Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Web surfing sluggish, videos playing oddly, browser freezing, NOD32 fo


  • This topic is locked This topic is locked

#1
MINT2012

MINT2012

    New Member

  • Member
  • Pip
  • 6 posts
Over the last month or so I've been having issues with the PC. It always seems to be a little sluggish, and behaving in ways it was not doing two months ago. I'm using Windows XP and my system has been fine until about two months ago.


For example:

- After firing up the browser, and surfing sites, things in general are just a bit sluggish. It gets to the point that I try to kid myself it's not sluggish but then five mins later something "freezes up" either totally (thus requiring a task manager close down of the browser) or a temp "egg timer appears" freeze. In the latter scenario I delete the cache and restart the brwoser which seems to do the trick, but not in full, and either way I was not having to do that a month ago.*

- When scrolling down a forum post or main index, there can be a subtle "sticky/jittery" feeling, it's not major, but is something that was not there a month ago*

*After the re-start, the web surfing aspect appears to be fine, however the browser continues to hang from time to time even after a re-start.

- When pasting information into form fields/boxes, the dialogue box (that pops up after a right click which allows you to select paste) is taking a nano second longer that it would to appear, its definitely noticeable and again was not something that was "noticeable" a month ago.

- A few months ago I noticed that embedded videos were starting to play in a hugely jerky fashion. I do not have that issue with videos that are played on a media player though, so I suppose my video card is fine.

Two weeks ago or so, I ran Malware Bytes and Spybot S&D and they both came back clean.

A couple of days ago I performed a NOD32 System scan on all of my drives and this is what I got in red:

C:\Documents and Settings\greg\Application Data\Sun\Java\Deployment\cache\6.0\35\2a0ee6e3-46febc54 » ZIP » gendalf/fire.class - Java/TrojanDownloader.Agent.NCM trojan
C:\Documents and Settings\greg\Application Data\Sun\Java\Deployment\cache\6.0\35\2a0ee6e3-46febc54 » ZIP » gendalf/frost.class - Java/TrojanDownloader.Agent.NCM trojan
C:\Documents and Settings\greg\Application Data\Sun\Java\Deployment\cache\6.0\35\2a0ee6e3-46febc54 » ZIP » mordor/bilbo.class - Java/TrojanDownloader.Agent.NCM trojan
C:\Documents and Settings\greg\Application Data\Sun\Java\Deployment\cache\6.0\35\2a0ee6e3-46febc54 » ZIP » mordor/frodo.class - Java/TrojanDownloader.Agent.NCM trojan
C:\Documents and Settings\greg\Application Data\Sun\Java\Deployment\cache\6.0\35\2a0ee6e3-46febc54 » ZIP » mordor/gorlum.class - Java/TrojanDownloader.Agent.NCM trojan
C:\Documents and Settings\greg\Application Data\Sun\Java\Deployment\cache\6.0\35\2a0ee6e3-46febc54 » ZIP » mordor/saruman.class - Java/TrojanDownloader.Agent.NCM trojan
C:\Documents and Settings\greg\Application Data\Sun\Java\Deployment\cache\6.0\51\7a203773-28e18a86 » ZIP » Anio.class - a variant of Java/Exploit.CVE-2012-1723.L trojan
C:\Documents and Settings\greg\Application Data\Sun\Java\Deployment\cache\6.0\51\7a203773-28e18a86 » ZIP » Ini.class - a variant of Java/Exploit.CVE-2012-1723.BY trojan
C:\Documents and Settings\greg\Application Data\Sun\Java\Deployment\cache\6.0\51\7a203773-28e18a86 » ZIP » Third.class - a variant of Java/Exploit.CVE-2012-1723.AC trojan
C:\Documents and Settings\greg\Local Settings\Temp\jar_cache2247274750876718049.tmp » ZIP » LtVzItMoN.class - a variant of Java/Exploit.CVE-2012-4681.AL trojan
C:\Documents and Settings\greg\Local Settings\Temp\jar_cache2247274750876718049.tmp » ZIP » SuGbt.class - a variant of Java/Exploit.CVE-2012-4681.R trojan
C:\Documents and Settings\greg\Local Settings\Temp\jar_cache2300905826359484335.tmp » ZIP » aKePuo.class - a variant of Java/Exploit.CVE-2012-4681.AY trojan
C:\Documents and Settings\greg\Local Settings\Temp\jar_cache2646151926652220853.tmp » ZIP » aWAiRxfyO.class - a variant of Java/Exploit.CVE-2012-4681.BD trojan
C:\Documents and Settings\greg\Local Settings\Temp\jar_cache5323458470112954663.tmp » ZIP » hw.class - a variant of Java/Exploit.CVE-2012-1723.CQ trojan
C:\Documents and Settings\greg\Local Settings\Temp\jar_cache5323458470112954663.tmp » ZIP » chcyih.class - a variant of Java/Exploit.CVE-2012-1723.CP trojan
C:\Documents and Settings\greg\Local Settings\Temp\jar_cache6440716938464614.tmp » ZIP » TwKxs.class - a variant of Java/Exploit.CVE-2012-4681.BI trojan
C:\Documents and Settings\greg\Local Settings\Temp\jar_cache7023810396750097292.tmp » ZIP » ISoH.class - a variant of Java/Exploit.CVE-2012-4681.BI trojan
C:\Documents and Settings\greg\Local Settings\Temp\jar_cache8133281217361035814.tmp » ZIP » aWAiRxfyO.class - a variant of Java/Exploit.CVE-2012-4681.BD trojan
C:\Documents and Settings\greg\Local Settings\Temp\jar_cache8727750998625741788.tmp » ZIP » ISoH.class - a variant of Java/Exploit.CVE-2012-4681.BI trojan
C:\Documents and Settings\greg\Local Settings\Temp\jar_cache8995035379384165585.tmp » ZIP » QmoFEtnxa.class - a variant of Java/Exploit.CVE-2012-4681.BI trojan
C:\Documents and Settings\greg\Local Settings\Temp\jar_cache9128425672210591734.tmp » ZIP » pevDqpw.class - a variant of Java/Exploit.CVE-2012-4681.BI trojan


I deleted all of the above and then rescanned, after which my system appears to be clean of the above viruses at least.

However, given the unusual behavior my system seems to be exhibiting (as detailed in my opening comments above) can someone here walk me through a check by check process to make sure I haven't missed something?

I'm not sure where to start (ie: with whatever software) and certainly have no clue how to interpret any results such software might return, and as such would really appreciate a pro walking me through the process you guys seem to use.

Something has definitely changed and I would just like to know if I have any nasties lurking around that might have been missed.

I can check into this thread as required.


Many thanks.
  • 0

Advertisements


#2
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




I need to get some reports to get a base to start from so I need you to run these programs first.


-DeFogger-

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.


-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


-Download DDS-

  • Please download DDS from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3


    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

information and logs

  • In your next post I need the following

  • both reports from DDS
  • report from security check
  • let me know of any problems you may have had

Gringo

  • 0

#3
MINT2012

MINT2012

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi Gringo, many thanks for the help.

Please find below:

1) Defogger log
2) Security check log
3) DDS.txt
4) Attach.txt


----BEGIN DEFOGGER LOG---

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 06:09 on 13/11/2012 (greg)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-


----END DEFOGGER LOG---


----BEGIN SECURITY CHECK LOG----

Results of screen317's Security Check version 0.99.54
Windows XP Service Pack 2 x86
Out of date service pack!!
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
ESET NOD32 Antivirus
Sygate Personal Firewall
`````````Anti-malware/Other Utilities Check:`````````
MVPS Hosts File
Spybot - Search & Destroy
Java™ 6 Update 37
Java version out of Date!
Adobe Flash Player 11.5.502.110
Adobe Reader X (10.1.4)
Mozilla Firefox (16.0.2)
````````Process Check: objlist.exe by Laurent````````
ESET NOD32 Antivirus egui.exe
ESET NOD32 Antivirus ekrn.exe
greg My Documents Downloads Programs\Antivirus_Malware_Removal_detail\SecurityCheck.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 20% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````


---END SECURITY CHECK LOG---


---BEGIN DDS.TXT----

DDS (Ver_2012-11-07.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_37
Run by greg at 6:16:56 on 2012-11-13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.767.222 [GMT 0:00]
.
AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Sygate Personal Firewall *Enabled*
.
============== Running Processes ================
.
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Winamp\winamp.exe
C:\TOR_BB\Tor Browser\App\vidalia.exe
C:\TOR_BB\Tor Browser\App\tor.exe
C:\TOR_BB\Tor Browser\FirefoxPortable\App\Firefox\tbb-firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.sony-europe.com/
uProxyServer = localhost:4001
BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft

shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program

files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common

files\adobe\calibration\Adobe Gamma Loader.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search &

destroy\SDHelper.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 93.182.129.84 93.182.120.84
TCP: Interfaces\{2F8DCD41-7D50-404C-82F2-39C754FEDCF24} : DHCPNameServer = 93.182.129.84 93.182.120.84
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\greg\application data\mozilla\firefox\profiles\p18iira9.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\greg\application data\idm\idmmzcc3\components\idmmzcc.dll
FF - component: c:\documents and settings\greg\application data\mozilla\firefox\profiles\p18iira9.default\extensions\screencaptureelite@plugin\platform\winnt_x86-msvc\components\SCEFF3

Client.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_110.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2012-10-18 05:39; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF - ExtSQL: 2012-11-05 22:03; {5F590AA2-1221-4113-A6F4-A4BB62414FAC}; c:\documents and settings\greg\application data\mozilla\firefox\profiles\p18iira9.default\extensions\{5F590AA2-1221-4113-A6F4-A4BB62414FAC}.xpi
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-7-29 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-8-3 95896]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2012-8-28 109768]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-11-4 810144]
S2 CronService;Cron Service for Prey;"c:\prey\platform\windows\cronsvc.exe" --> c:\prey\platform\windows\cronsvc.exe [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S4 vsdatant;vsdatant; [x]
.
=============== File Associations ===============
.
ShellExec: Photoshop.exe: open=c:\program files\adobe\photoshop 7.0\Photoshop.exe
ShellExec: PhotoshopElements.exe: open=c:\program files\adobe\photoshop elements 2\PhotoshopElements.exe
.
=============== Created Last 30 ================
.
2012-11-09 04:39:21 -------- d-----w- c:\documents and settings\greg\local settings\application data\Help
2012-11-04 05:36:04 1409 ----a-w- c:\windows\QTFont.for
2012-11-03 01:16:15 96224 ----a-w- c:\program files\mozilla firefox\webapprt-stub.exe
2012-11-03 01:16:15 157272 ----a-w- c:\program files\mozilla firefox\webapp-uninstaller.exe
2012-11-02 05:18:16 -------- d-----w- C:\photoshop_stuff
2012-10-18 09:57:16 -------- d-----w- C:\TXT
.
==================== Find3M ====================
.
2012-11-08 05:47:30 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-08 05:47:30 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-24 14:32:24 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-24 14:32:20 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-24 12:51:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 6:17:40.65 ===============


----END DDS.TXT----


---BEGIN ATTACH.TXT---

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-07.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 02/12/2010 18:58:24
System Uptime: 12/11/2012 22:11:28 (8 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | A7N266VX
Processor: AMD Athlon™ XP 2800+ | SOCKET A | 2127/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 28 GiB total, 1.329 GiB free.
D: is FIXED (NTFS) - 84 GiB total, 0.55 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is FIXED (NTFS) - 466 GiB total, 201.367 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP653: 16/08/2012 23:49:23 - System Checkpoint
RP654: 18/08/2012 00:20:23 - System Checkpoint
RP655: 19/08/2012 02:10:00 - System Checkpoint
RP656: 20/08/2012 03:02:57 - System Checkpoint
RP657: 21/08/2012 03:51:36 - System Checkpoint
RP658: 22/08/2012 21:24:28 - System Checkpoint
RP659: 23/08/2012 00:54:10 - Restore Operation
RP660: 23/08/2012 00:59:49 - Restore Operation
RP661: 24/08/2012 02:09:32 - System Checkpoint
RP662: 25/08/2012 04:13:08 - System Checkpoint
RP663: 26/08/2012 19:30:02 - System Checkpoint
RP664: 28/08/2012 20:21:53 - System Checkpoint
RP665: 30/08/2012 03:35:40 - System Checkpoint
RP666: 30/08/2012 23:30:42 - Installed Java™ 6 Update 35
RP667: 01/09/2012 00:51:54 - System Checkpoint
RP668: 02/09/2012 03:31:08 - System Checkpoint
RP669: 03/09/2012 17:33:44 - System Checkpoint
RP670: 04/09/2012 20:12:22 - System Checkpoint
RP671: 06/09/2012 00:08:34 - System Checkpoint
RP672: 07/09/2012 00:11:35 - System Checkpoint
RP673: 08/09/2012 14:59:17 - System Checkpoint
RP674: 09/09/2012 23:52:38 - System Checkpoint
RP675: 11/09/2012 02:06:20 - System Checkpoint
RP676: 12/09/2012 22:38:38 - System Checkpoint
RP677: 14/09/2012 02:57:41 - System Checkpoint
RP678: 15/09/2012 15:46:34 - System Checkpoint
RP679: 16/09/2012 19:57:11 - System Checkpoint
RP680: 18/09/2012 01:32:18 - System Checkpoint
RP681: 19/09/2012 02:14:09 - System Checkpoint
RP682: 20/09/2012 03:23:17 - System Checkpoint
RP683: 21/09/2012 16:31:03 - System Checkpoint
RP684: 23/09/2012 02:11:08 - System Checkpoint
RP685: 24/09/2012 19:49:36 - System Checkpoint
RP686: 25/09/2012 23:45:24 - System Checkpoint
RP687: 27/09/2012 16:53:26 - System Checkpoint
RP688: 28/09/2012 16:54:34 - System Checkpoint
RP689: 30/09/2012 02:27:16 - System Checkpoint
RP690: 01/10/2012 18:52:19 - System Checkpoint
RP691: 02/10/2012 19:25:21 - System Checkpoint
RP692: 03/10/2012 23:01:10 - System Checkpoint
RP693: 04/10/2012 23:14:08 - System Checkpoint
RP694: 07/10/2012 03:51:32 - System Checkpoint
RP695: 08/10/2012 23:40:00 - System Checkpoint
RP696: 09/10/2012 23:44:33 - System Checkpoint
RP697: 11/10/2012 02:27:07 - System Checkpoint
RP698: 12/10/2012 17:50:43 - System Checkpoint
RP699: 14/10/2012 02:06:04 - System Checkpoint
RP700: 15/10/2012 20:20:39 - System Checkpoint
RP701: 16/10/2012 22:26:26 - System Checkpoint
RP702: 18/10/2012 00:17:42 - System Checkpoint
RP703: 18/10/2012 05:38:15 - Installed Java™ 6 Update 37
RP704: 19/10/2012 16:28:12 - System Checkpoint
RP705: 21/10/2012 00:39:27 - System Checkpoint
RP706: 22/10/2012 00:40:17 - System Checkpoint
RP707: 23/10/2012 22:19:08 - System Checkpoint
RP708: 24/10/2012 23:12:55 - System Checkpoint
RP709: 26/10/2012 18:22:23 - System Checkpoint
RP710: 28/10/2012 02:00:08 - System Checkpoint
RP711: 29/10/2012 22:19:57 - System Checkpoint
RP712: 30/10/2012 22:36:38 - System Checkpoint
RP713: 01/11/2012 00:02:25 - System Checkpoint
RP714: 02/11/2012 18:49:02 - System Checkpoint
RP715: 03/11/2012 23:08:19 - System Checkpoint
RP716: 06/11/2012 03:02:21 - System Checkpoint
RP717: 08/11/2012 05:39:01 - System Checkpoint
RP718: 10/11/2012 03:30:30 - System Checkpoint
RP719: 12/11/2012 00:20:53 - System Checkpoint
RP720: 13/11/2012 02:07:58 - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Photoshop 7.0
Adobe Photoshop Elements 2.0
Adobe Premiere 6 LE
Adobe Reader X (10.1.4)
Agere Systems AC'97 Modem
µTorrent
Byki
Byki Express
Canon CanoScan Toolbox 4.1
ESET NOD32 Antivirus
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB981793)
Internet Download Manager
IrfanView (remove only)
ISP Selector
ISP Selector (English)
JAP
Java Auto Updater
Java™ 6 Update 37
Junk Mail filter update
Manual CanoScan 3000,3000F
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Choice Guard
Mozilla Firefox 16.0.2 (x86 en-GB)
Mozilla Maintenance Service
MSVCRT
NVIDIA Windows 2000/XP Display Drivers
Opera 11.01
PowerDVD
QuickTime
RealOne Player
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Segoe UI
Sony DV Shared Library
Sothink FLV Player
SoulSeek 157 NS 13e
SpeedFan (remove only)
Spybot - Search & Destroy
Sygate Personal Firewall
TextPad 5
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB938828)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VAIO BrightColor Wallpaper
VAIO DeepSea Wallpaper
VAIO Online Registration (English)
VAIO System Information
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.1.5
VOR
WebFldrs XP
Winamp
Winamp Detector Plug-in
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
Xvid 1.2.2 final uninstall
.
==== Event Viewer Messages From Past Week ========
.
09/11/2012 17:05:49, error: Service Control Manager [7038] - The SSDPSRV service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: Access is denied. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
09/11/2012 17:05:49, error: Service Control Manager [7000] - The SSDP Discovery Service service failed to start due to the following error: The service did not start due to a logon failure.
09/11/2012 00:28:36, error: Dhcp [1002] - The IP address lease 196.148.120.10 for the Network Card with network address 000C6E6E8C30 has been denied by the DHCP server 30.18.136.172 (The DHCP Server sent a DHCPNACK message).
09/11/2012 00:27:55, error: Dhcp [1002] - The IP address lease 204.8.156.142 for the Network Card with network address 000C6E6E8C30 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
08/11/2012 05:51:40, error: Service Control Manager [7000] - The Cron Service for Prey service failed to start due to the following error: The system cannot find the path specified.
08/11/2012 05:11:27, error: Service Control Manager [7038] - The ALG service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: Access is denied. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
08/11/2012 05:11:27, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not start due to a logon failure.
.
==== End Of File ===========================


---END ATTACH.TXT---

Edited by MINT2012, 13 November 2012 - 01:22 AM.

  • 0

#4
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello


These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.


-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+

Gringo
  • 0

#5
MINT2012

MINT2012

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi Gringo,

I've performed the AdwCleaner phase and have a log for that. Unfortunately, I cannot seem to get RogueKiller to run with any success.

I double click the RogueKiller.exe file, the prescan begins, and at around the two or three second mark, RK crashes and the PC goes into a reboot. I've tried to run it four times now (and been sure to delete temp files etc) still with no luck.

I made sure to have my browsers and media player closed, and also unplugged the external drive as requested.

Things went a little intense after the reboots caused by RK, I couldn't even get onto the geekstogo forum?? However, things seem to have settled down a bit after I cleared the temp cache and restarted the PC.

Can you advise?

In the meantime, as requested, here is the AdvCleaner log:

--- BEGIN AdvCLEANER LOG----

# AdwCleaner v2.007 - Logfile created 11/13/2012 at 09:49:56
# Updated 06/11/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 2 (32 bits)
# User : greg - YOUR-JIKOHAXMOT
# Boot Mode : Normal
# Running from : C:\Documents and Settings\greg\My Documents\Downloads\Programs\Antivirus_Malware_Removal_detail\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.2 (en-GB)

Profile name : default
File : C:\Documents and Settings\greg\Application Data\Mozilla\Firefox\Profiles\p18iira9.default\prefs.js

[OK] File is clean.

-\\ Opera v11.1.1190.0

File : C:\Documents and Settings\greg\Application Data\Opera\Opera\operaprefs.ini

Deleted : application/x-winampx-1.0.0.1=6,,C:\Program Files\Mozilla Firefox\plugins\npwachk.dll,Winamp Applica[...]
Deleted : application/x-winampx-1.0.0.1=,0

*************************

AdwCleaner[S1].txt - [1965 octets] - [13/11/2012 09:49:56]

########## EOF - C:\AdwCleaner[S1].txt - [2025 octets] ##########


---- END AdvCLEANER LOG-----

Edited by MINT2012, 13 November 2012 - 07:02 AM.

  • 0

#6
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello MINT2012

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
  • 0

#7
MINT2012

MINT2012

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi Gringo,

The combofix scan seems to have gone well (log below) and I did read all the instructions three times before beginning, but - being a bit of a dolt - I did still initially forget to turn off the NOD32. ComboFix reminded me to, and then I did turn it off, so I think it's fine? If it isn't and I messed it up, let me know so I can perform another scan if needed?

The scan appeared to go well though, I told Combofix to download the "recovery update" thing from Microsoft.

Can you let me know if it's ok to reboot now, or do I have to do anything else with Combofix before rebooting?

Here is the log:


---BEGIN COMBOFIX LOG----

ComboFix 12-11-13.02 - greg 14/11/2012 2:36.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.767.515 [GMT 0:00]
Running from: c:\documents and settings\greg\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Sygate Personal Firewall *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\greg\WINDOWS
c:\windows\help\wmplayer.bak
c:\windows\system32\_000041_.tmp
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\dllcache\wmpvis.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-10-14 to 2012-11-14 )))))))))))))))))))))))))))))))
.
.
2012-11-13 10:47 . 2012-11-13 10:47 14336 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-11-09 04:39 . 2012-11-09 04:39 -------- d-----w- c:\documents and settings\greg\Local Settings\Application Data\Help
2012-11-04 05:36 . 2012-11-04 05:36 1409 ----a-w- c:\windows\QTFont.for
2012-11-02 05:18 . 2012-11-03 07:30 -------- d-----w- C:\photoshop_stuff
2012-10-18 09:57 . 2012-10-18 09:59 -------- d-----w- C:\TXT
2012-10-18 04:39 . 2012-10-18 04:39 -------- d-----w- c:\program files\Common Files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-08 05:47 . 2012-04-01 15:14 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-08 05:47 . 2011-05-17 11:26 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-24 14:32 . 2012-06-28 18:52 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-24 14:32 . 2011-03-01 20:57 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-24 12:51 . 2012-06-28 18:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-11-03 01:16 . 2012-11-03 01:15 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-02-08 00:49 22376 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2012-08-29 3519936]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-04-02 4616192]
"nwiz"="nwiz.exe" [2003-04-02 323584]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 88107]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-12-02 74752]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-11-04 2219184]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [N/A]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\OperaTor-3.5_dl1\\OperaTor\\Opera\\opera.exe"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [29/07/2010 12:31 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [03/08/2010 12:28 95896]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [28/08/2012 13:01 109768]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [04/11/2010 17:15 810144]
S2 CronService;Cron Service for Prey;"c:\prey\platform\windows\cronsvc.exe" --> c:\prey\platform\windows\cronsvc.exe [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.sony-europe.com/
uInternet Settings,ProxyServer = localhost:4001
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
TCP: DhcpNameServer = 93.182.129.84 93.182.120.84
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\greg\Application Data\Mozilla\Firefox\Profiles\p18iira9.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-10-18 05:39; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF - ExtSQL: 2012-11-05 22:03; {5F590AA2-1221-4113-A6F4-A4BB62414FAC}; c:\documents and settings\greg\Application Data\Mozilla\Firefox\Profiles\p18iira9.default\extensions\{5F590AA2-1221-4113-A6F4-A4BB62414FAC}.xpi
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-14 02:42
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):47,64,2c,7f,33,3b,e6,38,56,d3,93,e7,17,bd,8b,9c,70,05,36,5f,33,
9a,5b,e7,b4,19,96,41,88,41,45,ee,70,08,61,49,6a,a5,79,f7,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{d791543b-fcc3-4788-93c1-2ef53ff61e39}]
@Denied: (Full) (Everyone)
"Model"=dword:00000065
"Therad"=dword:00000015
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2012-11-14 02:44:23
ComboFix-quarantined-files.txt 2012-11-14 02:44
.
Pre-Run: 1,628,819,456 bytes free
Post-Run: 1,860,132,864 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 59D1B303B8F07764F91262296B57C4C6


---END COMBOFIX LOG----

As far as the computer seems to be going, the videos on the sites I am having issues with seem to have improved a lot, I'd say around 50% improvement, far less jittery. The browser on some sites is better, but still a little sticky. But yeah, overall I think things are definitely getting there.

I also made note of the "things to do" in the red text. Do I do them as I go or wait until the process is over? ie: should I just update Java now or wait until the checks are all complete? I did mean to ask yesterday.
  • 0

#8
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Greetings

update XP to SP3 when we are done and I will get to Java a little later

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo
  • 0

#9
MINT2012

MINT2012

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Both logs as requested and two questions:

Q) After the aswMBR scan had completed, one of the options is "FIX MBR" do I have to click that or not? So far I have just clicked "Save log". Can you le me know either way so I can shut down the aswMBR window, thanks.

Q) Is it ok to reboot the computer and also plug my external drive back in yet? Not sure when I can/am meant to do that, thanks.

Here are the logs:

----BEGIN TDSSKILLER LOG---

03:25:51.0593 0192 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
03:25:51.0953 0192 ============================================================
03:25:51.0953 0192 Current date / time: 2012/11/14 03:25:51.0953
03:25:51.0953 0192 SystemInfo:
03:25:51.0953 0192
03:25:51.0953 0192 OS Version: 5.1.2600 ServicePack: 2.0
03:25:51.0953 0192 Product type: Workstation
03:25:51.0953 0192 ComputerName: YOUR-JIKOHAXMOT
03:25:51.0953 0192 UserName: greg
03:25:51.0953 0192 Windows directory: C:\WINDOWS
03:25:51.0953 0192 System windows directory: C:\WINDOWS
03:25:51.0953 0192 Processor architecture: Intel x86
03:25:51.0953 0192 Number of processors: 1
03:25:51.0953 0192 Page size: 0x1000
03:25:51.0953 0192 Boot type: Normal boot
03:25:51.0953 0192 ============================================================
03:25:53.0390 0192 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
03:25:53.0406 0192 ============================================================
03:25:53.0406 0192 \Device\Harddisk0\DR0:
03:25:53.0437 0192 MBR partitions:
03:25:53.0437 0192 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x37E3E01
03:25:53.0453 0192 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x37E3E7F, BlocksNum 0xA7AF942
03:25:53.0453 0192 ============================================================
03:25:53.0484 0192 C: <-> \Device\Harddisk0\DR0\Partition1
03:25:54.0140 0192 D: <-> \Device\Harddisk0\DR0\Partition2
03:25:54.0140 0192 ============================================================
03:25:54.0140 0192 Initialize success
03:25:54.0140 0192 ============================================================
03:26:03.0062 1756 ============================================================
03:26:03.0062 1756 Scan started
03:26:03.0062 1756 Mode: Manual;
03:26:03.0062 1756 ============================================================
03:26:04.0218 1756 ================ Scan system memory ========================
03:26:05.0328 1756 System memory - ok
03:26:05.0328 1756 ================ Scan services =============================
03:26:05.0468 1756 Abiosdsk - ok
03:26:05.0484 1756 abp480n5 - ok
03:26:05.0531 1756 [ A10C7534F7223F4A73A948967D00E69B ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
03:26:05.0531 1756 ACPI - ok
03:26:05.0578 1756 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
03:26:05.0609 1756 ACPIEC - ok
03:26:05.0625 1756 adpu160m - ok
03:26:05.0656 1756 [ 1EE7B434BA961EF845DE136224C30FEC ] aec C:\WINDOWS\system32\drivers\aec.sys
03:26:05.0687 1756 aec - ok
03:26:05.0718 1756 [ 55E6E1C51B6D30E54335750955453702 ] AFD C:\WINDOWS\System32\drivers\afd.sys
03:26:05.0734 1756 AFD - ok
03:26:05.0812 1756 [ 58041495E6D3650C02B1AEC525D24089 ] AgereSoftModem C:\WINDOWS\system32\DRIVERS\AGRSM.sys
03:26:05.0890 1756 AgereSoftModem - ok
03:26:05.0906 1756 Aha154x - ok
03:26:05.0921 1756 aic78u2 - ok
03:26:05.0937 1756 aic78xx - ok
03:26:05.0984 1756 [ C7AE0FD3867DB0D42B03B73C18F3D671 ] Alerter C:\WINDOWS\system32\alrsvc.dll
03:26:05.0984 1756 Alerter - ok
03:26:06.0015 1756 [ F1958FBF86D5C004CF19A5951A9514B7 ] ALG C:\WINDOWS\System32\alg.exe
03:26:06.0031 1756 ALG - ok
03:26:06.0046 1756 AliIde - ok
03:26:06.0078 1756 [ 680AD1C1BB16239E28D8F33A54A7A3C7 ] AmdK7 C:\WINDOWS\system32\DRIVERS\amdk7.sys
03:26:06.0125 1756 AmdK7 - ok
03:26:06.0140 1756 amsint - ok
03:26:06.0156 1756 AppMgmt - ok
03:26:06.0203 1756 [ F0D692B0BFFB46E30EB3CEA168BBC49F ] Arp1394 C:\WINDOWS\system32\DRIVERS\arp1394.sys
03:26:06.0250 1756 Arp1394 - ok
03:26:06.0265 1756 asc - ok
03:26:06.0281 1756 asc3350p - ok
03:26:06.0296 1756 asc3550 - ok
03:26:06.0390 1756 [ D33C507942299753868204CC7642FA27 ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
03:26:06.0406 1756 aspnet_state - ok
03:26:06.0421 1756 [ 02000ABF34AF4C218C35D257024807D6 ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
03:26:06.0453 1756 AsyncMac - ok
03:26:06.0484 1756 [ CDFE4411A69C224BD1D11B2DA92DAC51 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
03:26:06.0484 1756 atapi - ok
03:26:06.0500 1756 Atdisk - ok
03:26:06.0546 1756 [ EC88DA854AB7D7752EC8BE11A741BB7F ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
03:26:06.0578 1756 Atmarpc - ok
03:26:06.0609 1756 [ DB66DB626E4882EBEF55F136F12C1829 ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
03:26:06.0640 1756 AudioSrv - ok
03:26:06.0671 1756 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
03:26:06.0703 1756 audstub - ok
03:26:06.0734 1756 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
03:26:06.0781 1756 Beep - ok
03:26:06.0828 1756 [ 2C69EC7E5A311334D10DD95F338FCCEA ] BITS C:\WINDOWS\system32\qmgr.dll
03:26:06.0875 1756 BITS - ok
03:26:06.0906 1756 [ E3CFCCDDA4EDD1D0DC9168B2E18F27B8 ] Browser C:\WINDOWS\System32\browser.dll
03:26:06.0921 1756 Browser - ok
03:26:07.0015 1756 catchme - ok
03:26:07.0046 1756 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
03:26:07.0078 1756 cbidf2k - ok
03:26:07.0109 1756 [ 6163ED60B684BAB19D3352AB22FC48B2 ] CCDECODE C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
03:26:07.0156 1756 CCDECODE - ok
03:26:07.0171 1756 cd20xrnt - ok
03:26:07.0203 1756 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
03:26:07.0234 1756 Cdaudio - ok
03:26:07.0265 1756 [ CD7D5152DF32B47F4E36F710B35AAE02 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
03:26:07.0296 1756 Cdfs - ok
03:26:07.0328 1756 [ AF9C19B3100FE010496B1A27181FBF72 ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
03:26:07.0375 1756 Cdrom - ok
03:26:07.0390 1756 Changer - ok
03:26:07.0437 1756 [ 3192BD04D032A9C4A85A3278C268A13A ] CiSvc C:\WINDOWS\system32\cisvc.exe
03:26:07.0437 1756 CiSvc - ok
03:26:07.0468 1756 [ C8DEC22C4137D7A90F8BDF41CA4B82AE ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
03:26:07.0468 1756 ClipSrv - ok
03:26:07.0500 1756 [ 3C4D595E7F9B747325AEF28B4ADCAAE5 ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
03:26:07.0593 1756 clr_optimization_v2.0.50727_32 - ok
03:26:07.0609 1756 CmdIde - ok
03:26:07.0625 1756 COMSysApp - ok
03:26:07.0656 1756 Cpqarray - ok
03:26:07.0671 1756 CronService - ok
03:26:07.0703 1756 [ 10654F9DDCEA9C46CFB77554231BE73B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
03:26:07.0718 1756 CryptSvc - ok
03:26:07.0734 1756 dac2w2k - ok
03:26:07.0750 1756 dac960nt - ok
03:26:07.0796 1756 [ 01095FEBF33BEEA00C2A0730B9B3EC28 ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
03:26:07.0828 1756 DcomLaunch - ok
03:26:07.0859 1756 [ EF545E1A4B043DA4C84E230DD471C55F ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
03:26:07.0890 1756 Dhcp - ok
03:26:07.0937 1756 [ 00CA44E4534865F8A3B64F7C0984BFF0 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
03:26:07.0953 1756 Disk - ok
03:26:07.0968 1756 dmadmin - ok
03:26:08.0015 1756 [ C0FBB516E06E243F0CF31F597E7EBF7D ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
03:26:08.0078 1756 dmboot - ok
03:26:08.0125 1756 [ 526192BF7696F72E29777BF4A180513A ] DMICall C:\WINDOWS\system32\DRIVERS\DMICall.sys
03:26:08.0156 1756 DMICall - ok
03:26:08.0203 1756 [ F5E7B358A732D09F4BCF2824B88B9E28 ] dmio C:\WINDOWS\system32\drivers\dmio.sys
03:26:08.0234 1756 dmio - ok
03:26:08.0265 1756 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
03:26:08.0296 1756 dmload - ok
03:26:08.0328 1756 [ 1639D9964C9E1B2ECCA95C8217D3E70D ] dmserver C:\WINDOWS\System32\dmserver.dll
03:26:08.0375 1756 dmserver - ok
03:26:08.0406 1756 [ A6F881284AC1150E37D9AE47FF601267 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
03:26:08.0406 1756 DMusic - ok
03:26:08.0453 1756 [ AAC8FFBFD61E784FA3BAC851D4A0BD5F ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
03:26:08.0453 1756 Dnscache - ok
03:26:08.0468 1756 dpti2o - ok
03:26:08.0500 1756 [ 1ED4DBBAE9F5D558DBBA4CC450E3EB2E ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
03:26:08.0546 1756 drmkaud - ok
03:26:08.0593 1756 [ 1CEB779239965000B8F6ADEE17D4515B ] eamon C:\WINDOWS\system32\DRIVERS\eamon.sys
03:26:08.0625 1756 eamon - ok
03:26:08.0671 1756 [ 7D300A43A7BD8769E0F901BF9E1AE367 ] ehdrv C:\WINDOWS\system32\DRIVERS\ehdrv.sys
03:26:08.0718 1756 ehdrv - ok
03:26:08.0781 1756 [ 1CD97C1DE1EA4C185D2B3FAC1F8513ED ] EhttpSrv C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
03:26:08.0781 1756 EhttpSrv - ok
03:26:08.0828 1756 [ E6A6E6D58A8DCB64A0FFBC43863D0A80 ] ekrn C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
03:26:08.0859 1756 ekrn - ok
03:26:08.0890 1756 [ ECD5F68E32FF5C6A728EB03DC892AE7F ] epfwtdir C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
03:26:08.0953 1756 epfwtdir - ok
03:26:08.0984 1756 [ 67DFF7BBBD0E80AAB7B3CF061448DB8A ] ERSvc C:\WINDOWS\System32\ersvc.dll
03:26:08.0984 1756 ERSvc - ok
03:26:09.0031 1756 [ 37561F8D4160D62DA86D24AE41FAE8DE ] Eventlog C:\WINDOWS\system32\services.exe
03:26:09.0031 1756 Eventlog - ok
03:26:09.0078 1756 [ 60D1A6342238378BFB7545C81EE3606C ] EventSystem C:\WINDOWS\System32\es.dll
03:26:09.0093 1756 EventSystem - ok
03:26:09.0109 1756 [ 3117F595E9615E04F05A54FC15A03B20 ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
03:26:09.0140 1756 Fastfat - ok
03:26:09.0187 1756 [ 6815DEF9B810AEFAC107EEAF72DA6F82 ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
03:26:09.0203 1756 FastUserSwitchingCompatibility - ok
03:26:09.0234 1756 [ CED2E8396A8838E59D8FD529C680E02C ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys
03:26:09.0265 1756 Fdc - ok
03:26:09.0296 1756 [ E153AB8A11DE5452BCF5AC7652DBF3ED ] Fips C:\WINDOWS\system32\drivers\Fips.sys
03:26:09.0296 1756 Fips - ok
03:26:09.0328 1756 [ 0DD1DE43115B93F4D85E889D7A86F548 ] Flpydisk C:\WINDOWS\system32\DRIVERS\flpydisk.sys
03:26:09.0359 1756 Flpydisk - ok
03:26:09.0390 1756 [ 3D234FB6D6EE875EB009864A299BEA29 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
03:26:09.0437 1756 FltMgr - ok
03:26:09.0468 1756 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
03:26:09.0500 1756 Fs_Rec - ok
03:26:09.0531 1756 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
03:26:09.0593 1756 Ftdisk - ok
03:26:09.0625 1756 [ 77EBF3E9386DAA51551AF429052D88D0 ] giveio C:\WINDOWS\system32\giveio.sys
03:26:09.0640 1756 giveio - ok
03:26:09.0671 1756 [ C0F1D4A21DE5A415DF8170616703DEBF ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
03:26:09.0703 1756 Gpc - ok
03:26:09.0750 1756 [ 8827911A8C37E40C027CBFC88E69D967 ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
03:26:09.0765 1756 helpsvc - ok
03:26:09.0796 1756 [ 9376E6893E52B368ABC6255BF54F0B28 ] HidServ C:\WINDOWS\System32\hidserv.dll
03:26:09.0812 1756 HidServ - ok
03:26:09.0843 1756 [ 1DE6783B918F540149AA69943BDFEBA8 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys
03:26:09.0875 1756 HidUsb - ok
03:26:09.0875 1756 hpn - ok
03:26:09.0921 1756 [ 9F8B0F4276F618964FD118BE4289B7CD ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
03:26:09.0937 1756 HTTP - ok
03:26:09.0968 1756 [ 064D8581ADF77C25133E7D751D917D83 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
03:26:09.0984 1756 HTTPFilter - ok
03:26:10.0000 1756 i2omgmt - ok
03:26:10.0015 1756 i2omp - ok
03:26:10.0031 1756 [ 5502B58EEF7486EE6F93F3F164DCB808 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
03:26:10.0062 1756 i8042prt - ok
03:26:10.0109 1756 [ AC691CF57CA00169D59F86661EDE60CC ] IDMTDI C:\WINDOWS\system32\DRIVERS\idmtdi.sys
03:26:10.0156 1756 IDMTDI - ok
03:26:10.0187 1756 [ F8AA320C6A0409C0380E5D8A99D76EC6 ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
03:26:10.0234 1756 Imapi - ok
03:26:10.0281 1756 [ FA788520BCAC0F5D9D5CDE5615C0D931 ] ImapiService C:\WINDOWS\system32\imapi.exe
03:26:10.0296 1756 ImapiService - ok
03:26:10.0312 1756 ini910u - ok
03:26:10.0328 1756 IntelIde - ok
03:26:10.0375 1756 [ 4448006B6BC60E6C027932CFC38D6855 ] ip6fw C:\WINDOWS\system32\drivers\ip6fw.sys
03:26:10.0406 1756 ip6fw - ok
03:26:10.0453 1756 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
03:26:10.0500 1756 IpFilterDriver - ok
03:26:10.0531 1756 [ E1EC7F5DA720B640CD8FB8424F1B14BB ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
03:26:10.0562 1756 IpInIp - ok
03:26:10.0609 1756 [ E2168CBC7098FFE963C6F23F472A3593 ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
03:26:10.0625 1756 IpNat - ok
03:26:10.0640 1756 [ 64537AA5C003A6AFEEE1DF819062D0D1 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
03:26:10.0687 1756 IPSec - ok
03:26:10.0718 1756 [ 50708DAA1B1CBB7D6AC1CF8F56A24410 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
03:26:10.0750 1756 IRENUM - ok
03:26:10.0796 1756 [ E504F706CCB699C2596E9A3DA1596E87 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
03:26:10.0828 1756 isapnp - ok
03:26:10.0890 1756 [ 691B9B7C0CC1653732717D292D6B305D ] JavaQuickStarterService C:\Program Files\Java\jre6\bin\jqs.exe
03:26:10.0890 1756 JavaQuickStarterService - ok
03:26:10.0906 1756 [ EBDEE8A2EE5393890A1ACEE971C4C246 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
03:26:10.0953 1756 Kbdclass - ok
03:26:10.0984 1756 [ E182FA8E49E8EE41B4ADC53093F3C7E6 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
03:26:11.0015 1756 kbdhid - ok
03:26:11.0046 1756 [ BA5DEDA4D934E6288C2F66CAF58D2562 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
03:26:11.0093 1756 kmixer - ok
03:26:11.0140 1756 [ 674D3E5A593475915DC6643317192403 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
03:26:11.0156 1756 KSecDD - ok
03:26:11.0203 1756 [ 0CB3AF149A0BAC0836022CA307C7A0F8 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
03:26:11.0203 1756 lanmanserver - ok
03:26:11.0250 1756 [ E1F27CFCD114EC9F1E1F44674B2FF9F0 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
03:26:11.0250 1756 lanmanworkstation - ok
03:26:11.0265 1756 Lavasoft Kernexplorer - ok
03:26:11.0281 1756 lbrtfdc - ok
03:26:11.0328 1756 [ B3EFF6D938C572E90A07B3D87A3C7657 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
03:26:11.0328 1756 LmHosts - ok
03:26:11.0359 1756 [ 95FD808E4AC22ABA025A7B3EAC0375D2 ] Messenger C:\WINDOWS\System32\msgsvc.dll
03:26:11.0375 1756 Messenger - ok
03:26:11.0406 1756 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
03:26:11.0437 1756 mnmdd - ok
03:26:11.0484 1756 [ F6415361201915B9FE3896B0E4E724FF ] mnmsrvc C:\WINDOWS\System32\mnmsrvc.exe
03:26:11.0484 1756 mnmsrvc - ok
03:26:11.0531 1756 [ 6FC6F9D7ACC36DCA9B914565A3AEDA05 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
03:26:11.0531 1756 Modem - ok
03:26:11.0546 1756 [ 34E1F0031153E491910E12551400192C ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
03:26:11.0578 1756 Mouclass - ok
03:26:11.0609 1756 [ 65653F3B4477F3C63E68A9659F85EE2E ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
03:26:11.0640 1756 MountMgr - ok
03:26:11.0703 1756 [ 8BE15F71DE6FF33FC56DCDE7B2B9EFE8 ] MozillaMaintenance C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
03:26:11.0703 1756 MozillaMaintenance - ok
03:26:11.0718 1756 mraid35x - ok
03:26:11.0765 1756 [ 29414447EB5BDE2F8397DC965DBB3156 ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
03:26:11.0812 1756 MRxDAV - ok
03:26:11.0859 1756 [ FB6C89BB3CE282B08BDB1E3C179E1C39 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
03:26:11.0921 1756 MRxSmb - ok
03:26:11.0968 1756 [ C7C3D89EB0A6F3DBA622EA737FA335B1 ] MSDTC C:\WINDOWS\System32\msdtc.exe
03:26:11.0984 1756 MSDTC - ok
03:26:12.0015 1756 [ 561B3A4333CA2DBDBA28B5B956822519 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
03:26:12.0046 1756 Msfs - ok
03:26:12.0062 1756 MSIServer - ok
03:26:12.0093 1756 [ AE431A8DD3C1D0D0610CDBAC16057AD0 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
03:26:12.0125 1756 MSKSSRV - ok
03:26:12.0140 1756 [ 13E75FEF9DFEB08EEDED9D0246E1F448 ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
03:26:12.0171 1756 MSPCLOCK - ok
03:26:12.0187 1756 [ 1988A33FF19242576C3D0EF9CE785DA7 ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
03:26:12.0218 1756 MSPQM - ok
03:26:12.0281 1756 [ 469541F8BFD2B32659D5D463A6714BCE ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
03:26:12.0296 1756 mssmbios - ok
03:26:12.0328 1756 [ BF13612142995096AB084F2DB7F40F77 ] MSTEE C:\WINDOWS\system32\drivers\MSTEE.sys
03:26:12.0359 1756 MSTEE - ok
03:26:12.0406 1756 [ 82035E0F41C2DD05AE41D27FE6CF7DE1 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
03:26:12.0421 1756 Mup - ok
03:26:12.0453 1756 [ 5C8DC6429C43DC6177C1FA5B76290D1A ] NABTSFEC C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
03:26:12.0484 1756 NABTSFEC - ok
03:26:12.0515 1756 [ 558635D3AF1C7546D26067D5D9B6959E ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
03:26:12.0531 1756 NDIS - ok
03:26:12.0562 1756 [ 520CE427A8B298F54112857BCF6BDE15 ] NdisIP C:\WINDOWS\system32\DRIVERS\NdisIP.sys
03:26:12.0593 1756 NdisIP - ok
03:26:12.0625 1756 [ 08D43BBDACDF23F34D79E44ED35C1B4C ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
03:26:12.0625 1756 NdisTapi - ok
03:26:12.0656 1756 [ 34D6CD56409DA9A7ED573E1C90A308BF ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
03:26:12.0656 1756 Ndisuio - ok
03:26:12.0687 1756 [ 0B90E255A9490166AB368CD55A529893 ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
03:26:12.0718 1756 NdisWan - ok
03:26:12.0765 1756 [ 59FC3FB44D2669BC144FD87826BB571F ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
03:26:12.0781 1756 NDProxy - ok
03:26:12.0812 1756 [ 3A2ACA8FC1D7786902CA434998D7CEB4 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
03:26:12.0843 1756 NetBIOS - ok
03:26:12.0875 1756 [ 0C80E410CD2F47134407EE7DD19CC86B ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
03:26:12.0937 1756 NetBT - ok
03:26:12.0984 1756 [ 05AFB5AD06462257BEA7495283C86D50 ] NetDDE C:\WINDOWS\system32\netdde.exe
03:26:13.0000 1756 NetDDE - ok
03:26:13.0015 1756 [ 05AFB5AD06462257BEA7495283C86D50 ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
03:26:13.0015 1756 NetDDEdsdm - ok
03:26:13.0046 1756 [ 84885F9B82F4D55C6146EBF6065D75D2 ] Netlogon C:\WINDOWS\system32\lsass.exe
03:26:13.0062 1756 Netlogon - ok
03:26:13.0093 1756 [ 36739B39267914BA69AD0610A0299732 ] Netman C:\WINDOWS\System32\netman.dll
03:26:13.0109 1756 Netman - ok
03:26:13.0140 1756 [ 5C5C53DB4FEF16CF87B9911C7E8C6FBC ] NIC1394 C:\WINDOWS\system32\DRIVERS\nic1394.sys
03:26:13.0140 1756 NIC1394 - ok
03:26:13.0187 1756 [ 097722F235A1FB698BF9234E01B52637 ] Nla C:\WINDOWS\System32\mswsock.dll
03:26:13.0187 1756 Nla - ok
03:26:13.0218 1756 [ 4F601BCB8F64EA3AC0994F98FED03F8E ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
03:26:13.0234 1756 Npfs - ok
03:26:13.0296 1756 [ 19A811EF5F1ED5C926A028CE107FF1AF ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
03:26:13.0375 1756 Ntfs - ok
03:26:13.0390 1756 [ 84885F9B82F4D55C6146EBF6065D75D2 ] NtLmSsp C:\WINDOWS\System32\lsass.exe
03:26:13.0390 1756 NtLmSsp - ok
03:26:13.0437 1756 [ B62F29C00AC55A761B2E45877D85EA0F ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
03:26:13.0500 1756 NtmsSvc - ok
03:26:13.0546 1756 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
03:26:13.0562 1756 Null - ok
03:26:13.0640 1756 [ 586B3DDB22E468071B63D3A44A6D7CFD ] nv C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
03:26:13.0703 1756 nv - ok
03:26:13.0750 1756 [ 163CD7728440A1901E72E7207FA5877A ] nvax C:\WINDOWS\system32\drivers\nvax.sys
03:26:13.0765 1756 nvax - ok
03:26:13.0796 1756 [ F573F587ABED7C750B66AB96143CA1E9 ] nvnforce C:\WINDOWS\system32\drivers\nvapu.sys
03:26:13.0812 1756 nvnforce - ok
03:26:13.0828 1756 [ 4B17A1424F4BAB51681552307F20A2A1 ] NVSvc C:\WINDOWS\System32\nvsvc32.exe
03:26:13.0859 1756 NVSvc - ok
03:26:13.0890 1756 [ FD4339EF4D3C34B2D016077A38618D42 ] nv_agp C:\WINDOWS\system32\DRIVERS\nv_agp.sys
03:26:13.0921 1756 nv_agp - ok
03:26:13.0953 1756 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
03:26:13.0968 1756 NwlnkFlt - ok
03:26:14.0000 1756 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
03:26:14.0015 1756 NwlnkFwd - ok
03:26:14.0062 1756 [ 0951DB8E5823EA366B0E408D71E1BA2A ] ohci1394 C:\WINDOWS\system32\DRIVERS\ohci1394.sys
03:26:14.0062 1756 ohci1394 - ok
03:26:14.0078 1756 [ 29744EB4CE659DFE3B4122DEB45BC478 ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
03:26:14.0140 1756 Parport - ok
03:26:14.0171 1756 [ 3334430C29DC338092F79C38EF7B4CD0 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
03:26:14.0187 1756 PartMgr - ok
03:26:14.0250 1756 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
03:26:14.0265 1756 ParVdm - ok
03:26:14.0296 1756 [ 8086D9979234B603AD5BC2F5D890B234 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
03:26:14.0328 1756 PCI - ok
03:26:14.0343 1756 PCIDump - ok
03:26:14.0359 1756 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
03:26:14.0406 1756 PCIIde - ok
03:26:14.0437 1756 [ 82A087207DECEC8456FBE8537947D579 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys
03:26:14.0468 1756 Pcmcia - ok
03:26:14.0468 1756 PDCOMP - ok
03:26:14.0484 1756 PDFRAME - ok
03:26:14.0500 1756 PDRELI - ok
03:26:14.0515 1756 PDRFRAME - ok
03:26:14.0531 1756 perc2 - ok
03:26:14.0546 1756 perc2hib - ok
03:26:14.0609 1756 [ 37561F8D4160D62DA86D24AE41FAE8DE ] PlugPlay C:\WINDOWS\system32\services.exe
03:26:14.0609 1756 PlugPlay - ok
03:26:14.0640 1756 [ 84885F9B82F4D55C6146EBF6065D75D2 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
03:26:14.0640 1756 PolicyAgent - ok
03:26:14.0671 1756 [ 1C5CC65AAC0783C344F16353E60B72AC ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
03:26:14.0703 1756 PptpMiniport - ok
03:26:14.0718 1756 [ 0D97D88720A4087EC93AF7DBB303B30A ] Processor C:\WINDOWS\system32\DRIVERS\processr.sys
03:26:14.0750 1756 Processor - ok
03:26:14.0765 1756 [ 84885F9B82F4D55C6146EBF6065D75D2 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
03:26:14.0765 1756 ProtectedStorage - ok
03:26:14.0812 1756 [ 48671F327553DCF1D27F6197F622A668 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
03:26:14.0859 1756 PSched - ok
03:26:14.0906 1756 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
03:26:14.0921 1756 Ptilink - ok
03:26:14.0968 1756 [ 153D02480A0A2F45785522E814C634B6 ] PxHelp20 C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
03:26:15.0000 1756 PxHelp20 - ok
03:26:15.0031 1756 ql1080 - ok
03:26:15.0046 1756 Ql10wnt - ok
03:26:15.0062 1756 ql12160 - ok
03:26:15.0078 1756 ql1240 - ok
03:26:15.0093 1756 ql1280 - ok
03:26:15.0140 1756 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
03:26:15.0156 1756 RasAcd - ok
03:26:15.0203 1756 [ 44DB7A9BDD2FB58747D123FBF1D35ADB ] RasAuto C:\WINDOWS\System32\rasauto.dll
03:26:15.0203 1756 RasAuto - ok
03:26:15.0234 1756 [ 98FAEB4A4DCF812BA1C6FCA4AA3E115C ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
03:26:15.0265 1756 Rasl2tp - ok
03:26:15.0296 1756 [ 49B5EED5FB89D39456A2F616CCD8BA5D ] RasMan C:\WINDOWS\System32\rasmans.dll
03:26:15.0312 1756 RasMan - ok
03:26:15.0328 1756 [ 7306EEED8895454CBED4669BE9F79FAA ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
03:26:15.0343 1756 RasPppoe - ok
03:26:15.0375 1756 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
03:26:15.0406 1756 Raspti - ok
03:26:15.0437 1756 [ 03B965B1CA47F6EF60EB5E51CB50E0AF ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
03:26:15.0531 1756 Rdbss - ok
03:26:15.0562 1756 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
03:26:15.0593 1756 RDPCDD - ok
03:26:15.0640 1756 [ B54CD38A9EBFBF2B3561426E3FE26F62 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
03:26:15.0640 1756 RDPWD - ok
03:26:15.0687 1756 [ 729798E0933076B8FCFCD9934698F164 ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
03:26:15.0718 1756 RDSessMgr - ok
03:26:15.0750 1756 [ B31B4588E4086D8D84ADBF9845C2402B ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
03:26:15.0781 1756 redbook - ok
03:26:15.0828 1756 [ 3046DB917E3CFA040632799DD9B14865 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
03:26:15.0828 1756 RemoteAccess - ok
03:26:15.0859 1756 [ 793F04A09B15E7C6C11DBDFFAF06C0AB ] RpcLocator C:\WINDOWS\System32\locator.exe
03:26:15.0859 1756 RpcLocator - ok
03:26:15.0906 1756 [ 01095FEBF33BEEA00C2A0730B9B3EC28 ] RpcSs C:\WINDOWS\System32\rpcss.dll
03:26:15.0906 1756 RpcSs - ok
03:26:15.0937 1756 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\System32\rsvp.exe
03:26:15.0953 1756 RSVP - ok
03:26:15.0984 1756 [ D0AC0B0355A3FFB85EB77B083CD0627C ] rtl8139 C:\WINDOWS\system32\DRIVERS\R8139n51.SYS
03:26:16.0015 1756 rtl8139 - ok
03:26:16.0031 1756 [ 84885F9B82F4D55C6146EBF6065D75D2 ] SamSs C:\WINDOWS\system32\lsass.exe
03:26:16.0031 1756 SamSs - ok
03:26:16.0078 1756 [ 25D8DE134DF108E3DBC8D7D23B1AA58E ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
03:26:16.0078 1756 SCardSvr - ok
03:26:16.0125 1756 [ 92360854316611F6CC471612213C3D92 ] Schedule C:\WINDOWS\system32\schedsvc.dll
03:26:16.0140 1756 Schedule - ok
03:26:16.0187 1756 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
03:26:16.0203 1756 Secdrv - ok
03:26:16.0234 1756 [ B1E0CE09895376871746F36DC5773B4F ] seclogon C:\WINDOWS\System32\seclogon.dll
03:26:16.0250 1756 seclogon - ok
03:26:16.0265 1756 [ DFD9870CF39C791D86C4C209DA9FA919 ] SENS C:\WINDOWS\system32\sens.dll
03:26:16.0281 1756 SENS - ok
03:26:16.0312 1756 [ CD9404D115A00D249F70A371B46D5A26 ] Serial C:\WINDOWS\system32\drivers\Serial.sys
03:26:16.0343 1756 Serial - ok
03:26:16.0390 1756 [ 0D13B6DF6E9E101013A7AFB0CE629FE0 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
03:26:16.0406 1756 Sfloppy - ok
03:26:16.0453 1756 [ 36CC8C01B5E50163037BEF56CB96DEFF ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
03:26:16.0468 1756 SharedAccess - ok
03:26:16.0484 1756 [ 6815DEF9B810AEFAC107EEAF72DA6F82 ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
03:26:16.0484 1756 ShellHWDetection - ok
03:26:16.0500 1756 Simbad - ok
03:26:16.0531 1756 [ 5CAEED86821FA2C6139E32E9E05CCDC9 ] SLIP C:\WINDOWS\system32\DRIVERS\SLIP.sys
03:26:16.0546 1756 SLIP - ok
03:26:16.0687 1756 [ 8ECA9578BFC7DA42D6D24C862224C5DB ] SmcService C:\Program Files\Sygate\SPF\smc.exe
03:26:16.0750 1756 SmcService - ok
03:26:16.0765 1756 SNP2STD - ok
03:26:16.0781 1756 Sparrow - ok
03:26:16.0828 1756 [ 5D6401DB90EC81B71F8E2C5C8F0FEF23 ] speedfan C:\WINDOWS\system32\speedfan.sys
03:26:16.0875 1756 speedfan - ok
03:26:16.0890 1756 [ 0CE218578FFF5F4F7E4201539C45C78F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
03:26:16.0921 1756 splitter - ok
03:26:16.0953 1756 [ DA81EC57ACD4CDC3D4C51CF3D409AF9F ] Spooler C:\WINDOWS\system32\spoolsv.exe
03:26:16.0968 1756 Spooler - ok
03:26:16.0984 1756 [ E41B6D037D6CD08461470AF04500DC24 ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
03:26:17.0015 1756 sr - ok
03:26:17.0046 1756 [ 92BDF74F12D6CBEC43C94D4B7F804838 ] srservice C:\WINDOWS\system32\srsvc.dll
03:26:17.0062 1756 srservice - ok
03:26:17.0109 1756 [ 7A4F147CC6B133F905F6E65E2F8669FB ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
03:26:17.0156 1756 Srv - ok
03:26:17.0187 1756 [ 4B8D61792F7175BED48859CC18CE4E38 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
03:26:17.0203 1756 SSDPSRV - ok
03:26:17.0250 1756 [ B6763F8534AC547CF1AF98AFDFF2EDC8 ] stisvc C:\WINDOWS\system32\wiaservc.dll
03:26:17.0312 1756 stisvc - ok
03:26:17.0343 1756 [ 284C57DF5DC7ABCA656BC2B96A667AFB ] streamip C:\WINDOWS\system32\DRIVERS\StreamIP.sys
03:26:17.0375 1756 streamip - ok
03:26:17.0406 1756 [ 03C1BAE4766E2450219D20B993D6E046 ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
03:26:17.0437 1756 swenum - ok
03:26:17.0468 1756 [ 94ABC808FC4B6D7D2BBF42B85E25BB4D ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
03:26:17.0484 1756 swmidi - ok
03:26:17.0500 1756 SwPrv - ok
03:26:17.0515 1756 symc810 - ok
03:26:17.0531 1756 symc8xx - ok
03:26:17.0546 1756 sym_hi - ok
03:26:17.0562 1756 sym_u3 - ok
03:26:17.0625 1756 [ 650AD082D46BAC0E64C9C0E0928492FD ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
03:26:17.0640 1756 sysaudio - ok
03:26:17.0687 1756 [ 8B54AA346D1B1B113FFAA75501B8B1B2 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
03:26:17.0687 1756 SysmonLog - ok
03:26:17.0734 1756 [ FB78839B36025AA286A51289ED28B73E ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
03:26:17.0750 1756 TapiSrv - ok
03:26:17.0781 1756 [ 2A5554FC5B1E04E131230E3CE035C3F9 ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
03:26:17.0828 1756 Tcpip - ok
03:26:17.0875 1756 [ 38D437CF2D98965F239B0ABCD66DCB0F ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
03:26:17.0890 1756 TDPIPE - ok
03:26:17.0921 1756 [ ED0580AF02502D00AD8C4C066B156BE9 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
03:26:17.0953 1756 TDTCP - ok
03:26:17.0984 1756 [ 99336D4DA97B4EEAAFAB46A4F8E512E6 ] Teefer C:\WINDOWS\system32\Drivers\Teefer.sys
03:26:18.0000 1756 Teefer - ok
03:26:18.0046 1756 [ A540A99C281D933F3D69D55E48727F47 ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
03:26:18.0062 1756 TermDD - ok
03:26:18.0125 1756 [ B60C877D16D9C880B952FDA04ADF16E6 ] TermService C:\WINDOWS\System32\termsrv.dll
03:26:18.0140 1756 TermService - ok
03:26:18.0171 1756 [ 6815DEF9B810AEFAC107EEAF72DA6F82 ] Themes C:\WINDOWS\System32\shsvcs.dll
03:26:18.0187 1756 Themes - ok
03:26:18.0203 1756 TosIde - ok
03:26:18.0234 1756 [ 6D9AC544B30F96C57F8206566C1FB6A1 ] TrkWks C:\WINDOWS\system32\trkwks.dll
03:26:18.0234 1756 TrkWks - ok
03:26:18.0281 1756 [ 2AA8F32C3DA1E7BC11669E3E72BFF1A5 ] TrueSight C:\WINDOWS\system32\drivers\TrueSight.sys
03:26:18.0281 1756 TrueSight - ok
03:26:18.0328 1756 [ 12F70256F140CD7D52C58C7048FDE657 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
03:26:18.0375 1756 Udfs - ok
03:26:18.0390 1756 ultra - ok
03:26:18.0437 1756 [ AFF2E5045961BBC0A602BB6F95EB1345 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
03:26:18.0453 1756 Update - ok
03:26:18.0500 1756 [ ACA5D98663D879C6BAAFCEA7E2F1B710 ] upnphost C:\WINDOWS\System32\upnphost.dll
03:26:18.0515 1756 upnphost - ok
03:26:18.0546 1756 [ 3F5DF65B0758675F95A2D43918A740A3 ] UPS C:\WINDOWS\System32\ups.exe
03:26:18.0562 1756 UPS - ok
03:26:18.0609 1756 [ BFFD9F120CC63BCBAA3D840F3EEF9F79 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
03:26:18.0640 1756 usbccgp - ok
03:26:18.0671 1756 [ 15E993BA2F6946B2BFBBFCD30398621E ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
03:26:18.0734 1756 usbehci - ok
03:26:18.0781 1756 [ C72F40947F92CEA56A8FB532EDF025F1 ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
03:26:18.0812 1756 usbhub - ok
03:26:18.0828 1756 [ BDFE799A8531BAD8A5A985821FE78760 ] usbohci C:\WINDOWS\system32\DRIVERS\usbohci.sys
03:26:18.0843 1756 usbohci - ok
03:26:18.0890 1756 [ A6BC71402F4F7DD5B77FD7F4A8DDBA85 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
03:26:18.0921 1756 usbscan - ok
03:26:18.0953 1756 [ 6CD7B22193718F1D17A47A1CD6D37E75 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
03:26:19.0015 1756 USBSTOR - ok
03:26:19.0046 1756 [ 8A60EDD72B4EA5AEA8202DAF0E427925 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
03:26:19.0078 1756 VgaSave - ok
03:26:19.0093 1756 ViaIde - ok
03:26:19.0125 1756 [ EE4660083DEBA849FF6C485D944B379B ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
03:26:19.0156 1756 VolSnap - ok
03:26:19.0171 1756 vsdatant - ok
03:26:19.0218 1756 [ 3EE00364AE0FD8D604F46CBAF512838A ] VSS C:\WINDOWS\System32\vssvc.exe
03:26:19.0250 1756 VSS - ok
03:26:19.0296 1756 [ 2B281958F5D0CF99ED626E3EF39D5C8D ] W32Time C:\WINDOWS\system32\w32time.dll
03:26:19.0296 1756 W32Time - ok
03:26:19.0343 1756 [ 984EF0B9788ABF89974CFED4BFBAACBC ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
03:26:19.0375 1756 Wanarp - ok
03:26:19.0390 1756 WDICA - ok
03:26:19.0421 1756 [ EFD235CA22B57C81118C1AEB4798F1C1 ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
03:26:19.0453 1756 wdmaud - ok
03:26:19.0484 1756 [ 265F534EF76832435AFBF771EC97176D ] WebClient C:\WINDOWS\System32\webclnt.dll
03:26:19.0500 1756 WebClient - ok
03:26:19.0531 1756 [ A67340B874DF9EAF5B226E5F3473B9DA ] wg3n C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys
03:26:19.0546 1756 wg3n - ok
03:26:19.0593 1756 [ 851216E2816B7B7E74B5F7EF1D4ACFB7 ] wg4n C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys
03:26:19.0609 1756 wg4n - ok
03:26:19.0625 1756 [ AEDD1FE0DF660411D15DA3C57CFC2402 ] wg5n C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys
03:26:19.0656 1756 wg5n - ok
03:26:19.0687 1756 [ DD0D719A58DF79086462BD5FC972A908 ] wg6n C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys
03:26:19.0703 1756 wg6n - ok
03:26:19.0765 1756 [ F399242A80C4066FD155EFA4CF96658E ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
03:26:19.0781 1756 winmgmt - ok
03:26:19.0843 1756 [ C086483E3DBA8C1C0A687EC8D5B3D4C1 ] WmdmPmSN C:\WINDOWS\System32\mspmsnsv.dll
03:26:19.0859 1756 WmdmPmSN - ok
03:26:19.0921 1756 [ BA8CECC3E813E1F7C441B20393D4F86C ] WmiApSrv C:\WINDOWS\System32\wbem\wmiapsrv.exe
03:26:19.0921 1756 WmiApSrv - ok
03:26:19.0953 1756 [ 93C145DCEB13156322423EFD62D4549A ] wpsdrvnt C:\WINDOWS\System32\drivers\wpsdrvnt.sys
03:26:19.0968 1756 wpsdrvnt - ok
03:26:20.0000 1756 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
03:26:20.0031 1756 WS2IFSL - ok
03:26:20.0078 1756 [ 4D59DAA66C60858CDF4F67A900F42D4A ] wscsvc C:\WINDOWS\system32\wscsvc.dll
03:26:20.0078 1756 wscsvc - ok
03:26:20.0125 1756 [ D5842484F05E12121C511AA93F6439EC ] WSTCODEC C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
03:26:20.0156 1756 WSTCODEC - ok
03:26:20.0187 1756 [ 13D72740963CBA12D9FF76A7F218BCD8 ] wuauserv C:\WINDOWS\system32\wuauserv.dll
03:26:20.0203 1756 wuauserv - ok
03:26:20.0250 1756 [ 5A91E6FEAB9F901302FA7FF768C0120F ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
03:26:20.0281 1756 WZCSVC - ok
03:26:20.0312 1756 [ EEF46DAB68229A14DA3D8E73C99E2959 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
03:26:20.0343 1756 xmlprov - ok
03:26:20.0375 1756 ================ Scan global ===============================
03:26:20.0406 1756 [ 00EF9C3AF83EDBAF18CA7A2837750117 ] C:\WINDOWS\system32\basesrv.dll
03:26:20.0437 1756 [ 3D21B3BE0C5768E76FD9780E9CF9E07C ] C:\WINDOWS\system32\winsrv.dll
03:26:20.0484 1756 [ 3D21B3BE0C5768E76FD9780E9CF9E07C ] C:\WINDOWS\system32\winsrv.dll
03:26:20.0500 1756 [ 37561F8D4160D62DA86D24AE41FAE8DE ] C:\WINDOWS\system32\services.exe
03:26:20.0515 1756 [Global] - ok
03:26:20.0515 1756 ================ Scan MBR ==================================
03:26:20.0531 1756 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
03:26:20.0671 1756 \Device\Harddisk0\DR0 - ok
03:26:20.0687 1756 ================ Scan VBR ==================================
03:26:20.0687 1756 [ 9EB3C739A54869B610720E5C73FE08CD ] \Device\Harddisk0\DR0\Partition1
03:26:20.0687 1756 \Device\Harddisk0\DR0\Partition1 - ok
03:26:20.0718 1756 [ 279D44525F30C3018478A1C04BA05C76 ] \Device\Harddisk0\DR0\Partition2
03:26:20.0718 1756 \Device\Harddisk0\DR0\Partition2 - ok
03:26:20.0718 1756 ============================================================
03:26:20.0718 1756 Scan finished
03:26:20.0718 1756 ============================================================
03:26:20.0750 1416 Detected object count: 0
03:26:20.0750 1416 Actual detected object count: 0
03:28:51.0203 3356 Deinitialize success


----END TDSSKILLER LOG---


----BEGIN aswMBR LOG-------


aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-11-14 03:28:55
-----------------------------
03:28:55.562 OS Version: Windows 5.1.2600 Service Pack 2
03:28:55.562 Number of processors: 1 586 0xA00
03:28:55.562 ComputerName: YOUR-JIKOHAXMOT UserName: greg
03:28:55.921 Initialize success
03:33:02.640 AVAST engine defs: 12111301
03:33:26.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
03:33:26.500 Disk 0 Vendor: ST3120022A 3.04 Size: 114473MB BusType: 3
03:33:26.515 Disk 0 MBR read successfully
03:33:26.515 Disk 0 MBR scan
03:33:26.578 Disk 0 Windows XP default MBR code
03:33:26.593 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 28615 MB offset 63
03:33:26.593 Disk 0 Partition - 00 0F Extended LBA 85855 MB offset 58605120
03:33:26.609 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 85855 MB offset 58605183
03:33:26.625 Disk 0 scanning sectors +234436545
03:33:26.687 Disk 0 scanning C:\WINDOWS\system32\drivers
03:33:49.187 Service scanning
03:34:07.671 Modules scanning
03:34:20.515 Disk 0 trace - called modules:
03:34:21.015 ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
03:34:21.015 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82f50ab8]
03:34:21.015 3 CLASSPNP.SYS[f759005b] -> nt!IofCallDriver -> \Device\0000005d[0x82fe01f8]
03:34:21.015 5 ACPI.sys[f74e6620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82fd44d0]
03:34:21.546 AVAST engine scan C:\WINDOWS
03:34:33.359 AVAST engine scan C:\WINDOWS\system32
03:38:09.171 AVAST engine scan C:\WINDOWS\system32\drivers
03:38:27.859 AVAST engine scan C:\Documents and Settings\greg
03:46:54.078 AVAST engine scan C:\Documents and Settings\All Users
03:47:13.953 Scan finished successfully
04:00:47.171 Disk 0 MBR has been saved successfully to "C:\MBR.dat"
04:00:47.265 The log file has been saved successfully to "C:\aswMBR.txt"


----END aswMBR LOG-------

Edited by MINT2012, 13 November 2012 - 10:04 PM.

  • 0

#10
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Greetings

yes go ahead and reboot the computer and plug in your drives

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

  • 0

#11
MINT2012

MINT2012

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi Gringo,

The PC seems a bit faster, and I seem to have picked up an extra 400mb of free space as compared to prior to performing the scans, so I'm assuming something has gone ok LOL.

I will have a better answer after performing the red text "defragging" and java update, then I'll keep an eye on performance over the next few days and report back

For now, here is the Combofix log after adding the CFscript.txt file:

What else needs scanning? Does everything look ok so far?

----BEGIN COMBOFIX LOG---

ComboFix 12-11-13.03 - greg 14/11/2012 4:54.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.767.441 [GMT 0:00]
Running from: c:\documents and settings\greg\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\greg\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Sygate Personal Firewall *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((( Files Created from 2012-10-14 to 2012-11-14 )))))))))))))))))))))))))))))))
.
.
2012-11-13 10:47 . 2012-11-13 10:47 14336 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-11-09 04:39 . 2012-11-09 04:39 -------- d-----w- c:\documents and settings\greg\Local Settings\Application Data\Help
2012-11-04 05:36 . 2012-11-04 05:36 1409 ----a-w- c:\windows\QTFont.for
2012-11-02 05:18 . 2012-11-03 07:30 -------- d-----w- C:\photoshop_stuff
2012-10-18 09:57 . 2012-10-18 09:59 -------- d-----w- C:\TXT
2012-10-18 04:39 . 2012-10-18 04:39 -------- d-----w- c:\program files\Common Files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-08 05:47 . 2012-04-01 15:14 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-08 05:47 . 2011-05-17 11:26 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-24 14:32 . 2012-06-28 18:52 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-24 14:32 . 2011-03-01 20:57 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-24 12:51 . 2012-06-28 18:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-11-03 01:16 . 2012-11-03 01:15 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-02-08 00:49 22376 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2012-08-29 3519936]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-04-02 4616192]
"nwiz"="nwiz.exe" [2003-04-02 323584]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 88107]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-12-02 74752]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-11-04 2219184]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [N/A]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\OperaTor-3.5_dl1\\OperaTor\\Opera\\opera.exe"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [29/07/2010 12:31 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [03/08/2010 12:28 95896]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [28/08/2012 13:01 109768]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [04/11/2010 17:15 810144]
S2 CronService;Cron Service for Prey;"c:\prey\platform\windows\cronsvc.exe" --> c:\prey\platform\windows\cronsvc.exe [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.sony-europe.com/
uInternet Settings,ProxyServer = localhost:4001
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
TCP: DhcpNameServer = 93.182.129.84 93.182.120.84
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\greg\Application Data\Mozilla\Firefox\Profiles\p18iira9.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-10-18 05:39; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF - ExtSQL: 2012-11-05 22:03; {5F590AA2-1221-4113-A6F4-A4BB62414FAC}; c:\documents and settings\greg\Application Data\Mozilla\Firefox\Profiles\p18iira9.default\extensions\{5F590AA2-1221-4113-A6F4-A4BB62414FAC}.xpi
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-14 05:01
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):47,64,2c,7f,33,3b,e6,38,56,d3,93,e7,17,bd,8b,9c,70,05,36,5f,33,
9a,5b,e7,b4,19,96,41,88,41,45,ee,70,08,61,49,6a,a5,79,f7,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{d791543b-fcc3-4788-93c1-2ef53ff61e39}]
@Denied: (Full) (Everyone)
"Model"=dword:00000065
"Therad"=dword:00000015
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3352)
c:\windows\system32\WININET.dll
c:\program files\Internet Download Manager\IDMShellExt.dll
c:\program files\Internet Download Manager\IDMNetMon.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2012-11-14 05:03:30
ComboFix-quarantined-files.txt 2012-11-14 05:03
ComboFix2.txt 2012-11-14 04:42
ComboFix3.txt 2012-11-14 02:44
.
Pre-Run: 1,972,133,888 bytes free
Post-Run: 1,960,722,432 bytes free
.
- - End Of File - - CD83F4B287F0940A93FE6DC8D74C0433


----END COMBOFIX LOG---
  • 0

#12
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (it does allot better of a job

Programs to remove

µTorrent
Java™ 6 Update 37
SoulSeek 157 NS 13e
[/list]


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.
.


Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

  • 0

#13
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools




Gringo
  • 0

#14
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
  • 0

#15
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP