
XP Home Security 2012 + Permissions Altered



Hello,

I currently have an infection with the virus in the title.

I began following the instructions at http://forums.malwarebytes.org/index.php?showtopic=9573.

1. Defogger installation and running was Successful.

2. DDS installation and running was Successful.

3. GMER installation was successful; GMER scan was Unsuccessful.

4. Obtaining MalwareBytes Log was Unsuccessful.

Processes 1 and 2 went largely smoothly amid constant popups and Firefox not working. XPHomeSec would give a popup warning about an infection, which was followed by a hijack in Firefox itself that would not allow any pages to load. Eventually got Firefox to work by opening a .html file on my hard drive, then using the "Home" button (method I am currently using to post, as Firefox now returns permission denied errors when I attempt to open it directly).

Process 3 installed; after scan was completed, would not save. Attempts to save brought up a warning dialogue that the system did not have available resources to show Desktop or My Documents files; "Save" window eventually opened with whited out boxes. Attempted to save three times after the warning dialogue, then restarted computer to free resources and view my desktop. Files were not saved.

Attempted scan #2; had to stop halfway to free up resources for another operation. Programs began denying access; had to start Firefox via method above. Any programs I attempt to open currently - including MWB (for log retrieval) and GMER return the permissions error. Related, XPHomeSec also is being denied access; programs no longer starting on load-up.

Before Permissions change, XPHomeSec was loading immediately on startup, alarmingly, even in Safe Mode. Administrator account appears to be clean of infection; unsure if running diagnostic tools on that account will be helpful or not.

I am posting what logs I have (DDS and Attach). I am not zipping either, as I have no way to obtain ark.txt to include.

.

DDS (Ver_2011-06-11.01) - NTFSx86 NETWORK

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Run by Owner at 20:34:48 on 2011-06-10

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1471.1015 [GMT -5:00]

.

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ZoneAlarm Firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Owner\Application Data\dwm.exe

C:\Documents and Settings\Owner\Application Data\Microsoft\conhost.exe

C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe

C:\Documents and Settings\Owner\Local Settings\Application Data\ueo.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.plusnetwork.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop

uInternet Settings,ProxyServer = http=127.0.0.1:49939

uWinlogon: Shell=explorer.exe,c:\documents and settings\owner\application data\dwm.exe

uWindows: Load=c:\docume~1\owner\locals~1\temp\csrss.exe

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Freecorder Toolbar: {70dd86e8-b5bc-4e4a-9d5c-b6234c24323c} - c:\program files\freecordertoolbar\vmntemplateX.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0357.1\npwinext.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0357.1\npwinext.dll

TB: Freecorder Toolbar: {70dd86e8-b5bc-4e4a-9d5c-b6234c24323c} - c:\program files\freecordertoolbar\vmntemplateX.dll

TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto

mRun: [conhost] c:\documents and settings\owner\application data\microsoft\conhost.exe

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000

IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\mi1933~1\office\1033\phdintl.dll/phdContext.htm

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 68.87.68.166 68.87.74.166

TCP: Interfaces\{3A2DC7A4-2E37-4E5E-A7DA-2250DCD5089C} : DhcpNameServer = 68.87.68.166 68.87.74.166

TCP: Interfaces\{EFA979A5-BFF9-40D0-93D5-2CADB454042C} : DhcpNameServer = 68.87.68.166 68.87.74.166

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\djvlt04l.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?client=firefox-a&rls=org.mozilla:en-US:official&channel=s&hl=en&source=hp&biw=1280&bih=831&btnG=Google+Search

FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101055100&s=

FF - prefs.js: network.proxy.type - 0

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll

FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\djvlt04l.default\extensions\{70dd86e8-b5bc-4e4a-9d5c-b6234c24323c}\components\dtTransparency.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\documents and settings\owner\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\owner\application data\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPPGWrap.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\msn toolbar\platform\4.0.0357.1\npwinext.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Aquatint Black: {7694c49c-9fbd-11dc-8314-0800200c9a66} - %profile%\extensions\{7694c49c-9fbd-11dc-8314-0800200c9a66}

FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard

FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}

FF - Ext: FreecorderToolbar: {70dd86e8-b5bc-4e4a-9d5c-b6234c24323c} - %profile%\extensions\{70dd86e8-b5bc-4e4a-9d5c-b6234c24323c}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext

.

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - Google

FF - user.js: browser.search.order.1 - Google

FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101055100&s=

FF - user.js: search.clsid - {1B7EEB65-4C21-4F31-93F8-478F0816A068}

FF - user.js: search.clsid - {1B7EEB65-4C21-4F31-93F8-478F0816A068}

FF - user.js: search.sid - 15101055100

FF - user.js: search.sid - 15101055100

FF - user.js: extensions.newAddons - false

FF - user.js: extensions.newAddons - false

FF - user.js: search.clsid - {1B7EEB65-4C21-4F31-93F8-478F0816A068}

FF - user.js: search.sid - 15101055100

FF - user.js: extensions.newAddons - false

FF - user.js: search.clsid - {1B7EEB65-4C21-4F31-93F8-478F0816A068}

FF - user.js: search.sid - 15101055100

FF - user.js: extensions.newAddons - false

============= SERVICES / DRIVERS ===============

.

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-25 108552]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-25 335240]

S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-25 27784]

S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-11-27 908056]

S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-27 297752]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-11-27 366640]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-9-13 24652]

S3 FA31x;Netgear FA311/312 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\FA31xND5.SYS [2001-4-17 16025]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-1-25 22712]

S4 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2009-4-17 155136]

S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2009-4-17 5248]

.

=============== Created Last 30 ================

.

2011-06-10 23:30:43 188416 ------w- c:\documents and settings\owner\application data\dwm.exe

2011-06-10 23:30:20 348160 ------w- c:\documents and settings\owner\local settings\application data\ueo.exe

2011-06-10 23:30:20 176640 ----a-w- c:\documents and settings\owner\application data\microsoft\conhost.exe

2011-05-27 07:27:34 -------- d-----w- c:\documents and settings\owner\application data\vmntemplate

2011-05-27 07:27:04 -------- d-----w- c:\documents and settings\owner\application data\freecordertoolbar

2011-05-27 07:27:03 -------- d-----w- c:\program files\freecordertoolbar

2011-05-27 07:07:27 -------- d-----w- c:\documents and settings\owner\local settings\application data\FLVService

2011-05-27 07:07:11 -------- d-----w- c:\windows\Freecorder

2011-05-27 07:07:11 -------- d-----w- c:\program files\Freecorder

.

==================== Find3M ====================

.

2011-05-29 14:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 14:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

.

============= FINISH: 20:35:01.25 ===============




Hi and welcome to Malwarebytes.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs a runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is named like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.


Hi,

Thanks for the reply. As I mentioned above, I cannot access any programs; when I double click it, I continue to get the "Windows cannot access the specific device, path, or file. You may not have the appropriate permissions to access the item." error.

Will downloading and executing this while logged into the Administrator account work? Or will it need to be run on the same account as has the infection? Alternatively, would you know how to alter my permissions so that I can run TDSSKiller?

Thanks in advance


Aha! I'm not sure what happened, but suddenly I got a Javascript warning message, blocked the content, and now for some reason I can open programs again. The downside is XPHomeSec is back in force; the up side is I'm able to run TDSSKiller as well. I'll post the log when it's done.


Odd. No infection detected while HomeSec is spamming warnings over the program running. MWB didn't find any infections either on my last run.

Posting the TDSSKiller log (it didn't ask for a restart):

2011/06/14 19:31:01.0708 3744 TDSS rootkit removing tool 2.5.4.0 Jun 7 2011 17:31:48

2011/06/14 19:31:02.0223 3744 ================================================================================

2011/06/14 19:31:02.0223 3744 SystemInfo:

2011/06/14 19:31:02.0223 3744

2011/06/14 19:31:02.0223 3744 OS Version: 5.1.2600 ServicePack: 2.0

2011/06/14 19:31:02.0223 3744 Product type: Workstation

2011/06/14 19:31:02.0223 3744 ComputerName: YOUR-VP7X3S9CTM

2011/06/14 19:31:02.0223 3744 UserName: Owner

2011/06/14 19:31:02.0223 3744 Windows directory: C:\WINDOWS

2011/06/14 19:31:02.0223 3744 System windows directory: C:\WINDOWS

2011/06/14 19:31:02.0223 3744 Processor architecture: Intel x86

2011/06/14 19:31:02.0223 3744 Number of processors: 1

2011/06/14 19:31:02.0223 3744 Page size: 0x1000

2011/06/14 19:31:02.0223 3744 Boot type: Normal boot

2011/06/14 19:31:02.0223 3744 ================================================================================

2011/06/14 19:31:04.0114 3744 Initialize success

2011/06/14 19:33:34.0739 2184 ================================================================================

2011/06/14 19:33:34.0739 2184 Scan started

2011/06/14 19:33:34.0739 2184 Mode: Manual;

2011/06/14 19:33:34.0739 2184 ================================================================================

2011/06/14 19:33:35.0817 2184 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/06/14 19:33:36.0036 2184 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/06/14 19:33:36.0520 2184 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys

2011/06/14 19:33:36.0770 2184 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys

2011/06/14 19:33:37.0051 2184 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys

2011/06/14 19:33:37.0364 2184 AgereSoftModem (593aefc67283d409f34cc1245d00a509) C:\WINDOWS\system32\DRIVERS\AGRSM.sys

2011/06/14 19:33:38.0348 2184 ALCXSENS (fbbcb95f677cbaa924140b6ea2d9a97b) C:\WINDOWS\system32\drivers\ALCXSENS.SYS

2011/06/14 19:33:38.0801 2184 ALCXWDM (8d6c30e515717248e0e52b85fd7ac466) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

2011/06/14 19:33:39.0629 2184 AmdK7 (680ad1c1bb16239e28d8f33a54a7a3c7) C:\WINDOWS\system32\DRIVERS\amdk7.sys

2011/06/14 19:33:40.0098 2184 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2011/06/14 19:33:41.0161 2184 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/06/14 19:33:41.0426 2184 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/06/14 19:33:41.0879 2184 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/06/14 19:33:42.0145 2184 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/06/14 19:33:42.0504 2184 AvgLdx86 (bc12f2404bb6f2b6b2ff3c4c246cb752) C:\WINDOWS\System32\Drivers\avgldx86.sys

2011/06/14 19:33:42.0770 2184 AvgMfx86 (5903d729d4f0c5bca74123c96a1b29e0) C:\WINDOWS\System32\Drivers\avgmfx86.sys

2011/06/14 19:33:43.0020 2184 AvgTdiX (92d8e1e8502e649b60e70074eb29c380) C:\WINDOWS\System32\Drivers\avgtdix.sys

2011/06/14 19:33:43.0286 2184 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/06/14 19:33:44.0770 2184 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/06/14 19:33:44.0973 2184 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2011/06/14 19:33:45.0411 2184 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/06/14 19:33:45.0629 2184 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/06/14 19:33:45.0864 2184 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/06/14 19:33:46.0489 2184 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2011/06/14 19:33:47.0020 2184 d347bus (5776322f93cdb91086111f5ffbfda2a0) C:\WINDOWS\system32\DRIVERS\d347bus.sys

2011/06/14 19:33:47.0270 2184 d347prt (b49f79ace459763f4e0380071be9cb45) C:\WINDOWS\System32\Drivers\d347prt.sys

2011/06/14 19:33:47.0973 2184 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/06/14 19:33:48.0239 2184 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys

2011/06/14 19:33:48.0567 2184 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys

2011/06/14 19:33:48.0833 2184 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/06/14 19:33:49.0067 2184 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys

2011/06/14 19:33:49.0536 2184 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/06/14 19:33:49.0817 2184 FA312 (aa855fb8a866281aacb393c1feab91ae) C:\WINDOWS\system32\DRIVERS\FA312nd5.sys

2011/06/14 19:33:50.0036 2184 FA31x (b07ff7273b06bfda0df5f984f2e3b588) C:\WINDOWS\system32\DRIVERS\FA31xND5.SYS

2011/06/14 19:33:50.0286 2184 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/06/14 19:33:50.0536 2184 fasttx2k (1e580770bdece924494b368ac980749e) C:\WINDOWS\system32\DRIVERS\fasttx2k.sys

2011/06/14 19:33:50.0833 2184 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys

2011/06/14 19:33:51.0067 2184 FETND5BV (cfc4cc73c903152a23e1db28eaba1f03) C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys

2011/06/14 19:33:51.0317 2184 FETNDISB (b7186b33b6cf3a23841015531e6e7d68) C:\WINDOWS\system32\DRIVERS\fetnd5b.sys

2011/06/14 19:33:51.0551 2184 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys

2011/06/14 19:33:51.0786 2184 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2011/06/14 19:33:52.0036 2184 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/06/14 19:33:52.0270 2184 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/06/14 19:33:52.0504 2184 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/06/14 19:33:52.0754 2184 GEARAspiWDM (46f23cfc888b0a4397aae705c8af92af) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2011/06/14 19:33:53.0051 2184 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/06/14 19:33:53.0333 2184 HidBatt (13c0d55da4b7148ef980e130b85d9f2c) C:\WINDOWS\system32\DRIVERS\HidBatt.sys

2011/06/14 19:33:53.0598 2184 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/06/14 19:33:54.0051 2184 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2011/06/14 19:33:54.0286 2184 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2011/06/14 19:33:54.0520 2184 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2011/06/14 19:33:54.0786 2184 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/06/14 19:33:55.0473 2184 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/06/14 19:33:55.0739 2184 ialm (da58a8be6a445835f603720c4bc8837e) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys

2011/06/14 19:33:56.0036 2184 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/06/14 19:33:56.0536 2184 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/06/14 19:33:56.0770 2184 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/06/14 19:33:57.0020 2184 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/06/14 19:33:57.0270 2184 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/06/14 19:33:57.0489 2184 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/06/14 19:33:57.0708 2184 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/06/14 19:33:58.0004 2184 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/06/14 19:33:58.0254 2184 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/06/14 19:33:58.0473 2184 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/06/14 19:33:58.0723 2184 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys

2011/06/14 19:33:58.0989 2184 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/06/14 19:33:59.0254 2184 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys

2011/06/14 19:33:59.0504 2184 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/06/14 19:34:00.0051 2184 LVUSBSta (c5efbd05a5195402121711a6ebbb271f) C:\WINDOWS\system32\drivers\lvusbsta.sys

2011/06/14 19:34:00.0270 2184 MBAMProtector (3d2c13377763eeac0ca6fb46f57217ed) C:\WINDOWS\system32\drivers\mbam.sys

2011/06/14 19:34:00.0551 2184 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/06/14 19:34:00.0833 2184 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys

2011/06/14 19:34:01.0083 2184 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/06/14 19:34:01.0333 2184 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/06/14 19:34:01.0583 2184 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/06/14 19:34:02.0067 2184 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/06/14 19:34:02.0333 2184 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/06/14 19:34:02.0583 2184 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys

2011/06/14 19:34:02.0848 2184 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/06/14 19:34:03.0098 2184 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/06/14 19:34:03.0348 2184 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/06/14 19:34:03.0583 2184 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/06/14 19:34:03.0817 2184 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys

2011/06/14 19:34:04.0051 2184 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys

2011/06/14 19:34:04.0301 2184 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2011/06/14 19:34:04.0536 2184 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys

2011/06/14 19:34:04.0770 2184 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2011/06/14 19:34:05.0004 2184 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/06/14 19:34:05.0239 2184 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/06/14 19:34:05.0536 2184 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/06/14 19:34:05.0801 2184 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/06/14 19:34:06.0067 2184 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/06/14 19:34:06.0317 2184 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/06/14 19:34:06.0645 2184 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2011/06/14 19:34:06.0942 2184 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys

2011/06/14 19:34:07.0223 2184 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/06/14 19:34:07.0504 2184 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/06/14 19:34:08.0036 2184 nv (9f4384aa43548ddd438f7b7825d11699) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2011/06/14 19:34:08.0567 2184 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/06/14 19:34:08.0786 2184 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/06/14 19:34:09.0020 2184 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2011/06/14 19:34:09.0317 2184 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/06/14 19:34:09.0567 2184 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/06/14 19:34:09.0786 2184 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/06/14 19:34:10.0020 2184 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/06/14 19:34:10.0426 2184 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/06/14 19:34:10.0661 2184 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/06/14 19:34:12.0208 2184 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys

2011/06/14 19:34:12.0473 2184 PLSCSI (e230ed02150f702a9be1a0e64525afeb) C:\WINDOWS\system32\DRIVERS\sci0pl.sys

2011/06/14 19:34:12.0754 2184 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/06/14 19:34:13.0004 2184 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys

2011/06/14 19:34:13.0270 2184 Ps2 (bffdb363485501a38f0bca83aec810db) C:\WINDOWS\system32\DRIVERS\PS2.sys

2011/06/14 19:34:13.0536 2184 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/06/14 19:34:13.0770 2184 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/06/14 19:34:14.0051 2184 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys

2011/06/14 19:34:14.0364 2184 QCMerced (9a155d31b8e52f41b258282092cc93a7) C:\WINDOWS\system32\DRIVERS\LVCM.sys

2011/06/14 19:34:15.0911 2184 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/06/14 19:34:16.0176 2184 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/06/14 19:34:16.0442 2184 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/06/14 19:34:16.0676 2184 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/06/14 19:34:16.0926 2184 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/06/14 19:34:17.0161 2184 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/06/14 19:34:17.0458 2184 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/06/14 19:34:17.0739 2184 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/06/14 19:34:18.0020 2184 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys

2011/06/14 19:34:18.0333 2184 RTL8023xp (1e11171c0b9989e1bdaa59e96b2e81c4) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys

2011/06/14 19:34:18.0583 2184 rtl8139 (2ef9c0dc26b30b2318b1fc3faa1f0ae7) C:\WINDOWS\system32\DRIVERS\R8139n51.SYS

2011/06/14 19:34:18.0926 2184 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/06/14 19:34:19.0192 2184 Serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/06/14 19:34:19.0426 2184 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/06/14 19:34:19.0754 2184 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/06/14 19:34:20.0286 2184 SiS315 (94f6eea8a688a37f71bf9c9aeaa42666) C:\WINDOWS\system32\DRIVERS\sisgrp.sys

2011/06/14 19:34:20.0583 2184 SISAGP (61ca562def09a782d26b3e7edec5369a) C:\WINDOWS\system32\DRIVERS\SISAGPX.sys

2011/06/14 19:34:20.0833 2184 SiSkp (837d26f79a1647066d75c5c811887475) C:\WINDOWS\system32\DRIVERS\srvkp.sys

2011/06/14 19:34:21.0067 2184 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2011/06/14 19:34:21.0520 2184 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys

2011/06/14 19:34:21.0833 2184 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\System32\Drivers\sptd.sys

2011/06/14 19:34:22.0098 2184 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\System32\DRIVERS\sr.sys

2011/06/14 19:34:22.0395 2184 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/06/14 19:34:22.0692 2184 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2011/06/14 19:34:22.0926 2184 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/06/14 19:34:23.0192 2184 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

2011/06/14 19:34:24.0348 2184 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/06/14 19:34:24.0645 2184 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/06/14 19:34:24.0911 2184 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/06/14 19:34:25.0161 2184 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/06/14 19:34:25.0411 2184 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/06/14 19:34:25.0973 2184 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys

2011/06/14 19:34:26.0442 2184 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys

2011/06/14 19:34:26.0770 2184 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys

2011/06/14 19:34:27.0020 2184 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/06/14 19:34:27.0239 2184 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/06/14 19:34:27.0489 2184 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/06/14 19:34:27.0770 2184 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2011/06/14 19:34:27.0989 2184 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/06/14 19:34:28.0254 2184 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/06/14 19:34:28.0489 2184 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/06/14 19:34:28.0708 2184 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/06/14 19:34:29.0333 2184 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys

2011/06/14 19:34:29.0583 2184 viaagp1 (4b039bbd037b01f5db5a144c837f283a) C:\WINDOWS\system32\DRIVERS\viaagp1.sys

2011/06/14 19:34:29.0817 2184 viagfx (45489356501ec6cbb789dece991d393f) C:\WINDOWS\system32\DRIVERS\vtmini.sys

2011/06/14 19:34:30.0083 2184 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys

2011/06/14 19:34:30.0348 2184 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/06/14 19:34:30.0629 2184 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/06/14 19:34:31.0051 2184 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/06/14 19:34:31.0567 2184 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2011/06/14 19:34:31.0817 2184 WudfPf (729f76cd53af1685ca4c4c058519c58c) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/06/14 19:34:32.0067 2184 WudfRd (a2aafcc8a204736296d937c7c545b53f) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/06/14 19:34:32.0286 2184 MBR (0x1B8) (bad0263fbe81b49f5f07b32dc9d198b3) \Device\Harddisk0\DR0

2011/06/14 19:34:32.0348 2184 MBR (0x1B8) (20c15ef2111b8472bbfe5e65b7c949e6) \Device\Harddisk5\DR11

2011/06/14 19:34:32.0411 2184 ================================================================================

2011/06/14 19:34:32.0411 2184 Scan finished

2011/06/14 19:34:32.0411 2184 ================================================================================

2011/06/14 19:34:32.0473 2808 Detected object count: 0

2011/06/14 19:34:32.0473 2808 Actual detected object count: 0


  • Staff

Hi,

Please download exeHelper from one of these two places:

http://www.raktor.net/exeHelper/exeHelper.com

http://www.raktor.net/exeHelper/exeHelper.scr

Save it to your Desktop and run it. When it finishes, restart your computer and see if you can run .exe files now.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


exeHelper ran correctly and I seem to be able to run .exe files now.

ComboFix requires that I uninstall AVG to continue. When attempting to uninstall AVG, the process fails with the following error detail:

Local machine: installation failed

Installation:

Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....

Error 0x80070005

Disabling the resident shield feature in AVG does not change the error message from ComboFix.


Same uninstallation error. Tried in an admin account - Same uninstallation error.

Is it possible that one of the earlier programs you had me run disabled the ability to write to the registry?

Also, I'm now getting Google redirects as well. Clicking on the link in Google search results to MWB now takes me to "best-antimalware" about 50% of the time and a lookalike site.

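As an added example for readers of this thread (it is not ComboFix code, nor anything the poster or the helper ran), here is a small Python triage script run over lines copied from the ComboFix log that follows in the next reply. It picks out the settings a helper reads first: a populated AppInit_DLLs value, a proxy pointed at the loopback address, Security Center and firewall overrides, and any load point (BHO, Run key, service, firewall exception) that names a binary created during the scan window. The sample log is a constructed excerpt of the posted log, and the function names and severity labels are my own.

```python
"""Triage a ComboFix-style log for the load points a helper looks at first.

Added example for this thread; it is not ComboFix code and ComboFix has no
such API.  It only parses text, so it runs anywhere Python does.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix log posted in this thread,
# trimmed to the sections the checks below look at.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-05-20 to 2011-06-20 )))))))))))))))))))))))))))))))
2011-06-19 07:11 . 2011-06-19 07:11 783360 ----a-w- c:\windows\system32\HPTcpMUI32.exe
2011-06-19 07:11 . 2011-06-19 07:11 184320 ----a-w- c:\windows\system32\LCodcCMP32.dll
2011-06-19 07:11 . 2011-06-19 07:11 783360 ----a-w- c:\windows\system32\ipxsap32.exe
2011-06-19 07:11 . 2011-06-19 07:11 350208 ----a-w- c:\windows\system32\authz32.dll
2011-06-19 01:55 . 2011-06-19 01:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{012E9E67-D46F-4A4D-9B05-25D4F7C11D7e}]
2011-06-19 07:11 350208 ----a-w- c:\windows\system32\authz32.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73E8EEA6-4798-8D95-283F-F6CD841AD427}]
2011-06-19 07:11 184320 ----a-w- c:\windows\system32\LCodcCMP32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\LCodcCMP32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\ipxsap32.exe"=
R2 Eventlog32;Event Log ;c:\windows\system32\ipxsap32.exe [6/19/2011 2:11 AM 783360]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/27/2008 2:26 PM 366640]
------- Supplementary Scan -------
uInternet Settings,ProxyServer = http=127.0.0.1:57333
FF - prefs.js: network.proxy.type - 0
"""

MARKERS = (("Files Created", "created"), ("Find3M", "find3m"),
           ("Reg Loading Points", "reg"), ("Supplementary Scan", "supp"))
BIN_EXT = (".exe", ".dll", ".sys", ".cpl")
# "Files Created" rows look like: created . modified size attrs path
CREATED_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \S+ \S+ (\d+) \S+ (.+)$")
# Service rows look like: "R2 name;display name;path [date size]"
SERVICE_LINE = re.compile(r"^[RS]\d \S+;.*?;(.+?) \[")


def section_of(line, current):
    """Return the section a marker line starts, else the section we are in."""
    for marker, name in MARKERS:
        if marker in line:
            return name
    return current


def collect_new_binaries(lines):
    """Map basename -> (path, size) for binaries listed under 'Files Created'."""
    found, section = {}, None
    for line in lines:
        section = section_of(line, section)
        m = CREATED_LINE.match(line) if section == "created" else None
        if m and m.group(2).lower().endswith(BIN_EXT):
            path = m.group(2).lower()
            found[path.rsplit("\\", 1)[-1]] = (path, int(m.group(1)))
    return found


def triage(text):
    """Return a list of (severity, message) findings for a ComboFix log."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    new_bins = collect_new_binaries(lines)
    findings, section, key = [], None, None
    for line in lines:
        new_section = section_of(line, section)
        if new_section != section:          # new section: forget the last key header
            section, key = new_section, None
        low = line.lower()
        if line.startswith("["):            # registry key header
            key = line.strip("[]")
            continue
        # A non-empty AppInit_DLLs value is loaded by every process that maps user32.dll.
        if low.startswith('"appinit_dlls"='):
            value = line.split("=", 1)[1].strip()
            if value:
                findings.append(("HIGH", f"AppInit_DLLs loads {value} into every user32 process"))
        # A proxy on the loopback address lets a local process rewrite all browser traffic.
        if "proxyserver" in low and re.search(r"127\.0\.0\.1|localhost", low):
            findings.append(("HIGH", f"local proxy configured: {line}"))
        if re.match(r'"(antivirusoverride|firewalloverride)"=dword:00000001', low):
            findings.append(("MED", f"Security Center alert suppressed: {line}"))
        if low.startswith('"enablefirewall"= 0'):
            findings.append(("MED", "Windows Firewall disabled in the standard profile"))
        # Any load point that names a binary created in the scan window deserves a look.
        if section != "created":
            svc = SERVICE_LINE.match(line)
            where = f"service {line.split(';')[0]}" if svc else (key or section)
            for base, (_, size) in new_bins.items():
                if base in low:
                    findings.append(("HIGH", f"new binary {base} ({size} bytes) wired into {where}"))
    # Several fresh binaries of identical size usually come from one dropper.
    by_size = defaultdict(list)
    for base, (_, size) in new_bins.items():
        by_size[size].append(base)
    for size, names in sorted(by_size.items()):
        if len(names) > 1:
            findings.append(("INFO", f"{len(names)} new binaries share size {size}: {', '.join(sorted(names))}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

The "Files Created" list always mixes legitimate updates (the Flash control panel applet here) with dropped files, so the script does not flag a new binary on its own; it only reports one when a load point elsewhere in the log references it. The loopback proxy entry it reports is the kind of setting that produces search-result redirects like the ones described in the post above, since every browser request passes through the local process listening on that port.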

Alright, I did some regedit work on the named key's permissions and got it working. I had to enable full control on all users to finally get it to take; so, ideally one of these programs will put that back to how it's supposed to be. If not, I suppose I'll have to dig up an old registry backup to restore to.

ComboFix ran successfully; below is the log. DDS has been acting... strangely. It will run, and finish (I suppose), but closes itself and does not open any logs. Not sure what to do with that one.

ComboFix Log

ComboFix 11-06-17.04 - Owner 06/19/2011 19:33:29.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1471.1085 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\yv11ksbx.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}

c:\documents and settings\Administrator.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\yv11ksbx.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}\chrome.manifest

c:\documents and settings\Administrator.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\yv11ksbx.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}\chrome\xulcache.jar

c:\documents and settings\Administrator.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\yv11ksbx.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}\defaults\preferences\xulcache.js

c:\documents and settings\Administrator.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\yv11ksbx.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}\install.rdf

c:\documents and settings\Administrator.YOUR-VP7X3S9CTM\WINDOWS

c:\documents and settings\Administrator\WINDOWS

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\Default User\WINDOWS

c:\documents and settings\LocalService\Application Data\020000008e3dca9f1270C.manifest

c:\documents and settings\LocalService\Application Data\020000008e3dca9f1270O.manifest

c:\documents and settings\LocalService\Application Data\020000008e3dca9f1270P.manifest

c:\documents and settings\LocalService\Application Data\020000008e3dca9f1270S.manifest

c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\sjpdu8zf.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}

c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\sjpdu8zf.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}\chrome.manifest

c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\sjpdu8zf.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}\chrome\xulcache.jar

c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\sjpdu8zf.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}\defaults\preferences\xulcache.js

c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\sjpdu8zf.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}\install.rdf

c:\documents and settings\Owner\0.7223978056218905.exe

c:\documents and settings\Owner\Application Data\dwm.exe

c:\documents and settings\Owner\Application Data\Microsoft\conhost.exe

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\djvlt04l.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\djvlt04l.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}\chrome.manifest

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\djvlt04l.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}\chrome\xulcache.jar

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\djvlt04l.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}\defaults\preferences\xulcache.js

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\djvlt04l.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}\install.rdf

c:\documents and settings\Owner\Local Settings\Application Data\epy.exe.vir

c:\documents and settings\Owner\WINDOWS

c:\documents and settings\Public.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\3khvlp88.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}

c:\documents and settings\Public.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\3khvlp88.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}\chrome.manifest

c:\documents and settings\Public.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\3khvlp88.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}\chrome\xulcache.jar

c:\documents and settings\Public.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\3khvlp88.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}\defaults\preferences\xulcache.js

c:\documents and settings\Public.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\3khvlp88.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}\install.rdf

c:\documents and settings\Public.YOUR-VP7X3S9CTM\WINDOWS

c:\documents and settings\Public\WINDOWS

c:\windows\system32\config\systemprofile\WINDOWS

c:\windows\system32\regobj.dll

.

----- BITS: Possible infected sites -----

.

hxxp://apnmedia.ask.com

.

((((((((((((((((((((((((( Files Created from 2011-05-20 to 2011-06-20 )))))))))))))))))))))))))))))))

.

.

2011-06-19 08:13 . 2011-06-19 08:13 0 ---ha-w- c:\documents and settings\Owner\vkrurzavxs.tmp

2011-06-19 07:22 . 2011-05-04 07:25 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-06-19 07:11 . 2011-06-19 07:11 783360 ----a-w- c:\windows\system32\HPTcpMUI32.exe

2011-06-19 07:11 . 2011-06-19 07:11 184320 ----a-w- c:\windows\system32\LCodcCMP32.dll

2011-06-19 07:11 . 2011-06-19 07:11 783360 ----a-w- c:\windows\system32\ipxsap32.exe

2011-06-19 07:11 . 2011-06-19 07:11 350208 ----a-w- c:\windows\system32\authz32.dll

2011-06-19 01:55 . 2011-06-19 01:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-11 01:02 . 2011-06-20 00:44 -------- d-----w- c:\documents and settings\Administrator.YOUR-VP7X3S9CTM

2011-05-27 07:27 . 2011-05-27 07:27 -------- d-----w- c:\documents and settings\Owner\Application Data\vmntemplate

2011-05-27 07:27 . 2011-06-19 01:47 -------- d-----w- c:\documents and settings\Owner\Application Data\freecordertoolbar

2011-05-27 07:27 . 2011-05-27 07:27 -------- d-----w- c:\program files\freecordertoolbar

2011-05-27 07:07 . 2011-06-10 23:20 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\FLVService

2011-05-27 07:07 . 2011-06-06 23:10 -------- d-----w- c:\program files\Freecorder

2011-05-27 07:07 . 2011-05-27 07:26 -------- d-----w- c:\windows\Freecorder

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-29 14:11 . 2009-01-25 08:54 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 14:11 . 2009-01-25 08:54 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-04 09:52 . 2010-12-28 02:46 472808 ----a-w- c:\windows\system32\deployJava1.dll

2007-08-14 00:24 . 2006-12-09 06:53 32768 ----a-w- c:\program files\mozilla firefox\plugins\MsnChat40en-ca.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{012E9E67-D46F-4A4D-9B05-25D4F7C11D7e}]

2011-06-19 07:11 350208 ----a-w- c:\windows\system32\authz32.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70dd86e8-b5bc-4e4a-9d5c-b6234c24323c}]

2011-03-16 11:59 81920 ----a-w- c:\program files\freecordertoolbar\vmntemplateX.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73E8EEA6-4798-8D95-283F-F6CD841AD427}]

2011-06-19 07:11 184320 ----a-w- c:\windows\system32\LCodcCMP32.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{70dd86e8-b5bc-4e4a-9d5c-b6234c24323c}"= "c:\program files\freecordertoolbar\vmntemplateX.dll" [2011-03-16 81920]

.

[HKEY_CLASSES_ROOT\clsid\{70dd86e8-b5bc-4e4a-9d5c-b6234c24323c}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\LCodcCMP32.dll

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk

backup=c:\windows\pss\Updates from HP.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk

backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk

backup=c:\windows\pss\HP Organize.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\IMStart.lnk

backup=c:\windows\pss\IMStart.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-21 04:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-09-23 09:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

2004-06-29 15:06 88363 ----a-w- c:\windows\AGRSMMSG.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]

2004-09-07 19:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]

2007-09-14 01:50 1603152 -c--a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]

2007-10-26 01:10 652624 -c--a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-08-04 07:56 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

2004-08-22 22:05 81920 -c--a-w- c:\program files\D-Tools\daemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]

2008-04-24 18:25 202560 -c--a-w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDetector]

2010-04-30 20:48 28672 -c--a-w- c:\program files\FTR\ForTheRecord\FTR.TREdge.DeviceDetector.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freecorder FLV Service]

2011-03-24 07:11 167936 ----a-w- c:\program files\Freecorder\FLVSrvc.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-08-28 17:06 136176 ----atw- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2008-10-25 17:44 31072 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2010-03-12 19:08 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]

2003-08-21 11:15 483328 ----a-w- c:\windows\system32\hphmon05.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]

2003-08-21 11:23 49152 -c--a-w- c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]

1998-05-08 00:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2004-01-17 03:16 229376 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]

2005-06-08 19:44 196608 -c--a-w- c:\program files\Logitech\Video\ManifestEngine.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]

2005-06-08 20:24 458752 -c--a-w- c:\program files\Logitech\Video\ISStart.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]

2005-06-08 20:14 217088 -c--a-w- c:\program files\Logitech\Video\LogiTray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]

2005-07-19 22:32 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]

2011-05-29 14:11 1047656 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2011-05-29 14:11 449584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

2009-02-04 22:57 4363504 -c--a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]

2009-07-17 17:12 288080 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Toolbar]

2009-11-16 15:27 240992 ----a-w- c:\program files\MSN Toolbar\Platform\4.0.0357.1\mswinext.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2010-04-17 04:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2008-05-16 20:01 13529088 ----a-w- c:\windows\system32\nvcpl.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

2008-05-16 20:01 86016 ----a-w- c:\windows\system32\nvmctray.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2008-05-16 20:01 1630208 ----a-w- c:\windows\system32\nwiz.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]

2002-10-16 23:57 81920 ----a-w- c:\windows\system32\ps2.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2004-04-01 09:01 98304 ----a-w- c:\program files\QuickTime\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]

2004-04-14 20:43 233472 -c--a-w- c:\windows\SMINST\Recguard.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-04-11 00:01 1217872 -c--a-w- c:\program files\Steam\steam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2011-04-08 17:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2011-01-11 10:04 274608 ----a-w- c:\program files\Real\realplayer\Update\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

2003-08-19 06:01 110592 -c--a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]

2009-08-20 17:41 288560 -c--a-w- c:\program files\uTorrent\uTorrent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

2004-01-16 11:33 49152 ------w- c:\windows\system32\VTTimer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Steam\\steamapps\\qinael\\counter-strike\\hl.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Turbine\\Dungeons and Dragons Online - Eberron Unlimited\\dndclient.exe"=

"c:\\Program Files\\Turbine\\Dungeons and Dragons Online - Eberron Unlimited\\dndlauncher.exe"=

"c:\\Program Files\\Turbine\\DDO Unlimited\\dndlauncher.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=

"c:\\Program Files\\Mozilla Sunbird\\sunbird.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\javaw.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\WINDOWS\\system32\\ipxsap32.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58791:TCP"= 58791:TCP:Pando Media Booster

"58791:UDP"= 58791:UDP:Pando Media Booster

"51235:TCP"= 51235:TCP:Maptool

.

R2 Eventlog32;Event Log ;c:\windows\system32\ipxsap32.exe [6/19/2011 2:11 AM 783360]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/27/2008 2:26 PM 366640]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/13/2009 1:31 AM 24652]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/25/2009 3:54 AM 22712]

S3 FA31x;Netgear FA311/312 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\FA31xND5.SYS [4/17/2001 7:41 PM 16025]

S4 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [4/17/2009 12:37 AM 155136]

S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [4/17/2009 12:37 AM 5248]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/25/2009 3:52 AM 717296]

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-18 c:\windows\Tasks\At1.job

- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-04-15 19:13]

.

2011-06-19 c:\windows\Tasks\At2.job

- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-04-15 19:13]

.

2011-06-18 c:\windows\Tasks\At3.job

- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-04-15 19:13]

.

2011-06-18 c:\windows\Tasks\At4.job

- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-04-15 19:13]

.

2011-06-20 c:\windows\Tasks\Game_Booster_Startup.job

- c:\program files\IObit\Game Booster\GameBox.exe [2010-12-23 01:08]

.

2011-06-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2561638254-2130658251-2759704929-1003Core1cc221fa9dd6f36.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-28 17:06]

.

2011-06-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2561638254-2130658251-2759704929-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

.

2011-06-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2561638254-2130658251-2759704929-500.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

.

2011-06-20 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2561638254-2130658251-2759704929-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

.

2011-06-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2561638254-2130658251-2759704929-500.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop

uInternet Settings,ProxyServer = http=127.0.0.1:57333

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MI1933~1\Office\1033\phdintl.dll/phdContext.htm

TCP: DhcpNameServer = 68.87.68.166 68.87.74.166

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\djvlt04l.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?client=firefox-a&rls=org.mozilla:en-US:official&channel=s&hl=en&source=hp&biw=1280&bih=831&btnG=Google+Search

FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101055100&s=

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}

FF - Ext: Aquatint Black: {7694c49c-9fbd-11dc-8314-0800200c9a66} - %profile%\extensions\{7694c49c-9fbd-11dc-8314-0800200c9a66}

FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard

FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}

FF - Ext: FreecorderToolbar: {70dd86e8-b5bc-4e4a-9d5c-b6234c24323c} - %profile%\extensions\{70dd86e8-b5bc-4e4a-9d5c-b6234c24323c}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

FF - user.js: browser.search.selectedEngine - Google

FF - user.js: browser.search.order.1 - Google

FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101055100&s=

FF - user.js: search.clsid - {1B7EEB65-4C21-4F31-93F8-478F0816A068}

FF - user.js: search.clsid - {1B7EEB65-4C21-4F31-93F8-478F0816A068}

FF - user.js: search.sid - 15101055100

FF - user.js: search.sid - 15101055100

FF - user.js: extensions.newAddons - false

FF - user.js: extensions.newAddons - false

FF - user.js: search.clsid - {1B7EEB65-4C21-4F31-93F8-478F0816A068}

FF - user.js: search.sid - 15101055100

FF - user.js: extensions.newAddons - false

FF - user.js: search.clsid - {1B7EEB65-4C21-4F31-93F8-478F0816A068}

FF - user.js: search.sid - 15101055100

FF - user.js: extensions.newAddons - false

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe

MSConfigStartUp-conhost - c:\documents and settings\Owner\Application Data\Microsoft\conhost.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-19 19:44

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Completion time: 2011-06-19 19:47:37

ComboFix-quarantined-files.txt 2011-06-20 00:47

.

Pre-Run: 13,176,864,768 bytes free

Post-Run: 13,370,990,592 bytes free

.

- - End Of File - - 3199B71A5A9C1D4A0E506D62CC010422

  • Staff

Hi,

I see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". I suggest you remove the program now. Navigate to Start --> Control Panel --> Add or Remove Programs and uninstall the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar

Let me know if you decided to uninstall it.

Before we continue, please update MBAM, run a Quick Scan, and post its log. I want to see if it detects your new variant.

Huh, don't know where that one came from. I uninstalled Viewpoint Media Player, which was the only one on the list.

Incidentally, it seems that there might be something going on with Java? The virus first hit, so far as I can tell, when a Java site loaded with ads. Occasionally since then, a Java warning message about blocking dangerous content has popped up on random sites when ads loaded. If there's some kind of security issue there, let me know.

MWB results:

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6951

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

6/26/2011 1:01:32 AM

mbam-log-2011-06-26 (01-01-32).txt

Scan type: Quick scan

Objects scanned: 210771

Time elapsed: 9 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 5

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\authz32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{012E9E67-D46F-4A4D-9B05-25D4F7C11D7e} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{012E9E67-D46F-4A4D-9B05-25D4F7C11D7E} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{012E9E67-D46F-4A4D-9B05-25D4F7C11D7E} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{012E9E67-D46F-4A4D-9B05-25D4F7C11D7E} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\authz32.dll (Trojan.Agent) -> Delete on reboot.

c:\documents and settings\localservice\application data\020000008e3dca9f1270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\documents and settings\localservice\application data\020000008e3dca9f1270o.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\documents and settings\localservice\application data\020000008e3dca9f1270p.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\documents and settings\localservice\application data\020000008e3dca9f1270s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\020000008e3dca9f1270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\020000008e3dca9f1270o.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\020000008e3dca9f1270p.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\020000008e3dca9f1270s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

  • Staff

Hi,

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

MBAM Log

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6991

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

7/1/2011 10:55:24 AM

mbam-log-2011-07-01 (10-55-24).txt

Scan type: Quick scan

Objects scanned: 211397

Time elapsed: 6 minute(s), 56 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 1

Registry Keys Infected: 5

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

c:\WINDOWS\system32\ipxsap32.exe (Trojan.Agent) -> 1352 -> Unloaded process successfully.

c:\WINDOWS\system32\hptcpmui32.exe (Trojan.Agent) -> 1428 -> Unloaded process successfully.

Memory Modules Infected:

c:\WINDOWS\system32\lcodccmp32.dll (Trojan.Downloader.Gen) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog32 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{73E8EEA6-4798-8D95-283F-F6CD841AD427} (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73E8EEA6-4798-8D95-283F-F6CD841AD427} (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{73E8EEA6-4798-8D95-283F-F6CD841AD427} (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{73E8EEA6-4798-8D95-283F-F6CD841AD427} (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Downloader.Gen) -> Bad: (C:\WINDOWS\system32\LCodcCMP32.dll) Good: () -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\ipxsap32.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\lcodccmp32.dll (Trojan.Downloader.Gen) -> Delete on reboot.

c:\WINDOWS\system32\hptcpmui32.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\020000008e3dca9f1270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\020000008e3dca9f1270o.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\020000008e3dca9f1270p.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\020000008e3dca9f1270s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

ComboFix Log

ComboFix 11-07-01.01 - Owner 07/01/2011 15:10:59.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1471.940 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\yv11ksbx.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}

c:\documents and settings\Administrator.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\yv11ksbx.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}\chrome.manifest

c:\documents and settings\Administrator.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\yv11ksbx.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}\chrome\xulcache.jar

c:\documents and settings\Administrator.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\yv11ksbx.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}\defaults\preferences\xulcache.js

c:\documents and settings\Administrator.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\yv11ksbx.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}\install.rdf

c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\sjpdu8zf.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}

c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\sjpdu8zf.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}\chrome.manifest

c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\sjpdu8zf.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}\chrome\xulcache.jar

c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\sjpdu8zf.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}\defaults\preferences\xulcache.js

c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\sjpdu8zf.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}\install.rdf

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\djvlt04l.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\djvlt04l.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}\chrome.manifest

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\djvlt04l.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}\chrome\xulcache.jar

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\djvlt04l.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}\defaults\preferences\xulcache.js

c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\djvlt04l.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}\install.rdf

c:\documents and settings\Public.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\3khvlp88.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}

c:\documents and settings\Public.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\3khvlp88.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}\chrome.manifest

c:\documents and settings\Public.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\3khvlp88.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}\chrome\xulcache.jar

c:\documents and settings\Public.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\3khvlp88.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}\defaults\preferences\xulcache.js

c:\documents and settings\Public.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\3khvlp88.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}\install.rdf

c:\program files\Steam\steam.exe

c:\windows\system32\ps2.bat

.

.

((((((((((((((((((((((((( Files Created from 2011-06-01 to 2011-07-01 )))))))))))))))))))))))))))))))

.

.

2011-07-01 15:55 . 2011-07-01 15:55 54016 ----a-w- c:\windows\system32\drivers\wlfyx.sys

2011-06-19 08:13 . 2011-06-19 08:13 0 ---ha-w- c:\documents and settings\Owner\vkrurzavxs.tmp

2011-06-19 07:22 . 2011-05-04 07:25 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-06-19 07:11 . 2011-06-19 07:11 184320 ------w- c:\windows\system32\LCodcCMP32.dll

2011-06-19 01:55 . 2011-06-19 01:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-11 01:02 . 2011-06-20 00:44 -------- d-----w- c:\documents and settings\Administrator.YOUR-VP7X3S9CTM

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-23 01:31 . 2011-06-23 01:31 456542 ----a-w- c:\windows\system32\dlls.zip

2011-05-29 14:11 . 2009-01-25 08:54 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 14:11 . 2009-01-25 08:54 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-04 09:52 . 2010-12-28 02:46 472808 ----a-w- c:\windows\system32\deployJava1.dll

2007-08-14 00:24 . 2006-12-09 06:53 32768 ----a-w- c:\program files\mozilla firefox\plugins\MsnChat40en-ca.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-06-20_00.44.58 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-06-26 06:03 . 2011-06-26 06:03 16384 c:\windows\Temp\Perflib_Perfdata_58c.dat

- 2010-11-22 23:05 . 2010-11-22 23:05 12800 c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll

+ 2011-06-20 02:41 . 2011-06-20 02:41 12800 c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll

- 2010-11-22 23:05 . 2010-11-22 23:05 53248 c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll

+ 2011-06-20 02:41 . 2011-06-20 02:41 53248 c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll

+ 2011-07-01 18:19 . 2011-07-01 18:19 371272 c:\windows\Installer\{D6F879CC-59D6-4D4B-AE9B-D761E48D25ED}\SkypeIcon.exe

- 2010-11-22 23:05 . 2010-11-22 23:05 223232 c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll

+ 2011-06-20 02:41 . 2011-06-20 02:41 223232 c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll

+ 2011-06-20 02:41 . 2011-06-20 02:41 178176 c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll

- 2010-11-22 23:05 . 2010-11-22 23:05 178176 c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll

- 2010-11-22 23:05 . 2010-11-22 23:05 364544 c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll

+ 2011-06-20 02:41 . 2011-06-20 02:41 364544 c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll

- 2010-11-22 23:05 . 2010-11-22 23:05 159232 c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll

+ 2011-06-20 02:41 . 2011-06-20 02:41 159232 c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll

+ 2011-06-20 02:41 . 2011-06-20 02:41 145920 c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll

- 2010-11-22 23:05 . 2010-11-22 23:05 145920 c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll

- 2010-11-22 23:05 . 2010-11-22 23:05 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

+ 2011-06-20 02:41 . 2011-06-20 02:41 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

- 2010-11-22 23:05 . 2010-11-22 23:05 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

+ 2011-06-20 02:41 . 2011-06-20 02:41 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

+ 2011-06-20 02:41 . 2011-06-20 02:41 577024 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

- 2010-11-22 23:05 . 2010-11-22 23:05 577024 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

- 2010-11-22 23:05 . 2010-11-22 23:05 576000 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

+ 2011-06-20 02:41 . 2011-06-20 02:41 576000 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

- 2010-11-22 23:05 . 2010-11-22 23:05 567296 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

+ 2011-06-20 02:41 . 2011-06-20 02:41 567296 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

- 2010-11-22 23:05 . 2010-11-22 23:05 563712 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

+ 2011-06-20 02:41 . 2011-06-20 02:41 563712 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

- 2010-11-22 23:05 . 2010-11-22 23:05 473600 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll

+ 2011-06-20 02:41 . 2011-06-20 02:41 473600 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll

+ 2011-07-01 18:19 . 2011-07-01 18:19 1541120 c:\windows\Installer\1c61c7ef.msi

+ 2011-06-20 02:41 . 2011-06-20 02:41 2846720 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

- 2010-11-22 23:05 . 2010-11-22 23:05 2846720 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

- 2010-11-22 23:05 . 2010-11-22 23:05 2676224 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

+ 2011-06-20 02:41 . 2011-06-20 02:41 2676224 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70dd86e8-b5bc-4e4a-9d5c-b6234c24323c}]

2011-03-16 11:59 81920 ----a-w- c:\program files\freecordertoolbar\vmntemplateX.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{70dd86e8-b5bc-4e4a-9d5c-b6234c24323c}"= "c:\program files\freecordertoolbar\vmntemplateX.dll" [2011-03-16 81920]

.

[HKEY_CLASSES_ROOT\clsid\{70dd86e8-b5bc-4e4a-9d5c-b6234c24323c}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk

backup=c:\windows\pss\Updates from HP.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk

backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk

backup=c:\windows\pss\HP Organize.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\IMStart.lnk

backup=c:\windows\pss\IMStart.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-21 04:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-09-23 09:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

2004-06-29 15:06 88363 ----a-w- c:\windows\AGRSMMSG.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]

2004-09-07 19:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]

2007-09-14 01:50 1603152 -c--a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]

2007-10-26 01:10 652624 -c--a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-08-04 07:56 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

2004-08-22 22:05 81920 -c--a-w- c:\program files\D-Tools\daemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]

2008-04-24 18:25 202560 -c--a-w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDetector]

2010-04-30 20:48 28672 -c--a-w- c:\program files\FTR\ForTheRecord\FTR.TREdge.DeviceDetector.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freecorder FLV Service]

2011-03-24 07:11 167936 ----a-w- c:\program files\Freecorder\FLVSrvc.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-08-28 17:06 136176 ----atw- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2008-10-25 17:44 31072 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2010-03-12 19:08 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]

2003-08-21 11:15 483328 ----a-w- c:\windows\system32\hphmon05.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]

2003-08-21 11:23 49152 -c--a-w- c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]

1998-05-08 00:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2004-01-17 03:16 229376 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]

2005-06-08 19:44 196608 -c--a-w- c:\program files\Logitech\Video\ManifestEngine.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]

2005-06-08 20:24 458752 -c--a-w- c:\program files\Logitech\Video\ISStart.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]

2005-06-08 20:14 217088 -c--a-w- c:\program files\Logitech\Video\LogiTray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]

2005-07-19 22:32 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]

2011-05-29 14:11 1047656 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2011-05-29 14:11 449584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

2009-02-04 22:57 4363504 -c--a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]

2009-07-17 17:12 288080 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Toolbar]

2009-11-16 15:27 240992 ----a-w- c:\program files\MSN Toolbar\Platform\4.0.0357.1\mswinext.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2010-04-17 04:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2008-05-16 20:01 13529088 ----a-w- c:\windows\system32\nvcpl.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

2008-05-16 20:01 86016 ----a-w- c:\windows\system32\nvmctray.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2008-05-16 20:01 1630208 ----a-w- c:\windows\system32\nwiz.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]

2002-10-16 23:57 81920 ----a-w- c:\windows\system32\ps2.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2004-04-01 09:01 98304 ----a-w- c:\program files\QuickTime\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]

2004-04-14 20:43 233472 -c--a-w- c:\windows\SMINST\Recguard.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2011-04-08 17:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2011-01-11 10:04 274608 ----a-w- c:\program files\Real\realplayer\Update\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

2003-08-19 06:01 110592 -c--a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]

2009-08-20 17:41 288560 -c--a-w- c:\program files\uTorrent\uTorrent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

2004-01-16 11:33 49152 ------w- c:\windows\system32\VTTimer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Turbine\\Dungeons and Dragons Online - Eberron Unlimited\\dndclient.exe"=

"c:\\Program Files\\Turbine\\Dungeons and Dragons Online - Eberron Unlimited\\dndlauncher.exe"=

"c:\\Program Files\\Turbine\\DDO Unlimited\\dndlauncher.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=

"c:\\Program Files\\Mozilla Sunbird\\sunbird.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\javaw.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Steam\\steamapps\\qinael\\half-life\\hl.exe"=

"c:\\Program Files\\Steam\\steamapps\\qinael\\counter-strike\\hl.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58791:TCP"= 58791:TCP:Pando Media Booster

"58791:UDP"= 58791:UDP:Pando Media Booster

"51235:TCP"= 51235:TCP:Maptool

"57599:TCP"= 57599:TCP:Pando Media Booster

"57599:UDP"= 57599:UDP:Pando Media Booster

.

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/27/2008 2:26 PM 366640]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/25/2009 3:54 AM 22712]

S3 FA31x;Netgear FA311/312 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\FA31xND5.SYS [4/17/2001 7:41 PM 16025]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/25/2009 3:54 AM 39984]

S4 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [4/17/2009 12:37 AM 155136]

S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [4/17/2009 12:37 AM 5248]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/25/2009 3:52 AM 717296]

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-25 c:\windows\Tasks\At1.job

- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-04-15 19:13]

.

2011-06-26 c:\windows\Tasks\At2.job

- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-04-15 19:13]

.

2011-06-25 c:\windows\Tasks\At3.job

- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-04-15 19:13]

.

2011-06-25 c:\windows\Tasks\At4.job

- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-04-15 19:13]

.

2011-06-26 c:\windows\Tasks\Game_Booster_Startup.job

- c:\program files\IObit\Game Booster\GameBox.exe [2010-12-23 01:08]

.

2011-06-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2561638254-2130658251-2759704929-1003Core1cc221fa9dd6f36.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-28 17:06]

.

2011-07-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2561638254-2130658251-2759704929-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

.

2011-06-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2561638254-2130658251-2759704929-500.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

.

2011-07-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2561638254-2130658251-2759704929-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

.

2011-06-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2561638254-2130658251-2759704929-500.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MI1933~1\Office\1033\phdintl.dll/phdContext.htm

TCP: DhcpNameServer = 68.87.68.166 68.87.74.166

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\djvlt04l.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?client=firefox-a&rls=org.mozilla:en-US:official&channel=s&hl=en&source=hp&biw=1280&bih=831&btnG=Google+Search

FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101055100&s=

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}

FF - Ext: Aquatint Black: {7694c49c-9fbd-11dc-8314-0800200c9a66} - %profile%\extensions\{7694c49c-9fbd-11dc-8314-0800200c9a66}

FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard

FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}

FF - Ext: FreecorderToolbar: {70dd86e8-b5bc-4e4a-9d5c-b6234c24323c} - %profile%\extensions\{70dd86e8-b5bc-4e4a-9d5c-b6234c24323c}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

FF - user.js: browser.search.selectedEngine - Google

FF - user.js: browser.search.order.1 - Google

FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101055100&s=

FF - user.js: search.clsid - {1B7EEB65-4C21-4F31-93F8-478F0816A068}

FF - user.js: search.clsid - {1B7EEB65-4C21-4F31-93F8-478F0816A068}

FF - user.js: search.sid - 15101055100

FF - user.js: search.sid - 15101055100

FF - user.js: extensions.newAddons - false

FF - user.js: extensions.newAddons - false

FF - user.js: search.clsid - {1B7EEB65-4C21-4F31-93F8-478F0816A068}

FF - user.js: search.sid - 15101055100

FF - user.js: extensions.newAddons - false

FF - user.js: search.clsid - {1B7EEB65-4C21-4F31-93F8-478F0816A068}

FF - user.js: search.sid - 15101055100

FF - user.js: extensions.newAddons - false

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-Steam - c:\program files\Steam\Steam.exe

AddRemove-Steam App 10 - c:\program files\Steam\steam.exe

AddRemove-Steam App 130 - c:\program files\Steam\steam.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-01 15:23

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Completion time: 2011-07-01 15:26:47

ComboFix-quarantined-files.txt 2011-07-01 20:26

ComboFix2.txt 2011-06-20 00:47

.

Pre-Run: 10,030,583,808 bytes free

Post-Run: 10,029,518,848 bytes free

.

- - End Of File - - CD32AE7B9DC3E5801A1D753141D7BB39

DDS Log

DDS continues its prior errors. Starts, runs, appears to finish - does not open any logs.

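The ComboFix excerpt above records the firewall policy keys and the Firefox pref lines exactly as ComboFix prints them. As an added example (not code from the original post, from ComboFix, or from Malwarebytes), the Python below parses those two kinds of lines from a constructed sample built from the values shown in the log and reports what a responder would check first: the standard-profile firewall switched off, blocked-connection notifications suppressed, globally open ports, a keyword.URL override set in user.js, and any key that user.js sets more than once. The sample lines, the section matching and the wording of the findings are my own; the registry paths and pref names are the ones in the log.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines in the form ComboFix prints them, using
# the values quoted in the log above (registry dump and "FF - ..." pref lines).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58791:TCP"= 58791:TCP:Pando Media Booster
"58791:UDP"= 58791:UDP:Pando Media Booster
"51235:TCP"= 51235:TCP:Maptool
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101055100&s=
FF - prefs.js: network.proxy.type - 0
FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101055100&s=
FF - user.js: search.clsid - {1B7EEB65-4C21-4F31-93F8-478F0816A068}
FF - user.js: search.clsid - {1B7EEB65-4C21-4F31-93F8-478F0816A068}
FF - user.js: extensions.newAddons - false
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")          # [HKLM\~\services\...]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')   # "Name"= value
FF_RE = re.compile(r"^FF - (prefs\.js|user\.js): (\S+) - (.*)$")


def parse_firewall_policy(text):
    """Return (standardprofile_values, open_ports) from the firewallpolicy dump."""
    profile, ports = {}, []
    section = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if not m or section is None or "firewallpolicy" not in section:
            continue
        name, value = m.groups()
        if section.endswith(r"globallyopenports\list"):
            ports.append(name)                      # e.g. "58791:TCP"
        elif section.endswith("standardprofile"):
            # ComboFix prints DWORDs as "0 (0x0)"; keep the decimal part.
            profile[name] = int(value.split()[0])
    return profile, ports


def parse_ff_prefs(text):
    """Return (file, key, value) for every prefs.js/user.js line, duplicates kept."""
    return [m.groups() for m in (FF_RE.match(l.strip()) for l in text.splitlines()) if m]


def triage(text):
    """Human-readable findings, in the order a responder would want to see them."""
    findings = []
    profile, ports = parse_firewall_policy(text)
    if profile.get("EnableFirewall") == 0:
        findings.append("firewall: Windows Firewall is disabled in the standard profile")
    if profile.get("DisableNotifications") == 1:
        findings.append("firewall: blocked-connection notifications are suppressed")
    if ports:
        findings.append(f"firewall: {len(ports)} globally open port(s): {', '.join(ports)}")
    prefs = parse_ff_prefs(text)
    for file, key, value in prefs:
        if file == "user.js" and key == "keyword.URL":
            # user.js is re-applied on every start, so it silently wins over prefs.js.
            findings.append(f"firefox: user.js pins keyword.URL to {value} (address-bar search override)")
    for (file, key), n in Counter((f, k) for f, k, _ in prefs).items():
        if n > 1:
            findings.append(f"firefox: {file} sets {key} {n} times (repeated writes, review)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The same two parsers run unchanged over a full ComboFix log, since the section headers and the `FF - prefs.js:` / `FF - user.js:` prefixes are stable; the AuthorizedApplications list is skipped here on purpose, because its entries carry no value to compare, only a path to review by hand.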

  • Staff

Hi,

I just saw this:

Please see:

HijackThis Forum Policy

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.

This goes for BitTorrent and anything else you may have installed.


BitTorrent is software used for torrents, which, while most known for illegal files, isn't their only use. Personally, I use torrents to share writings that I've authored (and thus own).

I'd suggest you re-examine what "obvious [...] illegal means of downloading software / theft and against the law" is. It's rather prejudicial to assume any P2P file program is being used illegally.

Since I doubt that's likely to alter your terms and conditions, I'll remove the software for the sake of this virus removal. To my knowledge, BitTorrent is all I have (had).


  • Staff

It's not my policy... I don't have any influence over it.

Next, please run a free online scan with the ESET Online Scanner.

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


  • 4 weeks later...

Hi,

Sorry for the delay in this; I've been having some problems with staying connected to the internet lately. I assumed it was something to do with my ISP, but they know nothing about it, so it appears to be an issue with my computer. Not sure if it's related to this virus or not; the connection comes, stays for a while, then begins having issues resolving an IP address. Other times it will resolve, but claims it cannot find any servers. Restarting sometimes helps, many times does not. Other times it claims the connection is unplugged, then attempts to connect again. It's making it a bit difficult to keep a steady connection long enough to run a scan (or do much of anything else, for that matter).

Results of the last tests incoming, hopefully tonight.


ESET Results

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\14\526e7b8e-6dab941c Win32/Adware.XPAntiSpyware.AB application cleaned by deleting - quarantined

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\24\5f5e5018-62f6d3ef a variant of Win32/Kryptik.PBE trojan cleaned by deleting - quarantined

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\1ae6267b-6e42d657 Win32/Cycbot.AF trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Administrator.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\yv11ksbx.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Administrator.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\yv11ksbx.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\sjpdu8zf.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\sjpdu8zf.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\0.7223978056218905.exe.vir Win32/TrojanDownloader.Tracur.B trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\dwm.exe.vir a variant of Win32/Kryptik.PEY trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Microsoft\conhost.exe.vir a variant of Win32/Kryptik.PKN trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\djvlt04l.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\djvlt04l.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data\epy.exe.vir.vir a variant of Win32/Kryptik.PBE trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Public.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\3khvlp88.default\extensions\{8a157b6d-6d33-454e-af34-e455f9ecd903}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\Public.YOUR-VP7X3S9CTM\Application Data\Mozilla\Firefox\Profiles\3khvlp88.default\extensions\{d8cd3222-9f46-4248-9a69-bb9bdc2307ba}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1\A0000022.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1\A0000027.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1\A0000028.exe Win32/TrojanDownloader.Tracur.B trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1\A0000029.exe a variant of Win32/Kryptik.PEY trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1\A0000030.exe a variant of Win32/Kryptik.PKN trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1\A0000031.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1\A0000032.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1\A0000114.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1\A0000115.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1\A0000116.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP2\A0000261.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP2\A0000262.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP2\A0000263.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP3\A0000405.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP3\A0000406.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP3\A0000407.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP3\A0000504.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP3\A0000540.dll Win32/BHO.NZK trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP3\A0000626.exe Win32/TrojanDownloader.Tracur.B trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP3\A0000627.exe Win32/TrojanDownloader.Tracur.B trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP4\A0000750.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP4\A0000751.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP4\A0000752.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP4\A0000753.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP4\A0001011.dll Win32/TrojanDownloader.Agent.PDY trojan cleaned by deleting - quarantined

Checkup.txt

Results of screen317's Security Check version 0.99.18

Windows XP Service Pack 2

Out of date service pack!!

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 26

Java 2 Runtime Environment, SE v1.4.2_03

Adobe Flash Player 10.3.181.26

Mozilla Firefox (3.6.18) Firefox Out of Date!

Mozilla Thunderbird (3.1.11) Thunderbird Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe

``````````End of Log````````````

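The ESET listing above is a flat list of `<path> <detection> <action>` lines, and the useful question for a responder is not how many there are but where they sat. As an added example (not from the post and not ESET's own code), the Python below parses a constructed subset of those lines, reduces each detection name to a family by dropping the platform prefix and the variant suffix, and sorts hits by location: ComboFix's own Qoobox quarantine (already-removed copies), System Restore snapshots under System Volume Information (copies that come back only via a restore), or a live user-profile location such as the Java deployment cache. The location categories and the `live_hits` distinction are my own triage convention, not ESET's.

```python
import re
from collections import Counter

# Constructed sample: a subset of the lines from the ESET log above, in the
# "<path> <detection> <action>" form ESET writes to log.txt.
SAMPLE_ESET = r"""
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\14\526e7b8e-6dab941c Win32/Adware.XPAntiSpyware.AB application cleaned by deleting - quarantined
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\24\5f5e5018-62f6d3ef a variant of Win32/Kryptik.PBE trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\0.7223978056218905.exe.vir Win32/TrojanDownloader.Tracur.B trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\dwm.exe.vir a variant of Win32/Kryptik.PEY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1\A0000022.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP3\A0000540.dll Win32/BHO.NZK trojan cleaned by deleting - quarantined
"""

# path (may contain spaces) | optional "a variant of" | Platform/Name.Variant | kind | action
ESET_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:a variant of\s+)?(?P<name>\w+/[\w.\-]+)\s+(?P<kind>\w+)\s+(?P<action>.+)$"
)

# Location markers (lower-cased substrings of the path); my own categories.
QUARANTINE_DIR = "\\qoobox\\quarantine\\"            # ComboFix's backup of what it removed
RESTORE_DIR = "\\system volume information\\_restore"  # System Restore snapshots
JAVA_CACHE_DIR = "\\sun\\java\\deployment\\cache\\"    # files the JRE fetched for applets


def classify_location(path):
    """Bucket a detection path by how reachable the file was on the running system."""
    p = path.lower()
    if QUARANTINE_DIR in p:
        return "combofix_quarantine"
    if RESTORE_DIR in p:
        return "restore_point"
    if JAVA_CACHE_DIR in p:
        return "java_cache"
    return "other"


def family_of(name):
    """'Win32/TrojanDownloader.Tracur.F' -> 'TrojanDownloader.Tracur' (drop platform and variant)."""
    after_platform = name.split("/", 1)[1]
    parts = after_platform.split(".")
    return ".".join(parts[:-1]) if len(parts) > 1 else after_platform


def parse_eset_log(text):
    """Turn ESET result lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = ESET_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "path": m.group("path"),
            "name": m.group("name"),
            "kind": m.group("kind"),
            "action": m.group("action"),
            "location": classify_location(m.group("path")),
            "family": family_of(m.group("name")),
        })
    return records


def summarize(records):
    """Counts by location and family, plus the hits that were not already neutralised."""
    return {
        "by_location": Counter(r["location"] for r in records),
        "by_family": Counter(r["family"] for r in records),
        # Quarantine and restore-point copies were not reachable by the running system.
        "live_hits": [r["path"] for r in records
                      if r["location"] not in ("combofix_quarantine", "restore_point")],
        "all_remediated": all("quarantined" in r["action"] for r in records),
    }


if __name__ == "__main__":
    summary = summarize(parse_eset_log(SAMPLE_ESET))
    print("by location:", dict(summary["by_location"]))
    print("by family:  ", dict(summary["by_family"]))
    print("live hits:  ", summary["live_hits"])
```

In the sample, the two Java-cache entries are the only live hits; everything else was a copy ComboFix had already moved aside or a restore-point snapshot, which is the reason a cleanup typically ends with the old restore points being discarded.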

  • Staff

Hi,

Likely that your connection is to blame and not your computer. Have your ISP run a line test. Are you using a router?

Please download ATF Cleaner by Atribune from here, and save it to your Desktop.

Double click ATF-Cleaner.exe to run the program.

Check the boxes to the left of:

Windows Temp

Current User Temp

All Users Temp

Temporary Internet Files

Java Cache

The rest are optional - if you want to remove the whole lot, check Select All.

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Java 2 Runtime Environment, SE v1.4.2_03

Adobe Flash Player 10.3.181.26

Restart your computer.

Get the latest version of Adobe Flash Player.

Also update Firefox and Thunderbird.

Next, it is absolutely essential that you upgrade to Windows XP Service Pack 3. Service Pack 2, which is what you currently have, has vulnerabilities that leave you wide open for re-infection. To upgrade, please visit Windows Update and download all critical updates.

Let me know if the update was successful.

-screen317


Hi,

ATF ran successfully (over a gig cleared! Wow!)

Combofix uninstalled

SecurityCheck deleted

Firefox says no updates are available

Thunderbird updated

Java 2 Runtime Environment, SE v1.4.2_03 deleted

Adobe Flash Player 10.3.181.26 not present*

*Only option for Adobe in Add/Remove are:

Adobe AIR

Adobe Flash Player ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 9.4.0

When attempting to download the newest version, the installation program reports an error ("cannot initialize") and closes upon running.

Is "Adobe Flash Player 10" what I am looking for? It's the only Flash related item I can locate currently.

Let me know and I'll proceed with the SP3 upgrade.


  • Staff

Hi,

Uninstall Firefox manually, then get version 5 from www.mozilla.com.

Uninstall all of these:

Adobe AIR

Adobe Flash Player ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 9.4.0

Reboot.

Delete your flash player installer. Grab a fresh one, reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu), then install it from there.

Back in Normal Mode, download and install the latest version of Adobe Reader.

Reboot. If all of that went successfully, proceed with the SP3 upgrade.


This topic is now closed to further replies.