
Possible trojan backdoor, "Enable malicious website blocking" disabled unexpectedly, box cannot be checked



This problem happens continually and at random. It happens when I go online, but never does it happen offline, and from what I've read of other people with this problem it could likely be a virus or malware of some kind or a backdoor trojan. I was referred here by one of the experts from the General Malwarebytes Anti-Malware forum. Someone please help me determine if I do indeed have some kind of malicious attack on my PC or if it is merely a software glitch.

Here are my PC's stats.

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702

Run by matolis at 14:56:48 on 2013-04-01

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1361 [GMT -5:00]

.

AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

AV: Lavasoft Ad-Aware *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}

FW: Lavasoft Ad-Aware *Disabled*

FW: Kaspersky Internet Security *Disabled*

.

============== Running Processes ================

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Creative\Shared Files\CTAudSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\Program Files\Razer\razertra.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe

C:\Documents and Settings\All Users\Application Data\Search Protection\SearchProtection.exe

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\klwtblfs.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

mStart Page = about:blank

uURLSearchHooks: Ad-Aware Security Add-on: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\contentblocker\ie_content_blocker_plugin.dll

BHO: Ad-Aware Security Add-on: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll

BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll

BHO: Safe Money Plugin: {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\onlinebanking\online_banking_bho.dll

BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\urladvisor\klwtbbho.dll

TB: Ad-Aware Security Add-on: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll

mRun: [CTHelper] CTHELPER.EXE

mRun: [UpdReg] c:\windows\UpdReg.EXE

mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k

mRun: [CTxfiHlp] CTXFIHLP.EXE

mRun: [razertra] c:\program files\razer\razertra.exe

mRun: [Ad-Aware Browsing Protection] "c:\documents and settings\all users\application data\ad-aware browsing protection\adawarebp.exe"

mRun: [SearchProtection] c:\documents and settings\all users\application data\search protection\_run.bat

mRun: [Ad-Aware Antivirus] "c:\program files\ad-aware antivirus\AdAwareLauncher" --windows-run

mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2013\avp.exe"

mRunOnce: [Z1] cmd /c "e:\mbar\mbar.exe" /cleanup /s

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoDriveTypeAutoRun = dword:28

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2013\ie_banner_deny.htm

IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll

IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\urladvisor\klwtbbho.dll

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1363374798406

Notify: AtiExtEvent - Ati2evxx.dll

Notify: klogon - c:\windows\system32\klogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-3-25 13560]

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2012-6-19 136024]

R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2013-3-15 116264]

R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2013-3-15 586584]

R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [2012-6-8 43608]

R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [2012-8-13 144344]

R2 Ad-Aware Service;Ad-Aware Service;c:\program files\ad-aware antivirus\AdAwareService.exe [2013-2-21 1236336]

R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2013\avp.exe [2012-8-17 356376]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-3-15 682344]

R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2010-5-5 171096]

R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2010-5-5 1324120]

R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2010-5-5 72792]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2012-6-27 35672]

R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [2012-5-25 24408]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2012-7-25 24920]

R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-3-31 35144]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-3-15 21104]

S1 1502209drv;1502209drv;c:\windows\system32\drivers\1502209drv.sys [2013-3-20 475736]

S2 SBAMSvc;Ad-Aware;c:\program files\ad-aware antivirus\SBAMSvc.exe [2012-9-20 3677000]

S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2013-3-17 99856]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2013-3-21 79360]

S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2010-5-5 171096]

S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2010-5-5 1324120]

S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2010-5-5 72792]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2013-3-25 25832]

.

=============== Created Last 30 ================

.

2013-03-31 11:29:07 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2013-03-29 18:51:11 -------- d-----w- c:\documents and settings\all users\application data\EA Core

2013-03-29 18:51:06 -------- d-----w- c:\documents and settings\all users\application data\EA Logs

2013-03-29 18:02:42 -------- d--h--w- c:\program files\common files\EAInstaller

2013-03-29 18:02:22 -------- d-----w- c:\program files\NVIDIA Corporation

2013-03-29 15:37:47 107888 ----a-w- c:\windows\system32\CmdLineExt.dll

2013-03-29 09:43:44 -------- d-----w- c:\program files\Origin Games

2013-03-29 09:43:43 -------- d-----w- c:\documents and settings\matolis\local settings\application data\Origin

2013-03-29 09:43:42 -------- d-----w- c:\documents and settings\matolis\application data\Origin

2013-03-29 09:43:30 -------- d-----w- c:\documents and settings\all users\application data\Origin

2013-03-29 09:43:30 -------- d-----w- c:\documents and settings\all users\application data\Electronic Arts

2013-03-29 09:43:09 -------- d-----w- c:\program files\Origin

2013-03-29 07:52:46 -------- d-----w- c:\program files\MSXML 4.0

2013-03-29 07:38:01 -------- d-----w- c:\program files\Microsoft Games

2013-03-29 07:02:44 -------- d-----w- C:\Games

2013-03-29 06:43:03 -------- d-----w- c:\documents and settings\all users\application data\BioWare

2013-03-29 06:01:18 -------- d-----w- c:\program files\Mass Effect 2

2013-03-25 17:33:52 -------- d-----w- c:\windows\1C4551A64743409391E41477CD655043.TMP

2013-03-25 17:00:28 -------- d-----w- c:\program files\Dragon Age

2013-03-25 15:12:26 -------- d-----w- c:\program files\common files\BioWare

2013-03-25 14:54:24 -------- d-----w- c:\program files\Mass Effect

2013-03-25 07:47:23 -------- d-----w- c:\documents and settings\all users\application data\Ad-Aware Antivirus

2013-03-25 07:47:22 -------- d-----w- c:\documents and settings\matolis\application data\LavasoftStatistics

2013-03-25 07:42:35 -------- d-----w- c:\program files\Ad-Aware Antivirus

2013-03-25 07:41:55 -------- d-----w- c:\documents and settings\all users\application data\Downloaded Installations

2013-03-25 07:41:46 -------- d-----w- c:\documents and settings\matolis\local settings\application data\adawarebp

2013-03-25 07:41:46 -------- d-----w- c:\documents and settings\all users\application data\Search Protection

2013-03-25 07:41:45 -------- d-----w- c:\documents and settings\all users\application data\blekko toolbars

2013-03-25 07:41:45 -------- d-----w- c:\documents and settings\all users\application data\adawaretb

2013-03-25 07:41:43 -------- d-----w- c:\documents and settings\all users\application data\Ad-Aware Browsing Protection

2013-03-25 07:41:06 -------- d-----w- c:\program files\Toolbar Cleaner

2013-03-25 07:40:59 -------- d-----w- c:\documents and settings\matolis\application data\SecureSearch

2013-03-25 07:40:54 -------- d-----w- c:\program files\adawaretb

2013-03-25 07:40:54 -------- d-----w- c:\documents and settings\matolis\application data\adawaretb

2013-03-25 07:39:30 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys

2013-03-25 07:39:29 44424 ----a-w- c:\windows\system32\sbbd.exe

2013-03-25 07:39:19 -------- d-----w- c:\documents and settings\matolis\application data\Ad-Aware Antivirus

2013-03-21 19:31:39 -------- d-----w- c:\program files\common files\Wise Installation Wizard

2013-03-21 17:10:20 -------- d-----w- c:\documents and settings\matolis\local settings\application data\Adobe

2013-03-21 17:03:24 -------- d-----w- c:\documents and settings\matolis\local settings\application data\WMTools Downloaded Files

2013-03-21 16:51:45 57344 ----a-w- c:\windows\system32\razer.cpl

2013-03-21 16:51:45 38904 ----a-w- c:\windows\system32\drivers\razerusb.sys

2013-03-21 16:39:11 102400 ----a-w- c:\windows\system32\cttele32.dll

2013-03-21 16:39:03 -------- d-----w- c:\program files\OpenAL

2013-03-21 16:35:39 22691984 ----a-w- c:\windows\system32\AppSetup.exe

2013-03-21 16:32:07 -------- d-----w- c:\program files\common files\Creative Labs Shared

2013-03-21 07:23:19 -------- d--h--w- c:\windows\PIF

2013-03-21 03:43:37 475736 ----a-w- c:\windows\system32\drivers\1502209drv.sys

2013-03-21 02:17:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2013-03-21 02:17:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2013-03-21 02:17:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2013-03-21 02:17:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2013-03-21 02:17:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2013-03-21 02:17:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2013-03-21 02:17:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

2013-03-21 02:16:48 -------- d-----w- c:\documents and settings\matolis\local settings\application data\Apple

2013-03-21 02:16:13 -------- d-----w- c:\documents and settings\matolis\local settings\application data\Apple Computer

2013-03-21 02:05:38 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-03-21 02:05:38 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-03-19 10:05:59 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll

2013-03-19 10:04:19 -------- d--h--w- c:\windows\msdownld.tmp

2013-03-19 10:04:04 -------- d-----w- c:\windows\Logs

2013-03-19 08:21:36 -------- d-----w- c:\windows\pss

2013-03-17 17:37:57 -------- d-----w- c:\documents and settings\matolis\local settings\application data\ATI

2013-03-17 17:35:23 99856 ----a-w- c:\windows\system32\drivers\AtihdXP3.sys

2013-03-17 17:33:27 -------- d-----w- C:\AMD

2013-03-17 16:48:05 -------- d-----w- c:\program files\CCleaner

2013-03-17 04:50:42 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

2013-03-17 04:47:46 -------- d-----w- C:\USBVaccine

2013-03-16 22:19:12 -------- d-----w- c:\program files\Windows Media Connect 2

2013-03-16 22:17:59 -------- d-----w- c:\windows\system32\LogFiles

2013-03-16 03:55:05 -------- d-----w- c:\windows\system32\XPSViewer

2013-03-16 03:54:39 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2013-03-16 03:54:39 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2013-03-16 03:54:39 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2013-03-16 03:54:39 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2013-03-16 03:54:39 575488 ------w- c:\windows\system32\xpsshhdr.dll

2013-03-16 03:54:39 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2013-03-16 03:54:39 1676288 ------w- c:\windows\system32\xpssvcs.dll

2013-03-16 03:54:39 117760 ------w- c:\windows\system32\prntvpt.dll

2013-03-16 03:54:38 -------- d-----w- C:\70a2473e871645d7e4

2013-03-15 21:13:51 -------- d-sh--w- c:\documents and settings\matolis\PrivacIE

2013-03-15 21:13:50 -------- d-sh--w- c:\documents and settings\matolis\IECompatCache

2013-03-15 21:05:26 -------- d-sh--w- c:\documents and settings\matolis\IETldCache

2013-03-15 19:48:31 522240 -c----w- c:\windows\system32\dllcache\jsdbgui.dll

2013-03-15 19:48:02 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll

2013-03-15 19:47:43 -------- d-----w- c:\windows\ie8updates

2013-03-15 19:47:37 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2013-03-15 19:47:37 630272 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2013-03-15 19:47:37 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2013-03-15 19:47:37 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2013-03-15 19:47:37 2004992 -c----w- c:\windows\system32\dllcache\iertutil.dll

2013-03-15 19:47:37 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2013-03-15 19:47:37 11111424 -c----w- c:\windows\system32\dllcache\ieframe.dll

2013-03-15 19:46:34 -------- dc-h--w- c:\windows\ie8

2013-03-15 19:30:52 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys

2013-03-15 19:27:34 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll

2013-03-15 19:27:34 3072 ------w- c:\windows\system32\iacenc.dll

2013-03-15 19:25:54 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2013-03-15 19:18:13 2193024 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2013-03-15 19:18:13 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2013-03-15 19:18:12 2027520 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2013-03-15 19:18:04 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2013-03-15 19:17:18 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2013-03-15 19:17:18 272128 ------w- c:\windows\system32\drivers\bthport.sys

2013-03-15 19:15:53 26144 ----a-w- c:\windows\system32\spupdsvc.exe

2013-03-15 19:15:53 -------- d-----w- c:\windows\system32\PreInstall

2013-03-15 19:15:52 -------- d--h--w- c:\windows\$hf_mig$

2013-03-15 19:13:14 -------- d-sh--w- c:\documents and settings\matolis\UserData

2013-03-15 19:04:53 -------- d-----w- c:\windows\system32\SoftwareDistribution

2013-03-15 17:20:11 -------- d-----w- c:\documents and settings\matolis\application data\Malwarebytes

2013-03-15 17:19:57 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2013-03-15 17:19:56 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-03-15 17:19:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-03-15 17:05:28 -------- d-----w- c:\program files\Kaspersky Lab

2013-03-15 17:05:28 -------- d-----w- c:\documents and settings\all users\application data\Kaspersky Lab

2013-03-15 17:05:22 74072 ----a-w- c:\windows\system32\drivers\klflt.sys

2013-03-15 16:54:46 7062 ----a-w- c:\windows\system32\audiopid.vxd

2013-03-15 16:54:35 647872 ------w- c:\windows\system32\Mscomct2.ocx

2013-03-15 16:54:35 41984 ------w- c:\windows\Ctregrun.exe

2013-03-15 16:54:22 90112 ------w- c:\windows\Updreg.EXE

2013-03-15 16:53:52 445016 ----a-w- c:\windows\system32\wrap_oal.dll

2013-03-15 16:53:52 109144 ----a-w- c:\windows\system32\OpenAL32.dll

2013-03-15 16:53:20 10240 ----a-w- c:\windows\CTDCRES.DLL

2013-03-15 16:53:20 -------- d-----w- c:\windows\system32\Data

2013-03-15 16:52:41 -------- d-----w- c:\program files\Creative

2013-03-15 14:25:00 -------- d-sh--r- C:\acroldr

2013-03-15 10:18:57 -------- d--h--w- c:\windows\system32\GroupPolicy

2013-03-15 09:19:52 0 ----a-w- c:\windows\ativpsrm.bin

2013-03-15 09:12:59 77824 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll

2013-03-15 09:12:59 32768 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll

2013-03-15 09:12:59 225280 ----a-w- c:\program files\common files\installshield\iscript\iscript.dll

2013-03-15 09:12:59 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll

2013-03-15 09:12:59 176128 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll

2013-03-15 09:03:45 -------- d-----w- c:\documents and settings\matolis\local settings\application data\ApplicationHistory

2013-03-15 09:02:50 -------- d-----w- c:\windows\system32\URTTemp

2013-03-15 08:55:46 19240 ----a-r- c:\windows\system32\drivers\SiWinAcc.sys

2013-03-15 08:55:46 118824 ----a-r- c:\windows\system32\SilSupp.dll

2013-03-15 08:55:46 116264 ----a-r- c:\windows\system32\drivers\SI3112r.sys

2013-03-15 08:35:32 117248 ----a-r- c:\windows\system32\drivers\viamraid.sys

2013-03-15 08:18:56 27904 ----a-w- c:\windows\system32\drivers\VIAAGP1.SYS

2013-03-15 08:18:52 -------- d-----w- c:\windows\system32\ReinstallBackups

2013-03-15 08:18:29 306688 ----a-w- c:\windows\IsUninst.exe

2013-03-15 08:18:21 -------- d-----w- c:\documents and settings\matolis\WINDOWS

2013-03-15 08:15:05 5824 ----a-w- c:\windows\system32\drivers\ASUSHWIO.SYS

.

==================== Find3M ====================

.

2013-03-15 16:35:09 43608 ----a-w- c:\windows\system32\drivers\kltdi.sys

2013-03-15 16:35:08 24920 ----a-w- c:\windows\system32\drivers\klmouflt.sys

2013-03-15 16:35:08 24408 ----a-w- c:\windows\system32\drivers\klkbdflt.sys

2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys

2013-02-06 10:48:44 81920 ------w- c:\windows\system32\ieencode.dll

2013-02-05 20:05:47 916480 ----a-w- c:\windows\system32\wininet.dll

2013-02-05 20:05:46 43520 ------w- c:\windows\system32\licmgr10.dll

2013-02-05 20:05:46 1469440 ------w- c:\windows\system32\inetcpl.cpl

2013-02-05 05:53:57 385024 ------w- c:\windows\system32\html.iec

2013-01-26 03:55:44 552448 ----a-w- c:\windows\system32\oleaut32.dll

2013-01-07 01:16:02 2193024 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-01-07 00:36:58 2069760 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-01-04 01:20:00 1867264 ----a-w- c:\windows\system32\win32k.sys

2013-01-02 06:49:10 148992 ----a-w- c:\windows\system32\mpg2splt.ax

2013-01-02 06:49:10 1292288 ----a-w- c:\windows\system32\quartz.dll

.

============= FINISH: 14:57:41.96 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 3/15/2013 2:16:14 AM

System Uptime: 4/1/2013 2:20:07 PM (0 hours ago)

.

Motherboard: ASUSTeK Computer Inc. | | K8V

Processor: AMD Athlon 64 Processor 3200+ | Socket 754 | 2002/200mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 932 GiB total, 842.072 GiB free.

D: is CDROM ()

E: is FIXED (NTFS) - 75 GiB total, 73.977 GiB free.

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}

Description: AMD High Definition Audio Device

Device ID: HDAUDIO\FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1001\5&2D021E0F&0&0001

Manufacturer: Advanced Micro Devices

Name: AMD High Definition Audio Device

PNP Device ID: HDAUDIO\FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1001\5&2D021E0F&0&0001

Service: AtiHDAudioService

.

Class GUID: {4D36E97B-E325-11CE-BFC1-08002BE10318}

Description: VIA RAID Controller - 3149

Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_80ED1043&REV_80\3&267A616A&0&78

Manufacturer: VIA Technologies, Inc.

Name: VIA RAID Controller - 3149

PNP Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_80ED1043&REV_80\3&267A616A&0&78

Service: viamraid

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

Ad-Aware Antivirus

Ad-Aware Security Add-on

Adobe Flash Player 11 ActiveX

Adobe Reader XI (11.0.02)

AMD Catalyst Install Manager

Apple Application Support

Apple Software Update

Catalyst Control Center

Catalyst Control Center - Branding

Catalyst Control Center Graphics Previews Common

Catalyst Control Center InstallProxy

Catalyst Control Center Localization All

ccc-utility

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

CCleaner

Creative Audio Control Panel

Creative Console Launcher

Creative Software AutoUpdate

Creative System Information

Creative WaveStudio 7

DARK VOID

Dragon Age: Origins

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB954550-v5)

Kaspersky Internet Security 2013

Malwarebytes Anti-Malware version 1.70.0.1100

Mass Effect

Mass Effect 2

Mass Effect™ 3

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2742597)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Flight Simulator X

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP2 Parser and SDK

NVIDIA PhysX

OpenAL

Origin

QuickTime

Razer

redist

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2618444)

Security Update for Windows Internet Explorer 8 (KB2744842)

Security Update for Windows Internet Explorer 8 (KB2797052)

Security Update for Windows Internet Explorer 8 (KB2809289)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows XP (KB923789)

Sound Blaster X-Fi

Two Worlds

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 8 (KB2598845)

Update for Windows Internet Explorer 8 (KB2632503)

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Media Player 11

.

==== Event Viewer Messages From Past Week ========

.

4/1/2013 2:20:37 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: gagp30kx

4/1/2013 2:17:59 PM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.

3/31/2013 9:30:59 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Ad-Aware service to connect.

3/31/2013 9:30:59 AM, error: Service Control Manager [7000] - The Ad-Aware service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

3/31/2013 9:30:54 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service SBAMSvc with arguments "" in order to run the server: {FE7E09CE-BBF4-4698-8BC1-37C9002DAA43}

3/25/2013 8:13:41 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.

3/25/2013 8:13:41 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

3/25/2013 6:35:13 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Adobe Flash Player Update Service service to connect.

3/25/2013 6:35:13 AM, error: Service Control Manager [7000] - The Adobe Flash Player Update Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

3/25/2013 12:56:20 PM, error: Application Popup [877] - There was error [DATABASE OPEN FAILED] processing the driver database.

.

==== End Of File ===========================


Hi arkhaan,

Welcome to Malwarebytes Forum

My name is Tomk1. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

I will be working on your malware issues; this may or may not solve other issues you have with your machine.

The fixes are specific to your problem and should only be used for the issues on this machine.

Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.

It's often worth reading through these instructions and printing them for ease of reference.

If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.

Please reply to this thread. Do not start a new topic.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, feel free to create a new one.

Download aswMBR.exe (511 KB) to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan, click Save log, save it to your desktop, and post it in your next reply.

Then:

  • Download RogueKiller and save it to your desktop.
  • Quit all other programs
  • Start RogueKiller.exe
  • Wait until the Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan
  • A report will be created on your desktop.
  • Click on the Delete button
  • Next, click on ShortcutsFix
  • Another report will be created on your desktop.

Please post all RKreport.txt text files located on your desktop.


aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software

Run date: 2013-04-01 16:15:23

-----------------------------

16:15:23.093 OS Version: Windows 5.1.2600 Service Pack 3

16:15:23.093 Number of processors: 1 586 0x408

16:15:23.093 ComputerName: MDAUB588 UserName: matolis

16:15:24.171 Initialize success

16:17:15.937 AVAST engine defs: 13040101

16:17:30.265 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e

16:17:30.265 Disk 0 Vendor: WDC_WD800BB-63JKC0 05.01C05 Size: 76319MB BusType: 3

16:17:30.265 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Scsi\SI3112r1Port2Path0Target0Lun0

16:17:30.265 Disk 1 Vendor: SiI_____ 1100 Size: 953878MB BusType: 1

16:17:30.343 Disk 1 MBR read successfully

16:17:30.343 Disk 1 MBR scan

16:17:30.359 Disk 1 Windows XP default MBR code

16:17:30.359 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 953875 MB offset 63

16:17:30.375 Disk 1 scanning sectors +1953536130

16:17:30.406 Disk 1 scanning C:\WINDOWS\system32\drivers

16:17:43.593 Service scanning

16:17:48.187 Service kl1 C:\WINDOWS\system32\DRIVERS\kl1.sys **LOCKED** 5

16:17:48.281 Service klim5 C:\WINDOWS\system32\DRIVERS\klim5.sys **LOCKED** 5

16:17:48.296 Service klkbdflt C:\WINDOWS\system32\DRIVERS\klkbdflt.sys **LOCKED** 5

16:17:48.328 Service klmouflt C:\WINDOWS\system32\DRIVERS\klmouflt.sys **LOCKED** 5

16:17:48.343 Service kltdi C:\WINDOWS\system32\DRIVERS\kltdi.sys **LOCKED** 5

16:17:48.406 Service kneps C:\WINDOWS\system32\DRIVERS\kneps.sys **LOCKED** 5

16:17:53.203 Modules scanning

16:17:56.656 Disk 1 trace - called modules:

16:17:56.671 ntkrnlpa.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll SI3112r.sys

16:17:56.671 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8a63c608]

16:17:56.671 3 CLASSPNP.SYS[ba0a8fd7] -> nt!IofCallDriver -> \Device\Scsi\SI3112r1Port2Path0Target0Lun0[0x8a62fa38]

16:17:57.703 AVAST engine scan C:\WINDOWS

16:18:01.906 AVAST engine scan C:\WINDOWS\system32

16:21:37.734 AVAST engine scan C:\WINDOWS\system32\drivers

16:22:02.812 AVAST engine scan C:\Documents and Settings\matolis

16:23:02.062 AVAST engine scan C:\Documents and Settings\All Users

16:23:51.640 Scan finished successfully

16:26:52.656 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\matolis\Desktop\MBR.dat"

16:26:52.656 The log file has been saved successfully to "C:\Documents and Settings\matolis\Desktop\aswMBR.txt"

I had to run "RogueKiller" twice because the first time I ran it I had forgotten to close down my other programs (mbam, Kaspersky etc.). Sorry about that, this is confusing, but RK made 3 reports.

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : matolis [Admin rights]

Mode : Scan -- Date : 04/01/2013 16:36:15

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤

[RUN][sUSP PATH] HKLM\[...]\Run : SearchProtection (C:\Documents and Settings\All Users\Application Data\Search Protection\_run.bat) [-] -> FOUND

[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[122] : NtOpenProcess @ 0x805C1462 -> HOOKED (\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0x96192C4C)

SSDT[128] : NtOpenThread @ 0x805C16EE -> HOOKED (\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0x96192D3C)

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD800BB-63JKC0 +++++

--- User ---

[MBR] e830bfbade9ae6845a724b66390a44da

[bSP] 873b6688299a642a951645c4e274ccac : Windows XP MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76316 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: SiI RAID 0 Set 0 SCSI Disk Device +++++

--- User ---

[MBR] fd3085d2deb2d7a3800d077ee06bcb8a

[bSP] 29de1555f20f4574cd04076ba872fded : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953875 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1]_S_04012013_02d1636.txt >>

RKreport[1]_S_04012013_02d1636.txt

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : matolis [Admin rights]

Mode : Remove -- Date : 04/01/2013 16:37:01

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤

[RUN][sUSP PATH] HKLM\[...]\Run : SearchProtection (C:\Documents and Settings\All Users\Application Data\Search Protection\_run.bat) [-] -> DELETED

[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> REPLACED (0)

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[122] : NtOpenProcess @ 0x805C1462 -> HOOKED (\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0x96192C4C)

SSDT[128] : NtOpenThread @ 0x805C16EE -> HOOKED (\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0x96192D3C)

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD800BB-63JKC0 +++++

--- User ---

[MBR] e830bfbade9ae6845a724b66390a44da

[bSP] 873b6688299a642a951645c4e274ccac : Windows XP MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76316 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: SiI RAID 0 Set 0 SCSI Disk Device +++++

--- User ---

[MBR] fd3085d2deb2d7a3800d077ee06bcb8a

[bSP] 29de1555f20f4574cd04076ba872fded : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953875 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[2]_D_04012013_02d1637.txt >>

RKreport[1]_S_04012013_02d1636.txt ; RKreport[2]_D_04012013_02d1637.txt

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : matolis [Admin rights]

Mode : Shortcuts HJfix -- Date : 04/01/2013 16:38:14

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤

Desktop: Success 0 / Fail 0

Quick launch: Success 0 / Fail 0

Programs: Success 6 / Fail 0

Start menu: Success 0 / Fail 0

User folder: Success 51 / Fail 0

My documents: Success 0 / Fail 0

My favorites: Success 0 / Fail 0

My pictures: Success 0 / Fail 0

My music: Success 0 / Fail 0

My videos: Success 0 / Fail 0

Local drives: Success 64 / Fail 0

Backup: [NOT FOUND]

Drives:

[A:] \Device\Floppy0 -- 0x2 --> Skipped

[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored

[D:] \Device\CdRom0 -- 0x5 --> Skipped

[E:] \Device\HarddiskVolume2 -- 0x3 --> Restored

Finished : << RKreport[3]_SC_04012013_02d1638.txt >>

RKreport[1]_S_04012013_02d1636.txt ; RKreport[2]_D_04012013_02d1637.txt ; RKreport[3]_SC_04012013_02d1638.txt
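The aswMBR run above saved the first sector of Disk 1 to MBR.dat, and RogueKiller's MBR Check printed an MD5 for the sector, an MD5 for the boot code, and the partition table (one active NTFS partition at offset 63). The script below is an added example, not part of this thread or of either tool, showing what such a check does to a raw 512-byte MBR image: verify the 0x55AA signature, hash the sector and the boot strap code, decode the partition entries, and compare the boot code against a baseline hash. The sample sector is constructed in the script with placeholder boot code; which exact byte ranges RogueKiller hashes for its [MBR] and [BSP] lines is not stated in the logs, so the 440-byte boot-code region here is an assumption.

```python
"""Parse a raw 512-byte MBR image and report the things an MBR check looks at:
boot-code hash, boot signature and partition table. Added example; the sample
sector below is constructed, not a dump of the poster's disk."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # assumed boot strap region: bytes 0..439
PART_TABLE_OFFSET = 446        # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR

PARTITION_TYPES = {0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x83: "Linux"}


def build_sample_mbr(boot_code, partitions):
    """Construct an MBR image for testing.
    partitions: list of (active, type_byte, lba_start, sector_count)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(boot_code)] = boot_code
    for i, (active, ptype, lba_start, count) in enumerate(partitions[:4]):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        # status, CHS start (unused here), type, CHS end (unused), LBA start, sector count
        mbr[off:off + PART_ENTRY_LEN] = struct.pack(
            "<B3sB3sII", 0x80 if active else 0x00, b"\0\0\0", ptype, b"\0\0\0",
            lba_start, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr):
    """Return hashes and decoded partition table; raise on a malformed image."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte image, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    report = {
        "mbr_md5": hashlib.md5(mbr).hexdigest(),
        "boot_code_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": [],
    }
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        status, _, ptype, _, lba_start, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + PART_ENTRY_LEN])
        if ptype == 0:
            continue  # empty slot
        report["partitions"].append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "offset_sectors": lba_start,
            "size_mb": count * SECTOR_SIZE // (1024 * 1024),
        })
    return report


def check_against_baseline(mbr, expected_boot_md5):
    """Compare boot code with a hash recorded when the machine was known clean.
    Returns (ok, actual_hash); a mismatch means the boot code changed."""
    actual = hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()
    return actual == expected_boot_md5, actual


# Constructed sample: placeholder boot code plus one active NTFS partition at
# LBA 63 with 1,953,536,000 sectors (953875 MB, the size shown in the logs above).
SAMPLE_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 10, [(True, 0x07, 63, 1953536000)])
SAMPLE_REPORT = parse_mbr(SAMPLE_MBR)

if __name__ == "__main__":
    # Usage on a real dump: parse_mbr(open("MBR.dat", "rb").read())
    for key, value in SAMPLE_REPORT.items():
        print(key, value)
```

Parsing MBR.dat from the aswMBR run this way yields the same kind of facts RogueKiller prints; keeping the boot-code hash from a known-clean state lets a later check_against_baseline call flag a changed boot sector rather than relying only on a "Windows XP MBR Code" label.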


At this point I'm not seeing any sign of a rootkit.

RK took care of the one rogue I could see.

Let's dig a little deeper:

Download ComboFix from here: http://download.blee...Bs/ComboFix.exe

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatth...ams_t96260.html
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


ComboFix 13-04-01.01 - matolis 04/01/2013 17:58:22.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1582 [GMT -5:00]

Running from: c:\documents and settings\matolis\Desktop\ComboFix.exe

AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

AV: Lavasoft Ad-Aware *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}

FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Lavasoft Ad-Aware *Disabled* {FF1CD5B7-1553-4625-A258-1775385CED33}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\matolis\WINDOWS

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\fusion.dll

c:\windows\system32\URTTemp\mscoree.dll

c:\windows\system32\URTTemp\mscoree.dll.local

c:\windows\system32\URTTemp\mscorsn.dll

c:\windows\system32\URTTemp\mscorwks.dll

c:\windows\system32\URTTemp\msvcr71.dll

c:\windows\system32\URTTemp\regtlib.exe

.

.

((((((((((((((((((((((((( Files Created from 2013-03-01 to 2013-04-01 )))))))))))))))))))))))))))))))

.

.

2013-03-29 07:02 . 2013-03-29 08:50 -------- d-----w- C:\Games

2013-03-17 17:33 . 2013-03-17 17:33 -------- d-----w- C:\AMD

2013-03-17 04:47 . 2013-03-17 04:47 -------- d-----w- C:\USBVaccine

2013-03-16 03:54 . 2013-03-16 03:54 -------- d-----w- C:\70a2473e871645d7e4

2013-03-15 14:25 . 2013-03-15 14:25 -------- d-----r- C:\acroldr

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-03-15 16:35 . 2012-06-08 17:38 43608 ----a-w- c:\windows\system32\drivers\kltdi.sys

2013-03-15 16:35 . 2012-07-25 20:53 24920 ----a-w- c:\windows\system32\drivers\klmouflt.sys

2013-03-15 16:35 . 2012-05-26 01:38 24408 ----a-w- c:\windows\system32\drivers\klkbdflt.sys

2013-02-12 00:32 . 2008-04-14 12:00 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys

2013-02-06 10:48 . 2013-02-06 10:48 81920 ------w- c:\windows\system32\ieencode.dll

2013-02-05 20:05 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2013-02-05 20:05 . 2008-04-14 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2013-02-05 20:05 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2013-02-05 05:53 . 2008-04-14 12:00 385024 ------w- c:\windows\system32\html.iec

2013-01-26 03:55 . 2008-04-14 12:00 552448 ----a-w- c:\windows\system32\oleaut32.dll

2013-01-07 01:16 . 2008-04-14 12:00 2193024 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-01-07 00:36 . 2008-04-14 00:01 2069760 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-01-04 01:20 . 2008-04-14 12:00 1867264 ----a-w- c:\windows\system32\win32k.sys

2013-01-02 06:49 . 2008-04-14 12:00 148992 ----a-w- c:\windows\system32\mpg2splt.ax

2013-01-02 06:49 . 2008-04-14 12:00 1292288 ----a-w- c:\windows\system32\quartz.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2013-02-11 87464]

.

[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]

2013-02-11 10:47 87464 ----a-w- c:\program files\adawaretb\adawareDx.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2013-02-11 87464]

.

[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Ad-Aware Antivirus"="c:\program files\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]

"CTHelper"="CTHELPER.EXE" [2006-05-24 17920]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 98304]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]

"CTxfiHlp"="CTXFIHLP.EXE" [2010-05-06 25600]

"razertra"="c:\program files\Razer\razertra.exe" [2004-02-26 208896]

"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2013-01-31 542632]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Z1"="e:\mbar\mbar.exe" [2013-04-01 1363016]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLinkedConnections"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]

@="Ad-Aware Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\adawaretb\\dtUser.exe"=

"c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=

"c:\\Program Files\\Mass Effect 2\\Binaries\\MassEffect2.exe"=

"c:\\Program Files\\Mass Effect 2\\MassEffect2Launcher.exe"=

"c:\\Games\\Reality Pump\\Two Worlds\\TwoWorlds.exe"=

"c:\\Games\\Reality Pump\\Two Worlds\\TwoWorlds_RADEON.exe"=

"c:\\Games\\CAPCOM\\DARK VOID\\Launcher.exe"=

"c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=

"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=

"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=

"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=

"c:\\Program Files\\Origin Games\\Mass Effect 3\\Binaries\\Win32\\MassEffect3.exe"=

.

R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [3/15/2013 3:55 AM 116264]

R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [6/8/2012 12:38 PM 43608]

R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [8/13/2012 5:49 PM 144344]

R2 Ad-Aware Service;Ad-Aware Service;c:\program files\Ad-Aware Antivirus\AdAwareService.exe [2/21/2013 5:37 AM 1236336]

R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [5/5/2010 9:23 PM 171096]

R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [5/5/2010 9:24 PM 1324120]

R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [5/5/2010 9:23 PM 72792]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [6/27/2012 3:09 PM 35672]

R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [5/25/2012 8:38 PM 24408]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [7/25/2012 3:53 PM 24920]

R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [3/31/2013 6:29 AM 35144]

S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [3/25/2013 2:39 AM 13560]

S1 1502209drv;1502209drv;c:\windows\system32\drivers\1502209drv.sys [3/20/2013 10:43 PM 475736]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/15/2013 12:19 PM 682344]

S2 SBAMSvc;Ad-Aware;c:\program files\Ad-Aware Antivirus\SBAMSvc.exe [9/20/2012 5:39 AM 3677000]

S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [3/17/2013 12:35 PM 99856]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [3/21/2013 11:32 AM 79360]

S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [5/5/2010 9:23 PM 171096]

S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [5/5/2010 9:24 PM 1324120]

S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [5/5/2010 9:23 PM 72792]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [3/25/2013 12:10 PM 25832]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/15/2013 12:19 PM 21104]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - ASWMBR

*NewlyCreated* - TRUESIGHT

*Deregistered* - aswMBR

*Deregistered* - TrueSight

.

Contents of the 'Scheduled Tasks' folder

.

2013-04-01 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-03-21 02:05]

.

2013-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

mStart Page = about:blank

TCP: DhcpNameServer = 192.168.1.254

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-28238300.sys

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-04-01 18:04

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTxfiHlp = CTXFIHLP.EXE?

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-329068152-706699826-682003330-1003\Software\SecuROM\License information*]

"datasecu"=hex:0b,aa,0d,75,9d,5e,19,42,63,87,ce,40,38,16,64,96,03,a3,65,05,b2,

51,63,05,37,37,1e,5f,94,d5,14,14,01,c4,3d,65,42,46,94,0c,86,f1,24,08,27,2a,\

"rkeysecu"=hex:b4,44,1a,37,75,ae,19,c5,64,52,18,43,bf,08,e5,51

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1040)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\atiadlxx.dll

.

Completion time: 2013-04-01 18:05:45

ComboFix-quarantined-files.txt 2013-04-01 23:05

.

Pre-Run: 904,002,850,816 bytes free

Post-Run: 904,048,906,240 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - F2D599EB9E0AFFB11C1E8DFB1A2C4797


That is looking good...

Let's get an online scan:

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: EOLS1.gif
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Also, Please let me know how things seem to be running now.


ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=8

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6920

# api_version=3.0.2

# EOSSerial=809897f28ff30643bc58aabfa567badf

# engine=13527

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2013-04-02 03:12:23

# local_time=2013-04-01 10:12:23 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1286 16777213 100 97 0 18691865 0 0

# scanned=105944

# found=0

# cleaned=0

# scan_time=2474

The computer runs normally when Kaspersky and mbam aren't running together; it seems that running those two programs together causes much of the slowdown on my PC, especially when I have "Enable malicious website blocking" enabled at the same time Kaspersky is enabled. However, I do not know why "Enable malicious website blocking" disables on its own without my intervention. So far it hasn't done so since beginning these diagnostic tests.

Here's hoping...


Ok... I'm thinking the problem is interaction between the programs rather than malware. That being the case I suggest that you post your problem here: http://forums.malwar...hp?showforum=41

I suspect that someone will be better prepared to help you with this than I am.

But first:

Time for some housekeeping

  • Click START then RUN
  • Now type ComboFix /Uninstall in the runbox and click OK.
  • Note the space between the X and the U, it needs to be there.

The above procedure will:

  • Implement some cleanup procedures.
  • Reset System Restore.

Now to remove most of the tools that we have used in fixing your machine:

  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

If there are any tools or logs left.. just delete them.

Please re-enable any security that was disabled.

The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.

I would also suggest you read this:

So how did I get infected in the first place?

by Tony Klein

Also: "How to prevent malware"

by miekiemoes

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved.


I have run ComboFix /Uninstall and OTC; however, when I rebooted I remained online, and when I was back on the desktop the mbam icon greyed out and it was inaccessible. I can't even bring it up. I will reboot again and hopefully mbam will be restored; this has happened to me before, something to do with icon sequencing, that is what I read in another forum. I will refer back to the forum you suggested, though I started a topic there originally and was referred here.

Thank you kindly for your help in assuring I do not have any malware.


It isn't actually "on", it is just available. It isn't a ComboFix product, it is from Microsoft... ComboFix just checked to see if it was installed and installed it if it hadn't been. It can be removed, but I recommend you leave it so it is available if you get a rootkit infection. An updated version of it is installed automatically with Vista and newer systems... it just had not been "invented" yet when XP first came out.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.