Solved Persistent Trojan Maljava, Random Popups in firefox and slow pc

Celmak1 · 2011/02/11

[Resolved] Persistent Trojan Maljava, Random Popups in firefox and slow pc

Hello again,

I shall try to make it as concise as possible:

1-) Beginning late last week, My auto protect anti virus program (Symantec) started detecting and deleting what it called trojan maljava. This repeated itself 4 times till now. What happens is that java.exe would go nuts, slow down my computer while i am surfing the net (e.g yahoo mail, wbbs, talkingpointsmemo etc) and once the tab responsible is closed and java.exe dies, symantec moves in to counter trojan attacks that come in batches of 4 in a 10 min span. Attacks stop after that. I administered full scans (with system restore off as symantec suggested) after each attack and in the first two (i.e thursday and then sunday last week) symantec found and quarantined multiple compressed files. After the second attack, i decided to check my firefox plug in updates and realized that my java plug ins were out of date. Updating them did not solve problem though as I had two more attacks after that. The only difference now is that symantec full scans find no threats.

2-) Another problem is random popups. They appear randomly and infrequently when my browser (firefox) is on. It even happens in youtube. I am not sure if they are related or not.

3-) Finally, I have general slowness issues. After a tfc reboot, svchost.exe and wuauclt.exe burn a lot of memory for 5-7 mins before they die and slow down my pc significantly. A similar thing sometimes happens when i connect to the internet (wireless).

Now that the story id out of the way...... here are the logs as requested:

LOG-1: MalwareBytes

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5740

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/11/2011 3:16:27 PM
mbam-log-2011-02-11 (15-16-27).txt

Scan type: Quick scan
Objects scanned: 151965
Time elapsed: 8 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

LOG-2: GMER

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-11 16:09:13
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 FUJITSU_MHV2080BH_PL rev.00000029
Running: 2sq021en.exe; Driver: C:\DOCUME~1\CEMTHE~1\LOCALS~1\Temp\fgtdqpow.sys

---- System - GMER 1.0.15 ----

SSDT FE20E2A0 ZwConnectPort
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0xA9DAE620]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF7592EBF]
? C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS The system cannot find the file specified. !
? C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1720] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Udfs.SYS (UDF File System Driver/Microsoft Corporation)
Device DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\Cdfs \Cdfs A8A4C400
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [528] 0x10000000
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1240] 0x01420000

---- EOF - GMER 1.0.15 ----

Celmak1 · 2011/02/11

oooo before i forget... GMER did give me a rootkit warning window towards the end and i clicked ok. Now the last three logs

LOG-3: MBRCheck

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 165):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x80700000 \WINDOWS\system32\hal.dll
0xF8AC3000 \WINDOWS\system32\KDCOM.DLL
0xF89D3000 \WINDOWS\system32\BOOTVID.dll
0xF8574000 ACPI.sys
0xF8AC5000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF8563000 pci.sys
0xF85C3000 isapnp.sys
0xF85D3000 ohci1394.sys
0xF85E3000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF89D7000 compbatt.sys
0xF89DB000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF8B8B000 pciide.sys
0xF8843000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF8545000 pcmcia.sys
0xF85F3000 MountMgr.sys
0xF8526000 ftdisk.sys
0xF8AC7000 dmload.sys
0xF8500000 dmio.sys
0xF89DF000 ACPIEC.sys
0xF8B8C000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF884B000 PartMgr.sys
0xF8603000 VolSnap.sys
0xF84E8000 atapi.sys
0xF84B6000 KR10N.sys
0xF849E000 \WINDOWS\system32\drivers\SCSIPORT.SYS
0xF8613000 disk.sys
0xF8623000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF847E000 fltmgr.sys
0xF846C000 sr.sys
0xF8456000 DRVMCDB.SYS
0xF8633000 PxHelp20.sys
0xF843F000 KSecDD.sys
0xF842C000 WudfPf.sys
0xF839F000 Ntfs.sys
0xF8372000 NDIS.sys
0xF8358000 Mup.sys
0xF8653000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF87D3000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF8A97000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF75F6000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF75E2000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF75BA000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF88DB000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF7596000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF88E3000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF756E000 \SystemRoot\system32\drivers\tifm21.sys
0xF755A000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xF87E3000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF88EB000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7521000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF8AEB000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF88F3000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF87F3000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF88FB000 \SystemRoot\system32\drivers\iviaspi.sys
0xF8A9B000 \SystemRoot\system32\drivers\pfc.sys
0xF8AED000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
0xF8803000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF8813000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF74FE000 \SystemRoot\system32\DRIVERS\ks.sys
0xF8C19000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7791000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF831F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF74E7000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7781000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7771000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF898B000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF74D6000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7761000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF8993000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF899B000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF74A6000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7751000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF8AF1000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF7448000 \SystemRoot\system32\DRIVERS\update.sys
0xF8303000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF82FF000 \SystemRoot\system32\DRIVERS\tbiosdrv.sys
0xF8AF3000 \SystemRoot\system32\DRIVERS\NBSMI.sys
0xF7741000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAA3B3000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xAA38F000 \SystemRoot\system32\drivers\portcls.sys
0xF8713000 \SystemRoot\system32\drivers\drmk.sys
0xF8723000 \SystemRoot\system32\DRIVERS\Tvs.sys
0xF89BB000 \SystemRoot\system32\DRIVERS\tsxt_kern_i386.sys
0xF89CB000 \SystemRoot\system32\DRIVERS\wowhd_kern_i386.sys
0xF8733000 \SystemRoot\system32\DRIVERS\csiidecoder_kern_i386.sys
0xAA27C000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xF8853000 \SystemRoot\System32\Drivers\Modem.SYS
0xF8793000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xAA227000 \??\C:\Program Files\Symantec AntiVirus\savrt.sys
0xAA20A000 \??\C:\Program Files\Symantec\SYMEVENT.SYS
0xAA1CE000 \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys
0xF8ABF000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF87A3000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF889B000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF88AB000 \SystemRoot\system32\DRIVERS\NuidFltr.sys
0xF87B3000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xA9F54000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xF8323000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF88B3000 \SystemRoot\system32\DRIVERS\point32.sys
0xF8B49000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8C44000 \SystemRoot\System32\Drivers\Null.SYS
0xF8B59000 \SystemRoot\System32\Drivers\Beep.SYS
0xF8923000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
0xF8943000 \SystemRoot\System32\drivers\vga.sys
0xF8B67000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8B73000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA9F1B000 \SystemRoot\System32\Drivers\meiudf.sys
0xA9F0A000 \SystemRoot\System32\Drivers\Udfs.SYS
0xF894B000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF895B000 \SystemRoot\System32\Drivers\Npfs.SYS
0xAA1FE000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA9EF7000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA9E9E000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA9E5E000 \SystemRoot\System32\Drivers\SYMTDI.SYS
0xA9E38000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF8663000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF8673000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xA9E10000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA9DC6000 \SystemRoot\System32\drivers\afd.sys
0xF8683000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA9DA4000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xF8973000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xA9D79000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA9D09000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF8693000 \SystemRoot\System32\Drivers\Fips.SYS
0xA9CAB000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xA9C93000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF8B85000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF7428000 \SystemRoot\System32\drivers\Dxapi.sys
0xF896B000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8BD4000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF042000 \SystemRoot\System32\ialmdev5.DLL
0xBF077000 \SystemRoot\System32\ialmdd5.DLL
0xBF159000 \SystemRoot\System32\ATMFD.DLL
0xAA00F000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0xF8CE2000 \SystemRoot\System32\DLA\DLADResN.SYS
0xA9B3D000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
0xA9DFC000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
0xF8B25000 \SystemRoot\System32\DLA\DLAPoolM.SYS
0xF88BB000 \SystemRoot\System32\DLA\DLABOIOM.SYS
0xA9B25000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
0xA9B0F000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
0xF890B000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xA9B03000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xA9ABB000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA9AB3000 \SystemRoot\system32\DRIVERS\netdevio.sys
0xA964A000 \SystemRoot\system32\drivers\wdmaud.sys
0xA9937000 \SystemRoot\system32\drivers\sysaudio.sys
0xA95FA000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA92BC000 \SystemRoot\System32\Drivers\HTTP.sys
0xA914C000 \SystemRoot\system32\DRIVERS\srv.sys
0xA9355000 \SystemRoot\system32\DRIVERS\secdrv.sys
0xA8757000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI10.sys
0xA860C000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110210.003\navex15.sys
0xA85F8000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110210.003\naveng.sys
0xA8784000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
0xA97EF000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xA7702000 \??\C:\DOCUME~1\CEMTHE~1\LOCALS~1\Temp\fgtdqpow.sys
0xA8A4C000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 65):
0 System Idle Process
4 System
436 C:\WINDOWS\system32\smss.exe
492 csrss.exe
528 C:\WINDOWS\system32\winlogon.exe
576 C:\WINDOWS\system32\services.exe
588 C:\WINDOWS\system32\lsass.exe
768 C:\WINDOWS\system32\svchost.exe
840 svchost.exe
880 C:\WINDOWS\system32\svchost.exe
936 C:\WINDOWS\system32\svchost.exe
1008 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
1100 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
1240 C:\WINDOWS\explorer.exe
1292 svchost.exe
1336 svchost.exe
1408 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
1464 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
1596 C:\WINDOWS\system32\spoolsv.exe
1684 svchost.exe
1784 C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
1900 C:\Program Files\Symantec AntiVirus\DefWatch.exe
1924 C:\WINDOWS\system32\DVDRAMSV.exe
1944 C:\WINDOWS\ehome\ehrecvr.exe
1964 C:\WINDOWS\ehome\ehSched.exe
204 C:\Program Files\Java\jre6\bin\jqs.exe
388 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
480 svchost.exe
268 C:\WINDOWS\system32\svchost.exe
592 C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
928 C:\Program Files\Symantec AntiVirus\Rtvscan.exe
1024 C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
1136 mcrdsvc.exe
1720 C:\WINDOWS\system32\searchindexer.exe
2636 C:\WINDOWS\system32\dllhost.exe
2748 alg.exe
3144 C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
3156 C:\WINDOWS\system32\TDispVol.exe
3200 C:\WINDOWS\system32\hkcmd.exe
3224 C:\WINDOWS\system32\igfxpers.exe
3248 C:\WINDOWS\ehome\ehtray.exe
3312 C:\Program Files\TOSHIBA\TOSHIBA Applet\THotkey.exe
3344 C:\WINDOWS\ehome\ehmsas.exe
3332 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
3396 C:\WINDOWS\agrsmmsg.exe
3408 C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
3420 C:\WINDOWS\system32\TPSMain.exe
3448 C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
3484 C:\WINDOWS\system32\DLA\DLACTRLW.EXE
3576 C:\WINDOWS\system32\TPSBattM.exe
3584 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
3612 C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
3620 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
3628 C:\PROGRA~1\SYMANT~1\VPTray.exe
3820 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
3876 C:\Program Files\Common Files\Java\Java Update\jusched.exe
4052 C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
1980 C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
228 C:\WINDOWS\system32\ctfmon.exe
460 C:\WINDOWS\system32\RAMASST.exe
1328 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
1888 C:\WINDOWS\system32\svchost.exe
2060 C:\WINDOWS\system32\searchprotocolhost.exe
3904 searchfilterhost.exe
4032 C:\Documents and Settings\Cem the Greywolf\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: FUJITSUMHV2080BHPL, Rev: 00000029

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: 31D100779DE502702C374F7C15687B56FCFD5528

Done!

