Threazy Posted March 10, 2013 ID:655376 Share Posted March 10, 2013 I seemed to have acquired a bot. I keep getting messages that MBAM has "successfully blocked access to a malicious site 91.214.44.8 Type: outgoing" I purchased a Pro version of MBAM, but don't think it install successfully - I can't find any way to activate it. I ran a full system scan, found 5 objects, removed them, but am still receiving the IP-Block message. So obvious MBAM didn't get the bot. Following the instructions for DDS, here are my logs:DDS (Ver_2012-11-20.01) - NTFS_x86 Internet Explorer: 8.0.6001.18702Run by bill at 20:54:06 on 2013-03-09Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.1604 [GMT -7:00]..============== Running Processes ================.C:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files\Norton AntiVirus\Engine\20.3.0.36\ccSvcHst.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exeC:\Program Files\Norton Identity Safe\Engine\2013.3.0.26\ccSvcHst.exeC:\Program Files\Norton AntiVirus\Engine\20.3.0.36\ccSvcHst.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Nitro\Pro 8\NitroPDFDriverService8.exeC:\WINDOWS\system32\NLSSRV32.EXEC:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exeC:\Program Files\Norton Identity Safe\Engine\2013.3.0.26\ccSvcHst.exeC:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exeC:\WINDOWS\system32\wdfmgr.exeC:\Program Files\RealVNC\VNC4\WinVNC4.exeC:\WINDOWS\RTHDCPL.EXEC:\WINDOWS\SOUNDMAN.EXEC:\Program Files\Ahead\ODD Toolkit\DVDTray.exeC:\Program Files\Ahead\CyberLink\PowerDVD\PDVDServ.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\Mindjet\MindManager 6\MMReminderService.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\WINDOWS\system32\hphmon05.exeC:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exeC:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exeC:\Program Files\UltraMon\UltraMon.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exeC:\Program Files\Logitech\MouseWare\system\em_exec.exeC:\Program Files\UltraMon\UltraMonTaskbar.exeC:\Program Files\HAS\HAS.EXEC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exeC:\Program Files\Spybot\TeaTimer.exeC:\Program Files\Spotify\Data\SpotifyWebHelper.exeC:\Documents and Settings\bill\Application Data\Dropbox\bin\Dropbox.exeC:\Program Files\Microsoft Office\Office14\ONENOTEM.EXEC:\WINDOWS\system32\HPZipm12.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\System32\alg.exeC:\WINDOWS\system32\wuauclt.exeC:\Documents and Settings\bill\Local Settings\Application Data\Google\Chrome\Application\chrome.exeC:\Documents and Settings\bill\Local Settings\Application Data\Google\Chrome\Application\chrome.exeC:\Documents and Settings\bill\Local Settings\Application Data\Google\Chrome\Application\chrome.exeC:\Documents and Settings\bill\Local Settings\Application Data\Google\Chrome\Application\chrome.exeC:\Documents and Settings\bill\Local Settings\Application Data\Google\Chrome\Application\chrome.exeC:\Documents and Settings\bill\Local Settings\Application Data\Google\Chrome\Application\chrome.exeC:\Documents and Settings\bill\Local Settings\Application Data\Google\Chrome\Application\chrome.exeC:\WINDOWS\system32\SNDVOL32.EXEC:\WINDOWS\system32\wbem\wmiprvse.exeC:\WINDOWS\system32\wbem\wmiprvse.exeC:\WINDOWS\System32\svchost.exe -k netsvcsC:\WINDOWS\system32\svchost.exe -k NetworkServiceC:\WINDOWS\system32\svchost.exe -k LocalServiceC:\WINDOWS\system32\svchost.exe -k LocalServiceC:\WINDOWS\system32\svchost.exe -k imgsvc.============== Pseudo HJT Report ===============.uStart Page = about:blankuSearch Bar = hxxp://www.google.com/ieuSearch Page = hxxp://www.google.comuSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8uProxyOverride = <local>;*.localuSearchAssistant = hxxp://www.google.com/ieuSearchURL,(Default) = hxxp://www.google.com/search?q=%smSearchAssistant = hxxp://www.google.com/ieBHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dllBHO: SelectionLinksBHO Class: {300BEC06-B743-4D19-86B9-11DC711D7FFB} - BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot\SDHelper.dllBHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton antivirus\engine\20.3.0.36\ips\ipsbho.dllBHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLLBHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dllBHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dllBHO: Norton Identity Protection: {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} - c:\program files\norton identity safe\engine\2013.3.0.26\coieplg.dllBHO: CmjBrowserHelperObject Object: {AC41D38F-B56D-40AD-94E0-B493D130C959} - c:\program files\mindjet\mindmanager 6\Mm6InternetExplorer.dllBHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dllBHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLLBHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllTB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dllTB: Norton Identity Safe Toolbar: {A13C2648-91D4-4BF3-BC6D-0079707C4389} - c:\program files\norton identity safe\engine\2013.3.0.26\coieplg.dllTB: Norton Identity Safe Toolbar: {A13C2648-91D4-4bf3-BC6D-0079707C4389} - c:\program files\norton identity safe\engine\2013.3.0.26\coieplg.dllTB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dlluRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"uRun: [Google Update] "c:\documents and settings\bill\local settings\application data\google\update\GoogleUpdate.exe" /cuRun: [pdfSaver3] "c:\program files\tracker software\pdf-xchange 3\pdfsaver\pdfSaver3.exe"uRun: [HAS.exe] "c:\program files\has\HAS.EXE" -m -ruRun: [ctfmon.exe] c:\windows\system32\ctfmon.exeuRun: [spybotSD TeaTimer] c:\program files\spybot\TeaTimer.exeuRun: [AdobeBridge] <no file>mRun: [RTHDCPL] RTHDCPL.EXEmRun: [soundMan] SOUNDMAN.EXEmRun: [AlcWzrd] ALCWZRD.EXEmRun: [Alcmtr] ALCMTR.EXEmRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exemRun: [DVDTray] c:\program files\ahead\odd toolkit\DVDTray.exemRun: [RemoteControl] "c:\program files\ahead\cyberlink\powerdvd\PDVDServ.exe"mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"mRun: [MMReminderService] c:\program files\mindjet\mindmanager 6\MMReminderService.exemRun: [pdfSaver3] <no file>dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,NStartupFolder: c:\docume~1\bill\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exeStartupFolder: c:\documents and settings\bill\start menu\programs\startup\BDrive.batStartupFolder: c:\docume~1\bill\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\bill\application data\dropbox\bin\Dropbox.exeStartupFolder: c:\docume~1\bill\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXEStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exeuPolicies-Explorer: NoDriveTypeAutoRun = dword:145uPolicies-Explorer: NoSMMyPictures = dword:1mPolicies-Explorer: NoDriveTypeAutoRun = dword:145mPolicies-Explorer: ForceClassicControlPanel = dword:1mPolicies-Explorer: NoSMMyPictures = dword:1mPolicies-Explorer: StartMenuLogoff = dword:1IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000IE: Edit with Altova X&MLSpy - c:\program files\altova\xmlspy2007\spy.htmIE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105IE: {2222EF56-F49E-4d07-A14E-8D2B08766958} - c:\program files\altova\xmlspy2007\spy.htmIE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dllIE: {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - {AC41D38F-B56D-40AD-94E0-B493D130C959} - c:\program files\mindjet\mindmanager 6\Mm6InternetExplorer.dllIE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dllIE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot\SDHelper.dllIE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeDPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CABDPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cabDPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cabDPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cabDPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229314640875DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cabDPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=26688DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cabDPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cabDPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cabDPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cabDPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://attwm.webex.com/client/T25L10NSP41EP15-attwm/webex/ieatgpc.cabDPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://secure.bah.com/dana-cached/setup/JuniperSetupSP1.cabTCP: NameServer = 192.168.1.1TCP: Interfaces\{D9E0FF09-DF24-4C02-AA41-DF5350AD26A0} : DHCPNameServer = 192.168.1.1Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLLHandler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dllHandler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dllNotify: RDM+ - c:\program files\rdm\notify.dllSEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL.================= FIREFOX ===================.FF - ProfilePath - c:\documents and settings\bill\application data\mozilla\firefox\profiles\usj6jgm7.default\FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\ipsffplgn\components\IPSFFPl.dllFF - plugin: c:\documents and settings\bill\local settings\application data\google\update\1.3.21.135\npGoogleUpdate3.dllFF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLLFF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLLFF - plugin: c:\program files\amazon\mp3 downloader\npAmazonMP3DownloaderPlugin10171.dllFF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dllFF - plugin: c:\program files\emusic download manager\plugin\npemusic.dllFF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dllFF - plugin: c:\program files\nitro\pro 8\npdf.dllFF - plugin: c:\program files\nitro\pro 8\npnitroie.dllFF - plugin: c:\program files\nitro\pro 8\npnitromozilla.dllFF - plugin: c:\program files\nitro\pro 8\NPShellExtension.dllFF - plugin: c:\program files\research in motion limited\blackberry app world browser plugin\npappworld.dllFF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_171.dllFF - ExtSQL: !HIDDEN! 2010-02-12 03:05; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension.---- FIREFOX POLICIES ----user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);============= SERVICES / DRIVERS ===============.R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1403000.024\symds.sys [2013-2-26 367704]R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1403000.024\symefa.sys [2013-2-26 934488]R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_20.2.0.19\definitions\bashdefs\20130301.001\BHDrvx86.sys [2013-3-5 997464]R1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\nav\1403000.024\ccsetx86.sys [2013-2-26 134304]R1 ccSet_NST;Norton Identity Safe Settings Manager;c:\windows\system32\drivers\nst\7dd03000.01a\ccsetx86.sys [2013-2-19 134304]R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1403000.024\ironx86.sys [2013-2-26 175264]R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-3-9 398184]R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-3-9 682344]R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\20.3.0.36\ccsvchst.exe [2013-2-26 144520]R2 NCO;Norton Identity Safe;c:\program files\norton identity safe\engine\2013.3.0.26\ccsvchst.exe [2013-2-19 144520]R2 NitroDriverReadSpool8;NitroPDFDriverCreatorReadSpool8;c:\program files\nitro\pro 8\NitroPDFDriverService8.exe [2013-3-5 196616]R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NLSSRV32.EXE [2013-3-5 70152]R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2006-9-24 11776]R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2009-5-29 31896]R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-11-3 106656]R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_20.2.0.19\definitions\ipsdefs\20130308.001\IDSXpx86.sys [2013-3-8 373728]R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-3-9 21104]R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_20.2.0.19\definitions\virusdefs\20130309.003\NAVENG.SYS [2013-3-9 93296]R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_20.2.0.19\definitions\virusdefs\20130309.003\NAVEX15.SYS [2013-3-9 1603824]R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2006-9-24 3584]R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-4-27 11520]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys --> c:\windows\system32\drivers\ivusb.sys [?]S3 RDMPLocalService;RDM+ Local Service;c:\program files\rdm\rdmpserv.exe [2012-6-24 1083904]S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504].=============== Created Last 30 ================.2013-03-09 14:38:58 21104 ----a-w- c:\windows\system32\drivers\mbam.sys2013-03-09 14:38:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2013-03-07 23:11:14 -------- d-----w- c:\documents and settings\bill\application data\Nitro2013-03-07 23:11:14 -------- d-----w- c:\documents and settings\bill\application data\FileOpen2013-03-07 23:11:14 -------- d-----w- c:\documents and settings\all users\application data\FileOpen2013-03-07 23:10:38 27144 ----a-w- c:\windows\system32\nitrolocalmon2.dll2013-03-07 23:10:38 18440 ----a-w- c:\windows\system32\nitrolocalui2.dll2013-03-07 23:10:17 -------- d-----w- c:\program files\Nitro2013-03-07 23:10:17 -------- d-----w- c:\program files\common files\Nitro2013-03-07 23:10:16 -------- d-----w- c:\documents and settings\all users\application data\Nitro2013-03-07 23:09:38 -------- d-----w- c:\documents and settings\bill\application data\Downloaded Installations2013-03-07 22:41:57 -------- d-----w- c:\documents and settings\bill\application data\Anvsoft2013-03-07 21:40:06 -------- d-----w- c:\program files\Restoration2013-03-07 21:33:59 -------- d-----w- c:\program files\Convar2013-03-05 08:10:56 70152 ----a-w- c:\windows\system32\NLSSRV32.EXE2013-02-27 01:25:41 934488 ----a-w- c:\windows\system32\drivers\nav\1403000.024\symefa.sys2013-02-27 01:25:41 602712 ----a-w- c:\windows\system32\drivers\nav\1403000.024\srtsp.sys2013-02-27 01:25:41 394656 ----a-w- c:\windows\system32\drivers\nav\1403000.024\symtdi.sys2013-02-27 01:25:41 367704 ----a-w- c:\windows\system32\drivers\nav\1403000.024\symds.sys2013-02-27 01:25:41 350368 ----a-w- c:\windows\system32\drivers\nav\1403000.024\symtdiv.sys2013-02-27 01:25:41 338592 ----a-w- c:\windows\system32\drivers\nav\1403000.024\symnets.sys2013-02-27 01:25:41 32344 ----a-w- c:\windows\system32\drivers\nav\1403000.024\srtspx.sys2013-02-27 01:25:41 21400 ----a-r- c:\windows\system32\drivers\nav\1403000.024\symelam.sys2013-02-27 01:25:41 175264 ----a-w- c:\windows\system32\drivers\nav\1403000.024\ironx86.sys2013-02-27 01:25:41 134304 ----a-w- c:\windows\system32\drivers\nav\1403000.024\ccsetx86.sys2013-02-27 01:25:27 14818 ----a-w- c:\windows\system32\drivers\nav\1403000.024\symvtcer.dat2013-02-27 01:25:27 -------- d-----w- c:\windows\system32\drivers\nav\1403000.0242013-02-19 11:05:39 134304 ----a-w- c:\windows\system32\drivers\nst\7dd03000.01a\ccsetx86.sys2013-02-19 11:05:31 -------- d-----w- c:\windows\system32\drivers\nst\7DD03000.01A2013-02-17 16:59:56 5632 ----a-w- c:\windows\system32\ptpusb.dll2013-02-17 16:59:55 159232 ----a-w- c:\windows\system32\ptpusd.dll2013-02-14 03:47:04 -------- d-----w- c:\program files\common files\SunnComm Shared.==================== Find3M ====================.2013-02-27 19:03:10 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2013-02-27 19:03:10 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe2013-01-26 03:55:44 552448 ----a-w- c:\windows\system32\oleaut32.dll2013-01-07 01:19:45 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe2013-01-07 00:37:01 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe2013-01-06 18:06:32 96 ----a-w- c:\windows\wpd99.drv2013-01-04 01:20:00 1867264 ----a-w- c:\windows\system32\win32k.sys2013-01-02 06:49:10 148992 ----a-w- c:\windows\system32\mpg2splt.ax2013-01-02 06:49:10 1292288 ----a-w- c:\windows\system32\quartz.dll2012-12-26 20:16:29 916480 ----a-w- c:\windows\system32\wininet.dll2012-12-26 20:16:28 43520 ----a-w- c:\windows\system32\licmgr10.dll2012-12-26 20:16:28 1469440 ------w- c:\windows\system32\inetcpl.cpl2012-12-24 06:40:59 385024 ----a-w- c:\windows\system32\html.iec2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll2011-01-10 12:58:04 4935680 ------w- c:\program files\SF Universal Launcher.exe.=================== ROOTKIT ====================.Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.netWindows 5.1.2600 Disk: Hitachi_HDP725050GLA360 rev.GM4OA5CA -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 .device: opened successfullyuser: MBR read successfully.Disk trace:called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AC394B1]<< _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ac4093c]; MOV EAX, [0x8ac40ab0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }1 ntkrnlpa!IofCallDriver[0x804EF1F0] -> \Device\Harddisk0\DR0[0x8AD7CAB8]3 CLASSPNP[0xB8118FD7] -> ntkrnlpa!IofCallDriver[0x804EF1F0] -> \Device\0000007f[0x8ADDB9E8]5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1F0] -> [0x8ADE7D98]\Driver\atapi[0x8ADD3B00] -> IRP_MJ_CREATE -> 0x8AC394B1error: Read A device attached to the system is not functioning.kernel: MBR read successfully_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }detected disk devices:detected hooks:\Driver\atapi DriverStartIo -> 0x8AC392E2user & kernel MBR OK Warning: possible TDL3 rootkit infection !.============= FINISH: 20:55:43.78 ===============.UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.IF REQUESTED, ZIP IT UP & ATTACH IT.DDS (Ver_2012-11-20.01).Microsoft Windows XP ProfessionalBoot Device: \Device\HarddiskVolume1Install Date: 12/10/2008 6:42:11 AMSystem Uptime: 3/9/2013 9:41:09 PM (-1 hours ago).Motherboard: PEGATRON CORPORATION | | BeniciaProcessor: Intel Pentium III Xeon processor | CPU 1 | 2499/1333mhz.==== Disk Partitions =========================.B: is FIXED (NTFS) - 365 GiB total, 156.529 GiB free.C: is FIXED (NTFS) - 100 GiB total, 36.053 GiB free.D: is FIXED (NTFS) - 365 GiB total, 156.529 GiB free.E: is CDROM ()F: is FIXED (NTFS) - 695 GiB total, 182.749 GiB free.G: is CDROM ()H: is RemovableI: is RemovableJ: is RemovableK: is RemovableN: is RemovableP: is FIXED (NTFS) - 931 GiB total, 606.57 GiB free.T: is FIXED (NTFS) - 233 GiB total, 232.812 GiB free.U: is FIXED (NTFS) - 2795 GiB total, 1950.947 GiB free.V: is FIXED (NTFS) - 932 GiB total, 311.49 GiB free.W: is FIXED (NTFS) - 4 GiB total, 1.992 GiB free..==== Disabled Device Manager Items =============.Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}Description: Beanbag Emulation DeviceDevice ID: USB\VID_0A48&PID_3282&MI_00\6&1E676175&0&0000Manufacturer: Name: Beanbag Emulation DevicePNP Device ID: USB\VID_0A48&PID_3282&MI_00\6&1E676175&0&0000Service: .==== System Restore Points ===================.No restore point in system..==== Installed Programs ======================.µTorrentAdobe AIRAdobe Bridge 1.0Adobe Common File InstallerAdobe Community HelpAdobe Flash Player 11 ActiveXAdobe Flash Player 11 PluginAdobe Help Center 1.0Adobe Media PlayerAdobe Photoshop CS2Adobe Photoshop CS5Adobe Reader 7.0Adobe Stock Photos 1.0Altova XMLSpy 2007 Enterprise EditionAmazon MP3 Downloader 1.0.17Apple Application SupportApple Mobile Device SupportApple Software UpdateAudacity 1.2.3Audacity 1.3.11 (Unicode)BlackBerry App World Browser PluginBlackBerry Desktop Software 7.1BlackBerry Device Software UpdaterBonjourBookSmart® 2.9.2 2.9.2Business Contact Manager for Outlook 2007 SP2Data Lifeguard Diagnostic for WindowsDefinition Update for Microsoft Office 2010 (KB982726) 32-Bit EditionDigitImgDiskCheckup v3.0.1006Dragon NaturallySpeaking 10DropboxDVD Data Rescue 2.1DVD Shrink 3.2eMusic Download Manager 4.0.0.5EndNote X2EPSON Copy UtilityEPSON Photo PrintEPSON ScanEPSON Scanner Reference GuideEPSON Smart PanelEPSON TWAIN 5EraserEVGA Precision 1.5.1febooti fileTweakGarmin City Navigator North America NT 2010.40Garmin Communicator PluginGarmin USB DriversGarmin WebUpdaterGoogle ChromeGoogle EarthGoogle Toolbar for Internet ExplorerGoogle Update HelperHandy Recovery 1.0HASHeatsoft ADCSHotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)Hotfix for Windows XP (KB2158563)Hotfix for Windows XP (KB2443685)Hotfix for Windows XP (KB2570791)Hotfix for Windows XP (KB2633952)Hotfix for Windows XP (KB2756822)Hotfix for Windows XP (KB2779562)Hotfix for Windows XP (KB952287)Hotfix for Windows XP (KB954550-v5)Hotfix for Windows XP (KB961118)Hotfix for Windows XP (KB976098-v2)Hotfix for Windows XP (KB979306)Hotfix for Windows XP (KB981793)hp LaserJet 1010 SeriesHP Memories DiscHP Product DetectionHP Software UpdateHyperCam 2HyperSnap 6ISI ResearchSoft - Export HelperiT Library Clinic v1.0iTunesJava 6 Update 11LAME v3.98.2 for AudacityLeechFTP LightScribe 1.4.62.1Logitech MouseWare 9.79.1 Magic Bullet Looks StudioMagic File Renamer 6.12 Professional EditionMalwarebytes Anti-Malware version 1.70.0.1100MediaMonkey 4.0Meeting ServiceMicrosoft .NET Framework 1.1Microsoft .NET Framework 1.1 Security Update (KB2698023)Microsoft .NET Framework 1.1 Security Update (KB2742597)Microsoft .NET Framework 1.1 Security Update (KB979906)Microsoft .NET Framework 2.0 Service Pack 2Microsoft .NET Framework 3.0 Service Pack 2Microsoft .NET Framework 3.5 SP1Microsoft .NET Framework 4 Client ProfileMicrosoft Internationalized Domain Names Mitigation APIsMicrosoft Kernel-Mode Driver Framework Feature Pack 1.7Microsoft National Language Support Downlevel APIsMicrosoft Office 2003 Web ComponentsMicrosoft Office 2007 Primary Interop AssembliesMicrosoft Office 2010 Language Pack Service Pack 1 (SP1)Microsoft Office 2010 Service Pack 1 (SP1)Microsoft Office Access MUI (English) 2010Microsoft Office Access Setup Metadata MUI (English) 2010Microsoft Office Accounting 2007Microsoft Office Accounting ADP Payroll AddinMicrosoft Office Accounting Equifax AddinMicrosoft Office Accounting Fixed Asset ManagerMicrosoft Office Accounting PayPal AddinMicrosoft Office Excel MUI (English) 2010Microsoft Office Groove MUI (English) 2010Microsoft Office InfoPath MUI (English) 2010Microsoft Office OneNote MUI (English) 2010Microsoft Office Outlook MUI (English) 2010Microsoft Office PowerPoint MUI (English) 2010Microsoft Office Professional Plus 2010Microsoft Office Proof (English) 2010Microsoft Office Proof (French) 2010Microsoft Office Proof (Spanish) 2010Microsoft Office Proofing (English) 2010Microsoft Office Publisher MUI (English) 2010Microsoft Office Shared MUI (English) 2010Microsoft Office Shared Setup Metadata MUI (English) 2010Microsoft Office Small Business Connectivity ComponentsMicrosoft Office Visio 2010Microsoft Office Visio MUI (English) 2010Microsoft Office Word MUI (English) 2010Microsoft Software Update for Web Folders (English) 14Microsoft SQL Server 2005Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)Microsoft SQL Server Native ClientMicrosoft SQL Server Setup Support Files (English)Microsoft SQL Server VSS WriterMicrosoft Visio 2010 Service Pack 1 (SP1)Microsoft Visio Premium 2010Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053Microsoft Visual C++ 2005 RedistributableMicrosoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161Microsoft_VC80_ATL_x86Microsoft_VC80_CRT_x86Microsoft_VC80_MFC_x86Microsoft_VC80_MFCLOC_x86Microsoft_VC90_ATL_x86Microsoft_VC90_CRT_x86Microsoft_VC90_MFC_x86Mindjet MindManager Pro 6Mozilla Firefox 18.0.1 (x86 en-US)Mozilla Maintenance ServiceMozilla Thunderbird 17.0.3 (x86 en-US)Mp3tag v2.46aMSXML 4.0 SP2 (KB954430)MSXML 4.0 SP2 (KB973688)MSXML 6.0 ParserNEC DISPLAY SOLUTIONS: Monitor InstallerNero SuiteNikon View 6Nitro Pro 8Norton AntiVirusNorton Identity SafeNotepad++NVIDIA Display Control PanelNVIDIA DriversNVIDIA nView Desktop ManagerNVIDIA PhysXOctoshape add-in for Adobe Flash PlayeroverlandPDF-XChange 3.0PDF Settings CS5Pdf995PdfEdit995PhotoRescue PC 2.1.660PhotoRescue PC Demo 2.1.660Photosmart 140,240,7200,7600,7700,7900 SeriesPinnacle Instant DVD RecorderPinnacle Studio 12Pinnacle Studio 12 Ultimate PluginsPinnacle Video DriverPowerDVDproDAD Vitascene 1.0PS7900PSShortcutsPSUsageQFolderQuicken 2005Quicken 2010QuickTimeRDM+ 4.20REALTEK GbE & FE Ethernet PCI-E NIC DriverRealtek High Definition Audio DriverScanToWebSeaTools for WindowsSecurity Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit EditionSecurity Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit EditionSecurity Update for Microsoft InfoPath 2010 (KB2687436) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2553091)Security Update for Microsoft Office 2010 (KB2553096)Security Update for Microsoft Office 2010 (KB2553371) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2553447) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2589320) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2589337) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2597986) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2598243) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2687501) 32-Bit EditionSecurity Update for Microsoft Office 2010 (KB2687510) 32-Bit EditionSecurity Update for Microsoft Visio 2010 (KB2687508) 32-Bit EditionSecurity Update for Microsoft Visio Viewer 2010 (KB2598287) 32-Bit EditionSecurity Update for Microsoft Windows (KB2564958)Security Update for Microsoft Word 2010 (KB2760410) 32-Bit EditionSecurity Update for Windows Internet Explorer 7 (KB938127-v2)Security Update for Windows Internet Explorer 7 (KB956390)Security Update for Windows Internet Explorer 7 (KB958215)Security Update for Windows Internet Explorer 7 (KB978207)Security Update for Windows Internet Explorer 8 (KB2183461)Security Update for Windows Internet Explorer 8 (KB2360131)Security Update for Windows Internet Explorer 8 (KB2416400)Security Update for Windows Internet Explorer 8 (KB2482017)Security Update for Windows Internet Explorer 8 (KB2497640)Security Update for Windows Internet Explorer 8 (KB2510531)Security Update for Windows Internet Explorer 8 (KB2530548)Security Update for Windows Internet Explorer 8 (KB2544521)Security Update for Windows Internet Explorer 8 (KB2559049)Security Update for Windows Internet Explorer 8 (KB2586448)Security Update for Windows Internet Explorer 8 (KB2618444)Security Update for Windows Internet Explorer 8 (KB2647516)Security Update for Windows Internet Explorer 8 (KB2675157)Security Update for Windows Internet Explorer 8 (KB2699988)Security Update for Windows Internet Explorer 8 (KB2722913)Security Update for Windows Internet Explorer 8 (KB2744842)Security Update for Windows Internet Explorer 8 (KB2761465)Security Update for Windows Internet Explorer 8 (KB2792100)Security Update for Windows Internet Explorer 8 (KB2797052)Security Update for Windows Internet Explorer 8 (KB2799329)Security Update for Windows Internet Explorer 8 (KB971961)Security Update for Windows Internet Explorer 8 (KB981332)Security Update for Windows Internet Explorer 8 (KB982381)Security Update for Windows Media Player (KB2378111)Security Update for Windows Media Player (KB952069)Security Update for Windows Media Player (KB954155)Security Update for Windows Media Player (KB968816)Security Update for Windows Media Player (KB973540)Security Update for Windows Media Player (KB975558)Security Update for Windows Media Player (KB978695)Security Update for Windows Media Player (KB979402)Security Update for Windows XP (KB2079403)Security Update for Windows XP (KB2115168)Security Update for Windows XP (KB2121546)Security Update for Windows XP (KB2160329)Security Update for Windows XP (KB2229593)Security Update for Windows XP (KB2279986)Security Update for Windows XP (KB2286198)Security Update for Windows XP (KB2296011)Security Update for Windows XP (KB2296199)Security Update for Windows XP (KB2347290)Security Update for Windows XP (KB2360937)Security Update for Windows XP (KB2387149)Security Update for Windows XP (KB2393802)Security Update for Windows XP (KB2412687)Security Update for Windows XP (KB2419632)Security Update for Windows XP (KB2423089)Security Update for Windows XP (KB2436673)Security Update for Windows XP (KB2440591)Security Update for Windows XP (KB2443105)Security Update for Windows XP (KB2476490)Security Update for Windows XP (KB2476687)Security Update for Windows XP (KB2478960)Security Update for Windows XP (KB2478971)Security Update for Windows XP (KB2479628)Security Update for Windows XP (KB2479943)Security Update for Windows XP (KB2481109)Security Update for Windows XP (KB2483185)Security Update for Windows XP (KB2485376)Security Update for Windows XP (KB2503658)Security Update for Windows XP (KB2503665)Security Update for Windows XP (KB2506212)Security Update for Windows XP (KB2506223)Security Update for Windows XP (KB2507618)Security Update for Windows XP (KB2507938)Security Update for Windows XP (KB2508272)Security Update for Windows XP (KB2508429)Security Update for Windows XP (KB2509553)Security Update for Windows XP (KB2511455)Security Update for Windows XP (KB2524375)Security Update for Windows XP (KB2535512)Security Update for Windows XP (KB2536276-v2)Security Update for Windows XP (KB2536276)Security Update for Windows XP (KB2544893-v2)Security Update for Windows XP (KB2544893)Security Update for Windows XP (KB2555917)Security Update for Windows XP (KB2562937)Security Update for Windows XP (KB2566454)Security Update for Windows XP (KB2567053)Security Update for Windows XP (KB2567680)Security Update for Windows XP (KB2570222)Security Update for Windows XP (KB2570947)Security Update for Windows XP (KB2584146)Security Update for Windows XP (KB2585542)Security Update for Windows XP (KB2592799)Security Update for Windows XP (KB2598479)Security Update for Windows XP (KB2603381)Security Update for Windows XP (KB2618451)Security Update for Windows XP (KB2619339)Security Update for Windows XP (KB2620712)Security Update for Windows XP (KB2621440)Security Update for Windows XP (KB2624667)Security Update for Windows XP (KB2631813)Security Update for Windows XP (KB2633171)Security Update for Windows XP (KB2639417)Security Update for Windows XP (KB2641653)Security Update for Windows XP (KB2646524)Security Update for Windows XP (KB2647518)Security Update for Windows XP (KB2653956)Security Update for Windows XP (KB2655992)Security Update for Windows XP (KB2659262)Security Update for Windows XP (KB2660465)Security Update for Windows XP (KB2661637)Security Update for Windows XP (KB2676562)Security Update for Windows XP (KB2685939)Security Update for Windows XP (KB2686509)Security Update for Windows XP (KB2691442)Security Update for Windows XP (KB2695962)Security Update for Windows XP (KB2698365)Security Update for Windows XP (KB2705219)Security Update for Windows XP (KB2707511)Security Update for Windows XP (KB2709162)Security Update for Windows XP (KB2712808)Security Update for Windows XP (KB2718523)Security Update for Windows XP (KB2719985)Security Update for Windows XP (KB2723135)Security Update for Windows XP (KB2724197)Security Update for Windows XP (KB2727528)Security Update for Windows XP (KB2731847)Security Update for Windows XP (KB2753842-v2)Security Update for Windows XP (KB2753842)Security Update for Windows XP (KB2757638)Security Update for Windows XP (KB2758857)Security Update for Windows XP (KB2761226)Security Update for Windows XP (KB2770660)Security Update for Windows XP (KB2778344)Security Update for Windows XP (KB2779030)Security Update for Windows XP (KB2780091)Security Update for Windows XP (KB2799494)Security Update for Windows XP (KB2802968)Security Update for Windows XP (KB938464)Security Update for Windows XP (KB941569)Security Update for Windows XP (KB950762)Security Update for Windows XP (KB950974)Security Update for Windows XP (KB951066)Security Update for Windows XP (KB951376-v2)Security Update for Windows XP (KB951698)Security Update for Windows XP (KB951748)Security Update for Windows XP (KB952004)Security Update for Windows XP (KB952954)Security Update for Windows XP (KB954211)Security Update for Windows XP (KB954459)Security Update for Windows XP (KB954600)Security Update for Windows XP (KB955069)Security Update for Windows XP (KB956391)Security Update for Windows XP (KB956572)Security Update for Windows XP (KB956744)Security Update for Windows XP (KB956802)Security Update for Windows XP (KB956803)Security Update for Windows XP (KB956841)Security Update for Windows XP (KB956844)Security Update for Windows XP (KB957095)Security Update for Windows XP (KB957097)Security Update for Windows XP (KB958215)Security Update for Windows XP (KB958644)Security Update for Windows XP (KB958869)Security Update for Windows XP (KB959426)Security Update for Windows XP (KB960225)Security Update for Windows XP (KB960803)Security Update for Windows XP (KB960859)Security Update for Windows XP (KB961501)Security Update for Windows XP (KB969059)Security Update for Windows XP (KB969947)Security Update for Windows XP (KB970238)Security Update for Windows XP (KB970430)Security Update for Windows XP (KB971468)Security Update for Windows XP (KB971486)Security Update for Windows XP (KB971657)Security Update for Windows XP (KB971961)Security Update for Windows XP (KB972270)Security Update for Windows XP (KB973354)Security Update for Windows XP (KB973507)Security Update for Windows XP (KB973869)Security Update for Windows XP (KB973904)Security Update for Windows XP (KB974112)Security Update for Windows XP (KB974318)Security Update for Windows XP (KB974392)Security Update for Windows XP (KB974571)Security Update for Windows XP (KB975025)Security Update for Windows XP (KB975467)Security Update for Windows XP (KB975560)Security Update for Windows XP (KB975561)Security Update for Windows XP (KB975562)Security Update for Windows XP (KB975713)Security Update for Windows XP (KB977165-v2)Security Update for Windows XP (KB977816)Security Update for Windows XP (KB977914)Security Update for Windows XP (KB978037)Security Update for Windows XP (KB978251)Security Update for Windows XP (KB978262)Security Update for Windows XP (KB978338)Security Update for Windows XP (KB978542)Security Update for Windows XP (KB978601)Security Update for Windows XP (KB979309)Security Update for Windows XP (KB979482)Security Update for Windows XP (KB979559)Security Update for Windows XP (KB979683)Security Update for Windows XP (KB979687)Security Update for Windows XP (KB980195)Security Update for Windows XP (KB980218)Security Update for Windows XP (KB980232)Security Update for Windows XP (KB980436)Security Update for Windows XP (KB981322)Security Update for Windows XP (KB981349)Security Update for Windows XP (KB981852)Security Update for Windows XP (KB981957)Security Update for Windows XP (KB981997)Security Update for Windows XP (KB982132)Security Update for Windows XP (KB982214)Security Update for Windows XP (KB982665)Security Update for Windows XP (KB982802)SelectionLinksSES DriverSignature995SilverFast 8.0.1r17 (32bit)SilverFast Epson 6.6.2r4aSkype™ 5.10smartmontoolsSoftQuad HoTMetaL PRO 4.0SoftQuad HoTMetaL PRO 5.0SoftQuad HoTMetaL Site Maker DatabaseSpeedFan (remove only)SpotifySpybot - Search & DestroySureThing CD Labeler 4 SESystem Requirements LabTreeSize Professional 3.3Tweak UIUltraISO Premium V9.31UltraMonUpdate for Microsoft .NET Framework 3.5 SP1 (KB963707)Update for Microsoft Office 2010 (KB2553065)Update for Microsoft Office 2010 (KB2553092)Update for Microsoft Office 2010 (KB2553181) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2553267) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2553310) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2553378) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2566458)Update for Microsoft Office 2010 (KB2596964) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2598242) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2687509) 32-Bit EditionUpdate for Microsoft Office 2010 (KB2760631) 32-Bit EditionUpdate for Microsoft OneNote 2010 (KB2553290) 32-Bit EditionUpdate for Microsoft OneNote 2010 (KB2687277) 32-Bit EditionUpdate for Microsoft Outlook 2010 (KB2597090) 32-Bit EditionUpdate for Microsoft Outlook 2010 (KB2687623) 32-Bit EditionUpdate for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit EditionUpdate for Microsoft PowerPoint 2010 (KB2598240) 32-Bit EditionUpdate for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit EditionUpdate for Windows Internet Explorer 7 (KB980182)Update for Windows Internet Explorer 8 (KB976662)Update for Windows Internet Explorer 8 (KB980182)Update for Windows Internet Explorer 8 (KB982632)Update for Windows XP (KB2141007)Update for Windows XP (KB2345886)Update for Windows XP (KB2467659)Update for Windows XP (KB2541763)Update for Windows XP (KB2607712)Update for Windows XP (KB2616676)Update for Windows XP (KB2641690)Update for Windows XP (KB2661254-v2)Update for Windows XP (KB2718704)Update for Windows XP (KB2736233)Update for Windows XP (KB2749655)Update for Windows XP (KB898461)Update for Windows XP (KB951978)Update for Windows XP (KB955759)Update for Windows XP (KB955839)Update for Windows XP (KB967715)Update for Windows XP (KB968389)Update for Windows XP (KB971029)Update for Windows XP (KB971737)Update for Windows XP (KB973687)Update for Windows XP (KB973815)Viewpoint Media PlayerVisual C++ 2008 x86 Runtime - (v9.0.30729)Visual C++ 2008 x86 Runtime - v9.0.30729.01Visual C++ Runtime for Dragon NaturallySpeakingVisual Color Picker 2.6VNC Free Edition 4.1.2VueScanWebFldrs XPWindows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)Windows Genuine Advantage Notifications (KB905474)Windows Genuine Advantage Validation Tool (KB892130)Windows Internet Explorer 7Windows Internet Explorer 8Windows Media Format RuntimeWinSCP 4.3.9xplorer² professional 32 bit.==== Event Viewer Messages From Past Week ========.3/8/2013 7:03:26 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the SQL Server (MSSMLBIZ) service to connect.3/8/2013 5:34:17 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)3/8/2013 5:21:15 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.3/8/2013 5:21:15 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.3/8/2013 5:20:43 PM, error: Service Control Manager [7023] - The Business Contact Manager SQL Server Startup Service service terminated with the following error: %%21479434533/8/2013 5:20:43 PM, error: Service Control Manager [7000] - The SQL Server (MSSMLBIZ) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.3/8/2013 5:20:12 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.3/8/2013 5:19:17 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)3/8/2013 2:19:45 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 240 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)3/8/2013 12:19:45 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)3/7/2013 11:19:45 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)3/4/2013 3:24:33 PM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.3/4/2013 3:00:56 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office PowerPoint 2007 (KB2596764).3/4/2013 12:15:48 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period..==== End Of File =========================== Link to post Share on other sites More sharing options...
Maniac Posted March 10, 2013 ID:655403 Share Posted March 10, 2013 Hello Threazy! My name is Maniac and I will be glad to help you solve your malware problem.Please note:If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.Make sure you read all of the instructions and fixes thoroughly before continuing with them.Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.BACKDOOR WARNINGOne or more of the identified infections is known to use a backdoor.This allows hackers to remotely control your computer, steal critical system information and download and execute files.I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:Help: I Got Hacked. Now What Do I Do?Help: I Got Hacked. Now What Do I Do? Part IIHow Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?When Should I Format, How Should I ReinstallWe can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please let me know. Link to post Share on other sites More sharing options...
Threazy Posted March 10, 2013 Author ID:655530 Share Posted March 10, 2013 Thank for the response, Maniac. I did just purchase MBAM; I had had a copy installed already but it sounded like the paid pro version would be more powerful so I bought a copy. I'm sure your help would be as capable as customer support, so let me ask of few questions of you first, if I am.I would like to try and clean the machine, but would like to ask a few questions and give you a run down of events.(1) I've been thinking about upgrading to Windows 7 (or getting a new computer altogether); would a fresh install of Windows 7 on this machine solve the problem, so could there be malicious coding hiding out somewhere that could be a problem?(2) As you can see from the logs, I have a number of drives connected to the machine for off-computer storage and backup. (Backup is just file-copy backup - not a backup solution.) Regarding the malicious code "hiding out", what is the likelihood the malware could have stashed something on one of these drives? None of the drives are bootable and contain mostly contain data files - documents, pictures, music (though there are some backup installers.) Is there a way to scan these drives to ensure that they're clean?(3) You seem to recognize/know what the malware is what do do with it - is that the case?Here is the series of events:(1) On Thursday, 3/7, as you can see from the log, I searched for and downloaded utilities for merging PDF documents (3 utilities) and undeleting (3). The infection must have originated from one of these 6 installers. (2) I started experiencing system freezes - I'd click the start button and the system would freeze. Interestingly, right around this time, ITunes told me that it couldn't find an audio device and windows volume control for WAV files kept getting reset to 0.(3) Suspecting a problem, I unplugged my ethernet cable form the wall and the system booted and behaved normally. I think I turned off external drives, too.(4) Friday, 3/8, I left the computer off all day. That night, I turned it back on, reconnected to the internet, and updated my malwarebytes database. (I think). I started getting the IP-Block message from MBAM and posted my first message about the problem (123615). I also think - and this probably wasn't a good idea - left the computer on all night and am uncertain whether my external drives were on or not.(5) Saturday, 3/9, I purchased the pro version of MBAM but was not able to activate it - not sure it installed properly. I then ran a 10 hour system scan (still connected to the internet) and it found 5 objects, which I removed. During the scan, the IP_Block message did not come up, though it did reappear after the scan. (6) Following the repair instructions, I ran DDS and posted the message above. The infected computer has been off and disconnected from the internet since then.That's the story so far, Maniac - thanks again.Bill Link to post Share on other sites More sharing options...
