Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Am I infected? [Solved]


  • This topic is locked This topic is locked

#16
Indexx

Indexx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Hello Emeraldnzl,


Ran RogueKiller twice, added the 4 reports. Ran AdwCleaner.
Should I be changing passwords or something?

Indexx
---------------------------------------
1st

RogueKiller V8.4.2 [Dec 31 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User : boss [Admin rights]
Mode : Scan -- Date : 01/05/2013 14:43:56

¤¤¤ Bad processes : 1 ¤¤¤
[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\WINDOWS\qvphook.dll -> UNLOADED

¤¤¤ Registry Entries : 1 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[37] : NtCreateFile @ 0x80577E64 -> HOOKED (\??\C:\WINDOWS\system32\windrvNT.sys @ 0xB677536A)
SSDT[116] : NtOpenFile @ 0x80578F62 -> HOOKED (\??\C:\WINDOWS\system32\windrvNT.sys @ 0xB6775CD8)
SSDT[145] : NtQueryDirectoryFile @ 0x80578C44 -> HOOKED (\??\C:\WINDOWS\system32\windrvNT.sys @ 0xB6775842)
SSDT[154] : NtQueryInformationProcess @ 0x805CB7DA -> HOOKED (\??\C:\WINDOWS\system32\windrvNT.sys @ 0xB67721E0)
SSDT[224] : NtSetInformationFile @ 0x80579DCA -> HOOKED (\??\C:\WINDOWS\system32\windrvNT.sys @ 0xB6776142)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9120821AS +++++
--- User ---
[MBR] 991996b194097dee05d629eabe406ace
[BSP] 148bc81b10889459167713687c8765ef : Toshiba tatooed MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 99323 Mo
1 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 203431095 | Size: 14111 Mo
2 - [XXXXXX] UNKNOWN (0xd7) [VISIBLE] Offset (sectors): 232332030 | Size: 1027 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: ST9120821AS +++++
--- User ---
[MBR] d57a58d47f66da2786870bbfcb90da9e
[BSP] d36868f70c651480cfee4978577e3d5d : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 114470 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_01052013_02d1443.txt >>
RKreport[1]_S_01052013_02d1443.txt

2nd

RogueKiller V8.4.2 [Dec 31 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User : boss [Admin rights]
Mode : Remove -- Date : 01/05/2013 14:44:26

¤¤¤ Bad processes : 1 ¤¤¤
[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\WINDOWS\qvphook.dll -> UNLOADED

¤¤¤ Registry Entries : 1 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[37] : NtCreateFile @ 0x80577E64 -> HOOKED (\??\C:\WINDOWS\system32\windrvNT.sys @ 0xB677536A)
SSDT[116] : NtOpenFile @ 0x80578F62 -> HOOKED (\??\C:\WINDOWS\system32\windrvNT.sys @ 0xB6775CD8)
SSDT[145] : NtQueryDirectoryFile @ 0x80578C44 -> HOOKED (\??\C:\WINDOWS\system32\windrvNT.sys @ 0xB6775842)
SSDT[154] : NtQueryInformationProcess @ 0x805CB7DA -> HOOKED (\??\C:\WINDOWS\system32\windrvNT.sys @ 0xB67721E0)
SSDT[224] : NtSetInformationFile @ 0x80579DCA -> HOOKED (\??\C:\WINDOWS\system32\windrvNT.sys @ 0xB6776142)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9120821AS +++++
--- User ---
[MBR] 991996b194097dee05d629eabe406ace
[BSP] 148bc81b10889459167713687c8765ef : Toshiba tatooed MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 99323 Mo
1 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 203431095 | Size: 14111 Mo
2 - [XXXXXX] UNKNOWN (0xd7) [VISIBLE] Offset (sectors): 232332030 | Size: 1027 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: ST9120821AS +++++
--- User ---
[MBR] d57a58d47f66da2786870bbfcb90da9e
[BSP] d36868f70c651480cfee4978577e3d5d : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 114470 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_01052013_02d1444.txt >>
RKreport[1]_S_01052013_02d1443.txt ; RKreport[2]_D_01052013_02d1444.txt

3rd

RogueKiller V8.4.2 [Dec 31 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User : boss [Admin rights]
Mode : Shortcuts HJfix -- Date : 01/05/2013 14:49:35

¤¤¤ Bad processes : 1 ¤¤¤
[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\WINDOWS\qvphook.dll -> UNLOADED

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 17 / Fail 0
Start menu: Success 2 / Fail 0
User folder: Success 56 / Fail 0
My documents: Success 3 / Fail 3
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 150 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume4 -- 0x3 --> Restored
[E:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[F:] \Device\CdRom0 -- 0x5 --> Skipped

Finished : << RKreport[3]_SC_01052013_02d1449.txt >>
RKreport[1]_S_01052013_02d1443.txt ; RKreport[2]_D_01052013_02d1444.txt ; RKreport[3]_SC_01052013_02d1449.txt

4th

RogueKiller V8.4.2 [Dec 31 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User : boss [Admin rights]
Mode : Shortcuts HJfix -- Date : 01/05/2013 14:56:05

¤¤¤ Bad processes : 1 ¤¤¤
[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\WINDOWS\qvphook.dll -> UNLOADED

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 0 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 5 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 1 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume4 -- 0x3 --> Restored
[E:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[F:] \Device\CdRom0 -- 0x5 --> Skipped

Finished : << RKreport[4]_SC_01052013_02d1456.txt >>
RKreport[1]_S_01052013_02d1443.txt ; RKreport[2]_D_01052013_02d1444.txt ; RKreport[3]_SC_01052013_02d1449.txt ; RKreport[4]_SC_01052013_02d1456.txt

---------------------------------------------------------------------------------


# AdwCleaner v2.104 - Logfile created 01/05/2013 at 14:59:24
# Updated 29/12/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 2 (32 bits)
# User : boss - LASRIUS
# Boot Mode : Normal
# Running from : C:\Documents and Settings\boss.LASRIUS\My Documents\Downloads\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Program Files\Viewpoint

***** [Registry] *****

Key Deleted : HKCU\Software\Zugo
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}

***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.5730.11

[OK] Registry is clean.

-\\ Mozilla Firefox v8.0.1 (en-US)

*************************

AdwCleaner[S1].txt - [827 octets] - [05/01/2013 14:59:24]

########## EOF - C:\AdwCleaner[S1].txt - [886 octets] ##########
  • 0

Advertisements


#17
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts

Should I be changing passwords or something?


Well I am not seeing serious infection at this point but I think it makes sense to regularly change your passwords anyway.

Now

You appear not to have updated your Windows to Service Pack 3. SP3 will update your system files and may solve some of your machines symptoms.

You will need to use Internet Explorer to download:

Please go to Windows updates

You may need to allow Microsoft to install an active x component to check your machine before it downloads. Let it do that.

Come back if you have any difficulties.

When finished tell me and we will move to the next action.
  • 0

#18
Indexx

Indexx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Hello Emeraldnzl,

Just tried firefox to see if any changes when trying ebay zonealarm showed the my.g again. When I clicked no it then blocked 4 attemps to the same with slightly different address.
Added a screenshot photo.

Attached Thumbnails

  • Image1.jpg

  • 0

#19
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts
Don't know what is going on there.

my.g is suspicious but those IP addresses resolve to EBay. Do you use EBay?

E_TATIHTE.EXE is your Epson printer.

The Adwcleaner one was aimed at cleaning redirections... hmm... let's do the SP3 thing and after that look at the possible redirection thing again.
  • 0

#20
Indexx

Indexx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Hello Emeraldnzl,

Yes, I run an ebay store and use paypal daily.
I knew about E_TATIHTE.EXE I put in non Epson printer ink cart. and my printer is trying to tattle on me. LOL.
Do you think that I'm safe using paypal right now and can I do some overdue banking maybe?

Thanks again for all of your help.

Indexx
  • 0

#21
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts

Do you think that I'm safe using paypal right now and can I do some overdue banking maybe?


Up to you, if it were me I would wait until we are finished. If it is urgent I would use another computer or, at the very least, change my password and change it again afterwards.

How are we going with SP3?
  • 0

#22
Indexx

Indexx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Hello Emeraldnzl,

SP3 done. Most of my old hardware still works too. I think I now get hi def adds to boot.
Will turn many of the reawoke stuff off when we're done though.
Whats next?
Thanks,

Indexx
  • 0

#23
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts
Hello Indexx,

Your Flashplayer is out of date. Older versions are vunerable to attack.

Go here to download the latest Adobe Flash Player

Make sure you untick the box "Yes, install McAfee Security Scan Plus - optional" before downloading.

Step 2

Your Adobe Acrobat Reader is out of date. Older versions are vunerable to attack.

