mediashifting popups


feface

Hi,

I have a virus on my computer that hijacks my browser (Firefox).  Occasionally, a new tab is created which goes to a mediashifting url and then redirects to google.  I have run a scan which results in 1 virus, which is not able to be removed, even on reboot.  Log is posted below.

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 911122401

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2011-12-24 15:40:28

mbam-log-2011-12-24 (15-40-28).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 300755

Time elapsed: 1 hour(s), 28 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\assembly\GAC_MSIL\Desktop.ini (Rootkit.0Access) -> Delete on reboot.


.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Run by Xi at 15:44:30 on 2011-12-24

Microsoft Windows XP Home Edition 5.1.2600.3.1252.86.1033.18.1022.302 [GMT 8:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Common Files\Java\Java Update\jucheck.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

"C:\WINDOWS\system32\svchost.exe"

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.uusee.net/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1060922

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

mSearchAssistant = hxxp://bar.baidu.com/sobar/defaultsearch.html

mCustomizeSearch = hxxp://bar.baidu.com/sobar/defaultsearch.html

mURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar6.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mic279~1\office14\URLREDIR.DLL

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar6.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {89FDCC4B-8D91-49B0-81A6-18BCFF582735} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall

mRun: [TkBellExe] "c:\program files\k-lite codec pack\real\update_ob\realsched.exe" -osboot

mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"

mRun: [samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [uUSeeMediaCenter] "c:\program files\common files\uusee\UUSeeMediaCenter.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm

IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe

IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

LSP: mswsock.dll

Trusted Zone: musicmatch.com\online

DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab

DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{5E9F39F9-3B77-4E21-B21B-1DCF52D509FA} : DhcpNameServer = 192.168.0.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: qyl - {C79BF22F-25C4-4D3D-8183-14149EAB9C0C} -

Notify: AtiExtEvent - Ati2evxx.dll

AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

Hosts: 74.125.45.100 www.google.com

Hosts: 209.85.171.100 www.google.com

Hosts: 74.125.77.113 docs.google.com

Hosts: 74.125.77.101 docs.google.com

Hosts: 74.125.77.138 docs.google.com

.

Note: multiple HOSTS entries found. Please refer to Attach.txt

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\xi\application data\mozilla\firefox\profiles\ws0i8kfl.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - plugin: c:\documents and settings\xi\application data\mozilla\firefox\profiles\ws0i8kfl.default\extensions\cctvplayer-plugin@www.cctv.com\plugins\npCCTVplayer.dll

FF - plugin: c:\progra~1\mic279~1\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\mic279~1\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npuuseep.dll

FF - plugin: c:\program files\tom\xpp\npXPPFF.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: CCTV player plugin for Firefox: cctvplayer-plugin@www.cctv.com - %profile%\extensions\cctvplayer-plugin@www.cctv.com

.

============= SERVICES / DRIVERS ===============

.

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-7-26 28544]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-9-10 156968]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-9-22 30192]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

S3 UMSSSTOR;C-Media Storage;c:\windows\system32\drivers\Umss.SYS [2004-7-14 48512]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-10-9 280344]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-12-24 07:40:34 54016 ----a-w- c:\windows\system32\drivers\vnkfc.sys

2011-12-24 05:34:18 -------- d-----w- c:\documents and settings\all users\application data\PC Tools

2011-12-21 08:46:24 -------- d-sh--w- c:\documents and settings\xi\local settings\application data\970a0b06

2011-12-20 19:29:38 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{d79e01b1-8016-41e4-bc1f-5a0aebd7e7b3}\mpengine.dll

.

==================== Find3M ====================

.

2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll

2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec

2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll

2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-10-24 06:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-10-24 06:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-27 03:56:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-26 03:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 03:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 03:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

.

============= FINISH: 15:45:47.55 ===============

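A small triage script, added here as an example (it is not part of this thread and not code from DDS, Malwarebytes or any other tool named above), that parses the "Hosts:" and "Created Last 30" lines of a DDS log and flags the things a helper looks at first: HOSTS entries pinning well-known domains, a kernel driver created in system32\drivers shortly before the scan, and a system+hidden directory with an opaque hex name under a user profile. The sample lines are copied from the DDS log above and the scan time from its header; the three-day window, the watched-domain list and the reading of the DDS attribute flags are assumptions.

```python
"""Triage of DDS-log excerpts (added example; not code from the thread or its tools).

Parses two kinds of lines from a DDS log:
  Hosts: <ip> <hostname>                          (HOSTS file entries)
  <date> <time> <size|--------> <attrs> <path>    ("Created Last 30" entries)
and flags what a malware-removal helper checks first.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_LOG = """\
Hosts: 74.125.45.100 www.google.com
Hosts: 209.85.171.100 www.google.com
Hosts: 74.125.77.113 docs.google.com
2011-12-24 07:40:34 54016 ----a-w- c:\\windows\\system32\\drivers\\vnkfc.sys
2011-12-24 05:34:18 -------- d-----w- c:\\documents and settings\\all users\\application data\\PC Tools
2011-12-21 08:46:24 -------- d-sh--w- c:\\documents and settings\\xi\\local settings\\application data\\970a0b06
2011-11-23 13:25:32 1859584 ----a-w- c:\\windows\\system32\\win32k.sys
"""

SCAN_TIME = datetime(2011, 12, 24, 15, 44, 30)  # DDS header: "Run by Xi at 15:44:30 on 2011-12-24"
RECENT = timedelta(days=3)                       # assumption: window for "recently created" drivers
# Assumption: domains a clean HOSTS file has no reason to pin to fixed addresses.
WATCHED_DOMAINS = ("google.com", "microsoft.com", "malwarebytes.org", "windowsupdate.com")

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)\s*$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+(\S{8})\s+(.*\S)\s*$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$")


def parse_lines(text):
    """Return (hosts, created): hosts as [(ip, host)], created as a list of dicts."""
    hosts, created = [], []
    for line in text.splitlines():
        m = HOSTS_RE.match(line)
        if m:
            hosts.append((m.group(1), m.group(2)))
            continue
        m = CREATED_RE.match(line)
        if m:
            date, time, size, attrs, path = m.groups()
            created.append({
                "when": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
                "size": None if size.startswith("-") else int(size),
                "attrs": attrs,  # DDS flag string, e.g. d-sh--w-: assumed d=dir, s=system, h=hidden
                "path": path,
            })
    return hosts, created


def flag_hosts(hosts):
    """A HOSTS entry pinning a watched domain is a browser-redirection indicator."""
    findings = []
    for ip, host in hosts:
        if any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS):
            findings.append(f"hosts override: {host} -> {ip}")
    return findings


def flag_created(created, scan_time=SCAN_TIME, recent=RECENT):
    """Flag new kernel drivers and hidden hex-named profile directories."""
    findings = []
    for e in created:
        p = e["path"].lower()
        name = p.rsplit("\\", 1)[-1]
        is_dir = e["attrs"].startswith("d")
        # A .sys that appeared in system32\drivers within the window deserves a closer look.
        if (not is_dir and "\\system32\\drivers\\" in p and name.endswith(".sys")
                and timedelta(0) <= scan_time - e["when"] <= recent):
            findings.append(f"new driver: {e['path']} ({e['when']:%Y-%m-%d %H:%M})")
        # System+hidden directory with an opaque hex name under a profile: a common drop location.
        if is_dir and "sh" in e["attrs"] and "application data" in p and HEX_NAME_RE.match(name):
            findings.append(f"hidden hex-named dir: {e['path']}")
    return findings


def triage(text):
    """Run every check over one log excerpt and return the list of findings."""
    hosts, created = parse_lines(text)
    return flag_hosts(hosts) + flag_created(created)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports the three google.com HOSTS pins, vnkfc.sys and the 970a0b06 directory, and stays quiet about win32k.sys and the PC Tools folder.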

Hello feface and welcome to Malwarebytes!

I apologize for the delay.

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log into your reply.

-------------

Please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right-click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):

  • TDSSKiller_log.txt
  • How is the PC running now?
-------------
Please download ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
***IMPORTANT: save ComboFix to your Desktop***
* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Please go here to see a list of programs that should be disabled.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**
Please include the C:\ComboFix.txt in your next reply for further review.
Also, please let me know if any problems still remain.
-------------
Please print out these instructions or copy them to a Notepad file for easier reading, and download MBRCheck by a_d_13 to your Desktop from one of these locations:
http://ad13.geekstogo.com/MBRCheck.exe
http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe
http://www.kernelmode.info/MBRCheck.exe
Close all open programs/windows and double-click on MBRCheck.exe.
It will produce a log file saved automatically on your Desktop as "MBRCheck_[Date]_[Time].txt".
Press the "Enter" key to close the MBRCheck window and post the contents of the log file.
-------------
In your next reply, please include:
  • FSS.txt
  • TDSSKiller report
  • C:\ComboFix.txt
  • MBRCheck report

How is your computer running now?


Thanks for the help.

FSS.txt

Farbar Service Scanner

Ran by Xi (administrator) on 26-12-2011 at 05:13:58

Microsoft Windows XP Home Edition Service Pack 3 (X86)

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys

[2004-08-11 01:51] - [2008-04-14 03:19] - 0075264 ____A () 8AF7B108A602BD4F8071782F4F4D5DF7

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

DNE(8) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)

0x080000000400000001000000020000000300000005000000060000000700000008000000

**** End of log ****


TDSS, Combofix, and MBRCheck logs.

TDSS report:

05:16:53.0296 2352 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16

05:16:55.0296 2352 ============================================================

05:16:55.0296 2352 Current date / time: 2011/12/26 05:16:55.0296

05:16:55.0296 2352 SystemInfo:

05:16:55.0296 2352

05:16:55.0296 2352 OS Version: 5.1.2600 ServicePack: 3.0

05:16:55.0296 2352 Product type: Workstation

05:16:55.0296 2352 ComputerName: XI

05:16:55.0296 2352 UserName: Xi

05:16:55.0296 2352 Windows directory: C:\WINDOWS

05:16:55.0296 2352 System windows directory: C:\WINDOWS

05:16:55.0296 2352 Processor architecture: Intel x86

05:16:55.0296 2352 Number of processors: 2

05:16:55.0296 2352 Page size: 0x1000

05:16:55.0296 2352 Boot type: Normal boot

05:16:55.0296 2352 ============================================================

05:17:01.0734 2352 Initialize success

05:17:13.0359 0224 ============================================================

05:17:13.0359 0224 Scan started

05:17:13.0359 0224 Mode: Manual;

05:17:13.0359 0224 ============================================================


05:17:20.0312 0224 ini910u - ok

05:17:20.0375 0224 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

05:17:20.0375 0224 IntelIde - ok

05:17:20.0421 0224 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

05:17:20.0421 0224 intelppm - ok

05:17:20.0453 0224 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

05:17:20.0453 0224 Ip6Fw - ok

05:17:20.0531 0224 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

05:17:20.0531 0224 IpFilterDriver - ok

05:17:20.0562 0224 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

05:17:20.0562 0224 IpInIp - ok

05:17:20.0625 0224 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

05:17:20.0625 0224 IpNat - ok

05:17:20.0656 0224 IPSec (8af7b108a602bd4f8071782f4f4d5df7) C:\WINDOWS\system32\DRIVERS\ipsec.sys

05:17:20.0656 0224 IPSec - ok

05:17:20.0765 0224 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

05:17:20.0765 0224 IRENUM - ok

05:17:20.0796 0224 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

05:17:20.0796 0224 isapnp - ok

05:17:20.0843 0224 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

05:17:20.0843 0224 Kbdclass - ok

05:17:20.0890 0224 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

05:17:20.0906 0224 kmixer - ok

05:17:20.0937 0224 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

05:17:20.0937 0224 KSecDD - ok

05:17:20.0968 0224 lbrtfdc - ok

05:17:21.0000 0224 MBAMSwissArmy - ok

05:17:21.0046 0224 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

05:17:21.0046 0224 mdmxsdk - ok

05:17:21.0078 0224 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

05:17:21.0078 0224 mnmdd - ok

05:17:21.0140 0224 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

05:17:21.0140 0224 Modem - ok

05:17:21.0156 0224 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

05:17:21.0171 0224 Mouclass - ok

05:17:21.0281 0224 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

05:17:21.0281 0224 mouhid - ok

05:17:21.0296 0224 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

05:17:21.0296 0224 MountMgr - ok

05:17:21.0328 0224 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

05:17:21.0328 0224 mraid35x - ok

05:17:21.0359 0224 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

05:17:21.0359 0224 MRxDAV - ok

05:17:21.0437 0224 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

05:17:21.0437 0224 MRxSmb - ok

05:17:21.0562 0224 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

05:17:21.0562 0224 Msfs - ok

05:17:21.0625 0224 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

05:17:21.0625 0224 MSKSSRV - ok

05:17:21.0640 0224 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

05:17:21.0640 0224 MSPCLOCK - ok

05:17:21.0718 0224 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

05:17:21.0718 0224 MSPQM - ok

05:17:21.0765 0224 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

05:17:21.0765 0224 mssmbios - ok

05:17:21.0796 0224 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys

05:17:21.0796 0224 Mup - ok

05:17:21.0875 0224 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

05:17:21.0875 0224 NDIS - ok

05:17:21.0921 0224 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

05:17:21.0921 0224 NdisTapi - ok

05:17:21.0937 0224 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

05:17:21.0937 0224 Ndisuio - ok

05:17:21.0984 0224 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

05:17:21.0984 0224 NdisWan - ok

05:17:22.0093 0224 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

05:17:22.0093 0224 NDProxy - ok

05:17:22.0125 0224 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

05:17:22.0125 0224 NetBIOS - ok

05:17:22.0156 0224 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

05:17:22.0171 0224 NetBT - ok

05:17:22.0218 0224 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

05:17:22.0218 0224 NIC1394 - ok

05:17:22.0343 0224 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

05:17:22.0343 0224 Npfs - ok

05:17:22.0437 0224 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

05:17:22.0468 0224 Ntfs - ok

05:17:22.0578 0224 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

05:17:22.0578 0224 Null - ok

05:17:22.0687 0224 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

05:17:22.0796 0224 nv - ok

05:17:22.0843 0224 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

05:17:22.0843 0224 NwlnkFlt - ok

05:17:22.0906 0224 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

05:17:22.0906 0224 NwlnkFwd - ok

05:17:23.0078 0224 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

05:17:23.0078 0224 ohci1394 - ok

05:17:23.0140 0224 omci (b17228142cec9b3c222239fd935a37ca) C:\WINDOWS\system32\DRIVERS\omci.sys

05:17:23.0140 0224 omci - ok

05:17:23.0187 0224 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

05:17:23.0203 0224 Parport - ok

05:17:23.0234 0224 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

05:17:23.0234 0224 PartMgr - ok

05:17:23.0281 0224 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

05:17:23.0281 0224 ParVdm - ok

05:17:23.0437 0224 pavboot (210a628a0d7b3f45257850efbff27538) C:\WINDOWS\system32\drivers\pavboot.sys

05:17:23.0437 0224 pavboot - ok

05:17:23.0531 0224 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

05:17:23.0531 0224 PCI - ok

05:17:23.0546 0224 PCIDump - ok

05:17:23.0562 0224 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

05:17:23.0578 0224 PCIIde - ok

05:17:23.0593 0224 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

05:17:23.0593 0224 Pcmcia - ok

05:17:23.0640 0224 PDCOMP - ok

05:17:23.0656 0224 PDFRAME - ok

05:17:23.0671 0224 PDRELI - ok

05:17:23.0687 0224 PDRFRAME - ok

05:17:23.0734 0224 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

05:17:23.0734 0224 perc2 - ok

05:17:23.0765 0224 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

05:17:23.0765 0224 perc2hib - ok

05:17:23.0843 0224 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

05:17:23.0843 0224 PptpMiniport - ok

05:17:23.0937 0224 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

05:17:23.0937 0224 PSched - ok

05:17:23.0984 0224 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

05:17:24.0000 0224 Ptilink - ok

05:17:24.0015 0224 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys

05:17:24.0015 0224 PxHelp20 - ok

05:17:24.0062 0224 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

05:17:24.0062 0224 ql1080 - ok

05:17:24.0140 0224 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

05:17:24.0140 0224 Ql10wnt - ok

05:17:24.0156 0224 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

05:17:24.0156 0224 ql12160 - ok

05:17:24.0234 0224 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

05:17:24.0234 0224 ql1240 - ok

05:17:24.0265 0224 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

05:17:24.0265 0224 ql1280 - ok

05:17:24.0281 0224 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

05:17:24.0281 0224 RasAcd - ok

05:17:24.0328 0224 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

05:17:24.0328 0224 Rasl2tp - ok

05:17:24.0390 0224 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

05:17:24.0390 0224 RasPppoe - ok

05:17:24.0406 0224 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

05:17:24.0406 0224 Raspti - ok

05:17:24.0500 0224 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

05:17:24.0500 0224 Rdbss - ok

05:17:24.0546 0224 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

05:17:24.0546 0224 RDPCDD - ok

05:17:24.0593 0224 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

05:17:24.0593 0224 rdpdr - ok

05:17:24.0750 0224 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys

05:17:24.0765 0224 RDPWD - ok

05:17:24.0843 0224 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

05:17:24.0843 0224 redbook - ok

05:17:24.0937 0224 rimmptsk (24ed7af20651f9fa1f249482e7c1f165) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys

05:17:24.0937 0224 rimmptsk - ok

05:17:24.0968 0224 rimsptsk (1bdba2d2d402415a78a4ba766dfe0f7b) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys

05:17:24.0968 0224 rimsptsk - ok

05:17:25.0000 0224 rismxdp (f774ecd11a064f0debb2d4395418153c) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys

05:17:25.0015 0224 rismxdp - ok

05:17:25.0031 0224 rootrepeal - ok

05:17:25.0109 0224 SCDEmu (c23dbd9bfba8b1170706e0896b3cf7da) C:\WINDOWS\system32\drivers\SCDEmu.sys

05:17:25.0109 0224 SCDEmu - ok

05:17:25.0171 0224 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys

05:17:25.0171 0224 sdbus - ok

05:17:25.0218 0224 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

05:17:25.0218 0224 Secdrv - ok

05:17:25.0359 0224 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

05:17:25.0359 0224 serenum - ok

05:17:25.0437 0224 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

05:17:25.0437 0224 Serial - ok

05:17:25.0546 0224 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

05:17:25.0546 0224 Sfloppy - ok

05:17:25.0562 0224 Simbad - ok

05:17:25.0625 0224 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys

05:17:25.0625 0224 sisagp - ok

05:17:25.0656 0224 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

05:17:25.0671 0224 Sparrow - ok

05:17:25.0750 0224 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

05:17:25.0750 0224 splitter - ok

05:17:25.0796 0224 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

05:17:25.0796 0224 sr - ok

05:17:25.0890 0224 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

05:17:25.0906 0224 Srv - ok

05:17:25.0937 0224 SSPORT - ok

05:17:26.0078 0224 STHDA (3ad78e22210d3fbd9f76de84a8df19b5) C:\WINDOWS\system32\drivers\sthda.sys

05:17:26.0140 0224 STHDA - ok

05:17:26.0234 0224 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

05:17:26.0234 0224 swenum - ok

05:17:26.0265 0224 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

05:17:26.0265 0224 swmidi - ok

05:17:26.0328 0224 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

05:17:26.0328 0224 symc810 - ok

05:17:26.0375 0224 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

05:17:26.0375 0224 symc8xx - ok

05:17:26.0437 0224 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

05:17:26.0453 0224 sym_hi - ok

05:17:26.0484 0224 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

05:17:26.0484 0224 sym_u3 - ok

05:17:26.0546 0224 SynTP (fa2daa32bed908023272a0f77d625dae) C:\WINDOWS\system32\DRIVERS\SynTP.sys

05:17:26.0562 0224 SynTP - ok

05:17:26.0656 0224 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

05:17:26.0656 0224 sysaudio - ok

05:17:26.0734 0224 taphss (0c3b2a9c4bd2dd9a6c2e4084314dd719) C:\WINDOWS\system32\DRIVERS\taphss.sys

05:17:26.0734 0224 taphss - ok

05:17:26.0796 0224 tapvpn (27a2c318cd28cfb3eb2200fd96af1e58) C:\WINDOWS\system32\DRIVERS\tapvpn.sys

05:17:26.0796 0224 tapvpn - ok

05:17:26.0875 0224 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

05:17:26.0875 0224 Tcpip - ok

05:17:26.0984 0224 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

05:17:26.0984 0224 TDPIPE - ok

05:17:27.0046 0224 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

05:17:27.0046 0224 TDTCP - ok

05:17:27.0078 0224 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

05:17:27.0093 0224 TermDD - ok

05:17:27.0171 0224 tmcomm (df8444a8fa8fd38d8848bdd40a8403b3) C:\WINDOWS\system32\drivers\tmcomm.sys

05:17:27.0171 0224 tmcomm - ok

05:17:27.0265 0224 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

05:17:27.0265 0224 TosIde - ok

05:17:27.0359 0224 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

05:17:27.0359 0224 Udfs - ok

05:17:27.0437 0224 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

05:17:27.0437 0224 ultra - ok

05:17:27.0515 0224 UMSSSTOR (d3c985fa303bc571ce36fbd93b5355b5) C:\WINDOWS\system32\DRIVERS\UMSS.SYS

05:17:27.0531 0224 UMSSSTOR - ok

05:17:27.0593 0224 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

05:17:27.0593 0224 Update - ok

05:17:27.0734 0224 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys

05:17:27.0734 0224 USBAAPL - ok

05:17:27.0781 0224 usbbus (9419faac6552a51542dbba02971c841c) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys

05:17:27.0781 0224 usbbus - ok

05:17:27.0843 0224 UsbDiag (c0a466fa4ffec464320e159bc1bbdc0c) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys

05:17:27.0843 0224 UsbDiag - ok

05:17:27.0906 0224 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

05:17:27.0906 0224 usbehci - ok

05:17:27.0953 0224 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

05:17:27.0968 0224 usbhub - ok

05:17:28.0046 0224 USBModem (f74a54774a9b0afeb3c40adec68aa600) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys

05:17:28.0062 0224 USBModem - ok

05:17:28.0156 0224 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

05:17:28.0156 0224 usbprint - ok

05:17:28.0187 0224 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

05:17:28.0187 0224 USBSTOR - ok

05:17:28.0250 0224 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

05:17:28.0250 0224 usbuhci - ok

05:17:28.0281 0224 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

05:17:28.0281 0224 VgaSave - ok

05:17:28.0578 0224 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

05:17:28.0578 0224 viaagp - ok

05:17:28.0656 0224 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

05:17:28.0656 0224 ViaIde - ok

05:17:28.0687 0224 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

05:17:28.0703 0224 VolSnap - ok

05:17:28.0765 0224 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys

05:17:28.0828 0224 vsdatant - ok

05:17:28.0953 0224 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

05:17:28.0953 0224 Wanarp - ok

05:17:28.0968 0224 wanatw - ok

05:17:28.0984 0224 WDICA - ok

05:17:29.0015 0224 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

05:17:29.0015 0224 wdmaud - ok

05:17:29.0171 0224 winachsf (74cf3f2e4e40c4a2e18d39d6300a5c24) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

05:17:29.0187 0224 winachsf - ok

05:17:29.0296 0224 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

05:17:29.0296 0224 WudfPf - ok

05:17:29.0375 0224 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

05:17:29.0375 0224 WudfRd - ok

05:17:29.0437 0224 MBR (0x1B8) (823ca895571a1d99983f2953dc6838e7) \Device\Harddisk0\DR0

05:17:29.0468 0224 \Device\Harddisk0\DR0 - ok

05:17:29.0500 0224 Boot (0x1200) (acecbe0fb7eb6dd1b5524b1031b1ebf5) \Device\Harddisk0\DR0\Partition0

05:17:29.0500 0224 \Device\Harddisk0\DR0\Partition0 - ok

05:17:29.0546 0224 Boot (0x1200) (241d22b60e0c1e93784bf2acdd9a2e7b) \Device\Harddisk0\DR0\Partition1

05:17:29.0546 0224 \Device\Harddisk0\DR0\Partition1 - ok

05:17:29.0546 0224 ============================================================

05:17:29.0546 0224 Scan finished

05:17:29.0546 0224 ============================================================

05:17:29.0562 0476 Detected object count: 0

05:17:29.0562 0476 Actual detected object count: 0

05:18:42.0531 3312 Deinitialize success

ComboFix report:

ComboFix 11-12-23.01 - Xi 2011-12-26 5:43.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.86.1033.18.1022.705 [GMT 8:00]

Running from: c:\documents and settings\Xi\Desktop\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\SECB1E.tmp

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\Xi\Application Data\pdinstall.exe

c:\documents and settings\Xi\Local Settings\Application Data\970a0b06\U

c:\documents and settings\Xi\Local Settings\Application Data\970a0b06\U\000000c0.@

c:\documents and settings\Xi\Local Settings\Application Data\970a0b06\U\000000cb.@

c:\documents and settings\Xi\Local Settings\Application Data\970a0b06\U\000000cf.@

c:\documents and settings\Xi\Local Settings\Application Data\970a0b06\U\800000c0.@

c:\documents and settings\Xi\My Documents\~WRD3404.tmp

c:\documents and settings\Xi\My Documents\~WRL0043.tmp

c:\documents and settings\Xi\My Documents\~WRL0071.tmp

c:\documents and settings\Xi\My Documents\~WRL0406.tmp

c:\documents and settings\Xi\My Documents\~WRL1158.tmp

c:\documents and settings\Xi\My Documents\~WRL1305.tmp

c:\documents and settings\Xi\My Documents\~WRL1758.tmp

c:\documents and settings\Xi\My Documents\~WRL1973.tmp

c:\documents and settings\Xi\My Documents\~WRL2036.tmp

c:\documents and settings\Xi\My Documents\~WRL2389.tmp

c:\documents and settings\Xi\My Documents\~WRL3706.tmp

c:\program files\Mozilla Firefox\plugins\npuuseep.dll

c:\program files\StormII

c:\program files\StormII\Codec\QTSystem\QuickTime.qtp

c:\windows\$NtUninstallKB25587$\2534017798\@

c:\windows\$NtUninstallKB25587$\2534017798\L\odetmngk

c:\windows\$NtUninstallKB25587$\2534017798\loader.tlb

c:\windows\$NtUninstallKB25587$\2534017798\U\@00000001

c:\windows\$NtUninstallKB25587$\2534017798\U\@000000c0

c:\windows\$NtUninstallKB25587$\2534017798\U\@000000cb

c:\windows\$NtUninstallKB25587$\2534017798\U\@000000cf

c:\windows\$NtUninstallKB25587$\2534017798\U\@80000000

c:\windows\$NtUninstallKB25587$\2534017798\U\@800000c0

c:\windows\$NtUninstallKB25587$\2534017798\U\@800000cb

c:\windows\$NtUninstallKB25587$\2534017798\U\@800000cf

c:\windows\$NtUninstallKB25587$\3721181436

c:\windows\assembly\GAC_MSIL\desktop.ini

c:\windows\Down_Temp

c:\windows\Downloaded Installations\BMP

c:\windows\Downloaded Installations\BMP\{77976D5E-C17A-49E5-A91B-D7BFA08301CB}\1033.MST

c:\windows\Downloaded Installations\BMP\{77976D5E-C17A-49E5-A91B-D7BFA08301CB}\BACS.msi

c:\windows\sosuo.col

c:\windows\struct~.ini

c:\windows\system32\

c:\windows\system32\inf

c:\windows\system32\mywfhit.ini

c:\windows\system32\mywfhit.ini.tmp

c:\windows\system32\nsis_loader.dll

c:\windows\system32\oobe\isperror

c:\windows\system32\oobe\isperror\ispcnerr.htm

c:\windows\system32\oobe\isperror\ispdtone.htm

c:\windows\system32\oobe\isperror\isphdshk.htm

c:\windows\system32\oobe\isperror\ispins.htm

c:\windows\system32\oobe\isperror\ispnoanw.htm

c:\windows\system32\oobe\isperror\isppberr.htm

c:\windows\system32\oobe\isperror\ispphbsy.htm

c:\windows\system32\oobe\isperror\ispsbusy.htm

c:\windows\system32\SET128.tmp

c:\windows\system32\SET12B.tmp

c:\windows\system32\SET137.tmp

c:\windows\system32\SET139.tmp

c:\windows\system32\SET13F.tmp

c:\windows\system32\SET140.tmp

c:\windows\system32\SET142.tmp

c:\windows\system32\SET144.tmp

c:\windows\system32\SET145.tmp

c:\windows\system32\setb5.tmp

c:\windows\system32\tmpdcj0.exe

c:\windows\$NtUninstallKB25587$ . . . . Failed to delete

.

Infected copy of c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP846\A0097864.exe

.

Infected copy of c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP846\A0097865.exe

.

Infected copy of c:\windows\system32\Ati2evxx.exe was found and disinfected

Restored copy from - c:\i386\ati2evxx.exe

.

Infected copy of c:\program files\Cisco Systems\VPN Client\cvpnd.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP846\A0097866.exe

.

Infected copy of c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP846\A0097867.exe

.

Infected copy of c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP847\A0097982.exe

.

Infected copy of c:\program files\iPod\bin\iPodService.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP846\A0097872.exe

.

Infected copy of c:\program files\Java\jre6\bin\jqs.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP846\A0097868.exe

.

Infected copy of c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE was found and disinfected

Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP846\A0097869.EXE

.

Infected copy of c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP846\A0097870.exe

.

Infected copy of c:\program files\Dell\QuickSet\NICCONFIGSVC.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP846\A0097871.exe

.

Infected copy of c:\windows\System32\WLTRYSVC.EXE was found and disinfected

Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP847\A0098075.EXE

.

.

((((((((((((((((((((((((( Files Created from 2011-11-25 to 2011-12-25 )))))))))))))))))))))))))))))))

.

.

2011-12-24 05:34 . 2011-12-24 05:34 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2011-12-21 08:46 . 2011-12-25 21:56 -------- d-sh--w- c:\documents and settings\Xi\Local Settings\Application Data\970a0b06

2011-12-20 19:29 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{D79E01B1-8016-41E4-BC1F-5A0AEBD7E7B3}\mpengine.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-23 13:25 . 2004-08-10 17:51 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-21 10:47 . 2009-07-28 09:28 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2011-11-04 19:20 . 2004-08-10 17:51 916992 ----a-w- c:\windows\system32\wininet.dll

2011-11-04 19:20 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-11-04 19:20 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-11-04 11:23 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec

2011-11-01 16:07 . 2004-08-10 17:51 1288704 ----a-w- c:\windows\system32\ole32.dll

2011-10-28 05:31 . 2004-08-10 17:50 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-10-25 13:37 . 2004-08-10 17:51 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-10-25 12:52 . 2004-08-04 03:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-10-24 06:29 . 2011-10-24 06:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-10-24 06:29 . 2011-10-24 06:29 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-10-18 11:13 . 2004-08-10 17:51 186880 ----a-w- c:\windows\system32\encdec.dll

2011-10-10 14:22 . 2004-08-10 18:02 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06 . 2004-08-10 17:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-27 03:56 . 2011-06-13 08:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2010-12-13 14:20 . 2007-08-14 22:22 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 68856]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-12-13 30192]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-09-10 177448]

"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2007-06-29 520192]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-12 127036]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-26 59240]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-20 519584]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-22 24576]

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PPTV.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PPTV.lnk

backup=c:\windows\pss\PPTV.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"HssTrayService"=3 (0x3)

"HotspotShieldService"=2 (0x2)

"ccosm"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\dmremote.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\FlashGet\\flashget.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=

"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=

"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=

"c:\\Documents and Settings\\Xi\\My Documents\\Downloads\\sdasetup_revwire207.exe"=

"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=

"c:\\Documents and Settings\\Xi\\Desktop\\TDSSKiller.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"135:TCP"= 135:TCP:TCP port 135

"50000:UDP"= 50000:UDP:sina_live

"50001:UDP"= 50001:UDP:sina_live

"6001:TCP"= 6001:TCP:sina_live

"6002:TCP"= 6002:TCP:sina_live

.

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-7-26 16:49 28544]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-9-10 15:03 156968]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 13:16 130384]

S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-9-22 13:38 30192]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 21:37 4640000]

S3 UMSSSTOR;C-Media Storage;c:\windows\system32\drivers\Umss.SYS [2004-7-14 0:40 48512]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 13:16 753504]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

sina_live_deamon REG_MULTI_SZ sina_live_deamon

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 09:57]

.

2011-12-23 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 11:20]

.

2011-04-15 c:\windows\Tasks\switchShakeIcon.job

- c:\program files\NCH Swift Sound\Switch\switch.exe [2011-04-12 10:11]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.uusee.net/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm

IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

Trusted Zone: musicmatch.com\online

TCP: DhcpNameServer = 192.168.0.1

Handler: qyl - {C79BF22F-25C4-4D3D-8183-14149EAB9C0C} -

DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll

FF - ProfilePath - c:\documents and settings\Xi\Application Data\Mozilla\Firefox\Profiles\ws0i8kfl.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: CCTV player plugin for Firefox: cctvplayer-plugin@www.cctv.com - %profile%\extensions\cctvplayer-plugin@www.cctv.com

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

HKLM-Run-TkBellExe - c:\program files\K-Lite Codec Pack\Real\Update_OB\realsched.exe

HKLM-Run-UUSeeMediaCenter - c:\program files\Common Files\uusee\UUSeeMediaCenter.exe

SafeBoot-WinDefend

MSConfigStartUp-PPAP - c:\program files\Common Files\PPLiveNetwork\PPAP.exe

MSConfigStartUp-PPLiveVA - c:\program files\PPLive\PPVA\PPLiveVA.exe

AddRemove-Move Networks Player_is1 - c:\documents and settings\Xi\Application Data\Move Networks\ie_bin\unins000.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-26 06:04

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-3689998133-615260391-1029485202-1007\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft PowerPoint\Settings\Sb*_\File Name MRU]

"Value"=multi:"\00\00"

"Maximum Entries"=dword:0000000a

.

[HKEY_USERS\S-1-5-21-3689998133-615260391-1029485202-1007\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft PowerPoint\Settings\Sb*_\View]

"Data"=hex:03,00,00,00,14,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,

00,00,00,00,00,00,28,00,00,00,14,00,00,00,14,00,00,00,14,00,00,00,0b,00,00,\

.

[HKEY_USERS\S-1-5-21-3689998133-615260391-1029485202-1007\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Sb*_\File Name MRU]

"Value"=multi:"yuhui question\00\00"

"Maximum Entries"=dword:0000000a

.

[HKEY_USERS\S-1-5-21-3689998133-615260391-1029485202-1007\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Sb*_\View]

"Data"=hex:03,00,00,00,14,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,

00,00,03,00,00,00,28,00,00,00,14,00,00,00,14,00,00,00,14,00,00,00,0b,00,00,\

.

[HKEY_USERS\S-1-5-21-3689998133-615260391-1029485202-1007\Software\Microsoft\Office\9.0\Common\Open Find\Office\Settings\Sb*_ *O*f*f*i*c*e* *‡ech\File Name MRU]

"Value"=multi:"\00\00"

"Maximum Entries"=dword:0000000a

.

[HKEY_USERS\S-1-5-21-3689998133-615260391-1029485202-1007\Software\Microsoft\Office\9.0\Common\Open Find\Office\Settings\Sb*_ *O*f*f*i*c*e* *‡ech\View]

"Data"=hex:03,00,00,00,14,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,

00,00,03,00,00,00,28,00,00,00,14,00,00,00,14,00,00,00,14,00,00,00,0b,00,00,\

.

[HKEY_USERS\S-1-5-21-3689998133-615260391-1029485202-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4F55F7CF-07D1-74FC-7265-F5A496D1F84C}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1076)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\BCMLogon.dll

.

- - - - - - - > 'explorer.exe'(660)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\stsystra.exe

c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe

c:\program files\Dell\QuickSet\NICCONFIGSVC.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2011-12-26 06:11:18 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-25 22:10

.

Pre-Run: 3,053,645,824 bytes free

Post-Run: 4,078,051,328 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 76E42785350DFE5A3F7D30263D8CAD6C

MBR Report:

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Home Edition

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0000001c

Kernel Drivers (total 141):

0x804D7000 \WINDOWS\system32\ntkrnlpa.exe

0x806E5000 \WINDOWS\system32\hal.dll

0xF7A9D000 \WINDOWS\system32\KDCOM.DLL

0xF79AD000 \WINDOWS\system32\BOOTVID.dll

0xF746E000 ACPI.sys

0xF7A9F000 \WINDOWS\system32\DRIVERS\WMILIB.SYS

0xF745D000 pci.sys

0xF759D000 isapnp.sys

0xF79B1000 compbatt.sys

0xF79B5000 \WINDOWS\system32\DRIVERS\BATTC.SYS

0xF7B65000 pciide.sys

0xF781D000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

0xF75AD000 MountMgr.sys

0xF743E000 ftdisk.sys

0xF7825000 PartMgr.sys

0xF782D000 pavboot.sys

0xF75BD000 VolSnap.sys

0xF7426000 atapi.sys

0xF75CD000 disk.sys

0xF75DD000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xF7406000 fltmgr.sys

0xF73F4000 sr.sys

0xF73DE000 DRVMCDB.SYS

0xF75ED000 PxHelp20.sys

0xF73C7000 KSecDD.sys

0xF733A000 Ntfs.sys

0xF730D000 NDIS.sys

0xF75FD000 Combo-Fix.sys

0xF760D000 ohci1394.sys

0xF761D000 \WINDOWS\system32\DRIVERS\1394BUS.SYS

0xF72F3000 Mup.sys

0xF763D000 \SystemRoot\system32\DRIVERS\nic1394.sys

0xF777D000 \SystemRoot\system32\DRIVERS\intelppm.sys

0xF7A91000 \SystemRoot\system32\DRIVERS\CmBatt.sys

0xF6789000 \SystemRoot\system32\DRIVERS\ati2mtag.sys

0xF6775000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

0xF674D000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0xF66E5000 \SystemRoot\system32\DRIVERS\bcmwl5.sys

0xF793D000 \SystemRoot\system32\DRIVERS\usbuhci.sys

0xF66C1000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0xF7945000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xF778D000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys

0xF66AD000 \SystemRoot\system32\DRIVERS\sdbus.sys

0xF794D000 \SystemRoot\system32\DRIVERS\rimmptsk.sys

0xF779D000 \SystemRoot\system32\DRIVERS\rimsptsk.sys

0xF6661000 \SystemRoot\system32\DRIVERS\rixdptsk.sys

0xF77AD000 \SystemRoot\system32\DRIVERS\i8042prt.sys

0xF6632000 \SystemRoot\system32\DRIVERS\SynTP.sys

0xF7ACF000 \SystemRoot\system32\DRIVERS\USBD.SYS

0xF7955000 \SystemRoot\system32\DRIVERS\mouclass.sys

0xF795D000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0xF77BD000 \SystemRoot\system32\DRIVERS\imapi.sys

0xF7AD1000 \SystemRoot\System32\Drivers\DLACDBHM.SYS

0xF77CD000 \SystemRoot\system32\DRIVERS\cdrom.sys

0xF77DD000 \SystemRoot\system32\DRIVERS\redbook.sys

0xF660F000 \SystemRoot\system32\DRIVERS\ks.sys

0xF7965000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

0xF72C7000 \SystemRoot\system32\DRIVERS\fsvga.sys

0xF65F4000 \SystemRoot\system32\DRIVERS\dne2000.sys

0xF7CE1000 \SystemRoot\system32\DRIVERS\audstub.sys

0xF77ED000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0xF72BF000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0xF65DD000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0xF77FD000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0xF780D000 \SystemRoot\system32\DRIVERS\raspptp.sys

0xF796D000 \SystemRoot\system32\DRIVERS\TDI.SYS

0xF65CC000 \SystemRoot\system32\DRIVERS\psched.sys

0xF764D000 \SystemRoot\system32\DRIVERS\msgpc.sys

0xF7975000 \SystemRoot\system32\DRIVERS\ptilink.sys

0xF797D000 \SystemRoot\system32\DRIVERS\raspti.sys

0xF765D000 \SystemRoot\system32\DRIVERS\tapvpn.sys

0xF69A9000 \SystemRoot\system32\DRIVERS\termdd.sys

0xF7AD3000 \SystemRoot\system32\DRIVERS\swenum.sys

0xF656E000 \SystemRoot\system32\DRIVERS\update.sys

0xF72B7000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0xF7985000 \SystemRoot\system32\DRIVERS\omci.sys

0xF6999000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xF22A6000 \SystemRoot\system32\drivers\sthda.sys

0xF2282000 \SystemRoot\system32\drivers\portcls.sys

0xF6969000 \SystemRoot\system32\drivers\drmk.sys

0xF2250000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys

0xF2153000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys

0xF20A3000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys

0xF798D000 \SystemRoot\System32\Drivers\Modem.SYS

0xF6959000 \SystemRoot\system32\DRIVERS\usbhub.sys

0xF7A5D000 \SystemRoot\System32\Drivers\i2omgmt.SYS

0xF7AE3000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xF7C93000 \SystemRoot\System32\Drivers\Null.SYS

0xF7AE5000 \SystemRoot\System32\Drivers\Beep.SYS

0xF799D000 \SystemRoot\System32\Drivers\DLARTL_N.SYS

0xF79A5000 \SystemRoot\System32\drivers\vga.sys

0xF7AE7000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xF7AE9000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xF783D000 \SystemRoot\System32\Drivers\Msfs.SYS

0xF7855000 \SystemRoot\System32\Drivers\Npfs.SYS

0xF7A61000 \SystemRoot\system32\DRIVERS\rasacd.sys

0xF6949000 \SystemRoot\system32\DRIVERS\ipsec.sys

0xF1342000 \SystemRoot\system32\DRIVERS\tcpip.sys

0xF131A000 \SystemRoot\system32\DRIVERS\netbt.sys

0xF12F8000 \SystemRoot\System32\drivers\afd.sys

0xF6939000 \SystemRoot\system32\DRIVERS\netbios.sys

0xF6919000 \SystemRoot\System32\Drivers\SCDEmu.SYS

0xF11DD000 \SystemRoot\system32\DRIVERS\rdbss.sys

0xF1145000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0xF766D000 \SystemRoot\System32\Drivers\Fips.SYS

0xF208B000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS

0xF768D000 \SystemRoot\System32\Drivers\Cdfs.SYS

0xF112D000 \SystemRoot\System32\Drivers\dump_atapi.sys

0xF7AF5000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0xF1238000 \SystemRoot\System32\drivers\Dxapi.sys

0xF7865000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0xF7BA2000 \SystemRoot\System32\drivers\dxgthk.sys

0xBF012000 \SystemRoot\System32\ati2dvag.dll

0xBF055000 \SystemRoot\System32\ati2cqag.dll

0xBF09A000 \SystemRoot\System32\atikvmag.dll

0xBF0DC000 \SystemRoot\System32\ati3duag.dll

0xBF37D000 \SystemRoot\System32\ativvaxx.dll

0xBF529000 \SystemRoot\System32\ATMFD.DLL

0xF775D000 \SystemRoot\System32\Drivers\DRVNDDM.SYS

0xF7C69000 \SystemRoot\System32\DLA\DLADResN.SYS

0xEEFD7000 \SystemRoot\System32\DLA\DLAIFS_M.SYS

0xEF055000 \SystemRoot\System32\DLA\DLAOPIOM.SYS

0xF7B05000 \SystemRoot\System32\DLA\DLAPoolM.SYS

0xF787D000 \SystemRoot\System32\DLA\DLABOIOM.SYS

0xEEFBF000 \SystemRoot\System32\DLA\DLAUDFAM.SYS

0xEEFA9000 \SystemRoot\System32\DLA\DLAUDF_M.SYS

0xEEFF9000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0xEEC9C000 \SystemRoot\system32\drivers\wdmaud.sys

0xEEDF9000 \SystemRoot\system32\drivers\sysaudio.sys

0xEE6A1000 \SystemRoot\system32\DRIVERS\mrxdav.sys

0xEE5F5000 \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys

0xEE54D000 \SystemRoot\system32\DRIVERS\srv.sys

0xEE691000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys

0xEE4E5000 \??\C:\WINDOWS\system32\drivers\tmcomm.sys

0xEE497000 \SystemRoot\system32\DRIVERS\ipnat.sys

0xEE24E000 \SystemRoot\System32\Drivers\HTTP.sys

0xF78CD000 \??\C:\ComboFix\catchme.sys

0xF7B5B000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS

0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 38):

0 System Idle Process

4 System

1000 C:\WINDOWS\system32\smss.exe

1048 csrss.exe

1076 C:\WINDOWS\system32\winlogon.exe

1120 C:\WINDOWS\system32\services.exe

1132 C:\WINDOWS\system32\lsass.exe

1316 C:\WINDOWS\system32\Ati2evxx.exe

1332 C:\WINDOWS\system32\svchost.exe

1480 svchost.exe

1512 C:\WINDOWS\system32\svchost.exe

1708 svchost.exe

1940 C:\WINDOWS\system32\WLTRYSVC.EXE

1952 C:\WINDOWS\system32\BCMWLTRY.EXE

2008 C:\WINDOWS\system32\spoolsv.exe

712 C:\WINDOWS\system32\Ati2evxx.exe

388 C:\Program Files\Common Files\Java\Java Update\jusched.exe

404 C:\WINDOWS\system32\WLTRAY.EXE

416 C:\WINDOWS\stsystra.exe

424 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

444 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

976 C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe

992 C:\WINDOWS\system32\dla\DLACTRLW.EXE

1268 C:\Program Files\iTunes\iTunesHelper.exe

1404 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

700 C:\Program Files\Digital Line Detect\DLG.exe

1876 svchost.exe

268 C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

340 C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

516 C:\Program Files\Java\jre6\bin\jqs.exe

1976 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

676 C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe

608 C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

2156 wmiprvse.exe

2608 C:\Program Files\iPod\bin\iPodService.exe

1688 C:\WINDOWS\system32\wscntfy.exe

660 C:\WINDOWS\explorer.exe

228 C:\Documents and Settings\Xi\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)

\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000014`2d6e5000 (NTFS)

PhysicalDrive0 Model Number: WDCWD1200BEVS-75LAT0, Rev: 02.06M02

Size     Device Name          MBR Status
-------  -------------------  ----------------
110 GB   \\.\PhysicalDrive0   Unknown MBR code

SHA1: D21BD8D161AAE2A5526E0F37D27A127EF80AC72E

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Options:

[1] Dump the MBR of a physical disk to file.

[2] Restore the MBR of a physical disk with a standard boot code.

[3] Exit.

Enter your choice:

Done!


Computer currently has no internet connection. All efforts to repair connections have failed. Both ethernet and wireless connections are able to connect to the router, but the computer cannot obtain an IP address. Trying to repair the ethernet connection yields an error about a failure to query TCP/IP settings.

I don't know if it is relevant, but during the running of Combofix, after it had asked to restart my computer, there was a Windows Application Error - Instruction at "some address" referenced memory at "some address". The memory could not be "written". Since combofix was still running, I ignored the error and let it finish.

Thanks again for the help.


You've got quite a nasty infection on your computer. We need to gather some more information about it before we take the next steps.

Please do the following:

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

---------

Download the latest version of Kaspersky Virus Removal Tool

  • Close all other applications and double-click and run the installer.
  • When the Kaspersky Virus Removal Tool starts, to the right of Security Level click Recommended, and select Settings.
  • In the window that opens (Autoscan), in the Scope tab place a checkmark to the left of Parse email formats.
  • Click the Additional tab and click to place a checkmark to the left of Deep scan, and click OK.
  • Select all the scannable items except for CD-ROM drives and click the Start scan button.
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threat remains in the Scan window (red exclamation point), click the Neutralize all button.
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
  • In the Scan window click the Reports button and select Save to file.
  • Name the report AVPT.txt, and save it to the Desktop.
  • Close AVPTool.
  • You will be prompted if you want to uninstall the program; click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste the first part of the report (Detected) that you saved in your next reply.

---------

Please include the ESET Online Scan report as well as the Kaspersky AVPTool report in your next reply.

Please let me know how things are running now as well.


I cannot run the online scan due to the internet connection problems, but will download the Kaspersky on a different computer and then transfer the file over.

Sounds good. Using a DVD or CD would be the safest, as this infection could possibly install itself onto removable flash drives.


I ran the Kaspersky VRT. The format of the report does not list the detected items first. I will copy the lines that are not "ok", "archive", or "packed" below.

Automatic Scan: completed 30 minutes ago (events: 436873, objects: 427799, time: 02:46:57)

2011-12-26 18:48:58 Detected: not-a-virus:NetTool.Win32.UltraSurf.gu C:\Documents and Settings\Xi\Application Data\Thunderbird\Profiles\7qi442ff.default\ImapMail\imap.googlemail.com\INBOX/[From Stephen Wang <sswang@gmail.com>][Date 27 Dec 2009 13:15:40][subj Re: web proxy]/u98/u98.exe Information

2011-12-26 19:17:05 Detected: Trojan-Spy.HTML.Fraud.gen C:\Documents and Settings\Xi\Application Data\Thunderbird\Profiles\7qi442ff.default\ImapMail\imap.googlemail.com\[Gmail].sbd\All Mail/[From "service@paypal.com" <service@paypal.com>][Date 26 Mar 2005 07:28:01][subj Unauthorized Account Access: (Routing code: W7S-LQ3-L-X3)]/html

2011-12-26 19:40:08 Detected: Trojan.Win32.Patched.mf C:\WINDOWS\system32\BCMWLTRY.EXE

2011-12-26 19:45:59 Detected: HEUR:Trojan.Win32.Generic C:\WINDOWS\system32\drivers\ipsec.sys

2011-12-26 20:02:45 Untreated: Trojan-Spy.HTML.Fraud.gen C:\Documents and Settings\Xi\Application Data\Thunderbird\Profiles\7qi442ff.default\ImapMail\imap.googlemail.com\[Gmail].sbd\All Mail/[From "service@paypal.com" <service@paypal.com>][Date 26 Mar 2005 07:28:01][subj Unauthorized Account Access: (Routing code: W7S-LQ3-L-X3)]/html Write not supported

2011-12-26 20:03:14 Deleted: Trojan-Spy.HTML.Fraud.gen C:\Documents and Settings\Xi\Application Data\Thunderbird\Profiles\7qi442ff.default\ImapMail\imap.googlemail.com\[Gmail].sbd\All Mail

2011-12-26 20:04:09 Deleted: HEUR:Trojan.Win32.Generic HKLM\System\ControlSet001\Services\IPSec\IPSec

2011-12-26 20:04:13 Deleted: HEUR:Trojan.Win32.Generic HKLM\System\ControlSet002\Services\IPSec\IPSec

2011-12-26 20:04:17 Deleted: HEUR:Trojan.Win32.Generic HKLM\System\ControlSet003\Services\IPSec\IPSec

2011-12-26 20:04:39 Task stopped

2011-12-26 20:17:54 Task started

2011-12-26 20:27:08 Detected: not-a-virus:NetTool.Win32.UltraSurf.gu C:\Documents and Settings\Xi\My Documents\Downloads\u96.zip/u96.exe Information

2011-12-26 20:27:08 Detected: not-a-virus:NetTool.Win32.UltraSurf.gu C:\Documents and Settings\Xi\My Documents\Downloads\u98.zip/u98.exe Information

2011-12-26 20:27:08 Detected: not-a-virus:NetTool.Win32.UltraSurf.gu C:\Documents and Settings\Xi\My Documents\Downloads\u96(2).zip.part/u96.exe Information

2011-12-26 21:25:02 Detected: not-a-virus:NetTool.Win32.UltraSurf.gu C:\Documents and Settings\Xi\My Documents\Downloads\u96.zip/u96.exe Information

2011-12-26 21:25:02 Detected: not-a-virus:NetTool.Win32.UltraSurf.gu C:\Documents and Settings\Xi\My Documents\Downloads\u98.zip/u98.exe Information

2011-12-26 21:25:02 Detected: not-a-virus:NetTool.Win32.UltraSurf.gu C:\Documents and Settings\Xi\My Documents\Downloads\u96(2).zip.part/u96.exe Information

2011-12-26 18:45:17 Detected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\WINDOWS\system32\Ati2evxx.exe.vir

2011-12-26 18:45:18 Backed up C:\Qoobox\Quarantine\C\WINDOWS\system32\Ati2evxx.exe.vir

2011-12-26 18:45:18 Cleared of viruses: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\WINDOWS\system32\Ati2evxx.exe.vir

2011-12-26 18:45:18 Disinfected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\WINDOWS\system32\Ati2evxx.exe.vir

2011-12-26 18:45:21 Detected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\WINDOWS\system32\WLTRYSVC.EXE.vir

2011-12-26 18:45:22 Backed up C:\Qoobox\Quarantine\C\WINDOWS\system32\WLTRYSVC.EXE.vir

2011-12-26 18:45:22 Cleared of viruses: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\WINDOWS\system32\WLTRYSVC.EXE.vir

2011-12-26 18:45:22 Disinfected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\WINDOWS\system32\WLTRYSVC.EXE.vir

2011-12-26 18:44:24 Detected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe.vir

2011-12-26 18:44:50 Backed up C:\Qoobox\Quarantine\C\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe.vir

2011-12-26 18:44:50 Cleared of viruses: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe.vir

2011-12-26 18:44:50 Disinfected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe.vir

2011-12-26 18:44:51 Detected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe.vir

2011-12-26 18:44:52 Backed up C:\Qoobox\Quarantine\C\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe.vir

2011-12-26 18:44:52 Cleared of viruses: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe.vir

2011-12-26 18:44:52 Disinfected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe.vir

2011-12-26 18:43:44 Backed up C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE.vir

2011-12-26 18:43:45 Cleared of viruses: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE.vir

2011-12-26 18:43:45 Disinfected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE.vir

2011-12-26 18:43:45 Detected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Dell\QuickSet\NICCONFIGSVC.exe.vir

2011-12-26 18:43:55 Backed up C:\Qoobox\Quarantine\C\Program Files\Dell\QuickSet\NICCONFIGSVC.exe.vir

2011-12-26 18:43:55 Cleared of viruses: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Dell\QuickSet\NICCONFIGSVC.exe.vir

2011-12-26 18:43:55 Disinfected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Dell\QuickSet\NICCONFIGSVC.exe.vir

2011-12-26 18:43:56 Detected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe.vir

2011-12-26 18:44:01 Backed up C:\Qoobox\Quarantine\C\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe.vir

2011-12-26 18:44:03 Cleared of viruses: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe.vir

2011-12-26 18:44:07 Disinfected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe.vir

2011-12-26 18:44:07 Archive: Embedded C:\Documents and Settings\Xi\Application Data\Thunderbird\Profiles\7qi442ff.default\ImapMail\imap.googlemail.com\INBOX/[From BEE-LAN WANG <beelanw@gmail.com>][Date 24 Sep 2010 14:02:49][subj Here we go again]/Sept 20.pdf

2011-12-26 18:44:08 Detected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\iPod\bin\iPodService.exe.vir

2011-12-26 18:44:20 Backed up C:\Qoobox\Quarantine\C\Program Files\iPod\bin\iPodService.exe.vir

2011-12-26 18:44:20 Cleared of viruses: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\iPod\bin\iPodService.exe.vir

2011-12-26 18:44:20 Disinfected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\iPod\bin\iPodService.exe.vir

2011-12-26 18:44:21 Detected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Java\jre6\bin\jqs.exe.vir

2011-12-26 18:44:22 Backed up C:\Qoobox\Quarantine\C\Program Files\Java\jre6\bin\jqs.exe.vir

2011-12-26 18:44:22 Cleared of viruses: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Java\jre6\bin\jqs.exe.vir

2011-12-26 18:44:22 Disinfected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Java\jre6\bin\jqs.exe.vir

2011-12-26 18:43:20 Backed up C:\Qoobox\Quarantine\C\Program Files\Cisco Systems\VPN Client\cvpnd.exe.vir

2011-12-26 18:43:20 Cleared of viruses: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Cisco Systems\VPN Client\cvpnd.exe.vir

2011-12-26 18:43:20 Disinfected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Cisco Systems\VPN Client\cvpnd.exe.vir

2011-12-26 18:43:21 Detected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe.vir

2011-12-26 18:43:27 Backed up C:\Qoobox\Quarantine\C\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe.vir

2011-12-26 18:43:27 Cleared of viruses: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe.vir

2011-12-26 18:43:27 Disinfected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe.vir

2011-12-26 18:43:28 Detected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE.vir

2011-12-26 18:42:59 Backed up C:\Qoobox\Quarantine\C\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe.vir

2011-12-26 18:43:01 Cleared of viruses: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe.vir

2011-12-26 18:43:05 Disinfected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe.vir

2011-12-26 18:43:07 Detected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Cisco Systems\VPN Client\cvpnd.exe.vir

2011-12-26 18:42:38 Backed up C:\Qoobox\Quarantine\C\Documents and Settings\Xi\Local Settings\Application Data\970a0b06\U\000000cf.@.vir

2011-12-26 18:42:38 Deleted: Trojan-Downloader.Win32.Agent.gyal C:\Qoobox\Quarantine\C\Documents and Settings\Xi\Local Settings\Application Data\970a0b06\U\000000cf.@.vir

2011-12-26 18:42:38 Detected: Rootkit.Win32.PMax.x C:\Qoobox\Quarantine\C\Documents and Settings\Xi\Local Settings\Application Data\970a0b06\U\800000c0.@.vir

2011-12-26 18:42:40 Backed up C:\Qoobox\Quarantine\C\Documents and Settings\Xi\Local Settings\Application Data\970a0b06\U\800000c0.@.vir

2011-12-26 18:42:40 Deleted: Rootkit.Win32.PMax.x C:\Qoobox\Quarantine\C\Documents and Settings\Xi\Local Settings\Application Data\970a0b06\U\800000c0.@.vir

2011-12-26 18:42:41 Detected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe.vir

2011-12-26 18:41:15 Untreated: Trojan-Spy.HTML.Citifraud.ak C:\Documents and Settings\Xi\Application Data\Thunderbird\Profiles\7qi442ff.default\ImapMail\imap.googlemail.com\INBOX/[From Smith Barney <identdep_op308848336767156@smithbarney.com>][Date 09 Oct 2004 14:37:41][subj Smith Barney - official information [sat, 09 Oct 2004 17:35:41]/html Write not supported

2011-12-26 18:40:35 Detected: not-a-virus:NetTool.Win32.UltraSurf.gu C:\Documents and Settings\Xi\Application Data\Thunderbird\Profiles\7qi442ff.default\ImapMail\imap.googlemail.com\[Gmail].sbd\All Mail/[From Stephen Wang <sswang@gmail.com>][Date 27 Dec 2009 13:15:40][subj Re: web proxy]/u98/u98.exe Information

2011-12-26 18:39:48 Backed up C:\Qoobox\Quarantine\C\Documents and Settings\Xi\Application Data\pdinstall.exe.vir

2011-12-26 18:39:48 Deleted: Packed.Win32.Krap.hc C:\Qoobox\Quarantine\C\Documents and Settings\Xi\Application Data\pdinstall.exe.vir

2011-12-26 18:39:48 Detected: Trojan-Spy.HTML.Citifraud.ak C:\Documents and Settings\Xi\Application Data\Thunderbird\Profiles\7qi442ff.default\ImapMail\imap.googlemail.com\INBOX/[From Smith Barney <identdep_op308848336767156@smithbarney.com>][Date 09 Oct 2004 14:37:41][subj Smith Barney - official information [sat, 09 Oct 2004 17:35:41]/html

2011-12-26 18:39:48 Detected: Trojan-Downloader.Win32.Agent.gyal C:\Qoobox\Quarantine\C\Documents and Settings\Xi\Local Settings\Application Data\970a0b06\U\000000cf.@.vir

2011-12-26 15:51:37 Detected: Packed.Win32.Krap.hc C:\Qoobox\Quarantine\C\Documents and Settings\Xi\Application Data\pdinstall.exe.vir

2011-12-26 18:38:28 Untreated: Trojan-Spy.HTML.Citifraud.ak C:\Documents and Settings\Xi\Application Data\Thunderbird\Profiles\7qi442ff.default\ImapMail\imap.googlemail.com\[Gmail].sbd\All Mail/[From Smith Barney <identdep_op308848336767156@smithbarney.com>][Date 09 Oct 2004 14:37:41][subj Smith Barney - official information [sat, 09 Oct 2004 17:35:41]/html Write not supported

2011-12-26 14:20:31 Detected: not-a-virus:NetTool.Win32.UltraSurf.gu C:\Documents and Settings\Xi\My Documents\Downloads\u96.zip/u96.exe Information

2011-12-26 14:20:31 Detected: not-a-virus:NetTool.Win32.UltraSurf.gu C:\Documents and Settings\Xi\My Documents\Downloads\u98.zip/u98.exe Information

2011-12-26 14:20:36 Detected: not-a-virus:NetTool.Win32.UltraSurf.gu C:\Documents and Settings\Xi\My Documents\Downloads\u96(2).zip.part/u96.exe Information

2011-12-26 14:06:57 Deleted: Trojan-Spy.HTML.Citifraud.ak C:\Documents and Settings\Xi\Application Data\Thunderbird\Profiles\7qi442ff.default\ImapMail\imap.googlemail.com\[Gmail].sbd\Trash

2011-12-26 14:06:52 Backed up C:\Documents and Settings\Xi\Application Data\Thunderbird\Profiles\7qi442ff.default\ImapMail\imap.googlemail.com\[Gmail].sbd\Trash

2011-12-26 14:06:52 Detected: Trojan-Spy.HTML.Citifraud.ak C:\Documents and Settings\Xi\Application Data\Thunderbird\Profiles\7qi442ff.default\ImapMail\imap.googlemail.com\[Gmail].sbd\All Mail/[From Smith Barney <identdep_op308848336767156@smithbarney.com>][Date 09 Oct 2004 14:37:41][subj Smith Barney - official information [sat, 09 Oct 2004 17:35:41]/html

2011-12-26 12:58:57 Detected: Trojan-Spy.HTML.Citifraud.ak C:\Documents and Settings\Xi\Application Data\Thunderbird\Profiles\7qi442ff.default\ImapMail\imap.googlemail.com\[Gmail].sbd\Trash/[From Smith Barney <identdep_op308848336767156@smithbarney.com>][Date 09 Oct 2004 14:37:41][subj Smith Barney - official information [sat, 09 Oct 2004 17:35:41]/html

2011-12-26 14:06:29 Backed up C:\Documents and Settings\Xi\Application Data\Thunderbird\Profiles\7qi442ff.default\ImapMail\imap.googlemail.com\[Gmail].sbd\All Mail

2011-12-26 12:47:48 Detected: Trojan-Spy.HTML.Fraud.gen C:\Documents and Settings\Xi\Application Data\Thunderbird\Profiles\7qi442ff.default\ImapMail\imap.googlemail.com\[Gmail].sbd\All Mail/[From "service@paypal.com" <service@paypal.com>][Date 26 Mar 2005 07:28:01][subj Unauthorized Account Access: (Routing code: W7S-LQ3-L-X3)]/html

2011-12-26 12:47:14 Detected: Trojan-Spy.HTML.Fraud.gen C:\Documents and Settings\Xi\Application Data\Thunderbird\Profiles\7qi442ff.default\ImapMail\imap.googlemail.com\INBOX/[From "service@paypal.com" <service@paypal.com>][Date 26 Mar 2005 07:28:01][subj Unauthorized Account Access: (Routing code: W7S-LQ3-L-X3)]/html

2011-12-26 12:44:46 Backed up C:\Documents and Settings\Xi\Application Data\Sun\Java\Deployment\cache\6.0\59\945efbb-27eec478

2011-12-26 12:44:46 Deleted: Trojan.Win32.Jorik.MokesLoader.fi C:\Documents and Settings\Xi\Application Data\Sun\Java\Deployment\cache\6.0\59\945efbb-27eec478

2011-12-26 12:41:59 Detected: Trojan.Win32.Jorik.MokesLoader.fi C:\Documents and Settings\Xi\Application Data\Sun\Java\Deployment\cache\6.0\59\945efbb-27eec478/PE-Crypt.XorPE

2011-12-26 12:41:18 Detected: Exploit.Java.Gimsh.b C:\Documents and Settings\Xi\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-7165e2cd/vmain.class

2011-12-26 12:41:19 Backed up C:\Documents and Settings\Xi\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-7165e2cd

2011-12-26 12:41:19 Deleted: Exploit.Java.Gimsh.b C:\Documents and Settings\Xi\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-7165e2cd/vmain.class

2011-12-26 12:28:15 Backed up C:\Documents and Settings\Xi\.housecall6.6\Quarantine\orz.exe.bac_a02236

2011-12-26 12:28:16 Deleted: Trojan-Downloader.Win32.Small.ybw C:\Documents and Settings\Xi\.housecall6.6\Quarantine\orz.exe.bac_a02236

2011-12-26 12:02:09 Corrupted C:\Documents and Settings\Xi\Application Data\Apple Computer\mario.exe/PE_Patch

2011-12-26 12:01:04 Detected: Trojan-Downloader.Win32.Small.ybw C:\Documents and Settings\Xi\.housecall6.6\Quarantine\orz.exe.bac_a02236/CryptFF.b

2011-12-26 11:47:07 Not processed C:\hiberfil.sys Object is locked

2011-12-26 11:47:08 Not processed C:\pagefile.sys Object is locked

2011-12-26 20:06:18 Disinfected: Trojan.Win32.Patched.mf C:\WINDOWS\system32\BCMWLTRY.EXE

2011-12-26 20:06:18 Cleared of viruses: Trojan.Win32.Patched.mf C:\WINDOWS\system32\BCMWLTRY.EXE

2011-12-26 20:06:01 Backed up C:\WINDOWS\system32\BCMWLTRY.EXE

2011-12-26 20:06:01 Detected: Trojan.Win32.Patched.mf C:\WINDOWS\system32\BCMWLTRY.EXE

2011-12-26 20:05:11 Detected: Trojan.Win32.Patched.mf C:\WINDOWS\system32\BCMWLTRY.EXE

2011-12-26 20:03:55 Will be disinfected on system restart: Trojan.Win32.Patched.mf C:\WINDOWS\system32\BCMWLTRY.EXE

2011-12-26 20:03:54 Cleared of viruses: Trojan.Win32.Patched.mf C:\WINDOWS\system32\BCMWLTRY.EXE

2011-12-26 20:03:54 Detected: Trojan.Win32.Patched.mf C:\WINDOWS\system32\BCMWLTRY.EXE

2011-12-26 20:03:48 Backed up C:\WINDOWS\system32\BCMWLTRY.EXE

2011-12-26 20:03:14 Detected: Trojan.Win32.Patched.mf C:\WINDOWS\system32\BCMWLTRY.EXE

2011-12-26 20:03:09 Task started


I'm afraid I have very bad news.

Win32.Patched.mf (and related variants) is a dangerous file infector which infects .exe files, and sometimes opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. As you have discovered, this leaves many of your otherwise legitimate programs dysfunctional and error-laden, leaving them crippled.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.

With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Win32.Patched.mf remains on a computer, the more files it infects and corrupts so the degree of damage can vary.

itself. The infection is often contracted from Network and Removable Drives.

In my opinion, Win32.Patched.mf is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:

• Reimaging the system

• Restoring the entire system using a full system backup from before the backdoor infection

• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say in Help: I Got Hacked. Now What Do I Do?

The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

--------

NOTE: I would exercise great caution in attempting to save any of your personal data. Do NOT try to save any executable (.exe) or web page (.HTML) files. You may be able to save any music, photos, and document files; make sure you scan them with an antivirus program first, though.

--------

Regards,

-DFB

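The Kaspersky log posted above mixes four kinds of hits that deserve different weight: files ComboFix had already moved into C:\Qoobox\Quarantine (the .vir copies), phishing HTML inside Thunderbird mailbox files, Java deployment-cache artefacts, and detections on live executables such as C:\WINDOWS\system32\BCMWLTRY.EXE, which is the file-infector case DFB's reply is about. The following is an added example, not code from the thread or from any vendor: it parses lines in this log's format and separates those groups. The sample lines are copied from the log above; the folder-to-category rules in `locate` are my own heuristics.

```python
"""Triage a Kaspersky-style scan log: separate live hits from quarantined,
mail-archive and cache hits, and list the executables a file infector touched.

Added example, not part of the original thread. The sample lines are copied
from the log posted above; the category rules are my own heuristics.
"""
import re
from collections import Counter, defaultdict

# Sample input: lines copied from the log above (paths unchanged).
SAMPLE_LOG = r"""
2011-12-26 18:44:08 Detected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\iPod\bin\iPodService.exe.vir
2011-12-26 18:44:20 Backed up C:\Qoobox\Quarantine\C\Program Files\iPod\bin\iPodService.exe.vir
2011-12-26 18:44:20 Disinfected: Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\iPod\bin\iPodService.exe.vir
2011-12-26 18:42:40 Deleted: Rootkit.Win32.PMax.x C:\Qoobox\Quarantine\C\Documents and Settings\Xi\Local Settings\Application Data\970a0b06\U\800000c0.@.vir
2011-12-26 18:41:15 Untreated: Trojan-Spy.HTML.Citifraud.ak C:\Documents and Settings\Xi\Application Data\Thunderbird\Profiles\7qi442ff.default\ImapMail\imap.googlemail.com\INBOX/[From Smith Barney <identdep_op308848336767156@smithbarney.com>][Date 09 Oct 2004 14:37:41][subj Smith Barney - official information [sat, 09 Oct 2004 17:35:41]/html Write not supported
2011-12-26 14:20:31 Detected: not-a-virus:NetTool.Win32.UltraSurf.gu C:\Documents and Settings\Xi\My Documents\Downloads\u98.zip/u98.exe Information
2011-12-26 12:41:19 Deleted: Exploit.Java.Gimsh.b C:\Documents and Settings\Xi\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-7165e2cd/vmain.class
2011-12-26 11:47:07 Not processed C:\hiberfil.sys Object is locked
2011-12-26 20:06:01 Detected: Trojan.Win32.Patched.mf C:\WINDOWS\system32\BCMWLTRY.EXE
2011-12-26 20:06:18 Disinfected: Trojan.Win32.Patched.mf C:\WINDOWS\system32\BCMWLTRY.EXE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<action>Detected|Untreated|Disinfected|Deleted|Cleared of viruses|"
    r"Will be disinfected on system restart|Backed up|Not processed|Corrupted):? "
    r"(?P<rest>.*)$"
)
# Actions that carry a threat name before the path.
WITH_THREAT = {"Detected", "Untreated", "Disinfected", "Deleted",
               "Cleared of viruses", "Will be disinfected on system restart"}
# Status words the scanner appends after the path.
TRAILERS = (" Write not supported", " Information", " Object is locked")


def parse_line(line):
    """Return {ts, action, threat, path} for one log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    action, rest = m.group("action"), m.group("rest")
    for t in TRAILERS:
        if rest.endswith(t):
            rest = rest[: -len(t)]
    threat = None
    if action in WITH_THREAT:
        threat, _, rest = rest.partition(" ")
    return {"ts": m.group("ts"), "action": action, "threat": threat, "path": rest}


def locate(path):
    """Where the object lives decides how much the hit matters (my heuristics)."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"        # already moved out of place by ComboFix
    if "\\thunderbird\\profiles\\" in p:
        return "mail-archive"      # HTML inside a mailbox file, not code on disk
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java-cache"        # exploit artefacts left behind by the Java plugin
    return "live"


def triage(log_text):
    """Count hits per location and collect the paths a file infector touched."""
    by_location = Counter()
    infected = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["threat"] is None:
            continue
        loc = locate(rec["path"])
        by_location[loc] += 1
        if rec["threat"].startswith("Trojan.Win32.Patched"):
            infected[loc].add(rec["path"])
    return {"counts": dict(by_location),
            "patched": {k: sorted(v) for k, v in infected.items()}}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["counts"])
    for loc, paths in result["patched"].items():
        print(loc, *paths, sep="\n  ")
```

Run over the full log the "live" Patched entries are the ones that matter for the rebuild decision; quarantine entries are copies ComboFix had already neutralised, and the mail-archive hits are phishing pages that were never executable.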

Ok, not the news I wanted, but thank you very much for all your time and help. I would like to restore the internet connection before reformatting and reinstalling, as my operating system discs and other software are currently in a different country. Are there steps that I could take to achieve that?


Yep, one of your Internet Connection services (ipsec.sys, to be exact) has been corrupted by the virus. The following will find us a replacement copy with which we can restore the original version, which should resolve your connection issues:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    ipsec.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop, entitled SystemLook.txt

It's 11:30 PM here so I think I'll call it a night. I'll check back in the morning to see the results of the scan and then advise you on the next step. ;)

Cheers,

-DFB


Yes, that is entirely possible. However, your computer appears to be made by Dell; many Dell computers come with a built-in Recovery Partition, so I would suggest you use the options there for completing this procedure.

See this link by Dell for more information: http://support.dell.com/support/topics/global.aspx/support/kcs/document?c=us&l=en&s=gen&docid=DSN_181316&isLegacy=true


Here is the log from the systemlook program. Thanks again.

SystemLook 30.07.11 by jpshortstuff

Log created at 13:32 on 27/12/2011 by Xi

Administrator - Elevation successful

========== filefind ==========

Searching for "ipsec.sys"

C:\i386\ipsec.sys --a---- 74752 bytes [14:28 13/10/2006] [10:00 04/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys -----c- 74752 bytes [10:09 05/08/2008] [10:00 04/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\ServicePackFiles\i386\ipsec.sys ------- 75264 bytes [08:08 05/08/2008] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91

-= EOF =-


Good. Now, please do the following:

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

FCopy::

C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys | C:\WINDOWS\system32\Drivers\ipsec.sys

Reboot::

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now.

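The SystemLook output above lists three copies of ipsec.sys with two distinct MD5s: the two 74752-byte copies with a 2004 build date (C:\i386 and the $NtServicePackUninstall$ folder) and a 75264-byte copy with a 2008 build date under ServicePackFiles\i386. The CFScript copies the $NtServicePackUninstall$ version, and the ComboFix log below confirms that a 74752-byte, 2004-08-04 file was written to system32\drivers and dllcache. As an added example, not code from the thread or from SystemLook, here is a parser for the filefind format that groups the copies by hash and picks the newest build among the non-live folders. On an SP3 machine that rule selects the ServicePackFiles copy, on my reading that ServicePackFiles\i386 holds the files laid down by the installed service pack while $NtServicePackUninstall$ holds the pre-service-pack versions kept for rollback (stated as an assumption in the comments). Whichever copy is chosen, its hash should be compared against a known-good reference before a live driver is overwritten; the functions `parse_filefind`, `by_hash`, `origin`, `pick_replacement` and `report` are mine.

```python
"""Parse SystemLook ':filefind' output, group the copies of a system file by
MD5, and choose the copy to restore from.

Added example, not part of the original thread. The sample text is the
SystemLook log posted above; the meaning assigned to each backup folder and
the 'newest build wins' rule are my assumptions. Cross-check the chosen hash
against a known-good reference before copying over a live driver.
"""
import re
from datetime import datetime

# Sample input: the filefind section of the SystemLook log above.
SAMPLE = r"""
Searching for "ipsec.sys"
C:\i386\ipsec.sys --a---- 74752 bytes [14:28 13/10/2006] [10:00 04/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys -----c- 74752 bytes [10:09 05/08/2008] [10:00 04/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\ServicePackFiles\i386\ipsec.sys ------- 75264 bytes [08:08 05/08/2008] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
-= EOF =-
"""

# path attrs size bytes [created] [modified] MD5  (the second timestamp is the
# one ComboFix later prints as the file date, so it is treated as the build date)
ROW = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def _ts(s):
    return datetime.strptime(s, "%H:%M %d/%m/%Y")   # SystemLook: "HH:MM DD/MM/YYYY"


def parse_filefind(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["created"], d["modified"] = _ts(d["created"]), _ts(d["modified"])
            d["md5"] = d["md5"].upper()
            rows.append(d)
    return rows


def by_hash(rows):
    """MD5 -> list of paths carrying that exact content."""
    groups = {}
    for r in rows:
        groups.setdefault(r["md5"], []).append(r["path"])
    return groups


def origin(path):
    """Which Windows folder a copy came from (assumed meanings in comments)."""
    p = path.lower()
    if "\\servicepackfiles\\" in p:
        return "service-pack"       # assumed: files installed by the current service pack
    if "\\$ntservicepackuninstall$\\" in p:
        return "pre-sp-backup"      # assumed: pre-service-pack copies kept for rollback
    if "\\dllcache\\" in p:
        return "dllcache"           # Windows File Protection cache
    if "\\i386\\" in p:
        return "install-source"     # original setup files
    return "live"                   # the copy under system32\drivers that actually loads


def pick_replacement(rows):
    """Newest build among the non-live copies; ties go to the higher-ranked folder."""
    rank = {"service-pack": 3, "dllcache": 2, "install-source": 1, "pre-sp-backup": 0}
    backups = [r for r in rows if origin(r["path"]) != "live"]
    if not backups:
        return None
    return max(backups, key=lambda r: (r["modified"], rank[origin(r["path"])]))


def report(rows):
    live = [r for r in rows if origin(r["path"]) == "live"]
    pick = pick_replacement(rows)
    return {
        "live_present": bool(live),
        "live_matches_backup": bool(live) and any(
            live[0]["md5"] == r["md5"] for r in rows if r is not live[0]),
        "distinct_hashes": len(by_hash(rows)),
        "pick": pick["path"] if pick else None,
        "pick_md5": pick["md5"] if pick else None,
    }


if __name__ == "__main__":
    for k, v in report(parse_filefind(SAMPLE)).items():
        print(f"{k}: {v}")
```

Note that no live copy under system32\drivers appears in the search at all, which is consistent with the missing IpSec service the Farbar scan later reports; when a live copy is present, `live_matches_backup` being false is the signal that the on-disk driver differs from every backup and should not be trusted.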

Thanks. Here is the Combofix log. No internet yet, but I have not tried to reconfigure things to see if that can fix the problem.

ComboFix 11-12-23.01 - Xi 2011-12-28 8:50.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.86.1033.18.1022.566 [GMT 8:00]

Running from: c:\documents and settings\Xi\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Xi\Desktop\CFSCript.txt

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

--------------- FCopy ---------------

.

c:\windows\$NtServicePackUninstall$\ipsec.sys --> c:\windows\system32\Drivers\ipsec.sys

.

((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))

.

.

2011-12-28 00:50 . 2004-08-04 10:00 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys

2011-12-28 00:50 . 2004-08-04 10:00 74752 ----a-w- c:\windows\system32\dllcache\ipsec.sys

2011-12-26 12:15 . 2011-12-26 15:42 -------- d-----w- c:\windows\LastGood.Tmp

2011-12-24 05:34 . 2011-12-24 05:34 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2011-12-21 08:46 . 2011-12-25 21:56 -------- d-sh--w- c:\documents and settings\Xi\Local Settings\Application Data\970a0b06

2011-12-20 19:29 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{D79E01B1-8016-41E4-BC1F-5A0AEBD7E7B3}\mpengine.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-26 12:03 . 2006-09-22 04:56 1200128 ----a-w- c:\windows\system32\BCMWLTRY.EXE

2011-11-23 13:25 . 2004-08-10 17:51 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-21 10:47 . 2009-07-28 09:28 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2011-11-04 19:20 . 2004-08-10 17:51 916992 ----a-w- c:\windows\system32\wininet.dll

2011-11-04 19:20 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-11-04 19:20 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-11-04 11:23 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec

2011-11-01 16:07 . 2004-08-10 17:51 1288704 ----a-w- c:\windows\system32\ole32.dll

2011-10-28 05:31 . 2004-08-10 17:50 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-10-25 13:37 . 2004-08-10 17:51 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-10-25 12:52 . 2004-08-04 03:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-10-24 06:29 . 2011-10-24 06:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-10-24 06:29 . 2011-10-24 06:29 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-10-18 11:13 . 2004-08-10 17:51 186880 ----a-w- c:\windows\system32\encdec.dll

2011-10-10 14:22 . 2004-08-10 18:02 692736 ----a-w- c:\windows\system32\inetcomm.dll

2010-12-13 14:20 . 2007-08-14 22:22 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-12-25_22.03.25 )))))))))))))))))))))))))))))))))))))))))

.

+ 1601-01-01 00:00 . 1601-01-01 00:00 0 c:\windows\LastGood.Tmp\system32\DRIVERS\93201950.sys

+ 1601-01-01 00:00 . 1601-01-01 00:00 0 c:\windows\LastGood.Tmp\system32\DRIVERS\4780931drv.sys

+ 2011-12-28 01:08 . 2011-12-28 01:08 16384 c:\windows\temp\Perflib_Perfdata_4a0.dat

+ 2011-12-28 01:08 . 2011-12-28 01:08 16384 c:\windows\temp\Perflib_Perfdata_14c.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 68856]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-12-13 30192]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-09-10 177448]

"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2007-06-29 520192]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-12 127036]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-26 59240]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-20 519584]

.

c:\documents and settings\Xi\Start Menu\Programs\Startup\

_uninst_97039442.lnk - c:\documents and settings\Xi\Local Settings\temp\_uninst_97039442.bat [N/A]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-22 24576]

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PPTV.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PPTV.lnk

backup=c:\windows\pss\PPTV.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"HssTrayService"=3 (0x3)

"HotspotShieldService"=2 (0x2)

"ccosm"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\dmremote.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\FlashGet\\flashget.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=

"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=

"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=

"c:\\Documents and Settings\\Xi\\My Documents\\Downloads\\sdasetup_revwire207.exe"=

"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=

"c:\\Documents and Settings\\Xi\\Desktop\\TDSSKiller.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"135:TCP"= 135:TCP:TCP port 135

"50000:UDP"= 50000:UDP:sina_live

"50001:UDP"= 50001:UDP:sina_live

"6001:TCP"= 6001:TCP:sina_live

"6002:TCP"= 6002:TCP:sina_live

.

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-7-26 16:49 28544]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-9-10 15:03 156968]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 13:16 130384]

S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-9-22 13:38 30192]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 21:37 4640000]

S3 UMSSSTOR;C-Media Storage;c:\windows\system32\drivers\Umss.SYS [2004-7-14 0:40 48512]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 13:16 753504]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

sina_live_deamon REG_MULTI_SZ sina_live_deamon

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 09:57]

.

2011-12-27 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 11:20]

.

2011-04-15 c:\windows\Tasks\switchShakeIcon.job

- c:\program files\NCH Swift Sound\Switch\switch.exe [2011-04-12 10:11]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.uusee.net/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm

IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

Trusted Zone: musicmatch.com\online

TCP: DhcpNameServer = 192.168.0.1

Handler: qyl - {C79BF22F-25C4-4D3D-8183-14149EAB9C0C} -

DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll

FF - ProfilePath - c:\documents and settings\Xi\Application Data\Mozilla\Firefox\Profiles\ws0i8kfl.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: CCTV player plugin for Firefox: cctvplayer-plugin@www.cctv.com - %profile%\extensions\cctvplayer-plugin@www.cctv.com

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-28 09:09

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-3689998133-615260391-1029485202-1007\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Excel\Settings\Sb*_\File Name MRU]

"Value"=multi:"\00\00"

"Maximum Entries"=dword:0000000a

.

[HKEY_USERS\S-1-5-21-3689998133-615260391-1029485202-1007\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Excel\Settings\Sb*_\View]

"Data"=hex:03,00,00,00,14,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,

00,00,03,00,00,00,28,00,00,00,14,00,00,00,14,00,00,00,14,00,00,00,0b,00,00,\

.

[HKEY_USERS\S-1-5-21-3689998133-615260391-1029485202-1007\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft PowerPoint\Settings\Sb*_\File Name MRU]

"Value"=multi:"\00\00"

"Maximum Entries"=dword:0000000a

.

[HKEY_USERS\S-1-5-21-3689998133-615260391-1029485202-1007\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft PowerPoint\Settings\Sb*_\View]

"Data"=hex:03,00,00,00,14,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,

00,00,00,00,00,00,28,00,00,00,14,00,00,00,14,00,00,00,14,00,00,00,0b,00,00,\

.

[HKEY_USERS\S-1-5-21-3689998133-615260391-1029485202-1007\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Sb*_\File Name MRU]

"Value"=multi:"yuhui question\00\00"

"Maximum Entries"=dword:0000000a

.

[HKEY_USERS\S-1-5-21-3689998133-615260391-1029485202-1007\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Sb*_\View]

"Data"=hex:03,00,00,00,14,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,

00,00,03,00,00,00,28,00,00,00,14,00,00,00,14,00,00,00,14,00,00,00,0b,00,00,\

.

[HKEY_USERS\S-1-5-21-3689998133-615260391-1029485202-1007\Software\Microsoft\Office\9.0\Common\Open Find\Office\Settings\Sb*_ *O*f*f*i*c*e* *‡ech\File Name MRU]

"Value"=multi:"\00\00"

"Maximum Entries"=dword:0000000a

.

[HKEY_USERS\S-1-5-21-3689998133-615260391-1029485202-1007\Software\Microsoft\Office\9.0\Common\Open Find\Office\Settings\Sb*_ *O*f*f*i*c*e* *‡ech\View]

"Data"=hex:03,00,00,00,14,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,

00,00,03,00,00,00,28,00,00,00,14,00,00,00,14,00,00,00,14,00,00,00,0b,00,00,\

.

[HKEY_USERS\S-1-5-21-3689998133-615260391-1029485202-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4F55F7CF-07D1-74FC-7265-F5A496D1F84C}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1084)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\BCMLogon.dll

.

- - - - - - - > 'explorer.exe'(3400)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\System32\WLTRYSVC.EXE

c:\windows\system32\Ati2evxx.exe

c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe

c:\program files\Dell\QuickSet\NICCONFIGSVC.exe

c:\windows\stsystra.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2011-12-28 09:14:14 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-28 01:13

.

Pre-Run: 9,963,315,200 bytes free

Post-Run: 10,054,049,792 bytes free

.

- - End Of File - - 029B9C2834AB3375217C9E1B01CD1A17


Ok. Here is the FSS report.

Farbar Service Scanner

Ran by Xi (administrator) on 28-12-2011 at 11:21:21

Microsoft Windows XP Home Edition Service Pack 3 (X86)

****************************************************************

Internet Services:

============

Dnscache Service is not running. Checking service configuration:

The start type of Dnscache service is OK.

The ImagePath of Dnscache service is OK.

The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:

The start type of Dhcp service is OK.

The ImagePath of Dhcp service is OK.

The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:

The start type of Tcpip service is OK.

The ImagePath of Tcpip service is OK.

IpSec Service is not running. Checking service configuration:

Checking Start type: Attention! Unable to open IpSec registry key. The service key does not exist.

Checking ImagePath: Attention! Unable to open IpSec registry key. The service key does not exist.

Connection Status:

==============

Localhost is blocked.

There is no connection to network.

Attempt to access Google IP returned error: Other errors

Attempt to access Yahoo IP returned error: Other errors

Windows Firewall:

=============

sharedaccess Service is not running. Checking service configuration:

The start type of sharedaccess service is OK.

The ImagePath of sharedaccess service is OK.

The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:

==================

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall"=DWORD:0

System Restore:

============

System Restore Disabled Policy:

========================

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys

[2011-12-28 08:50] - [2004-08-04 18:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

Bridge(10) BridgeMP(9) DNE(8) Gpc(6) NetBT(5) PSched(7) Tcpip(3)

0x0B0000000400000001000000020000000300000005000000060000000700000008000000090000000A0000000B000000

**** End of log ****

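A triage pass over FSS output of the kind posted above, as an added example that is not part of this thread or of Farbar Service Scanner itself. It parses the line formats seen in the logs here (the "Service is not running" lines, the "Unable to open ... registry key" attention lines, the connection-status lines, the `"EnableFirewall"=DWORD:0` value and the file-check lines) and reduces a log to the points a helper would act on. The embedded log is a constructed excerpt in the same format, not a copy of the poster's log, and the wording and ordering of the findings are this example's own choice.

```python
"""Triage a Farbar Service Scanner (FSS) log.

Added example for this thread; it is not part of FSS or of any post here.
It reads FSS's text output and keeps only the facts that decide the next
repair step: services that are down, service keys that are missing, whether
loopback itself is blocked, the firewall policy, and files FSS could not match.
"""
import re

# Constructed excerpt in FSS's output format, modelled on the logs in the thread.
SAMPLE_FSS_LOG = r"""Farbar Service Scanner
Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.
IpSec Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open IpSec registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open IpSec registry key. The service key does not exist.
Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
File Check:
========
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys
[2011-12-28 08:50] - [2004-08-04 18:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1
**** End of log ****
"""

NOT_RUNNING = re.compile(r"^(\w+) Service is not running\.")
MISSING_KEY = re.compile(r"Unable to open (\w+) registry key\. The service key does not exist\.")
FIREWALL_POLICY = re.compile(r'^"EnableFirewall"=DWORD:(\d+)$', re.IGNORECASE)
# "<path> => MD5 is legit", or a bare "<path>" followed by a detail line
FILE_LINE = re.compile(r"^([A-Za-z]:\\\S+)(?: => (.+))?$")
# "[created] - [modified] - <size> <attrs> (<company>) <MD5>"
FILE_DETAIL = re.compile(r"^\[[^\]]+\] - \[[^\]]+\] - \d+ \S+ \(([^)]*)\) ([0-9A-Fa-f]{32})$")


def parse_fss(text):
    """Return a dict of the findings that matter for a network-stack repair."""
    report = {
        "services_not_running": [],
        "services_missing_key": [],
        "localhost_blocked": False,
        "no_network": False,
        "firewall_disabled_by_policy": False,
        "files_ok": [],
        "files_unverified": {},   # path -> (company, md5) once the detail line is seen
    }
    pending = None                # path whose detail line has not been read yet
    for raw in text.splitlines():
        line = raw.strip()
        m = NOT_RUNNING.match(line)
        if m:
            if m.group(1) not in report["services_not_running"]:
                report["services_not_running"].append(m.group(1))
            continue
        m = MISSING_KEY.search(line)
        if m:
            if m.group(1) not in report["services_missing_key"]:
                report["services_missing_key"].append(m.group(1))
            continue
        if line == "Localhost is blocked.":
            report["localhost_blocked"] = True
        elif line == "There is no connection to network.":
            report["no_network"] = True
        m = FIREWALL_POLICY.match(line)
        if m and int(m.group(1)) == 0:
            report["firewall_disabled_by_policy"] = True
            continue
        m = FILE_LINE.match(line)
        if m:
            path, verdict = m.groups()
            if verdict == "MD5 is legit":
                report["files_ok"].append(path)
            else:
                # FSS prints the file's own attributes instead when the hash
                # is not in its known-good list; that is "unverified", not "bad".
                report["files_unverified"][path] = None
                pending = path
            continue
        m = FILE_DETAIL.match(line)
        if m and pending:
            report["files_unverified"][pending] = (m.group(1), m.group(2).upper())
            pending = None
    return report


def findings(report):
    """Turn a parsed report into the points a helper acts on, most blocking first."""
    out = []
    if report["services_missing_key"]:
        out.append("Service keys missing from the registry (the service cannot be started "
                   "until the key is restored): " + ", ".join(report["services_missing_key"]))
    if report["services_not_running"]:
        out.append("Services not running: " + ", ".join(report["services_not_running"]))
    if "Tcpip" in report["services_not_running"] and report["localhost_blocked"]:
        out.append("Tcpip is down and loopback is blocked: DNS flushes and proxy resets "
                   "cannot work until the TCP/IP driver loads again")
    if report["firewall_disabled_by_policy"]:
        out.append("Windows Firewall is off (EnableFirewall=0 in StandardProfile); "
                   "re-enable it once the stack is back")
    for path, detail in report["files_unverified"].items():
        who = "no detail line" if detail is None else "%s, MD5 %s" % detail
        out.append("Hash not in FSS's known-good list, verify against a clean copy: "
                   "%s (%s)" % (path, who))
    return out


if __name__ == "__main__":
    for point in findings(parse_fss(SAMPLE_FSS_LOG)):
        print("-", point)
```

The distinction the script preserves is the one that matters when reading these logs: `=> MD5 is legit` means the hash matched FSS's own list of known-good files, while a file reported with its dates, size and hash instead (ipsec.sys in the thread) is simply unmatched and should be compared with a known-good copy from the same Windows build before anyone replaces it. A service whose registry key does not exist cannot be started with `net start`; the key has to be restored first, which is what the .reg import in the next reply is for.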

Let's try this:

First,

Backup Your Registry with ERUNT

  • Please go here, scroll down to ERUNT, and download.
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.

Click Erunt.exe to backup your Registry to the folder of your choice.

Note: To restore your Registry, go to the folder and start ERDNT.exe

----------

Next, Go to http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/

Download the correct zip file for your Windows: Windows 7 (Seven.zip), Vista.zip, or XP.zip.

Double-click to open the zip file.

Double-click each one of the six .reg files in turn and click Yes to add it to the Registry.

Reboot, and post a new Farbar Service Scanner log here for me to see.


Ok, the zip file contains 8 keys: afd, ipsec, netbt, wscsvc, legacy_afd, legacy_ipsec, legacy_netbt, and legacy_wscsvc. The non-legacy keys installed correctly. The legacy keys resulted in error messages. Here is the latest FSS log. Thanks.

Farbar Service Scanner

Ran by Xi (administrator) on 28-12-2011 at 16:00:36

Microsoft Windows XP Home Edition Service Pack 3 (X86)

****************************************************************

Internet Services:

============

Dnscache Service is not running. Checking service configuration:

The start type of Dnscache service is OK.

The ImagePath of Dnscache service is OK.

The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:

The start type of Dhcp service is OK.

The ImagePath of Dhcp service is OK.

The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:

The start type of Tcpip service is OK.

The ImagePath of Tcpip service is OK.

Connection Status:

==============

Localhost is blocked.

There is no connection to network.

Attempt to access Google IP returned error: Other errors

Attempt to access Yahoo IP returned error: Other errors

Windows Firewall:

=============

sharedaccess Service is not running. Checking service configuration:

The start type of sharedaccess service is OK.

The ImagePath of sharedaccess service is OK.

The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:

==================

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall"=DWORD:0

System Restore:

============

System Restore Disabled Policy:

========================

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys

[2011-12-28 08:50] - [2004-08-04 18:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

Bridge(10) BridgeMP(9) DNE(8) Gpc(6) IPSec(5) NetBT(6) PSched(7) Tcpip(3)

0x0B0000000400000001000000020000000300000005000000060000000700000008000000090000000A0000000B000000

**** End of log ****


Let's try the following:

Click Start > Run then type cmd and click OK

At the command prompt, copy and paste the following commands (one at a time) and then press ENTER:

netsh winsock reset catalog

netsh int ip reset c:\resetlog.txt

ipconfig /flushdns

exit

Reboot your computer. Then, please post the contents of the C:\Resetlog.txt and let me know if you can connect to the internet.

Please download MiniToolBox, save it to your desktop and run it.

Place a checkmark in the following checkboxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.

Also, please post a new FSS log for me here to see. :)


Ok. I am unable to run the ipconfig /flushdns command. It says "internal error occurred - request not supported" etc. Here are the logs.

Resetlog.txt

reset SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\15\RegLocation

old REG_MULTI_SZ =

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain

SYSTEM\CurrentControlSet\Services\TcpIp\Parameters\DhcpDomain

added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{1574B666-940E-4AA1-8E3B-3102DD39BBC1}\NetbiosOptions

added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{2810EB22-763D-4D0C-9450-64BBD1758685}\NetbiosOptions

reset SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{531D3D38-B38F-4A40-9052-52EFBA55506B}\NameServerList

old REG_MULTI_SZ =

<empty>

added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{531D3D38-B38F-4A40-9052-52EFBA55506B}\NetbiosOptions

added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{A274D5B8-64BF-4AF4-9CE1-C8745118A562}\NetbiosOptions

reset SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{B94BF970-0099-4B6A-A716-40E00CEABBB3}\NameServerList

old REG_MULTI_SZ =

<empty>

added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{B94BF970-0099-4B6A-A716-40E00CEABBB3}\NetbiosOptions

added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{E7407984-AD39-44AE-8629-28FFDACC4467}\NetbiosOptions

deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableLmhosts

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20E2945E-B3DD-4C4E-9F6F-B61DA69BD578}\AddressType

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20E2945E-B3DD-4C4E-9F6F-B61DA69BD578}\DisableDynamicUpdate

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20E2945E-B3DD-4C4E-9F6F-B61DA69BD578}\RawIpAllowedProtocols

old REG_MULTI_SZ =

0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20E2945E-B3DD-4C4E-9F6F-B61DA69BD578}\TcpAllowedPorts

old REG_MULTI_SZ =

0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20E2945E-B3DD-4C4E-9F6F-B61DA69BD578}\UdpAllowedPorts

old REG_MULTI_SZ =

0

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{32A57070-BA94-4043-9C0B-8AFE1B62B2A2}\DisableDynamicUpdate

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{32A57070-BA94-4043-9C0B-8AFE1B62B2A2}\IpAutoconfigurationAddress

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{32A57070-BA94-4043-9C0B-8AFE1B62B2A2}\IpAutoconfigurationMask

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{32A57070-BA94-4043-9C0B-8AFE1B62B2A2}\IpAutoconfigurationSeed

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{32A57070-BA94-4043-9C0B-8AFE1B62B2A2}\RawIpAllowedProtocols

old REG_MULTI_SZ =

0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{32A57070-BA94-4043-9C0B-8AFE1B62B2A2}\TcpAllowedPorts

old REG_MULTI_SZ =

0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{32A57070-BA94-4043-9C0B-8AFE1B62B2A2}\UdpAllowedPorts

old REG_MULTI_SZ =

0

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{531D3D38-B38F-4A40-9052-52EFBA55506B}\NameServer

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{75A8E330-CDDD-4BA7-BD4D-287E589C23E2}\DisableDynamicUpdate

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{75A8E330-CDDD-4BA7-BD4D-287E589C23E2}\IpAutoconfigurationAddress

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{75A8E330-CDDD-4BA7-BD4D-287E589C23E2}\IpAutoconfigurationMask

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{75A8E330-CDDD-4BA7-BD4D-287E589C23E2}\IpAutoconfigurationSeed

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{75A8E330-CDDD-4BA7-BD4D-287E589C23E2}\Mtu

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{75A8E330-CDDD-4BA7-BD4D-287E589C23E2}\RawIpAllowedProtocols

old REG_MULTI_SZ =

0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{75A8E330-CDDD-4BA7-BD4D-287E589C23E2}\TcpAllowedPorts

old REG_MULTI_SZ =

0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{75A8E330-CDDD-4BA7-BD4D-287E589C23E2}\UdpAllowedPorts

old REG_MULTI_SZ =

0

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{89E593AE-6EFD-49D3-9EE7-F427E568CDF4}\DisableDynamicUpdate

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{89E593AE-6EFD-49D3-9EE7-F427E568CDF4}\EnableDhcp

old REG_DWORD = 0

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{89E593AE-6EFD-49D3-9EE7-F427E568CDF4}\IpAutoconfigurationAddress

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{89E593AE-6EFD-49D3-9EE7-F427E568CDF4}\IpAutoconfigurationMask

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{89E593AE-6EFD-49D3-9EE7-F427E568CDF4}\IpAutoconfigurationSeed

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{89E593AE-6EFD-49D3-9EE7-F427E568CDF4}\Mtu

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{89E593AE-6EFD-49D3-9EE7-F427E568CDF4}\RawIpAllowedProtocols

old REG_MULTI_SZ =

0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{89E593AE-6EFD-49D3-9EE7-F427E568CDF4}\TcpAllowedPorts

old REG_MULTI_SZ =

0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{89E593AE-6EFD-49D3-9EE7-F427E568CDF4}\UdpAllowedPorts

old REG_MULTI_SZ =

0

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A2BACFE3-3BFD-4906-B156-2982560D883C}\AddressType

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A2BACFE3-3BFD-4906-B156-2982560D883C}\DisableDynamicUpdate

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A2BACFE3-3BFD-4906-B156-2982560D883C}\Mtu

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A2BACFE3-3BFD-4906-B156-2982560D883C}\RawIpAllowedProtocols

old REG_MULTI_SZ =

0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A2BACFE3-3BFD-4906-B156-2982560D883C}\TcpAllowedPorts

old REG_MULTI_SZ =

0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A2BACFE3-3BFD-4906-B156-2982560D883C}\UdpAllowedPorts

old REG_MULTI_SZ =

0

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B94BF970-0099-4B6A-A716-40E00CEABBB3}\NameServer

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableTaskOffload

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DontAddDefaultGatewayDefault

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution

reset Linkage\Bind for ms_netbt. bad value was:

REG_MULTI_SZ =

\Device\Tcpip_{E6D314CC-9C15-45FF-9A9C-F5245BA6EAB7}

\Device\Tcpip_{1574B666-940E-4AA1-8E3B-3102DD39BBC1}

\Device\Tcpip_{A274D5B8-64BF-4AF4-9CE1-C8745118A562}

reset Linkage\Route for ms_netbt. bad value was:

REG_MULTI_SZ =

"Tcpip" "{E6D314CC-9C15-45FF-9A9C-F5245BA6EAB7}"

"Tcpip" "NdisWanIp"

reset Linkage\Export for ms_netbt. bad value was:

REG_MULTI_SZ =

\Device\NetBT_Tcpip_{E6D314CC-9C15-45FF-9A9C-F5245BA6EAB7}

\Device\NetBT_Tcpip_{1574B666-940E-4AA1-8E3B-3102DD39BBC1}

\Device\NetBT_Tcpip_{A274D5B8-64BF-4AF4-9CE1-C8745118A562}

reset Linkage\UpperBind for PCI\VEN_14E4&DEV_4311&SUBSYS_00071028&REV_01\4&6C79FC5&0&00E0. bad value was:

REG_MULTI_SZ =

DNE

reset Linkage\UpperBind for ROOT\NET\0001. bad value was:

REG_MULTI_SZ =

DNE

reset Linkage\UpperBind for ROOT\NET\0000. bad value was:

REG_MULTI_SZ =

DNE

reset Linkage\UpperBind for PCI\VEN_14E4&DEV_170C&SUBSYS_01AF1028&REV_02\4&2FE911E8&0&00F0. bad value was:

REG_MULTI_SZ =

DNE

reset Linkage\UpperBind for ROOT\MS_NDISWANIP\0000. bad value was:

REG_MULTI_SZ =

DNE

<completed>

Result.txt

MiniToolBox by Farbar

Ran by Xi (administrator) on 29-12-2011 at 07:02:34

Microsoft Windows XP Home Edition Service Pack 3 (X86)

Boot Mode: Normal

***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

An internal error occurred: The request is not supported.

Please contact Microsoft Product Support Services for further help.

Additional information: Unable to query host name.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.

No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

1394 Net Adapter = 1394 Connection (Disconnected)

Cisco Systems VPN Adapter = Local Area Connection 2 (Disconnected)

Broadcom 440x 10/100 Integrated Controller = Local Area Connection (Media disconnected)

Dell Wireless 1390 WLAN Mini-Card = Wireless Network Connection 2 (Media disconnected)

# ----------------------------------

# Interface IP Configuration

# ----------------------------------

pushd interface ip

popd

# End of interface IP configuration

Windows IP Configuration

An internal error occurred: The request is not supported.

Please contact Microsoft Product Support Services for further help.

Additional information: Unable to query host name.

Server: UnKnown

Address: 127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Server: UnKnown

Address: 127.0.0.1

Ping request could not find host yahoo.com. Please check the name and try again.

Server: UnKnown

Address: 127.0.0.1

Ping request could not find host bleepingcomputer.com. Please check the name and try again.

Unable to contact IP driver, error code 2,

========================= Event log errors: ===============================

Application errors:

==================

Error: (12/29/2011 06:51:58 AM) (Source: JavaQuickStarterService) (User: )

Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (12/28/2011 03:38:27 PM) (Source: JavaQuickStarterService) (User: )

Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (12/28/2011 09:08:29 AM) (Source: JavaQuickStarterService) (User: )

Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (12/26/2011 08:14:27 PM) (Source: JavaQuickStarterService) (User: )

Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (12/26/2011 07:49:28 AM) (Source: JavaQuickStarterService) (User: )

Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (12/26/2011 07:42:47 AM) (Source: JavaQuickStarterService) (User: )

Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (12/26/2011 07:33:33 AM) (Source: JavaQuickStarterService) (User: )

Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (12/26/2011 07:28:15 AM) (Source: Application Error) (User: )

Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x06381e77.

Processing media-specific event for [explorer.exe!ws!]

Error: (12/26/2011 06:44:26 AM) (Source: JavaQuickStarterService) (User: )

Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (12/26/2011 06:28:47 AM) (Source: JavaQuickStarterService) (User: )

Description: Unable to create JQS API server: bind() failed (Socket error 10050)

System errors:

=============

Error: (12/29/2011 07:02:54 AM) (Source: Service Control Manager) (User: )

Description: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:

%%2

Error: (12/29/2011 07:02:54 AM) (Source: Service Control Manager) (User: )

Description: The TCP/IP Protocol Driver service failed to start due to the following error:

%%2

Error: (12/29/2011 07:02:52 AM) (Source: Service Control Manager) (User: )

Description: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:

%%2

Error: (12/29/2011 07:02:52 AM) (Source: Service Control Manager) (User: )

Description: The TCP/IP Protocol Driver service failed to start due to the following error:

%%2

Error: (12/29/2011 07:02:51 AM) (Source: Service Control Manager) (User: )

Description: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:

%%2

Error: (12/29/2011 07:02:51 AM) (Source: Service Control Manager) (User: )

Description: The TCP/IP Protocol Driver service failed to start due to the following error:

%%2

Error: (12/29/2011 07:02:50 AM) (Source: Service Control Manager) (User: )

Description: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:

%%2

Error: (12/29/2011 07:02:50 AM) (Source: Service Control Manager) (User: )

Description: The TCP/IP Protocol Driver service failed to start due to the following error:

%%2

Error: (12/29/2011 07:02:49 AM) (Source: Service Control Manager) (User: )

Description: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:

%%2

Error: (12/29/2011 07:02:49 AM) (Source: Service Control Manager) (User: )

Description: The TCP/IP Protocol Driver service failed to start due to the following error:

%%2

Microsoft Office Sessions:

=========================

Error: (12/29/2011 06:51:58 AM) (Source: JavaQuickStarterService)(User: )

Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (12/28/2011 03:38:27 PM) (Source: JavaQuickStarterService)(User: )

Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (12/28/2011 09:08:29 AM) (Source: JavaQuickStarterService)(User: )

Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (12/26/2011 08:14:27 PM) (Source: JavaQuickStarterService)(User: )

Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (12/26/2011 07:49:28 AM) (Source: JavaQuickStarterService)(User: )

Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (12/26/2011 07:42:47 AM) (Source: JavaQuickStarterService)(User: )

Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (12/26/2011 07:33:33 AM) (Source: JavaQuickStarterService)(User: )

Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (12/26/2011 07:28:15 AM) (Source: Application Error)(User: )

Description: explorer.exe6.0.2900.5512unknown0.0.0.006381e77

Error: (12/26/2011 06:44:26 AM) (Source: JavaQuickStarterService)(User: )

Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (12/26/2011 06:28:47 AM) (Source: JavaQuickStarterService)(User: )

Description: Unable to create JQS API server: bind() failed (Socket error 10050)

=========================== Installed Programs ============================

快车 (FlashGet) 1.8.2.1003 (Version: 1.8.2.1003)

爱普生打印机软件 (Epson printer software)

7-Zip 4.65

Acoustica Premium Edition 4.1 (Version: 4.1)

Adobe Flash Player 10 ActiveX (Version: 10.0.42.34)

Adobe Flash Player 10 Plugin (Version: 10.3.183.10)

Adobe Help Center 2.1 (Version: 2.1)

Adobe Photoshop Elements 5.0 (Version: 5.0)

Adobe Photoshop Elements 5.0.2 Patcher (Version: 5.0.2)

Adobe Reader X (10.1.0) (Version: 10.1.0)

Adobe Shockwave Player 11.5 (Version: 11.5.2.602)

Amazon MP3 Downloader 1.0.12 (Version: 1.0.12)

AoA DVD Ripper

AOLIcon (Version: 1.00.0000)

Apple Application Support (Version: 2.1.5)

Apple Mobile Device Support (Version: 4.0.0.96)

Apple Software Update (Version: 2.1.3.127)

ATI - Software Uninstall Utility (Version: 6.14.10.1018)

ATI Catalyst Control Center (Version: 1.2.2334.37172)

ATI Display Driver (Version: 8.261-060523a1-033841C-Dell)

Bonjour (Version: 3.0.0.10)

Broadcom Management Programs (Version: 8.65.05)

C-Media USB Mass Storage Driver

Chinese Flashcards v2.1

Chinese Simplified Fonts Support For Adobe Reader X (Version: 10.0.0)

Compatibility Pack for the 2007 Office system (Version: 12.0.6514.5001)

Conexant HDA D110 MDC V.92 Modem

Dell Digital Jukebox Driver

Dell Media Experience

Dell Support 3.2 (Version: 5.5.2038)

Dell System Restore (Version: 2.00.0000)

Dell Wireless WLAN Card (Version: 4.10.47.3)

Digital Content Portal (Version: 1.00.0000)

Digital Line Detect (Version: 1.15)

DVD Decrypter (Remove Only)

ERUNT 1.1j

Express Burn

Free DVD MP3 Ripper 1.12

Google Desktop (Version: 5.9.1005.12335)

Google Toolbar for Internet Explorer

GPL Ghostscript 8.60

GPL Ghostscript Fonts

GSview 4.9

High Definition Audio Driver Package - KB835221 (Version: 20040219.000000)

ImgBurn (Version: 2.4.1.0)

iTunes (Version: 10.5.0.142)

J2SE Runtime Environment 5.0 Update 6 (Version: 1.5.0.60)

Java Auto Updater (Version: 2.0.2.1)

Java 6 Update 2 (Version: 1.6.0.20)

Java 6 Update 20 (Version: 6.0.200)

Java 6 Update 3 (Version: 1.6.0.30)

Java 6 Update 7 (Version: 1.6.0.70)

K-Lite Mega Codec Pack 5.1.0 (Version: 5.1.0)

Learn2 Player (Uninstall Only)

LG USB Modem driver

LGMobileSync (Version: 1.0.0.0)

LiveUpdate 2.6 (Symantec Corporation) (Version: 2.6.14.0)

Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)

MCU (Version: 1.00.0000)

Microsoft .NET Framework 1.1 (Version: 1.1.4322)

Microsoft .NET Framework 1.1 Security Update (KB2572067)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)

Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)

Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)

Microsoft .NET Framework 4 Client Profile ??????? (Version: 4.0.30319)

Microsoft .NET Framework 4 Client Profile CHS Language Pack (Version: 4.0.30319)

Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office 2000 Premium (Version: 9.00.3007)

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000)

Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)

Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000)

Microsoft Office Home and Student 2010 (Version: 14.0.6029.1000)

Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000)

Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000)

Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000)

Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)

Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)

Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)

Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000)

Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000)

Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000)

Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)

Microsoft Office Single Image 2010 (Version: 14.0.6029.1000)

Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000)

Microsoft Office Word Viewer 2003 (Version: 11.0.8173.0)

Microsoft Plus! Digital Media Edition Installer (Version: 1.1.0.3514)

Microsoft Plus! Photo Story 2 LE (Version: 1.1.0.3463)

Microsoft Silverlight (Version: 4.0.60831.0)

Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ) (Version: 8.00.2039)

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)

Microsoft Works 2000 (Version: 1.0.0.0000)

Modem Helper (Version: 3.01)

Mozilla Firefox (3.6.25) (Version: 3.6.25 (en-US))

Mozilla Thunderbird (3.1.10) (Version: 3.1.10 (en-US))

MSN

MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)

MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)

MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)

MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)

Music Transfer (Version: 1.3.00.11130)

Musicmatch for Windows Media Player (Version: 0.00.000)

Musicmatch® Jukebox (Version: 10.10.0097)

NetWaiting (Version: 2.5.23)

OpenMG Limited Patch 4.7-07-14-05-01

OpenMG Secure Module 4.7.00 (Version: 4.7.00.12140)

Panda ActiveScan 2.0 (Version: 01.02.00.0009)

PowerDVD 5.7

PowerISO

Primo (Version: 1.00.0000)

qnbj (Version: 1.0.0)

QuickSet (Version: 7.1.10)

QuickTime

QuickTime (Version: 7.71.80.42)

RealPlayer

Runtime (Version: 1.00.0000)

Samsung ML-1630 Series

Seagate Manager Installer (Version: 2.02.0021)

SearchAssist

Skype™ 3.8 (Version: 3.8.42)

Sonic DLA (Version: 5.2.1)

Sonic MyDVD LE (Version: 6.1.1)

Sonic RecordNow Audio (Version: 2.0.0)

Sonic RecordNow Copy (Version: 2.0.0)

Sonic RecordNow Data (Version: 2.0.0)

Sonic Update Manager (Version: 3.0.0)

SonicStage 4.3 (Version: 4.3)

Sony Picture Utility (Version: 4.2.00.11130)

Switch Sound File Converter

Synaptics Pointing Device Driver (Version: 8.2.4.6)

TOEFL Sample Questions (Version: 4.00.0000)

TOM直播 2.0 (TOM Live 2.0)

URL Assistant

Viewpoint Media Player

VLC media player 1.0.1 (Version: 1.0.1)

VPN Client

WAV to MP3 Encoder (Version: 1.0.0)

WebFldrs XP (Version: 9.50.7523)

Winamp (remove only)

Windows Defender (Version: 1.1.1593.21)

Windows Genuine Advantage Notifications (KB905474) (Version: 1.7.0018.5)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 7 (Version: 20061107.210142)

Windows Internet Explorer 8 (Version: 20090308.140743)

Windows Media Format 11 runtime

Windows Media Player 10 (Version: 9.00.3636)

Windows Media Player 11

Windows XP Service Pack 3 (Version: 20080414.031525)

WinRAR archiver

Xvid 1.1.3 final uninstall (Version: 1.1)

========================= Memory info: ===================================

Percentage of memory in use: 36%

Total physical RAM: 1022.37 MB

Available physical RAM: 649.4 MB

Total Pagefile: 2460.27 MB

Available Pagefile: 2214.72 MB

Total Virtual: 2047.88 MB

Available Virtual: 1951.18 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:80.66 GB) (Free:9.34 GB) NTFS

2 Drive d: (Backup) (Fixed) (Total:25.69 GB) (Free:14.02 GB) NTFS

5 Drive g: (LEXAR MEDIA) (Removable) (Total:0.12 GB) (Free:0.04 GB) FAT

========================= Users: ========================================

User accounts for \\XI

Administrator Guest HelpAssistant

Jason SUPPORT_388945a0 Xi

========================= Minidump Files ==================================

C:\WINDOWS\Minidump\Mini052310-01.dmp

C:\WINDOWS\Minidump\Mini061108-01.dmp

C:\WINDOWS\Minidump\Mini090508-01.dmp

C:\WINDOWS\Minidump\Mini100707-01.dmp

**** End of log ****

FSS.txt

Farbar Service Scanner

Ran by Xi (administrator) on 29-12-2011 at 07:04:20

Microsoft Windows XP Home Edition Service Pack 3 (X86)

****************************************************************

Internet Services:

============

Dnscache Service is not running. Checking service configuration:

The start type of Dnscache service is OK.

The ImagePath of Dnscache service is OK.

The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:

The start type of Dhcp service is OK.

The ImagePath of Dhcp service is OK.

The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:

The start type of Tcpip service is OK.

The ImagePath of Tcpip service is OK.

Connection Status:

==============

Localhost is blocked.

There is no connection to network.

Attempt to access Google IP returned error: Other errors

Attempt to access Yahoo IP returend error: Other errors

Windows Firewall:

=============

sharedaccess Service is not running. Checking service configuration:

The start type of sharedaccess service is OK.

The ImagePath of sharedaccess service is OK.

The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:

==================

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall"=DWORD:0

System Restore:

============

System Restore Disabled Policy:

========================

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys

[2011-12-28 08:50] - [2004-08-04 18:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

Bridge(10) BridgeMP(9) DNE(8) Gpc(6) IPSec(5) NetBT(6) PSched(7) Tcpip(3)

0x0B0000000400000001000000020000000300000005000000060000000700000008000000090000000A0000000B000000

**** End of log ****

This topic is now closed to further replies.