How do I remove win.32/cryptor, TR/Crypt.XPACK.Gen, and Malware.gen?


This topic is locked

#16 Crag_Hack (Trusted Helper, Malware Removal, 1,839 posts)

Hi thhenry. We will now run two scans and remove any McAfee remnants.

Step 1

The next step is to make sure all the remnants of McAfee have been removed using the removal tool. Please download and run this file. Let me know if it reports Cleanup Successful or Cleanup Unsuccessful. Restart after running.

Step 2

The following instructions are for running a scan using ESET anti-virus via an online implementation and a scan with Malwarebytes' Anti-Malware (they are free). These scans will find any remaining infections that aren't already cleaned.

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 3

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats and the options Scan unwanted applications and Enable Anti-Stealth technology (both under Advanced settings) are checked
  • Click Start (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Things to see in your next post:
McAfee clean results
MBAM log
ESET log


#17 thhenry (Member, Topic Starter, 26 posts)

Hi, the uninstaller for McAfee worked just fine. It said that it uninstalled everything successfully.


Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.12.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Acer :: ACER-PC [administrator]

Protection: Enabled

2/12/2012 6:31:20 PM
mbam-log-2012-02-12 (18-31-20).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 186192
Time elapsed: 29 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Adware.Hotbar) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Mp3Tube (Adware.Mp3Tube) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) -> Bad: (http://mp3tubetoolba...a151f27fa6f361a) Good: (http://www.google.com) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\Acer\My Documents\Downloads\setup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\searchplugins\Mp3Tube.xml (Adware.Mp3Tube) -> Quarantined and deleted successfully.

(end)


2012/02/12 18:30:48 -0600 ACER-PC Acer MESSAGE Starting protection
2012/02/12 18:30:58 -0600 ACER-PC Acer MESSAGE Protection started successfully
2012/02/12 18:30:58 -0600 ACER-PC Acer MESSAGE Executing scheduled update: Daily
2012/02/12 18:31:01 -0600 ACER-PC Acer MESSAGE Starting IP protection
2012/02/12 18:31:19 -0600 ACER-PC Acer MESSAGE IP Protection started successfully
2012/02/12 18:31:26 -0600 ACER-PC Acer MESSAGE Starting database refresh
2012/02/12 18:31:26 -0600 ACER-PC Acer MESSAGE Scheduled update executed successfully: database updated from version v2012.02.12.05 to version v2012.02.13.01
2012/02/12 18:31:26 -0600 ACER-PC Acer MESSAGE Stopping IP protection
2012/02/12 18:31:27 -0600 ACER-PC Acer MESSAGE IP Protection stopped
2012/02/12 18:31:38 -0600 ACER-PC Acer MESSAGE Database refreshed successfully
2012/02/12 18:31:38 -0600 ACER-PC Acer MESSAGE Starting IP protection
2012/02/12 18:31:58 -0600 ACER-PC Acer MESSAGE IP Protection started successfully
2012/02/12 19:04:24 -0600 ACER-PC Acer MESSAGE Starting protection
2012/02/12 19:04:42 -0600 ACER-PC Acer MESSAGE Protection started successfully
2012/02/12 19:04:45 -0600 ACER-PC Acer MESSAGE Starting IP protection
2012/02/12 19:04:57 -0600 ACER-PC Acer MESSAGE IP Protection started successfully


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=5aff93596de3854ab9504791975d59ab
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-02-13 02:51:49
# local_time=2012-02-12 08:51:49 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 679046 679046 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=117260
# found=1
# cleaned=1
# scan_time=5328
C:\Documents and Settings\Acer\My Documents\Downloads\winamp562_full_emusic-7plus_en-us.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
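A small parser for the MBAM log layout in the post above, added here as an illustration and not part of this thread or of Malwarebytes' own tooling. It checks the per-section counts the log header declares against the entries actually listed, pulls the Bad/Good values out of the Hijack.StartPage repair line, and lists anything not reported as handled successfully. The sample log is constructed from entries copied from the post plus one made-up "Delete on reboot." file line.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of the MBAM 1.60 quick-scan log posted above.
# The entries are copied from that log; the final "Delete on reboot." file line
# (constructed-sample.tmp) is made up to exercise the unresolved case.
SAMPLE_LOG = r"""
Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.12.05

Scan type: Quick scan
Objects scanned: 186192

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Mp3Tube (Adware.Mp3Tube) -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) -> Bad: (http://mp3tubetoolba...a151f27fa6f361a) Good: (http://www.google.com) -> Quarantined and repaired successfully.

Files Detected: 2
C:\Documents and Settings\Acer\My Documents\Downloads\setup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\constructed-sample.tmp (Trojan.Agent) -> Delete on reboot.

(end)
"""

# "Registry Keys Detected: 4" style section headers.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# "<target> (<detection family>) -> <what MBAM did>"
ENTRY_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
# Repair entries carry the bad and good values before the final action.
REPAIR_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")


@dataclass
class Detection:
    section: str
    target: str
    family: str
    action: str
    bad: Optional[str] = None
    good: Optional[str] = None

    @property
    def resolved(self) -> bool:
        # MBAM ends the action with "successfully." once quarantine/repair completed.
        return self.action.rstrip(".").endswith("successfully")


def parse_mbam_log(text: str) -> Tuple[List[Detection], Dict[str, int]]:
    """Return the listed detections and the per-section counts the log declares."""
    detections: List[Detection] = []
    declared: Dict[str, int] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            declared[section] = int(header.group("count"))
            continue
        if section is None or line.startswith("(No malicious"):
            continue  # scan metadata above the first section, or an empty section
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        rest, bad, good = entry.group("rest"), None, None
        repair = REPAIR_RE.match(rest)
        if repair:
            bad, good, rest = repair.group("bad"), repair.group("good"), repair.group("action")
        detections.append(Detection(section, entry.group("target"), entry.group("family"), rest, bad, good))
    return detections, declared


def summarize(detections: List[Detection], declared: Dict[str, int]) -> dict:
    """Families seen, sections whose declared count differs from the entries
    actually listed (declared, parsed), and entries not reported as handled."""
    parsed: Dict[str, int] = {}
    for d in detections:
        parsed[d.section] = parsed.get(d.section, 0) + 1
    mismatches = {s: (n, parsed.get(s, 0)) for s, n in declared.items() if n != parsed.get(s, 0)}
    return {
        "families": sorted({d.family for d in detections}),
        "mismatches": mismatches,
        "unresolved": [d for d in detections if not d.resolved],
    }


if __name__ == "__main__":
    dets, counts = parse_mbam_log(SAMPLE_LOG)
    report = summarize(dets, counts)
    print("families:", ", ".join(report["families"]))
    print("count mismatches:", report["mismatches"])
    for d in report["unresolved"]:
        print("needs follow-up:", d.target, "->", d.action)
```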

#18 Crag_Hack (Trusted Helper, Malware Removal, 1,839 posts)

Hello Henry. We will now run a special scan with AVP to search for malware. Please do the following:

  • Download AVPTool from Here to your desktop (use version 11)
  • Run the program you have just downloaded to your desktop
  • Accept the license agreement

    First we will run a virus scan
  • Click the cog in the upper right
  • Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan
  • Allow AVP to delete all infections found
  • Once it has finished select report tab (last tab)
  • Select Detected threats report from the left and press Save button
  • Save it to your desktop and attach to your next post

    Now the Analysis
  • Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information
  • On completion click the link to locate the zip file to upload and attach to your next post

Things to see in your next post:
AVP scan results
AVP analysis results


#19 thhenry (Member, Topic Starter, 26 posts)

Status: Disinfected (events: 18)
2/15/2012 4:40:57 PM Disinfected Trojan program Exploit.Java.Agent.fw C:\Documents and Settings\Acer\Application Data\AVG\Rescue\PC Tuneup 2011\120125123051000.rsc/120125123051000-000034.file/apache/adidas.class High
2/15/2012 4:42:31 PM Disinfected Trojan program Exploit.Java.CVE-2011-3544.i C:\Documents and Settings\Acer\Application Data\AVG\Rescue\PC Tuneup 2011\120125123051000.rsc/120125123051000-000035.file/lat.class High
2/15/2012 4:42:37 PM Disinfected Trojan program Exploit.Java.CVE-2011-3544.l C:\Documents and Settings\Acer\Application Data\AVG\Rescue\PC Tuneup 2011\120125123051000.rsc/120125123051000-000037.file/morale.class High
2/15/2012 5:25:06 PM Disinfected Trojan program Exploit.JS.Pdfka.fhv C:\Documents and Settings\Acer\Application Data\AVG\Rescue\PC Tuneup 2011\120125123051000.rsc/120125123051000-000082.file High
2/15/2012 5:25:06 PM Disinfected Trojan program Exploit.JS.Pdfka.fhh C:\Documents and Settings\Acer\Application Data\AVG\Rescue\PC Tuneup 2011\120125123051000.rsc/120125123051000-000083.file High
2/15/2012 4:56:39 PM Disinfected Trojan program Exploit.Java.CVE-2011-3544.fz C:\Documents and Settings\Acer\Application Data\AVG\Rescue\PC Tuneup 2011\120125123051000.rsc/120125123051000-000455.file/xmltree/alpina.class High
2/15/2012 4:56:39 PM Disinfected Trojan program Exploit.Java.CVE-2011-3544.eo C:\Documents and Settings\Acer\Application Data\AVG\Rescue\PC Tuneup 2011\120125123051000.rsc/120125123051000-000455.file/xmltree/umbro.class High
2/15/2012 4:56:39 PM Disinfected Trojan program Exploit.Java.CVE-2011-3544.l C:\Documents and Settings\Acer\Application Data\AVG\Rescue\PC Tuneup 2011\120125123051000.rsc/120125123051000-000457.file High
2/15/2012 4:58:19 PM Disinfected Trojan program Exploit.Java.CVE-2011-3544.ct C:\Documents and Settings\Acer\Application Data\AVG\Rescue\PC Tuneup 2011\120125123051000.rsc/120125123051000-000461.file/morale.class High
2/15/2012 4:58:19 PM Disinfected Trojan program Exploit.Java.Agent.fw C:\Documents and Settings\Acer\Application Data\AVG\Rescue\PC Tuneup 2011\120125123051000.rsc/120125123051000-000463.file High
2/15/2012 4:58:19 PM Disinfected Trojan program Exploit.Java.CVE-2011-3544.ct C:\Documents and Settings\Acer\Application Data\AVG\Rescue\PC Tuneup 2011\120125123051000.rsc/120125123051000-000465.file High
2/15/2012 4:58:19 PM Disinfected Trojan program Exploit.Java.CVE-2011-3544.eo C:\Documents and Settings\Acer\Application Data\AVG\Rescue\PC Tuneup 2011\120125123051000.rsc/120125123051000-000471.file High
2/15/2012 5:25:06 PM Disinfected Trojan program Exploit.Java.Agent.fw C:\Documents and Settings\Acer\Application Data\AVG\Rescue\PC Tuneup 2011\120125123051000.rsc/120125123051000-000034.file High
2/15/2012 5:25:06 PM Disinfected Trojan program Exploit.Java.CVE-2011-3544.i C:\Documents and Settings\Acer\Application Data\AVG\Rescue\PC Tuneup 2011\120125123051000.rsc/120125123051000-000035.file High
2/15/2012 5:25:06 PM Disinfected Trojan program Exploit.Java.CVE-2011-3544.l C:\Documents and Settings\Acer\Application Data\AVG\Rescue\PC Tuneup 2011\120125123051000.rsc/120125123051000-000037.file High
2/15/2012 5:25:06 PM Disinfected Trojan program Exploit.Java.CVE-2011-3544.fz C:\Documents and Settings\Acer\Application Data\AVG\Rescue\PC Tuneup 2011\120125123051000.rsc/120125123051000-000455.file High
2/15/2012 5:25:06 PM Disinfected Trojan program Exploit.Java.CVE-2011-3544.ct C:\Documents and Settings\Acer\Application Data\AVG\Rescue\PC Tuneup 2011\120125123051000.rsc/120125123051000-000461.file High
2/15/2012 5:25:06 PM Disinfected Trojan program Exploit.Java.CVE-2011-3544.eo C:\Documents and Settings\Acer\Application Data\AVG\Rescue\PC Tuneup 2011\120125123051000.rsc High
Status: Deleted (events: 2)
2/15/2012 4:40:56 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\Acer\Local Settings\Temporary Internet Files\Content.IE5\T4B45BF7\ajs[1].php High
2/15/2012 4:40:56 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\Acer\Local Settings\Temporary Internet Files\Content.IE5\USTCT5D5\ajs[1].php High


<?xml version="1.0" encoding="windows-1251" ?>
<!-- AVZ XML Report -->
<AVZ Version="4.35" LogDate="15.02.2012 19:51:33" WinDir="C:\WINDOWS\" OS_MjVer="5" OS_MiVer="1" OS_Build="2600" BootMode="0" OS_CSDV="Service Pack 3" ProfileDir="C:\Documents and Settings\Acer" Session="Console" IsWow64="False" IsAdmin="True" IsSRDisabled="False" MainDBDate="12/30/1899" CompHash="CE462FC23375AC5472BC36CC68481637">
- <SuspFiles>
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" VirType="4" Descr="Kernel-mode hook" />
<ITEM File="\SystemRoot\system32\DRIVERS\6703567drv.sys" VirType="4" Descr="Kernel-mode hook" />
</SuspFiles>
- <RK_KM>
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtAdjustPrivilegesToken" FIndx="11" HookPtr="9E886690" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtClose" FIndx="25" HookPtr="9E886F94" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtConnectPort" FIndx="31" HookPtr="9E887DC8" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtCreateEvent" FIndx="35" HookPtr="9E888312" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtCreateFile" FIndx="37" HookPtr="9E887270" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtCreateKey" FIndx="41" HookPtr="9E885500" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtCreateMutant" FIndx="43" HookPtr="9E8881F8" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtCreateNamedPipeFile" FIndx="44" HookPtr="9E88627E" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtCreatePort" FIndx="46" HookPtr="9E8880CC" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtCreateSection" FIndx="50" HookPtr="9E886426" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtCreateSemaphore" FIndx="51" HookPtr="9E888432" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtCreateThread" FIndx="53" HookPtr="9E886C1C" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtCreateWaitablePort" FIndx="56" HookPtr="9E888162" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtDebugActiveProcess" FIndx="57" HookPtr="9E889B1A" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtDeleteKey" FIndx="63" HookPtr="9E885B0A" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtDeleteValueKey" FIndx="65" HookPtr="9E885EBE" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtDeviceIoControlFile" FIndx="66" HookPtr="9E8876F2" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtDuplicateObject" FIndx="68" HookPtr="9E88AD26" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtEnumerateKey" FIndx="71" HookPtr="9E88600A" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtEnumerateValueKey" FIndx="73" HookPtr="9E8860A2" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtFsControlFile" FIndx="84" HookPtr="9E887500" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtLoadDriver" FIndx="97" HookPtr="9E889C0C" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtLoadKey" FIndx="98" HookPtr="9E8854DC" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtLoadKey2" FIndx="99" HookPtr="9E8854EE" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtMapViewOfSection" FIndx="108" HookPtr="9E88A374" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtNotifyChangeKey" FIndx="111" HookPtr="9E8861CE" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtOpenEvent" FIndx="114" HookPtr="9E8883A8" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtOpenFile" FIndx="116" HookPtr="9E887016" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtOpenKey" FIndx="119" HookPtr="9E8856C0" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtOpenMutant" FIndx="120" HookPtr="9E888288" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtOpenProcess" FIndx="122" HookPtr="9E8868CC" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtOpenSection" FIndx="125" HookPtr="9E88A10E" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtOpenSemaphore" FIndx="126" HookPtr="9E8884C8" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtOpenThread" FIndx="128" HookPtr="9E8867BE" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtQueryKey" FIndx="160" HookPtr="9E88613A" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtQueryMultipleValueKey" FIndx="161" HookPtr="9E885D72" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtQuerySection" FIndx="167" HookPtr="9E88A6AE" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtQueryValueKey" FIndx="177" HookPtr="9E88599C" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtQueueApcThread" FIndx="180" HookPtr="9E889FA0" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtRenameKey" FIndx="192" HookPtr="9E885C2C" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtReplaceKey" FIndx="193" HookPtr="9E884F16" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtReplyPort" FIndx="194" HookPtr="9E88882C" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtReplyWaitReceivePort" FIndx="195" HookPtr="9E8886F2" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtRequestWaitReplyPort" FIndx="200" HookPtr="9E8898B4" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtRestoreKey" FIndx="204" HookPtr="9E88528E" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtResumeThread" FIndx="206" HookPtr="9E88ABC8" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtSaveKey" FIndx="207" HookPtr="9E884EAE" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtSecureConnectPort" FIndx="210" HookPtr="9E887B0E" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtSetContextThread" FIndx="213" HookPtr="9E886E38" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtSetInformationToken" FIndx="230" HookPtr="9E889154" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtSetSecurityObject" FIndx="237" HookPtr="9E889DAA" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtSetSystemInformation" FIndx="240" HookPtr="9E88A7FE" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtSetValueKey" FIndx="247" HookPtr="9E885816" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtSuspendProcess" FIndx="253" HookPtr="9E88A8F0" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtSuspendThread" FIndx="254" HookPtr="9E88AA2A" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtSystemDebugControl" FIndx="255" HookPtr="9E889A3E" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtTerminateProcess" FIndx="257" HookPtr="9E886A68" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtTerminateThread" FIndx="258" HookPtr="9E8869C8" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtUnmapViewOfSection" FIndx="267" HookPtr="9E88A552" HookType="1" />
<ITEM File="C:\WINDOWS\system32\DRIVERS\6703567drv.sys" FNaim="NtWriteVirtualMemory" FIndx="277" HookPtr="9E886B52" HookType="1" />
<ITEM File="\SystemRoot\system32\DRIVERS\6703567drv.sys" FNaim="NtQueryPerformanceCounter" FIndx="165" HookPtr="805CB942" HookType="3" />
<ITEM File="\SystemRoot\system32\DRIVERS\6703567drv.sys" FNaim="" FIndx="387" HookPtr="805CB942" HookType="3" />
</RK_KM>
- <IPU>
<ITEM Code="1" X1="TermService" X2="Terminal Services" />
<ITEM Code="1" X1="SSDPSRV" X2="SSDP Discovery Service" />
<ITEM Code="1" X1="TlntSvr" />
<ITEM Code="1" X1="Schedule" X2="Task Scheduler" />
<ITEM Code="1" X1="mnmsrvc" X2="NetMeeting Remote Desktop Sharing" />
<ITEM Code="1" X1="RDSessMgr" X2="Remote Desktop Help Session Manager" />
<ITEM Code="3" />
<ITEM Code="5" />
<ITEM Code="8" X1="1" />
</IPU>
- <WIZARD-TSW>
<ITEM ID="58" Level="3" Fixed="0" />
<ITEM ID="59" Level="3" Fixed="0" />
<ITEM ID="60" Level="1" Fixed="0" />
<ITEM ID="61" Level="2" Fixed="0" />
</WIZARD-TSW>
</AVZ>
  • 0

#20
Crag_Hack
    Trusted Helper
  • Malware Removal
  • 1,839 posts
Hi Henry, I need to have the analysis results as an attached file, not copied into the post. Please attach the file from the analysis. If you can't find it, follow these instructions:

  • Click the Start Menu
  • Click Search
  • If it says Windows Search on top of the left part of the screen, do the following two steps, otherwise skip them
  • Scroll to the bottom on the left part of the window
  • Click Click here to use Search Companion
  • Click All files and folders
  • Type sysinfo.zip in the All or part of the file name: field
  • Select the drive to look at in the Look in drop down list
  • Click the search button
  • Wait for the search to finish
  • The search results will tell you the location of the file in the In Folder column

If you still can't find it, please repeat the analysis instructions from the previous post and then attach the file.
  • 0

#21
thhenry
    Member
  • Topic Starter
  • Member
  • 26 posts
Attached Files: avptool_sysinfo.zip
  • 0

#22
Crag_Hack
    Trusted Helper
  • Malware Removal
  • 1,839 posts
Hi thhenry. I finished analyzing your AVP analysis log. We will now do a quick clean with AVP as well as upload a file to check if it is malware or not.

Step 1

  • Re-run AVPTool
  • Select the Manual Disinfection tab and press Script execution

  • Where it states Insert text script in the following box, copy the below script and press Run script
    Copy from Begin until End


    begin
    SetAVZPMStatus(True);
    SetAVZGuardStatus(True);
    SearchRootkit(true, true);
    DeleteService('PCIDump');
    DeleteFile('PCIDump.sys');
    DeleteFile('C:\Documents and Settings\Acer\Local Settings\Temp\_uninst_71758050.bat');
    BC_ImportDeletedList;
    BC_ImportAll;
    ExecuteSysClean;
    BC_Activate;
    RebootWindows(true);
    end.

  • Your system will reboot on completion; if it does not, please do so yourself
  • On completion please run another analysis scan and attach the zip file

Step 2

There are several suspicious files on your machine that might or might not be malware. We will scan them to verify. Let me know if you have any trouble following these instructions. Please do the following:

  • Go to this site
  • Click the browse button on the top of the page
  • Navigate to this file C:\WINDOWS\system32\MsSip1.dll and click the open button
  • Click the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button
  • Once the Scan is completed, click on the Copy to Clipboard button at the bottom of the page. This will copy the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Things to see in your next post:
  • attach AVP analysis zip file
  • Virscan upload result

  • 0

#23
thhenry
    Member
  • Topic Starter
  • Member
  • 26 posts
Attached Files: avptool_sysinfo.zip
  • 0

#24
thhenry
    Member
  • Topic Starter
  • Member
  • 26 posts
Hi, there was not a file under C:\WINDOWS\system32\MsSip1.dll, but the closest one I found to it was mssip32.dll. Here are the results for this file:

VirSCAN.org Scanned Report :
Scanned time : 2009/12/19 16:28:03 (PST)
Scanner results: Scanners did not find malware!
File Name : mssip32.dll
File Size : 4608 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : 0e921c7e1284afde99e1c4ae217a7eec
SHA1 : 17153190983d709b89f82cb6da208c6d3a047a1a
Online report : http://r.virscan.org...7aba68cb9a709a5

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091219020142 2009-12-19 0.08 -
AhnLab V3 2009.12.20.00 2009.12.20 2009-12-20 0.08 -
AntiVir 8.2.1.114 7.10.2.22 2009-12-18 0.43 -
Antiy 2.0.18 20091218.3500546 2009-12-18 0.12 -
Arcavir 2009 200912191333 2009-12-19 0.03 -
Authentium 5.1.1 200912191506 2009-12-19 1.20 -
AVAST! 4.7.4 091219-1 2009-12-19 0.00 -
AVG 8.5.288 270.14.115/2576 2009-12-20 0.31 -
BitDefender 7.81008.4750036 7.29526 2009-12-20 4.13 -
CA (VET) 35.1.0 7184 2009-12-18 0.08 -
ClamAV 0.95.2 10200 2009-12-19 0.01 -
Comodo 3.13 3302 2009-12-19 0.08 -
CP Secure 1.3.0.5 2009.12.20 2009-12-20 0.03 -
Dr.Web 4.44.0.9170 2009.12.19 2009-12-19 7.86 -
F-Prot 4.4.4.56 20091219 2009-12-19 1.25 -
F-Secure 7.02.73807 2009.12.19.08 2009-12-19 0.18 -
Fortinet 11.292- 11.292 2009-12-19 0.08 -
GData 19.9421/19.634 20091219 2009-12-19 0.08 -
ViRobot 20091218 2009.12.18 2009-12-18 0.08 -
Ikarus T3.1.01.79 2009.12.19.74801 2009-12-19 4.13 -
JiangMin 13.0.900 2009.12.19 2009-12-19 0.08 -
Kaspersky 5.5.10 2009.12.19 2009-12-19 0.15 -
KingSoft 2009.2.5.15 2009.12.19.22 2009-12-19 0.08 -
McAfee 5.3.00 5837 2009-12-19 3.35 -
Microsoft 1.5302 2009.12.20 2009-12-20 0.08 -
Norman 6.01.09 6.01.00 2009-12-19 2.00 -
Panda 9.05.01 2009.12.18 2009-12-18 0.08 -
Trend Micro 9.000-1003 6.704.08 2009-12-20 0.03 -
Quick Heal 10.00 2009.12.19 2009-12-19 0.08 -
Rising 20.0 22.26.05.04 2009-12-19 0.08 -
Sophos 3.03.0 4.49 2009-12-20 2.65 -
Sunbelt 3.9.2388.2 5571 2009-12-19 0.08 -
Symantec 1.3.0.24 20091219.003 2009-12-19 0.05 -
nProtect 20091218.02 6640190 2009-12-18 0.08 -
The Hacker 6.5.0.3 v00100 2009-12-19 0.08 -
VBA32 3.12.12.0 20091219.1607 2009-12-19 2.24 -
VirusBuster 4.5.11.10 10.118.2/2018700 2009-12-19 2.36 -
  • 0

#25
Crag_Hack
    Trusted Helper
  • Malware Removal
  • 1,839 posts
Hello thhenry. We will now upload two files to this thread so I can look at them to see if they're malicious or not. Please do the following:

  • Click Add Reply to start a new message for this thread
  • Click the Browse button below the text box for the message
  • Navigate to this folder: C:\Documents and Settings\Acer\Local Settings\Temp in the File Upload dialog box
  • If you can't navigate to the folder because it's hidden, simply type the folder in the File name text box, then press Enter
  • Right-click the _uninst_.bat file then click Send To then click Compressed (zipped) Folder
  • Select _uninst_.zip then click the Open button
  • Click the Attach This File button
  • Repeat the above instructions this time for the file _uninst_00725245.bat in the same folder
  • Post the reply

  • 0

#26
thhenry
    Member
  • Topic Starter
  • Member
  • 26 posts
I do not see the _uninst_.bat file or the _uninst_00725245.bat file in my temp folder
  • 0

#27
Crag_Hack
    Trusted Helper
  • Malware Removal
  • 1,839 posts
Hi thhenry. The .bat files are probably hidden from your view so we'll temporarily unhide them and see what happens. Please do the following:

  • Open My Computer
  • Go to the Tools menu
  • Click the Folder Options entry
  • Go to the View tab
  • Under the Advanced settings section under the Hidden files and folders subsection select Show hidden files and folders
  • Scroll down one line in the Advanced settings section
  • Deselect Hide protected operating system files (recommended)
  • Click Yes in the dialog box that appears
  • Click the OK button
  • Now repeat the thread file upload instructions. Let me know if you still can't see the files.
  • Once done uploading repeat the above instructions but reverse the selections in the Advanced settings section

  • 0

#28
thhenry
    Member
  • Topic Starter
  • Member
  • 26 posts
Those settings are already selected and deselected. Maybe those files got deleted in the process of scanning?
  • 0

#29
Crag_Hack
    Trusted Helper
  • Malware Removal
  • 1,839 posts
Let's try a different approach now. We will now pull out the big gun - Combofix. This ought to find anything that might be hiding. Take note of any dialog boxes that pop up while running Combofix other than the Disclaimer or the Recovery Console prompt, make a note of what they say, then describe them in your next post. Make sure to connect the computer to the Internet beforehand and answer yes to the recovery console prompt. Please do the following:

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.



Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.
  • 0

#30
thhenry
    Member
  • Topic Starter
  • Member
  • 26 posts
ComboFix 12-02-24.02 - Acer 02/24/2012 16:45:50.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.336 [GMT -6:00]
Running from: c:\documents and settings\Acer\Desktop\ComboFix.exe
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
((((((((((((((((((((((((( Files Created from 2012-01-24 to 2012-02-24 )))))))))))))))))))))))))))))))
.
.
2012-02-20 03:03 . 2012-02-20 03:03 -------- d-----w- c:\documents and settings\Administrator
2012-02-20 02:23 . 2012-02-20 02:23 11264 ----a-w- c:\windows\system32\drivers\uzixmzmz.sys
2012-02-15 20:30 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 20:30 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-13 01:12 . 2012-02-13 01:12 -------- d-----w- c:\program files\ESET
2012-02-13 00:28 . 2012-02-13 00:28 -------- d-----w- c:\documents and settings\Acer\Application Data\Malwarebytes
2012-02-13 00:28 . 2012-02-13 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-13 00:28 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-13 00:28 . 2012-02-13 00:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-10 05:45 . 2012-02-10 05:45 -------- d-----w- c:\documents and settings\Acer\Application Data\Auslogics
2012-02-10 05:44 . 2012-02-10 05:44 -------- d-----w- c:\program files\Auslogics
2012-02-04 01:26 . 2012-02-04 01:26 -------- d-----w- C:\_OTL
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-17 21:15 . 2011-06-27 23:41 414368 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-12 16:53 . 2010-07-22 07:37 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2010-07-22 07:37 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2010-07-22 07:37 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2010-07-22 07:37 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2010-07-22 07:37 385024 ----a-w- c:\windows\system32\html.iec
2012-02-18 00:37 . 2011-10-19 02:07 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2010-05-27 02:40 120176 ----a-w- c:\program files\EgisTec MyWinLocker\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-22 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S6000Mnt"="S6000Rmv.dll " [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-06-17 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-06-17 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-06-17 141336]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-10-13 186904]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2009-12-11 59936]
"SuiteTray"="c:\program files\EgisTec MyWinLockerSuite\x86\SuiteTray.exe" [2010-05-27 337264]
"EgisUpdate"="c:\program files\EgisTec IPS\EgisUpdate.exe" [2010-03-11 201584]
"EgisTecPMMUpdate"="c:\program files\EgisTec IPS\PmmUpdate.exe" [2010-03-11 407920]
"mwlDaemon"="c:\program files\EgisTec MyWinLocker\x86\mwlDaemon.exe" [2010-05-27 349552]
"Norton Online Backup"="c:\program files\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 966488]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2010-06-22 968272]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-02-05 1692968]
"RTHDCPL"="RTHDCPL.EXE" [2010-03-12 19521056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"NACAgentUI"="c:\program files\Cisco\Cisco NAC Agent\NACAgentUI.exe" [2011-07-25 525752]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2007-02-22 73728]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2010-7-22 704032]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\VirtualDJ\\virtualdj_pro.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dlbtcoms.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 6:23 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
R1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\drivers\mwlPSDFilter.sys [7/22/2010 3:04 AM 17840]
R1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\drivers\mwlPSDNserv.sys [7/22/2010 3:04 AM 15280]
R1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\drivers\mwlPSDVDisk.sys [7/22/2010 3:04 AM 58800]
R1 uzixmzmz;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uzixmzmz.sys [2/19/2012 8:23 PM 11264]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R2 DsiWMIService;Dritek WMI Service;c:\program files\Launch Manager\dsiwmis.exe [7/19/2010 2:11 AM 321104]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/12/2012 6:28 PM 652360]
R2 NACAgent;Cisco NAC Agent;c:\program files\Cisco\Cisco NAC Agent\NACAgent.exe [7/25/2011 10:51 AM 1105848]
R2 NOBU;Norton Online Backup;c:\program files\Symantec\Norton Online Backup\NOBuAgent.exe [6/1/2010 4:27 PM 2057560]
R2 PaceLicenseDServices;PACE License Services;c:\program files\Common Files\PACE\Services\LicenseServices\LDSvc.exe [11/8/2010 12:09 AM 2647552]
R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [7/22/2010 3:12 AM 260640]
R2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [7/22/2010 2:56 AM 243232]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [5/23/2011 1:03 AM 30944]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 6:21 AM 16720]
R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [6/30/2010 3:50 AM 61552]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/12/2012 6:28 PM 20464]
R3 MWLService;MyWinLocker Service;c:\program files\EgisTec MyWinLocker\x86\MWLService.exe [5/26/2010 8:41 PM 305520]
R3 S6000KNT;S6000KNT_WebCam Driver;c:\windows\system32\drivers\S6000KNT.sys [12/16/2010 6:55 PM 3221120]
S2 avgfws;AVG Firewall;c:\program files\AVG\AVG2012\avgfws.exe [11/23/2011 2:36 AM 2391832]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/27/2011 5:33 PM 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [7/22/2010 2:30 AM 1691480]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [5/23/2011 1:03 AM 30944]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/27/2011 5:33 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-27 23:33]
.
2012-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-27 23:33]
.
2012-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-381150471-1547963291-1499398264-1006Core.job
- c:\documents and settings\Acer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-27 23:24]
.
2012-02-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-381150471-1547963291-1499398264-1006UA.job
- c:\documents and settings\Acer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-27 23:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aod255&r=0xph1210k655l0414wu05w4722u197
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Acer\Application Data\Mozilla\Firefox\Profiles\to53ajy0.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo-Mp3Tube
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/?ref=hp
FF - prefs.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - user.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - user.js: keyword.enabled - 1
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-{1A706628-DEF5-4325-97E3-2FF5A6C0677D} - c:\documents and settings\Acer\Local Settings\Application Data\TLM Professional\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-24 17:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2592)
c:\windows\system32\WININET.dll
c:\program files\EgisTec MyWinLocker\x86\psdprotect.dll
c:\program files\EgisTec MyWinLocker\x86\sysenv.dll
c:\program files\EgisTec MyWinLocker\x86\XmlLite.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-02-24 17:16:55
ComboFix-quarantined-files.txt 2012-02-24 23:16
.
Pre-Run: 81,579,753,472 bytes free
Post-Run: 82,298,208,256 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - C7C02550BE80C94C43D34D3DE9B9B3CA

Hi, my computer still seems to be kind of slow, but not as slow as when I first got the virus.
  • 0