Please go to the link below to update.

Note: Before you download ensure you uncheck the "Yes install McAfee" option. That is foistware.

http://www.adobe.com.../readstep2.html

Next

Download and run Junkware removal Tool by thisisu
When the scan completes a log will be produced please post it back here.

Finally in this post

  • Close all windows and open OTL again.
  • Double click on the OTL icon to run it. Make sure all other windows are closed to let it run uninterrupted.
  • Under Files Created within check the none button
  • Under Files Modified Within check the none button
  • Under the Custom Scan box paste this in:
    drivers32
    baseservices
    drives
    %SYSTEMDRIVE%\*.exe
    %PROGRAMFILES%\*.exe
    /md5start
    services.*
    /md5stop
    
    
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open a notepad window. OTL.Txt. This is saved in the same location as OTL.

Note: If the log doesn't appear where you saved OTL then a copy of the OTL log is saved in a text file at

:\_OTL\MovedFiles
in most cases this will be C:\_OTL\MovedFiles

Please copy (Edit->Select All, Edit->Copy) the contents post back here.

When you return please post
  • Junkware removal log
  • OTL. txt

  • 0

#24
Indexx

Indexx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Good morning Emeraldnzl,

Will do.
Is there any way to keep adobe from updating every 20 minuets? Can I turn off it's updating all together or to on demand?

Indexx
  • 0

#25
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts

Is there any way to keep adobe from updating every 20 minuets? Can I turn off it's updating all together or to on demand?


Go to the link below for instructions about that:

http://helpx.adobe.c...bat-reader.html

You should be aware that out of date versions are vunerable to attack and I would recommend you update regularly in any event.

Alternatively you might consider this one although don't let it install the browser toolbar:

For a good reader that uses less memory download Foxit Reader from here.

Care: When installing you will come to a window installing a browser toolbar. Ensure you uncheck the two boxes which include foistware to change your search engine to Ask.
  • 0

Advertisements


#26
Indexx

Indexx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Hello Emeraldnzl,

Here you go;

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.4.1 (01.06.2013:2)
OS: Microsoft Windows XP x86
Ran by boss on Sun 01/06/2013 at 12:58:44.68
Blog: http://thisisudax.blogspot.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\DisplayName
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\URL



~~~ Registry Keys



~~~ Files



~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 01/06/2013 at 13:06:17.90
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----------------------------------------------------------------------------------------------------------


OTL logfile created on: 1/6/2013 7:48:02 PM - Run 5
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\boss.LASRIUS\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.04 Mb Total Physical Memory | 673.51 Mb Available Physical Memory | 65.90% Memory free
2.40 Gb Paging File | 2.18 Gb Available in Paging File | 90.91% Paging File free
Paging file location(s): C:\pagefile.sys 1536 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 97.00 Gb Total Space | 24.25 Gb Free Space | 25.00% Space Free | Partition Type: NTFS
Drive D: | 111.79 Gb Total Space | 35.98 Gb Free Space | 32.19% Space Free | Partition Type: NTFS
Drive E: | 13.75 Gb Total Space | 0.77 Gb Free Space | 5.61% Space Free | Partition Type: FAT32

Computer Name: LASRIUS | User Name: boss | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/01/03 20:23:20 | 000,170,408 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012/12/27 10:29:04 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\boss.LASRIUS\My Documents\Downloads\Copy of OTL.exe
PRC - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2011/04/24 11:01:00 | 000,219,008 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\E_TATIHVA.EXE
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/08/23 22:38:28 | 000,968,696 | ---- | M] (Zone Labs, LLC) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2006/08/23 22:38:26 | 000,075,768 | ---- | M] (Zone Labs, LLC) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2003/07/25 01:40:06 | 000,335,872 | ---- | M] (Globe Software) -- C:\Program Files\Globe Software\StatBar\StatBar.exe


========== Modules (No Company Name) ==========

MOD - [2006/08/23 22:40:50 | 000,145,408 | ---- | M] () -- C:\WINDOWS\system32\ZoneLabs\lib\pyd\pyexpat.pyd
MOD - [2006/08/23 22:40:50 | 000,047,104 | ---- | M] () -- C:\WINDOWS\system32\ZoneLabs\lib\pyd\_socket.pyd
MOD - [2006/08/23 22:40:50 | 000,026,624 | ---- | M] () -- C:\WINDOWS\system32\ZoneLabs\lib\pyd\signedDll.pyd
MOD - [2006/08/23 22:40:50 | 000,026,624 | ---- | M] () -- C:\WINDOWS\system32\ZoneLabs\lib\pyd\pyvsinit.pyd
MOD - [2006/08/23 22:37:52 | 000,796,584 | ---- | M] () -- C:\WINDOWS\system32\libeay32_0.9.6l.dll


========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2013/01/03 20:23:20 | 000,170,408 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/12/14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2011/06/09 13:01:00 | 000,521,600 | ---- | M] (SEIKO EPSON CORPORATION) [Disabled | Stopped] -- C:\Program Files\epson\EpsonCustomerParticipation\EPCP.exe -- (EpsonCustomerParticipation)
SRV - [2006/08/23 22:38:26 | 000,075,768 | ---- | M] (Zone Labs, LLC) [Auto | Running] -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- (vsmon)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/12/14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2010/04/14 23:39:23 | 000,003,712 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\socketlock.sys -- (SocketLock)
DRV - [2010/04/13 23:04:56 | 000,035,363 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\windrvNT.sys -- (windrvNT)
DRV - [2008/04/14 00:25:10 | 000,202,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rmcast.sys -- (RMCAST)
DRV - [2008/04/14 00:09:46 | 000,092,544 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mqac.sys -- (MQAC)
DRV - [2006/08/23 22:38:36 | 000,392,824 | ---- | M] (Zone Labs, LLC) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2006/08/03 00:53:32 | 000,029,680 | ---- | M] (Zone Labs, LLC) [Kernel | Boot | Running] -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan)
DRV - [2006/04/18 05:29:06 | 000,569,856 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAud.sys -- (HdAudAddService)
DRV - [2006/03/14 12:02:54 | 001,428,480 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51)
DRV - [2006/03/02 05:03:32 | 000,057,096 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2005/09/20 04:30:56 | 000,162,432 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2005/09/19 14:24:20 | 000,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)
DRV - [2005/09/19 14:24:10 | 000,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2005/09/19 14:23:52 | 000,007,808 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)
DRV - [2005/08/22 09:07:00 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/08/22 09:06:16 | 000,201,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/08/22 09:06:10 | 000,718,464 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/08/04 00:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\..\SearchScopes,DefaultScope =
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{B6A5E4C4-2536-4B0D-A258-F4FBBEDB455B}: "URL" = http://search.yahoo....=utf-8&fr=b2ie7
IE - HKCU\..\SearchScopes\{C4236BF9-A0E9-4F8D-BD96-F06419E16F30}: "URL" = http://en.wikipedia....h={searchTerms}
IE - HKCU\..\SearchScopes\{C739D6C0-6E08-42FF-A68D-5540E553A401}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKCU\..\SearchScopes\{D21C353A-29E5-4F69-AF31-8432DDF80CBF}: "URL" = http://www.google.co...age={startPage}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "about:blank"
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.10.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.10.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/12/09 01:12:22 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/12/09 01:13:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\boss.LASRIUS\Application Data\Mozilla\Extensions
[2011/12/09 01:12:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/11/20 22:04:51 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll

O1 HOSTS File: ([2004/08/10 09:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Norton AntiVirus) - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll File not found
O4 - HKLM..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)
O4 - HKCU..\Run: [EPLTarget\P0000000000000000] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_TATIHVA.EXE (SEIKO EPSON CORPORATION)
O4 - HKCU..\Run: [StatBar] C:\Program Files\Globe Software\StatBar\StatBar.exe (Globe Software)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetOpenWith = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 01 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = @ [binary data]
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_10)
O16 - DPF: {CAFEEFAC-0017-0000-0010-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_10)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_10)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B8D85FDC-2F63-4DE8-A44A-CF8EBE7B5205}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\boss.LASRIUS\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\boss.LASRIUS\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {0cab0400-7395-11d0-a5e5-0020afe2fdd9} - C:\WINDOWS\qvphook.dll (Inso Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001/07/27 22:07:38 | 000,000,000 | --S- | M] () - E:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/04/30 14:01:14 | 000,000,053 | --S- | M] () - E:\Autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

Drivers32: msacm.ac3acm - C:\WINDOWS\System32\ac3acm.acm (fccHandler)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3fhg - C:\WINDOWS\System32\mp3fhg.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.XVID - C:\WINDOWS\System32\xvidvfw.dll ()
Drivers32: VIDC.YV12 - C:\WINDOWS\System32\yv12vfw.dll (www.helixcommunity.org)

