
generic host process problem and other things


bibs


hello.

i'm new to the help forum here, so i don't know how to provide detailed reports like everyone else. but i'll give as much info as i can for now.

a few weeks ago, i was trying to connect to my mom's boyfriend's internet, but was unsuccessful. that's when all my problems started showing up. random tabs in firefox, one of them being something i wish i didn't see. (if you catch my drift.) after that, a program popped up which looked like a rogue antivirus thing. but i was about to click something when it popped up, and with this feature on my laptop where the arrow appears automatically on a certain button (ok, cancel, x button etc.) i closed it out by accident. for some reason it never came back. and thus, i could not tell what it was. soon i decided to do a system restore and then some scans. though it did not work in 'safe mode' and stated "system restore will not fix your computer". some viruses came up and i deleted them. the usual. but shortly after that, i began to get more random tabs as well as an error window which said, "generic host process for win32 has encountered a problem and needs to close". then my taskbar and window style would change and glitch. i've tried a fix for that problem that i've found after a long and thorough search on google. it and the virus scans seemed to help for a while, but it would eventually come back. and through the past two weeks or so, avast! would keep blocking a website beginning with 199.80.55.80/go.php?.

currently, this is the first time i've come back onto the internet in a few days. i have not seen the generic host error yet, but random tabs do still pop up and that 199 address is still trying to come up.

and just now it brought up a new tab with that fake firefox "blocked page" thing.

now my laptop is a bit slower and videos take a while to load. also, whenever my laptop's battery runs low and it hibernates, i would start it back up and the internet stops working. thus i have to save the tabs and restart my laptop. i also have to do this when my sound goes out. it says it cannot find the hardware for it. if it happens again, i will give you the full message.

I use a Compaq Laptop with:

Microsoft Windows XP

Media Center Edition

Version 2002

Service Pack 3

things that would pop up:

fb-survey

something that has to do with registry

the fake "blocked page" thing

virus protection:

avast! free antivirus

malwarebytes' anti-malware

67 running processes (@ 1:43 am)

i don't know how to post them. when i figure that out, i will post it.

i will post the malwarebytes log when it finishes scanning.

currently in avast!'s virus chest:

18.tmp C:\WINDOWS\temp Win32:Alureon-JJ [Rtk]

A0153167.exe C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP366 Win32:Malware-gen

dm2[1].exe C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\PAZ2ELF2 Win32:Trojan-gen

*To Note: i haven't used internet explorer for at least a year.(if you don't count accidentally clicking into it, which i haven't done in a while.) maybe two..........i can't remember when i installed firefox lol.

please help. i was unable to repair this with simply system restoring.

thank you

-bibs


DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

XP Users

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Uncheck "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Uncheck "Hide protected operating system files."

Click Apply, and then click OK.

Vista Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.

Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.

When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:

Double-click on the Folder Options icon.

Click on the View tab.

If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.

Click on Show Hidden Files or Folders.

Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

Remove the checkmark from the checkbox labeled Hide extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files.

Please do not delete anything unless instructed to.

Next:

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/2/2010 11:17:49 AM

mbam-log-2010-11-02 (11-17-49).txt

Scan type: Quick scan

Objects scanned: 134410

Time elapsed: 18 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winsp1up.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12787531 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\BLuR\Local Settings\Temp\winsp1up.exe (Trojan.FakeAlert.H) -> Not selected for removal.

C:\Documents and Settings\BLuR\Local Settings\Temp\12787531.exe (Trojan.FakeAlert.H) -> Not selected for removal.

just last night, while i was getting food for my kitten, another pop up came up (a rather indecent one) and tried to download something. i canceled it and minimized the window only to find that a rogue program called HDD Defragmenter had installed itself.

since then, errors showed up listing a bunch of numbers and saying something about fatal system error. it said i needed to restart. all i did was press the x button and it restarted anyway. my laptop powered up again and now i have an error which says this:

System Restore

The system has been restored after a critical error. Data integrity and hard drive integrity verification required.

[OK]

i'm just leaving it there until i find out if it's legit. though i don't think it is.

and lastly, probably not important, there is a notification typical of rogue programs that asks me to buy it. i'm leaving it there as well.

the generic host process error still appears and changes my taskbar and window style to an older looking view.

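The MBAM log above shows the two Run-key values quarantined but the two files they started marked "Not selected for removal". The following is an added example, not code from this thread or from Malwarebytes: a small Python triage script for the MBAM 1.x log format that pairs each autostart value with its same-named payload and reports which payloads were left behind. The sample log is constructed from the lines quoted above.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log.

Added example for this thread; it is not code from the forum post or from
Malwarebytes. It parses the "<Section> Infected:" blocks of the log format
quoted above and answers the question the log raises: the Run-key values were
quarantined, but were the files they started also removed?
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the detection sections of the log posted in the thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Registry Values Infected: 2
Files Infected: 2

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winsp1up.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12787531 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\BLuR\Local Settings\Temp\winsp1up.exe (Trojan.FakeAlert.H) -> Not selected for removal.
C:\Documents and Settings\BLuR\Local Settings\Temp\12787531.exe (Trojan.FakeAlert.H) -> Not selected for removal.
"""

# A section heading ("Files Infected:") as opposed to a summary count
# line ("Files Infected: 2"), which must not start a section.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
# One detection line: "<item> (<threat>) -> <action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

RUN_KEY = "\\currentversion\\run\\"
TEMP_MARKERS = ("\\local settings\\temp\\", "\\windows\\temp\\",
                "\\temporary internet files\\")


@dataclass
class Detection:
    section: str   # e.g. "Registry Values", "Files"
    item: str      # registry value path or file path
    threat: str    # e.g. "Trojan.FakeAlert.H"
    action: str    # what MBAM did with it

    @property
    def removed(self) -> bool:
        return self.action.lower().startswith("quarantined and deleted")


def parse_mbam_log(text: str) -> list[Detection]:
    """Return every detection line, tagged with the section it appeared in."""
    detections: list[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        heading = SECTION_RE.match(line)
        if heading:
            section = heading.group("section")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        hit = ITEM_RE.match(line)
        if hit:
            detections.append(Detection(section, hit["item"], hit["threat"], hit["action"]))
    return detections


def leftovers(detections: list[Detection]) -> list[Detection]:
    """Detections the scan reported but did not remove ('Not selected for removal')."""
    return [d for d in detections if not d.removed]


def in_temp_dir(path: str) -> bool:
    """True for paths under a temp directory, where droppers commonly park payloads."""
    lowered = path.lower()
    return any(marker in lowered for marker in TEMP_MARKERS)


def _stem(item: str) -> str:
    # Last path component, lower-cased, without a trailing .exe so that the
    # Run value "12787531" pairs with the file "12787531.exe".
    base = item.rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def orphaned_payloads(detections: list[Detection]) -> list[tuple[str, str]]:
    """Pair each Run-key value with the same-named detected file and return the
    pairs whose file was left on disk: the autostart entry is gone but the
    payload is not, so the scan should be re-run with every item selected."""
    run_values = [d for d in detections
                  if d.section == "Registry Values" and RUN_KEY in d.item.lower()]
    files = {_stem(d.item): d for d in detections if d.section == "Files"}
    gaps = []
    for value in run_values:
        payload = files.get(_stem(value.item))
        if payload is not None and not payload.removed:
            gaps.append((value.item, payload.item))
    return gaps


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(found)} detections, {len(leftovers(found))} not removed")
    for value, payload in orphaned_payloads(found):
        flag = " (temp dir)" if in_temp_dir(payload) else ""
        print(f"autostart removed but payload remains: {payload}{flag}")
```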

Download Combofix from any of the links below but rename it to iexplore.exe before saving it to your desktop.

If need be, Download the tools needed to a flash drive or other USB device, and transfer them to the infected computer.

Note:

If combofix (iexplore.exe) won't run from the desktop, try running it from the USB device.

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save iexplore.exe to your Desktop

Double click on iexplore.exe (the renamed ComboFix.exe) & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

  • Double click on iexplore.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7 or you don't have an internet connection.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: RC1.png]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofix. Use copy/paste.

Also please describe how your computer behaves at the moment.


i had successfully installed the microsoft windows recovery console and began the scan. but a few minutes after the scan started, the errors came up again. i got some stuff to write it down, but i could only get a little info before it restarted itself.

Windows - Delayed Write Failed

(X) Windows was unable to save all the data-(all i managed to get down)-......

Low Disk Space

.....(a second after this popped up it shut down. it said something about running on low disk space for the C drive thing.)

[restart]

when i came back on, the hdd defragmenter came up. i minimized it and it disappeared.

windows security alerts came up telling me my updates are turned off. but i did that purposely because i've heard much about fake updates recently.

avast's shields are back up and two warnings came up saying they blocked the site 199.80.55.80/go.php?data=(then its a bunch of letters and numbers.)

after that, the generic host error came up once again, producing the same resulting effects as last time.

shall i try running combofix (iexplorer.exe) again? or perhaps i didn't download it right?

i clicked the first link. it went into the download box (i have internet explorer, but i use firefox) and i right-clicked and selected 'open containing folder'. i went to the combofix icon and renamed it iexplorer.exe. then i dragged it from the downloads folder to the desktop.


Volume (C:)

Volume size = 80.50 GB

Cluster size = 4 KB

Used space = 50.42 GB

Free space = 30.08 GB

Percent free space = 37 %

Volume fragmentation

Total fragmentation = 9 %

File fragmentation = 19 %

Free space fragmentation = 0 %

File fragmentation

Total files = 162,383

Average file size = 447 KB

Total fragmented files = 2

Total excess fragments = 21,979

Average fragments per file = 1.13

Pagefile fragmentation

Pagefile size = 753 MB

Total fragments = 1

Folder fragmentation

Total folders = 17,193

Fragmented folders = 1

Excess folder fragments = 0

Master File Table (MFT) fragmentation

Total MFT size = 181 MB

MFT record count = 180,490

Percent MFT in use = 97 %

Total MFT fragments = 3

--------------------------------------------------------------------------------

Fragments File Size Files that cannot be defragmented

21,579 9.97 GB \Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log

and i removed 9 things from the add/remove list.


i've done the scan, mostly. after a bit, a window popped up:

----------------------

Rootkit!!

----------------------

( i ) ComboFix has detected the presence of rootkit activity and needs to reboot the machine.

----------------------

and it did so. but when it rebooted, combofix started again, but everything else that's supposed to show on the screen (icons, task bar, etc.) never appeared.

i started task manager to poke around to see if i could get on the internet, but it didn't work. and i guess i may have clicked on combofix accidentally or something, but it seemed that it stopped working. i went to start a new task to see if i could get to control panel, but for some reason i clicked on the my computer icon on the side. (silly me lol) once i did that, it froze and (not responding) appeared. i decided to wait, so i fed my kitten and i lay down with her so she could be warm. we both fell asleep (i slept longer than i'd hoped....). after waking up about an hour or so later, the screen was still the same.

i pressed the power button once, the options came up and i hit restart. nothing happened. i pressed the power button once again, but the selection didn't come up this time. so i held the power button down and shut it off and turned it back on again. i saw the black screen for safe mode come up, but it was skipped and it went straight to my desktop without letting me select my account.

i believe thats another thing i forgot to mention. sometimes i would reboot my laptop to get the internet working again, or the sound working again, and nothing would show up. it just showed my background picture. i would have to restart again.

and if i started it back up, sometimes it wouldn't even let me click on my icon to get to my desktop. it would just go on through.

or if there was that black screen with selections to go to safe mode or safe mode with command prompt, etc.. like it did a few minutes ago, it would skip it and go directly to my desktop.

right now, the desktop looks okay. the task bar and window style is normal. the generic host error hasn't appeared yet. the hdd defragmenter activation request is still there. but surprisingly this program hasn't done anything much, yet. *knocks on wood* the only thing bad that has happened so far is that avast detected that suspicious website again.

on a separate note of good news, my kitten fell asleep while playing under the blanket ^^ she's very warm :3


hdd defragmenter activation request is still there.
I'm pretty sure that's a fake program.

We need to check on that RootKit.

Please read carefully and follow these steps.

  • Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
  • Only if Malicious objects are found then ensure Cure is selected
  • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
  • A copy of the log will be saved automatically to the root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

please post the contents of that TDSSKiller log.


is this the correct info?

2010/11/02 19:53:53.0312 TDSS rootkit removing tool 2.4.5.1 Oct 26 2010 11:28:49

2010/11/02 19:53:53.0312 ================================================================================

2010/11/02 19:53:53.0312 SystemInfo:

2010/11/02 19:53:53.0312

2010/11/02 19:53:53.0312 OS Version: 5.1.2600 ServicePack: 3.0

2010/11/02 19:53:53.0312 Product type: Workstation

2010/11/02 19:53:53.0312 ComputerName: VIVIAN

2010/11/02 19:53:53.0343 UserName: Viv

2010/11/02 19:53:53.0343 Windows directory: C:\WINDOWS

2010/11/02 19:53:53.0343 System windows directory: C:\WINDOWS

2010/11/02 19:53:53.0343 Processor architecture: Intel x86

2010/11/02 19:53:53.0343 Number of processors: 1

2010/11/02 19:53:53.0343 Page size: 0x1000

2010/11/02 19:53:53.0343 Boot type: Normal boot

2010/11/02 19:53:53.0343 ================================================================================

2010/11/02 19:53:53.0937 Initialize success

2010/11/02 19:54:19.0921 ================================================================================

2010/11/02 19:54:19.0921 Scan started

2010/11/02 19:54:19.0921 Mode: Manual;

2010/11/02 19:54:19.0921 ================================================================================


2010/11/02 19:54:30.0828 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

2010/11/02 19:54:30.0875 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

2010/11/02 19:54:30.0921 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

2010/11/02 19:54:30.0984 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/11/02 19:54:31.0046 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/11/02 19:54:31.0093 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/11/02 19:54:31.0125 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/11/02 19:54:31.0187 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/11/02 19:54:31.0265 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/11/02 19:54:31.0343 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/11/02 19:54:31.0421 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/11/02 19:54:31.0484 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/11/02 19:54:31.0562 rimmptsk (7a6648b61661b1421ffab762e391e33f) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys

2010/11/02 19:54:31.0609 rimsptsk (d0a35b7670aa3558eaab483f64446496) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys

2010/11/02 19:54:31.0656 rismxdp (3ac17802740c3a4764dc9750e92e6233) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys

2010/11/02 19:54:31.0734 RMCAST (96f7a9a7bf0c9c0440a967440065d33c) C:\WINDOWS\system32\drivers\RMCast.sys

2010/11/02 19:54:31.0796 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS

2010/11/02 19:54:31.0875 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys

2010/11/02 19:54:31.0921 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/11/02 19:54:32.0000 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys

2010/11/02 19:54:32.0046 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/11/02 19:54:32.0156 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys

2010/11/02 19:54:32.0203 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2010/11/02 19:54:32.0281 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

2010/11/02 19:54:32.0328 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/11/02 19:54:32.0421 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/11/02 19:54:32.0484 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/11/02 19:54:32.0546 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2010/11/02 19:54:32.0609 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/11/02 19:54:32.0656 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/11/02 19:54:32.0734 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

2010/11/02 19:54:32.0796 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

2010/11/02 19:54:32.0859 symlcbrd (b226f8a4d780acdf76145b58bb791d5b) C:\WINDOWS\system32\drivers\symlcbrd.sys

2010/11/02 19:54:32.0906 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

2010/11/02 19:54:32.0937 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

2010/11/02 19:54:33.0031 SynTP (369d0626687a968182a9db40fe8a0905) C:\WINDOWS\system32\DRIVERS\SynTP.sys

2010/11/02 19:54:33.0125 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/11/02 19:54:33.0218 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/11/02 19:54:33.0281 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/11/02 19:54:33.0343 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/11/02 19:54:33.0406 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/11/02 19:54:33.0515 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

2010/11/02 19:54:33.0578 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/11/02 19:54:33.0640 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

2010/11/02 19:54:33.0718 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/11/02 19:54:33.0796 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

2010/11/02 19:54:33.0859 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/11/02 19:54:33.0937 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/11/02 19:54:33.0984 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/11/02 19:54:34.0046 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/11/02 19:54:34.0093 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/11/02 19:54:34.0140 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/11/02 19:54:34.0203 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/11/02 19:54:34.0265 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/11/02 19:54:34.0343 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

2010/11/02 19:54:34.0406 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2010/11/02 19:54:34.0453 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/11/02 19:54:34.0625 VX3000 (45798ec03c6aeb45aa2f2084f7842f6c) C:\WINDOWS\system32\DRIVERS\VX3000.sys

2010/11/02 19:54:34.0843 w39n51 (c79918a5bd269035f3a34d157401b9df) C:\WINDOWS\system32\DRIVERS\w39n51.sys

2010/11/02 19:54:34.0953 wacmoumonitor (9a03558c37e919b9d6a50864aea0a168) C:\WINDOWS\system32\DRIVERS\wacmoumonitor.sys

2010/11/02 19:54:35.0062 wacommousefilter (427a8bc96f16c40df81c2d2f4edd32dd) C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys

2010/11/02 19:54:35.0109 wacomvhid (d412d2cc82c3d469415758cab44875a4) C:\WINDOWS\system32\DRIVERS\wacomvhid.sys

2010/11/02 19:54:35.0156 WacomVKHid (889459833432b161cb99cfdf84a1a9bb) C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys

2010/11/02 19:54:35.0203 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/11/02 19:54:35.0265 wceusbsh (46a247f6617526afe38b6f12f5512120) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys

2010/11/02 19:54:35.0343 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/11/02 19:54:35.0484 winachsf (7fe372b1ab60736cc67e8eb6f1fb1f5b) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2010/11/02 19:54:35.0671 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

2010/11/02 19:54:35.0750 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys

2010/11/02 19:54:35.0796 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2010/11/02 19:54:35.0859 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/11/02 19:54:35.0921 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/11/02 19:54:36.0109 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)

2010/11/02 19:54:36.0109 ================================================================================

2010/11/02 19:54:36.0109 Scan finished

2010/11/02 19:54:36.0109 ================================================================================

2010/11/02 19:54:36.0140 Detected object count: 1

2010/11/02 19:55:08.0234 \HardDisk0\MBR - will be cured after reboot

2010/11/02 19:55:08.0234 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure

2010/11/02 19:55:13.0765 Deinitialize success


Sorry for the wait...

ComboFix 10-11-01.06 - Viv 11/03/2010 0:46.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.167 [GMT -4:00]

Running from: c:\documents and settings\BLuR\Desktop\iexplorer.exe

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\h8srtmainqt.dll

c:\documents and settings\BLuR\Desktop\HDD Defragmenter.lnk

c:\documents and settings\BLuR\Local Settings\Application Data\{99FE4EFB-98C3-4F47-AEBF-AEDA107DC2AD}

c:\documents and settings\BLuR\Local Settings\Application Data\{99FE4EFB-98C3-4F47-AEBF-AEDA107DC2AD}\chrome\content\_cfg.js

c:\documents and settings\BLuR\Local Settings\Application Data\{99FE4EFB-98C3-4F47-AEBF-AEDA107DC2AD}\chrome\content\overlay.xul

c:\documents and settings\BLuR\Local Settings\Application Data\{99FE4EFB-98C3-4F47-AEBF-AEDA107DC2AD}\install.rdf

c:\documents and settings\BLuR\Start Menu\Programs\HDD Defragmenter

c:\documents and settings\BLuR\Start Menu\Programs\HDD Defragmenter\HDD Defragmenter.lnk

c:\documents and settings\BLuR\Start Menu\Programs\HDD Defragmenter\Uninstall HDD Defragmenter.lnk

C:\Microsoft

c:\microsoft\IMJP8_1\imjp81u.dic

c:\program files\Common

c:\program files\Mozilla Firefox\searchplugins\google_search.xml

c:\windows\$NtUninstallMTF1011$

c:\windows\$NtUninstallMTF1011$\zrpt.xml

c:\windows\system32\Thumbs.db

c:\windows\Tasks\At1.job

c:\windows\Tasks\At10.job

c:\windows\Tasks\At11.job

c:\windows\Tasks\At12.job

c:\windows\Tasks\At13.job

c:\windows\Tasks\At14.job

c:\windows\Tasks\At15.job

c:\windows\Tasks\At16.job

c:\windows\Tasks\At17.job

c:\windows\Tasks\At18.job

c:\windows\Tasks\At19.job

c:\windows\Tasks\At2.job

c:\windows\Tasks\At20.job

c:\windows\Tasks\At21.job

c:\windows\Tasks\At22.job

c:\windows\Tasks\At23.job

c:\windows\Tasks\At24.job

c:\windows\Tasks\At3.job

c:\windows\Tasks\At4.job

c:\windows\Tasks\At5.job

c:\windows\Tasks\At6.job

c:\windows\Tasks\At7.job

c:\windows\Tasks\At8.job

c:\windows\Tasks\At9.job

D:\Autorun.inf

c:\windows\pchealth\helpctr\binaries\helpctr.exe . . . is infected!!

.

((((((((((((((((((((((((( Files Created from 2010-10-03 to 2010-11-03 )))))))))))))))))))))))))))))))

.

2010-10-20 21:07 . 2010-08-27 05:57 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll

2010-10-19 18:58 . 2010-10-19 18:58 -------- d-----w- c:\documents and settings\BLuR\Local Settings\Application Data\PCHealth

2010-10-19 17:51 . 2010-10-19 17:51 -------- d-----w- C:\10a2e13eb976de8e53

2010-10-19 05:35 . 2010-10-19 05:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-10-19 03:19 . 2010-10-19 03:19 -------- d-----w- c:\windows\system32\wbem\Repository

2010-10-19 03:16 . 2010-10-19 03:16 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-10-19 03:16 . 2010-10-19 03:16 -------- d-----w- c:\windows\system32\Adobe

2010-10-19 03:15 . 2010-10-19 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-10-19 03:15 . 2010-10-19 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

2010-10-18 04:50 . 2010-10-19 03:15 -------- d-----w- c:\documents and settings\BLuR\Local Settings\Application Data\Google

2010-10-17 03:02 . 2010-10-17 03:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2010-10-17 03:02 . 2010-10-17 03:02 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer

2010-10-17 01:40 . 2010-11-02 14:05 -------- d-----w- c:\documents and settings\LocalService\Temporary Internet Files

2010-10-05 15:45 . 2010-10-05 15:45 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 16:23 . 2006-03-16 04:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2006-03-16 04:00 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2006-03-16 04:00 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2006-03-16 04:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2006-03-16 04:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2006-03-16 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2006-03-16 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-07 15:12 . 2010-08-10 23:27 38848 ----a-w- c:\windows\avastSS.scr

2010-09-07 15:11 . 2010-08-10 23:27 167592 ----a-w- c:\windows\system32\aswBoot.exe

2010-09-07 14:52 . 2010-08-10 23:27 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-09-07 14:52 . 2010-08-10 23:27 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-09-07 14:47 . 2010-08-10 23:27 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-09-07 14:47 . 2010-08-10 23:27 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-09-07 14:47 . 2010-08-10 23:27 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-09-07 14:47 . 2010-08-10 23:27 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-09-07 14:46 . 2010-08-10 23:27 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-09-01 11:51 . 2006-03-16 04:00 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2006-03-16 04:00 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2005-10-18 05:14 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2006-03-16 04:00 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 13:39 . 2005-05-10 08:17 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2009-04-14 20:31 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2006-03-16 04:00 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17 . 2006-03-16 04:00 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45 . 2006-03-16 04:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-22 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-22 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]

"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]

"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]

"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-03-15 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2006-03-15 44032]

"VX3000"="c:\windows\vVX3000.exe" [2006-10-13 707376]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP Games\\Wheel of Fortune\\Wheel of Fortune.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Adobe\\Photoshop Elements 6.0\\AdobePhotoshopElementsMediaServer.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/10/2010 7:27 PM 165584]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/10/2010 7:27 PM 17744]

R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [4/21/2009 10:27 PM 2749736]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/16/2008 10:49 PM 24652]

S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [4/21/2009 10:27 PM 15656]

S3 XDva302;XDva302;\??\c:\windows\system32\XDva302.sys --> c:\windows\system32\XDva302.sys [?]

S3 XDva303;XDva303;\??\c:\windows\system32\XDva303.sys --> c:\windows\system32\XDva303.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2010-09-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebReg.serv...&prodOS=012

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\BLuR\Start Menu\Programs\IMVU\Run IMVU.lnk

Trusted Zone: internet

Trusted Zone: mcafee.com

FF - ProfilePath - c:\documents and settings\BLuR\Application Data\Mozilla\Firefox\Profiles\dhoaz1mj.default\

FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=100000000000000002&tb_oid=12-05-2010&tb_mrud=12-05-2010

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=

FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - Google

FF - user.js: browser.search.order.1 - Google

FF - user.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

Notify-TPSvc - TPSvc.dll

SafeBoot-mcmscsvc

SafeBoot-MCODS

AddRemove-_{53A908D4-99C6-469B-BC13-F4189F260742} - c:\program files\Corel\Corel Painter Essentials 4\MSILauncher {53A908D4-99C6-469B-BC13-F4189F260742}

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-03 00:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???(]??????`?@?????L?@

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net

Windows 5.1.2600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.

device: opened successfully

user: error reading MBR

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys

1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x82B52030]

3 CLASSPNP[0xF8515FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000008c[0x82B42F18]

5 ACPI[0xF838C620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Ide\IAAStorageDevice-0[0x82B53030]

kernel: MBR read successfully

_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a; }

user != kernel MBR !!!

Filesystem trace:

called modules: ntkrnlpa.exe hal.dll catchme.sys aswMon2.SYS fltmgr.sys aswFsBlk.SYS sr.sys aswSP.SYS Ntfs.sys

1 ntkrnlpa!IofCallDriver[0x804EE130] -> [0xFFAAD2F0]

3 aswMon2[0xA0C869DD] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x81E87250]

5 fltmgr[0xF8207E95] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82B5A508]

7 sr[0xF81F7870] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82209020]

9 ntkrnlpa[0x80574DCB] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0xFFAAD2F0]

11 aswMon2[0xA0C869DD] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x81E87250]

13 fltmgr[0xF8208098] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82B5A508]

15 sr[0xF81F2453] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82209020]

Registry trace:

called modules: ntkrnlpa.exe aswSP.SYS hal.dll

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2010-11-03 01:01:03

ComboFix-quarantined-files.txt 2010-11-03 05:00

Pre-Run: 32,485,150,720 bytes free

Post-Run: 36,430,139,392 bytes free

- - End Of File - - 51AA33813B3FB3F50B7BF6973DA21EC6


Everything seems to be fine on my laptop o-o

My laptop had lost power from its loose charger, but I turned it back on and the HDD Defragmenter has disappeared. No errors have popped up as of yet, though I haven't tried out the internet yet. I'm using my mom's laptop right now to connect.


Copy/paste the text in the Codebox below into Notepad:

Here's how to do that:

Click Start > Run, type Notepad, and click OK.

This will open an empty Notepad file.

Take your mouse and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right-click the mouse for options and select 'Copy'. Now, over the empty Notepad window, right-click your mouse again and select 'Paste', and you will have copied and pasted the text.

KillAll::

File::
c:\windows\system32\XDva302.sys
c:\windows\system32\XDva303.sys

Folder::
c:\program files\Viewpoint

Driver::
XDva302
XDva303

Save this file to your desktop as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... and change the directory to your desktop;

3. Change the "Save as type" to "All Files";

4. Type in the file name: CFScript

5. Click Save.

Drag CFScript.txt onto ComboFix.exe.

Then post the resulting log using Copy / Paste.

Also please describe how your computer behaves at the moment.


It completed many, many stages, deleted some files and found something infected which had something about pchealth.

It finished and rebooted.

I saw the black screen for safe mode, but it went away and went straight to my account.

It said it was preparing the log.

The desktop stuff went away for a moment but came back.

It said it was almost done.

It made the log:

ComboFix 10-11-01.06 - Viv 11/03/2010 23:03:51.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.285 [GMT -4:00]

Running from: c:\documents and settings\BLuR\Desktop\iexplorer.exe

Command switches used :: c:\documents and settings\BLuR\Desktop\CFScript.txt

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::

"c:\windows\system32\XDva302.sys"

"c:\windows\system32\XDva303.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Viewpoint

c:\program files\Viewpoint\Common\ViewpointService.exe

c:\program files\Viewpoint\Common\VistaBoot.sdll

c:\program files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll

c:\program files\Viewpoint\Viewpoint Media Player\ClassIDs.ini

c:\program files\Viewpoint\Viewpoint Media Player\ComponentMgr.dll

c:\program files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini

c:\program files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll

c:\program files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll

c:\program files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll

c:\program files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll

c:\program files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll

c:\program files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll

c:\program files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll

c:\program files\Viewpoint\Viewpoint Media Player\Components\VETScriptInterpreter.dll

c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPSpeech.dll

c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll

c:\program files\Viewpoint\Viewpoint Media Player\HostRegistry.ini

c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini

c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini

c:\program files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe

c:\program files\Viewpoint\Viewpoint Media Player\MTSDownloadSites.txt

c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.xpt

c:\windows\pchealth\helpctr\binaries\helpctr.exe . . . is infected!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_XDVA302

-------\Legacy_XDVA303

-------\Service_XDva302

-------\Service_XDva303

-------\Legacy_Viewpoint_Manager_Service

-------\Legacy_Viewpoint_Manager_Service

-------\Service_Viewpoint Manager Service

-------\Service_Viewpoint Manager Service

((((((((((((((((((((((((( Files Created from 2010-10-04 to 2010-11-04 )))))))))))))))))))))))))))))))

.

2010-10-20 21:07 . 2010-08-27 05:57 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll

2010-10-19 18:58 . 2010-10-19 18:58 -------- d-----w- c:\documents and settings\BLuR\Local Settings\Application Data\PCHealth

2010-10-19 17:51 . 2010-10-19 17:51 -------- d-----w- C:\10a2e13eb976de8e53

2010-10-19 05:35 . 2010-10-19 05:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-10-19 03:19 . 2010-10-19 03:19 -------- d-----w- c:\windows\system32\wbem\Repository

2010-10-19 03:16 . 2010-10-19 03:16 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-10-19 03:16 . 2010-10-19 03:16 -------- d-----w- c:\windows\system32\Adobe

2010-10-19 03:15 . 2010-10-19 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-10-19 03:15 . 2010-10-19 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

2010-10-18 04:50 . 2010-10-19 03:15 -------- d-----w- c:\documents and settings\BLuR\Local Settings\Application Data\Google

2010-10-17 03:02 . 2010-10-17 03:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2010-10-17 03:02 . 2010-10-17 03:02 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer

2010-10-17 01:40 . 2010-11-02 14:05 -------- d-----w- c:\documents and settings\LocalService\Temporary Internet Files

2010-10-05 15:45 . 2010-10-05 15:45 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 16:23 . 2006-03-16 04:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2006-03-16 04:00 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2006-03-16 04:00 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2006-03-16 04:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2006-03-16 04:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2006-03-16 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2006-03-16 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-07 15:12 . 2010-08-10 23:27 38848 ----a-w- c:\windows\avastSS.scr

2010-09-07 15:11 . 2010-08-10 23:27 167592 ----a-w- c:\windows\system32\aswBoot.exe

2010-09-07 14:52 . 2010-08-10 23:27 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-09-07 14:52 . 2010-08-10 23:27 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-09-07 14:47 . 2010-08-10 23:27 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-09-07 14:47 . 2010-08-10 23:27 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-09-07 14:47 . 2010-08-10 23:27 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-09-07 14:47 . 2010-08-10 23:27 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-09-07 14:46 . 2010-08-10 23:27 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-09-01 11:51 . 2006-03-16 04:00 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2006-03-16 04:00 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2005-10-18 05:14 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2006-03-16 04:00 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 13:39 . 2005-05-10 08:17 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2009-04-14 20:31 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2006-03-16 04:00 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17 . 2006-03-16 04:00 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45 . 2006-03-16 04:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-22 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-22 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]

"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]

"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]

"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-03-15 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2006-03-15 44032]

"VX3000"="c:\windows\vVX3000.exe" [2006-10-13 707376]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP Games\\Wheel of Fortune\\Wheel of Fortune.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Adobe\\Photoshop Elements 6.0\\AdobePhotoshopElementsMediaServer.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/10/2010 7:27 PM 165584]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/10/2010 7:27 PM 17744]

R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [4/21/2009 10:27 PM 2749736]

S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [4/21/2009 10:27 PM 15656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2010-09-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebReg.serv...&prodOS=012

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\BLuR\Start Menu\Programs\IMVU\Run IMVU.lnk

Trusted Zone: internet

Trusted Zone: mcafee.com

FF - ProfilePath - c:\documents and settings\BLuR\Application Data\Mozilla\Firefox\Profiles\dhoaz1mj.default\

FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=100000000000000002&tb_oid=12-05-2010&tb_mrud=12-05-2010

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - Google

FF - user.js: browser.search.order.1 - Google

FF - user.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-03 23:16

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???(]??????`?@?????L?@

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net

Windows 5.1.2600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.

device: opened successfully

user: error reading MBR

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys

1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x82BE5030]

3 CLASSPNP[0xF8534FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000008d[0x82BD0E10]

5 ACPI[0xF83AB620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Ide\IAAStorageDevice-0[0x82BE6030]

kernel: MBR read successfully

_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a; }

user != kernel MBR !!!

Filesystem trace:

called modules: ntkrnlpa.exe hal.dll aswMon2.SYS fltmgr.sys aswFsBlk.SYS sr.sys Ntfs.sys

1 ntkrnlpa!IofCallDriver[0x804EE130] -> [0xFFB23378]

3 aswMon2[0xA27579DD] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x81F4A2A0]

5 fltmgr[0xF8226E95] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82B46200]

7 sr[0xF8216870] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82B45770]

9 ntkrnlpa[0x80574DCB] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0xFFB23378]

11 aswMon2[0xA27579DD] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x81F4A2A0]

13 fltmgr[0xF8227098] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82B46200]

15 sr[0xF8211453] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82B45770]

Registry trace:

called modules: ntkrnlpa.exe aswSP.SYS hal.dll

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2724)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\progra~1\MI3AA1~1\wcescomm.exe

c:\progra~1\MI3AA1~1\rapimgr.exe

c:\windows\system32\msdtc.exe

c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Microsoft LifeCam\MSCamS32.exe

c:\windows\system32\PSIService.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\windows\system32\WTablet\Pen_TabletUser.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\mqsvc.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\system32\mqtgsvc.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wscntfy.exe

c:\windows\eHome\ehmsas.exe

c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

.

**************************************************************************

.

Completion time: 2010-11-03 23:19:50 - machine was rebooted

ComboFix-quarantined-files.txt 2010-11-04 03:19

ComboFix2.txt 2010-11-03 05:01

Pre-Run: 36,444,200,960 bytes free

Post-Run: 36,329,500,672 bytes free

- - End Of File - - 3EF69EA4779A8218032A3991A57E7196

nothing seems to be happening right now, aside from the fact my laptop can't connect to the internet right now, and another bubble that says avast!, automatic updates, and norton internet worm protection are turned off. avast! and automatic updates are fine. i'll turn them on later. though, i don't have anything that i know of related to norton... (don't like norton much either.) does that feature automatically come with windows xp or something?

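A cross-check a practitioner would want after a CFScript run, as an added example that is not part of this thread or of ComboFix: it parses the directives the helper used (KillAll::, File::, Folder::, Driver::), splits the posted log on its ((( section ))) banners, reports which File::/Folder::/Driver:: targets are actually confirmed under "Other Deletions" and "Drivers/Services" rather than merely echoed in the FILE :: header, and flags the residual indicators visible in the log above. The sample script and log excerpt are constructed from lines quoted in this post; the banner regex and indicator patterns are my assumptions, not ComboFix's documented format.

```python
"""Cross-check a ComboFix CFScript against the log ComboFix produced.

Added example, not code from this thread or from ComboFix. Directive names and
log banners are those visible in the thread; the regexes are my assumptions.
"""
import re

# Constructed sample: the CFScript the helper asked the poster to run.
SAMPLE_CFSCRIPT = """\
KillAll::

File::
c:\\windows\\system32\\XDva302.sys
c:\\windows\\system32\\XDva303.sys

Folder::
c:\\program files\\Viewpoint

Driver::
XDva302
XDva303
"""

# Constructed excerpt of the resulting log, built from lines quoted in the post.
SAMPLE_LOG = """\
((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))
.
c:\\program files\\Viewpoint
c:\\windows\\pchealth\\helpctr\\binaries\\helpctr.exe . . . is infected!!
((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))
-------\\Legacy_XDVA302
-------\\Service_XDva302
-------\\Service_XDva303
((((((((((((( Files Created from 2010-10-04 to 2010-11-04 )))))))))))))
"EnableFirewall"= 0 (0x0)
FF - prefs.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=
user != kernel MBR !!!
"""

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::$")  # e.g. "File::"
BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")  # "((( Title )))"

def parse_cfscript(text):
    """Return {directive: [entries]}; KillAll:: carries no entries."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def parse_log_sections(text):
    """Split a ComboFix log into {banner title: [lines]}, dropping "." separators."""
    sections, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and line != ".":
            sections[current].append(line)
    return sections

def check_removals(script, log_sections):
    """Map each File::/Folder::/Driver:: target to True only if the log confirms removal.

    The FILE :: echo at the top of a log merely repeats the script; removal is
    confirmed only under "Other Deletions" (files/folders) or "Drivers/Services".
    """
    deleted = [l.lower() for l in log_sections.get("Other Deletions", [])]
    services = [l.lower() for l in log_sections.get("Drivers/Services", [])]
    results = {}
    for target in script.get("File", []) + script.get("Folder", []):
        t = target.lower()
        results[target] = any(l == t or l.startswith(t + "\\") for l in deleted)
    for drv in script.get("Driver", []):
        results[drv] = any(l.endswith("\\service_" + drv.lower()) for l in services)
    return results

# Residual indicators worth a second look; the patterns are my assumptions.
INDICATORS = [
    (re.compile(r"is infected!!"), "file still flagged as infected after the run"),
    (re.compile(r"user != kernel MBR"), "user-mode and kernel-mode MBR reads differ; re-check before concluding"),
    (re.compile(r'"EnableFirewall"\s*=\s*0\b'), "Windows Firewall disabled in the standard profile"),
    (re.compile(r"keyword\.URL - hxxp://(?!www\.google\.com/)"), "Firefox keyword.URL overridden to a third-party search site"),
]

def flag_indicators(text):
    """Return (line, reason) pairs for every log line that matches an indicator."""
    return [(line.strip(), why) for line in text.splitlines()
            for pattern, why in INDICATORS if pattern.search(line)]
```

Running check_removals on the full log above shows the two XDva .sys files are not confirmed deleted even though the FILE :: header echoes them, while the Viewpoint folder and both driver services are.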

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

Save this file to your desktop; save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

Next:

Open Internet Explorer. Click on Tools, then Internet Options. Then click on the Connect tab.

Then press the LAN Settings button and uncheck the Use a proxy server checkbox. Then press OK until you are out of the options screen.

Next:

Check some settings on your system:

  1. Enter your Control Panel and double-click on Network Connections
  2. Then right click on your Default Connection
    • Usually Local Area Connection for Cable and DSL, or AOL Connection.
  3. Left click on Properties
  4. Double-click on the Internet Protocol (TCP/IP) item
  5. Select the radio dial that says Obtain DNS Servers Automatically
  6. Press OK twice to get out of the properties screen

Next:

=========================================================

Go to Start->Run->Type CMD and click OK. The MSDOS Window will be displayed. At the command prompt, type the following and press Enter after each line. Note the spaces; they need to be there.

IPCONFIG /release

IPCONFIG /renew

IPCONFIG /flushdns

IPCONFIG /registerdns

Type: Exit

Reboot and let me know how it's running.


the scan completed and found another infected file about pchealth.

the log for joo:

ComboFix 10-11-01.06 - Viv 11/05/2010 2:18.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.146 [GMT -4:00]

Running from: c:\documents and settings\BLuR\Desktop\iexplorer.exe

Command switches used :: c:\documents and settings\BLuR\Desktop\CFScript.txt

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\pchealth\helpctr\binaries\helpctr.exe . . . is infected!!

.

((((((((((((((((((((((((( Files Created from 2010-10-05 to 2010-11-05 )))))))))))))))))))))))))))))))

.

2010-10-20 21:07 . 2010-08-27 05:57 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll

2010-10-19 18:58 . 2010-10-19 18:58 -------- d-----w- c:\documents and settings\BLuR\Local Settings\Application Data\PCHealth

2010-10-19 17:51 . 2010-10-19 17:51 -------- d-----w- C:\10a2e13eb976de8e53

2010-10-19 05:35 . 2010-10-19 05:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-10-19 03:19 . 2010-10-19 03:19 -------- d-----w- c:\windows\system32\wbem\Repository

2010-10-19 03:16 . 2010-10-19 03:16 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-10-19 03:16 . 2010-10-19 03:16 -------- d-----w- c:\windows\system32\Adobe

2010-10-19 03:15 . 2010-10-19 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-10-19 03:15 . 2010-10-19 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

2010-10-18 04:50 . 2010-10-19 03:15 -------- d-----w- c:\documents and settings\BLuR\Local Settings\Application Data\Google

2010-10-17 03:02 . 2010-10-17 03:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2010-10-17 03:02 . 2010-10-17 03:02 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer

2010-10-17 01:40 . 2010-11-02 14:05 -------- d-----w- c:\documents and settings\LocalService\Temporary Internet Files

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 16:23 . 2006-03-16 04:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2006-03-16 04:00 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2006-03-16 04:00 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2006-03-16 04:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2006-03-16 04:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2006-03-16 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2006-03-16 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-07 15:12 . 2010-08-10 23:27 38848 ----a-w- c:\windows\avastSS.scr

2010-09-07 15:11 . 2010-08-10 23:27 167592 ----a-w- c:\windows\system32\aswBoot.exe

2010-09-07 14:52 . 2010-08-10 23:27 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-09-07 14:52 . 2010-08-10 23:27 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-09-07 14:47 . 2010-08-10 23:27 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-09-07 14:47 . 2010-08-10 23:27 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-09-07 14:47 . 2010-08-10 23:27 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-09-07 14:47 . 2010-08-10 23:27 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-09-07 14:46 . 2010-08-10 23:27 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-09-01 11:51 . 2006-03-16 04:00 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2006-03-16 04:00 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2005-10-18 05:14 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2006-03-16 04:00 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 13:39 . 2005-05-10 08:17 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2009-04-14 20:31 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2006-03-16 04:00 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17 . 2006-03-16 04:00 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45 . 2006-03-16 04:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-11-03_04.57.41 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-11-04 03:15 . 2010-11-04 03:15 16384 c:\windows\temp\Perflib_Perfdata_bc0.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-22 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-22 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]

"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]

"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]

"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-03-15 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2006-03-15 44032]

"VX3000"="c:\windows\vVX3000.exe" [2006-10-13 707376]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP Games\\Wheel of Fortune\\Wheel of Fortune.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Adobe\\Photoshop Elements 6.0\\AdobePhotoshopElementsMediaServer.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/10/2010 7:27 PM 165584]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/10/2010 7:27 PM 17744]

R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [4/21/2009 10:27 PM 2749736]

S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [4/21/2009 10:27 PM 15656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2010-09-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebReg.serv...&prodOS=012

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\BLuR\Start Menu\Programs\IMVU\Run IMVU.lnk

Trusted Zone: internet

Trusted Zone: mcafee.com

FF - ProfilePath - c:\documents and settings\BLuR\Application Data\Mozilla\Firefox\Profiles\dhoaz1mj.default\

FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=100000000000000002&tb_oid=12-05-2010&tb_mrud=12-05-2010

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - Google

FF - user.js: browser.search.order.1 - Google

FF - user.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-05 02:29

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???(]??????`?@?????L?@

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net

Windows 5.1.2600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.

device: opened successfully

user: error reading MBR

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys

1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x82BE5030]

3 CLASSPNP[0xF8534FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000008d[0x82BD0E10]

5 ACPI[0xF83AB620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Ide\IAAStorageDevice-0[0x82BE6030]

kernel: MBR read successfully

_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a; }

user != kernel MBR !!!

Filesystem trace:

called modules: ntkrnlpa.exe hal.dll catchme.sys aswMon2.SYS fltmgr.sys aswFsBlk.SYS sr.sys Ntfs.sys

1 ntkrnlpa!IofCallDriver[0x804EE130] -> [0xFFB23378]

3 aswMon2[0xA27579DD] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x81F4A2A0]

5 fltmgr[0xF8226E95] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82B46200]

7 sr[0xF8216870] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82B45770]

9 ntkrnlpa[0x80574DCB] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0xFFB23378]

11 aswMon2[0xA27579DD] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x81F4A2A0]

13 fltmgr[0xF8227098] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82B46200]

15 sr[0xF8211453] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82B45770]

Registry trace:

called modules: ntkrnlpa.exe aswSP.SYS hal.dll

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3668)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-11-05 02:32:34

ComboFix-quarantined-files.txt 2010-11-05 06:32

ComboFix2.txt 2010-11-04 03:19

ComboFix3.txt 2010-11-03 05:01

Pre-Run: 36,387,045,376 bytes free

Post-Run: 36,369,522,688 bytes free

- - End Of File - - 2A6A911CC6E1BCACE0886976E383DE1D

nothing is happening at the moment :3

after i rebooted, i noticed the norton thing was out of the list in the "your computer might be at risk" balloon, but it came back. oh well. if it doesn't hurt my laptop, i guess it can stay lol

and if you were trying to cure my internet problem, unfortunately, nothing has changed. the problem is rather confusing to me and i've tried many searches with google, but with no success. i'm hoping to purchase a netgear wireless router soon to replace the linksys one.

thank you for trying though ^__^


"your computer might be at risk" balloon, but came back
I believe that is Windows Security. Open it up and see what it shows. Click Start > Control Panel > Security Center.

As for your wireless:

Right-click on the wireless icon and make sure you are letting Windows manage the device.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    helpctr


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


SystemLook 04.09.10 by jpshortstuff

Log created at 14:30 on 06/11/2010 by Viv

Administrator - Elevation successful

========== filefind ==========

Searching for "helpctr"

No files found.

-= EOF =-


This topic is now closed to further replies.