Can't start Windows - Blue Screen of Death


This topic is locked

#1
ddfafa (Member, 46 posts)

Hi there,

Recently, I had some issues with browser redirects, but then they seemed to go away. However, when I restarted my computer today, I couldn't get into Windows as I always got the BSOD before anything loaded. Right now, I am running in Safe Mode with Networking.

Thanks for any help that you guys can provide!

Here's the OTL.txt file:

----

OTL logfile created on: 30/12/2010 5:20:32 PM - Run 1
OTL by OldTimer - Version 3.2.18.2 Folder = C:\Documents and Settings\dawn\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1,014.00 Mb Total Physical Memory | 639.00 Mb Available Physical Memory | 63.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 142.05 Gb Total Space | 81.52 Gb Free Space | 57.39% Space Free | Partition Type: NTFS

Computer Name: NUTNUT | User Name: dawn | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/30 17:17:16 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\dawn\Desktop\OTL.exe
PRC - [2010/12/30 17:09:19 | 000,016,856 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/12/30 17:09:15 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/04/14 05:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/12/30 17:17:16 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\dawn\Desktop\OTL.exe
MOD - [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/05/20 02:14:32 | 000,820,488 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Documents and Settings\dawn\Local Settings\Temp\0056821293751929mcinst.exe -- (0056821293751929mcinstcleanup) McAfee Application Installer Cleanup (0056821293751929)
SRV - [2010/04/16 07:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/03/11 23:06:28 | 000,024,064 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-080708-050100)
SRV - [2009/02/05 08:14:56 | 000,237,568 | ---- | M] (Acer Incorporated) [Auto | Stopped] -- C:\Program Files\Acer\Acer VCM\RS_Service.exe -- (RS_Service)
SRV - [2008/04/15 17:54:42 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\Rts5161ccid.sys -- (USBCCID)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\Rts516xIR.sys -- (Rts516xIR)
DRV - File not found [Kernel | On_Demand | Stopped] -- c:\acernb\int15.sys -- (int15.sys)
DRV - [2010/12/22 21:26:11 | 000,043,008 | ---- | M] () [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\srenum.sys -- (srenum)
DRV - [2010/12/22 21:25:48 | 000,020,480 | ---- | M] (NT Kernel Resources) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ndisrd.sys -- (ndisrd)
DRV - [2009/03/01 22:03:46 | 000,038,912 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1c51x86.sys -- (L1c)
DRV - [2009/02/25 19:17:52 | 001,344,224 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2009/02/24 01:49:44 | 005,032,448 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/02/05 03:33:04 | 000,205,232 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2009/02/02 23:42:30 | 000,162,816 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV - [2009/01/02 17:33:54 | 000,145,408 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\M3000KNT.sys -- (M3000Srv)
DRV - [2008/08/05 05:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2008/04/15 17:53:44 | 000,312,344 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2008/04/14 05:00:00 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2008/04/14 05:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/14 05:00:00 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2008/04/14 05:00:00 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2008/04/14 05:00:00 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2008/04/14 05:00:00 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2008/04/14 05:00:00 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2008/04/14 05:00:00 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2008/04/14 05:00:00 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2008/04/14 05:00:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2008/04/14 05:00:00 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2008/04/14 05:00:00 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2008/04/14 05:00:00 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2008/04/14 05:00:00 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2008/04/14 05:00:00 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2008/04/14 05:00:00 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2008/04/14 00:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/14 00:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/02/14 16:12:06 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2007/07/16 14:29:43 | 000,020,504 | ---- | M] (Hewlett Packard) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hpfxfax.sys -- (HPFXFAX)
DRV - [2007/07/16 14:29:33 | 000,017,432 | ---- | M] (Hewlett Packard) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hpfxbulk.sys -- (HPFXBULK)
DRV - [2006/11/02 06:27:36 | 000,020,112 | ---- | M] (Dritek System Inc.) [Kernel | System | Stopped] -- C:\Program Files\Launch Manager\DPortIO.sys -- (DritekPortIO)
DRV - [2006/01/04 00:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2004/12/07 23:10:00 | 000,016,896 | ---- | M] (Dritek System Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DKbFltr.SYS -- (DKbFltr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer...09&m=aspire_one
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer...09&m=aspire_one

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer...09&m=aspire_one
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer...09&m=aspire_one
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Yahoo.co.uk"
FF - prefs.js..browser.startup.homepage: "http://mail.google.c...en-GB:official"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3971

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/30 17:09:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/30 17:09:27 | 000,000,000 | ---D | M]

[2009/08/28 21:31:21 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\dawn\Application Data\Mozilla\Extensions
[2010/12/29 00:15:55 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\dawn\Application Data\Mozilla\Firefox\Profiles\nzn9a714.default\extensions
[2010/05/03 23:04:32 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\dawn\Application Data\Mozilla\Firefox\Profiles\nzn9a714.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/12/29 00:06:32 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2009/10/03 22:57:10 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/12/30 17:09:20 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/12/30 17:09:20 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/12/30 17:09:20 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/12/30 17:09:20 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2008/04/14 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\Drivers\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [bywttraudio] C:\WINDOWS\System32\awwxyy.dll (foobar2000.org)
O4 - HKLM..\Run: [CarboniteSetupLite] C:\Program Files\Carbonite\CarbonitePreinstaller.exe (Carbonite, Inc.)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [iiiiffaudio] C:\WINDOWS\System32\qonmjg.dll (Symantec Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [M3000Mnt] File not found
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [wvvuuusys] C:\WINDOWS\System32\ljkkkh.dll (BitTorrent, Inc.)
O4 - HKCU..\Run: [gebywxaudio] C:\WINDOWS\System32\awwxyy.dll (foobar2000.org)
O4 - HKCU..\Run: [mssend] C:\Documents and Settings\dawn\Application Data\xssend2\svcnost.exe (Microsoft Corporation)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [urponmaudio] C:\WINDOWS\System32\qonmjg.dll (Symantec Corporation)
O4 - HKCU..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk = C:\WINDOWS\system32\cmd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acer VCM.lnk = C:\Program Files\Acer\Acer VCM\AcerVCM.exe (Acer Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll (Google Inc.)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 204.194.232.200 204.194.234.200 64.59.135.143
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\dawn\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\dawn\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (ljkkkh.dll) - C:\WINDOWS\System32\ljkkkh.dll (BitTorrent, Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/11 22:07:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/30 17:17:14 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\dawn\Desktop\OTL.exe
[2010/12/30 17:17:08 | 000,112,640 | -H-- | C] (foobar2000.org) -- C:\WINDOWS\System32\awwxyy.dll
[2010/12/30 17:17:05 | 000,112,640 | -H-- | C] (foobar2000.org) -- C:\WINDOWS\System32\cbxutt.exe
[2010/12/30 16:38:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/12/29 13:15:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Application Data\xssend2
[2010/12/28 11:37:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Application Data\xssendaxciaqcbpookedhprqhjfswj1nwmcy2
[2010/12/28 01:20:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Application Data\xssendeyyczvk2yddsdtvmfkv2hyfhlqaukaw
[2010/12/24 20:18:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Application Data\xssendbxzfvivuoe3ujwerwrtkwhoa2thkmcr
[2010/12/22 21:25:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood.Tmp
[2010/12/22 21:25:48 | 000,020,480 | ---- | C] (NT Kernel Resources) -- C:\WINDOWS\System32\drivers\ndisrd.sys
[2010/12/22 21:22:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Application Data\xssendbhygrstgjzem3ufnngx32rhxwhwgdsi
[2010/12/22 21:22:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Application Data\wdbv3t1mjohbvre2omikiefinpasusn2
[2010/12/16 23:44:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Desktop\nonno-10-12
[2010/12/06 23:17:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2010/12/06 23:17:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Desktop\Plants vs Zombies
[2009/03/11 05:53:14 | 000,049,152 | ---- | C] ( ) -- C:\WINDOWS\Interop.IWshRuntimeLibrary.dll
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/30 17:17:16 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\dawn\Desktop\OTL.exe
[2010/12/30 17:17:08 | 000,112,640 | -H-- | M] (foobar2000.org) -- C:\WINDOWS\System32\awwxyy.dll
[2010/12/30 17:17:05 | 000,112,640 | -H-- | M] (foobar2000.org) -- C:\WINDOWS\System32\cbxutt.exe
[2010/12/30 17:16:05 | 000,433,698 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/12/30 17:16:05 | 000,067,984 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/12/30 17:11:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/12/30 16:34:12 | 000,001,585 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
[2010/12/30 16:28:07 | 000,000,025 | ---- | M] () -- C:\WINDOWS\popcinfot.dat
[2010/12/30 16:28:01 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-953129233-101265881-2389969595-1005UA.job
[2010/12/29 18:28:05 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-953129233-101265881-2389969595-1005Core.job
[2010/12/28 22:25:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/12/22 21:26:11 | 000,043,008 | ---- | M] () -- C:\WINDOWS\System32\drivers\srenum.sys
[2010/12/22 21:26:11 | 000,004,128 | ---- | M] () -- C:\WINDOWS\System32\msrun.exe
[2010/12/22 21:25:48 | 000,020,480 | ---- | M] (NT Kernel Resources) -- C:\WINDOWS\System32\drivers\ndisrd.sys
[2010/12/17 21:35:12 | 000,267,008 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/12/17 21:06:56 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/12/13 20:09:00 | 000,014,537 | ---- | M] () -- C:\Documents and Settings\dawn\Desktop\points I want on CBE application.docx
[2010/12/13 16:24:51 | 000,013,247 | ---- | M] () -- C:\Documents and Settings\dawn\Desktop\Dawn CBE coverletter - 3.docx
[2010/12/08 12:32:35 | 000,022,016 | ---- | M] () -- C:\Documents and Settings\dawn\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/07 14:02:46 | 000,000,025 | ---- | M] () -- C:\Documents and Settings\dawn\Desktop\popcinfot.dat
[2010/12/06 23:16:22 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/30 16:34:11 | 000,001,585 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
[2010/12/22 21:26:11 | 000,043,008 | ---- | C] () -- C:\WINDOWS\System32\drivers\srenum.sys
[2010/12/22 21:26:11 | 000,004,128 | ---- | C] () -- C:\WINDOWS\System32\msrun.exe
[2010/12/13 16:59:49 | 000,014,537 | ---- | C] () -- C:\Documents and Settings\dawn\Desktop\points I want on CBE application.docx
[2010/12/13 16:24:50 | 000,013,247 | ---- | C] () -- C:\Documents and Settings\dawn\Desktop\Dawn CBE coverletter - 3.docx
[2010/12/07 15:00:22 | 000,000,025 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
[2010/12/07 14:02:46 | 000,000,025 | ---- | C] () -- C:\Documents and Settings\dawn\Desktop\popcinfot.dat
[2009/10/03 23:21:04 | 000,000,290 | ---- | C] () -- C:\Documents and Settings\dawn\Application Data\wklnhst.dat
[2009/09/16 20:01:49 | 000,000,797 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/08/30 12:28:30 | 000,022,016 | ---- | C] () -- C:\Documents and Settings\dawn\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/28 11:38:30 | 000,233,472 | ---- | C] () -- C:\WINDOWS\System32\M3000DIF.dll
[2009/08/28 11:38:30 | 000,145,408 | ---- | C] () -- C:\WINDOWS\System32\drivers\M3000KNT.sys
[2009/08/28 11:38:30 | 000,015,190 | ---- | C] () -- C:\WINDOWS\M3000Twn.ini
[2009/03/11 23:47:07 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/03/11 22:55:36 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2009/03/11 22:10:15 | 000,006,782 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2009/03/11 22:05:25 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2009/03/11 14:03:29 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

========== LOP Check ==========

[2009/03/11 23:06:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acer GameZone Console
[2009/03/11 23:31:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eSobi
[2010/12/06 23:17:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2010/05/04 21:42:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/10/09 20:24:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/03/11 23:32:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\Acer
[2009/03/11 23:06:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\Acer GameZone Console
[2009/10/03 23:01:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\OpenOffice.org
[2009/03/11 23:27:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\Super-Cow
[2009/10/03 23:21:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\Template
[2010/12/20 23:31:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\uTorrent
[2010/12/22 21:22:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\wdbv3t1mjohbvre2omikiefinpasusn2
[2010/12/29 13:15:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\xssend2
[2010/12/28 11:37:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\xssendaxciaqcbpookedhprqhjfswj1nwmcy2
[2010/12/22 21:22:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\xssendbhygrstgjzem3ufnngx32rhxwhwgdsi
[2010/12/24 20:18:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\xssendbxzfvivuoe3ujwerwrtkwhoa2thkmcr
[2010/12/28 01:20:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\xssendeyyczvk2yddsdtvmfkv2hyfhlqaukaw

========== Purity Check ==========



< End of report >


#2
Cold Titanium (Trusted Helper, Malware Removal, 1,735 posts)

Hello ddfafa and welcome to G2G!

My name is Cold Titanium ;), and I will be assisting you with your problem. I am still in training, so all my replies need to be checked by an expert first, so there may be a slight delay between replies.

Please follow all of my instructions without skipping anything. Also, please refrain from experimenting around whilst I am helping you. At times some of the things I tell you to do may seem unnecessary and frustrating, but just stick to it and we'll get through :D

;) Note: Please save these instructions in a file or print them out, as the internet may not be available while we are fixing the system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'm going over your log now... ;)

#3
Cold Titanium (Trusted Helper, Malware Removal, 1,735 posts)

Step #1

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    SRV - [2010/05/20 02:14:32 | 000,820,488 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Documents and Settings\dawn\Local Settings\Temp\0056821293751929mcinst.exe -- (0056821293751929mcinstcleanup) McAfee Application Installer Cleanup (0056821293751929)
    DRV - [2010/12/22 21:26:11 | 000,043,008 | ---- | M] () [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\srenum.sys -- (srenum)
    DRV - [2010/12/22 21:25:48 | 000,020,480 | ---- | M] (NT Kernel Resources) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ndisrd.sys -- (ndisrd)
    O4 - HKLM..\Run: [bywttraudio] C:\WINDOWS\System32\awwxyy.dll (foobar2000.org)
    O4 - HKLM..\Run: [iiiiffaudio] C:\WINDOWS\System32\qonmjg.dll (Symantec Corporation)
    O4 - HKLM..\Run: [wvvuuusys] C:\WINDOWS\System32\ljkkkh.dll (BitTorrent, Inc.)
    O4 - HKCU..\Run: [gebywxaudio] C:\WINDOWS\System32\awwxyy.dll (foobar2000.org)
    O4 - HKCU..\Run: [mssend] C:\Documents and Settings\dawn\Application Data\xssend2\svcnost.exe (Microsoft Corporation)
    O4 - HKCU..\Run: [urponmaudio] C:\WINDOWS\System32\qonmjg.dll (Symantec Corporation)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk = C:\WINDOWS\system32\cmd.exe (Microsoft Corporation)
    O30 - LSA: Authentication Packages - (ljkkkh.dll) - C:\WINDOWS\System32\ljkkkh.dll (BitTorrent, Inc.)
    [2010/12/30 17:17:08 | 000,112,640 | -H-- | C] (foobar2000.org) -- C:\WINDOWS\System32\awwxyy.dll
    [2010/12/30 17:17:05 | 000,112,640 | -H-- | C] (foobar2000.org) -- C:\WINDOWS\System32\cbxutt.exe
    [2010/12/29 13:15:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Application Data\xssend2
    [2010/12/28 11:37:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Application Data\xssendaxciaqcbpookedhprqhjfswj1nwmcy2
    [2010/12/28 01:20:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Application Data\xssendeyyczvk2yddsdtvmfkv2hyfhlqaukaw
    [2010/12/24 20:18:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Application Data\xssendbxzfvivuoe3ujwerwrtkwhoa2thkmcr
    [2010/12/22 21:22:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Application Data\xssendbhygrstgjzem3ufnngx32rhxwhwgdsi
    [2010/12/22 21:22:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Application Data\wdbv3t1mjohbvre2omikiefinpasusn2
    [2010/12/30 16:34:12 | 000,001,585 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
    [2010/12/22 21:26:11 | 000,043,008 | ---- | M] () -- C:\WINDOWS\System32\drivers\srenum.sys
    [2010/12/22 21:26:11 | 000,004,128 | ---- | M] () -- C:\WINDOWS\System32\msrun.exe
    
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Try to boot your computer into normal mode now. If you get into normal mode, continue on to steps 2-3.

If it still blue screens: in Safe Mode, open OTL again and click the Quick Scan button. Post the log it produces in your next reply.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Step #2

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top make sure it is set to Standard Output.
  • Ensure the Use SafeList is selected for Extra Registry
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    msconfig
    safebootminimal
    safebootnetwork
    activex
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



  • Click the Run Scan button. Do not change any settings unless otherwise told to do so.
  • When the scan completes, it will open two Notepad windows: OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




Step #3

  • Download GMER to your desktop
  • Right-Click and extract it to the desktop
  • Double-Click gmer.exe
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish. (Please be patient as it can take some time to complete)

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


After it finishes scanning
  • Click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save it to your desktop

Post ark.txt in your next reply

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'd like to see OTL.txt, Extras.txt, and ark.txt in your next reply... :D

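The O4 (Run keys and Startup shortcuts), O20 (Winlogon Shell), O30 (LSA packages) and file entries in the OTL logs in this thread are the lines a helper reads first when deciding what to put in a fix script. The script below is an added example for this thread, not part of OTL or of any tool Cold Titanium names: it parses a small constructed sample of lines copied from the log posted later in the thread and flags the patterns a defender looks for. The rule set, the core-binary and command-host lists, the Levenshtein look-alike threshold and the `system_root` default are my assumptions, not OTL's own logic.

```python
"""Triage rules for OTL-style log lines.

Added example for this thread; not part of OTL or of any tool named in the
thread. The rules, name lists and system_root default are the example's own
assumptions, not OTL's logic.
"""
import re

# Constructed sample: lines copied from the OTL log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [bywttraudio] C:\WINDOWS\System32\awwxyy.dll (foobar2000.org)
O4 - HKCU..\Run: [mssend] C:\Documents and Settings\dawn\Application Data\xssend2\svcnost.exe (Microsoft Corporation)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk = C:\WINDOWS\system32\cmd.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - ("C:\Documents and Settings\dawn\Application Data\oghelxhxryh1q2keeulhbrhtpllwtoz2\csrss.exe") - C:\Documents and Settings\dawn\Application Data\oghelxhxryh1q2keeulhbrhtpllwtoz2\csrss.exe (Microsoft Corporation)
O30 - LSA: Authentication Packages - (ljkkkh.dll) - C:\WINDOWS\System32\ljkkkh.dll (BitTorrent, Inc.)
[2010/12/31 15:00:47 | 000,123,904 | -H-- | C] (foobar2000.org) -- C:\WINDOWS\System32\awuttu.dll
[2010/12/30 23:07:13 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
"""

# Names that belong under %SystemRoot% only (assumed list); one of them, or a
# one-letter variation, launched from a user-writable folder deserves a look.
CORE_BINARIES = ("csrss.exe", "svchost.exe", "winlogon.exe", "lsass.exe",
                 "services.exe", "smss.exe", "explorer.exe")
COMMAND_HOSTS = ("cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe")

RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] "
                    r"(?P<path>.+?) \((?P<company>[^)]*)\)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<lnk>.+?\.lnk) = (?P<path>.+?) \((?P<company>[^)]*)\)$")
SHELL_RE = re.compile(r'^O20 - HKLM Winlogon: Shell - \("?(?P<value>[^")]+)"?\) - '
                      r"(?P<path>.+?) \((?P<company>[^)]*)\)$")
LSA_RE = re.compile(r"^O30 - LSA: Authentication Packages - \((?P<module>[^)]+)\) - "
                    r"(?P<path>.+?) \((?P<company>[^)]*)\)$")
FILE_RE = re.compile(r"^\[(?P<date>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| [CM]\] "
                     r"\((?P<company>[^)]*)\) -- (?P<path>.+)$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alikes such as svcnost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, quotes stripped."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def looks_like_core_binary(name: str) -> bool:
    return any(edit_distance(name, core) <= 1 for core in CORE_BINARIES)


def triage(log_text: str, system_root: str = r"C:\WINDOWS") -> list:
    """Return (rule, line) pairs for every log line that trips a rule."""
    root = system_root.lower().rstrip("\\") + "\\"

    def under_root(path: str) -> bool:
        return path.strip('"').lower().startswith(root)

    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := RUN_RE.match(line)):
            name = basename(m["path"])
            if name.endswith(".dll"):
                # Run values launch executables; a bare DLL here is anomalous.
                findings.append(("run key names a DLL instead of an executable", line))
            elif looks_like_core_binary(name) and not under_root(m["path"]):
                findings.append(("core-binary name running outside the system root", line))
        elif (m := STARTUP_RE.match(line)):
            if basename(m["path"]) in COMMAND_HOSTS:
                findings.append(("startup shortcut launches a command host", line))
        elif (m := SHELL_RE.match(line)):
            if basename(m["path"]) != "explorer.exe" or not under_root(m["path"]):
                findings.append(("Winlogon Shell is not the stock explorer.exe", line))
        elif (m := LSA_RE.match(line)):
            if m["module"].lower().replace(".dll", "") != "msv1_0":
                findings.append(("non-default LSA authentication package", line))
        elif (m := FILE_RE.match(line)):
            path = m["path"].lower()
            if "h" in m["attrs"].lower() and "\\system32\\" in path and path.endswith(".dll"):
                findings.append(("hidden DLL dropped in System32", line))
    return findings


if __name__ == "__main__":
    for rule, hit in triage(SAMPLE_LOG):
        print(f"[{rule}] {hit}")
```

Run as-is it prints six hits from the sample (the two random-named System32 DLLs, the svcnost.exe and csrss.exe copies in Application Data, the Startup shortcut to cmd.exe and the LSA package) and stays silent on the avast, Google and Malwarebytes lines. Each rule is a heuristic to prioritise reading, not a verdict; the company name OTL prints comes from the file's own version resource, which is why "foobar2000.org" and "Microsoft Corporation" on those files carry no weight.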
#4
ddfafa

  • Topic Starter
  • Member
  • 46 posts
Hi Cold Titanium,

Thank you for your help!

Unfortunately, when I click on the "run fix" button in OTL, it shows in the program that it is killing programs and then I get a BSOD. I have tried it two times with the same results in safe mode with networking, but I will try once more with just normal safe mode and see where that gets me?

If that doesn't work, what should I do?

Thanks!

#5
ddfafa

  • Topic Starter
  • Member
  • 46 posts
Hi Cold Titanium,

I have tried to run fix a couple more times and I consistently get the BSOD. I'm not sure if it is helpful or not, but I did another OTL quick scan so I will post the log below.

Thanks again for the help!

--

OTL logfile created on: 31/12/2010 3:22:36 PM - Run 2
OTL by OldTimer - Version 3.2.18.2 Folder = C:\Documents and Settings\dawn\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1,014.00 Mb Total Physical Memory | 741.00 Mb Available Physical Memory | 73.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 142.05 Gb Total Space | 81.52 Gb Free Space | 57.39% Space Free | Partition Type: NTFS

Computer Name: NUTNUT | User Name: dawn | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/30 23:25:02 | 000,074,250 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\dawn\Application Data\oghelxhxryh1q2keeulhbrhtpllwtoz2\csrss.exe
PRC - [2010/12/30 17:17:16 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\dawn\Desktop\OTL.exe
PRC - [2010/12/30 17:09:15 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/04/14 05:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/14 05:00:00 | 000,013,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\savedump.exe


========== Modules (SafeList) ==========

MOD - [2010/12/30 17:17:16 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\dawn\Desktop\OTL.exe
MOD - [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/09/07 09:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/09/07 09:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/09/07 09:11:59 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/05/20 02:14:32 | 000,820,488 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Documents and Settings\dawn\Local Settings\Temp\0056821293751929mcinst.exe -- (0056821293751929mcinstcleanup) McAfee Application Installer Cleanup (0056821293751929)
SRV - [2010/04/16 07:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/03/11 23:06:28 | 000,024,064 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-080708-050100)
SRV - [2009/02/05 08:14:56 | 000,237,568 | ---- | M] (Acer Incorporated) [Auto | Stopped] -- C:\Program Files\Acer\Acer VCM\RS_Service.exe -- (RS_Service)
SRV - [2008/04/15 17:54:42 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\Rts5161ccid.sys -- (USBCCID)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\Rts516xIR.sys -- (Rts516xIR)
DRV - File not found [Kernel | On_Demand | Stopped] -- c:\acernb\int15.sys -- (int15.sys)
DRV - [2010/12/22 21:26:11 | 000,043,008 | ---- | M] () [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\srenum.sys -- (srenum)
DRV - [2010/12/22 21:25:48 | 000,020,480 | ---- | M] (NT Kernel Resources) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ndisrd.sys -- (ndisrd)
DRV - [2010/09/07 08:52:25 | 000,046,672 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/09/07 08:52:03 | 000,165,584 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/09/07 08:47:46 | 000,023,376 | ---- | M] (AVAST Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/09/07 08:47:19 | 000,100,176 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/09/07 08:47:07 | 000,017,744 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/09/07 08:46:51 | 000,028,880 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/03/01 22:03:46 | 000,038,912 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1c51x86.sys -- (L1c)
DRV - [2009/02/25 19:17:52 | 001,344,224 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2009/02/24 01:49:44 | 005,032,448 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/02/05 03:33:04 | 000,205,232 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2009/02/02 23:42:30 | 000,162,816 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV - [2009/01/02 17:33:54 | 000,145,408 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\M3000KNT.sys -- (M3000Srv)
DRV - [2008/08/05 05:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2008/04/15 17:53:44 | 000,312,344 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2008/04/14 05:00:00 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2008/04/14 05:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/14 05:00:00 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2008/04/14 05:00:00 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2008/04/14 05:00:00 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2008/04/14 05:00:00 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2008/04/14 05:00:00 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2008/04/14 05:00:00 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2008/04/14 05:00:00 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2008/04/14 05:00:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2008/04/14 05:00:00 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2008/04/14 05:00:00 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2008/04/14 05:00:00 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2008/04/14 05:00:00 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2008/04/14 05:00:00 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2008/04/14 05:00:00 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2008/04/14 00:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/14 00:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/02/14 16:12:06 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2007/07/16 14:29:43 | 000,020,504 | ---- | M] (Hewlett Packard) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hpfxfax.sys -- (HPFXFAX)
DRV - [2007/07/16 14:29:33 | 000,017,432 | ---- | M] (Hewlett Packard) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hpfxbulk.sys -- (HPFXBULK)
DRV - [2006/11/02 06:27:36 | 000,020,112 | ---- | M] (Dritek System Inc.) [Kernel | System | Stopped] -- C:\Program Files\Launch Manager\DPortIO.sys -- (DritekPortIO)
DRV - [2006/01/04 00:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2004/12/07 23:10:00 | 000,016,896 | ---- | M] (Dritek System Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DKbFltr.SYS -- (DKbFltr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer...09&m=aspire_one
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer...09&m=aspire_one

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer...09&m=aspire_one
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer...09&m=aspire_one
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Yahoo.co.uk"
FF - prefs.js..browser.startup.homepage: "http://mail.google.c...en-GB:official"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3971

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/30 17:09:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/30 17:09:27 | 000,000,000 | ---D | M]

[2009/08/28 21:31:21 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\dawn\Application Data\Mozilla\Extensions
[2010/12/29 00:15:55 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\dawn\Application Data\Mozilla\Firefox\Profiles\nzn9a714.default\extensions
[2010/05/03 23:04:32 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\dawn\Application Data\Mozilla\Firefox\Profiles\nzn9a714.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/12/31 15:11:18 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2009/10/03 22:57:10 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/12/30 17:09:20 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/12/30 17:09:20 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/12/30 17:09:20 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/12/30 17:09:20 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2008/04/14 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\Drivers\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [bywttraudio] C:\WINDOWS\System32\awwxyy.dll (foobar2000.org)
O4 - HKLM..\Run: [CarboniteSetupLite] C:\Program Files\Carbonite\CarbonitePreinstaller.exe (Carbonite, Inc.)
O4 - HKLM..\Run: [cbbccyaudio] C:\WINDOWS\System32\awuttu.dll (foobar2000.org)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [hggedeaudio] C:\WINDOWS\System32\iifefd.dll (foobar2000.org)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [iiiiffaudio] C:\WINDOWS\System32\qonmjg.dll (Symantec Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [M3000Mnt] File not found
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [qopqnoaudio] C:\WINDOWS\System32\opmjij.dll (foobar2000.org)
O4 - HKLM..\Run: [ssropnaudio] C:\WINDOWS\System32\cbxvvu.dll (foobar2000.org)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [tuvwusaudio] C:\WINDOWS\System32\cbxwvu.dll (foobar2000.org)
O4 - HKLM..\Run: [wvvuuusys] C:\WINDOWS\System32\ljkkkh.dll (BitTorrent, Inc.)
O4 - HKCU..\Run: [gebywxaudio] C:\WINDOWS\System32\awwxyy.dll (foobar2000.org)
O4 - HKCU..\Run: [khggfdaudio] C:\WINDOWS\System32\awuttu.dll (foobar2000.org)
O4 - HKCU..\Run: [khifcdaudio] C:\WINDOWS\System32\iifefd.dll (foobar2000.org)
O4 - HKCU..\Run: [mssend] C:\Documents and Settings\dawn\Application Data\xssend2\svcnost.exe (Microsoft Corporation)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [tutromaudio] C:\WINDOWS\System32\opmjij.dll (foobar2000.org)
O4 - HKCU..\Run: [urponmaudio] C:\WINDOWS\System32\qonmjg.dll (Symantec Corporation)
O4 - HKCU..\Run: [urpqpoaudio] C:\WINDOWS\System32\cbxwvu.dll (foobar2000.org)
O4 - HKCU..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - HKCU..\Run: [wvturpaudio] C:\WINDOWS\System32\cbxvvu.dll (foobar2000.org)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk = C:\WINDOWS\system32\cmd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acer VCM.lnk = C:\Program Files\Acer\Acer VCM\AcerVCM.exe (Acer Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll (Google Inc.)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 204.194.232.200 204.194.234.200 64.59.135.143
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - ("C:\Documents and Settings\dawn\Application Data\oghelxhxryh1q2keeulhbrhtpllwtoz2\csrss.exe") - C:\Documents and Settings\dawn\Application Data\oghelxhxryh1q2keeulhbrhtpllwtoz2\csrss.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\dawn\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\dawn\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (ljkkkh.dll) - C:\WINDOWS\System32\ljkkkh.dll (BitTorrent, Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/11 22:07:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/31 15:02:53 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/12/31 15:00:47 | 000,123,904 | -H-- | C] (foobar2000.org) -- C:\WINDOWS\System32\awuttu.dll
[2010/12/31 13:27:49 | 000,123,904 | -H-- | C] (foobar2000.org) -- C:\WINDOWS\System32\cbxvvu.dll
[2010/12/31 00:01:03 | 000,112,640 | -H-- | C] (foobar2000.org) -- C:\WINDOWS\System32\iifefd.dll
[2010/12/30 23:36:50 | 000,165,584 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/12/30 23:36:50 | 000,100,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/12/30 23:36:50 | 000,094,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/12/30 23:36:50 | 000,046,672 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/12/30 23:36:50 | 000,028,880 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/12/30 23:36:50 | 000,023,376 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/12/30 23:36:50 | 000,017,744 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/12/30 23:36:42 | 000,167,592 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/12/30 23:36:42 | 000,038,848 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2010/12/30 23:36:40 | 000,112,640 | -H-- | C] (foobar2000.org) -- C:\WINDOWS\System32\opmjij.dll
[2010/12/30 23:36:35 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/12/30 23:36:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/12/30 23:34:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Application Data\xssend2
[2010/12/30 23:25:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Application Data\xssendaesi1szutdjgmbvttqv2uvu33gosdnk
[2010/12/30 23:25:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Application Data\oghelxhxryh1q2keeulhbrhtpllwtoz2
[2010/12/30 23:07:13 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/12/30 23:07:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/12/30 23:07:08 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/12/30 23:07:08 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/12/30 23:05:36 | 000,112,640 | -H-- | C] (foobar2000.org) -- C:\WINDOWS\System32\cbxwvu.dll
[2010/12/30 17:17:14 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\dawn\Desktop\OTL.exe
[2010/12/30 17:17:08 | 000,112,640 | -H-- | C] (foobar2000.org) -- C:\WINDOWS\System32\awwxyy.dll
[2010/12/30 16:38:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/12/29 13:15:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Application Data\xssendjis2rowzeeq1kooxnwttxwkxdryq1cr
[2010/12/28 11:37:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Application Data\xssendaxciaqcbpookedhprqhjfswj1nwmcy2
[2010/12/28 01:20:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Application Data\xssendeyyczvk2yddsdtvmfkv2hyfhlqaukaw
[2010/12/24 20:18:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Application Data\xssendbxzfvivuoe3ujwerwrtkwhoa2thkmcr
[2010/12/22 21:25:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood.Tmp
[2010/12/22 21:25:48 | 000,020,480 | ---- | C] (NT Kernel Resources) -- C:\WINDOWS\System32\drivers\ndisrd.sys
[2010/12/22 21:22:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Application Data\xssendbhygrstgjzem3ufnngx32rhxwhwgdsi
[2010/12/22 21:22:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Application Data\wdbv3t1mjohbvre2omikiefinpasusn2
[2010/12/16 23:44:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Desktop\nonno-10-12
[2010/12/06 23:17:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2010/12/06 23:17:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dawn\Desktop\Plants vs Zombies
[2009/03/11 05:53:14 | 000,049,152 | ---- | C] ( ) -- C:\WINDOWS\Interop.IWshRuntimeLibrary.dll
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/31 15:25:18 | 000,433,698 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/12/31 15:25:18 | 000,067,984 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/12/31 15:21:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/12/31 15:00:47 | 000,123,904 | -H-- | M] (foobar2000.org) -- C:\WINDOWS\System32\awuttu.dll
[2010/12/31 13:27:49 | 000,123,904 | -H-- | M] (foobar2000.org) -- C:\WINDOWS\System32\cbxvvu.dll
[2010/12/31 13:24:11 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/12/31 00:01:03 | 000,112,640 | -H-- | M] (foobar2000.org) -- C:\WINDOWS\System32\iifefd.dll
[2010/12/30 23:39:51 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/12/30 23:36:51 | 000,001,704 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/12/30 23:36:50 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/12/30 23:36:40 | 000,112,640 | -H-- | M] (foobar2000.org) -- C:\WINDOWS\System32\opmjij.dll
[2010/12/30 23:07:13 | 000,000,788 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/30 23:05:36 | 000,112,640 | -H-- | M] (foobar2000.org) -- C:\WINDOWS\System32\cbxwvu.dll
[2010/12/30 17:17:16 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\dawn\Desktop\OTL.exe
[2010/12/30 17:17:08 | 000,112,640 | -H-- | M] (foobar2000.org) -- C:\WINDOWS\System32\awwxyy.dll
[2010/12/30 16:34:12 | 000,001,585 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
[2010/12/30 16:28:07 | 000,000,025 | ---- | M] () -- C:\WINDOWS\popcinfot.dat
[2010/12/30 16:28:01 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-953129233-101265881-2389969595-1005UA.job
[2010/12/29 18:28:05 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-953129233-101265881-2389969595-1005Core.job
[2010/12/28 22:25:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/12/22 21:26:11 | 000,043,008 | ---- | M] () -- C:\WINDOWS\System32\drivers\srenum.sys
[2010/12/22 21:26:11 | 000,004,128 | ---- | M] () -- C:\WINDOWS\System32\msrun.exe
[2010/12/22 21:25:48 | 000,020,480 | ---- | M] (NT Kernel Resources) -- C:\WINDOWS\System32\drivers\ndisrd.sys
[2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/12/17 21:35:12 | 000,267,008 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/12/17 21:06:56 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/12/13 20:09:00 | 000,014,537 | ---- | M] () -- C:\Documents and Settings\dawn\Desktop\points I want on CBE application.docx
[2010/12/13 16:24:51 | 000,013,247 | ---- | M] () -- C:\Documents and Settings\dawn\Desktop\Dawn CBE coverletter - 3.docx
[2010/12/08 12:32:35 | 000,022,016 | ---- | M] () -- C:\Documents and Settings\dawn\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/07 14:02:46 | 000,000,025 | ---- | M] () -- C:\Documents and Settings\dawn\Desktop\popcinfot.dat
[2010/12/06 23:16:22 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/30 23:39:51 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/12/30 23:36:51 | 000,001,704 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/12/30 23:07:13 | 000,000,788 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/30 16:34:11 | 000,001,585 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
[2010/12/22 21:26:11 | 000,043,008 | ---- | C] () -- C:\WINDOWS\System32\drivers\srenum.sys
[2010/12/22 21:26:11 | 000,004,128 | ---- | C] () -- C:\WINDOWS\System32\msrun.exe
[2010/12/13 16:59:49 | 000,014,537 | ---- | C] () -- C:\Documents and Settings\dawn\Desktop\points I want on CBE application.docx
[2010/12/13 16:24:50 | 000,013,247 | ---- | C] () -- C:\Documents and Settings\dawn\Desktop\Dawn CBE coverletter - 3.docx
[2010/12/07 15:00:22 | 000,000,025 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
[2010/12/07 14:02:46 | 000,000,025 | ---- | C] () -- C:\Documents and Settings\dawn\Desktop\popcinfot.dat
[2009/10/03 23:21:04 | 000,000,290 | ---- | C] () -- C:\Documents and Settings\dawn\Application Data\wklnhst.dat
[2009/09/16 20:01:49 | 000,000,797 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/08/30 12:28:30 | 000,022,016 | ---- | C] () -- C:\Documents and Settings\dawn\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/28 11:38:30 | 000,233,472 | ---- | C] () -- C:\WINDOWS\System32\M3000DIF.dll
[2009/08/28 11:38:30 | 000,145,408 | ---- | C] () -- C:\WINDOWS\System32\drivers\M3000KNT.sys
[2009/08/28 11:38:30 | 000,015,190 | ---- | C] () -- C:\WINDOWS\M3000Twn.ini
[2009/03/11 23:47:07 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/03/11 22:55:36 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2009/03/11 22:10:15 | 000,006,782 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2009/03/11 22:05:25 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2009/03/11 14:03:29 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/03/11 05:53:08 | 000,003,584 | ---- | C] () -- C:\WINDOWS\System32\ms.dll

========== LOP Check ==========

[2009/03/11 23:06:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acer GameZone Console
[2010/12/30 23:36:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/03/11 23:31:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eSobi
[2010/12/06 23:17:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2010/05/04 21:42:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/10/09 20:24:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/03/11 23:32:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\Acer
[2009/03/11 23:06:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\Acer GameZone Console
[2010/12/30 23:25:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\oghelxhxryh1q2keeulhbrhtpllwtoz2
[2009/10/03 23:01:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\OpenOffice.org
[2009/03/11 23:27:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\Super-Cow
[2009/10/03 23:21:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\Template
[2010/12/20 23:31:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\uTorrent
[2010/12/22 21:22:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\wdbv3t1mjohbvre2omikiefinpasusn2
[2010/12/30 23:34:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\xssend2
[2010/12/30 23:25:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\xssendaesi1szutdjgmbvttqv2uvu33gosdnk
[2010/12/28 11:37:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\xssendaxciaqcbpookedhprqhjfswj1nwmcy2
[2010/12/22 21:22:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\xssendbhygrstgjzem3ufnngx32rhxwhwgdsi
[2010/12/24 20:18:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\xssendbxzfvivuoe3ujwerwrtkwhoa2thkmcr
[2010/12/28 01:20:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\xssendeyyczvk2yddsdtvmfkv2hyfhlqaukaw
[2010/12/29 13:15:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dawn\Application Data\xssendjis2rowzeeq1kooxnwttxwkxdryq1cr

========== Purity Check ==========



< End of report >

#6
Cold Titanium
    Trusted Helper
  • Malware Removal
  • 1,735 posts
Try this in Safe Mode w/Networking



Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.



**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\Combofix.txt in your next reply.

#7
ddfafa
    Member
  • Topic Starter
  • Member
  • 46 posts
Hi Cold Titanium,

The machine was able to boot into normal Windows again with ComboFix! Thanks!

This is the log from the scan.

--

ComboFix 10-12-31.01 - dawn 31/12/2010 17:09:33.1.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.445 [GMT -7:00]
Running from: c:\documents and settings\dawn\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\dawn\Application Data\desktop.ini
c:\documents and settings\dawn\Application Data\xssend2
c:\documents and settings\dawn\Application Data\xssend2\svcnost.exe
c:\windows\system32\awuttu.dll
c:\windows\system32\awwxyy.dll
c:\windows\system32\cbxvvu.dll
c:\windows\system32\cbxwvu.dll
c:\windows\system32\drivers\srenum.sys
c:\windows\system32\iifefd.dll
c:\windows\system32\ljkkkh.dll
c:\windows\system32\msrun.exe
c:\windows\system32\nnmklm.dll
c:\windows\system32\opmjij.dll
c:\windows\system32\qonmjg.dll
c:\windows\system32\rqomno.dll

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_srenum
-------\Service_srenum


((((((((((((((((((((((((( Files Created from 2010-12-01 to 2011-01-01 )))))))))))))))))))))))))))))))
.

2010-12-31 22:15 . 2010-12-31 22:16 -------- d-----w- c:\documents and settings\Administrator
2010-12-31 22:02 . 2010-12-31 22:02 -------- d-----w- C:\_OTL
2010-12-31 06:36 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-12-31 06:36 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-12-31 06:36 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-12-31 06:36 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-12-31 06:36 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-12-31 06:36 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-12-31 06:36 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-12-31 06:36 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-12-31 06:36 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-12-31 06:36 . 2010-12-31 06:36 -------- d-----w- c:\program files\Alwil Software
2010-12-31 06:36 . 2010-12-31 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-12-31 06:25 . 2010-12-31 06:25 -------- d-----w- c:\documents and settings\dawn\Application Data\xssendaesi1szutdjgmbvttqv2uvu33gosdnk
2010-12-31 06:25 . 2010-12-31 06:25 74250 ----a-w- c:\program files\Mozilla Firefox\update.exe
2010-12-31 06:25 . 2010-12-31 06:25 -------- d-----w- c:\documents and settings\dawn\Application Data\oghelxhxryh1q2keeulhbrhtpllwtoz2
2010-12-31 06:07 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-31 06:07 . 2010-12-31 06:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-31 06:07 . 2010-12-31 06:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-31 06:07 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-29 20:15 . 2010-12-29 20:15 -------- d-----w- c:\documents and settings\dawn\Application Data\xssendjis2rowzeeq1kooxnwttxwkxdryq1cr
2010-12-28 18:37 . 2010-12-28 18:37 -------- d-----w- c:\documents and settings\dawn\Application Data\xssendaxciaqcbpookedhprqhjfswj1nwmcy2
2010-12-28 08:20 . 2010-12-28 08:20 -------- d-----w- c:\documents and settings\dawn\Application Data\xssendeyyczvk2yddsdtvmfkv2hyfhlqaukaw
2010-12-25 03:18 . 2010-12-25 03:18 -------- d-----w- c:\documents and settings\dawn\Application Data\xssendbxzfvivuoe3ujwerwrtkwhoa2thkmcr
2010-12-23 04:25 . 2010-12-30 23:32 -------- d-----w- c:\windows\LastGood.Tmp
2010-12-23 04:25 . 2010-12-23 04:25 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2010-12-23 04:22 . 2010-12-31 06:34 29996 ---h--w- c:\documents and settings\dawn\Application Data\ntuser.dat
2010-12-23 04:22 . 2010-12-23 04:22 -------- d-----w- c:\documents and settings\dawn\Application Data\xssendbhygrstgjzem3ufnngx32rhxwhwgdsi
2010-12-23 04:22 . 2010-12-23 04:22 -------- d-----w- c:\documents and settings\dawn\Application Data\wdbv3t1mjohbvre2omikiefinpasusn2
2010-12-18 05:29 . 2008-04-14 12:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-12-18 05:29 . 2008-04-14 12:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-12-07 06:17 . 2010-12-07 06:17 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2009-03-12 05:06 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:34 . 2009-03-11 12:53 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34 . 2009-03-11 12:53 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34 . 2009-03-11 12:53 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34 . 2009-03-11 12:52 17408 ----a-w- c:\windows\system32\corpol.dll
2010-11-03 12:25 . 2009-03-11 12:53 389120 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2009-03-11 12:53 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2009-03-11 12:52 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2009-03-11 12:53 1853312 ----a-w- c:\windows\system32\win32k.sys
.

------- Sigcheck -------

[-] 2008-04-14 . 5FAC810673F3BC3E9965AD9468788120 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . F54D30E8C799B962C380EA2961C74733 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\dawn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-10 133104]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-12-07 328056]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-29 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M3000Mnt"="M3000Rmv.dll " [X]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-24 17529856]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-01-25 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-05 1430824]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-12-30 875016]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-03-12 24064]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2008-10-03 294544]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-06 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-04 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-3-11 565248]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\dawn\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\dawn\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\HP\\HP Color LaserJet CM1312 MFP Series\\hppfsu_cm1312.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\dawn\\Application Data\\oghelxhxryh1q2keeulhbrhtpllwtoz2\\csrss.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [30/12/2010 11:36 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [30/12/2010 11:36 PM 17744]
R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [11/03/2009 11:32 PM 237568]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [03/03/2009 8:03 PM 38912]
R3 M3000Srv;WebCam Driver;c:\windows\system32\drivers\M3000KNT.sys [28/08/2009 11:38 AM 145408]
R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [22/12/2010 9:25 PM 20480]
S2 0056821293751929mcinstcleanup;McAfee Application Installer Cleanup (0056821293751929);c:\docume~1\dawn\LOCALS~1\Temp\005682~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\dawn\LOCALS~1\Temp\005682~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [11/03/2009 10:56 PM 1684736]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/03/2009 11:06 PM 24064]
S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hpfxfax.sys [16/09/2009 8:03 PM 20504]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [11/03/2009 10:54 PM 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AVAST!_MAIL_SCANNER
*NewlyCreated* - AVAST!_WEB_SCANNER

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-953129233-101265881-2389969595-1005Core.job
- c:\documents and settings\dawn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-10 04:51]

2010-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-953129233-101265881-2389969595-1005UA.job
- c:\documents and settings\dawn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-10 04:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0809&m=aspire_one
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0809&m=aspire_one
uInternet Connection Wizard,ShellNext = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0809&m=aspire_one
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\dawn\Application Data\Mozilla\Firefox\Profiles\nzn9a714.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?hl=en&zx=18m28qolo5ujz&shva=1#inbox|http://www.google.ca/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-urponmaudio - qonmjg.dll
HKCU-Run-mssend - c:\documents and settings\dawn\Application Data\xssend2\svcnost.exe
HKCU-Run-gebywxaudio - awwxyy.dll
HKCU-Run-urpqpoaudio - cbxwvu.dll
HKCU-Run-tutromaudio - opmjij.dll
HKCU-Run-khifcdaudio - iifefd.dll
HKCU-Run-wvturpaudio - cbxvvu.dll
HKCU-Run-khggfdaudio - awuttu.dll
HKCU-Run-opolkkaudio - rqomno.dll
HKCU-Run-hgfddbaudio - nnmklm.dll
HKLM-Run-iiiiffaudio - qonmjg.dll
HKLM-Run-bywttraudio - awwxyy.dll
HKLM-Run-tuvwusaudio - cbxwvu.dll
HKLM-Run-qopqnoaudio - opmjij.dll
HKLM-Run-hggedeaudio - iifefd.dll
HKLM-Run-ssropnaudio - cbxvvu.dll
HKLM-Run-cbbccyaudio - awuttu.dll
HKLM-Run-pmkhigaudio - rqomno.dll
HKLM-Run-nnmnolaudio - nnmklm.dll
HKU-Default-Run-geddaaaudio - qonmjg.dll
HKU-Default-Run-cbywtqaudio - awwxyy.dll
HKU-Default-Run-ljkifdaudio - cbxwvu.dll
HKU-Default-Run-sstuutaudio - opmjij.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-31 17:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(532)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\WebCam\M3000\M3000Mnt.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\igfxext.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Alwil Software\Avast5\setup\avast.setup
.
**************************************************************************
.
Completion time: 2010-12-31 17:21:49 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-01 00:21

Pre-Run: 87,391,363,072 bytes free
Post-Run: 86,489,071,616 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - A41AC2BA97C7AE16AD39D09D9445EDF6
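The ComboFix log above shows the pattern that gave this infection away: autostart and firewall-exception entries pointing at executables in random-named folders under the user's Application Data, some carrying the names of core Windows binaries (csrss.exe) or near-misses of them (svcnost.exe). The following Python script is an added example, not code from this thread, from ComboFix or from Geeks to Go: it walks the "Reg Loading Points" layout and scores each entry on those three indicators. The sample log lines, the size values in them and the list of system binaries with their expected directories are constructed for the example.

```python
"""Triage ComboFix-style autostart and firewall-exception entries.

Added example (not part of the original thread or of ComboFix): flags
executables that run from user-writable profile directories, from
random-looking directory names, or under names that imitate core Windows
binaries.  The sample lines below are constructed, modelled on the log
format seen in the thread.
"""
import re

# Core binaries and the only directory each legitimately runs from (assumed
# for the example).  A matching or one-character-off name elsewhere is suspect.
SYSTEM_BINARIES = {
    "csrss.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Path fragments that place a file somewhere a standard user can write to.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")

SECTION_RE = re.compile(r"^\[(.+)\]$")
# "name"="path" [date size]   (Run keys)   or   "path"=   (firewall list)
ENTRY_RE = re.compile(r'^"([^"]+)"=(?:"([^"]*)")?')

# Constructed sample in the layout of the "Reg Loading Points" section.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\dawn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-10 133104]
"mssend"="c:\documents and settings\dawn\Application Data\xssend2\svcnost.exe" [2010-12-22 12345]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\dawn\\Application Data\\oghelxhxryh1q2keeulhbrhtpllwtoz2\\csrss.exe"=
'''


def normalise(path: str) -> str:
    """Collapse doubled backslashes, expand %windir%, lower-case."""
    p = path.replace("\\\\", "\\").strip().lower()
    return p.replace("%windir%", r"c:\windows")


def looks_random(segment: str) -> bool:
    """Long, all-alphanumeric, digit-bearing names like the xssend* folders."""
    return (len(segment) >= 20 and segment.isalnum()
            and any(c.isdigit() for c in segment))


def lookalike(filename: str):
    """Return the system binary this name equals or differs from by one character."""
    for sysname in SYSTEM_BINARIES:
        if filename == sysname:
            return sysname
        if (len(filename) == len(sysname)
                and sum(a != b for a, b in zip(filename, sysname)) == 1):
            return sysname
    return None


def assess(path: str) -> list:
    """Return the list of reasons a single executable path is suspicious."""
    p = normalise(path)
    parts = p.split("\\")
    filename, parent = parts[-1], "\\".join(parts[:-1])
    reasons = []
    if any(m in p for m in USER_WRITABLE):
        reasons.append("runs from a user-writable profile directory")
    if any(looks_random(seg) for seg in parts[:-1]):
        reasons.append("random-looking directory name")
    target = lookalike(filename)
    if target and parent != SYSTEM_BINARIES[target]:
        reasons.append(f"impersonates system binary {target}")
    return reasons


def scan_log(text: str, min_reasons: int = 1) -> list:
    """Walk the log and collect entries with at least min_reasons indicators."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        ent = ENTRY_RE.match(line)
        if not ent:
            continue
        name, value = ent.group(1), ent.group(2)
        path = value if value is not None else name   # firewall lines have no value
        reasons = assess(path)
        if len(reasons) >= min_reasons:
            findings.append({"section": section, "name": name,
                             "path": normalise(path), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, min_reasons=2):
        print(f["path"] + "\n    " + "\n    ".join(f["reasons"]))
```

Run on the sample, `scan_log(SAMPLE_LOG, min_reasons=2)` reports only the svcnost.exe and csrss.exe entries; GoogleUpdate.exe also lives in the profile but carries no other indicator, so a single reason is best treated as context rather than a verdict.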

#8
Cold Titanium
    Trusted Helper
  • Malware Removal
  • 1,735 posts
Yaay! Now let's clean up the rest of all this. :D


Do you happen to have your XP install disc?


Let's do this in Normal mode


Step #1


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

SRPeek::
c:\windows\system32\winlogon.exe
c:\windows\explorer.exe

Folder::
c:\documents and settings\dawn\Application Data\xssendaesi1szutdjgmbvttqv2uvu33gosdnk
c:\documents and settings\dawn\Application Data\oghelxhxryh1q2keeulhbrhtpllwtoz2
c:\documents and settings\dawn\Application Data\xssendjis2rowzeeq1kooxnwttxwkxdryq1cr
c:\documents and settings\dawn\Application Data\xssendaxciaqcbpookedhprqhjfswj1nwmcy2
c:\documents and settings\dawn\Application Data\xssendeyyczvk2yddsdtvmfkv2hyfhlqaukaw
c:\documents and settings\dawn\Application Data\xssendbxzfvivuoe3ujwerwrtkwhoa2thkmcr
c:\documents and settings\dawn\Application Data\xssendbhygrstgjzem3ufnngx32rhxwhwgdsi
c:\documents and settings\dawn\Application Data\wdbv3t1mjohbvre2omikiefinpasusn2


Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\dawn\\Application Data\\oghelxhxryh1q2keeulhbrhtpllwtoz2\\csrss.exe"=-

DDS::
R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [22/12/2010 9:25 PM 20480]
S2 0056821293751929mcinstcleanup;McAfee Application Installer Cleanup (0056821293751929);c:\docume~1\dawn\LOCALS~1\Temp\005682~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\dawn\LOCALS~1\Temp\005682~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#9
ddfafa
    Member
  • Topic Starter
  • Member
  • 46 posts
Hi Cold Titanium,

Happy New Year! Thanks for replying even though it is New Year's Day!

Unfortunately, I don't think I have an XP install disc... one probably came with this little netbook, but I am not sure where it is at the moment.

When I went to run ComboFix, it told me that an update was available, so I hope it was OK that I updated it.

Here is the log from the fix.

--

ComboFix 11-01-01.01 - dawn 01/01/2011 14:46:39.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.537 [GMT -7:00]
Running from: c:\documents and settings\dawn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\dawn\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\dawn\Application Data\oghelxhxryh1q2keeulhbrhtpllwtoz2
c:\documents and settings\dawn\Application Data\oghelxhxryh1q2keeulhbrhtpllwtoz2\csrss.exe
c:\documents and settings\dawn\Application Data\wdbv3t1mjohbvre2omikiefinpasusn2
c:\documents and settings\dawn\Application Data\wdbv3t1mjohbvre2omikiefinpasusn2\csrss.exe
c:\documents and settings\dawn\Application Data\xssendaesi1szutdjgmbvttqv2uvu33gosdnk
c:\documents and settings\dawn\Application Data\xssendaesi1szutdjgmbvttqv2uvu33gosdnk\svcnost.exe
c:\documents and settings\dawn\Application Data\xssendaxciaqcbpookedhprqhjfswj1nwmcy2
c:\documents and settings\dawn\Application Data\xssendaxciaqcbpookedhprqhjfswj1nwmcy2\svcnost.exe
c:\documents and settings\dawn\Application Data\xssendbhygrstgjzem3ufnngx32rhxwhwgdsi
c:\documents and settings\dawn\Application Data\xssendbhygrstgjzem3ufnngx32rhxwhwgdsi\svcnost.exe
c:\documents and settings\dawn\Application Data\xssendbxzfvivuoe3ujwerwrtkwhoa2thkmcr
c:\documents and settings\dawn\Application Data\xssendbxzfvivuoe3ujwerwrtkwhoa2thkmcr\svcnost.exe
c:\documents and settings\dawn\Application Data\xssendeyyczvk2yddsdtvmfkv2hyfhlqaukaw
c:\documents and settings\dawn\Application Data\xssendeyyczvk2yddsdtvmfkv2hyfhlqaukaw\svcnost.exe
c:\documents and settings\dawn\Application Data\xssendjis2rowzeeq1kooxnwttxwkxdryq1cr
c:\documents and settings\dawn\Application Data\xssendjis2rowzeeq1kooxnwttxwkxdryq1cr\svcnost.exe

.
((((((((((((((((((((((((( Files Created from 2010-12-01 to 2011-01-01 )))))))))))))))))))))))))))))))
.

2011-01-01 21:41 . 2011-01-01 21:41 -------- d-----w- c:\documents and settings\dawn\Application Data\Malwarebytes
2010-12-31 22:15 . 2010-12-31 22:16 -------- d-----w- c:\documents and settings\Administrator
2010-12-31 22:02 . 2010-12-31 22:02 -------- d-----w- C:\_OTL
2010-12-31 06:36 . 2010-12-31 06:36 -------- d-----w- c:\program files\Alwil Software
2010-12-31 06:36 . 2010-12-31 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-12-23 04:25 . 2010-12-23 04:25 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2010-12-18 05:29 . 2008-04-14 12:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-12-18 05:29 . 2008-04-14 12:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-12-07 06:17 . 2010-12-07 06:17 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2009-03-12 05:06 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:34 . 2009-03-11 12:53 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34 . 2009-03-11 12:53 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34 . 2009-03-11 12:53 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34 . 2009-03-11 12:52 17408 ----a-w- c:\windows\system32\corpol.dll
2010-11-03 12:25 . 2009-03-11 12:53 389120 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2009-03-11 12:53 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2009-03-11 12:52 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2009-03-11 12:53 1853312 ----a-w- c:\windows\system32\win32k.sys
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

c:\windows\system32\dllcache\explorer.exe [x]
[-] F54D30E8C799B962C380EA2961C74733 1033728 \RP0\A0009028.exe

c:\windows\system32\dllcache\winlogon.exe [x]
[-] 5FAC810673F3BC3E9965AD9468788120 507904 \RP0\A0009027.exe
.
------- Sigcheck -------

[-] 2008-04-14 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 507904 . . [------] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 1033728 . . [------] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2011-01-01_00.16.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-01 21:05 . 2011-01-01 21:05 16384 c:\windows\temp\Perflib_Perfdata_adc.dat
+ 2009-03-12 05:14 . 2010-02-22 14:23 17272 c:\windows\system32\spmsg.dll
- 2009-03-12 05:14 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2009-03-11 12:53 . 2011-01-01 21:09 68386 c:\windows\system32\perfc009.dat
+ 2009-03-11 12:53 . 2011-01-01 21:09 434266 c:\windows\system32\perfh009.dat
- 2007-07-11 20:27 . 2010-11-06 00:34 380928 c:\windows\system32\ieapfltr.dll
+ 2007-07-11 20:27 . 2010-09-09 13:38 380928 c:\windows\system32\ieapfltr.dll
+ 2009-06-29 16:12 . 2010-09-09 13:38 380928 c:\windows\system32\dllcache\ieapfltr.dll
- 2009-06-29 16:12 . 2010-11-06 00:34 380928 c:\windows\system32\dllcache\ieapfltr.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\dawn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-10 133104]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-12-07 328056]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-29 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M3000Mnt"="M3000Rmv.dll " [X]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-24 17529856]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-01-25 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-05 1430824]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-12-30 875016]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-03-12 24064]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2008-10-03 294544]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-06 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-04 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-3-11 565248]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\dawn\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\dawn\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\HP\\HP Color LaserJet CM1312 MFP Series\\hppfsu_cm1312.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [11/03/2009 11:32 PM 237568]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [03/03/2009 8:03 PM 38912]
R3 M3000Srv;WebCam Driver;c:\windows\system32\drivers\M3000KNT.sys [28/08/2009 11:38 AM 145408]
R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [22/12/2010 9:25 PM 20480]
S2 0056821293751929mcinstcleanup;McAfee Application Installer Cleanup (0056821293751929);c:\docume~1\dawn\LOCALS~1\Temp\005682~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\dawn\LOCALS~1\Temp\005682~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [11/03/2009 10:56 PM 1684736]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/03/2009 11:06 PM 24064]
S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hpfxfax.sys [16/09/2009 8:03 PM 20504]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [11/03/2009 10:54 PM 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2011-01-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-953129233-101265881-2389969595-1005Core.job
- c:\documents and settings\dawn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-10 04:51]

2011-01-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-953129233-101265881-2389969595-1005UA.job
- c:\documents and settings\dawn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-10 04:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0809&m=aspire_one
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0809&m=aspire_one
uInternet Connection Wizard,ShellNext = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0809&m=aspire_one
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\dawn\Application Data\Mozilla\Firefox\Profiles\nzn9a714.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?hl=en&zx=18m28qolo5ujz&shva=1#inbox|http://www.google.ca/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-01 14:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2011-01-01 14:54:02
ComboFix-quarantined-files.txt 2011-01-01 21:53
ComboFix2.txt 2011-01-01 00:21

Pre-Run: 86,403,735,552 bytes free
Post-Run: 86,391,304,192 bytes free

- - End Of File - - DA2F6FE88E4E1DB553D417362464EDE6

#10
Cold Titanium

    Trusted Helper

  • Malware Removal
  • 1,735 posts

Happy New Year! Thanks for replying even though it is New Year's Day!


Same to you!


If you can find it, I could really use that install disc. We need to replace two infected system files and there are no backup copies on the system.

You could even borrow an install disc...


Step #1


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DDS::
R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [22/12/2010 9:25 PM 20480]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Step #2

  • Download GMER to your desktop
  • Right-Click and extract it to the desktop
  • Double-Click gmer.exe
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish. (Please be patient as it can take some time to complete)

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


After it finishes scanning
  • Click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save it to your desktop

Post ark.txt in your next reply


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I'd like to see Combofix.txt and ark.txt in your next reply... :D

Edited by Cold Titanium, 02 January 2011 - 10:35 AM.



#11
ddfafa

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Hi Cold Titanium,

I managed to find an XP install disc... but I just realized that this computer is a netbook and thus has no CD-ROM drive... would it be possible to get the files online or through USB?

I did the two scans, and once again Combofix told me that there was an updated version, so I let it update. Here are the logs:

--

ComboFix 11-01-02.02 - dawn 02/01/2011 16:06:18.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.556 [GMT -7:00]
Running from: c:\documents and settings\dawn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\dawn\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-12-02 to 2011-01-02 )))))))))))))))))))))))))))))))
.

2011-01-01 21:41 . 2011-01-01 21:41 -------- d-----w- c:\documents and settings\dawn\Application Data\Malwarebytes
2010-12-31 22:15 . 2010-12-31 22:16 -------- d-----w- c:\documents and settings\Administrator
2010-12-31 22:02 . 2010-12-31 22:02 -------- d-----w- C:\_OTL
2010-12-31 06:36 . 2010-12-31 06:36 -------- d-----w- c:\program files\Alwil Software
2010-12-31 06:36 . 2010-12-31 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-12-23 04:25 . 2010-12-23 04:25 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2010-12-18 05:29 . 2008-04-14 12:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-12-18 05:29 . 2008-04-14 12:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-12-07 06:17 . 2010-12-07 06:17 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2009-03-12 05:06 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:34 . 2009-03-11 12:53 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34 . 2009-03-11 12:53 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34 . 2009-03-11 12:53 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34 . 2009-03-11 12:52 17408 ----a-w- c:\windows\system32\corpol.dll
2010-11-03 12:25 . 2009-03-11 12:53 389120 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2009-03-11 12:53 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2009-03-11 12:52 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2009-03-11 12:53 1853312 ----a-w- c:\windows\system32\win32k.sys
.

------- Sigcheck -------

[-] 2008-04-14 . 5FAC810673F3BC3E9965AD9468788120 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . F54D30E8C799B962C380EA2961C74733 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2011-01-01_00.16.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-01 21:58 . 2011-01-01 21:58 16384 c:\windows\temp\Perflib_Perfdata_1dc.dat
+ 2009-03-12 05:14 . 2010-02-22 14:23 17272 c:\windows\system32\spmsg.dll
- 2009-03-12 05:14 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2009-03-11 12:53 . 2011-01-01 22:02 68386 c:\windows\system32\perfc009.dat
+ 2009-03-11 12:53 . 2011-01-01 22:02 434266 c:\windows\system32\perfh009.dat
- 2007-07-11 20:27 . 2010-11-06 00:34 380928 c:\windows\system32\ieapfltr.dll
+ 2007-07-11 20:27 . 2010-09-09 13:38 380928 c:\windows\system32\ieapfltr.dll
+ 2009-06-29 16:12 . 2010-09-09 13:38 380928 c:\windows\system32\dllcache\ieapfltr.dll
- 2009-06-29 16:12 . 2010-11-06 00:34 380928 c:\windows\system32\dllcache\ieapfltr.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\dawn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-10 133104]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-12-07 328056]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-29 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M3000Mnt"="M3000Rmv.dll " [X]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-24 17529856]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-01-25 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-05 1430824]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-12-30 875016]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-03-12 24064]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2008-10-03 294544]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-06 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-04 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-3-11 565248]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\dawn\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\dawn\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\HP\\HP Color LaserJet CM1312 MFP Series\\hppfsu_cm1312.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [11/03/2009 11:32 PM 237568]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [03/03/2009 8:03 PM 38912]
R3 M3000Srv;WebCam Driver;c:\windows\system32\drivers\M3000KNT.sys [28/08/2009 11:38 AM 145408]
R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [22/12/2010 9:25 PM 20480]
S2 0056821293751929mcinstcleanup;McAfee Application Installer Cleanup (0056821293751929);c:\docume~1\dawn\LOCALS~1\Temp\005682~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\dawn\LOCALS~1\Temp\005682~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [11/03/2009 10:56 PM 1684736]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/03/2009 11:06 PM 24064]
S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hpfxfax.sys [16/09/2009 8:03 PM 20504]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [11/03/2009 10:54 PM 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2011-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-953129233-101265881-2389969595-1005Core.job
- c:\documents and settings\dawn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-10 04:51]

2011-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-953129233-101265881-2389969595-1005UA.job
- c:\documents and settings\dawn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-10 04:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0809&m=aspire_one
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0809&m=aspire_one
uInternet Connection Wizard,ShellNext = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0809&m=aspire_one
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\dawn\Application Data\Mozilla\Firefox\Profiles\nzn9a714.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?hl=en&zx=18m28qolo5ujz&shva=1#inbox|http://www.google.ca/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-02 16:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1088)
c:\windows\system32\igfxdev.dll
.
Completion time: 2011-01-02 16:12:55
ComboFix-quarantined-files.txt 2011-01-02 23:12
ComboFix2.txt 2011-01-01 21:54
ComboFix3.txt 2011-01-01 00:21

Pre-Run: 86,423,875,584 bytes free
Post-Run: 86,412,009,472 bytes free

- - End Of File - - 31C4FB845505A59CA2E763A0472CDD79

--

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-02 17:07:41
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 TOSHIBA_ rev.FG01
Running: gmer.exe; Driver: C:\DOCUME~1\dawn\LOCALS~1\Temp\kxldqpog.sys


---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\dawn\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\DOCUME~1\dawn\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\explorer.exe[1500] explorer.exe 01002583 2 Bytes [AC, 18]
.text C:\WINDOWS\explorer.exe[1500] explorer.exe 01002597 14 Bytes [8B, FF, 55, 8B, EC, 56, 57, ...]
.text C:\WINDOWS\explorer.exe[1500] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00B47247

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
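The Sigcheck block and the ". . . is infected!!" lines in the ComboFix log above are what the helper acts on in the next step. As an added example (not ComboFix's own code and not posted by anyone in this thread), the Python below parses those entries and compares two logs so a reader can confirm that a flagged system file was really replaced (its MD5 changed) rather than just flagged again; the "before" lines are copied from the log above, the "after" log is constructed with a placeholder MD5.

```python
"""Triage helper for ComboFix logs.  Added as an example; this is not
ComboFix's code and was not posted in this thread.  It extracts the
'------- Sigcheck -------' entries and the '. . . is infected!!' lines that
ComboFix prints, and compares two logs to show whether a flagged file's
MD5 changed after a replacement (for example an FCopy:: script)."""

import re
from typing import Dict, List

# Sigcheck line layout (this one is copied from the log above):
# [-] 2008-04-14 . 5FAC810673F3BC3E9965AD9468788120 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
# "[-]" marks a file that failed ComboFix's check; it is the only marker that
# appears in this thread, so nothing is assumed about other markers.
SIGCHECK_RE = re.compile(
    r"^\[(?P<status>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)
# Matches "c:\windows\explorer.exe . . . is infected!!"
INFECTED_RE = re.compile(r"^(?P<path>\S.*?)\s+\.\s+\.\s+\.\s+is infected!!\s*$")


def parse_sigcheck(log_text: str) -> List[Dict[str, str]]:
    """Return every Sigcheck entry as a dict (status, date, md5, size,
    version, path).  Only lines between the Sigcheck header and the next
    section banner (a line of parentheses) are examined."""
    entries: List[Dict[str, str]] = []
    in_block = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("------- Sigcheck -------"):
            in_block = True
            continue
        if in_block and stripped.startswith("(((("):
            break
        if in_block:
            match = SIGCHECK_RE.match(stripped)
            if match:
                entries.append(match.groupdict())
    return entries


def infected_paths(log_text: str) -> List[str]:
    """Paths ComboFix reported with '. . . is infected!!', in log order."""
    found: List[str] = []
    for line in log_text.splitlines():
        match = INFECTED_RE.match(line.strip())
        if match:
            found.append(match.group("path"))
    return found


def replacement_report(before_log: str, after_log: str) -> Dict[str, str]:
    """For each file marked [-] in the earlier log, say whether the later log
    shows a different MD5 ("replaced"), the same MD5 ("unchanged"), or no
    Sigcheck entry at all ("not listed").  Keys are lower-cased paths."""
    after = {e["path"].lower(): e for e in parse_sigcheck(after_log)}
    report: Dict[str, str] = {}
    for entry in parse_sigcheck(before_log):
        if entry["status"] != "-":
            continue
        path = entry["path"].lower()
        later = after.get(path)
        if later is None:
            report[path] = "not listed"
        elif later["md5"].upper() != entry["md5"].upper():
            report[path] = "replaced"
        else:
            report[path] = "unchanged"
    return report


# Sample input: the two "is infected!!" lines and the two Sigcheck lines are
# copied from the ComboFix log posted above.
BEFORE_LOG = r"""
c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

------- Sigcheck -------

[-] 2008-04-14 . 5FAC810673F3BC3E9965AD9468788120 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . F54D30E8C799B962C380EA2961C74733 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2011-01-01_00.16.20 )))))))))))))))))))))))))))))))))))))))))
"""

# Constructed "after" log: winlogon.exe now carries an all-zero PLACEHOLDER
# MD5 (not the hash of any real file) to stand in for a replaced copy, while
# explorer.exe still shows the hash that was flagged.
AFTER_LOG = r"""
------- Sigcheck -------

[-] 2008-04-14 . 00000000000000000000000000000000 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . F54D30E8C799B962C380EA2961C74733 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
"""

if __name__ == "__main__":
    for path, verdict in replacement_report(BEFORE_LOG, AFTER_LOG).items():
        print(f"{verdict:10} {path}")
```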

#12
Cold Titanium

    Trusted Helper

  • Malware Removal
  • 1,735 posts
Do you have another computer with a disc drive? What OS is it running?

Do you have a flash drive? We'll need it for transferring the files.



Step #1


Insert the XP install disc into the computer and close any windows it pops up.

  • Click the Start button in the lower left corner
  • Click Run
  • Type in cmd and press Enter

Type in the following and press enter after each one:


X: (where X is the drive letter of the CD drive. This can be obtained by looking at My Computer)


mkdir %userprofile%\Desktop\Extracted

EXPAND .\I386\EXPLORER.EX_ %userprofile%\Desktop\Extracted\explorer.exe

EXPAND .\I386\WINLOGON.EX_ %userprofile%\Desktop\Extracted\winlogon.exe


There will now be a folder on the desktop called Extracted containing the two files we need. Copy this folder onto the disinfected flash drive.

Insert the flash drive into the infected computer and copy the Extracted folder onto the desktop.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Step #2


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

FCopy::
%userprofile%\Desktop\Extracted\explorer.exe | c:\windows\explorer.exe
%userprofile%\Desktop\Extracted\winlogon.exe | c:\windows\system32\winlogon.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#13
ddfafa

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Hi Cold Titanium,

I used a computer that was running Win Vista to get the files onto the flash drive. The make directory command wasn't working, so I just manually created the "Extracted" folder in Windows. The other two commands seemed to work fine though.

Here is the log from the Combofix run:

--

ComboFix 11-01-03.01 - dawn 03/01/2011 15:57:27.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.548 [GMT -7:00]
Running from: c:\documents and settings\dawn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\dawn\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-12-03 to 2011-01-03 )))))))))))))))))))))))))))))))
.

2011-01-01 21:41 . 2011-01-01 21:41 -------- d-----w- c:\documents and settings\dawn\Application Data\Malwarebytes
2010-12-31 22:15 . 2010-12-31 22:16 -------- d-----w- c:\documents and settings\Administrator
2010-12-31 22:02 . 2010-12-31 22:02 -------- d-----w- C:\_OTL
2010-12-31 06:36 . 2010-12-31 06:36 -------- d-----w- c:\program files\Alwil Software
2010-12-31 06:36 . 2010-12-31 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-12-23 04:25 . 2010-12-23 04:25 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2010-12-18 05:29 . 2008-04-14 12:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-12-18 05:29 . 2008-04-14 12:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-12-07 06:17 . 2010-12-07 06:17 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2009-03-12 05:06 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:34 . 2009-03-11 12:53 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34 . 2009-03-11 12:53 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34 . 2009-03-11 12:53 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34 . 2009-03-11 12:52 17408 ----a-w- c:\windows\system32\corpol.dll
2010-11-03 12:25 . 2009-03-11 12:53 389120 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2009-03-11 12:53 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2009-03-11 12:52 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2009-03-11 12:53 1853312 ----a-w- c:\windows\system32\win32k.sys
.

------- Sigcheck -------

[-] 2008-04-14 . 5FAC810673F3BC3E9965AD9468788120 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . F54D30E8C799B962C380EA2961C74733 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2011-01-01_00.16.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-03 18:15 . 2011-01-03 18:15 16384 c:\windows\temp\Perflib_Perfdata_1cc.dat
+ 2009-03-12 05:14 . 2010-02-22 14:23 17272 c:\windows\system32\spmsg.dll
- 2009-03-12 05:14 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2009-03-11 12:53 . 2011-01-03 18:19 68386 c:\windows\system32\perfc009.dat
+ 2009-03-11 12:53 . 2011-01-03 18:19 434266 c:\windows\system32\perfh009.dat
- 2007-07-11 20:27 . 2010-11-06 00:34 380928 c:\windows\system32\ieapfltr.dll
+ 2007-07-11 20:27 . 2010-09-09 13:38 380928 c:\windows\system32\ieapfltr.dll
+ 2009-06-29 16:12 . 2010-09-09 13:38 380928 c:\windows\system32\dllcache\ieapfltr.dll
- 2009-06-29 16:12 . 2010-11-06 00:34 380928 c:\windows\system32\dllcache\ieapfltr.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\dawn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-10 133104]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-12-07 328056]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-29 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M3000Mnt"="M3000Rmv.dll " [X]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-24 17529856]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-01-25 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-05 1430824]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-12-30 875016]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-03-12 24064]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2008-10-03 294544]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-06 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-04 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-3-11 565248]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\dawn\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\dawn\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\HP\\HP Color LaserJet CM1312 MFP Series\\hppfsu_cm1312.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [11/03/2009 11:32 PM 237568]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [03/03/2009 8:03 PM 38912]
R3 M3000Srv;WebCam Driver;c:\windows\system32\drivers\M3000KNT.sys [28/08/2009 11:38 AM 145408]
R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [22/12/2010 9:25 PM 20480]
S2 0056821293751929mcinstcleanup;McAfee Application Installer Cleanup (0056821293751929);c:\docume~1\dawn\LOCALS~1\Temp\005682~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\dawn\LOCALS~1\Temp\005682~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [11/03/2009 10:56 PM 1684736]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/03/2009 11:06 PM 24064]
S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hpfxfax.sys [16/09/2009 8:03 PM 20504]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [11/03/2009 10:54 PM 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2011-01-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-953129233-101265881-2389969595-1005Core.job
- c:\documents and settings\dawn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-10 04:51]

2011-01-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-953129233-101265881-2389969595-1005UA.job
- c:\documents and settings\dawn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-10 04:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0809&m=aspire_one
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0809&m=aspire_one
uInternet Connection Wizard,ShellNext = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0809&m=aspire_one
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\dawn\Application Data\Mozilla\Firefox\Profiles\nzn9a714.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?hl=en&zx=18m28qolo5ujz&shva=1#inbox|http://www.google.ca/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-03 16:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\igfxdev.dll
.
Completion time: 2011-01-03 16:04:32
ComboFix-quarantined-files.txt 2011-01-03 23:04
ComboFix2.txt 2011-01-02 23:12
ComboFix3.txt 2011-01-01 21:54
ComboFix4.txt 2011-01-01 00:21

Pre-Run: 86,384,148,480 bytes free
Post-Run: 86,369,574,912 bytes free

- - End Of File - - 535D7C15E5EA0815DC2C27BAB1D6334D

#14
Cold Titanium

    Trusted Helper

  • Malware Removal
  • 1,735 posts
Did you make the folder on the desktop of the clean machine before running the other two commands? Are there two files (explorer.exe and winlogon.exe) in the Extracted folder?

#15
ddfafa

    Member

  • Topic Starter
  • Member
  • 46 posts
Hi Cold Titanium,

Ya, I made the folder on the desktop of the clean machine before running the two commands, and I checked afterwards to make sure that explorer.exe and winlogon.exe were in the folder, and they were. Then I copied it to the infected machine and ran the ComboFix script that was in my last post. For some reason, I kept getting an "access is denied" error message when I tried to run the mkdir command.