========== Custom Scans ==========

========== Base Services ==========
SRV - [2008/04/14 05:42:14 | 000,044,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\alg.exe -- (ALG)
SRV - [2008/04/14 05:42:12 | 000,006,656 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
SRV - [2008/04/14 05:42:04 | 000,409,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\qmgr.dll -- (BITS)
SRV - [2008/04/14 05:41:52 | 000,077,824 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\browser.dll -- (Browser)
SRV - [2008/04/14 05:41:52 | 000,062,464 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\cryptsvc.dll -- (CryptSvc)
SRV - [2008/04/14 05:41:52 | 000,126,976 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dhcpcsvc.dll -- (Dhcp)
SRV - [2008/04/14 05:41:54 | 000,045,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dnsrslvr.dll -- (Dnscache)
SRV - [2008/04/14 05:42:36 | 000,108,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (Eventlog)
SRV - [2008/04/14 05:41:54 | 000,033,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\eapsvc.dll -- (EapHost)
SRV - [2008/04/14 05:42:06 | 000,135,168 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (FastUserSwitchingCompatibility)
SRV - [2008/04/14 05:42:10 | 000,015,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\w3ssl.dll -- (HTTPFilter)
SRV - [2008/04/14 05:41:56 | 000,021,504 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\hidserv.dll -- (HidServ)
SRV - [2008/04/14 05:42:24 | 000,150,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\imapi.exe -- (ImapiService)
SRV - [2008/04/14 05:42:26 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (PolicyAgent)
SRV - [2008/04/14 05:41:54 | 000,023,552 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\WINDOWS\system32\dmserver.dll -- (dmserver)
SRV - [2008/04/14 05:42:18 | 000,224,768 | ---- | M] (Microsoft Corp., Veritas Software) [On_Demand | Stopped] -- C:\WINDOWS\System32\dmadmin.exe -- (dmadmin)
SRV - [2008/04/14 05:42:18 | 000,005,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\dllhost.exe -- (SwPrv)
SRV - [2008/04/14 05:42:26 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (Netlogon)
SRV - [2008/04/14 05:42:02 | 000,198,144 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\netman.dll -- (Netman)
SRV - [2008/04/14 05:42:02 | 000,245,248 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\mswsock.dll -- (Nla)
SRV - [2008/04/14 05:42:36 | 000,108,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (PlugPlay)
SRV - [2008/04/14 05:42:38 | 000,057,856 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\spoolsv.exe -- (Spooler)
SRV - [2008/04/14 05:42:26 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (ProtectedStorage)
SRV - [2008/04/14 05:42:04 | 000,088,576 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rasauto.dll -- (RasAuto)
SRV - [2008/04/14 05:42:04 | 000,186,368 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\rasmans.dll -- (RasMan)
SRV - [2008/04/14 05:42:06 | 000,399,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\rpcss.dll -- (RpcSs)
SRV - [2008/04/14 05:42:04 | 000,435,200 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ntmssvc.dll -- (NtmsSvc)
SRV - [2008/04/14 05:42:06 | 000,018,944 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\seclogon.dll -- (seclogon)
SRV - [2008/04/14 05:42:26 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (SamSs)
SRV - [2008/04/14 05:42:12 | 000,080,896 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\wscsvc.dll -- (wscsvc)
SRV - [2008/04/14 05:42:08 | 000,096,768 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\srvsvc.dll -- (lanmanserver)
SRV - [2008/04/14 05:42:06 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (ShellHWDetection)
SRV - [2008/04/14 05:42:08 | 000,171,008 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srsvc.dll -- (srservice)
SRV - [2008/04/14 05:42:06 | 000,192,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\schedsvc.dll -- (Schedule)
SRV - [2008/04/14 05:41:58 | 000,013,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lmhsvc.dll -- (LmHosts)
SRV - [2008/04/14 05:42:08 | 000,249,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\tapisrv.dll -- (TapiSrv)
SRV - [2008/04/14 05:42:08 | 000,295,424 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\termsrv.dll -- (TermService)
SRV - [2008/04/14 05:42:06 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (Themes)
SRV - [2008/04/14 05:42:40 | 000,289,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\vssvc.exe -- (VSS)
SRV - [2008/04/14 05:41:52 | 000,042,496 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\audiosrv.dll -- (AudioSrv)
SRV - [2008/04/14 05:41:56 | 000,331,264 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ipnathlp.dll -- (SharedAccess)
SRV - [2008/04/14 05:42:10 | 000,333,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wiaservc.dll -- (stisvc)
SRV - [2008/04/14 05:42:30 | 000,078,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\msiexec.exe -- (MSIServer)
SRV - [2008/04/14 05:42:10 | 000,144,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wbem\wmisvc.dll -- (winmgmt)
SRV - [2008/04/14 05:41:50 | 000,617,472 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\advapi32.dll -- (Wmi)
SRV - [2008/04/14 05:41:54 | 000,132,096 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dot3svc.dll -- (Dot3svc)
SRV - [2008/04/14 05:42:12 | 000,483,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wzcsvc.dll -- (WZCSVC)
SRV - [2008/04/14 05:42:10 | 000,132,096 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\wkssvc.dll -- (lanmanworkstation)

