XP Home Security 2012 and its evil siblings [Solved]

This topic is locked

#1
melanie11127
Member, 15 posts
I've tried to do what I can alone. This malware is like the Hydra: I cut off a head and 2 more grow back. It started 5 days ago. I kept hearing a popping noise while I was in full screen. I minimized to find a flashing fake anti-virus screen. I ran MBAM. It locked up. I downloaded NCRFix & Rkill. I was able to shut down the processes that were blocking Task Manager & MBAM. MBAM found quite a bit of stuff, which I removed. Upon restart, it acted OK for a while and then went back to the popping noises, and now dinging. The next day, Security Sphere 2012 showed up. I followed the same procedure. Again, temporary relief. Now I've got something else (it keeps changing names); it takes over my browser and opens 10 random websites trying to sell me anything from pens to futons. A new symptom today is that when I tried to open the browser, it says I'm at the site I want in the address bar, but the screen is blank and the tab says "untitled". I'm saying "UNCLE" at this point. Please help me! Thanks so much for all that you do...
(OTL log below)

OTL logfile created on: 12/14/2011 8:00:58 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\admin\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.36 Gb Available Physical Memory | 68.27% Memory free
3.34 Gb Paging File | 2.85 Gb Available in Paging File | 85.35% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 19.31 Gb Free Space | 34.55% Space Free | Partition Type: NTFS
Drive D: | 4.78 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive F: | 7.60 Gb Total Space | 5.93 Gb Free Space | 77.98% Space Free | Partition Type: FAT32

Computer Name: MELANIE | User Name: admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/14 20:00:23 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\admin\My Documents\Downloads\OTL.exe
PRC - [2011/04/08 11:59:52 | 000,507,624 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2010/12/08 16:15:44 | 000,063,360 | ---- | M] (DivX, LLC) -- C:\Program Files\DivX\DivX Plus Web Player\DDMService.exe
PRC - [2010/12/03 14:35:08 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/09/29 09:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/14 07:00:00 | 000,017,920 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ping.exe
PRC - [2007/11/08 22:50:10 | 001,552,384 | ---- | M] () -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
PRC - [2007/09/14 10:53:16 | 000,218,424 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
PRC - [2007/09/10 09:55:04 | 000,092,160 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
PRC - [2007/09/07 17:29:04 | 000,737,280 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
PRC - [2007/05/10 09:22:32 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
PRC - [2006/10/20 16:23:38 | 000,118,784 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2006/08/17 08:00:00 | 001,116,920 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
PRC - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe


========== Modules (No Company Name) ==========

MOD - [2011/11/04 22:20:45 | 008,522,400 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2011/10/15 02:15:48 | 000,627,712 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\67acf86c887ecc01046fbae9383a3296\System.Transactions.ni.dll
MOD - [2011/10/15 02:14:20 | 000,628,224 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\ea9d924e1a05104a025dcf4ea000a01e\System.EnterpriseServices.ni.dll
MOD - [2011/10/15 02:10:03 | 001,013,248 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management\082bac718fc58b916fea0e9c68f3a11c\System.Management.ni.dll
MOD - [2011/10/15 02:09:27 | 000,774,144 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\f9c069ce862f430fb08f7e5ac3dbf8ac\System.Runtime.Remoting.ni.dll
MOD - [2011/10/15 02:06:19 | 005,457,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\dfc37d9c4d533fba277b7127a3984dfd\System.Xml.ni.dll
MOD - [2011/10/15 02:06:08 | 012,544,000 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\600c9650b5c48337b46069b6252ddc1e\System.Windows.Forms.ni.dll
MOD - [2011/10/15 02:05:35 | 001,590,784 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\6d8041e94c621e5f49f5e715054bec68\System.Drawing.ni.dll
MOD - [2011/10/15 02:05:06 | 006,643,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\3456a183f9315e3b48b718e67650c7d3\System.Data.ni.dll
MOD - [2011/10/15 02:03:12 | 011,490,816 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll
MOD - [2011/10/15 02:02:19 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2011/10/15 02:02:18 | 000,425,984 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
MOD - [2011/10/15 02:02:08 | 000,261,632 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2011/10/15 02:02:04 | 000,114,688 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
MOD - [2011/08/11 02:05:50 | 003,182,592 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
MOD - [2011/01/29 20:26:52 | 000,854,016 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data.SQLite\1.0.61.0__db937bc2d44ff139\System.Data.SQLite.dll
MOD - [2011/01/29 20:26:51 | 000,403,456 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.WindowsFirewallUtilities\5.0.104.0__7ce6deabcb36a8ea\Intuit.Spc.Map.WindowsFirewallUtilities.dll
MOD - [2011/01/29 20:26:51 | 000,270,336 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\log4net\1.2.10.0__1b44e1d426115821\log4net.dll
MOD - [2011/01/29 20:26:50 | 000,471,040 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter\5.0.104.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.dll
MOD - [2011/01/29 20:26:47 | 000,046,880 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll
MOD - [2011/01/29 20:26:47 | 000,012,064 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract\1.0.0.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract.dll
MOD - [2011/01/29 20:26:46 | 000,419,616 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Api.Net\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Api.Net.dll
MOD - [2011/01/29 20:26:46 | 000,270,112 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Core\2.0.445.0__540d4816ead86321\Intuit.Spc.Esd.Core.dll
MOD - [2011/01/29 20:26:46 | 000,023,840 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateService\1.0.0.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateService.dll
MOD - [2011/01/29 20:26:46 | 000,018,720 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll
MOD - [2011/01/29 20:26:45 | 000,120,096 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.DataAccess\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.Client.DataAccess.dll
MOD - [2011/01/29 20:26:44 | 000,070,432 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.Common\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.Client.Common.dll
MOD - [2011/01/29 20:26:43 | 000,121,632 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.BusinessLogic\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.Client.BusinessLogic.dll
MOD - [2010/12/03 14:35:08 | 001,017,304 | ---- | M] () -- C:\Program Files\Mozilla Firefox\js3250.dll
MOD - [2009/10/07 14:01:34 | 000,143,360 | ---- | M] () -- C:\WINDOWS\system32\preflib.dll
MOD - [2009/10/07 14:01:14 | 000,757,760 | ---- | M] () -- C:\WINDOWS\system32\bcm1xsup.dll
MOD - [2008/06/20 11:02:47 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2008/06/20 11:02:47 | 000,245,248 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll
MOD - [2007/09/13 14:42:26 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\AmRes_en.dll
MOD - [2007/09/10 09:53:26 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\wxvault.dll
MOD - [2006/08/18 12:17:36 | 000,056,056 | ---- | M] () -- C:\WINDOWS\system32\DLAAPI_W.DLL
MOD - [2005/10/25 19:57:52 | 000,143,360 | ---- | M] () -- C:\WINDOWS\system32\bioapi_mds300.dll
MOD - [2005/10/25 19:57:52 | 000,106,496 | ---- | M] () -- C:\WINDOWS\system32\bioapi100.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/09/29 09:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2007/11/08 22:50:10 | 001,552,384 | ---- | M] () [Auto | Running] -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe -- (tcsd_win32.exe)
SRV - [2007/09/13 14:31:44 | 000,192,512 | ---- | M] (Wave Systems Corp.) [On_Demand | Stopped] -- C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe -- (WaveEnrollmentService)
SRV - [2007/09/07 17:29:04 | 000,737,280 | ---- | M] (Wave Systems Corp.) [Auto | Running] -- C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe -- (TdmService)
SRV - [2007/08/31 17:39:18 | 000,486,400 | ---- | M] (Wave Systems Corp.) [On_Demand | Stopped] -- C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe -- (SecureStorageService)
SRV - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2011/12/12 06:13:10 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF) WinPcap Packet Driver (NPF)
DRV - [2009/10/07 14:01:32 | 002,649,216 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2007/09/10 09:55:00 | 000,161,280 | ---- | M] (Wave Systems Corp.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\WavxDMgr.sys -- (WavxDMgr)
DRV - [2007/09/07 09:57:14 | 000,026,608 | ---- | M] (Dell Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\PBADRV.sys -- (PBADRV)
DRV - [2007/09/06 09:18:40 | 000,018,176 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WaveFDE.sys -- (WaveFDE)
DRV - [2007/05/10 09:24:34 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/08/18 12:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 12:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 12:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 12:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 12:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 12:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 12:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 12:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 09:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 09:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2005/10/26 09:01:02 | 000,142,720 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2005/05/13 17:27:56 | 000,028,672 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbccid.sys -- (USBCCID)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "www.facebook.com"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.9.13
FF - prefs.js..extensions.enabledItems: {23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.0.900
FF - prefs.js..extensions.enabledItems: {6904342A-8307-11DF-A508-4AE2DFD72085}:2.1.0.900
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.10
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX OVS Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.18: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.18: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2010/12/22 21:33:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2010/12/22 21:33:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/20 17:58:07 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/07 20:03:07 | 000,000,000 | ---D | M]

[2010/12/22 17:28:53 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\admin\Application Data\Mozilla\Extensions
[2011/12/14 19:29:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\5unbs242.default\extensions
[2011/02/01 19:51:46 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\5unbs242.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/09/27 22:46:13 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\5unbs242.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/04/10 15:08:16 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\5unbs242.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}(2)
[2011/11/11 19:51:05 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\5unbs242.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2011/12/13 19:12:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/06/21 00:29:54 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2010/12/22 21:33:38 | 000,000,000 | ---D | M] (DivX Plus Web Player HTML5 <video>) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\HTML5VIDEO
[2010/12/22 21:33:38 | 000,000,000 | ---D | M] (DivX HiQ) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\WPA
[2009/10/22 08:02:48 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/03/15 09:44:00 | 000,568,832 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\msvcp90.dll
[2011/03/15 09:44:02 | 000,655,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\msvcr90.dll
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/03/15 09:44:34 | 000,115,200 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\nppanda3d.dll

O1 HOSTS File: ([2011/12/12 06:13:54 | 000,000,761 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (DivX HiQ) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKLM..\Run: [ChangeTPMAuth] C:\Program Files\Wave Systems Corp\Common\ChangeTPMAuth.exe (Wave Systems Corp.)
O4 - HKLM..\Run: [DivX Download Manager] C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe (DivX, LLC)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [EmbassySecurityCheck] C:\Program Files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe (Wave Systems Corp.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (Roxio)
O4 - HKLM..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe (Wave Systems Corp.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe (Wave Systems Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - mswsock.dll File not found
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{16CC6E2F-F760-49A7-9FCE-20CB6C355B72}: DhcpNameServer = 209.18.47.61 209.18.47.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{16CC6E2F-F760-49A7-9FCE-20CB6C355B72}: NameServer = 8.8.4.4,8.8.8.8
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (waveGina.dll) -C:\WINDOWS\System32\waveGina.dll (Wave Systems Corp.)
O20 - Winlogon\Notify\gemsafe: DllName - (C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll) - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll (Gemplus)
O24 - Desktop WallPaper: C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (wvauth) -C:\WINDOWS\System32\wvauth.dll (Wave Systems Corp.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/10/22 07:39:47 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2011/07/09 11:46:12 | 000,000,103 | ---- | M] () - F:\AUTORUN.INF -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/12 06:13:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\aA28300CeJgC28300
[2011/12/12 06:13:10 | 000,281,104 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\wpcap.dll
[2011/12/12 06:13:10 | 000,100,880 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\Packet.dll
[2011/12/12 06:13:10 | 000,050,704 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\drivers\npf.sys
[2011/12/11 00:09:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/12/10 23:59:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/12/10 22:21:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\go away
[2011/12/10 22:21:37 | 000,000,000 | ---D | C] -- C:\Program Files\get bent hacker2
[2011/12/09 20:25:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\My Documents\frys order confirmation_files
[2011/12/06 19:19:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\My Documents\overstock_files
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/12/14 19:40:12 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/14 19:23:50 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{657C2346-0896-4BC7-9D62-EE9A21AB37D1}.job
[2011/12/14 19:23:22 | 000,445,230 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/12/14 19:23:22 | 000,073,950 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/12/14 19:19:17 | 000,189,259 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/12/14 19:19:17 | 000,139,603 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2011/12/14 19:19:17 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\admin\Local Settings\Application Data\WavXMapDrive.bat
[2011/12/14 19:19:14 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/14 19:18:43 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/14 05:49:00 | 000,001,004 | ---- | M] () -- C:\Documents and Settings\admin\Desktop\magicJack.lnk
[2011/12/12 21:37:26 | 000,013,900 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\io7x3tnn4g674j0qr3y08
[2011/12/12 21:37:26 | 000,013,900 | -HS- | M] () -- C:\Documents and Settings\admin\Local Settings\Application Data\io7x3tnn4g674j0qr3y08
[2011/12/12 06:13:54 | 000,000,761 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/12/12 06:13:10 | 000,281,104 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\wpcap.dll
[2011/12/12 06:13:10 | 000,100,880 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\Packet.dll
[2011/12/12 06:13:10 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\drivers\npf.sys
[2011/12/11 23:51:47 | 000,014,578 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2w65pu8r47m777
[2011/12/11 23:51:47 | 000,014,578 | -HS- | M] () -- C:\Documents and Settings\admin\Local Settings\Application Data\2w65pu8r47m777
[2011/12/10 23:09:05 | 000,139,603 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2011/12/10 22:21:41 | 000,000,714 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/10 22:14:59 | 000,016,720 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\5q77xb5p14p437
[2011/12/10 22:14:59 | 000,016,720 | -HS- | M] () -- C:\Documents and Settings\admin\Local Settings\Application Data\5q77xb5p14p437
[2011/12/09 20:25:04 | 000,033,483 | ---- | M] () -- C:\Documents and Settings\admin\My Documents\frys order confirmation.htm
[2011/12/08 22:24:19 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\admin\Desktop\Word.lnk
[2011/12/06 19:19:38 | 000,174,885 | ---- | M] () -- C:\Documents and Settings\admin\My Documents\overstock.com
[2011/12/06 01:00:25 | 000,000,278 | ---- | M] () -- C:\WINDOWS\TheMatrix.ini
[2011/12/04 18:40:27 | 000,016,896 | ---- | M] () -- C:\Documents and Settings\admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/11/28 11:50:16 | 000,000,729 | ---- | M] () -- C:\Documents and Settings\admin\My Documents\joeys finshed wish list.rtf
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/12 21:35:25 | 000,013,900 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\io7x3tnn4g674j0qr3y08
[2011/12/12 21:35:25 | 000,013,900 | -HS- | C] () -- C:\Documents and Settings\admin\Local Settings\Application Data\io7x3tnn4g674j0qr3y08
[2011/12/12 17:01:35 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3d9caps.dat
[2011/12/11 23:47:33 | 000,014,578 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2w65pu8r47m777
[2011/12/11 23:47:33 | 000,014,578 | -HS- | C] () -- C:\Documents and Settings\admin\Local Settings\Application Data\2w65pu8r47m777
[2011/12/10 21:28:28 | 000,016,720 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\5q77xb5p14p437
[2011/12/10 21:28:28 | 000,016,720 | -HS- | C] () -- C:\Documents and Settings\admin\Local Settings\Application Data\5q77xb5p14p437
[2011/12/09 20:25:03 | 000,033,483 | ---- | C] () -- C:\Documents and Settings\admin\My Documents\frys order confirmation.htm
[2011/12/06 19:19:37 | 000,174,885 | ---- | C] () -- C:\Documents and Settings\admin\My Documents\overstock.com
[2011/11/28 11:50:16 | 000,000,729 | ---- | C] () -- C:\Documents and Settings\admin\My Documents\joeys finshed wish list.rtf
[2011/08/29 00:08:08 | 000,000,278 | ---- | C] () -- C:\WINDOWS\TheMatrix.ini
[2011/07/14 18:20:54 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/02/09 19:30:45 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\admin\Local Settings\Application Data\WavXMapDrive.bat
[2011/02/09 19:16:49 | 000,080,368 | ---- | C] () -- C:\WINDOWS\System32\pbadrvdll.dll
[2011/02/09 19:16:28 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\bioapi100.dll
[2011/02/09 19:16:27 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\bioapi_mds300.dll
[2011/01/31 03:30:35 | 000,194,016 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/01/09 19:02:20 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/01/09 17:56:59 | 000,016,896 | ---- | C] () -- C:\Documents and Settings\admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/01 20:13:22 | 000,000,313 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
[2010/12/22 17:28:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/03/15 09:42:55 | 000,139,603 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2010/03/15 09:42:16 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2010/03/15 09:42:15 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2010/03/15 09:42:14 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2010/03/15 09:42:14 | 001,630,208 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2010/03/15 09:42:14 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2010/03/15 09:42:14 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2010/03/15 09:42:13 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2010/03/15 09:42:13 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2010/03/15 09:25:05 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/10/22 08:19:44 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2009/10/22 08:19:43 | 000,000,166 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/10/22 08:12:16 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2009/10/22 08:12:15 | 000,025,088 | ---- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
[2009/10/22 08:12:14 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2009/10/22 07:54:14 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4814.dll
[2009/10/22 07:42:56 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/10/22 07:36:38 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/10/22 03:31:11 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/10/22 03:29:59 | 000,169,096 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/04/14 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 07:00:00 | 000,445,230 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 07:00:00 | 000,073,950 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2007/09/13 14:42:30 | 000,499,712 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ru.dll
[2007/09/13 14:42:30 | 000,471,040 | ---- | C] () -- C:\WINDOWS\System32\AmRes_pt-BR.dll
[2007/09/13 14:42:28 | 000,487,424 | ---- | C] () -- C:\WINDOWS\System32\AmRes_it.dll
[2007/09/13 14:42:28 | 000,487,424 | ---- | C] () -- C:\WINDOWS\System32\AmRes_fr.dll
[2007/09/13 14:42:28 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ko.dll
[2007/09/13 14:42:28 | 000,458,752 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ja.dll
[2007/09/13 14:42:26 | 000,487,424 | ---- | C] () -- C:\WINDOWS\System32\AmRes_es.dll
[2007/09/13 14:42:26 | 000,487,424 | ---- | C] () -- C:\WINDOWS\System32\AmRes_de.dll
[2007/09/13 14:42:26 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\AmRes_en.dll
[2007/09/13 14:42:26 | 000,434,176 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHT.dll
[2007/09/13 14:36:24 | 000,438,272 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHS.dll
[2007/09/13 14:32:36 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\CacheFP.exe
[2007/09/12 15:05:08 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_pt.dll
[2007/09/12 15:04:46 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHT.dll
[2007/09/12 15:04:26 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ko.dll
[2007/09/12 15:04:06 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_es.dll
[2007/09/12 15:03:44 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ru.dll
[2007/09/12 15:03:24 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ja.dll
[2007/09/12 15:03:04 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_it.dll
[2007/09/12 15:02:44 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_de.dll
[2007/09/12 15:02:22 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_fr.dll
[2007/09/12 15:02:02 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHS.dll
[2007/09/10 09:53:26 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\wxvault.dll
[2007/06/15 10:19:20 | 000,835,584 | ---- | C] () -- C:\WINDOWS\System32\DemoLicense.dll
[2006/11/09 16:07:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/09/16 22:36:50 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/09/16 22:36:50 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2006/08/14 11:02:10 | 000,072,192 | ---- | C] () -- C:\WINDOWS\System32\xltZlib.dll
[2006/06/12 08:01:16 | 000,348,160 | ---- | C] () -- C:\WINDOWS\tsp.dll
[2005/04/15 11:52:33 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/04/15 11:52:33 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005/02/05 14:46:00 | 000,004,608 | ---- | C] () -- C:\WINDOWS\fgexec.dll
[2004/09/10 13:34:00 | 000,917,504 | ---- | C] () -- C:\WINDOWS\System32\lmgr10.dll
[2004/09/10 13:34:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ADsSecurity.dll
[2001/07/06 15:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2010/12/23 21:32:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\admin\Application Data\AVG10
[2011/08/03 00:15:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\admin\Application Data\Laconic Software
[2010/12/22 21:33:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\admin\Application Data\Local
[2011/12/14 05:49:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\admin\Application Data\mjusbsp
[2011/01/11 11:47:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\admin\Application Data\OpenOffice.org
[2011/01/13 14:33:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\admin\Application Data\TeamViewer
[2011/09/03 20:16:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\admin\Application Data\Wave Systems Corp
[2011/12/12 06:25:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\aA28300CeJgC28300
[2011/06/21 00:22:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2010/12/23 21:31:03 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/05/16 20:48:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\magicJack
[2011/04/10 15:08:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/02/09 19:14:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NTRU Cryptosystems
[2011/11/02 20:10:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
[2011/02/15 19:15:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wave Systems Corp
[2011/12/14 19:23:50 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{657C2346-0896-4BC7-9D62-EE9A21AB37D1}.job

========== Purity Check ==========



< End of report >

#2 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

Hello melanie11127 and welcome to G2G! :)

My nick is maliprog and I'll be your technical support on this issue. Before we start please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean.
  • Kindly follow my instructions in the order posted. Order is crucial in the cleaning process.
  • Please DO NOT run any scans or fix on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed

Step 1

NOTE: You have a very nasty infection! I would strongly advise you to back up all your important data from your system before you begin with the fix.

This malware tends to disable your whole system and leave you with nothing. Please back up your data.

Step 2

Go to Start then Run... and type (For Vista/7 type this in Start -> Search box):

compmgmt.msc

From the left panel click Disk management and maximize the window.

Take a screenshot of the Disk Management window and attach the screenshot to your reply.

To take the screenshot, please download ClickShoot.exe to your desktop.
Run the program and, when you are ready, press the [Print Screen] button on your keyboard.
Post the ClickShoot_HHMMSS.jpg it creates here for me.


Step 3

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, and describe how your computer is running now.

Step 4


Please don't forget to include these items in your reply:

  • Screenshot
  • Combofix log
It would be helpful if you could post each log in a separate post.

#3 melanie11127 (Topic Starter, Member, 15 posts)

Here is my screenshot of Disk Management.

Attached: ClickShoot_221106.jpg

#4 melanie11127 (Topic Starter, Member, 15 posts)

ComboFix 11-12-15.02 - admin 12/15/2011 22:42:12.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1695 [GMT -5:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\admin\Application Data\Local
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\.ddr
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\0.ddi
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\1.ddi
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\2.ddi
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\3.ddi
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\4.ddi
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\5.ddi
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\6.ddi
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\7.ddi
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\Bones.S06E23.HDTV.XviD-LOL.avi.ddr
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\CSI.S11E19.HDTV.XviD-LOL.avi.ddr
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\OneClickMoviezCom-VeronikaDeci.avi.ddr
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\Real.Time.with.Bill.Maher.2011.06.17.HDTV.XviD-FQM.avi(2).ddr
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\Real.Time.with.Bill.Maher.2011.06.17.HDTV.XviD-FQM.avi(3).ddr
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\Real.Time.with.Bill.Maher.2011.06.17.HDTV.XviD-FQM.avi(4).ddr
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\Real.Time.with.Bill.Maher.2011.06.17.HDTV.XviD-FQM.avi.ddr
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\settings.ddi
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\(2)
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\Bones.S06E23.HDTV.XviD-LOL.avi
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\CSI.S11E19.HDTV.XviD-LOL.avi
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\OneClickMoviezCom-VeronikaDeci.avi
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\Real.Time.with.Bill.Maher.2011.06.17.HDTV.XviD-FQM(2).avi
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\Real.Time.with.Bill.Maher.2011.06.17.HDTV.XviD-FQM(3).avi
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\Real.Time.with.Bill.Maher.2011.06.17.HDTV.XviD-FQM.avi
c:\documents and settings\admin\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\Real.Time.with.Bill.Maher.2011.06.17.HDTV.XviD-FQM.avi.ddp
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.ico
c:\windows\$NtUninstallKB40173$
c:\windows\$NtUninstallKB40173$\1131702363
c:\windows\$NtUninstallKB40173$\1306382640\@
c:\windows\$NtUninstallKB40173$\1306382640\bckfg.tmp
c:\windows\$NtUninstallKB40173$\1306382640\cfg.ini
c:\windows\$NtUninstallKB40173$\1306382640\Desktop.ini
c:\windows\$NtUninstallKB40173$\1306382640\keywords
c:\windows\$NtUninstallKB40173$\1306382640\kwrd.dll
c:\windows\$NtUninstallKB40173$\1306382640\L\fqmeexnt
c:\windows\$NtUninstallKB40173$\1306382640\lsflt7.ver
c:\windows\$NtUninstallKB40173$\1306382640\U\00000001.@
c:\windows\$NtUninstallKB40173$\1306382640\U\00000002.@
c:\windows\$NtUninstallKB40173$\1306382640\U\00000004.@
c:\windows\$NtUninstallKB40173$\1306382640\U\80000000.@
c:\windows\$NtUninstallKB40173$\1306382640\U\80000004.@
c:\windows\$NtUninstallKB40173$\1306382640\U\80000032.@
c:\windows\CSC\d6
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\waveGina.dll
c:\windows\system32\wpcap.dll
.
Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-11-16 to 2011-12-16 )))))))))))))))))))))))))))))))
.
.
2011-12-16 03:38 . 2008-04-14 00:10 57600 -c--a-w- c:\windows\system32\dllcache\redbook.sys
2011-12-16 03:38 . 2008-04-14 00:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-12-12 11:13 . 2011-12-12 11:25 -------- d-----w- c:\documents and settings\All Users\Application Data\aA28300CeJgC28300
2011-12-11 05:09 . 2011-12-11 05:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-12-11 03:21 . 2011-12-14 01:37 -------- d-----w- c:\program files\get bent hacker2
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-16 03:58 . 2011-02-10 00:30 0 ----a-w- c:\documents and settings\admin\Local Settings\Application Data\WavXMapDrive.bat
2011-11-05 03:20 . 2011-11-05 03:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2009-10-22 12:37 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2008-04-14 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2008-04-14 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2011-03-15 14:44 . 2011-04-10 23:42 568832 ----a-w- c:\program files\mozilla firefox\plugins\msvcp90.dll
2011-03-15 14:44 . 2011-04-10 23:42 655872 ----a-w- c:\program files\mozilla firefox\plugins\msvcr90.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\admin\Application Data\mjusbsp\cdloader2.exe" [2011-08-23 50592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-10-07 2498560]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-09 13537280]
"nwiz"="nwiz.exe" [2008-06-09 1630208]
"NVHotkey"="nvHotkey.dll" [2008-06-09 90112]
"NvMediaCenter"="NvMCTray.dll" [2008-06-09 86016]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-12-09 1226608]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2007-09-12 176128]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2007-09-14 75064]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 20:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Veetle\\Player\\VeetleNet.exe"=
"c:\\Documents and Settings\\admin\\Application Data\\mjusbsp\\magicJack.exe"=
.
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [4/14/2008 7:00 AM 5120]
S0 cerc6;cerc6; [x]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-16 c:\windows\Tasks\User_Feed_Synchronization-{657C2346-0896-4BC7-9D62-EE9A21AB37D1}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{16CC6E2F-F760-49A7-9FCE-20CB6C355B72}: NameServer = 8.8.4.4,8.8.8.8
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\5unbs242.default\
FF - prefs.js: browser.startup.homepage - www.facebook.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-15 22:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(908)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
- - - - - - - > 'explorer.exe'(2012)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RunDLL32.exe
.
**************************************************************************
.
Completion time: 2011-12-15 23:03:11 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-16 04:02
.
Pre-Run: 29,503,463,424 bytes free
Post-Run: 31,144,955,904 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - A9ABAC88069342E53E7C1A4AFE40647F

#5 melanie11127 (Topic Starter, Member, 15 posts)

It seems to be behaving for now. Webpages open quicker, too. Just before I ran the fix, I couldn't get on the internet. My wireless connection was constantly trying to acquire a network address and never succeeding. I got messages from Combofix as it was running. The first one was about AVG Free 2011 being active. It is not; I removed it months ago. I double-checked in "Add/Remove Programs"; it did not show up as an installed program. So I continued. Another message was "infected with ZeroAccess and is particularly difficult to remove, Combofix may have to run twice." Then it said it found a rootkit and required a reboot, but warned me not to do it manually (I didn't). Is there more to this monster? Again, thanks for the help!
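Read together, the OTL log in post #1 and the ComboFix log in post #4 show the whole pattern the helper is chasing: hidden+system files with random names under Application Data (the rogue-AV droppers), a fake hotfix uninstall tree under C:\WINDOWS\$NtUninstallKB40173$ with U\ and L\ subfolders and a file named "@" (the ZeroAccess footprint ComboFix warned about), a patched redbook.sys, and Security Center and firewall overrides. The Python script below is an added example, not part of this thread and not code from OTL or ComboFix: it runs those checks over log lines so an analyst can triage a log like this offline before deciding whether a user-mode cleanup is enough. The rule names, the name-length threshold and the regexes are this example's own heuristics, and the sample lines are excerpted from the two logs above plus two benign lines for contrast.

```python
"""Triage OTL / ComboFix log lines for the rogue-AV + ZeroAccess indicators in this thread.

Added example: not part of the thread and not code from OTL or ComboFix.
Rule names, the name-length threshold and the regexes are this example's own heuristics.
"""
import re
from collections import Counter

# OTL "Files - Created/Modified" line:  [date time | size | attrs | C/M] () -- path
OTL_LINE = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<op>[CM])\]"
    r" .*-- (?P<path>.+)$"
)
# Hidden+System, extension-less, random-looking names under the per-machine or
# per-user Application Data folders (the rogue-AV droppers listed in post #1).
RANDOM_NAME = re.compile(r"^[a-z0-9]{10,}$")
APPDATA_DIRS = ("\\all users\\application data\\", "\\local settings\\application data\\")

# ZeroAccess (2011 variants) stored its payload in a fake hotfix uninstall folder:
# $NtUninstallKBnnnnn$\<numeric id>\ holding U\ and L\ subfolders and a file named "@".
ZA_TREE = re.compile(r"\\\$NtUninstallKB\d+\$\\\d+\\(?:U\\|L\\|@$)", re.IGNORECASE)

# ComboFix "Reg Loading Points" tampering and driver patching reported in post #4.
SC_OVERRIDE = re.compile(r'^"(?P<name>AntiVirusOverride|FirewallOverride)"=dword:0*1$')
FW_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
INFECTED = re.compile(r"^Infected copy of (?P<path>\S+) was found")


def triage(lines):
    """Return (rule, evidence) tuples for every log line that trips one of the rules."""
    findings = []
    for raw in lines:
        line = raw.strip()
        otl = OTL_LINE.match(line)
        if otl:
            path, attrs = otl.group("path"), otl.group("attrs")
            name = path.rsplit("\\", 1)[-1]
            if ("H" in attrs and "S" in attrs
                    and any(d in path.lower() for d in APPDATA_DIRS)
                    and RANDOM_NAME.match(name)):
                findings.append(("hidden-system-random-name", path))
            continue
        sc = SC_OVERRIDE.match(line)
        inf = INFECTED.match(line)
        if ZA_TREE.search(line):
            findings.append(("zeroaccess-uninstall-tree", line))
        elif sc:
            findings.append(("security-center-override", sc.group("name")))
        elif FW_OFF.match(line):
            findings.append(("firewall-disabled", line))
        elif inf:
            findings.append(("patched-system-driver", inf.group("path")))
    return findings


def summarize(findings):
    """Number of hits per rule."""
    return Counter(rule for rule, _ in findings)


def verdict(findings):
    """Escalation decision: kernel-level indicators mean a user-mode cleanup is not enough."""
    rules = {rule for rule, _ in findings}
    if rules & {"zeroaccess-uninstall-tree", "patched-system-driver"}:
        return "rootkit indicators: rescan after reboot with a rootkit/MBR scanner"
    if rules & {"hidden-system-random-name", "security-center-override", "firewall-disabled"}:
        return "rogue-AV indicators: remove droppers, then restore Security Center and firewall settings"
    return "no known indicators"


# Sample input: lines excerpted from the OTL log (post #1) and ComboFix log (post #4)
# of this thread, plus one benign OTL line and one benign ComboFix line for contrast.
SAMPLE = [
    r"[2011/12/12 21:35:25 | 000,013,900 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\io7x3tnn4g674j0qr3y08",
    r"[2011/12/11 23:47:33 | 000,014,578 | -HS- | C] () -- C:\Documents and Settings\admin\Local Settings\Application Data\2w65pu8r47m777",
    r"[2009/10/22 07:42:56 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat",
    r"c:\windows\$NtUninstallKB40173$\1306382640\U\00000001.@",
    r"c:\windows\$NtUninstallKB40173$\1306382640\@",
    r"c:\windows\system32\drivers\npf.sys",
    r"Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected",
    '"AntiVirusOverride"=dword:00000001',
    '"FirewallOverride"=dword:00000001',
    '"EnableFirewall"= 0 (0x0)',
]

if __name__ == "__main__":
    hits = triage(SAMPLE)
    for rule, evidence in hits:
        print(f"{rule:28} {evidence}")
    print(dict(summarize(hits)))
    print(verdict(hits))
```

The hidden-system-random-name rule is deliberately narrow (lowercase alphanumerics, no extension, ten or more characters, only under Application Data), so a mixed-case folder such as aA28300CeJgC28300 from the LOP check would not trip it; widen RANDOM_NAME if the dropper naming changes. The verdict mirrors what the helper does next in this thread: ZeroAccess or a patched system driver calls for a rootkit/MBR rescan after reboot rather than only moving files.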

#6 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

Hi melanie11127,

Combofix did a great job! We need to be sure the infection is gone, so bear with me... After running these steps, test your system and tell me how it is now, like you did in your last post.

Step 1

NOTE: This fix is custom made for this system only and for current system state! Don't try to run it on another system!

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2011/12/12 06:13:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\aA28300CeJgC28300
    [2011/12/12 21:37:26 | 000,013,900 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\io7x3tnn4g674j0qr3y08
    [2011/12/12 21:37:26 | 000,013,900 | -HS- | M] () -- C:\Documents and Settings\admin\Local Settings\Application Data\io7x3tnn4g674j0qr3y08
    [2011/12/11 23:51:47 | 000,014,578 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2w65pu8r47m777
    [2011/12/11 23:51:47 | 000,014,578 | -HS- | M] () -- C:\Documents and Settings\admin\Local Settings\Application Data\2w65pu8r47m777
    [2011/12/10 22:14:59 | 000,016,720 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\5q77xb5p14p437
    [2011/12/10 22:14:59 | 000,016,720 | -HS- | M] () -- C:\Documents and Settings\admin\Local Settings\Application Data\5q77xb5p14p437

    :Files
    C:\Documents and Settings\All Users\Application Data\aA28300CeJgC28300
    C:\Documents and Settings\All Users\Application Data\io7x3tnn4g674j0qr3y08
    C:\Documents and Settings\admin\Local Settings\Application Data\io7x3tnn4g674j0qr3y08
    C:\Documents and Settings\All Users\Application Data\2w65pu8r47m777
    C:\Documents and Settings\admin\Local Settings\Application Data\2w65pu8r47m777
    C:\Documents and Settings\All Users\Application Data\5q77xb5p14p437
    C:\Documents and Settings\admin\Local Settings\Application Data\5q77xb5p14p437
    ipconfig /flushdns /c

    :Commands
    [purity]
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles

Step 2

Please read carefully and follow these steps.

Download TDSSKiller.zip from Kaspersky and save it to your Desktop.

  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If an infection is detected, the default setting for "action" should be Cure
    • (If a suspicious file is detected, please click on it and change it to Skip.)
  • Click Continue button
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

Step 3

Download aswMBR.exe ( 511KB ) to your desktop.

  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply

Step 4

Please don't forget to include these items in your reply:

  • OTL fix log
  • TDSSKiller log
  • aswMBR log
It would be helpful if you could post each log in a separate post.

#7 melanie11127 (Topic Starter, Member, 15 posts)

All processes killed
========== OTL ==========
Folder C:\Documents and Settings\All Users\Application Data\aA28300CeJgC28300\ not found.
C:\Documents and Settings\All Users\Application Data\io7x3tnn4g674j0qr3y08 moved successfully.
C:\Documents and Settings\admin\Local Settings\Application Data\io7x3tnn4g674j0qr3y08 moved successfully.
C:\Documents and Settings\All Users\Application Data\2w65pu8r47m777 moved successfully.
C:\Documents and Settings\admin\Local Settings\Application Data\2w65pu8r47m777 moved successfully.
C:\Documents and Settings\All Users\Application Data\5q77xb5p14p437 moved successfully.
C:\Documents and Settings\admin\Local Settings\Application Data\5q77xb5p14p437 moved successfully.
========== FILES ==========
C:\Documents and Settings\All Users\Application Data\aA28300CeJgC28300 folder moved successfully.
File\Folder C:\Documents and Settings\All Users\Application Data\io7x3tnn4g674j0qr3y08 not found.
File\Folder C:\Documents and Settings\admin\Local Settings\Application Data\io7x3tnn4g674j0qr3y08 not found.
File\Folder C:\Documents and Settings\All Users\Application Data\2w65pu8r47m777 not found.
File\Folder C:\Documents and Settings\admin\Local Settings\Application Data\2w65pu8r47m777 not found.
File\Folder C:\Documents and Settings\All Users\Application Data\5q77xb5p14p437 not found.
File\Folder C:\Documents and Settings\admin\Local Settings\Application Data\5q77xb5p14p437 not found.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\admin\My Documents\Downloads\cmd.bat deleted successfully.
C:\Documents and Settings\admin\My Documents\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: admin
->Temp folder emptied: 1009624 bytes
->Temporary Internet Files folder emptied: 5962716 bytes
->Java cache emptied: 225686738 bytes
->FireFox cache emptied: 116075996 bytes
->Flash cache emptied: 2960585 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 410495 bytes
->Flash cache emptied: 71136 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 338.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 12162011_195124

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#8
melanie11127 (Topic Starter)
20:06:45.0421 0476 TDSS rootkit removing tool 2.6.23.0 Dec 13 2011 10:39:31
20:06:45.0875 0476 ============================================================
20:06:45.0875 0476 Current date / time: 2011/12/16 20:06:45.0875
20:06:45.0875 0476 SystemInfo:
20:06:45.0875 0476
20:06:45.0875 0476 OS Version: 5.1.2600 ServicePack: 3.0
20:06:45.0875 0476 Product type: Workstation
20:06:45.0875 0476 ComputerName: MELANIE
20:06:45.0875 0476 UserName: admin
20:06:45.0875 0476 Windows directory: C:\WINDOWS
20:06:45.0875 0476 System windows directory: C:\WINDOWS
20:06:45.0875 0476 Processor architecture: Intel x86
20:06:45.0875 0476 Number of processors: 2
20:06:45.0875 0476 Page size: 0x1000
20:06:45.0875 0476 Boot type: Normal boot
20:06:45.0875 0476 ============================================================
20:06:48.0000 0476 Initialize success
20:06:57.0296 2600 ============================================================
20:06:57.0296 2600 Scan started
20:06:57.0296 2600 Mode: Manual;
20:06:57.0296 2600 ============================================================
20:06:57.0656 2600 Abiosdsk - ok
20:06:57.0703 2600 abp480n5 - ok
20:06:57.0796 2600 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:06:57.0796 2600 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
20:06:57.0796 2600 ACPI ( Virus.Win32.Rloader.a ) - infected
20:06:57.0796 2600 ACPI - detected Virus.Win32.Rloader.a (0)
20:06:57.0859 2600 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:06:57.0859 2600 ACPIEC - ok
20:06:57.0875 2600 adpu160m - ok
20:06:57.0921 2600 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
20:06:57.0921 2600 aec - ok
20:06:58.0000 2600 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
20:06:58.0000 2600 AFD - ok
20:06:58.0000 2600 Aha154x - ok
20:06:58.0015 2600 aic78u2 - ok
20:06:58.0031 2600 aic78xx - ok
20:06:58.0046 2600 AliIde - ok
20:06:58.0062 2600 amsint - ok
20:06:58.0078 2600 asc - ok
20:06:58.0093 2600 asc3350p - ok
20:06:58.0109 2600 asc3550 - ok
20:06:58.0140 2600 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:06:58.0140 2600 AsyncMac - ok
20:06:58.0187 2600 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:06:58.0203 2600 atapi - ok
20:06:58.0343 2600 Atdisk - ok
20:06:58.0421 2600 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:06:58.0421 2600 Atmarpc - ok
20:06:58.0468 2600 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:06:58.0484 2600 audstub - ok
20:06:58.0546 2600 b57w2k (c0acd392ece55784884cc208aafa06ce) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
20:06:58.0546 2600 b57w2k - ok
20:06:58.0718 2600 BCM43XX (345d38f298368dd6b0df5c4f37457a22) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
20:06:58.0828 2600 BCM43XX - ok
20:06:58.0906 2600 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:06:58.0906 2600 Beep - ok
20:06:58.0906 2600 catchme - ok
20:06:58.0953 2600 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:06:58.0953 2600 cbidf2k - ok
20:06:58.0968 2600 cd20xrnt - ok
20:06:58.0984 2600 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:06:58.0984 2600 Cdaudio - ok
20:06:59.0046 2600 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
20:06:59.0046 2600 Cdfs - ok
20:06:59.0250 2600 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:06:59.0250 2600 Cdrom - ok
20:06:59.0265 2600 cerc6 - ok
20:06:59.0312 2600 Changer - ok
20:06:59.0390 2600 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
20:06:59.0390 2600 CmBatt - ok
20:06:59.0421 2600 CmdIde - ok
20:06:59.0453 2600 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
20:06:59.0453 2600 Compbatt - ok
20:06:59.0531 2600 Cpqarray - ok
20:06:59.0593 2600 dac2w2k - ok
20:06:59.0703 2600 dac960nt - ok
20:06:59.0765 2600 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
20:06:59.0765 2600 Disk - ok
20:06:59.0828 2600 DLABMFSM (0659e6e0a95564f958d9df7313f7701e) C:\WINDOWS\system32\DLA\DLABMFSM.SYS
20:06:59.0828 2600 DLABMFSM - ok
20:06:59.0843 2600 DLABOIOM (8691c78908f0bd66170669db268369f2) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
20:06:59.0843 2600 DLABOIOM - ok
20:06:59.0859 2600 DLACDBHM (76167b5eb2dffc729edc36386876b40b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
20:06:59.0859 2600 DLACDBHM - ok
20:06:59.0875 2600 DLADResM (5615744a1056933b90e6ac54feb86f35) C:\WINDOWS\system32\DLA\DLADResM.SYS
20:06:59.0875 2600 DLADResM - ok
20:06:59.0890 2600 DLAIFS_M (1aeca2afa5005ce4a550cf8eb55a8c88) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
20:06:59.0890 2600 DLAIFS_M - ok
20:06:59.0906 2600 DLAOPIOM (840e7f6abb885c72b9ffddb022ef5b6d) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
20:06:59.0906 2600 DLAOPIOM - ok
20:06:59.0921 2600 DLAPoolM (0294d18731ac05da80132ce88f8a876b) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
20:06:59.0921 2600 DLAPoolM - ok
20:06:59.0937 2600 DLARTL_M (91886fed52a3f9966207bce46cfd794f) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
20:06:59.0937 2600 DLARTL_M - ok
20:06:59.0953 2600 DLAUDFAM (cca4e121d599d7d1706a30f603731e59) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
20:06:59.0953 2600 DLAUDFAM - ok
20:06:59.0968 2600 DLAUDF_M (7dab85c33135df24419951da4e7d38e5) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
20:06:59.0968 2600 DLAUDF_M - ok
20:07:00.0046 2600 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
20:07:00.0078 2600 dmboot - ok
20:07:00.0109 2600 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
20:07:00.0109 2600 dmio - ok
20:07:00.0125 2600 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:07:00.0140 2600 dmload - ok
20:07:00.0234 2600 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
20:07:00.0234 2600 DMusic - ok
20:07:00.0343 2600 dpti2o - ok
20:07:00.0390 2600 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
20:07:00.0390 2600 drmkaud - ok
20:07:00.0453 2600 DRVMCDB (c00440385cf9f3d142917c63f989e244) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
20:07:00.0468 2600 DRVMCDB - ok
20:07:00.0484 2600 DRVNDDM (6e6ab29d3c06e64ce81feacda85394b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
20:07:00.0484 2600 DRVNDDM - ok
20:07:00.0531 2600 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
20:07:00.0531 2600 Fastfat - ok
20:07:00.0562 2600 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
20:07:00.0562 2600 Fdc - ok
20:07:00.0578 2600 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
20:07:00.0578 2600 Fips - ok
20:07:00.0593 2600 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
20:07:00.0593 2600 Flpydisk - ok
20:07:00.0640 2600 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
20:07:00.0640 2600 FltMgr - ok
20:07:00.0671 2600 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:07:00.0671 2600 Fs_Rec - ok
20:07:00.0718 2600 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:07:00.0718 2600 Ftdisk - ok
20:07:00.0765 2600 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:07:00.0765 2600 Gpc - ok
20:07:00.0984 2600 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
20:07:00.0984 2600 HDAudBus - ok
20:07:01.0046 2600 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:07:01.0046 2600 HidUsb - ok
20:07:01.0093 2600 hpn - ok
20:07:01.0234 2600 HSF_DPV (e8ec1767ea315a39a0dd8989952ca0e9) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
20:07:01.0234 2600 HSF_DPV - ok
20:07:01.0281 2600 HSXHWAZL (61478fa42ee04562e7f11f4dca87e9c8) C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
20:07:01.0281 2600 HSXHWAZL - ok
20:07:01.0500 2600 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
20:07:01.0500 2600 HTTP - ok
20:07:01.0546 2600 i2omgmt - ok
20:07:01.0578 2600 i2omp - ok
20:07:01.0656 2600 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:07:01.0671 2600 i8042prt - ok
20:07:01.0921 2600 ialm (e8c7cc369c2fb657e0792af70df529e6) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
20:07:02.0125 2600 ialm - ok
20:07:02.0265 2600 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:07:02.0265 2600 Imapi - ok
20:07:02.0281 2600 ini910u - ok
20:07:02.0296 2600 IntelIde - ok
20:07:02.0343 2600 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
20:07:02.0343 2600 intelppm - ok
20:07:02.0406 2600 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
20:07:02.0406 2600 Ip6Fw - ok
20:07:02.0453 2600 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:07:02.0453 2600 IpFilterDriver - ok
20:07:02.0500 2600 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:07:02.0500 2600 IpInIp - ok
20:07:02.0546 2600 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:07:02.0546 2600 IpNat - ok
20:07:02.0578 2600 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:07:02.0578 2600 IPSec - ok
20:07:02.0625 2600 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:07:02.0625 2600 IRENUM - ok
20:07:02.0796 2600 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:07:02.0796 2600 isapnp - ok
20:07:02.0875 2600 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:07:02.0875 2600 Kbdclass - ok
20:07:02.0921 2600 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
20:07:02.0921 2600 kbdhid - ok
20:07:02.0968 2600 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
20:07:02.0968 2600 kmixer - ok
20:07:03.0031 2600 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
20:07:03.0046 2600 KSecDD - ok
20:07:03.0078 2600 lbrtfdc - ok
20:07:03.0171 2600 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
20:07:03.0171 2600 mdmxsdk - ok
20:07:03.0265 2600 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:07:03.0265 2600 mnmdd - ok
20:07:03.0406 2600 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
20:07:03.0406 2600 Modem - ok
20:07:03.0468 2600 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:07:03.0468 2600 Mouclass - ok
20:07:03.0546 2600 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:07:03.0546 2600 mouhid - ok
20:07:03.0578 2600 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
20:07:03.0578 2600 MountMgr - ok
20:07:03.0593 2600 mraid35x - ok
20:07:03.0625 2600 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:07:03.0625 2600 MRxDAV - ok
20:07:03.0718 2600 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:07:03.0734 2600 MRxSmb - ok
20:07:03.0812 2600 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
20:07:03.0812 2600 Msfs - ok
20:07:03.0953 2600 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:07:03.0968 2600 MSKSSRV - ok
20:07:04.0015 2600 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:07:04.0015 2600 MSPCLOCK - ok
20:07:04.0046 2600 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
20:07:04.0046 2600 MSPQM - ok
20:07:04.0125 2600 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:07:04.0125 2600 mssmbios - ok
20:07:04.0156 2600 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
20:07:04.0171 2600 Mup - ok
20:07:04.0218 2600 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
20:07:04.0218 2600 NDIS - ok
20:07:04.0296 2600 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:07:04.0296 2600 NdisTapi - ok
20:07:04.0406 2600 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:07:04.0406 2600 Ndisuio - ok
20:07:04.0531 2600 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:07:04.0531 2600 NdisWan - ok
20:07:04.0625 2600 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
20:07:04.0625 2600 NDProxy - ok
20:07:04.0703 2600 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:07:04.0703 2600 NetBIOS - ok
20:07:04.0750 2600 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:07:04.0750 2600 NetBT - ok
20:07:04.0812 2600 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
20:07:04.0812 2600 Npfs - ok
20:07:04.0875 2600 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
20:07:04.0890 2600 Ntfs - ok
20:07:04.0984 2600 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:07:04.0984 2600 Null - ok
20:07:05.0406 2600 nv (c116d2b008a1640c4484a1dcd1abe12c) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
20:07:05.0718 2600 nv - ok
20:07:05.0765 2600 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:07:05.0765 2600 NwlnkFlt - ok
20:07:05.0812 2600 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:07:05.0828 2600 NwlnkFwd - ok
20:07:05.0906 2600 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
20:07:05.0906 2600 Parport - ok
20:07:05.0921 2600 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
20:07:05.0921 2600 PartMgr - ok
20:07:06.0031 2600 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:07:06.0031 2600 ParVdm - ok
20:07:06.0187 2600 PBADRV (9ec004140e1b675acdeb07f66ee797a4) C:\WINDOWS\system32\DRIVERS\PBADRV.sys
20:07:06.0203 2600 PBADRV - ok
20:07:06.0296 2600 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
20:07:06.0296 2600 PCI - ok
20:07:06.0312 2600 PCIDump - ok
20:07:06.0328 2600 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
20:07:06.0328 2600 PCIIde - ok
20:07:06.0375 2600 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
20:07:06.0390 2600 Pcmcia - ok
20:07:06.0406 2600 PDCOMP - ok
20:07:06.0406 2600 PDFRAME - ok
20:07:06.0421 2600 PDRELI - ok
20:07:06.0437 2600 PDRFRAME - ok
20:07:06.0453 2600 perc2 - ok
20:07:06.0468 2600 perc2hib - ok
20:07:06.0515 2600 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:07:06.0515 2600 PptpMiniport - ok
20:07:06.0578 2600 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
20:07:06.0578 2600 PSched - ok
20:07:06.0593 2600 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:07:06.0593 2600 Ptilink - ok
20:07:06.0625 2600 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
20:07:06.0625 2600 PxHelp20 - ok
20:07:06.0640 2600 ql1080 - ok
20:07:06.0656 2600 Ql10wnt - ok
20:07:06.0656 2600 ql12160 - ok
20:07:06.0671 2600 ql1240 - ok
20:07:06.0687 2600 ql1280 - ok
20:07:06.0718 2600 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:07:06.0718 2600 RasAcd - ok
20:07:06.0843 2600 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:07:06.0843 2600 Rasl2tp - ok
20:07:06.0859 2600 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:07:06.0859 2600 RasPppoe - ok
20:07:06.0875 2600 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:07:06.0875 2600 Raspti - ok
20:07:06.0890 2600 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:07:06.0890 2600 Rdbss - ok
20:07:06.0906 2600 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:07:06.0906 2600 RDPCDD - ok
20:07:06.0968 2600 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:07:06.0968 2600 rdpdr - ok
20:07:07.0031 2600 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
20:07:07.0046 2600 RDPWD - ok
20:07:07.0093 2600 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:07:07.0093 2600 redbook - ok
20:07:07.0171 2600 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:07:07.0187 2600 Secdrv - ok
20:07:07.0281 2600 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
20:07:07.0281 2600 serenum - ok
20:07:07.0406 2600 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
20:07:07.0406 2600 Serial - ok
20:07:07.0437 2600 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:07:07.0437 2600 Sfloppy - ok
20:07:07.0453 2600 Simbad - ok
20:07:07.0453 2600 Sparrow - ok
20:07:07.0515 2600 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
20:07:07.0515 2600 splitter - ok
20:07:07.0593 2600 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
20:07:07.0593 2600 sr - ok
20:07:07.0656 2600 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
20:07:07.0671 2600 Srv - ok
20:07:07.0781 2600 STHDA (951801dfb54d86f611f0af47825476f9) C:\WINDOWS\system32\drivers\sthda.sys
20:07:07.0796 2600 STHDA - ok
20:07:07.0921 2600 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:07:07.0921 2600 swenum - ok
20:07:08.0046 2600 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
20:07:08.0046 2600 swmidi - ok
20:07:08.0062 2600 symc810 - ok
20:07:08.0062 2600 symc8xx - ok
20:07:08.0078 2600 sym_hi - ok
20:07:08.0093 2600 sym_u3 - ok
20:07:08.0140 2600 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
20:07:08.0140 2600 sysaudio - ok
20:07:08.0234 2600 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:07:08.0234 2600 Tcpip - ok
20:07:08.0296 2600 TcUsb (5ca437a08509fb7ecf843480fc1232e2) C:\WINDOWS\system32\Drivers\tcusb.sys
20:07:08.0296 2600 TcUsb - ok
20:07:08.0343 2600 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:07:08.0343 2600 TDPIPE - ok
20:07:08.0359 2600 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
20:07:08.0359 2600 TDTCP - ok
20:07:08.0390 2600 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:07:08.0406 2600 TermDD - ok
20:07:08.0406 2600 TosIde - ok
20:07:08.0484 2600 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
20:07:08.0484 2600 Udfs - ok
20:07:08.0546 2600 UIUSys - ok
20:07:08.0671 2600 ultra - ok
20:07:08.0781 2600 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
20:07:08.0781 2600 Update - ok
20:07:08.0875 2600 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
20:07:08.0875 2600 usbaudio - ok
20:07:08.0953 2600 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:07:08.0953 2600 usbccgp - ok
20:07:09.0031 2600 USBCCID (6b5e4d5e6e5ecd6acd14aed59768ce5c) C:\WINDOWS\system32\DRIVERS\usbccid.sys
20:07:09.0031 2600 USBCCID - ok
20:07:09.0078 2600 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:07:09.0078 2600 usbehci - ok
20:07:09.0171 2600 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:07:09.0171 2600 usbhub - ok
20:07:09.0203 2600 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
20:07:09.0218 2600 usbprint - ok
20:07:09.0312 2600 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:07:09.0312 2600 usbscan - ok
20:07:09.0328 2600 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:07:09.0328 2600 USBSTOR - ok
20:07:09.0359 2600 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:07:09.0359 2600 usbuhci - ok
20:07:09.0421 2600 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
20:07:09.0421 2600 VgaSave - ok
20:07:09.0437 2600 ViaIde - ok
20:07:09.0468 2600 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
20:07:09.0468 2600 VolSnap - ok
20:07:09.0500 2600 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:07:09.0500 2600 Wanarp - ok
20:07:09.0593 2600 WaveFDE (db626c46997c2430d4958da5c7ffb969) C:\WINDOWS\system32\DRIVERS\WaveFDE.sys
20:07:09.0593 2600 WaveFDE - ok
20:07:09.0656 2600 WavxDMgr (51e756f2bfb5e3adcb15f966ad293231) C:\WINDOWS\system32\DRIVERS\WavxDMgr.sys
20:07:09.0656 2600 WavxDMgr - ok
20:07:09.0671 2600 WDICA - ok
20:07:09.0718 2600 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
20:07:09.0734 2600 wdmaud - ok
20:07:09.0859 2600 winachsf (ba6b6fb242a6ba4068c8b763063beb63) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
20:07:09.0859 2600 winachsf - ok
20:07:09.0937 2600 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
20:07:09.0937 2600 WmiAcpi - ok
20:07:10.0000 2600 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
20:07:10.0187 2600 \Device\Harddisk0\DR0 - ok
20:07:10.0187 2600 MBR (0x1B8) (a722c1f6856752bbe88ba2f06d676904) \Device\Harddisk1\DR2
20:07:12.0640 2600 \Device\Harddisk1\DR2 - ok
20:07:12.0671 2600 Boot (0x1200) (a715af0fab0d1756f08b14bf0a52f99b) \Device\Harddisk0\DR0\Partition0
20:07:12.0671 2600 \Device\Harddisk0\DR0\Partition0 - ok
20:07:12.0671 2600 ============================================================
20:07:12.0671 2600 Scan finished
20:07:12.0671 2600 ============================================================
20:07:12.0687 2560 Detected object count: 1
20:07:12.0687 2560 Actual detected object count: 1
20:08:30.0718 2560 Backup copy found, using it..
20:08:30.0734 2560 C:\WINDOWS\system32\DRIVERS\ACPI.sys - will be cured on reboot
20:08:30.0734 2560 ACPI ( Virus.Win32.Rloader.a ) - User select action: Cure
20:08:46.0140 0312 Deinitialize success

#9
melanie11127 (Topic Starter)
aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-16 20:15:37
-----------------------------
20:15:37.562 OS Version: Windows 5.1.2600 Service Pack 3
20:15:37.562 Number of processors: 2 586 0xF06
20:15:37.562 ComputerName: MELANIE UserName: admin
20:15:38.218 Initialize success
20:16:20.640 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:16:20.640 Disk 0 Vendor: FUJITSU_MHW2060BH 00850012 Size: 57231MB BusType: 3
20:16:20.656 Disk 0 MBR read successfully
20:16:20.656 Disk 0 MBR scan
20:16:20.656 Disk 0 Windows XP default MBR code
20:16:20.671 Disk 0 scanning sectors +117194175
20:16:20.781 Disk 0 scanning C:\WINDOWS\system32\drivers
20:16:27.343 Service scanning
20:16:28.625 Modules scanning
20:16:38.140 Disk 0 trace - called modules:
20:16:38.156 ntkrnlpa.exe CLASSPNP.SYS disk.sys tskC.tmp hal.dll atapi.sys pciide.sys PCIIDEX.SYS
20:16:38.156 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89d62ab8]
20:16:38.156 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000075[0x89e02f18]
20:16:38.156 5 tskC.tmp[b9f69620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89dfd940]
20:16:38.484 Scan finished successfully
20:17:17.406 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\admin\Desktop\MBR.dat"
20:17:17.421 The log file has been saved successfully to "C:\Documents and Settings\admin\Desktop\aswMBR.txt"

#10
melanie11127 (Topic Starter)
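What the two logs above are actually saying, as an added example that is not part of the thread or of either tool: TDSSKiller flags ACPI.sys as "Forged" because the MD5 of the bytes it reads directly from disk differs from the MD5 of the same path as returned through the normal file API. The mismatch itself is the indicator, whichever of the two copies is the clean one. aswMBR's "called modules" trace then shows tskC.tmp sitting in the disk I/O chain between disk.sys and hal.dll, which is where a storage-stack hook has to live if it wants to hand scanners a clean-looking copy of an infected driver. The script below parses those line formats over excerpts copied from replies #8 and #9; the regular expressions, the known-good module allowlist and the verdict logic are this example's own assumptions, not documented output contracts of the tools.

```python
"""Triage of the TDSSKiller and aswMBR log lines posted in replies #8 and #9.

Added example, not part of the thread or of either tool. The excerpt lines are
copied from the logs above; the regular expressions, the known-good module
list and the verdict logic are this example's own assumptions about the two
log formats, not documented output contracts of the tools.
"""
import re
from dataclasses import dataclass, field

# TDSSKiller writes this when the bytes it reads straight from disk do not
# match what the OS returns through the normal file API for the same path.
FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})"
)
# "<time> <pid> <service> ( <detection> ) - infected"
INFECTED_RE = re.compile(r"^\S+ \S+ (?P<svc>\S+) \( (?P<name>[^)]+?) \) - infected$")
# aswMBR prints the disk I/O call chain on the line after this header.
TRACE_HDR_RE = re.compile(r"Disk (?P<disk>\d+) trace - called modules:")
MBR_OK_RE = re.compile(r"Disk (?P<disk>\d+) Windows XP default MBR code")

# Modules that legitimately sit in an XP IDE disk stack (assumption: an
# allowlist written for this example, not one shipped with aswMBR).
KNOWN_STACK = {m.lower() for m in (
    "ntkrnlpa.exe", "ntoskrnl.exe", "hal.dll", "CLASSPNP.SYS", "disk.sys",
    "partmgr.sys", "ftdisk.sys", "atapi.sys", "pciide.sys", "PCIIDEX.SYS",
)}


@dataclass
class Findings:
    forged: list = field(default_factory=list)           # (path, real_md5, fake_md5)
    infected: list = field(default_factory=list)         # (service, detection name)
    stack_anomalies: list = field(default_factory=list)  # (disk, module)
    mbr_default: dict = field(default_factory=dict)      # disk -> True when MBR code is stock


def triage(lines):
    """Walk the log lines once and collect the indicators worth acting on."""
    f = Findings()
    it = iter(lines)
    for raw in it:
        line = raw.strip()
        if m := FORGED_RE.search(line):
            f.forged.append((m["path"], m["real"], m["fake"]))
        elif m := INFECTED_RE.match(line):
            f.infected.append((m["svc"], m["name"]))
        elif m := TRACE_HDR_RE.search(line):
            # next line: "<time> mod1 mod2 ..."; anything outside the allowlist is suspect
            chain = next(it, "").split()[1:]
            f.stack_anomalies.extend(
                (int(m["disk"]), mod) for mod in chain if mod.lower() not in KNOWN_STACK
            )
        elif m := MBR_OK_RE.search(line):
            f.mbr_default[int(m["disk"])] = True
    return f


def verdict(f):
    """A forged system file or a temp-named module in the disk stack means a
    kernel-level hook is hiding something; either alone is enough to call it."""
    tmp_named = any(mod.lower().endswith(".tmp") for _, mod in f.stack_anomalies)
    if f.forged or tmp_named:
        return "rootkit suspected: verify from offline boot media before trusting scans"
    if f.infected or f.stack_anomalies:
        return "infected: review detections"
    return "no rootkit indicators in these lines"


# Excerpts copied from the two logs posted above (reply #8, then reply #9).
SAMPLE_TDSSKILLER = r"""
20:06:57.0796 2600 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:06:57.0796 2600 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
20:06:57.0796 2600 ACPI ( Virus.Win32.Rloader.a ) - infected
20:06:57.0859 2600 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:06:57.0859 2600 ACPIEC - ok
""".strip().splitlines()

SAMPLE_ASWMBR = r"""
20:16:20.656 Disk 0 Windows XP default MBR code
20:16:38.140 Disk 0 trace - called modules:
20:16:38.156 ntkrnlpa.exe CLASSPNP.SYS disk.sys tskC.tmp hal.dll atapi.sys pciide.sys PCIIDEX.SYS
20:16:38.156 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89d62ab8]
""".strip().splitlines()

if __name__ == "__main__":
    found = triage(SAMPLE_TDSSKILLER + SAMPLE_ASWMBR)
    for path, real, fake in found.forged:
        print(f"forged: {path}  on-disk {real}  api-view {fake}")
    for disk, mod in found.stack_anomalies:
        print(f"disk {disk}: unexpected module in I/O chain: {mod}")
    print(verdict(found))
```

A forged boot-time driver means every scanner run from inside the infected Windows is reading through the hook, which is why TDSSKiller has to restore the file from its backup copy at reboot rather than while the system is up, and why confirming from offline boot media is the conservative next step when a trace like this shows up.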
I guess you can tell from the TDSSKiller log, the scan said the following, "Virus.Win32.Rloader.a Service: ACPI" and in bright red letters, "Malware Object, high risk" so I continued with the cure. It rebooted and then I went onto next step. Everything was behaving as it's supposed to, nothing dragging along. One thing I did notice, on the reboots, it made me type in my password. I had installed a security suite that allows me to log in/access files with a finger swipe. Will I have to reload that or is it still somewhere on the computer, just disabled while we're fixing?

Thanks!
Melanie :killcomp:

#11
maliprog (Trusted Helper)
Good job! You will have to reinstall that software when we finish the cleaning; that is the best way. Now let's see if there is anything left. This scan can take a while, so please be patient.

Step 1

Download Virus Removal Tool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan.

Click the cog in the upper right.

Select down to and including your main drive; once done, select the Automatic scan tab and press Start Scan.

Allow Virus Removal Tool to delete all infections found.
Once it has finished, select the Report tab (the last tab).
Select the Detected threats report from the left and press the Save button.
Save it to your desktop and attach it to your next post.


Step 2

Please don't forget to include these items in your reply:

  • VRT log
It would be helpful if you could post each log in a separate post.

#12
melanie11127 (Topic Starter)
I included my F: drive in the scan. I was afraid that if I finally cleaned all this up, it would be awful to have my own flash drive re-infect everything. Glad I did, because VRT found threats in my backup files and deleted them. I can't believe what a mess this malware has made of my computer! Do you think the VRT was enough to clean up that flash drive, or does it need more checking? My VRT log is attached (VRT log.txt).

#13
maliprog (Trusted Helper)
This is a standard antivirus scan, so you did a good job. Additionally, you can disinfect the drive and protect your system from future infection caused by it.

Flash Drive Disinfector
  • Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives, including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and on every USB drive plugged in when you run it. Don't delete this folder; it will help protect your drives from future infection.

How is your system now? Any problems now?

#14
melanie11127 (Topic Starter)
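The "hidden folder named autorun.inf" in the note above works on a simple filesystem rule: a file and a directory cannot share a name, so while a directory called autorun.inf occupies the drive root, worm code that tries to drop an autorun.inf file there fails. The script below is an added example, not Flash_Disinfector's code: it classifies what is at a drive root, extracts the launch commands from an autorun.inf file, and applies the folder trick, renaming any existing file aside for inspection rather than deleting it. It assumes a drive root path (a temporary directory stands in for the USB stick), and the malicious autorun.inf sample is constructed for the example. On Windows it marks the folder read-only, hidden and system through kernel32.SetFileAttributesW; elsewhere it just creates the folder.

```python
"""autorun.inf triage and the "folder trick" described in the note above.

Added example, not Flash_Disinfector's code. It assumes a drive root path (a
temp directory stands in for the USB stick here); the sample autorun.inf below
is constructed for the example. On Windows it also marks the folder
read-only/hidden/system through kernel32.SetFileAttributesW; elsewhere the
folder is simply created.
"""
import ctypes
import os
import sys

AUTORUN_NAME = "autorun.inf"
# Keys that make Explorer launch, or offer to launch, something from the drive.
LAUNCH_KEYS = ("open", "shellexecute")
# FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
PROTECT_ATTRS = 0x1 | 0x2 | 0x4


def classify_autorun(root):
    """'absent', 'protective-folder' (a directory holds the name) or 'autorun-file'."""
    p = os.path.join(root, AUTORUN_NAME)
    if not os.path.lexists(p):
        return "absent"
    return "protective-folder" if os.path.isdir(p) else "autorun-file"


def autorun_commands(path):
    """Return (key, command) pairs from an autorun.inf that would run code."""
    cmds = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            # skip blanks, ';' comments, [section] headers and lines without '='
            if not line or line.startswith((";", "[")) or "=" not in line:
                continue
            key, value = (s.strip() for s in line.split("=", 1))
            key = key.lower()
            if key in LAUNCH_KEYS or key.endswith("\\command"):
                cmds.append((key, value))
    return cmds


def protect_drive(root):
    """Put a directory named autorun.inf at the drive root.

    A malicious autorun.inf *file* cannot be created while a directory of the
    same name exists. An existing file is renamed out of the way (kept for
    inspection, not deleted). Returns True when the folder is in place.
    """
    p = os.path.join(root, AUTORUN_NAME)
    if os.path.isfile(p):
        os.replace(p, p + ".quarantined")
    if not os.path.isdir(p):
        os.mkdir(p)
    if sys.platform == "win32":
        # Hidden/system/read-only so casual deletion and tidy-up tools skip it.
        ctypes.windll.kernel32.SetFileAttributesW(p, PROTECT_ATTRS)
    return os.path.isdir(p)


# Constructed sample: the shape a worm drops on removable media, not a real capture.
SAMPLE_MALICIOUS_AUTORUN = (
    "[autorun]\r\n"
    "open=RECYCLER\\loader.exe\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    "shell\\open\\command=RECYCLER\\loader.exe\r\n"
    "action=Open folder to view files\r\n"
)

if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp(prefix="usb-")
    with open(os.path.join(root, AUTORUN_NAME), "w") as fh:
        fh.write(SAMPLE_MALICIOUS_AUTORUN)
    print(classify_autorun(root), autorun_commands(os.path.join(root, AUTORUN_NAME)))
    protect_drive(root)
    print(classify_autorun(root))
```

The folder is a speed bump, not a control: malware running with the user's rights can remove a directory as easily as create a file, and the trick does nothing for media that already carries an autorun.inf when it is plugged in. The setting that actually stops Windows from honouring autorun.inf is disabling AutoRun itself, on XP by setting NoDriveTypeAutoRun to 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (with Microsoft's AutoRun update applied so the value is honoured), and the folder is then just belt and braces.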
I've had no symptoms of infection since running Combofix. But like you said in previous posts, just because it's acting OK doesn't mean that it's clean. It's amazing how much infection was still present even after symptoms stopped. I ran the drive disinfectant, also. Am I all clean now? :unsure:

Should I remove any of the cleaning software?

I used to use AVG Free, but too many automatic updates; one of them upgraded to a free trial & deleted all my LAN settings. A relative of mine has Avast, but it let through this same malware and now he can't disable Avast to run any other cleaning software. He called the makers of Avast; they said it would be $79.99 to remove Avast!

Usually, I just keep MBAM and run that every few days. Do you have any suggestions for what I should keep for maintenance?

Edited by melanie11127, 18 December 2011 - 09:38 AM.


#15
maliprog (Trusted Helper)
Hi melanie11127,

AVG is also a good antivirus, but I personally don't use it. You must also understand that your Internet browsing habits are crucial to your safety. I personally use Microsoft Security Essentials and I have safe surfing habits too :).

Here is my antivirus recommendation:


Your logs and system are clean now. I'm glad we fixed up your computer. We need to clean up your PC from the programs we used.

Step 1

Please start OTL one more time and click the CleanUp button. OTL will restart your system at the end. Remove all other applications we used to clean your PC.

General recommendations

Here are some recommendations you should follow to minimize infection risk in the future:

1. Enable Windows Update
  • Click Start, click Run, type sysdm.cpl, and then press ENTER.
  • Click the Automatic Updates tab, and then select one of the following options. We recommend that you select Automatic (recommended): Automatically download recommended updates for my computer and install them.
  • Click the OK button.

2. Delete Temp files

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

3. Make Backups of Important Files

Please read this article Home Computer Data Backup.


4. Regularly update your software

To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor’s patch installed.

You should download Update Checker from here. The program will automatically check for newer versions of the software installed on your system.