
Solved Blaster Worm AfterMath

Discussion in 'Malware and Virus Removal Archive' started by ravn87, 2011/04/09.

  1. 2011/04/09
    ravn87

    ravn87 Inactive Thread Starter

    Joined:
    2010/03/10
    Messages:
    85
    Likes Received:
    0
    [Resolved] Blaster Worm AfterMath

    Hi Broni. :) A highly infected Laptop recently fell into my lap, burdened with the "BLASTER WORM." I was able to get rid of the worm w/ instructions from various research I had done, but now I'm trying to put the laptop back together. Pete C. directed me to the Malware Forum, so I'm following his advice. At first I thought I had the Malware issues under control, and all I had to contend with was the infected System Files to replace. Turns out the case was a little trickier than at first perceived.

    And this is my journey so far - here's a summary:

    The initial state was a highly infected computer, the cause of which identified itself as the BLASTER WORM. It had a generic no-brand spyware scanner GUI titled "Spyware Protection 2011." The tabs in the columns were basically useless props, and the scanner was constantly scanning on bootup, "finding" really bad compromising files on the system, no doubt put there by the worm itself. It rendered the computer all but useless by locking the user completely out of any *.EXE files at all. No run command, no Command prompt, no Regedit, not even a basic solitaire game. But luckily for me, it sustained Windows Explorer access that I was able to take advantage of. It was also lucky that it caught a worm that was self-identifying.

    *********************************************
    Step one: Research (greater detail on accompanying thread)
    So I looked all over the net and found various tools and instruction sets for blasting the Blaster worm and downloaded them all. I found Norton Malware instructions, and various other manual deletion instructions. Bleeping Computer also had its own instructions for the Blaster worm, where I also found various new tools that I downloaded and proceeded with.

    Step two: Act

    LAPTOP System Information:

    PC Make & Model: IBM Thinkpad 23737CU Laptop (No idea what year)
    Mainboard (Motherboard): IBM 23737CU
    Processor: Intel Pentium M processor 1500MHz
    Memory: 767 mb RAM
    Video Card: ATI Mobility Radeon 7500 | NetMeeting Driver | RDPDD Chained DD (Display adapters)
    Hard Drive #1: C:\ 74.5GB
    Hard Drive #2: N/A
    Hard Drive #3: N/A
    Hard Drive #4: N/A
    Optical Drive #1(CD drv): D:\ Matshita ujda 745 DVD/CD-RW
    Optical Drive #2: N/A
    Power Supply: AC adapter
    Sound Card: SoundMax Digital Audio
    Floppy Drive?: No
    Internet Connection: DSL cable (for diagnostic purposes),
    Modem/Router?: mainly wireless adapter
    Monitor #1: 1X; Default Monitor
    Monitor #2: N/A
    Operating System: Win XP Pro. SP3 (Build 2600)
    32/64 Bit OS: 32
    ***********************************************************************************

    Steps so far: (what was explained on the other thread)
    -------------------
    - Planted RKILL.exe (renamed) into the start-up folder to kill the malware processes and rebooted the computer: SUCCESS
    - (Per Bleeping Computer.com) Used DEFOGGER to kill drives = SUCCESS
    - Turned off System Restore = SUCCESS
    - Ran Blaster worm Fixers + manual removal: SUCCESS
    - Ran MBAM + SAS = SUCCESS (have logs)
    - Ran SPYBOT S&D portable = FAILED
    - Prog was a scam copy for malware
    - Found out sys-restore was reactivated, so ran a System Restore to undo Spybot Scammer, but not formally uninstalled. = SUCCESS
    - Tried to make a system external backup = FAILED
    - tried an SFC check = FAILED
    - No external retail disk, DLL Cache is corrupted


    New Steps:
    ------------------
    - Installed Zone Alarm Firewall = SUCCESS + FAILED
    - Successful install, but was blocked from use by unknown source
    in Normal Boot Mode
    - Uninstalled Zone Alarm and reinstalled in safe mode w/ networking = PARTIAL SUCCESS
    - Partial Successful install, but could not scan all progs on install as
    requested while in safe mode. So had to skip.
    - Successful Access to ZA control Panel in Safe Mode w/ Networking,
    proceeded to shutdown internet access
    - Installed Avira Antivir + update = SUCCESS + FAILED
    - Successful install, but COULD NOT update at all in Safe Mode w/
    Networking
    - Reconfiguration: - ZA for AVIRA access = FAILED
    - ZA for internet access = FAILED
    - AVIRA for ZA = FAILED
    - Turned off Avira Guard = FAILED

    *

    I'm still trial-and-erroring it with the firewall thing however. It used to be I'd just turn it on, and that's it. Little experience on firewall network and port configuration.

    - Uninstalled ZA to update Avira (revert back to Windows Firewall default settings) = SUCCESSFUL uninstall, FAILED updates (never reinstalled)
    - Uninstalled Avira, cleaned computer, rebooted, reinstalled Avira in Safe Mode = SUCCESSFUL
    - Checked internet connection via my google Chrome Browser (my fave) = CHROME BROWSER FAILED
    - Checked IE8 browser = SUCCESS (straight connection)
    - Checked Firefox browser = SUCCESS (straight connection)
    - Conclusion: Chrome is corrupted
    - One more AVIRA update attempt = FAILED
    - Ran a PRE-UPDATE Avira scan in Safe mode = SUCCESS (found and removed 3 objects including Gamevance object)
    - Rebooted into Normal Mode to update Avira = SUCCESS (finally!) - I LEARNED THE HARD WAY!!
    - Ran a POST-update scan in normal mode from AVIRA and a Post-update scan in safe mode = SUCCESS (both came back clean - have logs)
    - Uninstalled Avira to install AVAST = SUCCESS to both
    - Update AVAST in safe mode = FAILED
    - Configured Windows Firewall for avast = STILL FAILED TO UPDATE
    - tried to Run a pre-update scan from AVAST in safe mode= TOTAL FAILED
    - rebooted into normal mode to update AVAST = FAILED
    - tried to run a pre-update Avast scan in Normal mode = TOTAL FAIL.
    - uninstalled AVAST = SUCCESS
    - Ran COMODO antivirus CLOUD SCANNER = SUCCESS + FAILED
    - successfully ran a thorough in depth scan with deep file digging in record time and turned up massive amounts.
    - Failed to produce a save-able log, failed to allow me to copy and paste results, failed to remove w/out a Comodo account - basically turned out to be exactly that: just a scanner, good to evaluate but that's it.
    - Successfully tells me the location of each rogue file. (at least that and the scanner depth & timing is useful)
    - Uninstalled a few rogue programs, to lighten the load = SUCCESS
    - UPDATED CCLEANER and sorted through the start-up list = SUCCESS
    - Did a thorough disk cleaning and wiping with CCleaner and TFC cleaner. = SUCCESS
    - Experimented and researched COMODO with no avail as to logging results = LOG attempt FAILED
    - Ran TRENDMICRO HOUSECALL antivirus scanner in safe mode w/ networking = SUCCESS (came back completely clean unlike COMODO)
    - Reupdated SAS and MBAM in safe mode w/ networking = SUCCESS
    - Ran SAS in Safe mode = SUCCESS (have log)
    - Ran MBAM = SUCCESS (have log)
    - Cleaned off the Saved user docs onto my x-hdd (I know...really late!) = SUCCESS
    - Found an item in Start menu called "PC DOCTOR" and ran it in both normal and safe mode boot = FAILED both times
    - something is completely blocking access to it at all
    - ran SYSINTERNALS PROCEXP.exe to see if it starts at all, it does, but shuts down immediately
    - Noticed in PROC EXP that things verify signatures faster in safe mode than it does in normal mode
    - Normal mode everything FIRST shows up as unable to verify even if it's been on a few minutes already, I closed PROCEXP, and reopened to refresh, and it was able to verify all sigs from MS successfully, but not the LENOVO computer system components. Lenovo components don't even show up in PROCEXP in safe mode.

    Currently installed to this point: MBAM and Comodo Cloud Scanner. That's it. No Anti-virus, no Firewall
    Disposition to this point: Internet Disconnected, Running in Safe Mode w/ Networking
    FINALLY to the WINBBS tools:
    - Ran renamed GMER first = SUCCESS
    - Ran MBRcheck = SUCCESS
    - Ran DDS = SUCCESS
     
    SUMMARY up to now:
    -------------------------------
    - Blaster Worm is gone
    - Most everything I've attempted updated, scanned and worked.
    - Not avast, and trouble w/ avira
    - Spybot was a scam - "fixed" with Sys-restore
    - Zone Alarm was completely blocked in Normal mode - remains uninstalled
    - Avast was TOTALLY blocked in EVERY MODE - remains uninstalled
    - Avira was prevented from updating at all in SAFE MODE, success in normal - remains uninstalled
    - Google Chrome quit working - remains uninstalled
    - other browsers still work
    - a couple objects keep showing up in various scanners, even though they were wiped in previous scanners.
    * - Another point: for whatever reason, I can't configure my mouse pad either. Can't figure out why. The mouse itself still works, but the settings in control panel, it opens, but I can't select much. It won't let me.


    Plus a lot of the scanners that we used last time don't seem to want to work anymore. Panda keeps giving me trouble, Kaspersky refuses to work, and ESET isn't functional anymore, so online scanners are out. Guess I'll just have to download from bitdefender, Norton, etc. to find the infections and manually remove them myself.

    Looks like I need this thread anyway. <:D hehe. So here we go. :)

    Now without further ado, the scans:
     
  2. 2011/04/09
    ravn87

    Most Current Scan: Avira Anti-virus Post Update Scan = Safe Mode
    --------------------------------------
    Other scan: Avira Pre-Update Scan
    Other Scan: Avira Post-Update Scan Normal Mode
    --------------------------------------



    Avira AntiVir Personal
    Report file date: Tuesday, April 05, 2011 18:33

    Scanning for 2566524 virus strains and unwanted programs.

    The program is running as an unrestricted full version.
    Online services are available:

    Licensee : Avira AntiVir Personal - FREE Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows XP
    Windows version : (Service Pack 3) [5.1.2600]
    Boot mode : Safe mode
    Username : Vegeta
    Computer name : HOMEPC

    Version information:
    BUILD.DAT : 10.0.0.635 31822 Bytes 3/7/2011 12:15:00
    AVSCAN.EXE : 10.0.3.5 435368 Bytes 3/4/2011 21:36:52
    AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 19:57:04
    LUKE.DLL : 10.0.3.2 104296 Bytes 3/4/2011 21:36:59
    LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 06:40:49
    VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 16:05:36
    VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 21:37:07
    VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 21:37:08
    VBASE003.VDF : 7.11.3.1 2048 Bytes 2/9/2011 21:37:08
    VBASE004.VDF : 7.11.3.2 2048 Bytes 2/9/2011 21:37:08
    VBASE005.VDF : 7.11.3.3 2048 Bytes 2/9/2011 21:37:08
    VBASE006.VDF : 7.11.3.4 2048 Bytes 2/9/2011 21:37:08
    VBASE007.VDF : 7.11.3.5 2048 Bytes 2/9/2011 21:37:08
    VBASE008.VDF : 7.11.3.6 2048 Bytes 2/9/2011 21:37:08
    VBASE009.VDF : 7.11.3.7 2048 Bytes 2/9/2011 21:37:08
    VBASE010.VDF : 7.11.3.8 2048 Bytes 2/9/2011 21:37:08
    VBASE011.VDF : 7.11.3.9 2048 Bytes 2/9/2011 21:37:09
    VBASE012.VDF : 7.11.3.10 2048 Bytes 2/9/2011 21:37:09
    VBASE013.VDF : 7.11.3.59 157184 Bytes 2/14/2011 21:37:09
    VBASE014.VDF : 7.11.3.97 120320 Bytes 2/16/2011 21:37:09
    VBASE015.VDF : 7.11.3.148 128000 Bytes 2/19/2011 21:37:09
    VBASE016.VDF : 7.11.3.183 140288 Bytes 2/22/2011 21:37:09
    VBASE017.VDF : 7.11.3.216 124416 Bytes 2/24/2011 01:02:23
    VBASE018.VDF : 7.11.3.251 159232 Bytes 2/28/2011 23:08:03
    VBASE019.VDF : 7.11.4.33 148992 Bytes 3/2/2011 01:30:49
    VBASE020.VDF : 7.11.4.73 150016 Bytes 3/6/2011 23:14:47
    VBASE021.VDF : 7.11.4.108 122880 Bytes 3/8/2011 01:21:25
    VBASE022.VDF : 7.11.4.150 133120 Bytes 3/10/2011 01:21:26
    VBASE023.VDF : 7.11.4.183 122368 Bytes 3/14/2011 01:21:26
    VBASE024.VDF : 7.11.4.228 123392 Bytes 3/16/2011 01:21:27
    VBASE025.VDF : 7.11.5.8 246272 Bytes 3/21/2011 01:21:28
    VBASE026.VDF : 7.11.5.38 137216 Bytes 3/23/2011 01:21:29
    VBASE027.VDF : 7.11.5.82 151552 Bytes 3/27/2011 01:21:30
    VBASE028.VDF : 7.11.5.122 154112 Bytes 3/30/2011 01:21:31
    VBASE029.VDF : 7.11.5.174 206336 Bytes 4/4/2011 01:21:32
    VBASE030.VDF : 7.11.5.175 2048 Bytes 4/4/2011 01:21:33
    VBASE031.VDF : 7.11.5.202 108032 Bytes 4/6/2011 01:21:33
    Engineversion : 8.2.4.202
    AEVDF.DLL : 8.1.2.1 106868 Bytes 3/4/2011 21:36:49
    AESCRIPT.DLL : 8.1.3.58 1266042 Bytes 4/6/2011 01:21:49
    AESCN.DLL : 8.1.7.2 127349 Bytes 3/4/2011 21:36:48
    AESBX.DLL : 8.1.3.2 254324 Bytes 3/4/2011 21:36:48
    AERDL.DLL : 8.1.9.9 639347 Bytes 4/6/2011 01:21:47
    AEPACK.DLL : 8.2.4.15 524662 Bytes 4/6/2011 01:21:46
    AEOFFICE.DLL : 8.1.1.20 205177 Bytes 4/6/2011 01:21:44
    AEHEUR.DLL : 8.1.2.96 3412341 Bytes 4/6/2011 01:21:43
    AEHELP.DLL : 8.1.16.1 246134 Bytes 3/4/2011 21:36:41
    AEGEN.DLL : 8.1.5.4 397684 Bytes 4/6/2011 01:21:37
    AEEMU.DLL : 8.1.3.0 393589 Bytes 3/4/2011 21:36:40
    AECORE.DLL : 8.1.19.2 196983 Bytes 3/4/2011 21:36:40
    AEBB.DLL : 8.1.1.0 53618 Bytes 3/4/2011 21:36:39
    AVWINLL.DLL : 10.0.0.0 19304 Bytes 3/4/2011 21:36:53
    AVPREF.DLL : 10.0.0.0 44904 Bytes 3/4/2011 21:36:52
    AVREP.DLL : 10.0.0.8 62209 Bytes 6/17/2010 21:27:13
    AVREG.DLL : 10.0.3.2 53096 Bytes 3/4/2011 21:36:52
    AVSCPLR.DLL : 10.0.3.2 84328 Bytes 3/4/2011 21:36:53
    AVARKT.DLL : 10.0.22.6 231784 Bytes 3/4/2011 21:36:50
    AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 3/4/2011 21:36:51
    SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 21:27:22
    AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/4/2011 21:36:53
    NETNT.DLL : 10.0.0.0 11624 Bytes 6/17/2010 21:27:21
    RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 3/4/2011 21:37:12
    RCTEXT.DLL : 10.0.58.0 97128 Bytes 3/4/2011 21:37:12

    Configuration settings for the scan:
    Jobname.............................: Complete system scan
    Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
    Logging.............................: low
    Primary action......................: interactive
    Secondary action....................: ignore
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Boot sectors........................: C:,
    Process scan........................: on
    Extended process scan...............: on
    Scan registry.......................: on
    Search for rootkits.................: on
    Integrity checking of system files..: off
    Scan all files......................: All files
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: medium
    Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

    Start of the scan: Tuesday, April 05, 2011 18:33

    Starting search for hidden objects.
    The driver could not be initialized.

    The scan of running processes will be started
    Scan process 'avscan.exe' - '61' Module(s) have been scanned
    Scan process 'avcenter.exe' - '63' Module(s) have been scanned
    Scan process 'Explorer.EXE' - '81' Module(s) have been scanned
    Scan process 'svchost.exe' - '67' Module(s) have been scanned
    Scan process 'svchost.exe' - '40' Module(s) have been scanned
    Scan process 'svchost.exe' - '35' Module(s) have been scanned
    Scan process 'lsass.exe' - '51' Module(s) have been scanned
    Scan process 'services.exe' - '29' Module(s) have been scanned
    Scan process 'winlogon.exe' - '63' Module(s) have been scanned
    Scan process 'csrss.exe' - '14' Module(s) have been scanned
    Scan process 'smss.exe' - '2' Module(s) have been scanned

    Starting master boot sector scan:
    Master boot sector HD0
    [INFO] No virus was found!

    Start scanning boot sectors:
    Boot sector 'C:\'
    [INFO] No virus was found!

    Starting to scan executable files (registry).
    The registry was scanned ( '462' files ).


    Starting the file scan:

    Begin scan in 'C:\' <IBM_PRELOAD>


    End of the scan: Tuesday, April 05, 2011 20:22
    Used time: 1:48:47 Hour(s)

    The scan has been done completely.

    5338 Scanned directories
    395622 Files were scanned
    0 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 files were deleted
    0 Viruses and unwanted programs were repaired
    0 Files were moved to quarantine
    0 Files were renamed
    0 Files cannot be scanned
    395622 Files not concerned
    7773 Archives were scanned
    0 Warnings
    0 Notes
     

  4. 2011/04/09
    ravn87

    Super Anti Spyware:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 04/06/2011 at 04:36 AM

    Application Version : 4.50.1002

    Core Rules Database Version : 6760
    Trace Rules Database Version: 4572

    Scan type : Complete Scan
    Total Scan Time : 00:41:38

    Memory items scanned : 287
    Memory threats detected : 0
    Registry items scanned : 7547
    Registry threats detected : 0
    File items scanned : 24263
    File threats detected : 11

    Adware.Tracking Cookie
    .doubleclick.net [ C:\Sandbox\user\DefaultBox\user\current\Application Data\Mozilla\Firefox\Profiles\f6pggpgg.default\cookies.sqlite ]
    ad.yieldmanager.com [ C:\Sandbox\user\DefaultBox\user\current\Application Data\Mozilla\Firefox\Profiles\f6pggpgg.default\cookies.sqlite ]
    ad.yieldmanager.com [ C:\Sandbox\user\DefaultBox\user\current\Application Data\Mozilla\Firefox\Profiles\f6pggpgg.default\cookies.sqlite ]
    .myroitracking.com [ C:\Sandbox\user\DefaultBox\user\current\Application Data\Mozilla\Firefox\Profiles\f6pggpgg.default\cookies.sqlite ]
    .clicksor.com [ C:\Sandbox\user\DefaultBox\user\current\Application Data\Mozilla\Firefox\Profiles\f6pggpgg.default\cookies.sqlite ]
    .clicksor.com [ C:\Sandbox\user\DefaultBox\user\current\Application Data\Mozilla\Firefox\Profiles\f6pggpgg.default\cookies.sqlite ]
    .clicksor.com [ C:\Sandbox\user\DefaultBox\user\current\Application Data\Mozilla\Firefox\Profiles\f6pggpgg.default\cookies.sqlite ]
    .clicksor.com [ C:\Sandbox\user\DefaultBox\user\current\Application Data\Mozilla\Firefox\Profiles\f6pggpgg.default\cookies.sqlite ]
    .clicksor.com [ C:\Sandbox\user\DefaultBox\user\current\Application Data\Mozilla\Firefox\Profiles\f6pggpgg.default\cookies.sqlite ]
    .atdmt.com [ C:\Sandbox\user\DefaultBox\user\current\Application Data\Mozilla\Firefox\Profiles\f6pggpgg.default\cookies.sqlite ]
    .atdmt.com [ C:\Sandbox\user\DefaultBox\user\current\Application Data\Mozilla\Firefox\Profiles\f6pggpgg.default\cookies.sqlite ]
     
  5. 2011/04/09
    ravn87

    Malwarebytes Anti Malware:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6283

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    4/6/2011 5:00:43 AM
    mbam-log-2011-04-06 (05-00-43).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 209512
    Time elapsed: 18 minute(s), 35 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\documents and settings\user\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com (Adware.GamesVance) -> Quarantined and deleted successfully.

    Files Infected:
    (No malicious items detected)
     
  6. 2011/04/09
    ravn87

    GMER Anti-Root:

    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit scan 2011-04-07 01:45:13
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800BEVE-00UYT0 rev.01.04A01
    Running: kqeklu4u.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\kxtdipow.sys


    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F79E47AC] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
    IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F79E486E] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F79E486E] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F79E47AC] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F79E47AC] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F79E486E] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F79E486E] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F79E47AC] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F79E486E] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F79E486E] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F79E47AC] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    ---- Files - GMER 1.0.15 ----

    ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP1\A0000034.exe:BAK 23040 bytes executable
    ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP1\A0000043.exe:BAK 23040 bytes executable
    ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP1\A0000358.exe:BAK 23040 bytes executable
    ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP1\A0000374.exe:BAK 23040 bytes executable
    ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP1\A0000539.exe:BAK 23040 bytes executable
    ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP1\A0000600.exe:BAK 23040 bytes executable
    ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP1\A0000613.exe:BAK 23040 bytes executable
    ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP1\A0000623.exe:BAK 23040 bytes executable
    ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP1\A0000630.exe:BAK 23040 bytes executable
    ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP1\A0000663.exe:BAK 23040 bytes executable
    ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP2\A0000699.exe:BAK 23040 bytes executable
    ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP4\A0003041.exe:BAK 23040 bytes executable
    ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP7\A0004278.exe:BAK 23040 bytes executable
    ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP8\A0004529.exe:BAK 23040 bytes executable
    ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP8\A0004542.exe:BAK 23040 bytes executable
    ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP8\A0004583.exe:BAK 23040 bytes executable
    ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP8\A0004860.exe:BAK 23040 bytes executable
    ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP8\A0004894.exe:BAK 23040 bytes executable
    ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP8\A0005052.exe:BAK 23040 bytes executable
    ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP8\A0005346.exe:BAK 23040 bytes executable
    ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP8\A0006947.exe:BAK 23040 bytes executable

    ---- EOF - GMER 1.0.15 ----
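    The SUPERAntiSpyware, Malwarebytes and GMER logs in the posts above each use a different layout, and the GMER section is the one worth reading closely: every ADS it lists is a :BAK stream attached to an .exe inside a System Restore point under System Volume Information. Scanners routinely leave that folder alone, so restore-point copies surviving from one scan to the next is normal; flushing them is what the "turn off System Restore" step in the first post does (on XP, disabling System Restore deletes every existing restore point). As an added example, not code from the thread or from any of the scanners, the script below parses the three log formats, collects the per-scanner detection counts and items, and sorts GMER's ADS hits by restore point so that any stream living outside a restore point stands out. The three log excerpts are constructed from lines quoted in the posts above, shortened so the script runs offline.

```python
"""Consolidate detections from SAS, MBAM and GMER logs (added example)."""
import re
from collections import Counter

# --- constructed excerpts, trimmed copies of the logs posted in this thread ---
SAS_LOG = r"""
File threats detected : 11

Adware.Tracking Cookie
.doubleclick.net [ C:\Sandbox\user\DefaultBox\user\current\Application Data\Mozilla\Firefox\Profiles\f6pggpgg.default\cookies.sqlite ]
.clicksor.com [ C:\Sandbox\user\DefaultBox\user\current\Application Data\Mozilla\Firefox\Profiles\f6pggpgg.default\cookies.sqlite ]
"""

MBAM_LOG = r"""
Folders Infected: 1
Files Infected: 0

Folders Infected:
c:\documents and settings\user\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com (Adware.GamesVance) -> Quarantined and deleted successfully.
"""

GMER_LOG = r"""
---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP1\A0000034.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP8\A0006947.exe:BAK 23040 bytes executable

---- EOF - GMER 1.0.15 ----
"""

# Summary lines: "File threats detected : 11" (SAS) or "Folders Infected: 1" (MBAM)
COUNT_RE = re.compile(r"^(?P<label>[A-Za-z ]+?(?:detected|Infected))\s*:\s*(?P<n>\d+)\s*$", re.M)
# SAS item: "host [ file ]"
SAS_ITEM_RE = re.compile(r"^(?P<host>\S+) \[ (?P<file>.+?) \]$", re.M)
# MBAM item: "path (Family) -> action"
MBAM_ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$", re.M)
# GMER alternate data stream: "ADS path:stream size bytes kind"
GMER_ADS_RE = re.compile(r"^ADS (?P<path>.+?):(?P<stream>\S+) (?P<size>\d+) bytes (?P<kind>\w+)$", re.M)
# Restore-point folder inside System Volume Information
RESTORE_POINT_RE = re.compile(r"\\System Volume Information\\_restore\{[^}]+\}\\(RP\d+)\\")


def parse_counts(log):
    """Return {summary label: count} for every detection-count line."""
    return {m.group("label"): int(m.group("n")) for m in COUNT_RE.finditer(log)}


def parse_sas_items(log):
    """SAS prints a category line, then one 'host [ file ]' line per hit."""
    items, category = [], None
    for line in log.splitlines():
        m = SAS_ITEM_RE.match(line)
        if m:
            items.append({"category": category, "host": m.group("host"), "file": m.group("file")})
        elif line.strip() and ":" not in line:
            category = line.strip()
    return items


def parse_mbam_items(log):
    return [m.groupdict() for m in MBAM_ITEM_RE.finditer(log)]


def parse_gmer_ads(log):
    return [dict(m.groupdict(), size=int(m.group("size"))) for m in GMER_ADS_RE.finditer(log)]


def triage(sas_log, mbam_log, gmer_log):
    """Merge the three logs into one structure; ADS hits are split by restore point."""
    by_rp, outside = Counter(), []
    for ads in parse_gmer_ads(gmer_log):
        m = RESTORE_POINT_RE.search(ads["path"])
        if m:
            by_rp[m.group(1)] += 1
        else:
            outside.append(ads["path"])          # streams NOT explained by System Restore
    counts = {}
    counts.update(parse_counts(sas_log))
    counts.update(parse_counts(mbam_log))
    return {
        "counts": counts,
        "sas_items": parse_sas_items(sas_log),
        "mbam_items": parse_mbam_items(mbam_log),
        "ads_by_restore_point": dict(by_rp),
        "ads_outside_restore_points": outside,
    }


if __name__ == "__main__":
    result = triage(SAS_LOG, MBAM_LOG, GMER_LOG)
    for key, value in result.items():
        print("%s: %r" % (key, value))
```

    The list that matters for a reinfection question is ads_outside_restore_points: for the posted GMER log it is empty, which means the ADS entries are fully accounted for by restore-point copies and will disappear once System Restore is switched off and back on.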
     
  7. 2011/04/09
    ravn87

    MBR Check:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 98):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EF000 \WINDOWS\system32\hal.dll
    0xF79E0000 \WINDOWS\system32\KDCOM.DLL
    0xF78F0000 \WINDOWS\system32\BOOTVID.dll
    0xF7491000 ACPI.sys
    0xF79E2000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
    0xF7480000 pci.sys
    0xF74E0000 isapnp.sys
    0xF78F4000 compbatt.sys
    0xF78F8000 \WINDOWS\System32\DRIVERS\BATTC.SYS
    0xF7AA8000 pciide.sys
    0xF7760000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xF7462000 pcmcia.sys
    0xF74F0000 MountMgr.sys
    0xF7443000 ftdisk.sys
    0xF78FC000 ACPIEC.sys
    0xF7AA9000 \WINDOWS\System32\DRIVERS\OPRGHDLR.SYS
    0xF7768000 PartMgr.sys
    0xF7500000 Shockprf.sys
    0xF7510000 VolSnap.sys
    0xF742B000 atapi.sys
    0xF7520000 disk.sys
    0xF7530000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xF740B000 fltmgr.sys
    0xF73F9000 sr.sys
    0xF7770000 PxHelp20.sys
    0xF73E2000 KSecDD.sys
    0xF7355000 Ntfs.sys
    0xF79E4000 ANCSQ.sys
    0xF7328000 \WINDOWS\System32\drivers\NDIS.SYS
    0xF7540000 ohci1394.sys
    0xF7550000 \WINDOWS\System32\DRIVERS\1394BUS.SYS
    0xF730E000 Mup.sys
    0xF7560000 agp440.sys
    0xF7790000 \SystemRoot\System32\DRIVERS\usbuhci.sys
    0xF7291000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xF7798000 \SystemRoot\System32\DRIVERS\usbehci.sys
    0xF726D000 \SystemRoot\System32\DRIVERS\e100b325.sys
    0xF7590000 \SystemRoot\System32\DRIVERS\i8042prt.sys
    0xF77A8000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xF7241000 \SystemRoot\System32\DRIVERS\SynTP.sys
    0xF79E8000 \SystemRoot\System32\DRIVERS\USBD.SYS
    0xF77B0000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xF77B8000 \SystemRoot\System32\DRIVERS\ibmpmdrv.sys
    0xF75A0000 \SystemRoot\System32\DRIVERS\imapi.sys
    0xF75B0000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xF75C0000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xF721E000 \SystemRoot\System32\DRIVERS\ks.sys
    0xF77D0000 \SystemRoot\System32\DRIVERS\rasirda.sys
    0xF77E0000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xF75D0000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xF7984000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xF7207000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xF75E0000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xF75F0000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xF71F6000 \SystemRoot\System32\DRIVERS\psched.sys
    0xF7600000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xF7800000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xF7810000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xF71C6000 \SystemRoot\System32\DRIVERS\rdpdr.sys
    0xF7610000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xF79EE000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xF7168000 \SystemRoot\System32\DRIVERS\update.sys
    0xF79A4000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xF7620000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xF7630000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF79D8000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xF79F2000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7B8B000 \SystemRoot\System32\Drivers\Null.SYS
    0xF79F6000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7848000 \SystemRoot\System32\drivers\vga.sys
    0xF7064000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0xF79FA000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF7858000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7868000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF72D5000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xF7031000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xF6FD8000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xF6FB0000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xF6F8A000 \SystemRoot\System32\DRIVERS\ipnat.sys
    0xF6F68000 \SystemRoot\System32\drivers\afd.sys
    0xF7640000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xF6F3D000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xF6ECD000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xF7660000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xF6EB5000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7A00000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF7158000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF7898000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7AEF000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBFF50000 \SystemRoot\System32\framebuf.dll
    0xBF012000 \SystemRoot\System32\ATMFD.DLL
    0xF69C1000 \SystemRoot\System32\DRIVERS\ndisuio.sys
    0xF6765000 \SystemRoot\System32\DRIVERS\srv.sys
    0xF64CC000 \??\C:\DOCUME~1\user\LOCALS~1\Temp\kxtdipow.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 15):
    0 System Idle Process
    4 System
    544 C:\WINDOWS\system32\smss.exe
    600 csrss.exe
    624 C:\WINDOWS\system32\winlogon.exe
    668 C:\WINDOWS\system32\services.exe
    680 C:\WINDOWS\system32\lsass.exe
    828 C:\WINDOWS\system32\svchost.exe
    912 svchost.exe
    980 C:\WINDOWS\system32\svchost.exe
    1052 svchost.exe
    1128 svchost.exe
    1564 C:\WINDOWS\explorer.exe
    1692 C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
    1972 C:\Documents and Settings\user\Desktop\WINBBS TOOLS\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD800BEVE-00UYT0, Rev: 01.04A01

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: 91DFF5EBA9B4894A1AD4644CDED7012A51464633


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
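    "Unknown MBR code" in the MBRCheck output above is not by itself a verdict of infection: it only means the boot code's hash is not in the tool's list of known loaders, which is also what an OEM recovery loader or a third-party boot manager produces. The defender's check is to compare the hash against a baseline taken from a known-clean machine of the same model, and to read the partition table the MBR carries. As an added example, not MBRCheck's own code, the script below parses one 512-byte MBR: it verifies the 0x55AA signature, hashes the 440-byte bootstrap area (which bytes MBRCheck hashes is not stated on the page, so hashing exactly that region is an assumption), classifies the hash against an operator-supplied baseline, and decodes the four partition entries. The MBR bytes are constructed: zero-filled boot code plus one bootable NTFS partition starting at LBA 63, which reproduces the 0x7e00 volume offset reported for C: above; the sector count and disk signature are made up.

```python
"""Parse and baseline-check a 512-byte MBR (added example, not MBRCheck's code)."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bootstrap code occupies bytes 0..439 (assumed hash region)
DISK_SIG_OFF = 440         # 4-byte Windows disk signature
PART_TABLE_OFF = 446       # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"    # bytes 510..511

# Partition type bytes worth naming for an XP-era laptop disk (general knowledge).
PARTITION_TYPES = {
    0x07: "NTFS",
    0x0B: "FAT32",
    0x0C: "FAT32 (LBA)",
    0x12: "hidden service/recovery partition (used by some OEMs)",
}


def build_sample_mbr():
    """Constructed MBR: zero boot code, one active NTFS partition at LBA 63."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, DISK_SIG_OFF, 0x1234ABCD)   # constructed disk signature
    entry = struct.pack("<B3sB3sII",
                        0x80,             # status: active/bootable
                        b"\x01\x01\x00",  # CHS start (not used by this parser)
                        0x07,             # type: NTFS
                        b"\xfe\xff\xff",  # CHS end (not used by this parser)
                        63,               # first LBA -> byte offset 63*512 = 0x7e00
                        156_296_322)      # sector count (constructed)
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


def has_boot_signature(mbr):
    return len(mbr) == SECTOR and mbr[510:512] == SIGNATURE


def parse_mbr(mbr):
    """Return signature status, disk signature, boot-code SHA1 and partitions."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if not has_boot_signature(mbr):
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        # entry layout: status(1) CHS(3) type(1) CHS(3) first LBA(4) sectors(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and count == 0:
            continue                                   # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "type 0x%02x" % ptype),
            "first_lba": lba,
            "offset": lba * SECTOR,                    # what MBRCheck prints for the volume
            "sectors": count,
        })
    return {
        "signature_ok": True,
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "boot_code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def classify_boot_code(sha1_hex, baseline):
    """baseline: {sha1_hex: description} collected from known-clean machines."""
    name = baseline.get(sha1_hex.lower())
    return "Known MBR code: %s" % name if name else "Unknown MBR code"


def report(mbr, baseline):
    info = parse_mbr(mbr)
    lines = [classify_boot_code(info["boot_code_sha1"], baseline),
             "SHA1 (boot code): %s" % info["boot_code_sha1"].upper(),
             "Disk signature: 0x%08x" % info["disk_signature"]]
    for p in info["partitions"]:
        lines.append("partition %d: %s%s at offset 0x%016x, %d sectors" % (
            p["index"], "bootable " if p["bootable"] else "", p["type_name"],
            p["offset"], p["sectors"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_sample_mbr(), {}))   # empty baseline -> "Unknown MBR code"
```

    Reading the sector on a live XP box needs administrative rights and raw access to \\.\PhysicalDrive0; the parser itself is deliberately independent of how the bytes were obtained, so the same code runs over a sector image copied off the disk for offline analysis.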
     
  8. 2011/04/09
    ravn87 Inactive Thread Starter
    DDS Scan 1:


    .
    DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
    Run by Vegeta at 1:48:05.77 on Thu 04/07/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.557 [GMT -7:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\user\Desktop\WINBBS TOOLS\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/
    uURLSearchHooks: H - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    mRun: [S3TRAY2] S3Tray2.exe
    mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
    mRun: [TpShocks] TpShocks.exe
    mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
    mRun: [TP4EX] tp4ex.exe
    mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [<NO NAME>]
    mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
    mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
    mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
    mRun: [BLOG] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
    mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
    mRun: [frymxins] "c:\program files\ati technologies\fire gl 3d studio max\atiimxgl "
    mRun: [TPKBDLED] c:\windows\system32\TpScrLk.exe
    mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
    mRun: [Mouse Suite 98 Daemon] ICO.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\thinkpad\pkgmgr\\PkgMgr.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1266422316168
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1266422292133
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38141.3952199074
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: QConGina - QConGina.dll
    Notify: tpfnf2 - notifyf2.dll
    Notify: tphotkey - tphklock.dll
    LSA: Notification Packages = scecli pwdmon
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\f6pggpgg.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/|http://www.google.com/
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: No History: tito@no-history - %profile%\extensions\tito@no-history
    FF - Ext: LinkExtend: {cf47767d-5f3a-4e32-9fce-5d79565c9702} - %profile%\extensions\{cf47767d-5f3a-4e32-9fce-5d79565c9702}
    FF - Ext: OptimizeGoogle: optimizegoogle@optimizegoogle.com - %profile%\extensions\optimizegoogle@optimizegoogle.com
    FF - Ext: pidder: firefox@pidder.com - %profile%\extensions\firefox@pidder.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2004-12-17 6912]
    S1 SASDIFSV;SASDIFSV;c:\docume~1\user\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\docume~1\user\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]
    S1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2004-4-29 16384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-11 133104]
    S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2004-4-30 12288]
    .
    =============== Created Last 30 ================
    .
    2011-04-06 07:51:24 -------- d-----w- c:\program files\COMODO
    2011-04-06 07:51:16 1700352 ----a-w- c:\windows\system32\gdiplus.dll
    2011-04-06 06:33:06 -------- d-----w- c:\program files\CCleaner
    2011-04-06 01:18:10 -------- d-----w- c:\windows\Internet Logs
    2011-04-05 13:24:41 -------- d-----w- c:\program files\CheckPoint
    2011-04-03 23:49:13 31529 ----a-w- c:\windows\system32\dllcache\brzwlan.sys
    2011-04-03 23:49:13 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys
    2011-04-03 23:49:12 60416 ----a-w- c:\windows\system32\dllcache\brserwdm.sys
    2011-04-03 23:49:12 11008 ----a-w- c:\windows\system32\dllcache\brusbmdm.sys
    2011-04-03 23:49:12 10368 ----a-w- c:\windows\system32\dllcache\brusbscn.sys
    2011-04-03 23:49:11 9728 ----a-w- c:\windows\system32\dllcache\brserif.dll
    2011-04-03 23:49:11 5120 ----a-w- c:\windows\system32\dllcache\brscnrsm.dll
    2011-04-03 23:49:10 39552 ----a-w- c:\windows\system32\dllcache\brparwdm.sys
    2011-04-03 23:49:09 3168 ----a-w- c:\windows\system32\dllcache\brparimg.sys
    2011-04-03 23:49:07 41472 ----a-w- c:\windows\system32\dllcache\brmfusb.dll
    2011-04-03 23:49:06 32256 ----a-w- c:\windows\system32\dllcache\brmfrsmg.exe
    2011-04-03 23:43:59 87552 ----a-w- c:\windows\system32\dllcache\avmcoxp.dll
    2011-04-03 23:42:59 84480 ----a-w- c:\windows\system32\dllcache\ac97via.sys
    2011-04-03 23:42:59 297728 ----a-w- c:\windows\system32\dllcache\ac97sis.sys
    2011-04-03 23:42:57 231552 ----a-w- c:\windows\system32\dllcache\ac97ali.sys
    2011-04-03 23:42:56 462848 ----a-w- c:\windows\system32\dllcache\a3dapi.dll
    2011-04-03 23:42:55 38400 ----a-w- c:\windows\system32\dllcache\8514a.dll
    2011-04-03 23:42:54 48128 ----a-w- c:\windows\system32\dllcache\61883.sys
    2011-04-03 23:42:53 148352 ----a-w- c:\windows\system32\dllcache\3dfxvsm.sys
    2011-04-03 23:42:53 12288 ----a-w- c:\windows\system32\dllcache\4mmdat.sys
    2011-04-03 23:42:52 762780 ----a-w- c:\windows\system32\dllcache\3cwmcru.sys
    2011-04-03 23:42:52 689216 ----a-w- c:\windows\system32\dllcache\3dfxvs.dll
    2011-04-03 23:42:51 11264 ----a-w- c:\windows\system32\dllcache\1394vdbg.sys
    2011-04-03 23:42:32 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
    2011-04-03 06:33:19 -------- d-----w- c:\windows\system32\NtmsData
    2011-04-03 06:16:29 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-04-03 06:16:29 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-04-03 06:16:00 -------- d-----w- c:\docume~1\user\applic~1\Free Download Manager
    2011-04-03 06:16:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\FreeDownloadManager.ORG
    2011-04-02 22:49:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2011-04-02 22:47:50 -------- d-----w- c:\program files\SpybotPortable
    2011-04-02 11:26:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\WEngineLite
    2011-04-02 08:33:10 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-04-02 08:26:13 -------- d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
    2011-04-02 08:26:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2011-04-02 08:26:00 -------- d-----w- c:\docume~1\user\applic~1\Malwarebytes
    2011-04-02 08:25:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-02 08:25:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-04-02 08:25:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-02 08:25:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-02 02:00:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
    2011-04-02 02:00:27 -------- d-----w- c:\docume~1\user\locals~1\applic~1\NPE
    2011-04-02 00:49:33 -------- d-----w- c:\docume~1\user\locals~1\applic~1\FreeFixer
    2011-04-02 00:49:33 -------- d-----w- c:\docume~1\user\applic~1\FreeFixer
    2011-04-02 00:49:28 -------- d-----w- c:\program files\FreeFixer
    2011-04-01 12:52:16 -------- d-----w- c:\docume~1\user\applic~1\GetRightToGo
    2011-04-01 10:41:17 -------- d-----w- c:\program files\EraseDrop Portable
    2011-03-19 03:35:47 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
    2011-03-19 03:35:45 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
    .
    ==================== Find3M ====================
    .
    2011-04-07 00:03:03 17920 ----a-w- c:\windows\system32\rpcnetp.exe
    2011-04-07 00:02:43 17920 ----a-w- c:\windows\system32\rpcnetp.dll
    2011-04-07 00:02:42 56680 ----a-w- c:\windows\system32\rpcnet.dll
    2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ------w- c:\windows\system32\encdec.dll
    2011-02-02 07:58:35 2067456 ------w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57:06 677888 ------w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44:37 439296 ------w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    .
    ============= FINISH: 1:48:25.80 ===============
     
  9. 2011/04/09
    ravn87 Inactive Thread Starter
    DDS scan 2:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2/17/2010 3:13:40 PM
    System Uptime: 4/6/2011 5:15:15 PM (8 hours ago)
    .
    Motherboard: IBM | | 23737CU
    Processor: Intel(R) Pentium(R) M processor 1500MHz | None | 1495/400mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 75 GiB total, 57.526 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1: 4/1/2011 2:32:02 AM - System Checkpoint
    RP2: 4/2/2011 4:26:08 AM - Installed VZAccess Manager.
    RP3: 4/2/2011 7:39:04 PM - Spybot-S&D Spyware removal
    RP4: 4/2/2011 11:15:24 PM - Restore Operation
    RP5: 4/3/2011 1:46:13 AM - Revo Uninstaller's restore point - Ask Toolbar
    RP6: 4/3/2011 1:49:59 AM - Revo Uninstaller's restore point - GOM Player
    RP7: 4/4/2011 2:27:13 AM - System Checkpoint
    RP8: 4/5/2011 6:51:02 AM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Access IBM
    Access IBM Message Center
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3
    Adobe Shockwave Player 11.5
    Agere Systems AC'97 Modem
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    ATI HYDRAVISION
    CCleaner
    COMODO Cloud Scanner
    ERUNT 1.1j
    FIRE GL driver for 3D Studio MAX/VIZ
    FreeFixer
    Google Update Helper
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB954550-v5)
    IBM RecordNow!
    IBM Rescue and Recovery with Rapid Restore
    IBM Themes
    IBM ThinkPad Battery MaxiMiser and Power Management Features
    IBM ThinkPad UltraNav Wizard
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet for Wired Connections
    InterVideo WinDVD
    Java(TM) 6 Update 20
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Data Access Components KB870669
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Windows Journal Viewer
    Mouse Suite
    Mozilla Firefox (3.6.13)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NTREGOPT 1.1j
    OGA Notifier 2.0.0048.0
    PC-Doctor for Windows
    Revo Uninstaller 1.85
    Scroll Lock Indicator Utility
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Software Informer 1.0 BETA
    Software Installer
    Sonic Update Manager
    System Migration Assistant 5.0
    ThinkPad Configuration
    ThinkPad EasyEject Utility
    ThinkPad FullScreen Magnifier
    ThinkPad Integrated 56K Modem
    ThinkPad Keyboard Customizer Utility
    ThinkPad Power Management Driver
    ThinkPad Presentation Director
    ThinkPad UltraNav Driver
    ThinkVantage Access Connections
    ThinkVantage Active Protection System
    TrackPoint Accessibility Features
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows Internet Explorer 8 (KB982632)
    Wallpapers
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Media Connect
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Service Pack 3
    WOT for Internet Explorer
    .
    ==== Event Viewer Messages From Past Week ========
    .
    4/5/2011 9:13:20 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX8\MFC80U.DLL. Reference error message: The operation completed successfully. .
    4/5/2011 8:40:48 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ANC avgio avipbb Fips IBMTPCHK intelppm SASDIFSV SASKUTIL ShockMgr Smapint TDSMAPI TPHKDRV TPPWR TSMAPIP
    4/5/2011 6:30:45 AM, error: Service Control Manager [7034] - The Sandboxie Service service terminated unexpectedly. It has done this 1 time(s).
    4/5/2011 4:58:34 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX9\MFC80U.DLL. Reference error message: The operation completed successfully. .
    4/3/2011 6:50:07 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_21027.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:50:06 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_21025.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:50:05 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20949.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:50:04 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20936.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:50:03 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20932.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:50:02 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20924.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:50:01 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20880.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:50:00 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20871.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:59 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20838.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:58 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20833.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:57 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20424.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:56 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20423.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:55 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20420.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:54 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20297.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:49 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20290.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:48 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20285.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:47 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20284.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:46 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20280.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:40 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20278.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:39 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20277.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:38 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20273.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:48:20 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\asp.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:48:18 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\aqueue.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:48:15 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\appconf.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:48:10 PM, information: Windows File Protection [64021] - The system file c:\windows\msagent\intl\agt0804.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:48:08 PM, information: Windows File Protection [64021] - The system file c:\windows\msagent\intl\agt0412.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:48:06 PM, information: Windows File Protection [64021] - The system file c:\windows\msagent\intl\agt0411.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:48:04 PM, information: Windows File Protection [64021] - The system file c:\windows\msagent\intl\agt0404.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:47:55 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\admexs.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:47:25 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bin\1033\tcptsat.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:47:24 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bin\tcptest.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:47:21 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\_vti_bin\shtml.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:47:20 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\isapi\shtml.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:49 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bin\fpremadm.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:47 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bin\1033\fpmmcsat.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:46 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bin\fpmmc.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:43 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bin\fpexedll.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:42 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\_vti_bin\fpcount.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:41 PM, information: Windows File Protection [64021] - The system file c:\program files\microsoft frontpage\version3.0\bin\fp98swin.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:40 PM, information: Windows File Protection [64021] - The system file c:\program files\microsoft frontpage\version3.0\bin\fp98sadm.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:39 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bin\fp4awel.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:36 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\servsupp\fp4awebs.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:35 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bin\fp4avss.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:34 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bots\vinavbar\fp4avnb.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:33 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bin\fp4atxt.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:32 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bin\fp4areg.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:31 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\servsupp\fp4apws.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:30 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\servsupp\fp4anscp.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:28 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\servsupp\fp4amsft.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:23 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bin\cfgwiz.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:19 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\_vti_bin\_vti_aut\author.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:18 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\isapi\_vti_aut\author.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:44:29 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\staxmem.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:44:20 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\logui.ocx could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:24:05 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\isatq.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:24:03 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\infoadmn.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:59 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\inetmgr.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:55 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\iisrtl.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:54 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\iisrstas.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:49 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\iismap.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:47 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\iisext.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:37 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\coadmin.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:36 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\cnfgprts.ocx could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:34 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\certwiz.ocx could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:30 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\adsiis.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 5:00:34 AM, information: Windows File Protection [64021] - The system file c:\windows\system32\admwprox.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:50:01 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20269.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:58 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20108.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:57 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20107.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:56 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20106.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:55 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20105.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:53 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20005.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:50 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20004.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:49 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20003.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:48 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20002.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:47 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20001.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:46 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20000.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:45 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1361.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:43 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1149.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:40 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1148.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:39 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1147.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:30 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1146.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:29 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1145.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:28 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1144.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:27 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1143.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:26 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1142.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:25 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1141.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:24 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1140.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:23 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1047.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:20 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_10008.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:19 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_10003.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:17 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_10002.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:15 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_10001.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:09 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\browscap.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:44:15 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\bopomofo.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:44:10 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\big5.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:43:55 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\authfilt.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:43:36 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\asptxn.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:43:35 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\aspperf.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:43:31 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\aqadmin.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:43:15 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\adsiisex.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:43:12 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\adrot.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:43:08 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\admxprox.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:42:41 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\wamregps.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:42:23 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsloc.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:42:20 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\inetmgr.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:42:17 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\iisui.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:42:13 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\iisrstap.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:42:10 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\iisreset.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:42:04 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\ftpsapi2.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:41:54 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\certmap.ocx could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 1:57:56 AM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\_vti_bin\_vti_adm\admin.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 1:57:56 AM, information: Windows File Protection [64018] - Windows File Protection file scan was cancelled by user interaction, user name is Vegeta.
    4/3/2011 1:57:40 AM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\isapi\_vti_adm\admin.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 1:57:19 AM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
    4/2/2011 5:20:39 AM, error: Dhcp [1002] - The IP address lease 192.168.1.64 for the Network Card with network address 000D602D097D has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    4/2/2011 4:19:48 AM, error: Application Popup [877] - There was error [DATABASE OPEN FAILED] processing the driver database.
    4/2/2011 4:16:41 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX6\MFC80U.DLL. Reference error message: The operation completed successfully. .
    4/2/2011 4:07:37 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Trend Micro RUBotted Service service to connect.
    4/2/2011 4:07:37 AM, error: Service Control Manager [7000] - The Trend Micro RUBotted Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    4/2/2011 4:06:35 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    4/2/2011 12:24:03 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ANC Fips IBMTPCHK intelppm ShockMgr Smapint TDSMAPI TPHKDRV TPPWR TSMAPIP
    4/2/2011 12:13:03 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX5\MFC80U.DLL. Reference error message: The operation completed successfully. .
    4/2/2011 12:12:00 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    4/2/2011 12:07:02 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ANC Fips IBMTPCHK intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ShockMgr Smapint Tcpip TDSMAPI TfFsMon TfSysMon TPHKDRV TPPWR TSMAPIP
    4/2/2011 12:07:02 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
    4/2/2011 12:07:02 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    4/2/2011 12:07:02 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    4/2/2011 12:07:02 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
    4/2/2011 11:11:13 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service VSS with arguments " " in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
    4/2/2011 11:02:57 PM, error: Cdrom [11] - The driver detected a controller error on \Device\CdRom0.
    4/2/2011 11:02:53 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    4/2/2011 11:00:05 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service ntmssvc with arguments "-Service" in order to run the server: {D61A27C6-8F53-11D0-BFA0-00A024151983}
    4/2/2011 10:36:05 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments " " in order to run the server: {000C101C-0000-0000-C000-000000000046}
    4/2/2011 10:17:09 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
    4/2/2011 10:17:09 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX7\MFC80U.DLL. Reference error message: The operation completed successfully. .
    4/2/2011 10:17:09 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.
    4/2/2011 10:15:56 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX4\MFC80U.DLL. Reference error message: The operation completed successfully. .
    4/2/2011 10:13:09 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ANC Fips IBMTPCHK intelppm SASDIFSV SASKUTIL ShockMgr Smapint TDSMAPI TPHKDRV TPPWR TSMAPIP
    4/2/2011 10:12:02 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    4/2/2011 10:09:58 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate) service to connect.
    4/2/2011 10:09:58 PM, error: Service Control Manager [7000] - The PMEM service failed to start due to the following error: The system cannot find the file specified.
    4/2/2011 10:09:58 PM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    4/1/2011 9:33:15 PM, error: PlugPlayManager [11] - The device Root\LEGACY_SMR162\0000 disappeared from the system without first being prepared for removal.
    4/1/2011 8:33:23 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments " " in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    4/1/2011 8:17:44 PM, error: Dhcp [1002] - The IP address lease 76.213.226.26 for the Network Card with network address 000D602D097D has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    4/1/2011 8:08:08 PM, error: Dhcp [1002] - The IP address lease 76.213.228.196 for the Network Card with network address 000D602D097D has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    4/1/2011 7:17:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ANC eeCtrl Fips IBMTPCHK intelppm SAVRT SAVRTPEL ShockMgr Smapint SPBBCDrv SYMTDI TDSMAPI TPHKDRV TPPWR TSMAPIP
    4/1/2011 11:31:28 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: TfFsMon TfSysMon
    4/1/2011 11:27:47 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ANC Fips IBMTPCHK intelppm ShockMgr Smapint TDSMAPI TfFsMon TfSysMon TPHKDRV TPPWR TSMAPIP
    4/1/2011 11:03:19 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX2\MFC80U.DLL. Reference error message: The operation completed successfully. .
    4/1/2011 1:51:01 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    .
    ==== End Of File ===========================
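Added example (not DDS code, and not from this thread): a triage script for event-log lines in the `date, level: source [id] - message` form quoted above, which tallies them by source and event ID, extracts the driver names from Service Control Manager 7026 entries, and tags DCOM 10005 "%1084" entries as Safe Mode artifacts (Win32 error 1084 means the service cannot be started in Safe Mode). The sample lines are constructed in the same format as the posted log.

```python
import re
from collections import Counter

# Constructed sample lines in the same format as the DDS log posted above.
SAMPLE_LOG = """\
4/3/2011 6:46:39 PM, information: Windows File Protection [64021] - The system file c:\\windows\\system32\\staxmem.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
4/2/2011 12:12:00 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
4/2/2011 12:07:02 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ANC Fips intelppm Tcpip
4/2/2011 4:07:37 AM, error: Service Control Manager [7000] - The Trend Micro RUBotted Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/2/2011 11:00:05 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service ntmssvc with arguments "-Service" in order to run the server: {D61A27C6-8F53-11D0-BFA0-00A024151983}
"""

# One event per line: "<m/d/yyyy h:mm:ss AM|PM>, <level>: <source> [<id>] - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)
DRIVER_LIST_RE = re.compile(r"failed to load: (.+)$")

# Triage tags returned by classify(); each names the reason a helper would give.
SAFE_MODE = "safe-mode artifact"          # DCOM %1084: service cannot start in Safe Mode
DRIVER_FAIL = "boot-start driver failed"  # SCM 7026
SERVICE_FAIL = "service failed to start"  # SCM 7000 / 7009
WFP_CANCELLED = "WFP copy cancelled"      # WFP 64021 with 0x4C7 (ERROR_CANCELLED)
OTHER = "other"


def parse_line(line):
    """Return the fields of one event line as a dict, or None if it is not an event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["event_id"] = int(ev["event_id"])
    return ev


def parse_log(text):
    """Parse every event line in an excerpt, skipping separators such as '.'."""
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def classify(ev):
    """Assign a triage tag from source, event ID and message content."""
    src, eid, msg = ev["source"], ev["event_id"], ev["msg"]
    if src == "DCOM" and eid == 10005 and '"%1084"' in msg:
        return SAFE_MODE
    if src == "Service Control Manager" and eid == 7026:
        return DRIVER_FAIL
    if src == "Service Control Manager" and eid in (7000, 7009):
        return SERVICE_FAIL
    if src == "Windows File Protection" and eid == 64021 and "0x000004c7" in msg:
        return WFP_CANCELLED
    return OTHER


def failed_drivers(events):
    """Collect the driver names listed in every SCM 7026 entry."""
    names = set()
    for ev in events:
        if classify(ev) == DRIVER_FAIL:
            m = DRIVER_LIST_RE.search(ev["msg"])
            if m:
                names.update(m.group(1).split())
    return names


def triage(text):
    """Summarise an excerpt: counts per (source, id), per tag, and the failed drivers."""
    events = parse_log(text)
    return {
        "total": len(events),
        "by_source": Counter((ev["source"], ev["event_id"]) for ev in events),
        "by_tag": Counter(classify(ev) for ev in events),
        "failed_drivers": sorted(failed_drivers(events)),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for key, count in report["by_source"].most_common():
        print("%3d  %s [%d]" % (count, key[0], key[1]))
    print("tags:", dict(report["by_tag"]))
    print("drivers that failed to load:", ", ".join(report["failed_drivers"]))
```

Run over a full DDS excerpt, the tag counts separate the Safe Mode noise from the entries worth chasing (the 7026 driver lists and the 7000/7009 service failures).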
     
  10. 2011/04/09
    ravn87

    ravn87 Inactive Thread Starter

    Joined:
    2010/03/10
    Messages:
    85
    Likes Received:
    0
    I would post the log that RKILL.exe gave me, but I didn't save the first one. I forgot to remove RKILL.exe from the start-up folder in "ALL Programs list" after I dealt with the worm and rebooted the computer, and it gave me a replacement log that has no trace of the Blaster worm mal-processes on it. So I figured it was kinda pointless to post.

    Anyway, thank you Broni. I appreciate the help. I would've posted right away after scanning the computer, but I was trying to organize my posts for PETE C. and find a lot of answers towards my millions of questions I bombarded the poor guy with. <:)
     
  11. 2011/04/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Hi
    Thanks for all info :)

    Any particular reason, why all scans were run from Safe Mode?

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  12. 2011/04/09
    ravn87

    ravn87 Inactive Thread Starter

    Joined:
    2010/03/10
    Messages:
    85
    Likes Received:
    0
    I read somewhere a while back that anytime you do any scans or run anti-malware, that it's best to do it in Safe mode as there's less processes locking things up and hiding things from the scans, you would get better results that way. So I've been following that for a while.

    Do you need me to rerun all the scans in Normal mode?

    BootKit Remover also gave me this other "Bootkit_Remover_Debug_log," do you need that one as well?
    *******************************
    BootRemover log:


    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 1f2dced1b5f3eb6b60dcaf50ffe15a32

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
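What a boot-sector check like the one reported above actually does, as an added example (not eSage Lab's code): hash the 512-byte MBR, verify the 0x55AA signature, parse the four partition entries, and compare the boot code (the first 440 bytes, before the disk signature) against an allow-list of known-loader hashes, reporting "Unknown boot code" when it matches none. The allow-list and the sample sector are constructed, so results here say nothing about any real disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # loader bytes before the 4-byte disk signature at 0x1B8
PART_TABLE_OFF = 446     # four 16-byte partition entries start at 0x1BE
SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Construct a sector to test with: NOP filler as boot code, one bootable NTFS partition."""
    boot_code = b"\x90" * BOOT_CODE_LEN           # constructed filler, not a real loader
    disk_sig = b"\x78\x56\x34\x12" + b"\x00\x00"  # constructed disk signature + reserved bytes
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 156301425)
    return boot_code + disk_sig + entry + b"\x00" * 48 + SIGNATURE


def boot_code_md5(sector):
    """MD5 of the loader bytes only, so a changed disk signature does not alter it."""
    return hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest()


def parse_partition_table(sector):
    """Return the non-empty partition entries as dicts."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return parts


def inspect_mbr(sector, known_boot_code=frozenset()):
    """Report hashes, partitions, status and findings for one 512-byte sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector" % SECTOR_SIZE)
    findings = []
    if sector[-2:] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partition_table(sector)
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one partition flagged bootable")
    code_md5 = boot_code_md5(sector)
    status = "Known boot code" if code_md5 in known_boot_code else "Unknown boot code"
    return {
        "sector_md5": hashlib.md5(sector).hexdigest(),  # the "Boot sector MD5" quantity
        "boot_code_md5": code_md5,
        "status": status,
        "partitions": parts,
        "findings": findings,
    }


if __name__ == "__main__":
    mbr = build_sample_mbr()
    report = inspect_mbr(mbr)  # empty allow-list, so the constructed loader is "Unknown"
    print("Boot sector MD5 is:", report["sector_md5"])
    print("MBR status:", report["status"])
    for p in report["partitions"]:
        print("  partition %d type 0x%02X lba %d sectors %d bootable=%s"
              % (p["index"], p["type"], p["lba_start"], p["sectors"], p["bootable"]))
    for f in report["findings"]:
        print("  finding:", f)
```

The status only says whether the loader matched something on the allow-list, not whether it is malicious, which is why an "Unknown" result calls for dumping and reading the sector rather than rewriting it on sight.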
     
  13. 2011/04/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    MBAM is designed to run in normal mode.
    You use safe mode only in a case, when it doesn't want to work in normal mode.
    Same applies to DDS, but for now, re-run just MBAM in normal mode.
    Make sure, you update it first.

    When done....

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results ".
      • Click on [color= "Red"]this link[/color] to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • [color= "Red"]WARNING:[/color] Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results ". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion ", restart computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  14. 2011/04/10
    ravn87 (Inactive, Thread Starter)
    OK, I ran the DDS scans anyway:
    DDS REDO Normal Boot scan 1
    DDS ATTACH redo normal boot scan 2

    And I realize you may not have had access to the Avira scans after all, so here's a repost of the links. I can't find how I can edit the previous post.

    Avira post-update scan: Normal Boot
    Avira pre-update scan



    ComboFix:

    ComboFix 11-04-10.01 - Vegeta 04/10/2011 15:53:05.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.483 [GMT -7:00]
    Running from: e:\winbbs tools\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Documents
    c:\windows\system32\drivers\etc\lmhosts
    .
    Infected copy of c:\windows\system32\autochk.exe was found and disinfected
    Restored copy from - c:\windows\system32\dllcache\autochk.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-10 to 2011-04-10 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-06 07:51 . 2011-04-06 12:02 -------- d-----w- c:\program files\COMODO
    2011-04-06 07:51 . 2011-04-06 07:51 1700352 ----a-w- c:\windows\system32\gdiplus.dll
    2011-04-06 06:33 . 2011-04-06 06:55 -------- d-----w- c:\program files\CCleaner
    2011-04-06 01:18 . 2011-04-06 01:18 -------- d-----w- c:\windows\Internet Logs
    2011-04-05 13:24 . 2011-04-05 13:24 -------- d-----w- c:\program files\CheckPoint
    2011-04-03 23:49 . 2001-08-17 20:51 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys
    2011-04-03 23:49 . 2001-08-17 19:11 31529 ----a-w- c:\windows\system32\dllcache\brzwlan.sys
    2011-04-03 23:49 . 2001-08-17 20:12 10368 ----a-w- c:\windows\system32\dllcache\brusbscn.sys
    2011-04-03 23:49 . 2001-08-17 20:12 60416 ----a-w- c:\windows\system32\dllcache\brserwdm.sys
    2011-04-03 23:49 . 2001-08-17 20:12 11008 ----a-w- c:\windows\system32\dllcache\brusbmdm.sys
    2011-04-03 23:49 . 2001-08-18 05:36 9728 ----a-w- c:\windows\system32\dllcache\brserif.dll
    2011-04-03 23:49 . 2001-08-18 05:36 5120 ----a-w- c:\windows\system32\dllcache\brscnrsm.dll
    2011-04-03 23:49 . 2001-08-17 20:12 39552 ----a-w- c:\windows\system32\dllcache\brparwdm.sys
    2011-04-03 23:49 . 2001-08-17 20:12 3168 ----a-w- c:\windows\system32\dllcache\brparimg.sys
    2011-04-03 23:49 . 2001-08-18 05:36 41472 ----a-w- c:\windows\system32\dllcache\brmfusb.dll
    2011-04-03 23:49 . 2001-08-18 05:36 32256 ----a-w- c:\windows\system32\dllcache\brmfrsmg.exe
    2011-04-03 23:43 . 2001-08-18 05:36 87552 ----a-w- c:\windows\system32\dllcache\avmcoxp.dll
    2011-04-03 23:42 . 2008-04-14 05:06 84480 ----a-w- c:\windows\system32\dllcache\ac97via.sys
    2011-04-03 23:42 . 2001-08-17 19:20 297728 ----a-w- c:\windows\system32\dllcache\ac97sis.sys
    2011-04-03 23:42 . 2008-04-14 05:06 231552 ----a-w- c:\windows\system32\dllcache\ac97ali.sys
    2011-04-03 23:42 . 2001-08-18 05:36 462848 ----a-w- c:\windows\system32\dllcache\a3dapi.dll
    2011-04-03 23:42 . 2001-08-17 21:55 38400 ----a-w- c:\windows\system32\dllcache\8514a.dll
    2011-04-03 23:42 . 2008-04-14 07:16 48128 ----a-w- c:\windows\system32\dllcache\61883.sys
    2011-04-03 23:42 . 2008-04-14 07:10 12288 ----a-w- c:\windows\system32\dllcache\4mmdat.sys
    2011-04-03 23:42 . 2001-08-17 19:48 148352 ----a-w- c:\windows\system32\dllcache\3dfxvsm.sys
    2011-04-03 23:42 . 2001-08-17 21:55 689216 ----a-w- c:\windows\system32\dllcache\3dfxvs.dll
    2011-04-03 23:42 . 2001-08-17 20:28 762780 ----a-w- c:\windows\system32\dllcache\3cwmcru.sys
    2011-04-03 23:42 . 2001-08-17 21:06 11264 ----a-w- c:\windows\system32\dllcache\1394vdbg.sys
    2011-04-03 23:42 . 2001-08-17 21:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
    2011-04-03 06:33 . 2011-04-03 06:33 -------- d-----w- c:\windows\system32\NtmsData
    2011-04-03 06:16 . 2011-04-03 06:16 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-04-03 06:16 . 2011-04-06 06:22 -------- d-----w- c:\documents and settings\user\Application Data\Free Download Manager
    2011-04-03 06:16 . 2011-04-03 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeDownloadManager.ORG
    2011-04-03 06:15 . 2011-04-06 06:25 -------- d-----w- c:\program files\NOS
    2011-04-02 22:49 . 2011-04-03 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-04-02 22:47 . 2011-04-03 06:16 -------- d-----w- c:\program files\SpybotPortable
    2011-04-02 11:26 . 2011-04-06 12:46 -------- d-----w- c:\documents and settings\All Users\Application Data\WEngineLite
    2011-04-02 08:33 . 2010-09-06 09:26 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-04-02 08:26 . 2011-04-02 08:26 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
    2011-04-02 08:26 . 2011-04-02 08:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-04-02 08:26 . 2011-04-02 08:26 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
    2011-04-02 08:25 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-02 08:25 . 2011-04-02 08:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-04-02 08:25 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-02 08:25 . 2011-04-02 08:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-02 08:21 . 2011-04-06 12:13 -------- dc----w- c:\windows\system32\DRVSTORE
    2011-04-02 08:21 . 2011-04-02 08:21 -------- d-----w- c:\documents and settings\user\Application Data\InstallShield
    2011-04-02 02:00 . 2011-04-02 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2011-04-02 02:00 . 2011-04-02 03:16 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\NPE
    2011-04-02 00:49 . 2011-04-02 01:59 -------- d-----w- c:\documents and settings\user\Application Data\FreeFixer
    2011-04-02 00:49 . 2011-04-02 00:49 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\FreeFixer
    2011-04-02 00:49 . 2011-04-02 00:49 -------- d-----w- c:\program files\FreeFixer
    2011-04-01 12:52 . 2011-04-02 03:13 -------- d-----w- c:\documents and settings\user\Application Data\GetRightToGo
    2011-04-01 10:41 . 2011-04-01 10:41 -------- d-----w- c:\program files\EraseDrop Portable
    2011-03-19 03:35 . 2011-03-19 03:35 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
    2011-03-19 03:35 . 2011-03-19 03:35 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-10 22:58 . 2005-11-08 23:13 17920 ----a-w- c:\windows\system32\rpcnetp.exe
    2011-04-10 22:58 . 2005-05-18 18:36 56680 ----a-w- c:\windows\system32\rpcnet.dll
    2011-04-09 23:13 . 2005-11-08 23:13 17920 ----a-w- c:\windows\system32\rpcnetp.dll
    2011-02-15 20:33 . 2008-01-22 01:43 34816 ----a-w- c:\windows\system32\identprv.dll
    2011-02-09 13:53 . 2002-11-27 07:15 186880 ------w- c:\windows\system32\encdec.dll
    2011-02-09 13:53 . 2002-11-27 07:15 270848 ------w- c:\windows\system32\sbe.dll
    2011-02-02 07:58 . 2003-02-21 01:08 2067456 ------w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2003-02-21 01:08 677888 ------w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 1980-01-01 16:00 439296 ------w- c:\windows\system32\shimgvw.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "frymxins"="c:\program files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl" [X]
    "S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 110592]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 512000]
    "TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-08-24 864256]
    "TpShocks"="TpShocks.exe" [2005-08-23 86016]
    "TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-08-29 94208]
    "TP4EX"="tp4ex.exe" [2005-08-24 40960]
    "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-09-01 237568]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-26 344064]
    "IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2004-12-17 90112]
    "BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
    "BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
    "BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
    "QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-09-06 86016]
    "TPKBDLED"="c:\windows\system32\TpScrLk.exe" [2002-10-09 40960]
    "PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-07 86016]
    "Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 57344]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
    2005-09-06 11:08 262144 ----a-w- c:\windows\system32\QConGina.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    2005-07-06 07:45 28672 ----a-w- c:\windows\system32\notifyf2.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2005-06-17 06:23 24576 ----a-w- c:\windows\system32\tphklock.dll
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
    path=c:\documents and settings\user\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
    backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-12-22 08:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
    2008-04-14 13:42 380416 ------w- c:\windows\system32\irprops.cpl
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 13:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
    2010-01-27 00:58 256280 ----a-r- c:\windows\system32\Macromed\Flash\FlashUtil10e.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
    2004-01-21 06:28 581632 ------w- c:\program files\IBM\Messages By IBM\ibmmessages.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 13:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    2003-08-19 21:01 110592 ------w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\CCleaner\\CCleaner.exe"=
    "c:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWIZARD.EXE"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\COMODO\\COMODO Cloud Scanner\\CloudScanner.exe"=
    "c:\\Documents and Settings\\user\\Desktop\\ANTI-MALWARE\\HousecallLauncher.exe"=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
    "c:\\Documents and Settings\\user\\Desktop\\ANTI-MALWARE\\SAS_91348230.COM"=
    .
    R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [12/17/2004 4:05 AM 6912]
    R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [4/29/2004 11:56 PM 16384]
    S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\user\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\user\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
    S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\user\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\user\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/11/2010 7:23 PM 133104]
    S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [4/30/2004 12:24 AM 12288]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2005-11-09 c:\windows\Tasks\BMMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2004-04-30 09:38]
    .
    2011-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 02:23]
    .
    2011-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 02:23]
    .
    2011-04-10 c:\windows\Tasks\User_Feed_Synchronization-{D95B32E8-0CD8-4F8F-9323-DAE448CE658B}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\f6pggpgg.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/|http://www.google.com/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: No History: tito@no-history - %profile%\extensions\tito@no-history
    FF - Ext: LinkExtend: {cf47767d-5f3a-4e32-9fce-5d79565c9702} - %profile%\extensions\{cf47767d-5f3a-4e32-9fce-5d79565c9702}
    FF - Ext: OptimizeGoogle: optimizegoogle@optimizegoogle.com - %profile%\extensions\optimizegoogle@optimizegoogle.com
    FF - Ext: pidder: firefox@pidder.com - %profile%\extensions\firefox@pidder.com
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
    Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    Notify-NavLogon - (no file)
    MSConfigStartUp-Gamevance - c:\program files\Gamevance\gamevance32.exe
    MSConfigStartUp-SandboxieControl - c:\program files\Sandboxie\SbieCtrl.exe
    MSConfigStartUp-Uninstall Adobe Download Manager - c:\program files\NOS\bin\getPlus_Helper.dll
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-10 15:58
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{abcdf74f-9a64-4e6e-b8eb-6e5a41de6550}\0409]
    @SACL=
    "Version"="1.0.0.2"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(696)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\tphklock.dll
    .
    - - - - - - - > 'explorer.exe'(3180)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ibmpmsvc.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\tp4ex.exe
    c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    c:\windows\System32\QCONSVC.EXE
    c:\windows\system32\tp4cross.exe
    c:\windows\system32\ICO.EXE
    c:\windows\system32\rpcnet.exe
    c:\windows\System32\TPHDEXLG.EXE
    c:\windows\system32\TpKmpSVC.exe
    c:\windows\system32\wdfmgr.exe
    .
    **************************************************************************
    .
    Completion time: 2011-04-10 16:01:19 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-04-10 23:01
    .
    Pre-Run: 61,943,529,472 bytes free
    Post-Run: 61,849,522,176 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
    .
    - - End Of File - - 880811B9BF1FFFD84A4D58940807F3B1
     
    Last edited: 2011/04/10
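    The "Reg Loading Points" section of the ComboFix log above is what an analyst reads for persistence: the Run values, the [X] marker ComboFix puts on a value whose target file no longer exists (frymxins here), the Security Center AntiVirusOverride=1 that rogue antivirus programs often set so Windows stops warning that no real antivirus is active, and the driver/service list. The Python below is an added example, not a ComboFix feature and not anything posted by the thread's participants: it pulls those items out of a log and prints triage hints. SAMPLE_LOG is a short excerpt re-typed from the posted log; the regexes also accept the extra spaces around quotes that forum pastes sometimes carry. The hints are pointers to verify, not verdicts: the SASDIFSV/SASKUTIL drivers under Temp\SAS_SelfExtract, for instance, belong to the SUPERAntiSpyware portable scanner that was run on this machine earlier.

```python
"""Triage the autostart section of a ComboFix log.

Added example for this forum thread, not a ComboFix feature. It extracts the
Run-key values from the "Reg Loading Points" block, flags the ones ComboFix
marked [X] (target file missing), notes a Security Center *Override=1 and
lists drivers whose image path sits under a Temp folder.
"""
import re
from typing import Dict, List

# Constructed excerpt, re-typed from the log posted in this thread (not a full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"frymxins"="c:\program files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl" [X]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 57344]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [12/17/2004 4:05 AM 6912]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\user\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\user\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
"""

# "name"="path" [meta]; \s* tolerates stray spaces some forum pastes add around quotes
RUN_RE = re.compile(r'^"(?P<name>[^"]+?)\s*"\s*=\s*"(?P<path>[^"]*?)\s*"\s*\[(?P<meta>[^\]]*)\]')
# "AntiVirusOverride"=dword:00000001 and siblings such as FirewallOverride
OVERRIDE_RE = re.compile(r'^"(?P<key>\w+Override)\s*"\s*=\s*dword:(?P<value>[0-9a-fA-F]{8})')
# ComboFix service lines: <start type> <name>;<display name>;<image path> ...
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*)$')


def parse_run_entries(log: str) -> List[Dict]:
    """Return the HKLM ...\\CurrentVersion\\Run values with a file_missing flag."""
    entries: List[Dict] = []
    in_run_key = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("["):            # a new registry key header
            in_run_key = line.lower().endswith(r"\currentversion\run]")
            continue
        if not in_run_key:
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append({
                "name": m["name"],
                "path": m["path"],
                "file_missing": m["meta"].strip() == "X",   # ComboFix's marker
            })
    return entries


def triage(log: str) -> List[str]:
    """Human-readable hints for lines worth a second look; these are not verdicts."""
    findings: List[str] = []
    for entry in parse_run_entries(log):
        if entry["file_missing"]:
            findings.append(f"stale Run value {entry['name']!r} -> {entry['path']} (file missing)")
    for raw in log.splitlines():
        line = raw.strip()
        m = OVERRIDE_RE.match(line)
        if m and int(m["value"], 16) != 0:
            findings.append(f"Security Center {m['key']}=1 (status warnings suppressed)")
        m = SERVICE_RE.match(line)
        if m and "\\temp\\" in m["path"].lower():
            image = m["path"].split(" -->")[0]
            findings.append(f"driver {m['name']} loads from a Temp folder: {image}")
    return findings


if __name__ == "__main__":
    for hint in triage(SAMPLE_LOG):
        print("*", hint)
```

    To run it against a real log, read C:\ComboFix.txt into a string and pass it to triage(); a stale [X] entry is usually just cleanup, while an override flag or a driver loading from a user-writable Temp path is something to explain before the machine is declared clean.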
  15. 2011/04/10
    broni (Moderator, Malware Analyst)
    All logs have to be pasted.
    Please paste both DDS logs.

    Also, my instructions clearly say to run Combofix from the desktop.
    Please move ComboFix.exe to the correct location.
     
  16. 2011/04/10
    ravn87 (Inactive, Thread Starter)
    Do you want the Avira scans posted as well?
     
  17. 2011/04/10
    broni (Moderator, Malware Analyst)
    You may as well.
     
  18. 2011/04/10
    ravn87 (Inactive, Thread Starter)
    ComboFix 11-04-10.01 - Vegeta 04/10/2011 17:15:02.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.477 [GMT -7:00]
    Running from: c:\documents and settings\user\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-11 to 2011-04-11 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-06 07:51 . 2011-04-06 12:02 -------- d-----w- c:\program files\COMODO
    2011-04-06 07:51 . 2011-04-06 07:51 1700352 ----a-w- c:\windows\system32\gdiplus.dll
    2011-04-06 06:33 . 2011-04-06 06:55 -------- d-----w- c:\program files\CCleaner
    2011-04-06 01:18 . 2011-04-06 01:18 -------- d-----w- c:\windows\Internet Logs
    2011-04-05 13:24 . 2011-04-05 13:24 -------- d-----w- c:\program files\CheckPoint
    2011-04-03 23:49 . 2001-08-17 20:51 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys
    2011-04-03 23:49 . 2001-08-17 19:11 31529 ----a-w- c:\windows\system32\dllcache\brzwlan.sys
    2011-04-03 23:49 . 2001-08-17 20:12 10368 ----a-w- c:\windows\system32\dllcache\brusbscn.sys
    2011-04-03 23:49 . 2001-08-17 20:12 60416 ----a-w- c:\windows\system32\dllcache\brserwdm.sys
    2011-04-03 23:49 . 2001-08-17 20:12 11008 ----a-w- c:\windows\system32\dllcache\brusbmdm.sys
    2011-04-03 23:49 . 2001-08-18 05:36 9728 ----a-w- c:\windows\system32\dllcache\brserif.dll
    2011-04-03 23:49 . 2001-08-18 05:36 5120 ----a-w- c:\windows\system32\dllcache\brscnrsm.dll
    2011-04-03 23:49 . 2001-08-17 20:12 39552 ----a-w- c:\windows\system32\dllcache\brparwdm.sys
    2011-04-03 23:49 . 2001-08-17 20:12 3168 ----a-w- c:\windows\system32\dllcache\brparimg.sys
    2011-04-03 23:49 . 2001-08-18 05:36 41472 ----a-w- c:\windows\system32\dllcache\brmfusb.dll
    2011-04-03 23:49 . 2001-08-18 05:36 32256 ----a-w- c:\windows\system32\dllcache\brmfrsmg.exe
    2011-04-03 23:43 . 2001-08-18 05:36 87552 ----a-w- c:\windows\system32\dllcache\avmcoxp.dll
    2011-04-03 23:42 . 2008-04-14 05:06 84480 ----a-w- c:\windows\system32\dllcache\ac97via.sys
    2011-04-03 23:42 . 2001-08-17 19:20 297728 ----a-w- c:\windows\system32\dllcache\ac97sis.sys
    2011-04-03 23:42 . 2008-04-14 05:06 231552 ----a-w- c:\windows\system32\dllcache\ac97ali.sys
    2011-04-03 23:42 . 2001-08-18 05:36 462848 ----a-w- c:\windows\system32\dllcache\a3dapi.dll
    2011-04-03 23:42 . 2001-08-17 21:55 38400 ----a-w- c:\windows\system32\dllcache\8514a.dll
    2011-04-03 23:42 . 2008-04-14 07:16 48128 ----a-w- c:\windows\system32\dllcache\61883.sys
    2011-04-03 23:42 . 2008-04-14 07:10 12288 ----a-w- c:\windows\system32\dllcache\4mmdat.sys
    2011-04-03 23:42 . 2001-08-17 19:48 148352 ----a-w- c:\windows\system32\dllcache\3dfxvsm.sys
    2011-04-03 23:42 . 2001-08-17 21:55 689216 ----a-w- c:\windows\system32\dllcache\3dfxvs.dll
    2011-04-03 23:42 . 2001-08-17 20:28 762780 ----a-w- c:\windows\system32\dllcache\3cwmcru.sys
    2011-04-03 23:42 . 2001-08-17 21:06 11264 ----a-w- c:\windows\system32\dllcache\1394vdbg.sys
    2011-04-03 23:42 . 2001-08-17 21:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
    2011-04-03 06:33 . 2011-04-03 06:33 -------- d-----w- c:\windows\system32\NtmsData
    2011-04-03 06:16 . 2011-04-03 06:16 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-04-03 06:16 . 2011-04-06 06:22 -------- d-----w- c:\documents and settings\user\Application Data\Free Download Manager
    2011-04-03 06:16 . 2011-04-03 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeDownloadManager.ORG
    2011-04-03 06:15 . 2011-04-06 06:25 -------- d-----w- c:\program files\NOS
    2011-04-02 22:49 . 2011-04-03 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-04-02 22:47 . 2011-04-03 06:16 -------- d-----w- c:\program files\SpybotPortable
    2011-04-02 11:26 . 2011-04-06 12:46 -------- d-----w- c:\documents and settings\All Users\Application Data\WEngineLite
    2011-04-02 08:33 . 2010-09-06 09:26 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-04-02 08:26 . 2011-04-02 08:26 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
    2011-04-02 08:26 . 2011-04-02 08:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-04-02 08:26 . 2011-04-02 08:26 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
    2011-04-02 08:25 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-02 08:25 . 2011-04-02 08:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-04-02 08:25 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-02 08:25 . 2011-04-02 08:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-02 08:21 . 2011-04-06 12:13 -------- dc----w- c:\windows\system32\DRVSTORE
    2011-04-02 08:21 . 2011-04-02 08:21 -------- d-----w- c:\documents and settings\user\Application Data\InstallShield
    2011-04-02 02:00 . 2011-04-02 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2011-04-02 02:00 . 2011-04-02 03:16 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\NPE
    2011-04-02 00:49 . 2011-04-02 01:59 -------- d-----w- c:\documents and settings\user\Application Data\FreeFixer
    2011-04-02 00:49 . 2011-04-02 00:49 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\FreeFixer
    2011-04-02 00:49 . 2011-04-02 00:49 -------- d-----w- c:\program files\FreeFixer
    2011-04-01 12:52 . 2011-04-02 03:13 -------- d-----w- c:\documents and settings\user\Application Data\GetRightToGo
    2011-04-01 10:41 . 2011-04-01 10:41 -------- d-----w- c:\program files\EraseDrop Portable
    2011-03-19 03:35 . 2011-03-19 03:35 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
    2011-03-19 03:35 . 2011-03-19 03:35 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-11 00:11 . 2005-11-08 23:13 17920 ----a-w- c:\windows\system32\rpcnetp.exe
    2011-04-10 22:58 . 2005-05-18 18:36 56680 ----a-w- c:\windows\system32\rpcnet.dll
    2011-04-09 23:13 . 2005-11-08 23:13 17920 ----a-w- c:\windows\system32\rpcnetp.dll
    2011-02-15 20:33 . 2008-01-22 01:43 34816 ----a-w- c:\windows\system32\identprv.dll
    2011-02-09 13:53 . 2002-11-27 07:15 186880 ------w- c:\windows\system32\encdec.dll
    2011-02-09 13:53 . 2002-11-27 07:15 270848 ------w- c:\windows\system32\sbe.dll
    2011-02-02 07:58 . 2003-02-21 01:08 2067456 ------w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2003-02-21 01:08 677888 ------w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 1980-01-01 16:00 439296 ------w- c:\windows\system32\shimgvw.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "frymxins"="c:\program files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl" [X]
    "S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 110592]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 512000]
    "TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-08-24 864256]
    "TpShocks"="TpShocks.exe" [2005-08-23 86016]
    "TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-08-29 94208]
    "TP4EX"="tp4ex.exe" [2005-08-24 40960]
    "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-09-01 237568]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-26 344064]
    "IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2004-12-17 90112]
    "BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
    "BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
    "BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
    "QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-09-06 86016]
    "TPKBDLED"="c:\windows\system32\TpScrLk.exe" [2002-10-09 40960]
    "PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-07 86016]
    "Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 57344]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
    2005-09-06 11:08 262144 ----a-w- c:\windows\system32\QConGina.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    2005-07-06 07:45 28672 ----a-w- c:\windows\system32\notifyf2.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2005-06-17 06:23 24576 ----a-w- c:\windows\system32\tphklock.dll
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
    path=c:\documents and settings\user\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
    backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-12-22 08:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
    2008-04-14 13:42 380416 ------w- c:\windows\system32\irprops.cpl
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 13:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
    2010-01-27 00:58 256280 ----a-r- c:\windows\system32\Macromed\Flash\FlashUtil10e.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
    2004-01-21 06:28 581632 ------w- c:\program files\IBM\Messages By IBM\ibmmessages.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 13:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    2003-08-19 21:01 110592 ------w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\CCleaner\\CCleaner.exe"=
    "c:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWIZARD.EXE"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\COMODO\\COMODO Cloud Scanner\\CloudScanner.exe"=
    "c:\\Documents and Settings\\user\\Desktop\\ANTI-MALWARE\\HousecallLauncher.exe"=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
    "c:\\Documents and Settings\\user\\Desktop\\ANTI-MALWARE\\SAS_91348230.COM"=
    .
    R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [12/17/2004 4:05 AM 6912]
    R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [4/29/2004 11:56 PM 16384]
    S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\user\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\user\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
    S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\user\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\user\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/11/2010 7:23 PM 133104]
    S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [4/30/2004 12:24 AM 12288]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2005-11-09 c:\windows\Tasks\BMMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2004-04-30 09:38]
    .
    2011-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 02:23]
    .
    2011-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 02:23]
    .
    2011-04-11 c:\windows\Tasks\User_Feed_Synchronization-{D95B32E8-0CD8-4F8F-9323-DAE448CE658B}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\f6pggpgg.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/|http://www.google.com/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: No History: tito@no-history - %profile%\extensions\tito@no-history
    FF - Ext: LinkExtend: {cf47767d-5f3a-4e32-9fce-5d79565c9702} - %profile%\extensions\{cf47767d-5f3a-4e32-9fce-5d79565c9702}
    FF - Ext: OptimizeGoogle: optimizegoogle@optimizegoogle.com - %profile%\extensions\optimizegoogle@optimizegoogle.com
    FF - Ext: pidder: firefox@pidder.com - %profile%\extensions\firefox@pidder.com
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-10 17:18
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(696)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\tphklock.dll
    c:\windows\system32\notifyf2.dll
    .
    - - - - - - - > 'explorer.exe'(2024)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2011-04-10 17:20:17
    ComboFix-quarantined-files.txt 2011-04-11 00:20
    ComboFix2.txt 2011-04-10 23:01
    .
    Pre-Run: 61,856,215,040 bytes free
    Post-Run: 61,836,427,264 bytes free
    .
    - - End Of File - - 44E2C0FA0F0A17881FBBCE47D4645792
     
  19. 2011/04/10
    ravn87

    ravn87 Inactive Thread Starter

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Vegeta at 17:20:55.04 on Sun 04/10/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.481 [GMT -7:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\tp4ex.exe
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\system32\tp4cross.exe
    C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\WINDOWS\system32\rpcnet.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\user\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/
    TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    mRun: [S3TRAY2] S3Tray2.exe
    mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
    mRun: [TpShocks] TpShocks.exe
    mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
    mRun: [TP4EX] tp4ex.exe
    mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
    mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
    mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
    mRun: [BLOG] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
    mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
    mRun: [frymxins] "c:\program files\ati technologies\fire gl 3d studio max\atiimxgl"
    mRun: [TPKBDLED] c:\windows\system32\TpScrLk.exe
    mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
    mRun: [Mouse Suite 98 Daemon] ICO.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\thinkpad\pkgmgr\\PkgMgr.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1266422316168
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1266422292133
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38141.3952199074
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: QConGina - QConGina.dll
    Notify: tpfnf2 - notifyf2.dll
    Notify: tphotkey - tphklock.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\f6pggpgg.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/|http://www.google.com/
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: No History: tito@no-history - %profile%\extensions\tito@no-history
    FF - Ext: LinkExtend: {cf47767d-5f3a-4e32-9fce-5d79565c9702} - %profile%\extensions\{cf47767d-5f3a-4e32-9fce-5d79565c9702}
    FF - Ext: OptimizeGoogle: optimizegoogle@optimizegoogle.com - %profile%\extensions\optimizegoogle@optimizegoogle.com
    FF - Ext: pidder: firefox@pidder.com - %profile%\extensions\firefox@pidder.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2004-12-17 6912]
    R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2004-4-29 16384]
    S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\user\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\user\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
    S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\user\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\user\locals~1\temp\sas_selfextract\SASKUTIL.SYS [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-11 133104]
    S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2004-4-30 12288]
    .
    =============== Created Last 30 ================
    .
    2011-04-10 22:52:28 -------- d-sha-r- C:\cmdcons
    2011-04-10 22:51:25 98816 ----a-w- c:\windows\sed.exe
    2011-04-10 22:51:25 89088 ----a-w- c:\windows\MBR.exe
    2011-04-10 22:51:25 256512 ----a-w- c:\windows\PEV.exe
    2011-04-10 22:51:25 161792 ----a-w- c:\windows\SWREG.exe
    2011-04-06 07:51:24 -------- d-----w- c:\program files\COMODO
    2011-04-06 07:51:16 1700352 ----a-w- c:\windows\system32\gdiplus.dll
    2011-04-06 06:33:06 -------- d-----w- c:\program files\CCleaner
    2011-04-06 01:18:10 -------- d-----w- c:\windows\Internet Logs
    2011-04-05 13:24:41 -------- d-----w- c:\program files\CheckPoint
    2011-04-03 23:49:13 31529 ----a-w- c:\windows\system32\dllcache\brzwlan.sys
    2011-04-03 23:49:13 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys
    2011-04-03 23:49:12 60416 ----a-w- c:\windows\system32\dllcache\brserwdm.sys
    2011-04-03 23:49:12 11008 ----a-w- c:\windows\system32\dllcache\brusbmdm.sys
    2011-04-03 23:49:12 10368 ----a-w- c:\windows\system32\dllcache\brusbscn.sys
    2011-04-03 23:49:11 9728 ----a-w- c:\windows\system32\dllcache\brserif.dll
    2011-04-03 23:49:11 5120 ----a-w- c:\windows\system32\dllcache\brscnrsm.dll
    2011-04-03 23:49:10 39552 ----a-w- c:\windows\system32\dllcache\brparwdm.sys
    2011-04-03 23:49:09 3168 ----a-w- c:\windows\system32\dllcache\brparimg.sys
    2011-04-03 23:49:07 41472 ----a-w- c:\windows\system32\dllcache\brmfusb.dll
    2011-04-03 23:49:06 32256 ----a-w- c:\windows\system32\dllcache\brmfrsmg.exe
    2011-04-03 23:43:59 87552 ----a-w- c:\windows\system32\dllcache\avmcoxp.dll
    2011-04-03 23:42:59 84480 ----a-w- c:\windows\system32\dllcache\ac97via.sys
    2011-04-03 23:42:59 297728 ----a-w- c:\windows\system32\dllcache\ac97sis.sys
    2011-04-03 23:42:57 231552 ----a-w- c:\windows\system32\dllcache\ac97ali.sys
    2011-04-03 23:42:56 462848 ----a-w- c:\windows\system32\dllcache\a3dapi.dll
    2011-04-03 23:42:55 38400 ----a-w- c:\windows\system32\dllcache\8514a.dll
    2011-04-03 23:42:54 48128 ----a-w- c:\windows\system32\dllcache\61883.sys
    2011-04-03 23:42:53 148352 ----a-w- c:\windows\system32\dllcache\3dfxvsm.sys
    2011-04-03 23:42:53 12288 ----a-w- c:\windows\system32\dllcache\4mmdat.sys
    2011-04-03 23:42:52 762780 ----a-w- c:\windows\system32\dllcache\3cwmcru.sys
    2011-04-03 23:42:52 689216 ----a-w- c:\windows\system32\dllcache\3dfxvs.dll
    2011-04-03 23:42:51 11264 ----a-w- c:\windows\system32\dllcache\1394vdbg.sys
    2011-04-03 23:42:32 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
    2011-04-03 06:33:19 -------- d-----w- c:\windows\system32\NtmsData
    2011-04-03 06:16:29 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-04-03 06:16:29 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-04-03 06:16:00 -------- d-----w- c:\docume~1\user\applic~1\Free Download Manager
    2011-04-03 06:16:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\FreeDownloadManager.ORG
    2011-04-02 22:49:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2011-04-02 22:47:50 -------- d-----w- c:\program files\SpybotPortable
    2011-04-02 11:26:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\WEngineLite
    2011-04-02 08:33:10 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-04-02 08:26:13 -------- d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
    2011-04-02 08:26:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2011-04-02 08:26:00 -------- d-----w- c:\docume~1\user\applic~1\Malwarebytes
    2011-04-02 08:25:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-02 08:25:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-04-02 08:25:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-02 08:25:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-02 02:00:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
    2011-04-02 02:00:27 -------- d-----w- c:\docume~1\user\locals~1\applic~1\NPE
    2011-04-02 00:49:33 -------- d-----w- c:\docume~1\user\locals~1\applic~1\FreeFixer
    2011-04-02 00:49:33 -------- d-----w- c:\docume~1\user\applic~1\FreeFixer
    2011-04-02 00:49:28 -------- d-----w- c:\program files\FreeFixer
    2011-04-01 12:52:16 -------- d-----w- c:\docume~1\user\applic~1\GetRightToGo
    2011-04-01 10:41:17 -------- d-----w- c:\program files\EraseDrop Portable
    2011-03-19 03:35:47 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
    2011-03-19 03:35:45 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
    .
    ==================== Find3M ====================
    .
    2011-04-11 00:11:10 17920 ----a-w- c:\windows\system32\rpcnetp.exe
    2011-04-10 22:58:15 56680 ----a-w- c:\windows\system32\rpcnet.dll
    2011-04-09 23:13:44 17920 ----a-w- c:\windows\system32\rpcnetp.dll
    2011-02-15 20:33:42 34816 ----a-w- c:\windows\system32\identprv.dll
    2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ------w- c:\windows\system32\encdec.dll
    2011-02-02 07:58:35 2067456 ------w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57:06 677888 ------w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44:37 439296 ------w- c:\windows\system32\shimgvw.dll
    .
    ============= FINISH: 17:21:08.02 ===============
     
  20. 2011/04/10
    ravn87

    ravn87 Inactive Thread Starter

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2/17/2010 3:13:40 PM
    System Uptime: 4/10/2011 5:02:28 PM (0 hours ago)
    .
    Motherboard: IBM | | 23737CU
    Processor: Intel(R) Pentium(R) M processor 1500MHz | None | 1196/400mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 75 GiB total, 57.619 GiB free.
    D: is CDROM ()
    E: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1: 4/1/2011 2:32:02 AM - System Checkpoint
    RP2: 4/2/2011 4:26:08 AM - Installed VZAccess Manager.
    RP3: 4/2/2011 7:39:04 PM - Spybot-S&D Spyware removal
    RP4: 4/2/2011 11:15:24 PM - Restore Operation
    RP5: 4/3/2011 1:46:13 AM - Revo Uninstaller's restore point - Ask Toolbar
    RP6: 4/3/2011 1:49:59 AM - Revo Uninstaller's restore point - GOM Player
    RP7: 4/4/2011 2:27:13 AM - System Checkpoint
    RP8: 4/5/2011 6:51:02 AM - System Checkpoint
    RP9: 4/9/2011 5:17:30 AM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Access IBM
    Access IBM Message Center
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3
    Adobe Shockwave Player 11.5
    Agere Systems AC'97 Modem
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    ATI HYDRAVISION
    CCleaner
    COMODO Cloud Scanner
    ERUNT 1.1j
    FIRE GL driver for 3D Studio MAX/VIZ
    FreeFixer
    Google Update Helper
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB954550-v5)
    IBM RecordNow!
    IBM Rescue and Recovery with Rapid Restore
    IBM Themes
    IBM ThinkPad Battery MaxiMiser and Power Management Features
    IBM ThinkPad UltraNav Wizard
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet for Wired Connections
    InterVideo WinDVD
    Java(TM) 6 Update 20
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Data Access Components KB870669
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Windows Journal Viewer
    Mouse Suite
    Mozilla Firefox (3.6.13)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NTREGOPT 1.1j
    OGA Notifier 2.0.0048.0
    PC-Doctor for Windows
    Revo Uninstaller 1.85
    Scroll Lock Indicator Utility
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Software Informer 1.0 BETA
    Software Installer
    Sonic Update Manager
    System Migration Assistant 5.0
    ThinkPad Configuration
    ThinkPad EasyEject Utility
    ThinkPad FullScreen Magnifier
    ThinkPad Integrated 56K Modem
    ThinkPad Keyboard Customizer Utility
    ThinkPad Power Management Driver
    ThinkPad Presentation Director
    ThinkPad UltraNav Driver
    ThinkVantage Access Connections
    ThinkVantage Active Protection System
    TrackPoint Accessibility Features
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows Internet Explorer 8 (KB982632)
    Wallpapers
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Media Connect
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Service Pack 3
    WOT for Internet Explorer
    .
    ==== Event Viewer Messages From Past Week ========
    .
    4/5/2011 9:13:20 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX8\MFC80U.DLL. Reference error message: The operation completed successfully. .
    4/5/2011 9:09:29 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX7\MFC80U.DLL. Reference error message: The operation completed successfully. .
    4/5/2011 9:07:46 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    4/5/2011 8:40:48 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ANC avgio avipbb Fips IBMTPCHK intelppm SASDIFSV SASKUTIL ShockMgr Smapint TDSMAPI TPHKDRV TPPWR TSMAPIP
    4/5/2011 8:36:23 AM, error: Dhcp [1002] - The IP address lease 192.168.1.64 for the Network Card with network address 000D602D097D has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    4/5/2011 6:32:53 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
    4/5/2011 6:32:53 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX4\MFC80U.DLL. Reference error message: The operation completed successfully. .
    4/5/2011 6:32:53 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.
    4/5/2011 6:30:50 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    4/5/2011 6:30:45 AM, error: Service Control Manager [7034] - The Sandboxie Service service terminated unexpectedly. It has done this 1 time(s).
    4/5/2011 5:40:46 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate) service to connect.
    4/5/2011 5:40:46 AM, error: Service Control Manager [7000] - The PMEM service failed to start due to the following error: The system cannot find the file specified.
    4/5/2011 5:40:46 AM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    4/5/2011 4:58:34 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX9\MFC80U.DLL. Reference error message: The operation completed successfully. .
    4/4/2011 11:35:29 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ANC Fips IBMTPCHK intelppm SASDIFSV SASKUTIL ShockMgr Smapint TDSMAPI TPHKDRV TPPWR TSMAPIP
    4/4/2011 11:34:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    4/3/2011 6:50:07 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_21027.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:50:06 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_21025.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:50:05 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20949.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:50:04 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20936.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:50:03 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20932.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:50:02 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20924.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:50:01 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20880.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:50:00 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20871.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:59 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20838.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:58 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20833.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:57 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20424.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:56 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20423.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:55 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20420.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:54 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20297.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:49 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20290.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:48 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20285.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:47 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20284.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:46 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20280.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:40 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20278.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:39 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20277.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:49:38 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20273.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:48:20 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\asp.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:48:18 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\aqueue.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:48:15 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\appconf.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:48:10 PM, information: Windows File Protection [64021] - The system file c:\windows\msagent\intl\agt0804.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:48:08 PM, information: Windows File Protection [64021] - The system file c:\windows\msagent\intl\agt0412.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:48:06 PM, information: Windows File Protection [64021] - The system file c:\windows\msagent\intl\agt0411.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:48:04 PM, information: Windows File Protection [64021] - The system file c:\windows\msagent\intl\agt0404.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:47:55 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\admexs.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:47:25 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bin\1033\tcptsat.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:47:24 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bin\tcptest.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:47:21 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\_vti_bin\shtml.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:47:20 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\isapi\shtml.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:49 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bin\fpremadm.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:47 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bin\1033\fpmmcsat.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:46 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bin\fpmmc.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:43 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bin\fpexedll.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:42 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\_vti_bin\fpcount.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:41 PM, information: Windows File Protection [64021] - The system file c:\program files\microsoft frontpage\version3.0\bin\fp98swin.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:40 PM, information: Windows File Protection [64021] - The system file c:\program files\microsoft frontpage\version3.0\bin\fp98sadm.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:39 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bin\fp4awel.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:36 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\servsupp\fp4awebs.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:35 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bin\fp4avss.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:34 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bots\vinavbar\fp4avnb.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:33 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bin\fp4atxt.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:32 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bin\fp4areg.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:31 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\servsupp\fp4apws.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:30 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\servsupp\fp4anscp.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:28 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\servsupp\fp4amsft.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:23 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\bin\cfgwiz.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:19 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\_vti_bin\_vti_aut\author.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:46:18 PM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\isapi\_vti_aut\author.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:44:29 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\staxmem.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:44:20 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\logui.ocx could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:24:05 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\isatq.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:24:05 PM, information: Windows File Protection [64018] - Windows File Protection file scan was cancelled by user interaction, user name is Vegeta.
    4/3/2011 6:24:03 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\infoadmn.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:24:01 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsloc.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:24:00 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\inetmgr.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:59 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\inetmgr.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:56 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\iisui.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:55 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\iisrtl.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:54 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\iisrstas.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:51 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\iisrstap.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:50 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\iisreset.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:49 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\iismap.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:47 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\iisext.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:46 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\ftpsapi2.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:37 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\coadmin.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:36 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\cnfgprts.ocx could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:34 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\certwiz.ocx could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:33 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\certmap.ocx could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:30 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\adsiis.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:29 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\admwprox.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 6:23:09 PM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
    4/3/2011 5:00:14 AM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\_vti_bin\_vti_adm\admin.exe could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 5:00:03 AM, information: Windows File Protection [64021] - The system file c:\program files\common files\microsoft shared\web server extensions\40\isapi\_vti_adm\admin.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:50:01 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20269.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:58 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20108.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:57 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20107.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:56 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20106.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:55 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20105.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:53 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20005.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:50 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20004.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:49 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20003.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:48 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20002.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:47 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20001.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:46 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20000.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:45 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1361.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:43 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1149.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:40 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1148.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:39 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1147.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:30 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1146.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:29 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1145.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:28 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1144.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:27 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1143.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:26 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1142.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:25 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1141.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:24 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1140.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:23 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_1047.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:20 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_10008.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:19 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_10003.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:17 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_10002.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:15 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_10001.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:09 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\browscap.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:49:02 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\bopomofo.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:48:59 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\big5.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:48:46 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\authfilt.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:48:29 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\asptxn.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:48:27 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\aspperf.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:48:23 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\aqadmin.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:48:08 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\adsiisex.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:48:06 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\adrot.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:48:03 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\admxprox.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/3/2011 4:47:24 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\wamregps.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    4/10/2011 3:58:24 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL
    4/10/2011 3:52:56 PM, error: Service Control Manager [7034] - The IBM KCU Service service terminated unexpectedly. It has done this 1 time(s).
    4/10/2011 3:44:36 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    .
    ==== End Of File ===========================
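A note on reading the Windows File Protection entries above. Every 64021 "could not be copied into the DLL cache" line carries error code 0x000004c7, which the log itself expands as "The operation was canceled by the user", and the 64018 entry at 6:24:05 PM says the WFP scan was cancelled by user interaction (user Vegeta) right after the 64016 "scan was started" entry at 6:23:09 PM. So this block records an interrupted scan, not files that WFP tried and failed to repair; the check that matters is whether a later scan runs to completion without 64018/64021 entries. The script below is an added example, not code from this thread or from any tool used in it: it parses lines in the format of the posted log and produces a triage summary (scan starts, cancellations and who cancelled, copy failures grouped by error code, and the driver names from the Service Control Manager 7026 entry). The event-ID meanings are taken only from the message text in the log above, and the sample lines embedded in the script are a handful copied from that log.

```python
import re
from collections import Counter
from datetime import datetime

# Line format as seen in the posted log (assumed to hold for every line):
#   M/D/YYYY h:mm:ss AM|PM, level: Source [EventID] - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)
# Pieces of the WFP 64021 / 64018 message text, again as seen in the log.
PATH_RE = re.compile(r"The system file (?P<path>.+?) could not be copied")
ERR_RE = re.compile(r"error code is (?P<code>0x[0-9a-fA-F]+)")
USER_RE = re.compile(r"user name is (?P<user>[^\s.]+)")

# Sample input: a few lines copied from the log posted above.
SAMPLE_LOG = r"""
4/3/2011 6:50:04 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\c_20936.nls could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
4/3/2011 6:24:05 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\isatq.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
4/3/2011 6:24:05 PM, information: Windows File Protection [64018] - Windows File Protection file scan was cancelled by user interaction, user name is Vegeta.
4/3/2011 6:23:09 PM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
4/10/2011 3:58:24 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL
"""


def parse_line(line):
    """Return a dict (ts, level, source, event_id, msg) for one event line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["event_id"] = int(ev["event_id"])
    ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %I:%M:%S %p")
    return ev


def summarize_wfp(log_text):
    """Triage summary of Windows File Protection (WFP) and SCM events in log_text.

    scans_started / scans_cancelled : number of 64016 / 64018 events
    cancelled_by                    : user names named in 64018 events
    copy_failures                   : number of 64021 events
    failures_by_code                : Counter of error codes in 64021 events
    failed_paths                    : files WFP could not copy into the DLL cache
    driver_load_failures            : driver names from SCM event 7026
    """
    summary = {
        "scans_started": 0,
        "scans_cancelled": 0,
        "cancelled_by": set(),
        "copy_failures": 0,
        "failures_by_code": Counter(),
        "failed_paths": [],
        "driver_load_failures": [],
    }
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # not an event line (blank, "End Of File" marker, etc.)
        src, eid, msg = ev["source"], ev["event_id"], ev["msg"]
        if src == "Windows File Protection":
            if eid == 64016:
                summary["scans_started"] += 1
            elif eid == 64018:
                summary["scans_cancelled"] += 1
                u = USER_RE.search(msg)
                if u:
                    summary["cancelled_by"].add(u.group("user"))
            elif eid == 64021:
                summary["copy_failures"] += 1
                p = PATH_RE.search(msg)
                e = ERR_RE.search(msg)
                if p:
                    summary["failed_paths"].append(p.group("path"))
                code = e.group("code").lower() if e else "unknown"
                summary["failures_by_code"][code] += 1
        elif src == "Service Control Manager" and eid == 7026:
            # The message tail is a space-separated list of driver names.
            drivers = msg.split("failed to load:", 1)[-1].split()
            summary["driver_load_failures"].extend(drivers)
    return summary


if __name__ == "__main__":
    s = summarize_wfp(SAMPLE_LOG)
    print(f"WFP scans started: {s['scans_started']}, cancelled: {s['scans_cancelled']} "
          f"by {sorted(s['cancelled_by'])}")
    print(f"Files not copied to DLL cache: {s['copy_failures']} "
          f"(by error code: {dict(s['failures_by_code'])})")
    print(f"Drivers that failed to load: {s['driver_load_failures']}")
```

Run it over the full pasted log instead of SAMPLE_LOG and the useful signal is the ratio: if every 64021 code is 0x000004c7 and it is paired with a 64018 cancellation, the entries are the cancelled scan echoing back; any other code, or 64021 entries with no cancellation, points at files WFP genuinely could not restore from the cache.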
     
  21. 2011/04/10
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I don't see any AV program running.
    What happened to Avira?
     
    Last edited: 2011/04/10