========== Drive Information ==========

Physical Drives
---------------

Drive: \\\\.\\PHYSICALDRIVE0 - Fixed\thard disk media
Interface type: IDE
Media Type: Fixed\thard disk media
Model: ST9120821AS
Partitions: 3
Status: OK
Status Info: 0

Drive: \\\\.\\PHYSICALDRIVE1 - Fixed\thard disk media
Interface type: IDE
Media Type: Fixed\thard disk media
Model: ST9120821AS
Partitions: 1
Status: OK
Status Info: 0

Partitions
---------------

DeviceID: Disk #0, Partition #0
PartitionType: Installable File System
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 97.00GB
Starting Offset: 32256
Hidden sectors: 0


DeviceID: Disk #0, Partition #1
PartitionType: Unknown
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 14.00GB
Starting Offset: 104156720640
Hidden sectors: 0


DeviceID: Disk #0, Partition #2
PartitionType: Unknown
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 1.00GB
Starting Offset: 118953999360
Hidden sectors: 0


DeviceID: Disk #1, Partition #0
PartitionType: Installable File System
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 112.00GB
Starting Offset: 32256
Hidden sectors: 0


< %SYSTEMDRIVE%\*.exe >

< %PROGRAMFILES%\*.exe >
[2008/03/10 13:48:26 | 002,939,142 | ---- | M] () -- C:\Program Files\FLVplayr.exe

< MD5 for: SERVICES >
[2004/08/10 09:00:00 | 000,007,116 | ---- | M] () MD5=95826940E657FE0567A8EC0F2A6AD11A -- C:\WINDOWS\system32\drivers\etc\services

< MD5 for: SERVICES._ >
[2004/08/10 01:00:00 | 000,001,989 | ---- | M] () MD5=29BB3BBBE3D49156A42BFB3DD000F554 -- C:\I386\SERVICES._

< MD5 for: SERVICES.DAT >
[2013/01/02 22:13:04 | 000,001,473 | ---- | M] () MD5=108383F37C9E5A81588433B23995EBD8 -- C:\JRT\services.dat

< MD5 for: SERVICES.EX_ >
[2004/08/10 01:00:00 | 000,049,955 | ---- | M] () MD5=85A738BA493104ED103B26CADEB8B543 -- C:\I386\SERVICES.EX_

< MD5 for: SERVICES.EXE >
[2009/02/06 05:06:24 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\services.exe
[2008/04/14 05:42:36 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\ServicePackFiles\i386\services.exe
[2008/04/13 18:12:34 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\services.exe
[2008/04/14 05:42:36 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\system32\services.exe
[2009/02/06 11:14:03 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=37561F8D4160D62DA86D24AE41FAE8DE -- C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\services.exe
[2009/02/06 04:22:21 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=4712531AB7A01B7EE059853CA17D39BD -- C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\services.exe
[2009/02/06 05:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\services.exe
[2004/08/10 01:00:00 | 000,108,032 | ---- | M] (Microsoft Corporation) MD5=C6CE6EEC82F187615D1002BB3BB50ED4 -- C:\pebuilder3110a\BartPE\I386\SYSTEM32\SERVICES.EXE
[2004/08/10 09:00:00 | 000,108,032 | ---- | M] (Microsoft Corporation) MD5=C6CE6EEC82F187615D1002BB3BB50ED4 -- C:\WINDOWS\$NtServicePackUninstall$\services.exe

< MD5 for: SERVICES.LNK >
[2011/02/15 10:26:12 | 000,001,604 | ---- | M] () MD5=1596DD7F1BD41F128DF5C147A9920A7D -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Services.lnk

