552 ----a-w c:\documents and settings\John and Fran\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-05-31 23:49 . 2006-05-31 23:49 48872 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-12 1932568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\progra~1\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-12 15:13 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm
"msacm.l3codec"= l3codecp.acm
"vidc.3IV2"= 3ivxVfWCodec_dec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2009-03-09 15:06 515416 c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-08-05 23:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-10-17 16:52 51048 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
--a------ 2003-06-18 03:00 45056 c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2003-09-17 12:43 57344 c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 11:09 460784 c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2008-08-13 18:32 206064 c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 03:05 127035 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 09:24 16384 c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 18:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
--a------ 2009-01-09 16:11 3321856 c:\program files\Electronic Arts\EADM\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2007-03-15 19:16 454784 c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 22:12 221184 c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 12:44 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 12:44 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-06-02 11:13 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\monitr32]
--a------ 2001-08-21 18:52 311296 c:\program files\Canon\MultiPASS4\monitr32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPTBox]
--a------ 2001-08-21 18:52 151552 c:\program files\Canon\MultiPASS4\mptbox.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2008-02-26 10:50 988512 c:\program files\Norton 360\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-07-06 18:53 20034600 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 19:48 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 03:00 90112 c:\windows\Updreg.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 rdrmqo;rdrmqo; [x]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 COMMONFX.SYS;COMMONFX.SYS; [x]
R3 COMMONFX;COMMONFX; [x]
R3 CTAUDFX.SYS;CTAUDFX.SYS; [x]
R3 CTAUDFX;CTAUDFX; [x]
R3 CTERFXFX.SYS;CTERFXFX.SYS; [x]
R3 CTERFXFX;CTERFXFX; [x]
R3 CTSBLFX.SYS;CTSBLFX.SYS; [x]
R3 CTSBLFX;CTSBLFX; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-12 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-12 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-12 298264]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-16 101936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92b671b6-c4a4-11dd-8690-00123fb0df31}]
\Shell\AutoRun\command - f:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - f:\system\viewer\FlipVideoforPC.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:06]

2009-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CTHelper - CTHELPER.EXE
MSConfigStartUp-CTXFIREG - CTxfiReg.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.
**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 19:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2430473397-3533442952-3856520278-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2430473397-3533442952-3856520278-1006\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-2430473397-3533442952-3856520278-1006)
@Allowed: (Read) (S-1-5-21-2430473397-3533442952-3856520278-1006)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(340)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-13 19:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-13 23:52

Pre-Run: 47,436,107,776 bytes free
Post-Run: 48,089,309,184 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

274 --- E O F --- 2009-04-03 07:02

and here is the HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:55:10, on 4/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\John and Fran\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - 
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://offsite.cartus.com/msrdp.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. 
- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. 
- C:\Program Files\Dell Support Center\bin\sprtsvc.exe O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe O23 - Service: Symantec RemoteAssist - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe (file missing) -- End of file - 7512 bytes I hope you can use this to advise on how to fix this. Thanks again John
  23. Thanks for reopening this. Here is DDS.txt

and here is attach.txt