Celmak1 · 2011/02/11

and DDS logs

LOG-4: DDS.txt

DDS (Ver_10-12-12.02) - NTFSx86
Run by Cem the Greywolf at 16:32:58.53 on Fri 02/11/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.125 [GMT 0:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Cem the Greywolf\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [dla] c:\windows\system32\dla\DLACTRLW.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe "
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe "
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe "
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe "
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} - hxxp://www.lotrdvd.com/dvdkey/extended_dvd/downloads/iaieplay.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157673358311
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1254596490216
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8B67B37E-1AE2-4B99-B8CF-55AF4D58DF0D} - file:///D:/win/setup/iamce.dll
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://www.tgrthaber.com.tr/CanliYayin/ampx2.6.1.11_en_dl.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cemthe~1\applic~1\mozilla\firefox\profiles\rvlbc31j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.lse.ac.uk/
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-5 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-5 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-24 1715904]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110210.003\naveng.sys [2011-2-11 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110210.003\navex15.sys [2011-2-11 1360760]
RUnknown SASDIFSV;SASDIFSV; [x]
RUnknown SASKUTIL;SASKUTIL; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-31 136176]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-6-24 124608]
S3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\vmuvc.sys --> c:\windows\system32\drivers\VMUVC.sys [?]
S3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftuvc.sys --> c:\windows\system32\drivers\vvftUVC.sys [?]

=============== Created Last 30 ================

2011-02-11 14:57:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-11 14:57:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-11 14:57:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-21 14:44:37 439296 -c----w- c:\windows\system32\dllcache\shimgvw.dll

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

============= FINISH: 16:35:05.17 ===============

LOG-5: Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/7/2006 11:21:00 PM
System Uptime: 2/11/2011 1:37:18 PM (3 hours ago)

Motherboard: Intel Corporation | | MPAD-MSAE Customer Reference Boards
Processor: Genuine Intel(R) CPU T1350 @ 1.86GHz | U1 | 1862/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 74 GiB total, 50.044 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/Wireless 3945ABG Network Connection
Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10408086&REV_02\4&2803E7C1&0&00E2
Manufacturer: Intel Corporation
Name: Intel(R) PRO/Wireless 3945ABG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10408086&REV_02\4&2803E7C1&0&00E2
Service: w39n51

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_1092&SUBSYS_FF101179&REV_02\4&6B16D5B&0&40F0
Manufacturer: Intel
Name: Intel(R) PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_1092&SUBSYS_FF101179&REV_02\4&6B16D5B&0&40F0
Service: E100B

==== System Restore Points ===================

RP7: 2/11/2011 4:26:27 AM - System Checkpoint

==== Installed Programs ======================

Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader X
Age of Mythology Gold
AutoUpdate
Bluetooth Stack for Windows by Toshiba
CD/DVD Drive Acoustic Silencer
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD-RAM Driver
EAX Unified
ESPNMotion
Full Tilt Poker
GemMaster Mystic
Google Update Helper
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet/Wireless Software
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
Java Auto Updater
Java(TM) 6 Update 23
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
mCore
mDrWiFi
mHelp
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 6.2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Rise Of Nations
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIWA
mLogView
mMHouse
Mozilla Firefox (3.6.13)
mPfMgr
mPfWiz
mProSafe
MSN
MSVCRT
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
MSXML4 Parser
mWlsSafe
mXML
mZConfig
Office 2003 Trial Assistant
Otto
Realtek High Definition Audio Driver
Rise of Nations Thrones and Patriots
SD Secure Module
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Skype Toolbars
Skypeâ„¢ 5.0
Sonic DLA
Sonic Encoders
Sonic RecordNow!
Symantec AntiVirus
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Hotkey Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA TouchPad ON/Off Utility
TOSHIBA TV Tuner 4.0.12.73
TOSHIBA Utilities
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows Search 4.0
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB894553
Windows XP Media Center Edition 2005 KB895678
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

2/9/2011 7:41:51 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
2/8/2011 7:08:53 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.101 with the system having network hardware address 00:16:EA:2C:70:40. Network operations on this system may be disrupted as a result.
2/5/2011 7:08:01 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001302D0BF1C. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
2/4/2011 4:24:38 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Registry Service service terminated unexpectedly. It has done this 1 time(s).
2/4/2011 4:24:37 PM, error: Service Control Manager [7034] - The TOSHIBA Application Service service terminated unexpectedly. It has done this 1 time(s).
2/4/2011 4:24:36 PM, error: Service Control Manager [7034] - The Symantec Settings Manager service terminated unexpectedly. It has done this 1 time(s).
2/4/2011 4:24:36 PM, error: Service Control Manager [7034] - The Symantec Event Manager service terminated unexpectedly. It has done this 1 time(s).
2/4/2011 4:24:36 PM, error: Service Control Manager [7034] - The Symantec AntiVirus Definition Watcher service terminated unexpectedly. It has done this 1 time(s).
2/4/2011 4:24:36 PM, error: Service Control Manager [7034] - The Swupdtmr service terminated unexpectedly. It has done this 1 time(s).
2/4/2011 4:24:36 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Service service terminated unexpectedly. It has done this 1 time(s).
2/4/2011 4:24:36 PM, error: Service Control Manager [7034] - The DVD-RAM_Service service terminated unexpectedly. It has done this 1 time(s).
2/4/2011 4:24:36 PM, error: Service Control Manager [7034] - The ConfigFree Service service terminated unexpectedly. It has done this 1 time(s).
2/4/2011 4:24:35 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Event Log service terminated unexpectedly. It has done this 1 time(s).
2/4/2011 4:13:28 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/4/2011 2:52:15 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm SASDIFSV SASKUTIL SAVRT SAVRTPEL SYMTDI
2/11/2011 3:39:15 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.

==== End Of File ===========================

broni · 2011/02/11

Please, observe following rules:

Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.

If you're stuck, or you're not sure about certain step, always ask before doing anything else.

Please refrain from running tools or applying updates other than those I suggest.

Never run more than one scan at a time.

Keep updating me regarding your computer behavior, good, or bad.

The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.

If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.

I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

================================================================

It looks like possible Bamital trojan.
We'll see....

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
Upload following files to http://www.virustotal.com/ for security check:
- C:\WINDOWS\Explorer.exe
- C:\WINDOWS\system32\winlogon.exe
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.

Celmak1 · 2011/02/11

Hi Broni,

No.1: Winlogon.exe Scan Results

Antivirus Version Last update Result

AhnLab-V3 2011.02.06.00 2011.02.06 -

AntiVir 7.11.3.50 2011.02.11 -

Antiy-AVL 2.0.3.7 2011.02.11 -

Avast 4.8.1351.0 2011.02.11 -

Avast5 5.0.677.0 2011.02.11 -

AVG 10.0.0.1190 2011.02.11 -

BitDefender 7.2 2011.02.11 -

CAT-QuickHeal 11.00 2011.02.11 -

ClamAV 0.96.4.0 2011.02.11 -

Commtouch 5.2.11.5 2011.02.11 -

Comodo 7657 2011.02.11 -

DrWeb 5.0.2.03300 2011.02.11 -

Emsisoft 5.1.0.2 2011.02.11 -

eSafe 7.0.17.0 2011.02.10 -

eTrust-Vet 36.1.8154 2011.02.11 -

F-Prot 4.6.2.117 2011.02.04 -

F-Secure 9.0.16160.0 2011.02.11 -

Fortinet 4.2.254.0 2011.02.11 -

GData 21 2011.02.11 -

Ikarus T3.1.1.97.0 2011.02.11 -

Jiangmin 13.0.900 2011.02.11 -

K7AntiVirus 9.83.3828 2011.02.11 -

Kaspersky 7.0.0.125 2011.02.11 -

McAfee 5.400.0.1158 2011.02.11 -

McAfee-GW-Edition 2010.1C 2011.02.11 -

Microsoft 1.6502 2011.02.11 -

NOD32 5866 2011.02.11 -

Norman 6.07.03 2011.02.11 -

nProtect 2011-01-27.01 2011.02.02 -

Panda 10.0.3.5 2011.02.11 -

PCTools 7.0.3.5 2011.02.11 -

Prevx 3.0 2011.02.11 -

Rising 23.44.04.07 2011.02.11 -

Sophos 4.61.0 2011.02.11 -

SUPERAntiSpyware 4.40.0.1006 2011.02.11 -

Symantec 20101.3.0.103 2011.02.11 -

TheHacker 6.7.0.1.126 2011.02.10 -

TrendMicro 9.200.0.1012 2011.02.11 -

TrendMicro-HouseCall 9.200.0.1012 2011.02.11 -

VBA32 3.12.14.3 2011.02.11 -

VIPRE 8386 2011.02.11 -

ViRobot 2011.2.11.4305 2011.02.11 -

VirusBuster 13.6.195.0 2011.02.11 -

MD5: ed0ef0a136dec83df69f04118870003e

SHA1: f77a7cd78877527023ebfb35e83b75ef59d3df07

SHA256: 45377cb8e9f0120f836fc8261c711f7dbf7199117afb3652ebf100d5f0429b1e

File size: 507904 bytes

Scan date: 2011-02-11 22:57:03 (UTC)

Celmak1 · 2011/02/11

not sure whether you need these or not but to be on the safe side (Still from winlogon.exe scan)

Additional information
Show all
MD5 : ed0ef0a136dec83df69f04118870003e
SHA1 : f77a7cd78877527023ebfb35e83b75ef59d3df07
SHA256: 45377cb8e9f0120f836fc8261c711f7dbf7199117afb3652ebf100d5f0429b1e
ssdeep: 6144:kNZlxEdL5RvGlcHF37newMLao6nMnKHOD13XRnCfOVSePfLtisgZYl:jdz+lcDKao6nSKH
sRqOMgxZg
File size : 507904 bytes
First seen: 2009-02-11 22:16:03
Last seen : 2011-02-11 22:57:03
TrID:
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows NT Logon Application
original name: WINLOGON.EXE
internal name: winlogon
file version.: 5.1.2600.5512 (xpsp.080413-2113)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x3E5E1
timedatestamp....: 0x48027549 (Sun Apr 13 21:04:09 2008)
machinetype......: 0x14c (I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x70991, 0x70A00, 6.82, 39d0278af55c2446adf638b9f0236aff
.data, 0x72000, 0x4E70, 0x2000, 6.28, 44bd27282514b5e3a27b570106930d8d
.rsrc, 0x77000, 0x9020, 0x9200, 3.62, 8b50f3590d97bb27639f10bacbc53187

[[ 20 import(s) ]]
ADVAPI32.dll: ConvertStringSecurityDescriptorToSecurityDescriptorA, A_SHAInit, A_SHAUpdate, A_SHAFinal, LsaStorePrivateData, LsaRetrievePrivateData, LsaNtStatusToWinError, CryptGetUserKey, CryptGetKeyParam, CryptEncrypt, CryptSetProvParam, CryptSignHashW, CryptDeriveKey, CryptGetProvParam, RegOpenCurrentUser, RegDeleteKeyW, AddAccessAllowedAceEx, RegSetKeySecurity, I_ScSendTSMessage, MD5Init, MD5Update, MD5Final, SetFileSecurityA, AllocateLocallyUniqueId, LsaOpenPolicy, LsaQueryInformationPolicy, LsaFreeMemory, LsaClose, RegNotifyChangeKeyValue, QueryServiceConfigW, SetKernelObjectSecurity, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegEnumKeyExW, GetCurrentHwProfileW, RegCloseKey, RegQueryValueExW, RegOpenKeyW, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AddAccessAllowedAce, InitializeAcl, GetLengthSid, AllocateAndInitializeSid, RegOpenKeyExW, CreateProcessAsUserW, DuplicateTokenEx, CloseServiceHandle, ControlService, StartServiceW, QueryServiceStatus, OpenServiceW, OpenSCManagerW, EqualSid, GetTokenInformation, RegSetValueExW, RegCreateKeyExW, CryptGenRandom, CryptDestroyHash, CryptVerifySignatureW, CryptSetHashParam, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptDecrypt, ReportEventW, RegisterEventSourceW, CryptImportKey, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, RegEnumValueW, RegQueryInfoKeyW, RegDeleteValueW, CredFree, CredDeleteW, CredEnumerateW, CopySid, GetSidLengthRequired, GetSidSubAuthority, GetSidSubAuthorityCount, GetUserNameW, OpenThreadToken, EnumServicesStatusW, ImpersonateLoggedOnUser, RegQueryValueExA, CheckTokenMembership, DeregisterEventSource, LsaGetUserName, RevertToSelf, LookupAccountSidW, IsValidSid, SetTokenInformation, LogonUserW, LookupAccountNameW, OpenProcessToken, SynchronizeWindows31FilesAndWindowsNTRegistry, QueryWindows31FilesMigration, AdjustTokenPrivileges, RegQueryInfoKeyA
AUTHZ.dll: AuthzInitializeResourceManager, AuthzAccessCheck, AuthziFreeAuditEventType, AuthziInitializeAuditEvent, AuthziInitializeAuditParams, AuthziInitializeAuditEventType, AuthziLogAuditEvent, AuthzFreeAuditEvent, AuthzFreeResourceManager, AuthzFreeHandle
CRYPT32.dll: CryptImportPublicKeyInfo, CryptVerifyMessageSignature, CertCreateCertificateContext, CertSetCertificateContextProperty, CertVerifyCertificateChainPolicy, CryptSignMessage, CertCloseStore, CertComparePublicKeyInfo, CryptExportPublicKeyInfo, CertFindExtension, CryptDecryptMessage, CertGetCertificateContextProperty, CertAddCertificateContextToStore, CertOpenStore, CertVerifySubjectCertificateContext, CertGetIssuerCertificateFromStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertEnumCertificatesInStore, CryptImportPublicKeyInfoEx
GDI32.dll: RemoveFontResourceW, AddFontResourceW
KERNEL32.dll: WTSGetActiveConsoleSessionId, GetTimeFormatW, GetUserDefaultLCID, FileTimeToSystemTime, FileTimeToLocalFileTime, GetProcAddress, LoadLibraryW, GetModuleHandleW, SystemTimeToFileTime, GetSystemTime, SetLastError, TerminateProcess, GetCurrentProcess, CreateTimerQueueTimer, CreateThread, lstrcpynW, GetShortPathNameW, GetProfileStringW, FreeLibrary, ReleaseSemaphore, CreateSemaphoreW, GetSystemInfo, GetComputerNameW, GetEnvironmentVariableW, WaitForSingleObjectEx, LoadResource, FindResourceW, SetThreadExecutionState, DeleteTimerQueueTimer, ResetEvent, GetSystemDirectoryW, TransactNamedPipe, SetNamedPipeHandleState, GetTickCount, CreateFileW, GlobalGetAtomNameW, VirtualLock, VirtualQuery, GetDriveTypeW, Beep, ExpandEnvironmentStringsW, OpenMutexW, QueueUserWorkItem, LeaveCriticalSection, EnterCriticalSection, DisconnectNamedPipe, SearchPathW, lstrcatW, LocalReAlloc, TerminateThread, ResumeThread, GetDiskFreeSpaceExW, GlobalMemoryStatusEx, DeleteFileW, WriteProfileStringW, ReadFile, FindVolumeClose, FindNextVolumeW, FindFirstVolumeW, FormatMessageW, SetPriorityClass, MoveFileExW, WaitForMultipleObjectsEx, GetExitCodeProcess, SleepEx, InterlockedExchange, FindClose, FindFirstFileW, GetWindowsDirectoryW, SetTimerQueueTimer, GetComputerNameA, GetVersionExW, VerSetConditionMask, WriteFile, WaitNamedPipeW, WaitForMultipleObjects, ConnectNamedPipe, GetVersionExA, DuplicateHandle, OpenProcess, GetOverlappedResult, lstrcmpW, SetEnvironmentVariableW, UnregisterWait, CreateNamedPipeW, CreateRemoteThread, CreateActCtxW, GetModuleFileNameW, ExitProcess, LoadLibraryExW, SetErrorMode, SetUnhandledExceptionFilter, GetPrivateProfileStringW, LocalSize, VirtualAlloc, VirtualQueryEx, DebugBreak, CreateFileA, InitializeCriticalSection, ProcessIdToSessionId, SetInformationJobObject, AssignProcessToJobObject, TerminateJobObject, PostQueuedCompletionStatus, PulseEvent, GetQueuedCompletionStatus, CreateIoCompletionPort, CreateJobObjectW, ActivateActCtx, DeactivateActCtx, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetSystemTimeAsFileTime, UnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, GetCurrentProcessId, SetThreadPriority, GetCurrentThreadId, lstrcmpiW, GetProfileIntW, LoadLibraryExA, lstrcpyW, lstrlenW, Sleep, LocalAlloc, CreateEventW, GetExitCodeThread, SetThreadAffinityMask, GetProcessAffinityMask, CreateWaitableTimerW, CreateMutexW, OpenEventW, RegisterWaitForSingleObject, WaitForSingleObject, CreateProcessW, SetWaitableTimer, ReleaseMutex, SetEvent, UnregisterWaitEx, CloseHandle, lstrlenA, lstrcpyA, MultiByteToWideChar, GetACP, WideCharToMultiByte, HeapAlloc, GetProcessHeap, HeapFree, lstrcpynA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, lstrcmpiA, GetFileSize, SetFilePointer, GlobalAlloc, GlobalFree, GetLastError, LocalFree, lstrcatA, lstrcmpA, GetLogicalDriveStringsA, GetDriveTypeA, GetVolumeInformationW, GlobalMemoryStatus, CreateMutexA, FindResourceExW, LockResource, SizeofResource, VerifyVersionInfoW, GetSystemDirectoryA, GetCurrentThread, DelayLoadFailureHook, BaseInitAppcompatCacheSupport, OpenProfileUserMapping, CloseProfileUserMapping, BaseCleanupAppcompatCacheSupport, InitializeCriticalSectionAndSpinCount, VirtualProtect, CreateEventA, TlsSetValue, TlsGetValue, DeleteCriticalSection, TlsAlloc, VirtualFree, TlsFree
msvcrt.dll: wcslen, _vsnwprintf, wcsncpy, wcsstr, atoi, wcstok, memmove, wcschr, swprintf, swscanf, _local_unwind2, _wcslwr, wcscmp, _snwprintf, malloc, _c_exit, _exit, _XcptFilter, _cexit, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, __3@YAXPAX@Z, __2@YAPAXI@Z, __CxxFrameHandler, _itow, _snprintf, _wtol, _strnicmp, sscanf, wcstombs, sprintf, strchr, strncmp, atof, _ftol, isspace, wcscpy, _controlfp, wcsncmp, _wcsupr, ceil, wcscat, _except_handler3, free, _wcsicmp
NDdeApi.dll: -, -, -, -
ntdll.dll: RtlSubAuthoritySid, RtlAllocateHeap, NtPowerInformation, NtSetSystemPowerState, NtRaiseHardError, RtlDeleteCriticalSection, NtOpenSymbolicLinkObject, NtReplyPort, NtCompleteConnectPort, NtReplyWaitReceivePort, NtAcceptConnectPort, NtCreatePort, RtlConvertSidToUnicodeString, RtlFreeUnicodeString, NtLockProductActivationKeys, RtlTimeToTimeFields, NtUnmapViewOfSection, NtMapViewOfSection, NtOpenSection, NtQuerySymbolicLinkObject, NtQueryVolumeInformationFile, NtSetSecurityObject, RtlAdjustPrivilege, NtOpenFile, NtFsControlFile, RtlAllocateAndInitializeSid, RtlDestroyEnvironment, RtlFreeHeap, NtQueryInformationToken, NtShutdownSystem, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlInitializeCriticalSection, RtlCreateEnvironment, RtlQueryEnvironmentVariable_U, RtlSetEnvironmentVariable, RtlInitUnicodeString, NtOpenKey, NtQueryValueKey, RtlInitializeSid, RtlLengthRequiredSid, NtAllocateLocallyUniqueId, RtlGetDaclSecurityDescriptor, RtlCopySid, RtlLengthSid, NtSetInformationThread, NtDuplicateToken, NtDuplicateObject, RtlEqualSid, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, NtClose, RtlOpenCurrentUser, RtlAddAce, RtlCreateAcl, RtlNtStatusToDosError, NtSetInformationProcess, NtQuerySystemInformation, NtCreateEvent, NtCreatePagingFile, RtlDosPathNameToNtPathName_U, RtlRegisterWait, NtSetValueKey, NtCreateKey, RtlTimeToSecondsSince1980, NtQuerySystemTime, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtOpenProcessToken, RtlInitString, RtlUnhandledExceptionFilter, NtQueryInformationProcess, DbgBreakPoint, RtlCheckProcessParameters, RtlSetThreadIsCritical, RtlSetProcessIsCritical, RtlGetNtProductType, NtInitiatePowerAction, DbgPrint, NtFilterToken, NtQueryInformationJobObject, NtOpenEvent, RtlGetAce, RtlQueryInformationAcl, NtQuerySecurityObject, RtlCompareUnicodeString, NtOpenDirectoryObject
PROFMAP.dll: InitializeProfileMappingApi, RemapAndMoveUserW
PSAPI.DLL: EnumProcesses, EnumProcessModules, GetModuleBaseNameW
REGAPI.dll: RegDefaultUserConfigQueryW, RegUserConfigQuery
RPCRT4.dll: RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcImpersonateClient, I_RpcMapWin32Status, RpcServerRegisterIf, RpcGetAuthorizationContextForClient, RpcFreeAuthorizationContext, RpcServerListen, RpcRevertToSelf, NdrServerCall2, UuidCreate
Secur32.dll: LsaCallAuthenticationPackage, GetUserNameExW, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess
SETUPAPI.dll: SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupDiGetDeviceRegistryPropertyW
USER32.dll: SetFocus, EnumWindows, CreateWindowStationW, RegisterLogonProcess, RecordShutdownReason, LoadLocalFonts, UnhookWindowsHook, SetWindowsHookW, GetWindowTextW, CallNextHookEx, DialogBoxParamW, GetWindowPlacement, GetSystemMenu, DeleteMenu, SetWindowPlacement, SetUserObjectInformationW, GetAsyncKeyState, PostThreadMessageW, SetUserObjectSecurity, CreateDesktopW, GetMessageTime, SetTimer, SetLogonNotifyWindow, UnlockWindowStation, ReplyMessage, UnregisterHotKey, RegisterHotKey, OpenInputDesktop, GetUserObjectInformationW, CloseDesktop, RegisterDeviceNotificationW, SetThreadDesktop, CreateWindowExW, GetMessageW, TranslateMessage, RegisterWindowMessageW, RegisterClassW, SetCursor, FindWindowW, MessageBoxW, SendNotifyMessageW, PostQuitMessage, MsgWaitForMultipleObjects, GetWindowRect, GetSystemMetrics, PeekMessageW, DispatchMessageW, KillTimer, SetProcessWindowStation, UpdateWindow, ShowWindow, SetWindowPos, PostMessageW, ExitWindowsEx, EnumDisplayMonitors, SystemParametersInfoW, GetDlgItem, SendMessageW, CreateDialogParamW, DestroyWindow, GetWindowLongW, GetDlgItemTextW, EndDialog, SetWindowLongW, LoadStringW, SetWindowTextW, SetDlgItemTextW, wsprintfW, wsprintfA, LockWindowStation, MBToWCSEx, SetWindowStationUser, UpdatePerUserSystemParameters, DialogBoxIndirectParamW, wvsprintfW, SetLastErrorEx, LoadCursorW, CheckDlgButton, IsDlgButtonChecked, DefWindowProcW, CloseWindowStation, LoadImageW, GetParent, GetKeyState, GetDesktopWindow, SetForegroundWindow, SwitchDesktop, OpenDesktopW
USERENV.dll: -, WaitForUserPolicyForegroundProcessing, GetAllUsersProfileDirectoryW, -, -, -, WaitForMachinePolicyForegroundProcessing, -, -, -, UnloadUserProfile, LoadUserProfileW, -, RegisterGPNotification, CreateEnvironmentBlock, DestroyEnvironmentBlock, UnregisterGPNotification, GetUserProfileDirectoryW
VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
WINSTA.dll: WinStationRequestSessionsList, WinStationQueryLogonCredentialsW, WinStationIsHelpAssistantSession, WinStationAutoReconnect, _WinStationWaitForConnect, _WinStationNotifyLogoff, WinStationDisconnect, _WinStationCallback, WinStationNameFromLogonIdW, _WinStationFUSCanRemoteUserDisconnect, WinStationEnumerate_IndexedW, WinStationGetMachinePolicy, WinStationQueryInformationW, WinStationFreeMemory, WinStationReset, _WinStationNotifyDisconnectPipe, WinStationConnectW, WinStationSetInformationW, WinStationShutdownSystem, WinStationCheckLoopBack, _WinStationNotifyLogon
WINTRUST.dll: CryptCATAdminEnumCatalogFromHash, CryptCATCatalogInfoFromContext, CryptCATAdminCalcHashFromFileHandle, CryptCATAdminAcquireContext, CryptCATAdminReleaseCatalogContext, WTHelperProvDataFromStateData, WinVerifyTrust, WTHelperGetProvSignerFromChain, CryptCATAdminReleaseContext
WS2_32.dll: -, -, getaddrinfo
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 461312
CompanyName: Microsoft Corporation
EntryPoint: 0x3e5e1
FileDescription: Windows NT Logon Application
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 496 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 5.1.2600.5512 (xpsp.080413-2113)
FileVersionNumber: 5.1.2600.5512
ImageVersion: 21315.20512
InitializedDataSize: 57856
InternalName: winlogon
LanguageCode: English (U.S.)
LegalCopyright: Microsoft Corporation. All rights reserved.
LinkerVersion: 7.1
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 5.1
ObjectFileType: Executable application
OriginalFilename: WINLOGON.EXE
PEType: PE32
ProductName: Microsoft Windows Operating System
ProductVersion: 5.1.2600.5512
ProductVersionNumber: 5.1.2600.5512
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2008:04:13 23:04:09+02:00
UninitializedDataSize: 0

broni · 2011/02/11

I need only that first part.

Celmak1 · 2011/02/11

No. 2 explorer.exe Scan

Antivirus Version Last update Result

AhnLab-V3 2011.02.06.00 2011.02.06 -

AntiVir 7.11.3.50 2011.02.11 -

Antiy-AVL 2.0.3.7 2011.02.11 -

Avast 4.8.1351.0 2011.02.11 -

Avast5 5.0.677.0 2011.02.11 -

AVG 10.0.0.1190 2011.02.11 -

BitDefender 7.2 2011.02.11 -

CAT-QuickHeal 11.00 2011.02.11 -

ClamAV 0.96.4.0 2011.02.11 -

Commtouch 5.2.11.5 2011.02.11 -

Comodo 7657 2011.02.11 -

DrWeb 5.0.2.03300 2011.02.11 -

Emsisoft 5.1.0.2 2011.02.11 -

eTrust-Vet 36.1.8154 2011.02.11 -

F-Prot 4.6.2.117 2011.02.04 -

F-Secure 9.0.16160.0 2011.02.11 -

Fortinet 4.2.254.0 2011.02.11 -

GData 21 2011.02.11 -

Ikarus T3.1.1.97.0 2011.02.11 -

Jiangmin 13.0.900 2011.02.11 -

K7AntiVirus 9.83.3828 2011.02.11 -

Kaspersky 7.0.0.125 2011.02.11 -

McAfee 5.400.0.1158 2011.02.11 -

McAfee-GW-Edition 2010.1C 2011.02.11 -

Microsoft 1.6502 2011.02.11 -

NOD32 5866 2011.02.11 -

Norman 6.07.03 2011.02.11 -

nProtect 2011-01-27.01 2011.02.02 -

Panda 10.0.3.5 2011.02.11 -

PCTools 7.0.3.5 2011.02.11 -

Prevx 3.0 2011.02.12 -

Rising 23.44.04.07 2011.02.11 -

Sophos 4.61.0 2011.02.11 -

SUPERAntiSpyware 4.40.0.1006 2011.02.11 -

Symantec 20101.3.0.103 2011.02.11 -

TheHacker 6.7.0.1.126 2011.02.10 -

TrendMicro 9.200.0.1012 2011.02.11 -

TrendMicro-HouseCall 9.200.0.1012 2011.02.11 -

VBA32 3.12.14.3 2011.02.11 -

VIPRE 8387 2011.02.11 -

ViRobot 2011.2.11.4305 2011.02.11 -

VirusBuster 13.6.195.0 2011.02.11 -

MD5: 12896823fb95bfb3dc9b46bcaedc9923

SHA1: 9d2bf84874abc5b6e9a2744b7865c193c08d362f

SHA256: 1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455

File size: 1033728 bytes

Scan date: 2011-02-11 23:12:25 (UTC)

Additional information
Show all
MD5 : 12896823fb95bfb3dc9b46bcaedc9923
SHA1 : 9d2bf84874abc5b6e9a2744b7865c193c08d362f
SHA256: 1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455
ssdeep: 12288:HHmcoCUyZtwAvAs4wTCyrPTloHWYUrkf8w0Vnzac1/g/J/vMS:nmfty/wAvN7lrvbkf8w
0VnH1/g/J/k
File size : 1033728 bytes
First seen: 2009-02-09 08:59:31
Last seen : 2011-02-11 23:12:25
TrID:
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows Explorer
original name: EXPLORER.EXE
internal name: explorer
file version.: 6.00.2900.5512 (xpsp.080413-2105)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1A55F
timedatestamp....: 0x48025C30 (Sun Apr 13 19:17:04 2008)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x44C09, 0x44E00, 6.38, fd89c9ce334764ffdbb62637ad9b5809
.data, 0x46000, 0x1DB4, 0x1800, 1.30, 983f35021232560eaaa99fcbc1b7d359
.rsrc, 0x48000, 0xB2268, 0xB2400, 6.63, 95339c37646fa93e3695e06572a21889
.reloc, 0xFB000, 0x374C, 0x3800, 6.78, ec335057489badbf6d8142b57175fd91

[[ 13 import(s) ]]
ADVAPI32.dll: RegSetValueW, RegEnumKeyExW, GetUserNameW, RegNotifyChangeKeyValue, RegEnumValueW, RegQueryValueExA, RegOpenKeyExA, RegEnumKeyW, RegCloseKey, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegQueryValueW
BROWSEUI.dll: -, -, -, -
GDI32.dll: GetStockObject, CreatePatternBrush, OffsetViewportOrgEx, GetLayout, CombineRgn, CreateDIBSection, GetTextExtentPoint32W, StretchBlt, CreateRectRgnIndirect, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, PatBlt, GetBkColor, CreateCompatibleDC, CreateCompatibleBitmap, OffsetWindowOrgEx, DeleteDC, SetBkColor, BitBlt, ExtTextOutW, GetTextExtentPointW, GetClipBox, GetObjectW, SetTextColor, SetBkMode, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, TranslateCharsetInfo, SetStretchBltMode
KERNEL32.dll: GetSystemDirectoryW, CreateThread, CreateJobObjectW, ExitProcess, SetProcessShutdownParameters, ReleaseMutex, CreateMutexW, SetPriorityClass, GetCurrentProcess, GetStartupInfoW, GetCommandLineW, SetErrorMode, LeaveCriticalSection, EnterCriticalSection, ResetEvent, LoadLibraryExA, CompareFileTime, GetSystemTimeAsFileTime, SetThreadPriority, GetCurrentThreadId, GetThreadPriority, GetCurrentThread, GetUserDefaultLangID, Sleep, GetBinaryTypeW, GetModuleHandleExW, SystemTimeToFileTime, GetLocalTime, GetCurrentProcessId, GetEnvironmentVariableW, UnregisterWait, GlobalGetAtomNameW, GetFileAttributesW, MoveFileW, lstrcmpW, LoadLibraryExW, FindClose, FindNextFileW, FindFirstFileW, lstrcmpiA, SetEvent, AssignProcessToJobObject, GetDateFormatW, GetTimeFormatW, FlushInstructionCache, lstrcpynW, GetSystemWindowsDirectoryW, SetLastError, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapAlloc, GetUserDefaultLCID, ReadProcessMemory, OpenProcess, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, UnhandledExceptionFilter, SetUnhandledExceptionFilter, VirtualFree, VirtualAlloc, ResumeThread, TerminateProcess, TerminateThread, GetSystemDefaultLCID, GetLocaleInfoW, CreateEventW, GetLastError, OpenEventW, DelayLoadFailureHook, WaitForSingleObject, GetTickCount, ExpandEnvironmentStringsW, GetModuleFileNameW, GetPrivateProfileStringW, lstrcmpiW, CreateProcessW, FreeLibrary, GetWindowsDirectoryW, LocalAlloc, CreateFileW, DeviceIoControl, LocalFree, GetQueuedCompletionStatus, CreateIoCompletionPort, SetInformationJobObject, CloseHandle, LoadLibraryW, GetModuleHandleW, ActivateActCtx, DeactivateActCtx, GetFileAttributesExW, GetProcAddress, DeleteCriticalSection, CreateEventA, HeapDestroy, InitializeCriticalSection, MulDiv, InitializeCriticalSectionAndSpinCount, lstrlenW, InterlockedDecrement, InterlockedIncrement, GlobalAlloc, InterlockedExchange, GetModuleHandleA, GetVersionExA, GlobalFree, GetProcessTimes, lstrcpyW, GetLongPathNameW, RegisterWaitForSingleObject
msvcrt.dll: _itow, free, memmove, realloc, _except_handler3, malloc, _ftol, _vsnwprintf
ntdll.dll: RtlNtStatusToDosError, NtQueryInformationProcess
ole32.dll: CoFreeUnusedLibraries, RegisterDragDrop, CreateBindCtx, RevokeDragDrop, CoInitializeEx, CoUninitialize, OleInitialize, CoRevokeClassObject, CoRegisterClassObject, CoMarshalInterThreadInterfaceInStream, CoCreateInstance, OleUninitialize, DoDragDrop
OLEAUT32.dll: -, -
SHDOCVW.dll: -, -, -
SHELL32.dll: -, -, SHGetFolderPathW, -, -, -, -, -, ExtractIconExW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHGetSpecialFolderLocation, ShellExecuteExW, -, -, -, SHGetSpecialFolderPathW, -, -, -, SHBindToParent, -, -, -, SHParseDisplayName, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHChangeNotify, SHGetDesktopFolder, SHAddToRecentDocs, -, -, -, DuplicateIcon, -, -, -, -, -, -, -, -, SHUpdateRecycleBinIcon, SHGetFolderLocation, SHGetPathFromIDListA, -, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, -
SHLWAPI.dll: StrCpyNW, -, -, -, -, StrRetToBufW, StrRetToStrW, -, -, -, -, SHQueryValueExW, PathIsNetworkPathW, -, AssocCreate, -, -, -, -, -, StrCatW, StrCpyW, -, -, -, -, -, -, SHGetValueW, -, StrCmpNIW, PathRemoveBlanksW, PathRemoveArgsW, PathFindFileNameW, StrStrIW, PathGetArgsW, -, StrToIntW, SHRegGetBoolUSValueW, SHRegWriteUSValueW, SHRegCloseUSKey, SHRegCreateUSKeyW, SHRegGetUSValueW, SHSetValueW, -, PathAppendW, PathUnquoteSpacesW, -, -, PathQuoteSpacesW, -, SHSetThreadRef, SHCreateThreadRef, -, -, -, PathCombineW, -, -, -, SHStrDupW, PathIsPrefixW, PathParseIconLocationW, AssocQueryKeyW, -, AssocQueryStringW, StrCmpW, -, -, -, -, -, -, -, -, SHRegQueryUSValueW, SHRegOpenUSKeyW, SHRegSetUSValueW, PathIsDirectoryW, PathFileExistsW, PathGetDriveNumberW, -, StrChrW, PathFindExtensionW, -, -, PathRemoveFileSpecW, PathStripToRootW, -, -, -, SHOpenRegStream2W, -, -, -, StrDupW, SHDeleteValueW, StrCatBuffW, SHDeleteKeyW, StrCmpIW, -, -, wnsprintfW, -, -, StrCmpNW, -, -
USER32.dll: TileWindows, GetDoubleClickTime, GetSystemMetrics, GetSysColorBrush, AllowSetForegroundWindow, LoadMenuW, GetSubMenu, RemoveMenu, SetParent, GetMessagePos, CheckDlgButton, EnableWindow, GetDlgItemInt, SetDlgItemInt, CopyIcon, AdjustWindowRectEx, DrawFocusRect, DrawEdge, ExitWindowsEx, WindowFromPoint, SetRect, AppendMenuW, LoadAcceleratorsW, LoadBitmapW, SendNotifyMessageW, SetWindowPlacement, CheckMenuItem, EndDialog, SendDlgItemMessageW, MessageBeep, GetActiveWindow, PostQuitMessage, MoveWindow, GetDlgItem, RemovePropW, GetClassNameW, GetDCEx, SetCursorPos, ChildWindowFromPoint, ChangeDisplaySettingsW, RegisterHotKey, UnregisterHotKey, SetCursor, SendMessageTimeoutW, GetWindowPlacement, LoadImageW, SetWindowRgn, IntersectRect, OffsetRect, EnumDisplayMonitors, RedrawWindow, SubtractRect, TranslateAcceleratorW, WaitMessage, InflateRect, CallWindowProcW, GetDlgCtrlID, SetCapture, LockSetForegroundWindow, SystemParametersInfoW, FindWindowW, CreatePopupMenu, GetMenuDefaultItem, DestroyMenu, GetShellWindow, EnumChildWindows, GetWindowLongW, SendMessageW, RegisterWindowMessageW, GetKeyState, CopyRect, MonitorFromRect, MonitorFromPoint, RegisterClassW, SetPropW, GetWindowLongA, SetWindowLongW, FillRect, GetCursorPos, MessageBoxW, LoadStringW, ReleaseDC, GetDC, EnumDisplaySettingsExW, EnumDisplayDevicesW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, PeekMessageW, PtInRect, BeginPaint, EndPaint, SetWindowTextW, GetAsyncKeyState, InvalidateRect, GetWindow, ShowWindowAsync, TrackPopupMenuEx, UpdateWindow, DestroyIcon, IsRectEmpty, SetActiveWindow, GetSysColor, DrawTextW, IsHungAppWindow, SetTimer, GetMenuItemID, TrackPopupMenu, EndTask, SendMessageCallbackW, GetClassLongW, LoadIconW, OpenInputDesktop, CloseDesktop, SetScrollPos, ShowWindow, BringWindowToTop, GetDesktopWindow, CascadeWindows, CharUpperBuffW, SwitchToThisWindow, InternalGetWindowText, GetScrollInfo, GetMenuItemCount, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, CharNextA, RegisterClipboardFormatW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, PrintWindow, SetClassLongW, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, ChildWindowFromPointEx, IsChild, NotifyWinEvent, TrackMouseEvent, GetCapture, GetAncestor, CharUpperW, SetWindowLongA, DrawCaption, ModifyMenuW, InsertMenuW, IsWindowEnabled, GetMenuState, LoadCursorW, GetParent, IsDlgButtonChecked, DestroyWindow, EnumWindows, IsWindowVisible, GetClientRect, UnionRect, EqualRect, GetWindowThreadProcessId, GetForegroundWindow, KillTimer, GetClassInfoExW, DefWindowProcW, RegisterClassExW, GetIconInfo, SetScrollInfo, GetLastActivePopup, SetForegroundWindow, IsWindow, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, SetMenuDefaultItem, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, GetFocus, SetFocus, MapWindowPoints, ScreenToClient, ClientToScreen, GetWindowRect, SetWindowPos, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharNextW
UxTheme.dll: GetThemeBackgroundContentRect, GetThemeBool, GetThemePartSize, DrawThemeParentBackground, OpenThemeData, DrawThemeBackground, GetThemeTextExtent, DrawThemeText, CloseThemeData, SetWindowTheme, GetThemeBackgroundRegion, -, GetThemeMargins, GetThemeColor, GetThemeFont, GetThemeRect, IsAppThemed
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 282112
CompanyName: Microsoft Corporation
EntryPoint: 0x1a55f
FileDescription: Windows Explorer
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 1010 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 6.00.2900.5512 (xpsp.080413-2105)
FileVersionNumber: 6.0.2900.5512
ImageVersion: 5.1
InitializedDataSize: 752128
InternalName: explorer
LanguageCode: English (U.S.)
LegalCopyright: Microsoft Corporation. All rights reserved.
LinkerVersion: 7.1
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 5.1
ObjectFileType: Executable application
OriginalFilename: EXPLORER.EXE
PEType: PE32
ProductName: Microsoft Windows Operating System
ProductVersion: 6.00.2900.5512
ProductVersionNumber: 6.0.2900.5512
Subsystem: Windows GUI
SubsystemVersion: 4.1
TimeStamp: 2008:04:13 21:17:04+02:00
UninitializedDataSize: 0

Celmak1 · 2011/02/11

oops sorry broni i have copied and pasted it a few seconds before seeing your message

broni · 2011/02/11

Not a problem

Download TDSSKiller and save it to your desktop.

Extract (unzip) its contents to your desktop.

Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

It may ask you to reboot the computer to complete the process. Click on Reboot Now.

If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.

If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

Celmak1 · 2011/02/11

Broni,
Unfortunately, I am feeling depleted at the moment and gotta go and sleep. I downloaded zip file to my desktop and will be doing requested scan first thing in the morning tomorrow. Thanks again for your help, see you tomorrow

broni · 2011/02/11

No problem

Celmak1 · 2011/02/12

Hi Broni,
If i knew that scan would take less than a min, i would have done it last night By the way, I still have two files quarantined in symantec. Would you like to see what they are?

tdsskiller log as requested

2011/02/12 13:45:56.0687 1044 TDSS rootkit removing tool 2.4.17.0 Feb 10 2011 11:07:20
2011/02/12 13:45:56.0796 1044 ================================================================================
2011/02/12 13:45:56.0796 1044 SystemInfo:
2011/02/12 13:45:56.0796 1044
2011/02/12 13:45:56.0796 1044 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/12 13:45:56.0796 1044 Product type: Workstation
2011/02/12 13:45:56.0796 1044 ComputerName: CEM
2011/02/12 13:45:56.0796 1044 UserName: Cem the Greywolf
2011/02/12 13:45:56.0796 1044 Windows directory: C:\WINDOWS
2011/02/12 13:45:56.0796 1044 System windows directory: C:\WINDOWS
2011/02/12 13:45:56.0796 1044 Processor architecture: Intel x86
2011/02/12 13:45:56.0796 1044 Number of processors: 1
2011/02/12 13:45:56.0796 1044 Page size: 0x1000
2011/02/12 13:45:56.0796 1044 Boot type: Normal boot
2011/02/12 13:45:56.0796 1044 ================================================================================
2011/02/12 13:45:57.0718 1044 Initialize success
2011/02/12 13:46:15.0359 2100 ================================================================================
2011/02/12 13:46:15.0359 2100 Scan started
2011/02/12 13:46:15.0359 2100 Mode: Manual;
2011/02/12 13:46:15.0359 2100 ================================================================================
2011/02/12 13:46:16.0812 2100 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/12 13:46:16.0906 2100 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/02/12 13:46:17.0046 2100 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/02/12 13:46:17.0187 2100 AegisP (12dafd934641dcf61e446313bc261ec2) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/02/12 13:46:17.0296 2100 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/02/12 13:46:17.0421 2100 AgereSoftModem (b3192376c7a3814b5341efc2202022f8) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2011/02/12 13:46:17.0875 2100 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/02/12 13:46:18.0187 2100 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/02/12 13:46:18.0281 2100 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/12 13:46:18.0453 2100 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/02/12 13:46:18.0531 2100 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/02/12 13:46:18.0671 2100 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/02/12 13:46:18.0765 2100 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/02/12 13:46:18.0890 2100 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/02/12 13:46:19.0140 2100 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/02/12 13:46:19.0234 2100 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/02/12 13:46:19.0359 2100 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/02/12 13:46:19.0593 2100 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/02/12 13:46:19.0843 2100 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/02/12 13:46:20.0140 2100 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/02/12 13:46:20.0250 2100 DLABOIOM (ee4325becef51b8c32b4329097e4f301) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
2011/02/12 13:46:20.0375 2100 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2011/02/12 13:46:20.0468 2100 DLADResN (1e6c6597833a04c2157be7b39ea92ce1) C:\WINDOWS\system32\DLA\DLADResN.SYS
2011/02/12 13:46:20.0531 2100 DLAIFS_M (752376e109a090970bfa9722f0f40b03) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
2011/02/12 13:46:20.0578 2100 DLAOPIOM (62ee7902e74b90bf1ccc4643fc6c07a7) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
2011/02/12 13:46:20.0703 2100 DLAPoolM (5c220124c5afeaee84a9bb89d685c17b) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
2011/02/12 13:46:20.0765 2100 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
2011/02/12 13:46:20.0812 2100 DLAUDFAM (4ebb78d9bbf072119363b35b9b3e518f) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
2011/02/12 13:46:20.0875 2100 DLAUDF_M (333b770e52d2cea7bd86391120466e43) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
2011/02/12 13:46:21.0031 2100 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/02/12 13:46:21.0234 2100 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/02/12 13:46:21.0296 2100 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/02/12 13:46:21.0359 2100 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/02/12 13:46:21.0546 2100 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/02/12 13:46:21.0656 2100 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2011/02/12 13:46:21.0718 2100 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2011/02/12 13:46:21.0828 2100 E100B (2646883e6dd867cd872d5b51b6036710) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/02/12 13:46:21.0968 2100 e1express (e1fa10ed8f9f700c1be1eae05a80ef57) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2011/02/12 13:46:22.0140 2100 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/02/12 13:46:22.0234 2100 EraserUtilDrvI10 (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI10.sys
2011/02/12 13:46:22.0453 2100 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/02/12 13:46:22.0562 2100 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/02/12 13:46:22.0640 2100 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/02/12 13:46:22.0687 2100 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/02/12 13:46:22.0796 2100 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/02/12 13:46:22.0984 2100 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/02/12 13:46:23.0046 2100 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/02/12 13:46:23.0125 2100 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/02/12 13:46:23.0250 2100 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/02/12 13:46:23.0328 2100 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/02/12 13:46:23.0609 2100 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/02/12 13:46:23.0796 2100 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/02/12 13:46:23.0953 2100 ialm (bc1f1ff8d5800398937966cdb0a97fdc) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/02/12 13:46:24.0250 2100 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/02/12 13:46:24.0515 2100 IntcAzAudAddService (b12a9fc49cd2765a43829d834f518aed) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/02/12 13:46:24.0875 2100 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/02/12 13:46:25.0046 2100 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/02/12 13:46:25.0140 2100 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/02/12 13:46:25.0218 2100 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/02/12 13:46:25.0296 2100 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/02/12 13:46:25.0406 2100 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/02/12 13:46:25.0578 2100 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/02/12 13:46:25.0703 2100 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/02/12 13:46:25.0765 2100 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys
2011/02/12 13:46:25.0828 2100 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/02/12 13:46:25.0921 2100 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/02/12 13:46:26.0062 2100 KR10N (00c1ea8decf810b8eccb5c5a8186a96e) C:\WINDOWS\system32\drivers\KR10N.sys
2011/02/12 13:46:26.0171 2100 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/02/12 13:46:26.0359 2100 meiudf (7efac183a25b30fb5d64cc9d484b1eb6) C:\WINDOWS\system32\Drivers\meiudf.sys
2011/02/12 13:46:26.0468 2100 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2011/02/12 13:46:26.0562 2100 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/02/12 13:46:26.0687 2100 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/02/12 13:46:26.0875 2100 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/02/12 13:46:27.0000 2100 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/02/12 13:46:27.0093 2100 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/02/12 13:46:27.0218 2100 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/02/12 13:46:27.0390 2100 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/02/12 13:46:27.0515 2100 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/02/12 13:46:27.0609 2100 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/02/12 13:46:27.0687 2100 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/02/12 13:46:27.0781 2100 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/02/12 13:46:27.0953 2100 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/02/12 13:46:28.0031 2100 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/02/12 13:46:28.0171 2100 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/02/12 13:46:28.0250 2100 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/02/12 13:46:28.0390 2100 NAVENG (c8ef74e4d8105b1d02d58ea4734cf616) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110211.006\naveng.sys
2011/02/12 13:46:28.0468 2100 NAVEX15 (94b3164055d821a62944d9fe84036470) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110211.006\navex15.sys
2011/02/12 13:46:28.0671 2100 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/02/12 13:46:28.0765 2100 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/02/12 13:46:28.0859 2100 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/02/12 13:46:28.0937 2100 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/02/12 13:46:29.0000 2100 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/02/12 13:46:29.0218 2100 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/02/12 13:46:29.0296 2100 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/02/12 13:46:29.0375 2100 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/02/12 13:46:29.0500 2100 Netdevio (1265eb253ed4ebe4acb3bd5f548ff796) C:\WINDOWS\system32\DRIVERS\netdevio.sys
2011/02/12 13:46:29.0640 2100 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/02/12 13:46:29.0796 2100 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/02/12 13:46:29.0875 2100 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/02/12 13:46:30.0031 2100 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
2011/02/12 13:46:30.0140 2100 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/02/12 13:46:30.0281 2100 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/02/12 13:46:30.0359 2100 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/02/12 13:46:30.0468 2100 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/02/12 13:46:30.0578 2100 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/02/12 13:46:30.0734 2100 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/02/12 13:46:30.0843 2100 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/02/12 13:46:30.0953 2100 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/02/12 13:46:31.0062 2100 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/02/12 13:46:31.0125 2100 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/02/12 13:46:31.0593 2100 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys
2011/02/12 13:46:31.0734 2100 Point32 (b4f59a953ef9e507f0d00c3a68580b8b) C:\WINDOWS\system32\DRIVERS\point32.sys
2011/02/12 13:46:31.0906 2100 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/02/12 13:46:31.0968 2100 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/02/12 13:46:32.0015 2100 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/02/12 13:46:32.0109 2100 PxHelp20 (1962166e0ceb740704f30fa55ad3d509) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/02/12 13:46:32.0562 2100 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/02/12 13:46:32.0656 2100 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/02/12 13:46:32.0734 2100 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/02/12 13:46:32.0796 2100 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/02/12 13:46:32.0890 2100 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/02/12 13:46:33.0062 2100 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/02/12 13:46:33.0140 2100 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/02/12 13:46:33.0234 2100 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/02/12 13:46:33.0343 2100 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/02/12 13:46:33.0453 2100 s24trans (1cc074e0d48383d4e9bffc6a26c2a58a) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2011/02/12 13:46:33.0578 2100 SAVRT (a00d5aa4748a1002590f08aa00fc660d) C:\Program Files\Symantec AntiVirus\savrt.sys
2011/02/12 13:46:33.0625 2100 SAVRTPEL (1e805005583be1c1568a3fce259c81e3) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
2011/02/12 13:46:33.0796 2100 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/02/12 13:46:33.0890 2100 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/02/12 13:46:33.0984 2100 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/02/12 13:46:34.0109 2100 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2011/02/12 13:46:34.0359 2100 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/02/12 13:46:34.0578 2100 SPBBCDrv (c30fa11923892a4dbd1c747db8492e8f) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
2011/02/12 13:46:34.0687 2100 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/02/12 13:46:34.0906 2100 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/02/12 13:46:35.0031 2100 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/02/12 13:46:35.0125 2100 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/02/12 13:46:35.0328 2100 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/02/12 13:46:35.0484 2100 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/02/12 13:46:35.0687 2100 SymEvent (3feeb051c94f5005f56423619315273b) C:\Program Files\Symantec\SYMEVENT.SYS
2011/02/12 13:46:35.0781 2100 SYMREDRV (8d668fe83a439e2166b7defff995cddc) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2011/02/12 13:46:35.0890 2100 SYMTDI (b825e10cd61046672fef234820842c42) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2011/02/12 13:46:36.0281 2100 SynTP (cfb41bf11ae95c26133bae3ec2e334bd) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/02/12 13:46:36.0375 2100 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/02/12 13:46:36.0515 2100 tbiosdrv (7147b0575bcc93a6ab7d5c90f47c0b9f) C:\WINDOWS\system32\DRIVERS\tbiosdrv.sys
2011/02/12 13:46:36.0687 2100 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/02/12 13:46:36.0781 2100 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/02/12 13:46:36.0875 2100 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/02/12 13:46:36.0984 2100 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/02/12 13:46:37.0109 2100 tifm21 (244cfbffdefb77f3df571a8cd108fc06) C:\WINDOWS\system32\drivers\tifm21.sys
2011/02/12 13:46:37.0312 2100 tosrfec (cc069342ee0eae55b32a0ae99cf6185c) C:\WINDOWS\system32\DRIVERS\tosrfec.sys
2011/02/12 13:46:37.0406 2100 TVALD (676db15ddf2e0ff6ec03068dea428b8b) C:\WINDOWS\system32\DRIVERS\NBSMI.sys
2011/02/12 13:46:37.0531 2100 Tvs (cc6763889198ef975b143d49789bcfa9) C:\WINDOWS\system32\DRIVERS\Tvs.sys
2011/02/12 13:46:37.0656 2100 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/02/12 13:46:37.0828 2100 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/02/12 13:46:37.0953 2100 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/02/12 13:46:38.0156 2100 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/02/12 13:46:38.0250 2100 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/02/12 13:46:38.0343 2100 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/02/12 13:46:38.0453 2100 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/02/12 13:46:38.0609 2100 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/02/12 13:46:38.0703 2100 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/02/12 13:46:38.0953 2100 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/02/12 13:46:39.0296 2100 w39n51 (b1f126e7e28877106d60e6ff3998d033) C:\WINDOWS\system32\DRIVERS\w39n51.sys
2011/02/12 13:46:39.0531 2100 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/02/12 13:46:39.0671 2100 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2011/02/12 13:46:39.0781 2100 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/02/12 13:46:39.0921 2100 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/02/12 13:46:40.0125 2100 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/02/12 13:46:40.0296 2100 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/02/12 13:46:40.0406 2100 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/02/12 13:46:40.0500 2100 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/02/12 13:46:40.0734 2100 ================================================================================
2011/02/12 13:46:40.0734 2100 Scan finished
2011/02/12 13:46:40.0734 2100 ================================================================================

broni · 2011/02/12

By the way, I still have two files quarantined in symantec. Would you like to see what they are?
Click to expand...

Sure.

Please download ComboFix from [color= "Red"]Here[/color] or [color= "#FF0000"]Here[/color] to your Desktop.

[color= "Blue"]**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**[/color]

Please, never rename Combofix unless instructed.

Close any open browsers.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results ".

Click on [color= "Red"]this link[/color] to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

Close any open browsers.

[color= "Red"]WARNING:[/color] Combofix will disconnect your machine from the Internet as soon as it starts

Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.

If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results ". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion ", restart computer to fix the issue.

Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

Double-click on the Rkill desktop icon to run the tool.

If using Vista or Windows 7 right-click on it and choose Run As Administrator.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

If not, delete the file, then download and use the one provided in Link 2.

If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.

Do not reboot until instructed.

If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

Celmak1 · 2011/02/12

Combofix file is on the way.

Quarantined items in symantec are two compressed files that contain infected files:

First One:
Compressed File Name: 5544f2b9-3c48f63c
Original Location: C:\Documents and Settings\Cem the Greywolf\Application Data\Sun\Java\Deployment\cache6.0\57\
Name of the infected file: kilo\perev.class Symantec named it as Trojan.Gen.2

Second One:

Compressed File Name: 58eede43-573d4e35
Original Location: C:\Documents and Settings\Cem the Greywolf\Application Data\Sun\Java\Deployment\cache6.0\3\
Name of the infected files: bpac/purok.class and bpac\KAVS.class Symantec named these as Trojan.ByteVerify

broni · 2011/02/12

OK, go on....

Celmak1 · 2011/02/12

Hi Broni,
Sorry for the delay, internet decided to go crazy on me. Combofix log is below the fold:

ComboFix 11-02-12.01 - Cem the Greywolf 02/12/2011 19:43:58.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.111 [GMT 0:00]
Running from: c:\documents and settings\Cem the Greywolf\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2011-01-12 to 2011-02-12 )))))))))))))))))))))))))))))))
.

2011-02-11 14:57 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-11 14:57 . 2011-02-11 14:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-11 14:57 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-01 22:32 . 2011-02-01 22:32 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2011-02-01 22:32 . 2011-02-01 22:32 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2011-01-21 14:44 . 2011-01-21 14:44 439296 -c----w- c:\windows\system32\dllcache\shimgvw.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2006-02-15 14:03 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2006-02-15 14:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2006-02-15 14:04 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2006-02-15 14:02 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2006-02-15 14:04 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2006-02-15 14:02 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2006-02-15 14:02 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2006-02-15 14:02 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2006-02-15 14:02 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2006-02-15 14:03 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2006-02-15 14:02 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2006-02-15 14:03 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-11-18 18:12 . 2006-02-15 15:36 81920 ----a-w- c:\windows\system32\isign32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD "= "c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"msnmsgr "= "c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TFncKy "= "TFncKy.exe" [BU]
"TDispVol "= "TDispVol.exe" [2005-03-11 73728]
"igfxtray "= "c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd "= "c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers "= "c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ehTray "= "c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"THotkey "= "c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr "= "c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]
"SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1343488]
"AGRSMMSG "= "AGRSMMSG.exe" [2005-10-15 88203]
"Tvs "= "c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TPSMain "= "TPSMain.exe" [2005-06-01 282624]
"SmoothView "= "c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"dla "= "c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]
"Pinger "= "c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"IntelZeroConfig "= "c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless "= "c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray "= "c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-24 85696]
"IntelliPoint "= "c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5} "= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride "=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe "=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe "= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
"c:\\Program Files\\Messenger\\msmsgs.exe "=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe "=
"%windir%\\Network Diagnostic\\xpnetdiag.exe "=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD "=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD "=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe "=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe "=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe "=
"c:\\Program Files\\Skype\\Phone\\Skype.exe "=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe "=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest "= 1 (0x1)

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/31/2010 1:00 AM 136176]
S3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\Drivers\VMUVC.sys --> c:\windows\system32\Drivers\VMUVC.sys [?]
S3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys --> c:\windows\system32\drivers\vvftUVC.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMD25
*Deregistered* - EraserUtilDrvI10
*Deregistered* - klmd25
.
Contents of the 'Scheduled Tasks' folder

2011-02-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 00:59]

2011-02-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 00:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {8B67B37E-1AE2-4B99-B8CF-55AF4D58DF0D} - file:///D:/win/setup/iamce.dll
FF - ProfilePath - c:\documents and settings\Cem the Greywolf\Application Data\Mozilla\Firefox\Profiles\rvlbc31j.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.lse.ac.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-12 19:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3992)
c:\windows\system32\WININET.dll
c:\windows\system32\TDispVol.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
Completion time: 2011-02-12 20:02:51
ComboFix-quarantined-files.txt 2011-02-12 20:02

Pre-Run: 53,702,983,680 bytes free
Post-Run: 53,674,409,984 bytes free

- - End Of File - - 57BDFE8B1DFC9A4BC70887B3E7FCC407

broni · 2011/02/12

That looks good.

Please download Rootkit Unhooker from one of the following links and save it to your desktop.

Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.

Double-click on RKUnhookerLE.exe to start the program.
Vista/Windows 7 users right-click and select Run As Administrator.

Click the Report tab, then click Scan.

Check Drivers, Stealth, and uncheck the rest.

Click OK.

Wait until it's finished and then go to File > Save Report.

Save the report to your Desktop.

Copy and paste the contents of the report into your next reply.

-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay? ".

Celmak1 · 2011/02/12

Hi Broni, Below is the Rootkit Unhooker Log

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xAA3B3000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4247552 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2265088 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2265088 bytes
0x804D7000 RAW 2265088 bytes
0x804D7000 WMIxWDM 2265088 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xA6D73000 C:\WINDOWS\system32\DRIVERS\w39n51.sys 1429504 bytes (Intel® Corporation, Intel® Wireless LAN Driver)
0xF75C3000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 1355776 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xA6872000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110212.004\navex15.sys 1355776 bytes (Symantec Corporation, AV Engine)
0xAA27C000 C:\WINDOWS\system32\DRIVERS\AGRSM.sys 1126400 bytes (Agere Systems, SoftModem Device Driver)
0xBF077000 C:\WINDOWS\System32\ialmdd5.DLL 925696 bytes (Intel Corporation, DirectDraw(R) Driver for Intel(R) Graphics Technology)
0xF839F000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA9F54000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0xA9D2B000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xA9CCD000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0xF7415000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA9E9E000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA916E000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xAA227000 C:\Program Files\Symantec AntiVirus\savrt.sys 348160 bytes (Symantec Corporation, AutoProtect)
0xBF159000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA92B6000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xA9E5E000 C:\WINDOWS\System32\Drivers\SYMTDI.SYS 262144 bytes (Symantec Corporation, Network Dispatch Driver)
0xF74EE000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 233472 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0xBF042000 C:\WINDOWS\System32\ialmdev5.DLL 217088 bytes (Intel Corporation, Component GHAL Driver)
0xF84B6000 KR10N.sys 204800 bytes (TOSHIBA CORPORATION, TOSHIBA RAID Driver)
0xF7473000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF8574000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA962C000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF8372000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA67D2000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA9D9B000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF7587000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA9E10000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF753B000 C:\WINDOWS\system32\drivers\tifm21.sys 163840 bytes (Texas Instruments, tifm21.sys)
0xF8500000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA9E38000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xAA38F000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF7563000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF74CB000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA9DEE000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 139264 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0x80700000 ACPI_HAL 134400 bytes
0x80700000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF847E000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF8526000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF8545000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xA69BD000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI10.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0xAA20A000 C:\Program Files\Symantec\SYMEVENT.SYS 118784 bytes (Symantec Corporation, Symantec Event Library)
0xF8358000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xA9F1B000 C:\WINDOWS\System32\Drivers\meiudf.sys 102400 bytes (Matsushita Electric Industrial Co.,Ltd., DVD-RAM UDF File System Driver)
0xF84E8000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA9B47000 C:\WINDOWS\System32\DLA\DLAUDFAM.SYS 98304 bytes (Sonic Solutions, Drive Letter Access Component)
0xA9CB5000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF849E000 C:\WINDOWS\system32\drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF843F000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF74B4000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA9B5F000 C:\WINDOWS\System32\DLA\DLAIFS_M.SYS 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xA9B31000 C:\WINDOWS\System32\DLA\DLAUDF_M.SYS 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xF8456000 DRVMCDB.SYS 90112 bytes (Sonic Solutions, Device Driver)
0xA95EF000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xA685E000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110212.004\naveng.sys 81920 bytes (Symantec Corporation, AV Engine)
0xAA1CE000 C:\Program Files\Symantec AntiVirus\Savrtpel.sys 81920 bytes (Symantec Corporation, SAVRTPEL)
0xF7527000 C:\WINDOWS\system32\DRIVERS\sdbus.sys 81920 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0xF75AF000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA9EF7000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF842C000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF846C000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF8563000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF74A3000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xA9F0A000 C:\WINDOWS\System32\Drivers\Udfs.SYS 69632 bytes (Microsoft Corporation, UDF File System Driver)
0xA89FE000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF8813000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF8653000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF85D3000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF86A3000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF8733000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF8823000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA97B1000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF87B3000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF85E3000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xF8623000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF87F3000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF773E000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF8603000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF87D3000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xF770E000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF86C3000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF8803000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF85F3000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF771E000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF8743000 C:\WINDOWS\system32\DRIVERS\Tvs.sys 45056 bytes (TOSHIBA Corporation, TOSHIBA Audio Filter Driver)
0xA9FFF000 C:\WINDOWS\System32\Drivers\DRVNDDM.SYS 40960 bytes (Sonic Solutions, Device Driver Manager)
0xF85C3000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF8703000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xA9689000 C:\WINDOWS\system32\DRIVERS\secdrv.sys 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0xF86F3000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF8753000 C:\WINDOWS\system32\DRIVERS\csiidecoder_kern_i386.sys 36864 bytes (-, SRS Labs CSII Decoder Kernel DLL)
0xF8613000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF87C3000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF87E3000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF86E3000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF86B3000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA88BE000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF8633000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF8693000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF889B000 C:\DOCUME~1\CEMTHE~1\LOCALS~1\Temp\catchme.sys 32768 bytes
0xF8853000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF895B000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF89BB000 C:\WINDOWS\system32\DRIVERS\tsxt_kern_i386.sys 32768 bytes (-, SRS Labs TruSurround XT kernel DLL)
0xF88F3000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF88A3000 C:\WINDOWS\System32\DLA\DLABOIOM.SYS 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xF88BB000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF88C3000 C:\WINDOWS\system32\DRIVERS\NuidFltr.sys 28672 bytes (Microsoft Corporation, Filter Driver for Microsoft Hardware HID Non-User Input Data)
0xF8843000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF89CB000 C:\WINDOWS\system32\DRIVERS\wowhd_kern_i386.sys 28672 bytes (SRS Labs, Inc., WOW HD kernel mode DLL for Windows)
0xF892B000 C:\WINDOWS\System32\Drivers\DLARTL_N.SYS 24576 bytes (Sonic Solutions, Shared Driver Component)
0xF890B000 C:\WINDOWS\system32\drivers\iviaspi.sys 24576 bytes (InterVideo, Inc., InterVideo ASPI Shell)
0xF88FB000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF8903000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF88CB000 C:\WINDOWS\system32\DRIVERS\point32.sys 24576 bytes (Microsoft Corporation, Point32.sys)
0xF88EB000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF894B000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF88D3000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0xF8953000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF884B000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF8993000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF899B000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF898B000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF897B000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xA8C16000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xF89DB000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF8A9B000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xA9DDA000 C:\WINDOWS\System32\DLA\DLAOPIOM.SYS 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0xF82FF000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA9AF5000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xA9DD6000 C:\WINDOWS\system32\DRIVERS\s24trans.sys 16384 bytes (Intel Corporation, Intel WLAN Packet Driver)
0xF89DF000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xF89D3000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF89D7000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xF7409000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF8ABB000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF8AB7000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF831F000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xA9AED000 C:\WINDOWS\system32\DRIVERS\netdevio.sys 12288 bytes (TOSHIBA Corporation., Network Device Usermode I/O protocol)
0xF8A9F000 C:\WINDOWS\system32\drivers\pfc.sys 12288 bytes (Padus, Inc., Padus(R) ASPI Shell)
0xF8A93000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xA8902000 C:\WINDOWS\System32\Drivers\SYMREDRV.SYS 12288 bytes (Symantec Corporation, Redirector Filter Driver)
0xF7CF2000 C:\WINDOWS\system32\DRIVERS\tbiosdrv.sys 12288 bytes
0xF8B5B000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF8AE7000 C:\WINDOWS\System32\Drivers\DLACDBHM.SYS 8192 bytes (Sonic Solutions, Shared Driver Component)
0xF8B37000 C:\WINDOWS\System32\DLA\DLAPoolM.SYS 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xF8AC7000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF8B89000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF8B49000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF8AC3000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF8B69000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF8AEF000 C:\WINDOWS\system32\DRIVERS\NBSMI.sys 8192 bytes (Toshiba Corporation, Toshiba Notebook PC SMI Driver)
0xA6A08000 C:\WINDOWS\system32\Drivers\PROCEXP113.SYS 8192 bytes
0xF8B75000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF8AED000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF8AE5000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF8AC5000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF8C1B000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF8CCC000 C:\WINDOWS\System32\DLA\DLADResN.SYS 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0xF8BC5000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF8C95000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF8B8C000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xF8B8B000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================

broni · 2011/02/12

Looks good too

How is computer doing?

Download OTL to your Desktop.

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

Click the Scan All Users checkbox.

Under the Custom Scan box paste this in:

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

Log in or Sign up

Solved Persistent Trojan Maljava, Random Popups in firefox and slow pc

Celmak1 Inactive Thread Starter

Celmak1 Inactive Thread Starter

Celmak1 Inactive Thread Starter

broni Moderator Malware Analyst

Celmak1 Inactive Thread Starter

Celmak1 Inactive Thread Starter

broni Moderator Malware Analyst

Celmak1 Inactive Thread Starter

Celmak1 Inactive Thread Starter

broni Moderator Malware Analyst

Celmak1 Inactive Thread Starter

broni Moderator Malware Analyst

Celmak1 Inactive Thread Starter

broni Moderator Malware Analyst

Celmak1 Inactive Thread Starter

broni Moderator Malware Analyst

Celmak1 Inactive Thread Starter

broni Moderator Malware Analyst

Celmak1 Inactive Thread Starter

broni Moderator Malware Analyst

Share This Page

Log in or Sign up

Solved Persistent Trojan Maljava, Random Popups in firefox and slow pc

Celmak1 Inactive Thread Starter

Celmak1 Inactive Thread Starter

Celmak1 Inactive Thread Starter

broni Moderator Malware Analyst

Celmak1 Inactive Thread Starter

Celmak1 Inactive Thread Starter

broni Moderator Malware Analyst

Celmak1 Inactive Thread Starter

Celmak1 Inactive Thread Starter

broni Moderator Malware Analyst

Celmak1 Inactive Thread Starter

broni Moderator Malware Analyst

Celmak1 Inactive Thread Starter

broni Moderator Malware Analyst

Celmak1 Inactive Thread Starter

broni Moderator Malware Analyst

Celmak1 Inactive Thread Starter

broni Moderator Malware Analyst

Celmak1 Inactive Thread Starter

broni Moderator Malware Analyst

Share This Page

Useful Searches