< MD5 for: SERVICES.MS_ >
[2004/08/10 01:00:00 | 000,003,649 | ---- | M] () MD5=64E9F61D2ED093C361862DE36433B5E1 -- C:\I386\SERVICES.MS_

< MD5 for: SERVICES.MSC >
[2004/08/10 09:00:00 | 000,033,464 | ---- | M] () MD5=E8089AA2A6F7FEE89B38C1F2D77BA6C6 -- C:\WINDOWS\system32\services.msc

< End of report >
  • 0

#27
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts
Please go to Virus Total

Click on the button Choose File

Copy/paste this file and path into the white box beside File Name in the window that pops up:

C:\Program Files\FLVplayr.exe

Press Scan it- this will submit the file for testing.

Please wait for all the scanners to finish then copy and paste the results in your next response.

And tell me, are you still getting those Firewall alerts?
  • 0

#28
Indexx

Indexx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Hello Emeraldnzl,

Could not scan C:\Program Files\FLVplayr.exe. I could not view, delete or look at with quickview plus.
I booted in safe mode and deleted file. Rebooted and looked but it's not in recycle bin. Not sure where file came from but it's been there awhile. All of this started a few weeks ago.
Just tried firefox and ebay still tries to open with my.g . Many google hits point at a gamer group thing. When I click no on zonealarm it blocked 4 attemps to the same. Aol opened with a aol sounding site but blocked this
Plugin Container for Firefox was blocked from connecting to the Internet (50.16.215.100:DNS).
Destination IP 50.16.215.100:53
Direction Outgoing (connect)
Action Taken Blocked
Count 5
Source DNS
Destination DNS zedoimpressionslb-1439392850.us-east-1.elb.amazonaws

And this;

Description Plugin Container for Firefox was blocked from connecting to the Internet (192.168.1.254:DNS).
Rating High
Date / Time 2013/01/06 22:36:02-6:00 GMT
Type Program Access
Program plugin-container.exe
Source IP
Destination IP 192.168.1.254:53
Direction Outgoing (connect)
Action Taken Blocked
Count 1
Source DNS
Destination DNS launchmodem

Hmmmm

Indexx
  • 0

#29
Indexx

Indexx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Hello,
I might add that zonealarm wsa at one time blocking firefox from listening to ports 1051 and 1053. then this morning 1842 and 1844.
Now it's 1269 and 1271
It's not blocking IE.

Edited by Indexx, 06 January 2013 - 11:19 PM.

  • 0

#30
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts

Could not scan C:\Program Files\FLVplayr.exe. I could not view, delete or look at with quickview plus.
I booted in safe mode and deleted file. Rebooted and looked but it's not in recycle bin. Not sure where file came from but it's been there awhile.


You shouldn't see files executable or otherwise in the root of Program Files. It's not absolutely certain that they are bad because they are there. Might have been put there by mistake somewhere along the line. It is suspicious though.

All of this started a few weeks ago.
Just tried firefox and ebay still tries to open with my.g . Many google hits point at a gamer group thing. When I click no on zonealarm it blocked 4 attemps to the same. Aol opened with a aol sounding site but blocked this
Plugin Container for Firefox was blocked from connecting to the Internet (50.16.215.100:DNS).


Can't make up my mind whether these are false positives i.e. ZoneAlarm is blocking innocent sites for some reason; or, if there is something bad on your machine that I am not seeing.

That one - (50.16.215.100:DNS) is part of Amazon. amazonaws is to do with Amazon's web service. Do you use Amazon at all?

That together with the ebay blocking makes me think it is ZoneAlarm being overly protective. Has it asked you at some earlier time whether to allow them or not?

Also, do you use gmail through ebay or somesuch?

Oh I see you have posted again.

I might add that zonealarm wsa at one time blocking firefox from listening to ports 1o52 and 1053. then this morning 1842 and 1844.
Now it's 1269 and 1271
It's not blocking IE.


Let's do this then and see if it makes a difference:

Please run OTL.exe

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    FF - prefs.js..browser.search.update: false
    FF - prefs.js..browser.startup.homepage: "about:blank"
    FF - user.js - File not found
    [2011/12/09 01:13:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\boss.LASRIUS\Application Data\Mozilla\Extensions
    [2011/12/09 01:12:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    
    :Commands
    [emptytemp]
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.The log is saved in the same location as OTL.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP