
Sluggish PC Trojans removed but no improvement Help please


dooter


Hi, malware bytes detected trojans. It says they were quarantined. They deleted OK but PC very sluggish. Firewall reports dropped packets to unknown dns's

Moderator note: Please always Copy all contents of log(s) and Paste directly into main-body of Reply.

Do NOT use the attach option unless I ask you.

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.9.2

Run by DD at 22:06:32 on 2012-12-20

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3071.1908 [GMT 0:00]

.

AV: Virgin Media Security Anti-Virus *Enabled/Updated* {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}

AV: Lavasoft Ad-Aware *Enabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}

FW: Virgin Media Security Firewall *Enabled*

FW: Lavasoft Ad-Aware *Disabled*

.

============== Running Processes ================

.

C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Virgin Media\Security\Fws.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\netdde.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\IObit\Smart Defrag 2\SmartDefrag.exe

C:\WINDOWS\system32\FortiSSLVPNdaemon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Virgin Media\Security\rps.exe

C:\Program Files\Virgin Media\Digital Home Support\HsdService.exe

C:\Program Files\Java\jre7\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe

C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe

C:\WINDOWS\system32\pctspk.exe

C:\Program Files\Virgin Media\Security\RpsSecurityAwareR.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\locator.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe

C:\Program Files\Virgin Media\Service Manager\ServiceManager.exe

C:\Program Files\Virgin Media\Digital Home Support\DHSClient.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe

C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe

C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe

C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spotify\Data\SpotifyWebHelper.exe

C:\Program Files\IObit\Advanced SystemCare 6\ASCTray.exe

C:\Program Files\IObit\Advanced SystemCare 6\Suo10_SmartRAM.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\PROGRA~1\AD-AWA~1\AdAware.exe

C:\Program Files\Virgin Media\Service Manager\ServicepointService.exe

C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe

C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Virgin Media\Service Manager\ServiceManagerComHandler.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe

C:\WINDOWS\system32\SearchFilterHost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k bthsvcs

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://news.bbc.co.uk/

uInternet Connection Wizard,ShellNext = iexplore

uURLSearchHooks: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - <orphaned>

dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>

BHO: Octh Class: {000123B4-9B42-4900-B3F7-F4B073EFC214} - c:\program files\orbitdownloader\orbitcth.dll

BHO: ContributeBHO Class: {074C1DC5-9320-4A9A-947D-C042949C6216} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - <orphaned>

BHO: BitComet Helper: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - c:\program files\bitcomet\tools\BitCometBHO_1.5.4.11.dll

BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll

BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Grab Pro: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - c:\program files\orbitdownloader\GrabPro.dll

TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Contribute Toolbar: {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll

TB: Grab Pro: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - c:\program files\orbitdownloader\GrabPro.dll

uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spotify Web Helper] "c:\program files\spotify\data\SpotifyWebHelper.exe"

uRun: [Advanced SystemCare 6] "c:\program files\iobit\advanced systemcare 6\ASCTray.exe" /AutoStart

uRun: [smartRAM] "c:\program files\iobit\advanced systemcare 6\Suo10_SmartRAM.exe" /m

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay

mRun: [soundMan] SOUNDMAN.EXE

mRun: [EPSON Stylus Photo RX700 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9IA.EXE /P31 "EPSON Stylus Photo RX700 Series" /O6 "USB001" /M "Stylus Photo RX700"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [serviceManager.exe] "c:\program files\virgin media\service manager\ServiceManager.exe" /AUTORUN

mRun: [DHSClient.exe] "c:\program files\virgin media\digital home support\DHSClient.exe" /AUTORUN

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe

mRun: [Ad-Aware Browsing Protection] "c:\documents and settings\all users\application data\ad-aware browsing protection\adawarebp.exe"

mRun: [Ad-Aware Antivirus] "c:\program files\ad-aware antivirus\AdAwareLauncher" --windows-run

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:149

mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm

IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm

IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105

IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - c:\program files\bitcomet\tools\BitCometBHO_1.5.4.11.dll/206

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

.

INFO: HKCU has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1351527335046

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab

DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab

DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab

DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://www.mypix.com/uk/uk/importer/ImageUploader4.cab

DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab

TCP: Interfaces\{6D203BC2-4FAB-4BBD-9522-0F11B84DFF1B} : DHCPNameServer = 192.168.0.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: Microsoft AntiMalware ShellExecuteHook - {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\program files\windows defender\MpShHook.dll

SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL

LSA: Authentication Packages = msv1_0 relog_ap

LSA: Notification Packages = scecli nvcst10.dll

.

============= SERVICES / DRIVERS ===============

.

R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2012-12-16 13560]

R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-2-21 25608]

R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-8-31 14776]

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2007-9-12 77312]

R1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [2011-12-11 146904]

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2012-12-16 22064]

R2 Ad-Aware Service;Ad-Aware Service;c:\program files\ad-aware antivirus\AdAwareService.exe [2012-12-7 1236368]

R2 AdvancedSystemCareService6;Advanced SystemCare Service 6;c:\program files\iobit\advanced systemcare 6\ASCService.exe [2012-11-2 464256]

R2 FortiSslvpnDaemon;FortiClient SSLVPN;c:\windows\system32\FortiSSLVPNdaemon.exe [2012-6-21 944784]

R2 HsdService;HsdService;c:\program files\virgin media\digital home support\HsdService.exe [2011-4-21 1406264]

R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-12-16 399432]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-12-16 676936]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2011-9-15 88576]

R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2011-6-11 632792]

R2 Radialpoint Security Services;Virgin Media Security;c:\program files\virgin media\security\RpsSecurityAwareR.exe [2010-1-4 165408]

R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\virgin media\security\avg\identity protection\agent\bin\AVGIDSAgent.exe [2010-2-21 5832712]

R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\RUBotSrv.exe [2012-12-16 439632]

R2 SBAMSvc;Ad-Aware;c:\program files\ad-aware antivirus\SBAMSvc.exe [2012-9-20 3677000]

R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2012-12-16 66344]

R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2012-12-8 1103392]

R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2012-12-8 1369624]

R2 ServicepointService;ServicepointService;c:\program files\virgin media\service manager\ServicepointService.exe [2011-4-21 689464]

R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-12-13 3290896]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-16 22856]

R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [2009-7-21 36384]

R3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\virgin media\security\avg\identity protection\agent\drivers\AVGIDSDriver.sys [2010-2-21 122376]

R3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\virgin media\security\avg\identity protection\agent\drivers\AVGIDSfilter.sys [2010-2-21 30216]

R3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\virgin media\security\avg\identity protection\agent\drivers\AVGIDSShim.sys [2010-2-21 25736]

R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-2-1 27632]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate1c98629f5d80188;Google Update Service (gupdate1c98629f5d80188);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]

S2 PICOPP;Pico Technology Ltd USB Driver (picopp.sys);c:\windows\system32\drivers\picopp.sys [2010-10-19 86488]

S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2012-12-8 168384]

S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]

S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2012-12-16 33408]

S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2012-1-28 24576]

S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-22 21248]

S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [2009-7-27 86824]

S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [2009-7-27 15016]

S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [2009-7-27 114600]

S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [2009-7-27 108328]

S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [2009-7-27 26024]

S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [2009-7-27 104616]

S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [2009-7-27 109736]

S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]

S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2008-2-3 87824]

S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2008-2-3 85696]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== File Associations ===============

.

FileExt: .js: jsfile=c:\windows\system32\Notepad.exe %1 [default=Edit - 'Open' doesn't exist]

ShellExec: dreamweaver.exe: Open="c:\program files\adobe\adobe dreamweaver cs5\dreamweaver.exe", "%1"

.

=============== Created Last 30 ================

.

2012-12-16 23:20:49 33408 ----a-w- c:\windows\system32\drivers\gfiark.sys

2012-12-16 22:29:23 -------- d-----w- c:\documents and settings\all users\application data\Ad-Aware Antivirus

2012-12-16 21:28:11 -------- d-----w- c:\documents and settings\dd\application data\LavasoftStatistics

2012-12-16 21:15:42 66344 ----a-w- c:\windows\system32\drivers\sbapifs.sys

2012-12-16 21:15:41 22064 ----a-w- c:\windows\system32\drivers\sbaphd.sys

2012-12-16 21:15:15 -------- d-----w- c:\windows\system32\drivers\VDD

2012-12-16 21:15:14 -------- d-----w- c:\program files\Ad-Aware Antivirus

2012-12-16 21:12:47 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys

2012-12-16 21:11:57 -------- d-----w- c:\documents and settings\dd\local settings\application data\adawarebp

2012-12-16 21:11:56 -------- d-----w- c:\documents and settings\all users\application data\blekko toolbars

2012-12-16 21:11:49 -------- d-----w- c:\documents and settings\all users\application data\Ad-Aware Browsing Protection

2012-12-16 21:11:37 -------- d-----w- c:\program files\adawaretb

2012-12-16 21:11:37 -------- d-----w- c:\documents and settings\dd\application data\adawaretb

2012-12-16 21:11:26 -------- d-----w- c:\program files\Toolbar Cleaner

2012-12-16 21:10:03 -------- d-----w- c:\documents and settings\dd\application data\Ad-Aware Antivirus

2012-12-16 21:02:37 -------- d-----w- c:\documents and settings\dd\application data\Malwarebytes

2012-12-16 21:02:12 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2012-12-16 21:02:08 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-12-16 21:02:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-12-16 20:29:44 -------- d-----w- c:\documents and settings\all users\application data\Trend Micro

2012-12-16 20:19:32 -------- d-----w- c:\program files\WinPcap

2012-12-14 11:49:15 6812136 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{2decfb86-5c2a-4897-be45-d97d5a5742a9}\mpengine.dll

2012-12-09 18:22:46 -------- d-----w- c:\documents and settings\dd\local settings\application data\Sun

2012-12-09 18:18:57 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-12-08 14:12:57 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy

2012-12-08 14:12:25 15224 ----a-w- c:\windows\system32\sdnclean.exe

2012-12-08 14:12:12 -------- d-----w- c:\program files\Spybot - Search & Destroy 2

2012-12-03 18:13:59 -------- d-----w- C:\downloads

2012-12-02 19:15:47 -------- d-----w- c:\documents and settings\all users\application data\188F1432-103A-4ffb-80F1-36B633C5C9E1

.

==================== Find3M ====================

.

2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll

2012-12-14 11:41:49 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-12-14 11:41:42 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-12-09 18:18:30 143872 ----a-w- c:\windows\system32\javacpl.cpl

2012-12-09 18:18:28 821736 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-12-09 18:18:28 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys

2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll

2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll

2012-11-01 12:17:54 43520 ------w- c:\windows\system32\licmgr10.dll

2012-11-01 12:17:54 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-11-01 00:35:34 385024 ------w- c:\windows\system32\html.iec

2012-10-25 03:12:26 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2012-10-25 03:12:26 69632 ----a-w- c:\windows\system32\QuickTime.qts

2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll

2012-09-28 10:32:56 5989776 ----a-w- c:\windows\system32\usbaaplrc.dll

2012-09-28 10:32:56 44544 ----a-w- c:\windows\system32\drivers\usbaapl.sys

.

============= FINISH: 22:19:17.76 ===============


Edited by Maurice Naggar

Hello dooter and welcome to MalwareBytes forums.

Moderator note: Please always Copy all contents of log(s) and Paste directly into main-body of Reply.

Do NOT use the attach option unless I ask you.

First, Advanced System Care is of dubious value. If you did not buy it, I need for you to Uninstall it before we get going much further.

Also, your system appears to have more than 1 antivirus "active", as well as possibly 2 3rd-party firewalls ! ? ! Why ??

Also note, having more than 1 active-monitor Antivirus results in less security and in deadlocks & conflicts. !!

What trojans did you find and remove ?? Where is that log???

AV: Virgin Media Security Anti-Virus *Enabled/Updated* {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}

AV: Lavasoft Ad-Aware *Enabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}

FW: Virgin Media Security Firewall *Enabled*

FW: Lavasoft Ad-Aware *Disabled*

Whichever of the 2 products has the most current license and is up-to-date, keep that one, and Uninstall the other

and then afterwards, you must Logoff and Reboot the system, fresh.

Step 2

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Step 3

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 4

Set Windows to show all files and all folders.

On your Desktop, double click My Computer; from the menu options, select Tools, then Folder Options, then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under the column Hidden files and folders, choose (select) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 5

Save and close any work documents, close any apps that you started.

Temporarily turn off (disable) your antivirus program

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a Full Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

When all done, Copy & paste the MBAM scan log into a new reply.

Tell me, How is the system ?

Re-enable your antivirus program.

Edited by Maurice Naggar
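
The moderator's point above rests on the AV:/FW: header lines of the DDS log. As an added example (not code from this thread, from Malwarebytes or from DDS), here is a small parser for those lines, run over the four lines quoted from the log, that flags when more than one real-time product of the same kind is enabled; treating SP: lines and an "Enabled/Outdated" status the same way is an assumption about the DDS format beyond what this thread shows.

```python
"""Flag overlapping real-time security products in a DDS log header.

Added example, not code from the thread, Malwarebytes or DDS. Assumes the
DDS header format visible on the page:  'AV: <name> *<status>* {<clsid>}'
and 'FW: <name> *<status>*'. Handling 'SP:' (antispyware) lines and the
'Enabled/Outdated' status the same way is an assumption about other logs.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the four AV/FW lines quoted from the DDS log in this thread.
SAMPLE_DDS_HEADER = """\
AV: Virgin Media Security Anti-Virus *Enabled/Updated* {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
AV: Lavasoft Ad-Aware *Enabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Virgin Media Security Firewall *Enabled*
FW: Lavasoft Ad-Aware *Disabled*
"""

# kind, product name, status between asterisks, optional CLSID in braces
_PRODUCT_RE = re.compile(
    r"^(?P<kind>AV|FW|SP):\s+(?P<name>.+?)\s+\*(?P<status>[^*]+)\*"
    r"(?:\s+\{(?P<clsid>[0-9A-Fa-f-]+)\})?\s*$"
)


@dataclass(frozen=True)
class SecurityProduct:
    kind: str            # "AV", "FW" or "SP"
    name: str
    status: str          # e.g. "Enabled/Updated", "Enabled", "Disabled"
    clsid: Optional[str]

    @property
    def active(self) -> bool:
        # The real-time state comes first; "Enabled/Outdated" still runs a monitor.
        return self.status.split("/", 1)[0].strip().lower() == "enabled"


def parse_products(log_text: str) -> List[SecurityProduct]:
    """Return every AV/FW/SP product line found in a DDS log, in order."""
    products = []
    for line in log_text.splitlines():
        m = _PRODUCT_RE.match(line.strip())
        if m:
            products.append(SecurityProduct(m["kind"], m["name"], m["status"], m["clsid"]))
    return products


def active_by_kind(products: List[SecurityProduct]) -> Dict[str, List[str]]:
    """Group the names of products whose real-time component is enabled, by kind."""
    out: Dict[str, List[str]] = {}
    for p in products:
        if p.active:
            out.setdefault(p.kind, []).append(p.name)
    return out


def conflicts(products: List[SecurityProduct]) -> Dict[str, List[str]]:
    """Kinds with more than one active product: the overlap the moderator warns about."""
    return {kind: names for kind, names in active_by_kind(products).items() if len(names) > 1}


def report(log_text: str) -> str:
    """Human-readable summary: one line per product, then a warning per overlapping kind."""
    products = parse_products(log_text)
    lines = [f"{p.kind}: {p.name} [{'active' if p.active else 'inactive'}]" for p in products]
    for kind, names in conflicts(products).items():
        lines.append(f"WARNING: {len(names)} {kind} products active at once: " + "; ".join(names))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DDS_HEADER))
```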

Thanks Maurice. Sorry about the attachments - I am new to this.

I did pay for ASC but it's uninstalled now.

My cable provider offers Virgin Media antivirus which is based on AVG. When my PC started showing signs that all was not well, internet searches suggested that it was not a good AV and I was recommended to try others. I downloaded Spybot which found things Virgin missed. I then downloaded MBAM which found new things, then Ad-Aware etc. etc. Different AVs seem to find different things.

Ad-Aware found 4 threats and 7 traces but I cannot work out how to access the log files.

I was under the impression that I only had one firewall active.

Firewall kept logging dropped packets, many of which were to my cable provider but also many to unknown domains such as 4Kom.ru etc.

Recent MBAM logs here:

Quote

Malwarebytes Anti-Malware (Trial) 1.65.1.1000

www.malwarebytes.org

Database version: v2012.12.17.03

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

DD :: KITCHENPC [administrator]

Protection: Enabled

17/12/2012 21:44:05

mbam-log-2012-12-17 (21-44-05).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 597399

Time elapsed: 10 hour(s), 46 minute(s), 33 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\System Volume Information\_restore{96C73F25-ADF9-4D61-8411-47551F9C2331}\RP1538\A0461517.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

(end)

unquote

quote

Malwarebytes Anti-Malware (Trial) 1.65.1.1000

www.malwarebytes.org

Database version: v2012.12.16.09

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

DD :: KITCHENPC [administrator]

Protection: Enabled

16/12/2012 21:13:20

mbam-log-2012-12-16 (21-13-20).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 267460

Time elapsed: 33 minute(s), 53 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Documents and Settings\DD\My Documents\Downloads\DownloadSetup.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.

(end)

unquote

Virgin logs below:

quote

File name | Infection | Action | Date
C:\Documents and Settings\DD\My Documents\Vuze Downloads\Guitar pro 6 with crack\Keygen\Keygen\keygen.exe | Trojan.Generic.7392475 | Quarantined | 10/10/2012 20:43:59
C:\Documents and Settings\DD\My Documents\Vuze Downloads\Guitar pro 6 with crack\Keygen\Keygen\keygen.exe | Trojan.Generic.7392475 | Quarantined | 20/10/2012 15:10:23
C:\Documents and Settings\DD\My Documents\Vuze Downloads\Guitar pro 6 with crack\Keygen\Keygen.rar | Trojan.Generic.7392475 | Reported | 20/10/2012 15:10:23
C:\Documents and Settings\DD\Local Settings\Temp\Rar$EX01.297\keygen.exe | Trojan.Generic.7392475 | Quarantined | 20/10/2012 16:01:37
C:\Documents and Settings\DD\Local Settings\Temp\Rar$EX32.594\keygen.exe | Trojan.Generic.7392475 | Delete at restart | 20/10/2012 16:18:06
C:\Documents and Settings\DD\My Documents\Vuze Downloads\Guitar pro 6 with crack\Keygen\Keygen.rar | Trojan.Generic.7392475 | Reported | 29/10/2012 10:18:44
C:\Program Files\Vuze\i4j5739682936144138462.tmp | Gen:Trojan.Heur.JP.su3@a0QLvHmi | Deleted | 29/10/2012 16:04:50
C:\Program Files\Vuze\i4j5630679247762023338.tmp | Gen:Trojan.Heur.JP.su3@a0QLvHmi | Deleted | 29/10/2012 16:18:21
C:\Program Files\Vuze\Azureus.exe | Gen:Trojan.Heur.JP.su3@a0QLvHmi | Quarantined | 29/10/2012 17:11:45
C:\Program Files\Vuze\i4j5935685082935789630.tmp | Gen:Trojan.Heur.JP.su3@a0QLvHmi | Deleted | 30/10/2012 09:03:04
C:\Documents and Settings\DD\My Documents\Vuze Downloads\Guitar pro 6 with crack\Keygen\Keygen.rar | Trojan.Generic.7392475 | Reported | 23/11/2012 19:49:20
C:\Documents and Settings\DD\My Documents\Vuze Downloads\Guitar pro 6 with crack\Keygen\Keygen.rar | Trojan.Generic.7392475 | Reported | 02/12/2012 14:10:41
C:\Documents and Settings\DD\My Documents\Vuze Downloads\Guitar pro 6 with crack\Keygen\Keygen.rar | Trojan.Generic.7392475 | Reported | 11/12/2012 20:52:41

unquote

I have now uninstalled ad-aware also and rebooted.

I performed a full scan with MBAM as requested. No items found. Logs here:

quote

Malwarebytes Anti-Malware (Trial) 1.65.1.1000

www.malwarebytes.org

Database version: v2012.12.21.15

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

DD :: KITCHENPC [administrator]

Protection: Enabled

21/12/2012 19:40:32

mbam-log-2012-12-21 (19-40-32).txt

Scan type: Full scan (C:\|F:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 624869

Time elapsed: 8 hour(s), 33 minute(s), 35 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

unquote

Here is the log of the security check as requested:

Quote

Results of screen317's Security Check version 0.99.56

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Disabled!

OneCare Advisor (Windows Live Toolbar)

Trend Micro RUBotted 2.0 Beta

Exampro AQA GCSE Biology

`````````Anti-malware/Other Utilities Check:`````````

Ad-Aware

Out of date HijackThis installed!

Spybot - Search & Destroy

Windows Defender

Malwarebytes Anti-Malware version 1.65.1.1000

HijackThis 2.0.2

Java 6 Update 37

Java 7 Update 9

Adobe Flash Player 11.5.502.135

Adobe Reader 9 Adobe Reader out of Date!

Google Chrome 21.0.1180.83

Google Chrome 21.0.1180.89

Google Chrome 22.0.1229.79

Google Chrome 22.0.1229.94

Google Chrome 23.0.1271.64

Google Chrome 23.0.1271.91

Google Chrome 23.0.1271.95

Google Chrome 23.0.1271.97

Google Chrome Plugins...

````````Process Check: objlist.exe by Laurent````````

Windows Defender MSMpEng.exe

Windows Defender MSASCui.exe

Ad-Aware AAWService.exe is disabled!

Ad-Aware AAWTray.exe is disabled!

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Spybot Teatimer.exe is disabled!

Malwarebytes' Anti-Malware mbamscheduler.exe

Windows Defender MsMpEng.exe

Windows Defender MSASCui.exe

Trend Micro RUBotted RUBottedGUI.exe

Trend Micro RUBotted RUBotSrv.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C:: 11% Defragment your hard drive soon! (Do NOT defrag if SSD!)

````````````````````End of Log``````````````````````

unquote

I installed Erunt as requested and enabled all hidden folders and system files.

PC is much better now. Last night it was taking 30 minutes to boot up, and when launching any program such as a web browser, the window would report 'not responding' for about 10 minutes for each opened program. I suspect this was AV conflicts and deadlocks as you mentioned.

Many thanks for your help.

Darren

Many Thanks


Download Dr.Web CureIt to the desktop.

  • Turn OFF your antivirus program.
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Double-click the drweb-cureit.exe file, then click Start and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the following icon next to the files found:
    check.gif
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    move.gif
  • This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

Re-Enable your antivirus program when all done.


Hi Maurice.

DrWeb Cure-it appears to have been updated; it did not quite match your description. There was only one scan option. I scanned first without choosing any options. It found one threat labelled 'probable', which was a hosts file labelled corrupt.

I ran another scan but was unable to find any option to select disks to scan. It only scanned my C drive. There was also no option for a full scan so I chose custom scan with all options ticked.

This scan found no threats. It generated a .log file (not CSV) which was 11 MB in size and caused my browser to hang when pasted. So here is a selection:

Quote

=============================================================================

Dr.Web Scanner SE for Windows v7.0.100.12030

© Doctor Web, Ltd., 1992-2012

Scan session started 2012/12/22 17:14:09

Module location : c:\documents and settings\dd\local settings\temp\4C4AF6C8-45B57A0-6ACD8248-94E53A78\

=============================================================================

Available instances: 2

Instances used: 2

Platform: Windows XP Home x86 (Build 2600), Service Pack 3

API Version: 2.2

Scanning Engine version: 8.0.1.11280

Virus Finding Engine version: 7.0.4.9250

Total 87 virus bases are loaded from c:\documents and settings\dd\local settings\temp\4C4AF6C8-45B57A0-6ACD8248-94E53A78

l5tesq5k 7.0 ef4443b32c81a3c06afaf6e1ff3b076bc0d02655 2012/12/22 14:30:55 6384 records - OK

5wxqjxa0 7.0 f5d1425097a34628f8d752212dabf9732d209c98 2011/07/25 15:20:03 1 record - OK

yr5s69lm 7.0 e8f3d3e60d1cd27bcb2cb611b2fd8ed8e585ac96 2012/12/21 19:02:28 16980 records - OK

mn37crhy 7.0 33def496782eb5b7b1cc93fdb036a1b62fa6a2fd 2012/12/17 03:06:21 25519 records - OK

........<snip>

7.0 8f7a8f6f55130f6becc5331ab38dc2108746b8aa 2011/12/03 23:00:00 26456 records - OK

kupj9xdd 7.0 e6d52b11d2f7d405ccd31347da3b6fde69825168 2011/12/03 22:00:00 74279 records - OK

9tsbicm7 7.0 e20ffde4bbc58e0585b0b3b2f324bc91272c2360 2011/12/03 21:00:00 1 record - OK

Total records count: 3496345

Anti-rootkit module version (API 5.00 / 5.00)

Using c:\documents and settings\dd\local settings\temp\4C4AF6C8-45B57A0-6ACD8248-94E53A78\tfozha86.key as Dr.Web ® Key file

This Dr.Web ® Key is for 1 computer (A User)

OPTION [Automatic Apply Actions] NO

OPTION [Turn Off Computer After Scan] NO

OPTION [use Sound Alerts] NO

OPTION [block Network] NO

OPTION [Protect Process] NO

OPTION [Protect Raw Disk] NO



Run the following and post the requested log. Credit to Kevinf80 for the following.

1. Download Malwarebytes Anti-Rootkit from this link http://www.malwarebytes.org/products/mbar/

2. Unzip the File to a convenient location. (Recommend the Desktop)

3. Open the folder where the contents were unzipped to run mbar.exe

Image1.png

4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

mbarwm.png

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

6. The following image opens, select Next.

Image2.png

7. The following image opens, select Update

Image3.png

8. When the Update completes, select Next

Image4.png

9. In the following window ensure "Targets" are ticked. Then select "Scan"

Image5.png

10. If any infections are found, the "Cleanup" button to remove threats will be available. Infected files will be listed like the following example:

MBAntiRKclean.png

11. Do not select the "Clean up" button; select the "Exit" button. There will be a warning as follows:

MBAntiRKclean1.png

12. Select "Yes" to close down the program. If NO infections were found you will see the following image:

Image6.png

13. Select "Exit" to close down.

14. Copy and paste the two following logs from the mbar folder:

System - log

Mbar - log (date and time of scan will also be shown)

Image10.png

Post those two logs in your reply.


OK, ran the Mbar app.

Log files as below:

Quote

Malwarebytes Anti-Rootkit 1.01.0.1011

www.malwarebytes.org

Database version: v2012.12.23.04

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

DD :: KITCHENPC [administrator]

23/12/2012 16:53:08

mbar-log-2012-12-23 (16-53-08).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 31350

Time elapsed: 1 hour(s), 17 minute(s), 6 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 1

HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> Delete on reboot.

Registry Values Detected: 1

HKCU\SOFTWARE\CROSSRIDER|215AppVerifier (Adware.GamePlayLab) -> Data: c5f1ff44d627f6756b7a690e56cd9961 -> Delete on reboot.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

unquote

quote

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_37

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, F:\ DRIVE_FIXED

CPU speed: 1.804000 GHz

Memory total: 3220422656, free: 1499172864

------------ Kernel report ------------

12/23/2012 15:23:16

------------ Loaded modules -----------

\WINDOWS\system32\ntkrnlpa.exe

\WINDOWS\system32\hal.dll

\WINDOWS\system32\KDCOM.DLL

\WINDOWS\system32\BOOTVID.dll

ACPI.sys

\WINDOWS\system32\DRIVERS\WMILIB.SYS

pci.sys

isapnp.sys

gfibto.sys

pciide.sys

\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

viaide.sys

MountMgr.sys

ftdisk.sys

PartMgr.sys

videX32.sys

VolSnap.sys

atapi.sys

viasraid.sys

\WINDOWS\system32\DRIVERS\SCSIPORT.SYS

viamraid.sys

disk.sys

\WINDOWS\system32\DRIVERS\CLASSPNP.SYS

fltmgr.sys

sr.sys

bdfsfltr.sys

PxHelp20.sys

KSecDD.sys

WudfPf.sys

Ntfs.sys

NDIS.sys

timntr.sys

vvoice.sys

vpctcom.sys

vmodem.sys

snapman.sys

SmartDefragDriver.sys

AVGIDSEH.sys

Mup.sys

gagp30kx.sys

\SystemRoot\system32\DRIVERS\ati2mtag.sys

\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

\SystemRoot\system32\DRIVERS\yk51x86.sys

\SystemRoot\system32\DRIVERS\IntelS51.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\System32\Drivers\Modem.SYS

\SystemRoot\system32\DRIVERS\imapi.sys

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\system32\DRIVERS\redbook.sys

\SystemRoot\System32\Drivers\GEARAspiWDM.sys

\SystemRoot\system32\DRIVERS\usbuhci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\fdc.sys

\SystemRoot\system32\DRIVERS\serial.sys

\SystemRoot\system32\DRIVERS\serenum.sys

\SystemRoot\system32\DRIVERS\gameenum.sys

\SystemRoot\system32\drivers\msmpu401.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ALCXWDM.SYS

\SystemRoot\system32\DRIVERS\AmdK8.sys

\SystemRoot\system32\DRIVERS\audstub.sys

\SystemRoot\System32\Drivers\RootMdm.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\DRIVERS\psched.sys

\SystemRoot\system32\DRIVERS\msgpc.sys

\SystemRoot\system32\DRIVERS\ptilink.sys

\SystemRoot\system32\DRIVERS\raspti.sys

\SystemRoot\system32\DRIVERS\pppop.sys

\SystemRoot\system32\DRIVERS\rp_skt32.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\rp_pkt32.sys

\SystemRoot\system32\DRIVERS\serscan.sys

\SystemRoot\system32\DRIVERS\seehcri.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\update.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\MODEMCSA.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\flpydisk.sys

\SystemRoot\System32\Drivers\Fs_Rec.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\Drivers\mnmdd.SYS

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\rasacd.sys

\SystemRoot\system32\DRIVERS\ipsec.sys

\SystemRoot\system32\DRIVERS\tcpip.sys

\SystemRoot\system32\DRIVERS\netbt.sys

\SystemRoot\System32\drivers\afd.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\ipnat.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\System32\drivers\truecrypt.sys

\SystemRoot\System32\Drivers\SCDEmu.SYS

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\System32\Drivers\Fips.SYS

\??\C:\WINDOWS\system32\drivers\cbfs.sys

\SystemRoot\System32\Drivers\VdCap03C.sys

\SystemRoot\System32\Drivers\STREAM.SYS

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\system32\DRIVERS\NuidFltr.sys

\SystemRoot\system32\DRIVERS\WDFLDR.SYS

\SystemRoot\system32\DRIVERS\Wdf01000.sys

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\DRIVERS\point32.sys

\SystemRoot\System32\Drivers\Cdfs.SYS

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_WMILIB.SYS

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\System32\watchdog.sys

\SystemRoot\System32\drivers\dxg.sys

\SystemRoot\System32\drivers\dxgthk.sys

\SystemRoot\System32\ati2dvag.dll

\SystemRoot\System32\ati2cqag.dll

\SystemRoot\System32\atikvmag.dll

\SystemRoot\System32\ati3duag.dll

\SystemRoot\System32\ativvaxx.dll

\SystemRoot\System32\ATMFD.DLL

\??\C:\WINDOWS\system32\drivers\mbam.sys

\SystemRoot\system32\DRIVERS\tifsfilt.sys

\SystemRoot\System32\Drivers\DefragFS.SYS

\SystemRoot\system32\DRIVERS\ndisuio.sys

\??\C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys

\??\C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSFilter.sys

\??\C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys

\SystemRoot\System32\Drivers\Fastfat.SYS

\SystemRoot\system32\drivers\wdmaud.sys

\SystemRoot\system32\drivers\sysaudio.sys

\SystemRoot\system32\DRIVERS\mrxdav.sys

\SystemRoot\System32\Drivers\adfs.SYS

\SystemRoot\System32\Drivers\HTTP.sys

\SystemRoot\system32\drivers\npf.sys

\SystemRoot\system32\DRIVERS\ipfltdrv.sys

\??\C:\Program Files\Virgin Media\Security\BitDefender\profos.sys

\??\C:\Program Files\Virgin Media\Security\BitDefender\trufos.sys

\SystemRoot\System32\Drivers\4908909d.sys

\SystemRoot\system32\DRIVERS\asyncmac.sys

\SystemRoot\system32\drivers\kmixer.sys

\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys

\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys

\WINDOWS\system32\ntdll.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk6\DR16

Upper Device Object: 0xffffffff891f3700

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\000000a7\

Lower Device Object: 0xffffffff8ab7fac8

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

DriverEntry returned 0x0

Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk5\DR7

Upper Device Object: 0xffffffff8aac8880

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000099\

Lower Device Object: 0xffffffff8ab21030

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk4\DR6

Upper Device Object: 0xffffffff8abb8ab8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000098\

Lower Device Object: 0xffffffff8aceb770

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk3\DR5

Upper Device Object: 0xffffffff8aac43c8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000097\

Lower Device Object: 0xffffffff8aad7df8

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk2\DR4

Upper Device Object: 0xffffffff8aa77ab8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000096\

Lower Device Object: 0xffffffff8ab0dea0

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xffffffff8b148ab8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP1T1L0-20\

Lower Device Object: 0xffffffff8b159b00

Lower Device Driver Name: \Driver\atapi\

Driver name found: atapi

DriverEntry returned 0x0

Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xffffffff8b14eab8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP1T0L0-18\

Lower Device Object: 0xffffffff8b15b940

Lower Device Driver Name: \Driver\atapi\

Driver name found: atapi

Downloaded database version: v2012.12.23.04

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 1

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xffffffff8b14eab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff8b180b50, DeviceName: Unknown, DriverName: \Driver\snapman\

DevicePointer: 0xffffffff8b165e08, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff8b14eab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff8b1a2350, DeviceName: \Device\00000086\, DriverName: \Driver\ACPI\

DevicePointer: 0xffffffff8b15b940, DeviceName: \Device\Ide\IdeDeviceP1T0L0-18\, DriverName: \Driver\atapi\

------------ End ----------

Upper DeviceData: 0xffffffffe3ebc2a8, 0xffffffff8b14eab8, 0xffffffff890c3ab8

Lower DeviceData: 0xffffffffe590e7e8, 0xffffffff8b15b940, 0xffffffff89e64a30

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\WINDOWS\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 21BD1630

Partition information:

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 63 Numsec = 390716802

Partition file system is NTFS

Partition is bootable

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 200049647616 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-390701968-390721968)...

Physical Sector Size: 512

Drive: 1, DevicePointer: 0xffffffff8b148ab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff8b175d90, DeviceName: Unknown, DriverName: \Driver\snapman\

DevicePointer: 0xffffffff8b15db88, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff8b148ab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff8b167158, DeviceName: \Device\00000087\, DriverName: \Driver\ACPI\

DevicePointer: 0xffffffff8b159b00, DeviceName: \Device\Ide\IdeDeviceP1T1L0-20\, DriverName: \Driver\atapi\

------------ End ----------

Upper DeviceData: 0xffffffffe4554368, 0xffffffff8b148ab8, 0xffffffff89037ab8

Lower DeviceData: 0xffffffffe178a4b8, 0xffffffff8b159b00, 0xffffffff89d30040

Drive 1

Scanning MBR on drive 1...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: CAAFDAB4

Partition information:

Partition 0 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 63 Numsec = 320159322

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 163928604672 bytes

Sector size: 512 bytes

Physical Sector Size: 0

Drive: 2, DevicePointer: 0xffffffff8aa77ab8, DeviceName: \Device\Harddisk2\DR4\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff8aa95020, DeviceName: Unknown, DriverName: \Driver\snapman\

DevicePointer: 0xffffffff8ac291c8, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff8aa77ab8, DeviceName: \Device\Harddisk2\DR4\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff8ab0dea0, DeviceName: \Device\00000096\, DriverName: \Driver\USBSTOR\

------------ End ----------

Physical Sector Size: 0

Drive: 3, DevicePointer: 0xffffffff8aac43c8, DeviceName: \Device\Harddisk3\DR5\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff8ab4c8d8, DeviceName: Unknown, DriverName: \Driver\snapman\

DevicePointer: 0xffffffff8ac382e8, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff8aac43c8, DeviceName: \Device\Harddisk3\DR5\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff8aad7df8, DeviceName: \Device\00000097\, DriverName: \Driver\USBSTOR\

------------ End ----------

Physical Sector Size: 0

Drive: 4, DevicePointer: 0xffffffff8abb8ab8, DeviceName: \Device\Harddisk4\DR6\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff8ac58a38, DeviceName: Unknown, DriverName: \Driver\snapman\

DevicePointer: 0xffffffff8adda020, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff8abb8ab8, DeviceName: \Device\Harddisk4\DR6\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff8aceb770, DeviceName: \Device\00000098\, DriverName: \Driver\USBSTOR\

------------ End ----------

Physical Sector Size: 0

Drive: 5, DevicePointer: 0xffffffff8aac8880, DeviceName: \Device\Harddisk5\DR7\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff8aacf568, DeviceName: Unknown, DriverName: \Driver\snapman\

DevicePointer: 0xffffffff8aae23b8, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff8aac8880, DeviceName: \Device\Harddisk5\DR7\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff8ab21030, DeviceName: \Device\00000099\, DriverName: \Driver\USBSTOR\

------------ End ----------

Physical Sector Size: 0

Drive: 6, DevicePointer: 0xffffffff891f3700, DeviceName: \Device\Harddisk6\DR16\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff8ab0a688, DeviceName: Unknown, DriverName: \Driver\snapman\

DevicePointer: 0xffffffff8ac4eca8, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff891f3700, DeviceName: \Device\Harddisk6\DR16\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff8ab7fac8, DeviceName: \Device\000000a7\, DriverName: \Driver\USBSTOR\

------------ End ----------

Done!

Performing system, memory and registry scan...

Read File: File "C:\downloads\adsapi_3.swf" is sparse (flags = 32768)

Read File: File "C:\WINDOWS\system32\oobe\migip.dun" is compressed (flags = 1)

Read File: File "C:\WINDOWS\system32\oobe\obeip.dun" is compressed (flags = 1)

Read File: File "C:\WINDOWS\system32\oobe\oobeinfo.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\ODBC.INI" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\dao\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\ipdmctrl\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.InfoPath.Permission\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Access\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Excel\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.InfoPath\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.InfoPath.SemiTrust\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.InfoPath.Xml\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Publisher\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.OneNote\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Outlook\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.OutlookViewCtl\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Publisher\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Access\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Excel\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.InfoPath\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.InfoPath.Xml\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Outlook\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.OutlookViewCtl\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)

Read File: File "C:\WINDOWS\Help\ciadmin.htm" is compressed (flags = 1)

Read File: File "C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\cons5cWebUpdate2dWin2k.ico0.ico" is compressed (flags = 1)

Read File: File "C:\WINDOWS\Web\bullet.gif" is compressed (flags = 1)

Infected: HKCU\SOFTWARE\CROSSRIDER|215AppVerifier --> [Adware.GamePlayLab]

Infected: HKCU\SOFTWARE\CROSSRIDER --> [Adware.GamePlayLab]

Done!

Scan finished

=======================================

unquote

Thanks

Darren


Proceed forth and do the following.

Download TFC by OldTimer to your desktop.

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".

Step 2

Please download Junkware Removal Tool to your Desktop.

  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click JRT.exe and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply. And tell me, How is the system now?
  • Re-enable your security software.

Step 3

  • Download & SAVE to your Desktop >> Tigzy's RogueKiller from here << or
    >> from here <<
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished".
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Do NOT press any Fix button.
  • Exit/Close RogueKiller.


Hi Maurice.

TFC hung my machine. I had to do a soft reboot.

Also I forgot to turn off antivirus for JRT so I ran it again with AV disabled. Both logs here:

Quote

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 4.2.4 (12.21.2012:3)

OS: Microsoft Windows XP x86

Ran by DD on 23/12/2012 at 20:27:01.43

Blog: http://thisisudax.blogspot.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_current_user\software\conduit

Successfully deleted: [Registry Key] hkey_local_machine\software\conduit

Successfully deleted: [Registry Key] hkey_current_user\software\cr_installer

Successfully deleted: [Registry Key] hkey_current_user\software\crossrider

Successfully deleted: [Registry Key] hkey_current_user\software\datamngr

Successfully deleted: [Registry Key] hkey_current_user\software\pricegong

Successfully deleted: [Registry Key] hkey_current_user\software\smartbar

Successfully deleted: [Registry Key] hkey_current_user\software\softonic

Successfully deleted: [Registry Key] hkey_local_machine\software\winamp toolbar

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\imside1egate.application.1

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\winamptbserver.aoltoolbarhelper

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\winamptbserver.aoltoolbarhelper.1

Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT2504091

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{25cee8ec-5730-41bc-8b58-22ddc8ab8c20}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{3c471948-f874-49f5-b338-4f214a2ee0b1}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{9afb8248-617f-460d-9366-d71cdeda3179}

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{9bb47c17-9c68-4bb3-b188-dd9af0fd21}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{9bb47c17-9c68-4bb3-b188-dd9af0fd21}

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\blekko toolbars"

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\boost_interprocess"

Successfully deleted: [Folder] "C:\Documents and Settings\DD\Application Data\adawaretb"

Successfully deleted: [Folder] "C:\Documents and Settings\DD\Application Data\imeshbandmltbpi"

Successfully deleted: [Folder] "C:\Documents and Settings\DD\Application Data\opencandy"

Successfully deleted: [Folder] "C:\Documents and Settings\DD\Application Data\pricegong"

Successfully deleted: [Folder] "C:\Documents and Settings\DD\appdata\locallow\datamngr"

Successfully deleted: [Folder] "C:\Documents and Settings\DD\Local Settings\Application Data\adawarebp"

Successfully deleted: [Folder] "C:\Documents and Settings\DD\Local Settings\Application Data\conduit"

Successfully deleted: [Folder] "C:\Documents and Settings\DD\Local Settings\Application Data\zynga"

Successfully deleted: [Folder] "C:\Program Files\adawaretb"

Successfully deleted: [Folder] "C:\Program Files\conduit"

Successfully deleted: [Folder] "C:\Program Files\red kawa"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on 23/12/2012 at 23:02:51.90

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

unquote

quote

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 4.2.4 (12.21.2012:3)

OS: Microsoft Windows XP x86

Ran by DD on 24/12/2012 at 1:04:03.01

Blog: http://thisisudax.blogspot.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\DD\Local Settings\Application Data\adawarebp"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on 24/12/2012 at 2:06:20.40

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Unquote

Here is the log for rogue killer:

Quote

RogueKiller V8.4.0 [Dec 20 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : DD [Admin rights]

Mode : Scan -- Date : 12/24/2012 08:09:25

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤

[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[122] : NtOpenProcess @ 0x805C1462 -> HOOKED (\??\C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys @ 0xBA481470)

SSDT[257] : NtTerminateProcess @ 0x805C86EA -> HOOKED (\??\C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys @ 0xBA481520)

SSDT[258] : NtTerminateThread @ 0x805C88E4 -> HOOKED (\??\C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys @ 0xBA4815C0)

SSDT[277] : NtWriteVirtualMemory @ 0x805A99CE -> HOOKED (\??\C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys @ 0xBA481660)

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: HDT722520DLAT80 +++++

--- User ---

[MBR] 0787932ab047e4a75ad0423289f93279

[bSP] ebf281a301eec92c763a66271be548b6 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 190779 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: Maxtor 6Y160P0 +++++

--- User ---

[MBR] a8e0340d26ff52bb289e018e1b067e98

[bSP] 02d40f6008e51ada79ba723727733eac : Windows XP MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 156327 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_12242012_02d0809.txt >>

RKreport[1]_S_12242012_02d0809.txt

unquote

Thank you.

Darren

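An added example, not part of this thread and not RogueKiller's own code: a small Python triage helper that parses the two report sections Darren posted above (the [HJPOL]/[HJ DESK] registry entries and the SSDT hook lines) and sorts them by how much attention they deserve. The sample lines are copied from the posted report; the allow-list of directories whose drivers are expected to hook the SSDT (here the Virgin Media Security install seen in the logs) and the severity labels are assumptions made for the example, not RogueKiller's own verdicts.

```python
"""Triage helper for RogueKiller-style report lines (added example, not RogueKiller's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: these lines are copied from the RogueKiller report quoted in the thread.
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 3 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[122] : NtOpenProcess @ 0x805C1462 -> HOOKED (\??\C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys @ 0xBA481470)
SSDT[257] : NtTerminateProcess @ 0x805C86EA -> HOOKED (\??\C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys @ 0xBA481520)
SSDT[258] : NtTerminateThread @ 0x805C88E4 -> HOOKED (\??\C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys @ 0xBA4815C0)
SSDT[277] : NtWriteVirtualMemory @ 0x805A99CE -> HOOKED (\??\C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys @ 0xBA481660)
"""

# Assumption for the example: an operator-maintained allow-list of install directories
# whose kernel drivers are expected to hook the SSDT on this machine (the AVG-based
# Virgin Media Security product seen in the posted logs). Compared case-insensitively.
TRUSTED_HOOK_DIRS = (
    r"c:\program files\virgin media\security",
)

# Policy values that, when non-zero, lock the user out of a tool needed to inspect the PC.
RESTRICTIVE_POLICIES = {"DisableTaskMgr", "DisableRegistryTools"}

# "[TAG] <key> : <name> (<value>) -> <status>"
POLICY_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?P<key>\S+)\s+:\s+(?P<name>\S+)\s+\((?P<value>[^)]*)\)\s+->\s+(?P<status>\w+)\s*$"
)
# "SSDT[<index>] : <func> @ <addr> -> HOOKED (<module> @ <hook_addr>)"
SSDT_RE = re.compile(
    r"^SSDT\[(?P<index>\d+)\]\s+:\s+(?P<func>\w+)\s+@\s+(?P<addr>0x[0-9A-Fa-f]+)\s+->\s+HOOKED\s+"
    r"\((?P<module>.+?)\s+@\s+(?P<hook_addr>0x[0-9A-Fa-f]+)\)\s*$"
)


@dataclass
class Finding:
    severity: str  # "info", "review" or "high"
    kind: str      # "policy" or "ssdt"
    detail: str


def _strip_nt_prefix(path: str) -> str:
    # RogueKiller prints NT-style paths such as \??\C:\...; drop the \??\ prefix.
    return path[4:] if path.startswith("\\??\\") else path


def parse_report(text: str) -> Dict[str, List[dict]]:
    """Extract registry-policy entries and SSDT hook entries from report text."""
    policies, hooks = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            d = m.groupdict()
            d["value"] = int(d["value"]) if d["value"].isdigit() else d["value"]
            policies.append(d)
            continue
        m = SSDT_RE.match(line)
        if m:
            d = m.groupdict()
            d["index"] = int(d["index"])
            d["module"] = _strip_nt_prefix(d["module"])
            hooks.append(d)
    return {"policies": policies, "hooks": hooks}


def triage(report: Dict[str, List[dict]]) -> List[Finding]:
    """Assign a severity to each parsed entry (severity scheme is this example's own)."""
    findings: List[Finding] = []
    for p in report["policies"]:
        if p["name"] in RESTRICTIVE_POLICIES:
            if p["value"] == 0:
                # Value present but 0: the restriction is not in effect.
                findings.append(Finding("info", "policy", f'{p["name"]} present but 0: not enforced'))
            else:
                findings.append(Finding("high", "policy", f'{p["name"]}={p["value"]}: user locked out'))
        else:
            findings.append(Finding("review", "policy", f'{p["tag"]} {p["key"]} {p["name"]}={p["value"]}'))
    for h in report["hooks"]:
        trusted = any(h["module"].lower().startswith(d) for d in TRUSTED_HOOK_DIRS)
        # A hook from an allow-listed security product is expected; anything else needs a look.
        findings.append(Finding("info" if trusted else "review", "ssdt", f'{h["func"]} hooked by {h["module"]}'))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts = {"info": 0, "review": 0, "high": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(parse_report(SAMPLE_REPORT)):
        print(f"{f.severity:6} {f.kind:6} {f.detail}")
```

Policy values such as DisableTaskMgr only lock the user out when they are non-zero; the report above shows them at 0, which is why RogueKiller lists them but the helper marks them informational. SSDT hooks placed by a security product's own driver are normal on XP; the allow-list exists so that a hook from any other module stands out for a file-publisher check rather than being lost among expected entries.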

Hello Darren,

Do this next.

Logoff and Restart the system fresh.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

If you have a prior copy of Combofix, delete it now !

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages.

It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on the speed of your system, how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first that the notebook is connected to wall-power (AC power).

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on Combo-Fix.exe, accept the EULA & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

Notes:

[1] IF after Combofix reboot you get the message

Illegal operation attempted on registry key that has been marked for deletion

...please reboot the computer; this should resolve the problem. You may have to reboot the PC a second time if needed.

[2] Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

[3] When all done, IF Combofix did not do a Restart... then... I need for you to Restart the system fresh!

Reply & Copy / Paste the contents of the C:\Combofix.txt log and tell me: how is the system now?

RE-Enable your AntiVirus and AntiSpyware applications.


Hi Maurice.

PC has been running better with each process, but even after combofix I have 15 blocked packets to my cable provider just in the time taken to reboot.

Whole machine seems less laggy though. i.e. isn't dropping connection as often as it was. Here's the Log:

Quote:

ComboFix 12-12-23.01 - DD 24/12/2012 14:41:56.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3071.2159 [GMT 0:00]

Running from: c:\documents and settings\DD\Desktop\Combo-Fix.exe

AV: Virgin Media Security Anti-Virus *Disabled/Updated* {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}

FW: Virgin Media Security Firewall *Disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\310

c:\documents and settings\All Users\Application Data\310\{3A5F604F-17E3-44A3-BE4F-ACEBA5BB514F}.swf

c:\documents and settings\All Users\Application Data\hpe3C.dll

c:\documents and settings\All Users\Application Data\TEMP

c:\windows\system32\SET58.tmp

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\regtlib.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-11-24 to 2012-12-24 )))))))))))))))))))))))))))))))

.

.

2012-12-24 14:07 . 2012-12-24 14:10 -------- d-----w- c:\documents and settings\DD\Local Settings\Application Data\adawarebp

2012-12-23 20:26 . 2012-12-23 20:26 -------- d-----w- c:\windows\ERUNT

2012-12-23 20:26 . 2012-12-24 01:03 -------- d-----w- C:\JRT

2012-12-22 17:14 . 2012-12-22 19:10 -------- d-----w- c:\documents and settings\DD\Doctor Web

2012-12-22 11:06 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{B9533F0D-1BBB-4755-855A-57D6FC09D0FB}\mpengine.dll

2012-12-21 19:18 . 2012-12-21 19:18 -------- d-----w- c:\program files\ERUNT

2012-12-16 23:20 . 2012-12-17 06:43 33616 ----a-w- c:\windows\system32\drivers\gfiark.sys

2012-12-16 21:28 . 2012-12-16 21:28 -------- d-----w- c:\documents and settings\DD\Application Data\LavasoftStatistics

2012-12-16 21:12 . 2012-12-16 21:12 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys

2012-12-16 21:11 . 2012-12-16 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection

2012-12-16 21:11 . 2012-12-16 21:11 -------- d-----w- c:\program files\Toolbar Cleaner

2012-12-16 21:02 . 2012-12-16 21:02 -------- d-----w- c:\documents and settings\DD\Application Data\Malwarebytes

2012-12-16 21:02 . 2012-12-18 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-12-16 21:02 . 2012-12-16 21:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-12-16 21:02 . 2012-09-29 19:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-12-16 20:29 . 2012-12-16 20:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro

2012-12-16 20:19 . 2012-12-16 20:19 -------- d-----w- c:\program files\WinPcap

2012-12-09 18:23 . 2012-12-09 18:23 -------- d-----w- c:\program files\Common Files\Java

2012-12-09 18:22 . 2012-12-09 18:22 -------- d-----w- c:\documents and settings\DD\Local Settings\Application Data\Sun

2012-12-09 18:18 . 2012-12-09 18:18 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-12-08 14:12 . 2012-12-08 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2012-12-03 18:13 . 2012-12-16 20:18 -------- d-----w- C:\downloads

2012-12-02 19:15 . 2012-12-02 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-16 12:23 . 2004-08-04 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll

2012-12-14 11:41 . 2012-04-02 08:52 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-12-14 11:41 . 2011-07-10 06:47 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-12-09 18:18 . 2012-06-21 17:22 143872 ----a-w- c:\windows\system32\javacpl.cpl

2012-12-09 18:18 . 2012-06-21 17:22 821736 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-12-09 18:18 . 2010-05-01 07:42 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-11-13 01:25 . 2004-08-04 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys

2012-11-08 18:00 . 2009-04-06 09:17 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2012-11-02 02:02 . 2004-08-04 12:00 375296 ----a-w- c:\windows\system32\dpnet.dll

2012-11-01 12:17 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll

2012-11-01 12:17 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2012-11-01 12:17 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-11-01 00:35 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec

2012-10-25 03:12 . 2012-10-25 03:12 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2012-10-25 03:12 . 2012-10-25 03:12 69632 ----a-w- c:\windows\system32\QuickTime.qts

2012-10-02 18:04 . 2004-08-04 12:00 58368 ----a-w- c:\windows\system32\synceng.dll

2012-09-28 10:32 . 2009-03-13 21:15 5989776 ----a-w- c:\windows\system32\usbaaplrc.dll

2012-09-28 10:32 . 2008-10-20 19:16 44544 ----a-w- c:\windows\system32\drivers\usbaapl.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2012-01-20 719672]

"Spotify Web Helper"="c:\program files\Spotify\Data\SpotifyWebHelper.exe" [2012-10-30 1199576]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

"EPSON Stylus Photo RX700 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9IA.EXE" [2004-11-10 98304]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-06-01 1501064]

"ServiceManager.exe"="c:\program files\Virgin Media\Service Manager\ServiceManager.exe" [2011-03-25 4371768]

"DHSClient.exe"="c:\program files\Virgin Media\Digital Home Support\DHSClient.exe" [2011-03-23 2032952]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-07-11 74752]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-11-29 151952]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

"Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]

"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2012-11-16 542104]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-21 519584]

.

c:\documents and settings\DD\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HsdService]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2012-07-30 14:02 640480 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]

2012-07-31 03:19 41944 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2012-07-11 11:00 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2012-07-31 11:20 38872 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]

2010-03-06 02:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]

2012-04-03 15:05 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]

2010-02-22 03:57 406992 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]

2012-11-28 14:13 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Deskjet 3050A J611 series (NET)]

2011-06-08 17:15 1804648 ----a-w- c:\program files\HP\HP Deskjet 3050A J611 series\Bin\ScanToPCActivationApp.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTC Sync Loader]

2012-04-17 14:05 651264 ----a-w- c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2012-11-29 00:49 151952 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-09-06 14:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]

2010-02-19 13:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=

"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=

"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"c:\\Program Files\\Virgin Media\\Service Manager\\ServicepointService.exe"=

"c:\\Program Files\\Winamp\\winamp.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\BitComet\\BitComet.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"17469:TCP"= 17469:TCP:*:Disabled:BitComet 17469 TCP

"17469:UDP"= 17469:UDP:*:Disabled:BitComet 17469 UDP

"19870:TCP"= 19870:TCP:*:Disabled:BitComet 19870 TCP(ED2K)

"19870:UDP"= 19870:UDP:*:Disabled:BitComet 19870 UDP(ED2K)

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server

"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server

"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

"2900:UDP"= 2900:UDP:*:Disabled:lotro

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

"22665:TCP"= 22665:TCP:BitComet 22665 TCP

"22665:UDP"= 22665:UDP:BitComet 22665 UDP

.

R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [16/12/2012 21:12 13560]

R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [21/02/2010 17:09 25608]

R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [31/08/2011 08:12 14776]

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [12/09/2007 15:49 77312]

R1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [11/12/2011 21:25 146904]

R2 FortiSslvpnDaemon;FortiClient SSLVPN;c:\windows\system32\FortiSSLVPNdaemon.exe [21/06/2012 16:00 944784]

R2 HsdService;HsdService;c:\program files\Virgin Media\Digital Home Support\HsdService.exe [21/04/2011 18:37 1406264]

R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [16/12/2012 21:02 399432]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [16/12/2012 21:02 676936]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [20/10/2009 18:19 50704]

R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [15/09/2011 12:06 88576]

R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [11/06/2011 19:33 632792]

R2 Radialpoint Security Services;Virgin Media Security;c:\program files\Virgin Media\Security\RpsSecurityAwareR.exe [04/01/2010 12:17 165408]

R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\bin\AVGIDSAgent.exe [21/02/2010 17:09 5832712]

R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [16/12/2012 20:19 439632]

R2 ServicepointService;ServicepointService;c:\program files\Virgin Media\Service Manager\ServicepointService.exe [21/04/2011 18:36 689464]

R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [13/12/2012 14:26 3290896]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [16/12/2012 21:02 22856]

R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [21/07/2009 16:53 36384]

R3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [21/02/2010 17:09 122376]

R3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSfilter.sys [21/02/2010 17:09 30216]

R3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [21/02/2010 17:09 25736]

R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [01/02/2010 18:24 27632]

S2 gupdate1c98629f5d80188;Google Update Service (gupdate1c98629f5d80188);c:\program files\Google\Update\GoogleUpdate.exe [03/02/2009 18:05 133104]

S2 PICOPP;Pico Technology Ltd USB Driver (picopp.sys);c:\windows\system32\drivers\picopp.sys [19/10/2010 14:56 86488]

S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/07/2012 12:28 160944]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15/08/2008 04:46 288112]

S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [16/12/2012 23:20 33616]

S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [28/01/2012 21:18 24576]

S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [22/06/2010 18:01 21248]

S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [27/07/2009 17:56 86824]

S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [27/07/2009 17:56 15016]

S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [27/07/2009 17:56 114600]

S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [27/07/2009 17:56 108328]

S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [27/07/2009 17:56 26024]

S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [27/07/2009 17:56 104616]

S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [27/07/2009 17:56 109736]

S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 13:37 517096]

S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [03/02/2008 20:06 87824]

S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [03/02/2008 20:06 85696]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - A69FAF40

*NewlyCreated* - WS2IFSL

*Deregistered* - a69faf40

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bdx REG_MULTI_SZ scan sysagent

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-24 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 11:41]

.

2012-12-24 c:\windows\Tasks\AdobeAAMUpdater-1.0-USER-37C925CB84-DD.job

- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2012-05-23 02:44]

.

2012-12-24 c:\windows\Tasks\AdobeAAMUpdater-1.0-USER-37C925CB84-user.job

- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2012-05-23 02:44]

.

2012-12-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]

.

2012-12-24 c:\windows\Tasks\At1.job

- c:\program files\HP\HP Deskjet 3050A J611 series\Bin\HPCustPartic.exe [2011-06-08 17:06]

.

2012-12-23 c:\windows\Tasks\At2.job

- c:\program files\HP\HP Deskjet 3050A J611 series\Bin\HPCustPartic.exe [2011-06-08 17:06]

.

2012-12-23 c:\windows\Tasks\At3.job

- c:\program files\HP\HP Deskjet 3050A J611 series\Bin\HPCustPartic.exe [2011-06-08 17:06]

.

2012-12-24 c:\windows\Tasks\At4.job

- c:\program files\HP\HP Deskjet 3050A J611 series\Bin\HPCustPartic.exe [2011-06-08 17:06]

.

2012-12-24 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-14 16:16]

.

2012-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 18:05]

.

2012-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 18:05]

.

2012-12-24 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

.

2012-12-23 c:\windows\Tasks\RMSchedule.job

- c:\program files\Registry Mechanic\RegMech.exe [2011-06-11 09:02]

.

2012-12-24 c:\windows\Tasks\SmartDefrag_Startup.job

- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-08-07 09:35]

.

2012-12-24 c:\windows\Tasks\User_Feed_Synchronization-{1BF0E9DE-F4EE-4AB7-9CE9-20580EFA95FD}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]

.

2012-12-24 c:\windows\Tasks\User_Feed_Synchronization-{A184B797-9714-4DFC-8FED-AE9022ACA55C}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://news.bbc.co.uk/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm

IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm

IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 194.168.4.100 194.168.8.100

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{7b13ec3e-999a-4b70-b9cb-2617b8323822} - (no file)

Toolbar-Locked - (no file)

Toolbar-10 - (no file)

WebBrowser-{A057A204-BACC-4D26-CFC3-3CECC9AB2EDA} - (no file)

WebBrowser-{7B13EC3E-999A-4B70-B9CB-2617B8323822} - (no file)

AddRemove-Videora iPod touch Converter - c:\program files\Red Kawa\Video Converter App\uninstaller.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-12-24 15:03

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]

"Version"=hex:2f,f8,31,ed,47,1d,ee,0c,4c,a0,16,22,26,3b,f6,1a,97,e1,2b,cc,92,

a3,07,9d,74,00,83,1f,e6,07,81,22,86,e2,e2,c3,97,43,01,4f,b7,ca,d4,ef,8f,aa,\

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]

@="?????????????????? v1"

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]

@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]

@="?????????????????? v2"

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]

@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]

"value"="?\09\06\18\0c(/?"

.

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]

"Version"=hex:28,0c,ee,9d,ee,79,58,e0,da,57,3f,fb,35,bf,7b,c5,36,0c,af,b1,59,

c6,01,6b,7b,3f,65,9a,45,07,8b,99,3a,ca,9c,25,56,c7,cf,db,c2,69,27,02,2f,9c,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1308)

c:\windows\system32\Ati2evxx.dll

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

.

- - - - - - - > 'lsass.exe'(1364)

c:\windows\system32\relog_ap.dll

.

- - - - - - - > 'explorer.exe'(4324)

c:\windows\system32\WININET.dll

c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll

c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll

c:\program files\Common Files\Ahead\Lib\MFC71U.DLL

c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Virgin Media\Security\Fws.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Virgin Media\Security\rps.exe

c:\windows\system32\netdde.exe

c:\program files\Common Files\Acronis\Schedule2\schedul2.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\SOUNDMAN.EXE

c:\program files\Microsoft IntelliType Pro\dpupdchk.exe

c:\program files\Java\jre7\bin\jqs.exe

c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

c:\windows\system32\pctspk.exe

c:\windows\system32\locator.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Virgin Media\Service Manager\ServiceManagerComHandler.exe

.

**************************************************************************

.

Completion time: 2012-12-24 15:14:50 - machine was rebooted

ComboFix-quarantined-files.txt 2012-12-24 15:14

.

Pre-Run: 21,734,678,528 bytes free

Post-Run: 24,166,957,056 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

[spybotsd]

timeout.old=0

.

- - End Of File - - F62AF81709EF3A633D44E805A549195D

unquote

Thanks again.


Save and close any work documents, close any apps that you started.

Temporarily turn off (disable) your antivirus program

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a Full Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

When all done, Copy & paste the MBAM scan log into a new reply.

Tell me, How is the system ?

Re-enable your antivirus program.


Hi Maurice.

No threats detected.

Here's the logfile

quote:

Malwarebytes Anti-Malware (Trial) 1.65.1.1000

www.malwarebytes.org

Database version: v2012.12.24.06

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

DD :: KITCHENPC [administrator]

Protection: Enabled

24/12/2012 17:19:14

mbam-log-2012-12-24 (17-19-14).txt

Scan type: Full scan (C:\|F:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 591805

Time elapsed: 3 hour(s), 43 minute(s), 33 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

unquote.

Cheers

and Merry Christmas


Excellent result from MBAM. We are nearly ready to wrap this up.

There's a few utilities you need to get current.

To de-install Flash Player

Use Programs and Features (Windows 7 & Vista) or Add-or-Remove Programs (Windows XP) to de-install older versions of Flash Player.

For stubborn cases,

Download and save the Flash Player uninstaller >> uninstall Flash Player for 32-bit Windows<<

If you have Windows 64-bit, use this Flash Player uninstaller >> uninstall Flash Player for 64-bit Windows<<

Close all browsers and instant messenger (IM) programs.

Run the uninstaller.

To get latest Flash Player

Go to http://www.adobe.com/go/getflash

and get the latest Flash Player

Un-Check any checkbox for Google Chrome, or McAfee Security Scan Plus, or any other widget or toolbar or add-on!!!

Reference: How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system

http://support.microsoft.com/kb/827218

Adobe Reader

Older versions of Adobe Reader pose a potential security risk.

De-install your Adobe Reader: Use Control Panel's Add-or-Remove Programs, Un-install Adobe Reader.

Get latest Adobe Reader version

http://get.adobe.com/reader/

Be sure to un-check the box for Free McAfee Security Scan or any "toolbar" (if offered )

Your Java runtime is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Accept the EULA & Download the latest version of >> Windows Offline << from here and save it to your desktop.
  • Get the Offline version that corresponds to your "bit-tedness" of your Windows (32-bit or 64-bit)
    How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system
  • Close any programs you may have running - especially your web browser(s).
  • Go to Start > Settings > Control Panel, select Programs and Features and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u10-windows-i586.exe to install the newest version.
    ( jre-7u10-windows-x64.exe if this is a 64-bit Windows o.s.)

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon (looks like a coffee cup).
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH checked:
      • Applications and Applets
      • Trace and Log Files
    • Click OK on the Delete Temporary Files window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files window.

Small tweaks for Java runtime, since almost all users do not need to load Java at each Windows startup:

Click Advanced Tab. Expand the Miscellaneous item.

UN-check the line Java quick starter

Press Apply then OK. Close the applet when done.

Here are some recommended articles on "Slow System Issues":

What to do if your Computer is running slowly

http://www.malwareremoval.com/tutorials/runningslowly.php

See Quietman7's Slow Computer/browser? Check Here First

http://www.bleepingcomputer.com/forums/topic87058.html

See Miekiemoes' Help! My computer is slow!

http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Slow Computer/Browser: Check here first!

http://www.bleepingcomputer.com/forums/topic44694.html



I see that you are clear of your original issues. You are good to go after the following cleanups. Let me know after you have completed these cleanups.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it Combo-Fix), put that name in the RUN box stated just below.

The "/uninstall" in the Run line below is to start Combofix for its cleanup & removal function.

Note the space after exe and before the slash mark.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Click Start, then click Run.
    In the text box that opens, type or copy/paste
    c:\documents and settings\DD\Desktop\Combo-Fix.exe /uninstall
    and then click OK.

IF in the case Combofix un-install has an issue, skip that step.

  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

ERUNT you should keep and use on a periodic basis to backup Windows registry.

Delete the following if still present:

SecurityCheck.exe

DrWeb Cure-It

MBAR

JRT.exe

RogueKiller.exe

Safer practices & malware prevention

We are finished here. Best regards.


Hi Maurice

Thanks for all the help.

I tried all your suggestions; issues included:

Your download links for the installers did not work.

Adobe flash installer did not work from their webpage. I got the black and yellow zebra striped bar saying initialising installation, then it disappeared after a few seconds and no install box appeared. I had to use their direct download link in their troubleshooter section.

Couldn't uninstall Combo-Fix as instructed. Run dialogue box kept saying can't find file - seemed not to recognise the space between 'Documents and Settings', kept saying file 'documents cannot be found'. OTC seemed to do the job.

Deleted MBAR and JRT etc. What about TFC.exe?

I have a router / modem combined in one unit. (virgin media super hub)

AV already checks updates daily and runs scan daily.

Windows auto updates is already set. No high priority updates available at this time.

Secunia scan undertaken. Winamp and Flash player highlighted. Again flash player did not want to install, had to download file to desktop and install from there.

I eventually realised that dropped packets (incoming) from strange domains were the result of BitComet P2P software. All dropped packets (outgoing) were to my Cable provider.

Many many thanks.

Merry Christmas and a prosperous New Year.

:)

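The post above settles the "dropped packets to unknown addresses" question by sorting the firewall entries by direction: inbound drops were retries from BitComet peers, outbound drops went to the cable provider. The Python script below is added here as an illustration of that triage and is not code from the thread or from any tool it names. The log line shape and every address in SAMPLE_LOG are constructed for the example (remote hosts use RFC 5737 documentation ranges); the two DNS resolver addresses are the ones the ComboFix log above reports under TCP: DhcpNameServer.

```python
"""Sort firewall DROP lines into buckets before drawing conclusions.

Added example, not from the thread. The line format is constructed; real
firewall exports differ and LINE_RE would need adjusting to match them.
"""
import re
from collections import Counter

# DNS resolvers handed out by DHCP, as reported in the ComboFix log above.
KNOWN_DNS = {"194.168.4.100", "194.168.8.100"}

# Constructed line shape:
#   "<date> <time> DROP <IN|OUT> <proto> <src>:<port> -> <dst>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DROP (?P<direction>IN|OUT) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: a home PC (192.168.0.10) whose P2P client used to
# listen on 16881. Remote addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2012-12-20 22:01:03 DROP IN TCP 203.0.113.45:51234 -> 192.168.0.10:16881
2012-12-20 22:01:04 DROP IN UDP 198.51.100.7:6881 -> 192.168.0.10:16881
2012-12-20 22:01:05 DROP OUT UDP 192.168.0.10:53211 -> 194.168.4.100:53
2012-12-20 22:01:06 DROP IN TCP 203.0.113.45:51235 -> 192.168.0.10:16881
2012-12-20 22:01:07 DROP OUT TCP 192.168.0.10:1055 -> 192.0.2.9:80
this line is deliberately malformed and must be counted, not crash the run
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def classify(ev, known_dns=KNOWN_DNS):
    """Bucket one dropped packet by what it most plausibly is."""
    if ev["direction"] == "IN":
        # Unsolicited inbound traffic is the firewall doing its job; peers of
        # a P2P client keep retrying a port long after the client has closed.
        return "inbound-unsolicited"
    if ev["dst"] in known_dns and ev["dport"] == 53:
        # Outbound DNS to the ISP resolvers is expected traffic; dropping it
        # points at a firewall rule, not at an infection.
        return "outbound-to-known-dns"
    return "outbound-other"


def triage(log_text, known_dns=KNOWN_DNS):
    """Summarise a log: per-bucket counts, remote endpoints per bucket,
    local ports hit by inbound drops, and how many lines did not parse."""
    counts = Counter()
    remotes = {}
    inbound_ports = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        bucket = classify(ev, known_dns)
        counts[bucket] += 1
        remote = ev["src"] if ev["direction"] == "IN" else ev["dst"]
        remotes.setdefault(bucket, Counter())[remote] += 1
        if ev["direction"] == "IN":
            inbound_ports[ev["dport"]] += 1
    return {
        "counts": dict(counts),
        "remotes": {k: dict(v) for k, v in remotes.items()},
        "inbound_ports": dict(inbound_ports),
        "unparsed": unparsed,
    }


def suspected_listener_ports(summary, min_hits=2):
    """Local ports that several inbound drops target: a former listener
    (here the P2P port) rather than random background noise."""
    return sorted(p for p, n in summary["inbound_ports"].items() if n >= min_hits)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket, n in sorted(result["counts"].items()):
        print(f"{bucket:24s} {n:3d}  remotes={result['remotes'][bucket]}")
    print("unparsed lines:", result["unparsed"])
    print("ports that look like a former listener:", suspected_listener_ports(result))
```

The point of the buckets is the one the poster arrived at by hand: inbound drops clustered on a single local port are the residue of a service that once accepted connections, outbound drops to the ISP's resolvers are ordinary DNS, and only the remaining outbound entries deserve a closer look.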

To put it gently, the use of peer-to-peer software is not wise, and is usually fraught with avenues for malware to come in.

Please remove those that you have.

Risks of File-Sharing Technology.

P2P file sharing: Know the risks

TFC is temporary file cleaner utility, which you may keep and use from time to time.

All the best. and Happy New Year.



  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.