Everything posted by TK421

  1. It seems fine now. No more detections since the old restore points were removed.
  2. Deleted all but the most recent restore point. Then ran quick scans with Avast and Malwarebytes. No detections!
  3. Avira continues to detect the same issue, but I notice all detections point here: "C:\System Volume Information\_restore". Is this from old restore points? ESET found nothing.
  4. Hi Maniac, thanks so much for your help. Here's the report from RogueKiller.
  5. Greetings, Avira detects ever-increasing numbers/variations of TR/Kazy. Malwarebytes doesn't seem to be picking it up at all. The laptop in question has only recently come into my possession, so I can't speak to the previous user's security habits (I suspect lack thereof!). Trying to clean it up for a family member to use as a second laptop. Logs from DDS pasted below per instructions. Thanks in advance!
  6. Done, done, and done! Thanks again for your help.
  7. No, everything seems to be running fine. Thanks so much for all your help!!!
  8. I've run ESET twice, and it reports no detections. However, each time the log file contains no information other than: "ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK". Avira and Windows Defender were disabled prior to the scan.
  9. I should mention, "Antivirus 2010" still appears in the program list.
  10. Everything seems to be running fine. I have not noticed any system performance problems throughout this infection.
  11. Avira AntiVir Personal Report file date: Saturday, October 23, 2010 11:20
  12. RkU Version: 3.8.388.590, Type LE (SR2)
  13. Thanks for the quick reply. Here's the Combo-fix log: ComboFix 10-10-17.04 - 10/18/2010 11:47:31.1.2 - x86 Microsoft
  14. Greetings,
      My computer was infected with Rogue Antivirus 2010. I ran full scans with Avira and MBAM which removed several items. Subsequent scans with MBAM keep finding the same problem: "Files Infected: C:\Windows\system32\us?rinit.exe (Rogue.Antivirus2010)". I followed the instructions in the "I'm infected...." post and have copied/attached logs as instructed. Two discrepancies/differences were noted:
      1) Defogger did NOT prompt me to reboot, although I did receive a "finished" message. I manually re-booted.
      2) DDS did not generate two logs as described. Only "DDS.txt" appeared. There was no sign of "Attach.txt."
      Thanks in advance!
      ***********************
      Malwarebytes' Anti-Malware 1.46
      www.malwarebytes.org
      Database version: 4862
      Windows 6.0.6002 Service Pack 2
      Internet Explorer 8.0.6001.18975
      10/17/2010 2:01:50 PM
      mbam-log-2010-10-17 (14-01-50).txt
      Scan type: Quick scan
      Objects scanned: 162282
      Time elapsed: 11 minute(s), 33 second(s)
      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 1
      Memory Processes Infected:
      (No malicious items detected)
      Memory Modules Infected:
      (No malicious items detected)
      Registry Keys Infected:
      (No malicious items detected)
      Registry Values Infected:
      (No malicious items detected)
      Registry Data Items Infected:
      (No malicious items detected)
      Folders Infected:
      (No malicious items detected)
      Files Infected:
      C:\Windows\system32\us?rinit.exe (Rogue.Antivirus2010) -> Quarantined and deleted successfully.
      *************************
      DDS (Ver_10-10-10.03) - NTFSx86
      Run by Patrick at 19:01:55.93 on Sun 10/17/2010
      Internet Explorer: 8.0.6001.18975
      Microsoft Attach.zip