Maniac Posted March 10, 2013 ID:655635 Share Posted March 10, 2013 (1) I've been thinking about upgrading to Windows 7 (or getting a new computer altogether); would a fresh install of Windows 7 on this machine solve the problem, so could there be malicious coding hiding out somewhere that could be a problem?This is the best deicision. Will solve many problems and ensure prevention of many others.(2) As you can see from the logs, I have a number of drives connected to the machine for off-computer storage and backup. (Backup is just file-copy backup - not a backup solution.) Regarding the malicious code "hiding out", what is the likelihood the malware could have stashed something on one of these drives? None of the drives are bootable and contain mostly contain data files - documents, pictures, music (though there are some backup installers.) Is there a way to scan these drives to ensure that they're clean?Yes, you can scan your data with up-to-date antivirus, Malwarebytes' Anti-Malware and for a specific files (or a couple, but small size files) could be check in www.virustotal.com .(3) You seem to recognize/know what the malware is what do do with it - is that the case?Yes, I'm familiar with this situation, but upgrading to Windows 7 and clean start is the best option. Link to post Share on other sites More sharing options...
Threazy Posted March 11, 2013 Author ID:655821 Share Posted March 11, 2013 Can I ask you one more question, Maniac, kinda unrelated to the infection? Can you tell from the logs whether my computer can handle the 64-bit version of Windows 7? I think the answer is yes, but I'm not 100% sure. Thanks again for your help. Link to post Share on other sites More sharing options...
Maniac Posted March 11, 2013 ID:655882 Share Posted March 11, 2013 How much RAM you have? Link to post Share on other sites More sharing options...
Threazy Posted March 14, 2013 Author ID:657026 Share Posted March 14, 2013 Hi, Maniac - sorry it's taken me so long to get back to you. I have 3G of RAM. Which, obviously, I installed to accommodate for my 32-bit XP system and won't be able to take advantage of 64-bit Win7. :-) But the Win7 question is moot - I went ahead and bought a new machine and will reformat/reinstall the OS on the old machine and repurpose it.In the mean time, I've tried to do some cleaning on my old machine (I'm sorry - I went ahead and tried it without your advice.) I'm keeping the machine offline except for brief connectivity to update virus signature files. Kapersky TDSKiller found and removed a Pihar virus. I've also run spybot and MBAM. Interestingly, after Kapersky removed the Pihar, Norton AV popped up with a warning that it blocked Malcol and tirdev (?not sure I remember the name) trojans; subsequent scans for these trojans turned up nothing. I'm continuing the scan/clean and - at the moment - I'm not finding anything with the tools I have.If I may ask one more question: I purchased the commercial/consumer MBAM license, but I have not been able (ie not been offered the opportunity) to activate it. I've reinstalled the purchased download a couple of times (even in safe mode) but still don't have the opportunity to activate. I can, however, do a flash scan, which is available only to licensed users. Any thoughts on why I can't activate? Is that a sign there is still a problem lurking somewhere?Bill Link to post Share on other sites More sharing options...
Maniac Posted March 14, 2013 ID:657027 Share Posted March 14, 2013 Because your system is infected. Link to post Share on other sites More sharing options...
Threazy Posted March 14, 2013 Author ID:657074 Share Posted March 14, 2013 That's what I was afraid of. Given that the scans are no longer finding anything, I guess the virus is entrenched and there's nothing more I can do. The system seems to be running smoothly - no strange hiccups or stalls; the only strange thing I've noticed is that when I shut down there is a Windows Update that the system wants to install - which I bypass because I think it's odd given my situation. I wanted to get back on my system before the new machine arrives just to make sure I have everything properly backed-up - and I realize that there is a risk in doing this. Do you have any last bits of advice about cleaning or using the machine (in disconnected mode)? (then I'll stop troubling you with questions. :-))Thanks, Maniac - Bill Link to post Share on other sites More sharing options...
Maniac Posted March 14, 2013 ID:657130 Share Posted March 14, 2013 You take self-initiative in this situation. I can and I want to help you, but I need to make sure that from now on you will follow my instructions and only them. This is my only condition. Link to post Share on other sites More sharing options...
Threazy Posted March 15, 2013 Author ID:657478 Share Posted March 15, 2013 I apologize if taking action on my own offended you, Maniac. Your original response did request that I do no scanning or take actions on my own without your instructions and I did not honor that request, so I'm sorry for that. I figured that since I was going to reformat the drive anyway, if I did a half-assed job of cleaning it wouldn't matter.But if it's not too late and I haven't messed things up too much, I would like your help doing a search and clean that is sufficient for me to safely move my application data (eg office files, pictures, music) off of the machine before reformatting it. I haven't done anything further (the machine has been off) since my post of 7:25 (two post prior to this one.) That was Wednesday evening 3/13. Bill Link to post Share on other sites More sharing options...
Maniac Posted March 17, 2013 ID:658030 Share Posted March 17, 2013 Okay, I will help you.If is only music, documents and pictures is okay. The problem might be an exe files, com files and so on executable files.Let's check your files. Please update your Malwarebytes' Anti-Malware and using right mouse click, check your data with Malwarebytes' Anti-Malware. Let me know when you are ready and about the results. Link to post Share on other sites More sharing options...
Threazy Posted March 17, 2013 Author ID:658058 Share Posted March 17, 2013 Thanks, Maniac - here's what I've done:I have three external backup drives that contains copies of all my data files. The last backup was performed the day prior to the infection. I installed MBAM on my work laptop (and was able to activate it) and did a full scan of each of these drives. No malicious content was detected. So unless the virus was really sneaky in stashing something there, my guess is that they're clean and good to go.On the infected computer, I have not turned it on yet. When I do, I do not plan on touching any exe, or bat files on that machine. What I want to do is inspect the files there and see if there is anything I am missing from my backups. The one thing I know I want to do is backup my Thunderbird mailbox so I can restore it to my new computer. So with respect to your instructions: (1) MBAM is installed on the infected computer, but I haven't been able to activate the PRO version on that machine - it still seems to be blocked; it will update the virus definitions, however, if I connect the machine to the internet. (2) Given my scans of my backups, does that take the place of your instructions? If I do find any files that I want to move off of the infected computer, I will scan them as you suggest. The next question, then, is how do I safely get them off of the infected computer?Thanks - Bill Link to post Share on other sites More sharing options...
Maniac Posted April 1, 2013 ID:663549 Share Posted April 1, 2013 Are you still with me, Bill? Link to post Share on other sites More sharing options...
Maurice Naggar Posted April 7, 2013 ID:666011 Share Posted April 7, 2013 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts