
IP-BLOCK 204.160.98.253 (Type: outgoing)


mikispiki


Hello, I posted in the FP section http://forums.malwarebytes.org/index.php?showtopic=114269&st=0&p=585593entry585593 and was advised to post in the infected section. I cannot seem to find the post in the infected section; it was on Aug 15. The post was stopped and then dealt with privately, by email. I was told this was nothing to worry about.

Today I turned on an old, seldom-used laptop. Shortly after booting, I got an alert from MBAM: IP-BLOCK 204.160.98.253 (Type: outgoing). The same IP address; this time there was no mention of svchost. This laptop is set to download and install Windows updates automatically; nothing was installed today. After going to the Windows Update page and scanning manually, I found an update for Internet Explorer, which I have now installed.

I see someone else has posted regarding the same issue: http://forums.malwarebytes.org/index.php?showtopic=114615

Is there any chance of getting to the bottom of this?

I have had one mod telling me I am part of a botnet, another giving me the all clear, yet MBAM is now reporting this on a second machine, which I strongly believe is something to do with Windows updates.

Thank you very much :)


Hello mikispiki,

Windows version is ?

Antivirus version is ?

Download DDS and save it to your desktop from http://download.blee...om/sUBs/dds.scr

or http://download.blee...om/sUBs/dds.com

or http://www.infospyware.net/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

DDS will run in a command prompt window and will take 3 to 4 minutes or so.

When done, DDS will open two (2) logs:

  • DDS.txt
  • Attach.txt

Save both reports to your desktop.

Please Copy & Paste contents of the following logs in your next reply:

DDS.txt

Attach.txt

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Save and close any work documents, close any apps that you started.

Start MBAM (Malwarebytes' Anti-Malware).

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner Settings sub-tab in the second row of tabs. Make sure all option lines have a checkmark.

Next, click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy & Paste the latest MBAM scan log.

Answer my questions from above and Copy/Paste contents of

DDS.txt

Attach.txt

Checkup.txt

MBAM scan log

If you close all instant messenger programs and all your browsers, does the IP block outgoing still happen?


Dear Maurice, many thanks for the reply. My Windows is XP Home; my antivirus is Avira Free, product version 12.0.0.1199.

Regarding the IP block, it has only ever happened the once on this machine. I have scoured the logs for 2012, and that was the only one. This is the same for my newer laptop: when I posted the same alert in August, that IP block only ever happened the once. Both alerts happened shortly after booting. On the more recent alert, I was using no programs, no browser/messenger. Because the machine is old, I usually boot it and leave it for several minutes; when I returned I saw the alert. On the alert I posted in August from my new laptop, my concern was that the process was svchost. Sorry if this is confusing.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Owner at 16:01:06 on 2012-09-24

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.959.315 [GMT 1:00]

.

AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FW: COMODO Firewall Pro *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Sandboxie\SbieSvc.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\Explorer.EXE

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\VTtrayp.exe

C:\WINDOWS\system32\VTTimer.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Sandboxie\SbieCtrl.exe

C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Secunia\PSI\sua.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Sandboxie\SandboxieRpcSs.exe

C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.bbc.co.uk/

mWinlogon: SfcDisable=-99 (0xffffff9d)

BHO: RoboForm Toolbar Helper: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

TB: &RoboForm Toolbar: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"

uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"

mRun: [soundMan] SOUNDMAN.EXE

mRun: [VTTrayp] VTtrayp.exe

mRun: [VTTimer] VTTimer.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

mPolicies-system: DisableStatusMessages = 1 (0x1)

dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html

IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: Show RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\roboform.dll

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\roboform.dll

IE: {724d43aa-0d85-11d4-9908-00400523e39a} - {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146497453906

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1348392609234

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{A3B04211-3918-4B40-A357-58FC532855F8} : DhcpNameServer = 192.168.1.1

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Authentication Packages = msv1_0 relog_ap

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\rnsg165t.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_197.dll

FF - plugin: c:\windows\system32\npDeployJava1.dll

FF - plugin: c:\windows\system32\npptools.dll

.

============= SERVICES / DRIVERS ===============

.

R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-11-3 36000]

R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-11-3 86224]

R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-11-3 110032]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-11-3 83392]

R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-9-13 399432]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-12-2 676936]

R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2010-12-21 399416]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-2 22856]

R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2012-8-25 157776]

S1 MpKsl20c24472;MpKsl20c24472;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7c5762ba-efbe-4f2d-a0ce-ad4ed1ee0a9b}\mpksl20c24472.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7c5762ba-efbe-4f2d-a0ce-ad4ed1ee0a9b}\MpKsl20c24472.sys [?]

S1 MpKsl26a85ba8;MpKsl26a85ba8;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7c5762ba-efbe-4f2d-a0ce-ad4ed1ee0a9b}\mpksl26a85ba8.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7c5762ba-efbe-4f2d-a0ce-ad4ed1ee0a9b}\MpKsl26a85ba8.sys [?]

S1 MpKslad53614a;MpKslad53614a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7c5762ba-efbe-4f2d-a0ce-ad4ed1ee0a9b}\mpkslad53614a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7c5762ba-efbe-4f2d-a0ce-ad4ed1ee0a9b}\MpKslad53614a.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-25 136176]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2012-2-24 13192]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2012-2-24 8456]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-25 136176]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\10.tmp --> c:\windows\system32\10.tmp [?]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-6 114144]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]

S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys --> c:\windows\system32\drivers\wg111v2.sys [?]

S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2010-12-21 987704]

.

=============== Created Last 30 ================

.

2012-09-23 12:08:59 -------- d-----w- c:\program files\ESET

2012-09-10 17:25:58 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-09-10 17:25:58 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-09-10 16:54:53 73696 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll

.

==================== Find3M ====================

.

2012-09-07 16:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll

2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec

2012-08-22 16:34:55 90112 ----a-w- c:\windows\DUMP7a6f.tmp

2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll

2012-07-05 21:06:30 772544 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-07-05 21:06:20 687544 ----a-w- c:\windows\system32\deployJava1.dll

2012-07-04 14:05:18 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-07-03 13:40:15 1866112 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 16:02:21.09 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 01/05/2006 16:10:32

System Uptime: 24/09/2012 15:15:22 (1 hours ago)

.

Motherboard: MiTAC | |

Processor: Mobile AMD Sempron Processor 3000+ | PGA758 | 1804/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 25 GiB total, 10.35 GiB free.

D: is CDROM ()

E: is FIXED (NTFS) - 0 GiB total, 0.011 GiB free.

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP325: 12/07/2012 16:39:25 - System Checkpoint

RP326: 12/07/2012 18:45:32 - Software Distribution Service 3.0

RP327: 02/08/2012 18:01:55 - Removed Java 6 Update 31

RP328: 02/08/2012 18:02:51 - Installed Java 7 Update 5

RP329: 02/08/2012 18:04:04 - Installed JavaFX 2.1.1

RP330: 15/08/2012 19:18:37 - System Checkpoint

RP331: 15/08/2012 20:46:14 - Software Distribution Service 3.0

RP332: 10/09/2012 17:57:42 - Revo Uninstaller's restore point - Java 7 Update 5

RP333: 10/09/2012 17:59:02 - Removed Java 7 Update 5

RP334: 10/09/2012 18:00:12 - Revo Uninstaller's restore point - JavaFX 2.1.1

RP335: 10/09/2012 18:00:27 - Removed JavaFX 2.1.1

RP336: 10/09/2012 18:22:33 - Revo Uninstaller's restore point - Adobe Flash Player 11 Plugin

RP337: 12/09/2012 15:26:27 - System Checkpoint

RP338: 12/09/2012 20:09:06 - Software Distribution Service 3.0

RP339: 23/09/2012 10:33:01 - Software Distribution Service 3.0

RP340: 24/09/2012 15:43:12 - System Checkpoint

.

==== Installed Programs ======================

.

2350

2350_Help

2350Trb

7-Zip 9.22beta

Acronis True Image Home

Adobe Flash Player 11 Plugin

AiO_Scan

AiOSoftware

Avira Free Antivirus

BroadJump Client Foundation

BufferChm

CCleaner

Copy

CreativeProjects

CreativeProjectsTemplates

CueTour

Destinations

Director

DocProc

DocumentViewer

EASEUS Partition Master 9.1.0 Home Edition

EMET

ESET Online Scanner v3

Fax

Foxit Reader 5.1

Free RAR Extract Frog

Google Update Helper

HitmanPro 3.6

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB2633952)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB976002-v5)

Hotfix for Windows XP (KB981793)

HP Diagnostic Assistant

HP Image Zone 4.2

HP PSC & OfficeJet 4.2

HP Software Update

HPSystemDiagnostics

ImgBurn

InstantShare

Junk Mail filter update

LightScribe 1.4.74.1

Malwarebytes Anti-Malware version 1.65.0.1400

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2656353)

Microsoft .NET Framework 1.1 Security Update (KB2656370)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Mozilla Firefox 15.0.1 (x86 en-GB)

Mozilla Maintenance Service

Mozilla Thunderbird 15.0.1 (x86 en-US)

MSVCRT

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Overland

PhotoGallery

Picasa 3

PrintScreen

Private Folder Setup

ProductContext

QFolder

QuickProjects

Readme

Recuva

Revo Uninstaller 1.92

RoboForm 7-7-4 (All Users)

S3 S3Display

S3 S3Gamma2

S3 S3Info2

S3 S3Overlay

S3 S3TrayPlus

Sandboxie 3.74 (32-bit)

Scan

Secunia PSI (2.0.0.1003)

Security Update for CAPICOM (KB931906)

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2530548)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2559049)

Security Update for Windows Internet Explorer 8 (KB2586448)

Security Update for Windows Internet Explorer 8 (KB2618444)

Security Update for Windows Internet Explorer 8 (KB2647516)

Security Update for Windows Internet Explorer 8 (KB2675157)

Security Update for Windows Internet Explorer 8 (KB2699988)

Security Update for Windows Internet Explorer 8 (KB2722913)

Security Update for Windows Internet Explorer 8 (KB2744842)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2491683)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2584146)

Security Update for Windows XP (KB2585542)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB2598479)

Security Update for Windows XP (KB2603381)

Security Update for Windows XP (KB2618451)

Security Update for Windows XP (KB2619339)

Security Update for Windows XP (KB2620712)

Security Update for Windows XP (KB2621440)

Security Update for Windows XP (KB2624667)

Security Update for Windows XP (KB2631813)

Security Update for Windows XP (KB2633171)

Security Update for Windows XP (KB2639417)

Security Update for Windows XP (KB2641653)

Security Update for Windows XP (KB2646524)

Security Update for Windows XP (KB2647518)

Security Update for Windows XP (KB2653956)

Security Update for Windows XP (KB2655992)

Security Update for Windows XP (KB2659262)

Security Update for Windows XP (KB2660465)

Security Update for Windows XP (KB2661637)

Security Update for Windows XP (KB2676562)

Security Update for Windows XP (KB2685939)

Security Update for Windows XP (KB2686509)

Security Update for Windows XP (KB2691442)

Security Update for Windows XP (KB2695962)

Security Update for Windows XP (KB2698365)

Security Update for Windows XP (KB2705219)

Security Update for Windows XP (KB2707511)

Security Update for Windows XP (KB2709162)

Security Update for Windows XP (KB2712808)

Security Update for Windows XP (KB2718523)

Security Update for Windows XP (KB2719985)

Security Update for Windows XP (KB2723135)

Security Update for Windows XP (KB2731847)

Security Update for Windows XP (KB913433)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950759)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Segoe UI

SkinsHP1

Smart Link 56K Modem

TrayApp

Tweak UI

UBCD4Win 3.60

Unload

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2607712)

Update for Windows XP (KB2616676)

Update for Windows XP (KB2641690)

Update for Windows XP (KB2718704)

Update for Windows XP (KB2736233)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

VIA Rhine-Family Fast Ethernet Adapter

VLC media player 2.0.1

WebReg

Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Live Communications Platform

Windows Live Essentials

Windows Live Mail

Windows Live Sign-in Assistant

Windows Live Upload Tool

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Service Pack 3

.

==== Event Viewer Messages From Past Week ========

.

24/09/2012 15:15:56, error: Dhcp [1002] - The IP address lease 192.168.1.6 for the Network Card with network address 0040D06D99C9 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

23/09/2012 15:18:32, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avipbb avkmgr Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss ssmdrv Tcpip

23/09/2012 15:18:32, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

23/09/2012 15:18:32, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

23/09/2012 15:18:32, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

23/09/2012 15:18:32, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

23/09/2012 15:17:50, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

23/09/2012 15:17:46, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

23/09/2012 15:17:42, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

.

==== End Of File ===========================

Results of screen317's Security Check version 0.99.51

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Avira Free Antivirus

ESET Online Scanner v3

Avira successfully updated!

`````````Anti-malware/Other Utilities Check:`````````

Secunia PSI (2.0.0.1003)

Malwarebytes Anti-Malware version 1.65.0.1400

CCleaner

Adobe Flash Player 11.4.402.265

Mozilla Firefox (15.0.1)

Mozilla Thunderbird (15.0.1)

````````Process Check: objlist.exe by Laurent````````

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C:: 9%

````````````````````End of Log``````````````````````

Malwarebytes Anti-Malware (PRO) 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.24.07

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Owner :: ANON-2F9BB3F18B [administrator]

Protection: Enabled

24/09/2012 16:12:17

mbam-log-2012-09-24 (16-12-17).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 203932

Time elapsed: 14 minute(s), 14 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Once again many thanks for taking the time to look into this.


The old ip-block occurrence may have been just a one-off occasion. It may (perhaps) have even been your firewall software. Let's hope this is not an infection, or, a wild-goose chase.

Do as much as you can of the following. You may post a log into a separate reply, as you go along down the list.

Please do NO websurfing, no web searching, no online transactions.

Only go to this forum and the websites that I guide you to.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 3

Close all open browsers at this point.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Start Internet Explorer

Using Internet Explorer browser only, go to BitDefender Quickscan website:

http://quickscan.bitdefender.com

and click "Start Scan".

Observe your browser in case it shows a notice/message bar to allow download and installation of a tool.

Allow the download and install of qsax.cab from BitDefender. Right-click the IE info bar and select Install to install the BitDefender quick scan module.

If prompted, reply yes to allow it to run.

Press the Allow button and follow prompts.

Press the "Start Scan" once more.

You'll see the EULA in a pop-up window. Click the I accept & then the OK button

Note: The FAQ is here --> http://quickscan.bitdefender.com/faq/

and that QuickScan has no removal capability.

The site boasts a 60-second scan. Do have patience as it likely will take longer.

It may seem to stall at moments, but have patience; it will move on.

You'll see a progress bar at top right of window.

Hopefully you will see a No infections found in the bar-window. Press the View Log button.

The log report will show in your text editor. Save the log.

Do a Select ALL, Copy. Then paste contents into your next reply.

Step 4

  • Download & SAVE to your Desktop >> Tigzy's RogueKiller from here << or
    >> from here <<
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Click on Scan.
  • Click on Report and copy/paste the content of the notepad into your next reply.

Step 5

RE-Enable your antivirus program.

To de-install Flash Player

Use Programs and Features (Windows 7 & Vista) or Add-or-Remove Programs (Windows XP) to de-install older versions of Flash Player.

For stubborn cases,

Download and save the Flash Player uninstaller >> uninstall Flash Player for 32-bit Windows<<

If you have Windows 64-bit, use this Flash Player uninstaller >> uninstall Flash Player for 64-bit Windows<<

Close all browsers and instant messenger (IM) programs.

Run the uninstaller.

To get latest Flash Player

Go to http://www.adobe.com/go/getflash

and get the latest Flash Player

Un-Check any checkbox for Google Chrome, or McAfee Security Scan Plus, or any other widget or toolbar or add-on!!!

Reference: How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system

http://support.microsoft.com/kb/827218

Copy & Paste contents of log from Bitdefender & RogueKiller log.

Use separate replies as needed if logs do not fit into one reply box.

Next:

Download >> Farbar's Service Scanner utility << and Save to your Desktop.

If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.

If using XP, double-click to start.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are checkmarked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.

Copy & Paste contents of FSS.txt into a new reply.


Let's hope this is not an infection, or, a wild-goose chase.

Hello Maurice, my sincerest apologies if this is a wild goose chase.

I ran RK and saved the log. When I tried to close the program, it asked me if I was sure I wanted to close without deleting 4 entries. Upon inspection, I deleted them.

QuickScan 32-bit v0.9.9.118

---------------------------

Scan date: Mon Sep 24 18:20:42 2012

Machine ID: C88362F1

No infection found.

-------------------

Processes

---------

Acronis Scheduler 2 544 C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

Avira Free Antivirus 280 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

Avira Free Antivirus 560 C:\Program Files\Avira\AntiVir Desktop\avguard.exe

Avira Free Antivirus 2548 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

Avira Free Antivirus 1872 C:\Program Files\Avira\AntiVir Desktop\sched.exe

LightScribe 244 C:\Program Files\Common Files\LightScribe\LSSrvc.exe

Malwarebytes Anti-Malware 1472 C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

Malwarebytes Anti-Malware 708 C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

Malwarebytes Anti-Malware 1152 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

Microsoft® Windows® Operating System 1796 C:\WINDOWS\system32\spoolsv.exe

Microsoft® Windows® Operating System 2928 C:\WINDOWS\system32\wscntfy.exe

Modem 1528 C:\WINDOWS\system32\slserv.exe

Part of S3 Screen Toys 292 C:\WINDOWS\system32\VTTrayp.exe

Realtek Sound Manager 284 C:\WINDOWS\SOUNDMAN.EXE

RoboForm 356 C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe

S3 Graphics, Inc. Utilities 316 C:\WINDOWS\system32\VTTimer.exe

Sandboxie 336 C:\Program Files\Sandboxie\SbieCtrl.exe

Sandboxie 1160 C:\Program Files\Sandboxie\SbieSvc.exe

Secunia Update Agent 1284 C:\Program Files\Secunia\PSI\sua.exe

(verified) Microsoft® Windows® Operating System 1488 C:\WINDOWS\explorer.exe

(verified) Microsoft® Windows® Operating System 3296 C:\WINDOWS\system32\alg.exe

(verified) Microsoft® Windows® Operating System 720 C:\WINDOWS\system32\csrss.exe

(verified) Microsoft® Windows® Operating System 324 C:\WINDOWS\system32\ctfmon.exe

(verified) Microsoft® Windows® Operating System 804 C:\WINDOWS\system32\lsass.exe

(verified) Microsoft® Windows® Operating System 792 C:\WINDOWS\system32\services.exe

(verified) Microsoft® Windows® Operating System 656 C:\WINDOWS\system32\smss.exe

(verified) Microsoft® Windows® Operating System 1212 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 1320 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 1068 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 1544 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 1588 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 1660 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 972 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 2024 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 748 C:\WINDOWS\system32\winlogon.exe

(verified) Windows® Internet Explorer 712 C:\Program Files\Internet Explorer\iexplore.exe

(verified) Windows® Internet Explorer 1480 C:\Program Files\Internet Explorer\iexplore.exe

(verified) Windows® Internet Explorer 3736 C:\Program Files\Internet Explorer\iexplore.exe

Network activity

----------------

Process iexplore.exe (1480) connected on port 80 (HTTP) --> 173.194.34.66

Process iexplore.exe (1480) connected on port 80 (HTTP) --> 199.7.71.190

Process svchost.exe (1068) listens on ports: 135 (RPC)

Autoruns and critical files

---------------------------

AUTOBACK.EXE C:\Program Files\ERUNT\AUTOBACK.EXE

Avira Free Antivirus C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

Microsoft® Windows® Operating System C:\WINDOWS\system32\CRYPT32.dll

Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll

Microsoft® Windows® Operating System C:\WINDOWS\system32\cscdll.dll

Microsoft® Windows® Operating System C:\WINDOWS\System32\dimsntfy.dll

Microsoft® Windows® Operating System C:\WINDOWS\system32\logon.scr

Microsoft® Windows® Operating System C:\WINDOWS\system32\SHELL32.dll

Microsoft® Windows® Operating System c:\windows\system32\userinit.exe

Microsoft® Windows® Operating System C:\WINDOWS\system32\WlNotify.dll

Part of S3 Screen Toys C:\WINDOWS\system32\VTTrayp.exe

Realtek Sound Manager C:\WINDOWS\SOUNDMAN.EXE

RoboForm C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe

S3 Graphics, Inc. Utilities C:\WINDOWS\system32\VTTimer.exe

Sandboxie C:\Program Files\Sandboxie\SbieCtrl.exe

(verified) Google Update C:\Program Files\Google\Update\GoogleUpdate.exe

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\BROWSEUI.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\ctfmon.exe

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\WPDShServiceObj.dll

(verified) Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll

Browser plugins

---------------

Bitdefender QuickScan C:\WINDOWS\Downloaded Program Files\qsax.dll

ECOM Loader C:\WINDOWS\Downloaded Program Files\ecmldr32.dll

ECOM Server C:\WINDOWS\Downloaded Program Files\ecmsvr32.dll

Google Update C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll

Java Deployment Toolkit 7.0.50.255 C:\WINDOWS\system32\npDeployJava1.dll

Messenger C:\Program Files\Messenger\msmsgs.exe

Microsoft® Windows® Operating System C:\WINDOWS\system32\mswsock.dll

Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll

Microsoft® Windows® Operating System C:\WINDOWS\System32\winrnr.dll

NAVAPI C:\WINDOWS\Downloaded Program Files\navapi32.dll

NPSWF32_11_4_402_265.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_4_402_265.dll

Picasa C:\Program Files\Google\Picasa3\npPicasa3.dll

RoboForm C:\Program Files\Siber Systems\AI RoboForm\RoboForm.DLL

Symantec Antivirus Engine C:\WINDOWS\Downloaded Program Files\naveng32.dll

Symantec Antivirus Engine C:\WINDOWS\Downloaded Program Files\navex32a.dll

Symantec Security Check C:\WINDOWS\Downloaded Program Files\avsniff.dll

Symantec Security Check C:\WINDOWS\Downloaded Program Files\rufsi.dll

TODO: <Product name> C:\WINDOWS\Downloaded Program Files\avsniffdlgs.dll

VLC Web Plugin C:\Program Files\VideoLAN\VLC\npvlc.dll

WholeSecurity Confidence Online for C:\WINDOWS\Downloaded Program Files\AXXPEE.dll

Windows® Internet Explorer C:\WINDOWS\system32\ieframe.dll

(verified) Microsoft® Windows Live Login Helper C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

Scan

----


No file uploaded.

Scan finished - communication took 0 sec

Total traffic - 0.01 MB sent, 0.77 KB recvd

Scanned 582 files and modules - 89 seconds

==============================================================================

RogueKiller V8.0.5 [09/23/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Owner [Admin rights]

Mode : Scan -- Date : 09/24/2012 18:27:18

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤

[services][ROGUE ST] HKLM\[...]\ControlSet001\Services\MEMSWEEP2 (\??\C:\WINDOWS\system32\10.tmp) -> FOUND

[services][ROGUE ST] HKLM\[...]\ControlSet003\Services\MEMSWEEP2 (\??\C:\WINDOWS\system32\10.tmp) -> FOUND

[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[25] : NtClose @ 0x805B1D78 -> HOOKED (Unknown @ 0xF7C7F604)

SSDT[41] : NtCreateKey @ 0x8061ABE2 -> HOOKED (Unknown @ 0xF7C7F5BE)

SSDT[50] : NtCreateSection @ 0x805A0800 -> HOOKED (Unknown @ 0xF7C7F60E)

SSDT[53] : NtCreateThread @ 0x805C735E -> HOOKED (Unknown @ 0xF7C7F5B4)

SSDT[63] : NtDeleteKey @ 0x8061B07E -> HOOKED (Unknown @ 0xF7C7F5C3)

SSDT[65] : NtDeleteValueKey @ 0x8061B24E -> HOOKED (Unknown @ 0xF7C7F5CD)

SSDT[68] : NtDuplicateObject @ 0x805B398C -> HOOKED (Unknown @ 0xF7C7F5FF)

SSDT[98] : NtLoadKey @ 0x8061CE06 -> HOOKED (Unknown @ 0xF7C7F5D2)

SSDT[122] : NtOpenProcess @ 0x805C13E2 -> HOOKED (Unknown @ 0xF7C7F5A0)

SSDT[128] : NtOpenThread @ 0x805C166E -> HOOKED (Unknown @ 0xF7C7F5A5)

SSDT[177] : NtQueryValueKey @ 0x80618E06 -> HOOKED (Unknown @ 0xF7C7F627)

SSDT[193] : NtReplaceKey @ 0x8061CCB6 -> HOOKED (Unknown @ 0xF7C7F5DC)

SSDT[200] : NtRequestWaitReplyPort @ 0x805981A4 -> HOOKED (Unknown @ 0xF7C7F618)

SSDT[204] : NtRestoreKey @ 0x8061C5C2 -> HOOKED (Unknown @ 0xF7C7F5D7)

SSDT[213] : NtSetContextThread @ 0x805C8FB6 -> HOOKED (Unknown @ 0xF7C7F613)

SSDT[237] : NtSetSecurityObject @ 0x805B60FE -> HOOKED (Unknown @ 0xF7C7F61D)

SSDT[247] : NtSetValueKey @ 0x80619154 -> HOOKED (Unknown @ 0xF7C7F5C8)

SSDT[255] : NtSystemDebugControl @ 0x8060EB2C -> HOOKED (Unknown @ 0xF7C7F622)

SSDT[257] : NtTerminateProcess @ 0x805C866A -> HOOKED (Unknown @ 0xF7C7F5AF)

S_SSDT[549] : Unknown -> HOOKED (Unknown @ 0xF7C7F636)

S_SSDT[552] : Unknown -> HOOKED (Unknown @ 0xF7C7F63B)

_INLINE_ : NtRequestPort -> HOOKED (Unknown @ 0x80597E78)

_INLINE_ : NtRequestWaitReplyPort -> HOOKED (Unknown @ 0xF7C7F618)

_INLINE_ : NtTraceEvent -> HOOKED (Unknown @ 0x805318D6)

¤¤¤ Extern Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST950212A +++++

--- User ---

[MBR] 1e230136024a2e57d8ea6cceab681d57

[bSP] 94c7d9cc66e75925930cbad5105bb3b3 : Linux MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 25940 Mo

1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 53139454 | Size: 20794 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

Farbar Service Scanner Version: 19-09-2012

Ran by Owner (administrator) on 24-09-2012 at 18:39:31

Running from "C:\Documents and Settings\Owner\Desktop"

Microsoft Windows XP Home Edition Service Pack 3 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

Windows Update:

============

Windows Autoupdate Disabled Policy:

============================

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\wscsvc.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\wuauserv.dll => MD5 is legit

C:\WINDOWS\system32\qmgr.dll => MD5 is legit

C:\WINDOWS\system32\es.dll => MD5 is legit

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

AegisP(8) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)

0x080000000400000001000000020000000300000005000000060000000700000008000000

IpSec Tag value is correct.

**** End of log ****

I hope I have done as instructed. Thanks in advance.

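The hook listing in the RogueKiller report above is easier to reason about once the targets are grouped by address: sixteen different syscalls hooked into a window under 0x100 bytes wide means one driver installed all of them, and the question becomes which driver, which this log (owner reported as Unknown throughout) cannot answer on its own. What follows is an added example, not part of the thread and not RogueKiller's own code: it parses hook lines in the three shapes shown above (SSDT, shadow SSDT, inline) and clusters the hook targets. The sample input is the hook lines copied from the log; the 0x1000-byte clustering gap and the function names are the example's own choices.

```python
# Added example: parse RogueKiller-style hook lines and cluster the hook
# targets by address, so a long listing reads as "N hooks into one window".
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hook lines copied from the RogueKiller log posted above (constructed sample
# input for this example; non-hook lines are skipped by the parser).
SAMPLE_LOG = """\
SSDT[53] : NtCreateThread @ 0x805C735E -> HOOKED (Unknown @ 0xF7C7F5B4)
SSDT[63] : NtDeleteKey @ 0x8061B07E -> HOOKED (Unknown @ 0xF7C7F5C3)
SSDT[65] : NtDeleteValueKey @ 0x8061B24E -> HOOKED (Unknown @ 0xF7C7F5CD)
SSDT[68] : NtDuplicateObject @ 0x805B398C -> HOOKED (Unknown @ 0xF7C7F5FF)
SSDT[98] : NtLoadKey @ 0x8061CE06 -> HOOKED (Unknown @ 0xF7C7F5D2)
SSDT[122] : NtOpenProcess @ 0x805C13E2 -> HOOKED (Unknown @ 0xF7C7F5A0)
SSDT[128] : NtOpenThread @ 0x805C166E -> HOOKED (Unknown @ 0xF7C7F5A5)
SSDT[177] : NtQueryValueKey @ 0x80618E06 -> HOOKED (Unknown @ 0xF7C7F627)
SSDT[193] : NtReplaceKey @ 0x8061CCB6 -> HOOKED (Unknown @ 0xF7C7F5DC)
SSDT[200] : NtRequestWaitReplyPort @ 0x805981A4 -> HOOKED (Unknown @ 0xF7C7F618)
SSDT[204] : NtRestoreKey @ 0x8061C5C2 -> HOOKED (Unknown @ 0xF7C7F5D7)
SSDT[213] : NtSetContextThread @ 0x805C8FB6 -> HOOKED (Unknown @ 0xF7C7F613)
SSDT[237] : NtSetSecurityObject @ 0x805B60FE -> HOOKED (Unknown @ 0xF7C7F61D)
SSDT[247] : NtSetValueKey @ 0x80619154 -> HOOKED (Unknown @ 0xF7C7F5C8)
SSDT[255] : NtSystemDebugControl @ 0x8060EB2C -> HOOKED (Unknown @ 0xF7C7F622)
SSDT[257] : NtTerminateProcess @ 0x805C866A -> HOOKED (Unknown @ 0xF7C7F5AF)
S_SSDT[549] : Unknown -> HOOKED (Unknown @ 0xF7C7F636)
S_SSDT[552] : Unknown -> HOOKED (Unknown @ 0xF7C7F63B)
_INLINE_ : NtRequestPort -> HOOKED (Unknown @ 0x80597E78)
_INLINE_ : NtRequestWaitReplyPort -> HOOKED (Unknown @ 0xF7C7F618)
_INLINE_ : NtTraceEvent -> HOOKED (Unknown @ 0x805318D6)
Finished : << RKreport[1].txt >>
"""

HOOK_RE = re.compile(
    r"^(?P<table>S_SSDT|SSDT|_INLINE_)"        # SSDT, shadow SSDT or inline hook
    r"(?:\[(?P<index>\d+)\])?\s*:\s*"          # service index (none for inline)
    r"(?P<name>\S+)"                           # syscall name, or Unknown
    r"(?:\s*@\s*0x(?P<orig>[0-9A-Fa-f]+))?"    # original address, when reported
    r"\s*->\s*HOOKED\s*\((?P<module>[^@]+?)\s*@\s*0x(?P<target>[0-9A-Fa-f]+)\)$"
)


@dataclass(frozen=True)
class Hook:
    table: str               # "SSDT", "S_SSDT" or "_INLINE_"
    index: Optional[int]     # service index for table hooks
    name: str                # hooked syscall, or "Unknown"
    original: Optional[int]  # where the table pointed before the hook
    module: str              # owner as reported by the tool ("Unknown" here)
    target: int              # where the hook jumps to


def parse_hooks(text: str) -> List[Hook]:
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(Hook(m["table"], int(m["index"]) if m["index"] else None,
                              m["name"], int(m["orig"], 16) if m["orig"] else None,
                              m["module"].strip(), int(m["target"], 16)))
    return hooks


def cluster_targets(hooks: Iterable[Hook], gap: int = 0x1000) -> List[dict]:
    """Group hooks whose targets lie within `gap` bytes of a neighbour.

    Stubs installed by one driver sit in one small region of its image, so a
    tight cluster means one owner; a lone target elsewhere needs its own
    explanation. Largest cluster first.
    """
    clusters: List[dict] = []
    for h in sorted(hooks, key=lambda h: h.target):
        if clusters and h.target - clusters[-1]["hi"] <= gap:
            clusters[-1]["hi"] = h.target
            clusters[-1]["hooks"].append(h)
        else:
            clusters.append({"lo": h.target, "hi": h.target, "hooks": [h]})
    return sorted(clusters, key=lambda c: len(c["hooks"]), reverse=True)


def triage(text: str) -> dict:
    hooks = parse_hooks(text)
    return {"hooks": len(hooks),
            "clusters": [{"range": (c["lo"], c["hi"]), "count": len(c["hooks"]),
                          "names": sorted({h.name for h in c["hooks"]} - {"Unknown"})}
                         for c in cluster_targets(hooks)]}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['hooks']} hooks parsed")
    for c in report["clusters"]:
        lo, hi = c["range"]
        print(f"  0x{lo:08X}-0x{hi:08X}: {c['count']:2} hook(s): {', '.join(c['names'])}")
```

Run stand-alone it reports three clusters: nineteen hooks packed into 0xF7C7F5A0-0xF7C7F63B, and the two inline hooks (NtRequestPort, NtTraceEvent) that point back into the 0x80xxxxxx range where the original syscall addresses live. The set of functions in the large cluster (process/thread open and terminate, registry write and delete, SetContextThread, SystemDebugControl) is the profile of a self-protection driver, which is what both security products and rootkits install; settling which one needs the cluster range matched against a loaded-driver list with base addresses and sizes, which this report does not include.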

The Bitdefender result is good. And so is the FSS (services) report. The RogueKiller report is not.

Please proceed with the following

Turn off your antivirus so that it does not interfere

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

  • Please double-click OTL.exe to run it. (Note: If you are running on Windows 7 or Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    *****************************************************************
    :processes
    killallprocesses
    :files
    C:\WINDOWS\system32\10.tmp
    recycler /alldrives
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
    "{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
    "{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000000
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
    "{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
    "{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000000
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableRegistryTools"=-
    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
    "DisableCMD"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=-
    [HKEY_USERS\.default\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "DisableCAD"=dword:00000000
    [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore]
    "DisableConfig"=-
    [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore]
    "DisableSR"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoRun"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoRun"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoClose"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoClose"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoSetTaskbar"=-
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CLEARALLRESTOREPOINTS]
    [EMPTYFLASH]
    [emptyjava]
    [Reboot]
    *****************************************************************
  • Return to OTL. Right click in the Custom Scans/Fixes window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered Run Fix button.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

After you are done, and have posted the OTL log, please re-enable your antivirus program.


Hello again Maurice, many thanks for your reply. I will follow your instructions tomorrow and post back. Regarding the registry entries found by RogueKiller (10.tmp): is it possible they once belonged to Sophos rootkit remover? That program has definitely been on the machine, years ago. It does create a tmp file: http://www.bleepingcomputer.com/startups/MEMSWEEP2-22472.html

Once again, I thank you for your time and advice :)


Hello again Maurice, I opened OTL, pasted the fix and ran it. All I got was "killing process" for about two hours. In the end I decided to pull the plug. No damage done. Unless you have reason to think there is an infection, I will love you and leave you. :)

The two 10.tmp registry entries, [services][ROGUE ST] HKLM\[...]\ControlSet001\Services\MEMSWEEP2 (\??\C:\WINDOWS\system32\10.tmp) -> FOUND, would appear to me to be from Sophos anti-rootkit, which creates a MEMSWEEP2 service. I have had this in the past; perhaps deleting it left the registry entries behind. I looked for 10.tmp in the system32 folder and found nothing.

Thank you kindly for your time and help, it's much appreciated.

Cheers Mick


There is a chance you have or had an infection, since I noted that the registry editor has been disabled.

I am suggesting you run this in OTL (with the procedure slightly modified).

Turn off your antivirus so that it does not interfere

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

  • Please double-click OTL.exe to run it. (Note: If you are running on Windows 7 or Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    *****************************************************************
    :files
    C:\WINDOWS\system32\10.tmp
    recycler /alldrives
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
    "{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
    "{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000000
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
    "{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
    "{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000000
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableRegistryTools"=-
    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
    "DisableCMD"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=-
    [HKEY_USERS\.default\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "DisableCAD"=dword:00000000
    [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore]
    "DisableConfig"=-
    [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore]
    "DisableSR"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoRun"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoRun"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoClose"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoClose"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoSetTaskbar"=-
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CLEARALLRESTOREPOINTS]
    [EMPTYFLASH]
    [emptyjava]
    [Reboot]
    *****************************************************************
  • Return to OTL. Right click in the Custom Scans/Fixes window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered Run Fix button.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

After you are done, and have posted the OTL log, please re-enable your antivirus program.

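Both versions of the fix above rewrite a block of lockdown policies wholesale (DisableTaskMgr, DisableRegistryTools, DisableCMD, NoRun, DisableSR and the rest) without first establishing which of them exist, which matters in this thread because the helper read the registry editor as disabled while the user finds regedit opening normally. The following is an added example, not from the thread and not OTL's own code: it parses the :reg section of such a fix into operations and dry-runs them against a lookup function, reporting which lines would change anything and which user-restriction policies are actually set. On Windows the lookup reads the live registry through the standard-library winreg module; elsewhere it falls back to a constructed registry state so the example runs offline. The sample :reg text is abridged from the fix above with repeated key headers merged; SAMPLE_STATE, the function names and the "delete"/"set" vocabulary are the example's own assumptions.

```python
# Added example: dry-run the ':reg' section of an OTL fix against a registry
# lookup, to see which lockdown policies are really set before rewriting them.
import re
import sys
from dataclasses import dataclass
from typing import Callable, List, Optional

# Abridged from the fix posted above, repeated key headers merged (constructed
# sample input; OTL reads this .reg-like syntax).
FIX_REG_SECTION = r"""
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=-
"""

KEY_RE = re.compile(r"^\[(?P<hive>HKEY_[A-Z_]+)\\(?P<subkey>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>-|dword:[0-9A-Fa-f]{8})$')
Reader = Callable[[str, str, str], Optional[object]]  # (hive, subkey, name) -> data or None


@dataclass(frozen=True)
class RegOp:
    hive: str
    subkey: str
    name: str
    action: str           # "delete" for "=-", "set" for "=dword:..."
    data: Optional[int]   # DWORD to write, None for delete


def parse_reg_section(text: str) -> List[RegOp]:
    """Parse the two line shapes the fix uses: [key] and "name"=data."""
    ops, hive, subkey = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(":"):
            continue                               # blank or ":reg" header
        km, vm = KEY_RE.match(line), VALUE_RE.match(line)
        if km:
            hive, subkey = km["hive"], km["subkey"]
        elif vm and hive:
            delete = vm["data"] == "-"
            ops.append(RegOp(hive, subkey, vm["name"], "delete" if delete else "set",
                             None if delete else int(vm["data"][6:], 16)))
        else:
            raise ValueError(f"unsupported :reg line: {line!r}")
    return ops


def dry_run(ops: List[RegOp], read: Reader) -> List[dict]:
    """Per fix line: current data and whether applying the line would change it."""
    out = []
    for op in ops:
        cur = read(op.hive, op.subkey, op.name)
        changes = (cur is not None) if op.action == "delete" else (cur != op.data)
        out.append({"op": op, "current": cur, "changes": changes})
    return out


def lockdowns_present(findings: List[dict]) -> List[str]:
    # Policies the fix would delete that are actually set to a non-zero value.
    return sorted({f["op"].name for f in findings
                   if f["op"].action == "delete" and f["current"] not in (None, 0)})


def winreg_reader() -> Reader:
    """Live lookup via the standard library's winreg (Windows only)."""
    import winreg
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER, "HKEY_USERS": winreg.HKEY_USERS}

    def read(hive, subkey, name):
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                return winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:          # key or value absent: nothing to remove
            return None
    return read


# Constructed registry state for an offline run: one lockdown really set.
SAMPLE_STATE = {
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools"): 1,
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "DisableCAD"): 0,
}

if __name__ == "__main__":
    read = winreg_reader() if sys.platform == "win32" else (
        lambda hive, subkey, name: SAMPLE_STATE.get((hive, subkey, name)))
    findings = dry_run(parse_reg_section(FIX_REG_SECTION), read)
    for f in findings:
        op = f["op"]
        print(f"{'CHANGE' if f['changes'] else 'no-op '} {op.action:6} "
              f"{op.hive}\\{op.subkey}\\{op.name} (current={f['current']!r})")
    print("lockdowns present:", lockdowns_present(findings) or "none")
```

Run on the affected machine before the fix, it lists exactly which policy lines would remove something; an empty list means the :reg section is a no-op and the observed behaviour has to be explained by the other sections. Those (:files, recycler /alldrives, and commands such as [CLEARALLRESTOREPOINTS]) are deliberately not modelled: deleting 10.tmp and clearing restore points are not reversible, and a dry run should say so rather than pretend to simulate them.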

Hi again Maurice, I too saw the registry disabled entry, but I've been into regedit tonight, no problems. I will run your amended fix tomorrow and post back. I can't do these things near bedtime; they prey on my mind and keep me awake. I once got up at 3 in the morning to sort something out and had to take a day off work through lack of sleep. :D

Once again, thank you


Hello again Maurice, I tried the edited fix, unfortunately no joy. Left it for an hour and a half, then had to pull the plug. It just said "killing process, do not interrupt". I gave it another go, same again. I seriously appreciate your help and time. However, I think it's time to call it a day. I've taken enough of your valuable time. Please mark the post resolved. Take care and thanks, Mick :)


This topic is now closed to further replies.