
Hi,

I ran MBAM and have this infected file at C:\Window\system32\drivers\utcnjp.sys. It says delete on reboot, but it did not. I cannot manually delete it. FileASSASSIN could not delete it, either.

MBAM log and HijackThis log follow.

Please help.

Thanks in advance.

Started

--

Malwarebytes' Anti-Malware 1.44

Database version: 3711

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/02/2010 2:28:19 AM

mbam-log-2010-02-10 (02-28-19).txt

Scan type: Quick Scan

Objects scanned: 146544

Time elapsed: 14 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\utcnjg.sys (Rootkit.Agent) -> Delete on reboot.

--

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:45:48 PM, on 10/02/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\WINDOWS\LogWatNT.exe

c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe

C:\WINDOWS\system32\mqsvc.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Common Files\Ahead\lib\NMIndexStoreSvr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: TeachingHandler - {31EBA2E2-58B2-4980-9C41-F12F5F1422C5} - C:\WINDOWS\system32\TPHANDLE.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: PPVADownloader - {A986E409-30CC-4185-89BB-AB212C104524} - C:\Program Files\PPLiveVA\DownloaderManager.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: IE DevToolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll

O3 - Toolbar: (no name) - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - (no file)

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: ʹ


Hello Started,

This system appears to have BitComet installed. De-install it before we proceed forward! I must insist you remove it and any other such peer-to-peer filesharing apps.

I do not recommend their use since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.

"File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

P2P file sharing: Know the risks

Should I see that it is still installed, I will withdraw my assistance.

Next: Step 2

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 3

Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 4

  • Disable CD-ROM Emulation Software (DeFogger - Disable)
  • Please download the following tool DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
  • IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
  • Do not re-enable these drivers until otherwise instructed.

Step 5

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".

Step 6

Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.

Step 7

Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\WINDOWS\system32\drivers\utcnjg.sys

    Drivers to delete:
    utcnjg
    utcnjg.sys

    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler


  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

Step 8

Next, see this topic --> http://forums.malwarebytes.org/index.php?showtopic=9573

and do the steps to get & run a Gmer rootkit scan

AND get & run DDS reports

Step 9

Reply with copy of contents of C:\Avenger.txt

Gmer scan log

DDS.txt

Attach.txt
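As an added example (not from this thread or from any of the tools it names), a small Python triage helper for the log formats used above: it reads the "Files Infected:" section of an MBAM log and the O2/O3 lines of a HijackThis log, lists what MBAM left for "Delete on reboot", and drafts the "Files to delete:" / "Drivers to delete:" blocks in the layout of the Step 7 script. It assumes the driver's service name equals the file stem (utcnjg for utcnjg.sys), as that script does, and the sample log lines are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample lines in the shape of the logs posted in this thread (not the real logs).
MBAM_LOG = r"""
Files Infected:
C:\WINDOWS\system32\drivers\utcnjg.sys (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\user\Local Settings\Temp\abc.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

HJT_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: (no name) - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - (no file)
"""

# MBAM 1.4x prints one hit per line as "<path> (<detection>) -> <action>."
MBAM_FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<det>[^()]+)\) -> (?P<action>.+?)\.?$")
# HijackThis O2 (BHO) / O3 (toolbar) entries whose DLL no longer exists
HJT_ORPHAN_RE = re.compile(r"^O[23] - .*\(no file\)\s*$")


@dataclass
class MbamHit:
    path: str
    detection: str
    action: str

    @property
    def pending_reboot(self) -> bool:
        # MBAM could not remove the file while it was in use (typical of a loaded rootkit driver)
        return self.action.lower().startswith("delete on reboot")

    @property
    def is_driver(self) -> bool:
        return self.path.lower().endswith(".sys")


def parse_mbam_files(log: str) -> list[MbamHit]:
    """Return the entries under 'Files Infected:'; every other section is ignored."""
    hits, in_files = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line.endswith(":"):            # section header, e.g. "Files Infected:"
            in_files = (line == "Files Infected:")
            continue
        m = MBAM_FILE_RE.match(line) if in_files else None
        if m:
            hits.append(MbamHit(m["path"], m["det"], m["action"]))
    return hits


def parse_hjt_orphans(log: str) -> list[str]:
    """Orphaned BHO/toolbar registrations: the DLL is gone, the registry entry is not."""
    return [l.strip() for l in log.splitlines() if HJT_ORPHAN_RE.match(l.strip())]


def driver_service_name(path: str) -> str:
    # Assumption: the service name equals the file stem (utcnjg for utcnjg.sys), as the thread's script assumes
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def build_avenger_script(hits: list[MbamHit]) -> str:
    """Draft the 'Files to delete:' / 'Drivers to delete:' blocks for hits MBAM could not remove.

    Returns an empty string when nothing is pending.
    """
    pending = [h for h in hits if h.pending_reboot]
    if not pending:
        return ""
    lines = ["Files to delete:"] + [h.path for h in pending]
    drivers = [h for h in pending if h.is_driver]
    if drivers:
        lines += ["", "Drivers to delete:"]
        for h in drivers:
            lines += [driver_service_name(h.path), h.path.rsplit("\\", 1)[-1]]
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_mbam_files(MBAM_LOG)
    for h in found:
        print(f"{'PENDING' if h.pending_reboot else 'removed':8} {h.detection:14} {h.path}")
    print()
    print(build_avenger_script(found))
    print()
    print("\n".join(parse_hjt_orphans(HJT_LOG)))
```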


Hi Maurice,

First of all, thank you for your time and help.

I tried to follow each and every step as you described. Most were done as expected, but a few were not able to be executed exactly as instructed. After everything was done, I ran Malwarebytes and nothing was found. I rebooted and ran it again; it was clean. I navigated to folder C:\Window\system32\drivers and did not see the utcnjp.sys any more. :)

The following are those steps different from the instructions:

1. Step 4: Defogger did not ask me to reboot after I clicked OK to confirm 'Finished'. I manually rebooted my computer.

2. Step 8: I did not know what I should do to 'Disable any script blocker'. Nevertheless, I continued to run DDS. The command line window started then disappeared in 20 seconds, without opening any log. So I did not get the DDS.txt and Attach.txt.

3. After Step 8, I got a pop-up window (probably) from Symantec Antivirus:

Auto-Protect has acted on the risks.

Risk | Action | Count | Filename | Risk Type | Original Location

Hacktool.Rootkit | Cleaned by deletion | 2 | utcnjp.sys | File | C:\Avenger\

Please advise what to do next to complete this procedure.

Contents of ark.txt and avenger.txt are as follows. Could you also look at the latest hijackthis.log and let me know if there is anything I should better get rid of?

Regards,

Started.

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-02-16 07:03:22

Windows 5.1.2600 Service Pack 3

Running: gn0h4gjx.exe; Driver: C:\DOCUME~1\LINW~1\LOCALS~1\Temp\pxtdapow.sys

---- System - GMER 1.0.15 ----

SSDT 862D1BD8 ZwAlertResumeThread

SSDT 86339460 ZwAlertThread

SSDT 85E2A0D0 ZwAllocateVirtualMemory

SSDT 86C87100 ZwConnectPort

SSDT 86082C90 ZwCreateMutant

SSDT 85D9D6E0 ZwCreateThread

SSDT 862E05D8 ZwFreeVirtualMemory

SSDT 85E2DD18 ZwImpersonateAnonymousToken

SSDT 86339428 ZwImpersonateThread

SSDT 86E15AD0 ZwMapViewOfSection

SSDT 85FB1008 ZwOpenEvent

SSDT 85CF8DE8 ZwOpenProcessToken

SSDT 86CC67F0 ZwOpenThreadToken

SSDT 868CFD28 ZwResumeThread

SSDT 85F94FD0 ZwSetContextThread

SSDT 86C42480 ZwSetInformationProcess

SSDT 85F8B0F8 ZwSetInformationThread

SSDT 860C50B8 ZwSuspendProcess

SSDT 85E2C2A8 ZwSuspendThread

SSDT 85E34920 ZwTerminateProcess

SSDT 85E28740 ZwTerminateThread

SSDT 86C858A8 ZwUnmapViewOfSection

SSDT 85CF6008 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x21 0xB9 0x7E 0x50 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x34 0x37 0x1C 0x7B ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x67 0x47 0x34 0x49 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x21 0xB9 0x7E 0x50 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x34 0x37 0x1C 0x7B ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x67 0x47 0x34 0x49 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x21 0xB9 0x7E 0x50 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x34 0x37 0x1C 0x7B ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x67 0x47 0x34 0x49 ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x21 0xB9 0x7E 0x50 ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x34 0x37 0x1C 0x7B ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x67 0x47 0x34 0x49 ...

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x21 0xB9 0x7E 0x50 ...

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x34 0x37 0x1C 0x7B ...

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x67 0x47 0x34 0x49 ...

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@


You need to temporarily turn off the Symantec Antivirus before running (starting) DDS

See, study and follow the section on Symantec/Norton

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Then start DDS and get those logs copied and posted.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Then allow time for my review.

When the reports are done, turn back on the Symantec/Norton AV.

Symantec was hyper-active and it deleted the driver that had been quarantined by the Avenger tool.

Post copies of DDS.txt

Attach.txt

and latest MBAM scan log


Hi Maurice,

I turned off Symantec and was able to run DDS. Then I ran MBAM MalwareBytes' Anti-Malware and nothing was found.

The logs are posted and attached for your review.

I appreciate your assistance.

Regards,

Started

DDS (Ver_09-12-01.01) - NTFSx86

Run by Lin W at 17:50:25.29 on 16/02/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_01

Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.1015.295 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\ANIWConnService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\WINDOWS\LogWatNT.exe

c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe

C:\WINDOWS\system32\mqsvc.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

C:\Program Files\D-Link\DWA-125 revA\AirGCFG.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe

C:\Documents and Settings\Lin W\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uSearch Page = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR

uSearch Bar = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: IEHandle Class: {31eba2e2-58b2-4980-9c41-f12f5f1422c5} - c:\windows\system32\TPHANDLE.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: IE DevToolbar BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll

TB: {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - No File

EB: IE DOM Explorer: {a202b231-ef71-4a08-bdb9-4ce5ae8bde0a} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [MsmqIntCert] regsvr32 /s mqrt.dll

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_01\bin\jusched.exe"

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe

mRun: [D-Link D-Link Wireless 150 USB Adapter DWA-125] c:\program files\d-link\dwa-125 reva\AirGCFG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE

IE: &??BitComet?? - c:\program files\bitcomet\BitComet.exe/AddLink.htm

IE: &??BitComet?????? - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm

IE: &??BitComet?????? - c:\program files\bitcomet\BitComet.exe/AddVideo.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {09BA8F6D-CB54-424B-839C-C2A6C8E6B436}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\linw~1\applic~1\mozilla\firefox\profiles\wwfd6ppw.default\

FF - prefs.js: browser.search.selectedEngine - Answers.com

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: XULRunner: {A0CA53B9-0516-4E75-9F17-37CCFB9CF39E} - c:\documents and settings\lin w\local settings\application data\{a0ca53b9-0516-4e75-9f17-37ccfb9cf39e}\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 ANIWConnService;ANIWConn Service;c:\windows\system32\ANIWConnService.exe [2010-2-15 147456]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-10-13 107624]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-10-13 107624]

R2 LogWatch;Event Log Watch;c:\windows\LogWatNT.exe [2000-6-8 50176]

R2 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2007-3-3 202096]

R2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-1 217600]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-10-14 1956552]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-5 102448]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100210.004\NAVENG.SYS [2010-2-10 84912]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100210.004\NAVEX15.SYS [2010-2-10 1324720]

R3 rt2870;D-Link 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-2-15 715520]

S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\microsoft sql server\mssql.3\reporting services\reportserver\bin\ReportingServicesService.exe [2007-3-3 17264]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-10-14 122056]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

=============== Created Last 30 ================

2010-02-16 04:47:51 20 ----a-w- c:\documents and settings\lin w\defogger_reenable

2010-02-16 04:03:54 7 ----a-w- c:\windows\system32\ANIWZCSUSERNAME

2010-02-15 23:41:54 3284 ----a-w- c:\windows\system32\ANIWZCS{2FA04624-1641-4AEC-B628-B57F83651F98}

2010-02-15 23:36:12 147456 ----a-w- c:\windows\system32\ANIWConnService.exe

2010-02-15 23:36:06 6 ----a-w- c:\windows\system32\ANIWZCSUSERNAME{2FA04624-1641-4AEC-B628-B57F83651F98}

2010-02-15 23:35:20 0 d-----w- c:\program files\ANI

2010-02-15 23:33:07 715520 ----a-w- c:\windows\system32\drivers\rt2870.sys

2010-02-15 23:33:07 221184 ----a-w- c:\windows\system32\RaCoInst.dll

2010-02-15 23:33:07 13931 ----a-w- c:\windows\system32\RaCoInst.dat

2010-02-15 23:33:07 0 d-----w- c:\program files\D-Link

2010-02-11 21:00:08 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2010-02-11 21:00:08 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2010-02-11 01:45:27 0 d-----w- c:\program files\Trend Micro

==================== Find3M ====================

2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll

2006-09-14 18:28:53 105801870 ----a-w- c:\program files\Microsoft SQL Server.rar

============= FINISH: 17:51:22.96 ===============

Malwarebytes' Anti-Malware 1.44

Database version: 3747

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

16/02/2010 6:03:27 PM

mbam-log-2010-02-16 (18-03-27).txt

Scan type: Quick Scan

Objects scanned: 135935

Time elapsed: 6 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 16/06/2009 7:41:13 AM

System Uptime: 16/02/2010 5:42:44 PM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5GC-MX/1333

Processor: Intel® Celeron® CPU 2.80GHz | LGA 775 | 2800/133mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 59 GiB total, 22.261 GiB free.

D: is FIXED (NTFS) - 57 GiB total, 28.246 GiB free.

E: is FIXED (NTFS) - 70 GiB total, 24.07 GiB free.

F: is CDROM ()

G: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP68: 14/12/2009 6:03:06 PM - System Checkpoint

RP69: 15/12/2009 7:02:13 PM - System Checkpoint

RP70: 16/12/2009 11:07:41 PM - System Checkpoint

RP71: 18/12/2009 12:55:27 AM - System Checkpoint

RP72: 19/12/2009 3:08:22 AM - System Checkpoint

RP73: 20/12/2009 3:31:14 AM - System Checkpoint

RP74: 06/01/2010 2:27:48 AM - Removed MSDN Library for Visual Studio 2005

RP75: 06/01/2010 2:31:30 AM - Removed NUnit-Net-2.0 2.2.7

RP76: 06/01/2010 2:32:20 AM - Removed SQL Prompt

RP77: 06/01/2010 2:33:42 AM - Removed WebEx Record and Playback

RP78: 06/01/2010 2:34:06 AM - Removed Windows Live Favorites for Windows Live Toolbar

RP79: 06/01/2010 2:37:28 AM - Removed Windows Live Toolbar

RP80: 09/01/2010 11:19:15 AM - System Checkpoint

RP81: 10/01/2010 12:58:29 PM - System Checkpoint

RP82: 12/01/2010 11:20:12 PM - Software Distribution Service 3.0

RP83: 15/01/2010 3:33:07 AM - System Checkpoint

RP84: 18/01/2010 7:53:53 PM - System Checkpoint

RP85: 23/01/2010 12:40:46 PM - System Checkpoint

RP86: 24/01/2010 3:00:18 AM - Software Distribution Service 3.0

RP87: 27/01/2010 7:31:22 PM - System Checkpoint

RP88: 31/01/2010 12:17:12 PM - System Checkpoint

RP89: 05/02/2010 2:37:27 AM - System Checkpoint

RP90: 06/02/2010 12:57:15 PM - System Checkpoint

RP91: 07/02/2010 1:52:09 PM - System Checkpoint

RP92: 08/02/2010 2:51:03 PM - System Checkpoint

RP93: 09/02/2010 6:05:35 PM - System Checkpoint

RP94: 10/02/2010 8:07:02 PM - Software Distribution Service 3.0

RP95: 11/02/2010 8:44:44 PM - System Checkpoint

RP96: 15/02/2010 6:34:56 PM - Installed D-Link Wireless 150 USB Adapter DWA-125

RP97: 15/02/2010 6:35:19 PM - Installed ANIO Service

RP98: 15/02/2010 6:35:43 PM - Installed ANIWZCS2 Service

RP99: 15/02/2010 11:24:09 PM - Configured Swift 3D Version 4.00

==== Installed Programs ======================

??????? 2.0

2007 Microsoft Office Suite Service Pack 1 (SP1)

Adobe Anchor Service CS3

Adobe Asset Services CS3

Adobe Bridge 1.0

Adobe Bridge CS3

Adobe Bridge Start Meeting

Adobe Camera Raw 4.0

Adobe CMaps

Adobe Color Common Settings

Adobe Color EU Extra Settings

Adobe Color JA Extra Settings

Adobe Color NA Recommended Settings

Adobe Common File Installer

Adobe Default Language CS3

Adobe ExtendScript Toolkit 2

Adobe Flash Player 9 ActiveX

Adobe Fonts All

Adobe Help Center 1.0

Adobe Help Viewer CS3

Adobe InDesign CS3

Adobe InDesign CS3 Icon Handler

Adobe Linguistics CS3

Adobe PDF Library Files

Adobe Photoshop CS2

Adobe Reader 7.1.0

Adobe Reader Chinese Simplified Fonts

Adobe Reader Chinese Traditional Fonts

Adobe Setup

Adobe SING CS3

Adobe Stock Photos 1.0

Adobe Stock Photos CS3

Adobe Type Support

Adobe Update Manager CS3

Adobe Version Cue CS3 Client

Adobe WinSoft Linguistics Plugin

Adobe XMP Panels CS3

Agere Systems PCI Soft Modem

AllFusion ERwin Data Modeler

ANIO Service

ANIWZCS2 Service

Atheros Communications Inc.® L2 Fast Ethernet Driver

ATI - Software Uninstall Utility

ATI Display Driver

Canon Utilities PhotoStitch

D-Link Wireless 150 USB Adapter DWA-125

Enterprise Library for .NET Framework 2.0 - January 2006

ERUNT 1.1j

Excentrics World Controls

FileZilla Client 3.2.4.1

GDR 1406 for SQL Server Analysis Services 2005 ENU (KB932557)

GDR 1406 for SQL Server Database Services 2005 ENU (KB932557)

GDR 1406 for SQL Server Integration Services 2005 ENU (KB932557)

GDR 1406 for SQL Server Notification Services 2005 ENU (KB932557)

GDR 1406 for SQL Server Reporting Services 2005 ENU (KB932557)

Google Talk (remove only)

Google Updater

HijackThis 2.0.2

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Intel® Graphics Media Accelerator Driver

Internet Explorer Developer Toolbar

J2SE Runtime Environment 5.0 Update 6

Java SE Runtime Environment 6 Update 1

LiveUpdate 3.2 (Symantec Corporation)

Macromedia Dreamweaver MX 2004

Macromedia Extension Manager

Macromedia Flash MX 2004

Malwarebytes' Anti-Malware

MetaFrame Presentation Server Web Client for Win32

Microsoft .NET Compact Framework 1.0 SP3 Developer

Microsoft .NET Compact Framework 2.0

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB953297)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft ASP.NET 2.0 AJAX Extensions 1.0

Microsoft Device Emulator version 1.0 - ENU

Microsoft Document Explorer 2005

Microsoft FrontPage Client - English

Microsoft Office 2003 Web Components

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office Live Meeting 2005 Replay Wrapper

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Visio 2007 Service Pack 1 (SP1)

Microsoft Office Visio MUI (English) 2007

Microsoft Office Visio Professional 2007

Microsoft Office Visio Professional 2007 Trial

Microsoft Office Word MUI (English) 2007

Microsoft Software Update for Web Folders (English) 12

Microsoft SQL Server 2005

Microsoft SQL Server 2005 Analysis Services

Microsoft SQL Server 2005 Backward compatibility

Microsoft SQL Server 2005 Integration Services

Microsoft SQL Server 2005 Notification Services

Microsoft SQL Server 2005 Reporting Services

Microsoft SQL Server 2005 Tools Express Edition

Microsoft SQL Server Management Studio Express

Microsoft SQL Server Native Client

Microsoft SQL Server Setup Support Files (English)

Microsoft SQL Server VSS Writer

Microsoft Virtual PC 2004

Microsoft Visual J# 2.0 Redistributable Package

Microsoft Visual Studio .NET Enterprise Architect 2003 - English

Microsoft Visual Studio 2005 Professional Edition - ENU

Microsoft Visual Studio 2005 Web Application Projects

Microsoft WSE 2.0 SP3 Runtime

Mozilla Firefox (3.6)

MSDN Library for Visual Studio .NET 2003

MSN

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6 Service Pack 2 (KB973686)

MSXML4SP2

Nero 7 Ultra Edition

Norton PartitionMagic

Norton PartitionMagic 8.0

Opera 9.0

PDF Settings

QuickTime

RealPlayer

Realtek High Definition Audio Driver

Security Update for 2007 Microsoft Office System (KB951550)

Security Update for 2007 Microsoft Office System (KB951944)

Security Update for 2007 Microsoft Office System (KB960003)

Security Update for CAPICOM (KB931906)

Security Update for Microsoft Office Excel 2007 (KB959997)

Security Update for Microsoft Office OneNote 2007 (KB950130)

Security Update for Microsoft Office PowerPoint 2007 (KB957789)

Security Update for Microsoft Office Publisher 2007 (KB950114)

Security Update for Microsoft Office system 2007 (KB954326)

Security Update for Microsoft Office system 2007 (KB956828)

Security Update for Microsoft Office Visio 2007 (KB957831)

Security Update for Microsoft Office Word 2007 (KB956358)

Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB925674)

Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB937060)

Security Update for Visio 2007 (KB947590)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB974455)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953155)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371-v2)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969897)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB970483)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972260)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974455)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978706)

Soap 3.0 Toolkit

SQLXML4

Symantec AntiVirus

Synacast Plug-in 1.1.0.7

Telligent Community Server 2.1 SP1

TextPad 4.7

UFile 2005

UFile 2008

UFile Updater 2005

UFile Updater 2008

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Office Outlook 2007 (KB952142)

Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB915364)

Update for Outlook 2007 Junk Email Filter (kb968503)

Update for Windows Internet Explorer 8 (KB975364)

Update for Windows Internet Explorer 8 (KB976749)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Update for Windows XP (KB976749)

Visual Studio .NET Enterprise Architect 2003 - English

Visual Studio.NET Baseline - English

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Internet Explorer 8

Windows Live Messenger

Windows Live Sign-in Assistant

Windows Media Format 11 runtime

Windows Media Format Runtime

Windows Media Player 10

Windows Media Player 11

Windows XP Service Pack 3

WinRAR archiver

WinZip

==== Event Viewer Messages From Past Week ========

16/02/2010 7:17:26 AM, error: PlugPlayManager [11] - The device Root\LEGACY_JELGLH\0000 disappeared from the system without first being prepared for removal.

16/02/2010 12:19:51 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde

16/02/2010 12:19:02 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

16/02/2010 12:19:02 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

15/02/2010 11:57:39 PM, error: Service Control Manager [7034] - The SQL Server (MSSQLSERVER) service terminated unexpectedly. It has done this 1 time(s).

15/02/2010 11:57:39 PM, error: Service Control Manager [7034] - The Message Queuing Triggers service terminated unexpectedly. It has done this 1 time(s).

15/02/2010 11:57:38 PM, error: Service Control Manager [7034] - The World Wide Web Publishing service terminated unexpectedly. It has done this 1 time(s).

15/02/2010 11:57:38 PM, error: Service Control Manager [7034] - The StarWind iSCSI Service service terminated unexpectedly. It has done this 1 time(s).

15/02/2010 11:57:38 PM, error: Service Control Manager [7034] - The SQL Server FullText Search (MSSQLSERVER) service terminated unexpectedly. It has done this 1 time(s).

15/02/2010 11:57:38 PM, error: Service Control Manager [7034] - The SNMP Service service terminated unexpectedly. It has done this 1 time(s).

15/02/2010 11:57:38 PM, error: Service Control Manager [7034] - The Simple Mail Transfer Protocol (SMTP) service terminated unexpectedly. It has done this 1 time(s).

15/02/2010 11:57:38 PM, error: Service Control Manager [7034] - The Message Queuing service terminated unexpectedly. It has done this 1 time(s).

15/02/2010 11:57:38 PM, error: Service Control Manager [7034] - The Event Log Watch service terminated unexpectedly. It has done this 1 time(s).

15/02/2010 11:57:38 PM, error: Service Control Manager [7031] - The IIS Admin service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1 milliseconds: Run the configured recovery program.

15/02/2010 11:57:37 PM, error: Service Control Manager [7034] - The ANIWConn Service service terminated unexpectedly. It has done this 1 time(s).

15/02/2010 11:57:37 PM, error: Service Control Manager [7034] - The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service terminated unexpectedly. It has done this 1 time(s).

11/02/2010 12:41:52 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: sptd

11/02/2010 12:40:45 PM, error: sptd [4] - Driver detected an internal error in its data structures for .

10/02/2010 8:02:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

10/02/2010 8:01:04 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

10/02/2010 8:00:59 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm sptd SRTSP SRTSPX SYMTDI vmm

10/02/2010 8:00:59 PM, error: Service Control Manager [7001] - The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.

10/02/2010 8:00:59 PM, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.

10/02/2010 8:00:59 PM, error: Service Control Manager [7001] - The Message Queuing Triggers service depends on the Message Queuing service which failed to start because of the following error: The dependency service or group failed to start.

10/02/2010 8:00:59 PM, error: Service Control Manager [7001] - The Message Queuing service depends on the Distributed Transaction Coordinator service which failed to start because of the following error: The dependency service or group failed to start.

10/02/2010 7:57:00 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss sptd SRTSP SRTSPX SYMTDI Tcpip vmm

10/02/2010 7:57:00 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

10/02/2010 7:57:00 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

10/02/2010 7:57:00 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

10/02/2010 7:57:00 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

10/02/2010 7:57:00 PM, error: Service Control Manager [7001] - The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

10/02/2010 7:56:51 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

10/02/2010 2:31:55 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde sptd

09/02/2010 8:09:38 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips IntelIde intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SPBBCDrv sptd SRTSP SRTSPX SYMTDI Tcpip vmm

==== End Of File ===========================

Edited by Maurice Naggar
Attach.txt placed in-line

Step 1

Close and save any open documents & any programs you started. Let these updates & utilities run without your starting other tasks.


Your Java runtime is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) - JRE 6 Update 18 -"
  • Click the red "Download JRE" button.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Java SE Runtime Environment 6u18 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
    Remove these 2 older Java runtime versions:
    J2SE Runtime Environment 5.0 Update 6
    Java™ SE Runtime Environment 6 Update 1
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java icon (looks like a coffee cup).
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - leave BOTH checked:
      • Applications and Applets
      • Trace and Log Files
    • Click OK on the Delete Temporary Files window.

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

    • Click OK to leave the Temporary Files window.

Small tweaks for Java runtime, since most all users do not need to load Java at each Windows startup:

Click Advanced Tab. Expand the Miscellaneous item.

UN-check the line Java quick starter

If you want to also un-check the "Check for updates automatically" you may:

Click the Update tab. un-check the line if it is checked.

Press Apply then OK. Close the applet when done.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_18 from Sun Microsystems Inc.

Step 2

Temporarily disable your antivirus program. Do not turn off the firewall.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Scan the system with the Kaspersky Online Scanner

http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Re-enable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

Read the Information block presented on the screen, and then press the Accept button.

1) Accept the agreement

2) The necessary files will be downloaded and installed. Please have plenty of patience.

3) After Kaspersky AntiVirus Database is updated, look at the Scan box.

4) Click the My Computer line

5) Be infinitely patient; the scan is comprehensive and, unlike other online antivirus scanners, will detect all malware.

6) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

(To see an animated how-to tutorial on the scan, see this link.)

Re-enable your antivirus program after Kaspersky has finished.

Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine.

Kaspersky is report-only and does not remove files.

Step 3

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., a third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Step 4

Post back with a copy of the Kaspersky.txt report & Checkup.txt.

How is your system now?


Hi Maurice,

Sorry for the late reply; it took this long to run Kaspersky. In fact, the first attempt stalled at 62%, and the second try took a good 12 hours. One thing I would like to mention to you is that Symantec AntiVirus turned itself back on from time to time during the process, although I had turned it off before the scan and kept turning it off during the scan whenever I was around and noticed it was on. It was certainly not turned off the whole time. It did not stop the scan, though. I hope that does not affect the result.

Two logs are posted at the end of this reply for your review.

Thanks,

Started

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Thursday, February 18, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Thursday, February 18, 2010 12:25:08

Records in database: 3549486

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

E:\

F:\

G:\

Scan statistics:

Objects scanned: 191390

Threats found: 24

Infected objects found: 50

Suspicious objects found: 3

Scan duration: 12:29:49

File name / Threat / Threats count

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01F80000\4BF95027.VBN Infected: Trojan-Downloader.Win32.Small.kjb 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900000\47F7287F.VBN Infected: Trojan-Downloader.Win32.Zlob.jzr 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05DC0000\4FFE2DA9.VBN Infected: Rootkit.Win32.Agent.aioy 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06180000\475DD07C.VBN Infected: Exploit.Java.Gimsh.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09DC0003\4BDEAF1D.VBN Infected: not-a-virus:PSWTool.Win32.RAS.a 3

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09DC0004\4BDEBD2E.VBN Infected: not-a-virus:PSWTool.Win32.RARPassCrack.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A9C0000\4FBE33FF.VBN Infected: Trojan-Downloader.JS.Small.ew 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A9C0001\4FBE3452.VBN Infected: Exploit.Win32.IMG-ANI.k 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B380000\4FFA6BFE.VBN Infected: Trojan.Win32.DNSChanger.ueb 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B380001.VBN Infected: Trojan.Win32.DNSChanger.ueb 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B700000\4FFD4263.VBN Infected: Trojan.Win32.DNSChanger.ueb 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B700001\4FFD429A.VBN Infected: Trojan.Win32.DNSChanger.ueb 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BDC0000\4FFFFB72.VBN Suspicious: Exploit.Win32.IMG-ANI.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BDC0001\4FFFFBA9.VBN Infected: Trojan-Downloader.VBS.Small.em 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CE00000\4EE458C9.VBN Infected: Trojan-Downloader.JS.Agent.hv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CE00001\4EE46182.VBN Infected: Trojan-Dropper.Win32.Delf.gi 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D040000\4F26AF4F.VBN Infected: Trojan-Dropper.Win32.Delf.gi 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140000\4F342312.VBN Infected: Exploit.Win32.IMG-ANI.ac 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140001\4F34232E.VBN Infected: Exploit.Win32.IMG-ANI.bv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140002\4F342348.VBN Infected: Exploit.Win32.IMG-ANI.bv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140003\4F34268D.VBN Infected: Exploit.Win32.IMG-ANI.ac 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140004\4F3426C5.VBN Infected: Exploit.Win32.IMG-ANI.ac 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140005\4F3426F6.VBN Infected: Exploit.Win32.IMG-ANI.ac 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140006\4F34275C.VBN Infected: Exploit.Win32.IMG-ANI.ac 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140007\4F3428D0.VBN Infected: Exploit.Win32.IMG-ANI.ac 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140008\4F3428F7.VBN Infected: Exploit.Win32.IMG-ANI.bv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140009\4F342902.VBN Infected: Exploit.Win32.IMG-ANI.bv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D14000A\4F34290E.VBN Infected: Exploit.Win32.IMG-ANI.bv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D14000B\4F34291A.VBN Infected: Exploit.Win32.IMG-ANI.bv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D14000C\4F34A52A.VBN Infected: Exploit.Win32.IMG-ANI.ac 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D14000D\4F34A539.VBN Infected: Exploit.Win32.IMG-ANI.ac 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D14000E\4F34A542.VBN Infected: Exploit.Win32.IMG-ANI.ac 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D14000F\4F34A54A.VBN Suspicious: Exploit.Win32.IMG-ANI.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140010\4F34A552.VBN Suspicious: Exploit.Win32.IMG-ANI.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140011\4F34A55A.VBN Infected: Exploit.Win32.IMG-ANI.ac 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E340001\4F7FD15D.VBN Infected: Trojan-Downloader.Win32.Piker.ako 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E340002\4F7FD19D.VBN Infected: Trojan-Downloader.Win32.Mufanom.hpb 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ED40000\4FFE29B1.VBN Infected: Trojan.JS.Gord.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F7C0003\4F7C7A4D.VBN Infected: not-a-virus:PSWTool.Win32.RAS.a 3

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F7C0004\4F7C7A79.VBN Infected: not-a-virus:PSWTool.Win32.RARPassCrack.a 1

D:\SAP\Book\SAP R3-Consultant - Netweaver - ABAP Workbench updated-fixed 10-2006.rar Infected: P2P-Worm.Win32.Kapucen.b 1

E:\emule finished\(eBook ERP CRM SAP) - John Wiley & Sons - ERP - Making It Happen updated-fixed 07-2006.zip Infected: P2P-Worm.Win32.Kapucen.b 1

E:\emule finished\Lavasoft.Ad-Aware.2007.Professional.Edition.v7.0.1.5.Incl-Crack.rar Infected: Trojan-Dropper.Win32.Delf.ebb 1

E:\emule finished\Lavasoft.Ad-Aware.2007.Professional.Edition.v7.0.1.5.Incl-Crack.rar Infected: Trojan-Dropper.Win32.Delf.ebc 1

E:\emule finished\SAP R3-Consultant - Netweaver - ABAP Workbench Developpement Certification (12.2003.DE.su updated-fixed Release 11-2007.rar Infected: P2P-Worm.Win32.Kapucen.ac 1

E:\TOOLS\MORE\servu5001\servusetup.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.50011 1

E:\TOOLS\MORE\servu5001\servusetup.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.5201 1

E:\TOOLS\MORE\Windows.XP.2003.Product.Key.Viewer.Generator.Changer\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a 2

Selected area has been scanned.

Results of screen317's Security Check version 0.99.1

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Symantec AntiVirus

WMIC entry does not exist for antivirus; attempting automatic update.

``````````````````````````````

Anti-malware/Other Utilities Check:

HijackThis 2.0.2

Java 6 Update 18

Java Auto Updater

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 7.1.0

Adobe Reader Chinese Simplified Fonts

Adobe Reader Chinese Traditional Fonts

``````````````````````````````

Process Check:

objlist.exe by Laurent

Norton ccSvcHst.exe

Symantec AntiVirus DefWatch.exe

Symantec AntiVirus Rtvscan.exe

``````````````````````````````

DNS Vulnerability Check:

`````````End of Log```````````

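Reading a Kaspersky report like the one above the way the helper does: the quarantine entries are already contained by Symantec, the not-a-virus: entries are riskware rather than malware, and only the remaining live files need action. This added Python helper (not from the thread, Kaspersky or Symantec) parses the report's detection lines and sorts them into those three buckets; the sample lines are constructed in the report's own format.

```python
import re

# Constructed sample in the Kaspersky Online Scanner 7.0 report format
# ("<path> <Infected|Suspicious>: <threat> <count>"), modelled on the thread's report.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05DC0000\4FFE2DA9.VBN Infected: Rootkit.Win32.Agent.aioy 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BDC0000\4FFFFB72.VBN Suspicious: Exploit.Win32.IMG-ANI.gen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09DC0003\4BDEAF1D.VBN Infected: not-a-virus:PSWTool.Win32.RAS.a 3
E:\emule finished\(eBook ERP CRM SAP) - John Wiley & Sons - ERP - Making It Happen updated-fixed 07-2006.zip Infected: P2P-Worm.Win32.Kapucen.b 1
E:\TOOLS\MORE\servu5001\servusetup.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.50011 1
Selected area has been scanned.
"""

# Non-greedy path so that paths containing spaces still parse; the threat name may contain ':'.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<status>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)


def parse_report(text):
    """Yield one dict per detection line; headers and the trailer line are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entry = m.groupdict()
            entry["count"] = int(entry["count"])
            yield entry


def classify(entry):
    """Triage bucket for a single detection:
    quarantined - a .VBN inside a Symantec Quarantine folder: already contained, no action needed
    riskware    - Kaspersky's not-a-virus: prefix (password tools, FTP servers): not malware by itself
    live        - a file still in place on disk that needs attention
    """
    path = entry["path"].lower()
    if "\\quarantine\\" in path and path.endswith(".vbn"):
        return "quarantined"
    if entry["threat"].startswith("not-a-virus:"):
        return "riskware"
    return "live"


def triage(text):
    """Return {bucket: [paths]} so live findings can be read apart from the quarantine noise."""
    buckets = {"quarantined": [], "riskware": [], "live": []}
    for entry in parse_report(text):
        buckets[classify(entry)].append(entry["path"])
    return buckets
```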

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

  • Double-click OTL.exe to run it.
  • Click on the CleanUp! button at the upper right corner. When you do this, a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet, you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.

The last sections of the Kaspersky scan showed the presence of a pirated app and warez. Well, I'm sorry, but since you have evidence of cracked or pirated software you're using on the system, I have no choice but to close this thread now.

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.


This topic is now closed to further replies.