
Solved Your computer is infected with a virus! (?)

Discussion in 'Malware and Virus Removal Archive' started by mailman, 2010/08/03.

  1. 2010/08/07
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    I ran MBRCheck again, and the MBR is still not right (as far as I know).

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x000001fc

    Kernel Drivers (total 127):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EE000 \WINDOWS\system32\hal.dll
    0xF7B6F000 \WINDOWS\system32\KDCOM.DLL
    0xF7A7F000 \WINDOWS\system32\BOOTVID.dll
    0xF7620000 ACPI.sys
    0xF7B71000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
    0xF760F000 pci.sys
    0xF766F000 isapnp.sys
    0xF7C37000 pciide.sys
    0xF78EF000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xF7B73000 viaide.sys
    0xF7B75000 intelide.sys
    0xF767F000 MountMgr.sys
    0xF75F0000 ftdisk.sys
    0xF78F7000 PartMgr.sys
    0xF768F000 VolSnap.sys
    0xF75D8000 atapi.sys
    0xF75B5000 fasttx2k.sys
    0xF759D000 \WINDOWS\System32\DRIVERS\SCSIPORT.SYS
    0xF769F000 disk.sys
    0xF76AF000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xF757D000 fltmgr.sys
    0xF756B000 sr.sys
    0xF76BF000 PxHelp20.sys
    0xF7554000 KSecDD.sys
    0xF74C7000 Ntfs.sys
    0xF749A000 NDIS.sys
    0xF78FF000 viaagp1.sys
    0xF7486000 srescan.sys
    0xF76CF000 SISAGPX.sys
    0xF76DF000 ohci1394.sys
    0xF76EF000 \WINDOWS\System32\DRIVERS\1394BUS.SYS
    0xF746C000 Mup.sys
    0xF77BF000 \SystemRoot\System32\DRIVERS\nic1394.sys
    0xF6B7C000 \SystemRoot\System32\DRIVERS\amdk7.sys
    0xF6B41000 \SystemRoot\System32\DRIVERS\vtmini.sys
    0xF6B2D000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
    0xF69F7000 \SystemRoot\System32\DRIVERS\AGRSM.sys
    0xF7A17000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF6B6C000 \SystemRoot\System32\DRIVERS\imapi.sys
    0xF7B33000 \SystemRoot\system32\drivers\pfc.sys
    0xF772F000 \SystemRoot\System32\Drivers\AFS2K.SYS
    0xF773F000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xF774F000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xF69D4000 \SystemRoot\System32\DRIVERS\ks.sys
    0xF7A1F000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
    0xF7A27000 \SystemRoot\System32\DRIVERS\usbuhci.sys
    0xF69B0000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xF7A2F000 \SystemRoot\System32\DRIVERS\usbehci.sys
    0xF6783000 \SystemRoot\system32\drivers\ALCXWDM.SYS
    0xF675F000 \SystemRoot\system32\drivers\portcls.sys
    0xF775F000 \SystemRoot\system32\drivers\drmk.sys
    0xF776F000 \SystemRoot\System32\DRIVERS\fetnd5bv.sys
    0xF777F000 \SystemRoot\System32\DRIVERS\serial.sys
    0xF7B3B000 \SystemRoot\System32\DRIVERS\serenum.sys
    0xF674B000 \SystemRoot\System32\DRIVERS\parport.sys
    0xF778F000 \SystemRoot\System32\DRIVERS\i8042prt.sys
    0xF7A37000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xF7B3F000 \SystemRoot\System32\DRIVERS\PS2.sys
    0xF7A3F000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xF7DB8000 \SystemRoot\System32\DRIVERS\audstub.sys
    0xF779F000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xF7B43000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xF6734000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xF77AF000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xF77CF000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xF7A47000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xF6723000 \SystemRoot\System32\DRIVERS\psched.sys
    0xF77DF000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xF7A4F000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xF7A57000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xF77EF000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xF7B9F000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xF66C5000 \SystemRoot\System32\DRIVERS\update.sys
    0xF7B53000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xF77FF000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF781F000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xF7BA1000 \SystemRoot\System32\DRIVERS\USBD.SYS
    0xF7BA5000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7CB1000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7BA7000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7A67000 \SystemRoot\System32\drivers\vga.sys
    0xF7BA9000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7BAB000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF7A6F000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7A77000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF7148000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xF55BD000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xF5564000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xF553C000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xF54D1000 \SystemRoot\System32\vsdatant.sys
    0xF54AB000 \SystemRoot\System32\DRIVERS\ipnat.sys
    0xF782F000 \SystemRoot\System32\DRIVERS\wanarp.sys
    0xF783F000 \SystemRoot\System32\DRIVERS\arp1394.sys
    0xF53E9000 \SystemRoot\System32\drivers\afd.sys
    0xF784F000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xF7977000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0xF7B03000 \SystemRoot\System32\DRIVERS\srvkp.sys
    0xF53C4000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    0xF792F000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xF5399000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xF5329000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xF786F000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF7D38000 \SystemRoot\System32\Drivers\BANTExt.sys
    0xF4D1D000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0xF7937000 \SystemRoot\System32\DRIVERS\USBSTOR.SYS
    0xF7BAF000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    0xF4CF9000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xF789F000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xF4CE1000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7BC3000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF66AD000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF793F000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7D9B000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\vtdisp.dll
    0xF038D000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0xF04C9000 \??\C:\WINDOWS\system32\drivers\mbam.sys
    0xF03D1000 \SystemRoot\System32\DRIVERS\ndisuio.sys
    0xF0018000 \SystemRoot\System32\DRIVERS\mrxdav.sys
    0xEFFDB000 \SystemRoot\system32\drivers\wdmaud.sys
    0xF04A9000 \SystemRoot\system32\drivers\sysaudio.sys
    0xF7C1F000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xEF8CE000 \SystemRoot\System32\DRIVERS\srv.sys
    0xF7957000 \SystemRoot\system32\Drivers\LVPr2Mon.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 50):
    0 System Idle Process
    4 System
    608 C:\WINDOWS\system32\smss.exe
    676 csrss.exe
    700 C:\WINDOWS\system32\winlogon.exe
    744 C:\WINDOWS\system32\services.exe
    756 C:\WINDOWS\system32\lsass.exe
    928 C:\WINDOWS\system32\svchost.exe
    1008 svchost.exe
    1096 C:\WINDOWS\system32\svchost.exe
    1156 svchost.exe
    1304 svchost.exe
    1364 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    1704 C:\WINDOWS\system32\spoolsv.exe
    1756 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1776 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    1936 svchost.exe
    420 C:\WINDOWS\explorer.exe
    1220 C:\WINDOWS\system\hpsysdrv.exe
    1224 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    1268 C:\WINDOWS\system32\hphmon05.exe
    1292 C:\hp\KBD\kbd.exe
    1288 C:\WINDOWS\system32\VTTimer.exe
    1336 C:\WINDOWS\AGRSMMSG.exe
    1380 C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    1396 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    1556 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    1568 C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    1576 C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
    1612 C:\Program Files\iTunes\iTunesHelper.exe
    1672 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    1812 C:\Program Files\Logitech\Logitech Vid\Vid.exe
    1856 C:\Program Files\Skype\Phone\Skype.exe
    1864 C:\WINDOWS\system32\ctfmon.exe
    1944 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    204 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    268 C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    324 C:\Program Files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe
    184 C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    456 C:\Program Files\Bonjour\mDNSResponder.exe
    468 C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
    1372 C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    1048 C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
    2148 C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    2248 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    2284 C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    2416 C:\WINDOWS\system32\svchost.exe
    3672 C:\Program Files\iPod\bin\iPodService.exe
    428 alg.exe
    1788 C:\Documents and Settings\Owner\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`32d92000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

    PhysicalDrive0 Model Number: ST380011A, Rev: 3.08

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: EC5B6F4B08268D5344F30BFF61C8B587F034795B


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!

    ==============

    BTW, I also updated the Logitech Vid software this afternoon via the update icon that was present in the tray. It automatically rebooted the computer without prompting me like I am used to seeing for other software updates that require a reboot.

    Otherwise, I did not notice anything "unusual" during the update (though I am not familiar with Logitech webcam software).
     
    Last edited: 2010/08/07
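Added example (not from mailman's post and not MBRCheck's own code): the MBRCheck output above reports a SHA1 of the boot sector's code and the byte offset of each volume on PhysicalDrive0. The script below does the same two things on a 512-byte MBR so the numbers can be checked by hand: it hashes the 440-byte bootstrap area (the assumption here about which bytes to compare; MBRCheck's reference hash list is not reproduced), reads the four partition entries, and reports "Unknown MBR code" when the hash is not in a caller-supplied allowlist. The MBR it runs on is constructed, with placeholder boot code and a made-up disk signature; only its partition layout is chosen to reproduce the two offsets in the log (0x7e00 for the FAT32 volume, 0x1`32d92000 for the NTFS volume).

```python
"""Parse a 512-byte MBR, hash its bootstrap code and classify it as an MBR checker does."""
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR = 512
BOOT_CODE_LEN = 440            # bytes 0..439: the bootstrap code that gets hashed
DISK_SIG_OFF = 440             # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446           # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511

PARTITION_TYPES = {0x05: "Extended", 0x07: "NTFS/HPFS", 0x0B: "FAT32",
                   0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)"}


def parse_mbr(mbr: bytes) -> Dict:
    """Return the boot-code SHA1, disk signature and the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing: not a valid MBR")
    partitions: List[Dict] = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        if ptype == 0:
            continue                      # empty slot
        partitions.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "fs": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba,
            "sectors": count,
            "byte_offset": lba * SECTOR,  # what MBRCheck prints as "at offset"
            "size_gib": round(count * SECTOR / 2**30, 2),
        })
    return {
        "boot_code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack("<I", mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": partitions,
    }


def classify_mbr(mbr: bytes, known_good: Dict[str, str]) -> str:
    """known_good maps upper-case SHA1 hex of a trusted bootstrap block to a label."""
    digest = parse_mbr(mbr)["boot_code_sha1"]
    label: Optional[str] = known_good.get(digest)
    return f"Known MBR code ({label})" if label else "Unknown MBR code"


def read_mbr(device: str) -> bytes:
    """Read sector 0 from a raw device: r'\\\\.\\PhysicalDrive0' on Windows (needs an
    elevated prompt) or '/dev/sda' on Linux (needs root). Not used by the demo below."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def _entry(bootable: bool, ptype: int, lba: int, count: int) -> bytes:
    # CHS fields are set to the 0xFE 0xFF 0xFF "use LBA" marker
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00,
                       b"\xFE\xFF\xFF", ptype, b"\xFE\xFF\xFF", lba, count)


def sample_mbr() -> bytes:
    """Constructed MBR (not a dump of any real disk). The placeholder boot code is a
    'jmp $' followed by zeros; the partition layout reproduces the two byte offsets
    in the MBRCheck output above: FAT32 at sector 63 (0x7E00) and an active NTFS
    partition at sector 10054800 (0x1_32D92000)."""
    boot_code = b"\xEB\xFE" + b"\x00" * (BOOT_CODE_LEN - 2)
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"      # made-up signature
    table = (_entry(False, 0x0B, 63, 10054737)
             + _entry(True, 0x07, 10054800, 146246688)
             + b"\x00" * 32)                                     # two empty slots
    return boot_code + disk_sig + table + BOOT_SIGNATURE


if __name__ == "__main__":
    info = parse_mbr(sample_mbr())
    print("boot code SHA1:", info["boot_code_sha1"])
    for p in info["partitions"]:
        print(f"  #{p['index']} {p['fs']:<12} offset 0x{p['byte_offset']:x} "
              f"{p['size_gib']} GiB{' (active)' if p['bootable'] else ''}")
    print(classify_mbr(sample_mbr(), {}))    # no allowlist entry -> "Unknown MBR code"
```

Two caveats before acting on an "Unknown MBR code" line. A hash that is not in the tool's list means non-standard, not infected: OEM recovery-partition boot managers ship their own MBR code, so the comparison has to include the vendor's code and not only Microsoft's. And `read_mbr()` goes through the running kernel's disk stack, exactly like MBRCheck does; a bootkit that filters sector reads can hand back a clean sector 0 to everything above it, so a result worth trusting is one confirmed by reading the same sector from boot media.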
  2. 2010/08/07
    mailman Geek Member Thread Starter
    The sites I visited while configuring NoScript were as follows:
    • hxxp://www.youtube.com
    • hxxp://www.pandora.com <- EDIT: I added the www that I had forgotten.
    • hxxp://www.facebook.com
    • and the owner's banking site.

    I temporarily gave permission to a few of the 3rd party sites associated with those sites. I hope I didn't reinfect this computer. :eek:

    Guessing you would want the DDS logs, so here you go.

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Owner at 20:29:54.04 on Sat 08/07/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.419 [GMT -4:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Logitech\Logitech Vid\Vid.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Program Files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
    mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydial/*http://www.yahoo.com/search/ie.html
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_3_12_0.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
    TB: &Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_3_12_0.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dll
    uRun: [BackupNotify] c:\program files\hp\digital imaging\bin\backupnotify.exe
    uRun: [Logitech Vid] "c:\program files\logitech\logitech vid\Vid.exe" -bootmode
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
    mRun: [HPHUPD05] c:\program files\hp\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
    mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
    mRun: [KBD] c:\hp\kbd\KBD.EXE
    mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
    mRun: [VTTimer] VTTimer.exe
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [PS2] c:\windows\system32\ps2.exe
    mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
    mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\docume~1\owner\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\documents and settings\owner\start menu\programs\startup\PowerReg SchedulerV2.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - c:\program files\panasonic\photofunstudio -viewer-\PhAutoRun.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
    IE: Yahoo! Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
    IE: Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2499216C-4BA5-11D5-BD9C-000103C116D5} - {2499216C-4BA5-11D5-BD9C-000103C116D5} - c:\program files\yahoo!\common\ylogin.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
    IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll
    DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
    DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\yinsthelper.dll
    DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - hxxp://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: igfxcui - igfxsrvc.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\1hsb50lg.default\
    FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
    FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
    FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-26 11608]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 74480]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-7-17 353672]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-26 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-26 185089]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-26 56816]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-5 304464]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-30 88176]
    R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-5 20952]
    S1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys --> c:\windows\system32\drivers\klif.sys [?]
    S2 mrtRate;mrtRate; [x]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
    S4 0213051256338582mcinstcleanup;McAfee Application Installer Cleanup (0213051256338582);c:\windows\temp\021305~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\021305~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

    =============== Created Last 30 ================

    2010-08-07 21:27:01 0 d-----w- c:\program files\SpywareBlaster
    2010-08-07 15:17:15 0 d-----w- c:\docume~1\owner\applic~1\Foxit Software
    2010-08-07 15:16:59 0 d-----w- c:\program files\Foxit Software
    2010-08-06 23:56:00 56 ---ha-w- c:\windows\system32\ezsidmv.dat
    2010-08-06 22:27:16 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-08-06 22:27:16 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-08-05 19:42:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-05 19:42:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-05 19:42:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-20 01:52:44 0 d-----w- c:\program files\iPod
    2010-07-20 01:52:05 0 d-----w- c:\program files\iTunes
    2010-07-15 07:07:51 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
    2010-07-14 20:49:14 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-12 21:54:30 0 d-----r- c:\program files\Skype
    2010-07-12 21:12:27 539160 ----a-r- c:\windows\system32\LVUI2RC.dll
    2010-07-12 21:12:27 539160 ----a-r- c:\windows\system32\LVUI2.dll
    2010-07-12 21:12:27 416280 ----a-r- c:\windows\system32\lvcodec2.dll
    2010-07-12 21:12:25 266828 ----a-r- c:\windows\system32\drivers\LVAFT.cfg
    2010-07-12 21:12:22 6756632 ----a-r- c:\windows\system32\drivers\lvuvc.sys
    2010-07-12 21:12:16 34068 ----a-r- c:\windows\system32\Repository.reg
    2010-07-12 21:12:15 82289 ----a-r- c:\windows\system32\lvcoinst.ini
    2010-07-12 21:12:15 199192 ----a-w- c:\windows\system32\lvci12101110.dll
    2010-07-12 21:12:14 266008 ----a-r- c:\windows\system32\drivers\lvrs.sys
    2010-07-12 21:12:14 114712 ----a-r- c:\windows\system32\drivers\lvpopflt.sys
    2010-07-12 21:09:15 23832 ----a-r- c:\windows\system32\drivers\lvuvcflt.sys
    2010-07-12 20:59:47 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
    2010-07-12 20:59:47 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
    2010-07-12 20:59:31 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
    2010-07-12 20:59:31 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
    2010-07-12 20:59:31 20992 -c--a-w- c:\windows\system32\dllcache\dshowext.ax
    2010-07-12 20:59:31 20992 ----a-w- c:\windows\system32\dshowext.ax
    2010-07-12 20:59:24 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2010-07-12 20:59:24 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

    ==================== Find3M ====================

    2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2004-07-26 22:23:27 0 --sha-w- c:\windows\sminst\HPCD.sys

    ============= FINISH: 20:31:04.26 ===============
     
    Last edited: 2010/08/07

  4. 2010/08/07
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 7/26/2004 3:27:51 PM
    System Uptime: 8/7/2010 6:50:20 PM (2 hours ago)

    Motherboard: ASUSTek Computer INC. | | Kelut
    Processor: AMD Athlon(tm) XP 2800+ | Socket A | 2083/167mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 70 GiB total, 43.062 GiB free.
    D: is FIXED (FAT32) - 5 GiB total, 0.722 GiB free.
    E: is CDROM (CDFS)
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 8/7/2010 1:06:11 PM - System Checkpoint

    ==== Installed Programs ======================


    Adobe Download Manager
    Adobe Flash Player 10 Plugin
    Agere Systems PCI Soft Modem
    AiO_Scan
    AIOMinimal
    AiOSoftware
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft Panorama Maker 3
    ArcSoft PhotoImpression
    Avira AntiVir Personal - Free Antivirus
    Belarc Advisor 7.2
    Bonjour
    BroadJump Client Foundation
    CameraDrivers
    CodeStuff Starter
    Copy
    CreativeProjects
    Director
    DocProc
    Easy Internet Sign-up
    EPSON Online Reference Guide
    EPSON Printer Software
    Fax
    Film Factory
    Foxit Reader
    HijackThis 2.0.2
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Image Zone 3.5
    HP Image Zone Plus 3.5
    HP Instant Support
    HP Organize
    HP Photo & Imaging 3.5 - HP Devices
    HP PSC & OfficeJet 3.5
    HP Software Update
    HP Unload DLL Patch
    hpg2436
    hpg3970
    hpg4600
    hpg5530
    hpg8200
    HPIZ350
    hpmdtab
    HpSdpAppCoreApp
    HPSystemDiagnostics
    InstantShare
    IntelliMover Data Transfer Demo
    InterVideo WinDVD Creator 2
    InterVideo WinDVD Player
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 21
    Karen's Hasher
    KBD
    Logitech Vid
    Logitech Webcam Software
    Logitech Webcam Software Driver Package
    Malwarebytes' Anti-Malware
    McAfee Security Scan Plus
    McAfee SiteAdvisor
    Memories Disc Creator 2.0
    MetaFrame Presentation Server Web Client for Win32
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft Data Access Components KB870669
    Microsoft Money 2004
    Microsoft Money 2004 System Pack
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Standard Edition 2003
    Microsoft Office Word MUI (English) 2007
    Microsoft Office Word Viewer 2003
    Microsoft Plus! Digital Media Edition
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Works 7.0
    MobileMe Control Panel
    Mozilla Firefox (3.6.8)
    MSN
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Overland
    PC-Doctor for Windows
    PHOTOfunSTUDIO -viewer-
    PhotoGallery
    Photosmart 140,240,7200,7600,7700,7900 Series
    PrintScreen
    PS2
    PSShortcutsP
    Python 2.2 combined Win32 extensions
    Python 2.2.1
    QFolder
    Quicken 2004
    QuickProjects
    QuickTime
    Readme
    RealOne Player
    S3 S3Display
    S3 S3Gamma2
    S3 S3Info2
    S3 S3Overlay
    Safari
    SBC Self Support Tool
    SBC Yahoo! Applications
    SBC Yahoo! Dial Setup and Installs
    Scan
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for 2007 Microsoft Office System (KB982331)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft Office Excel 2007 (KB982308)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB982135)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    SkinsHP1
    SkinsHP2
    Skype Toolbars
    Skype™ 4.2
    Spybot - Search & Destroy
    SpywareBlaster 4.3
    SUPERAntiSpyware Free Edition
    Toolkit View(HP)
    TrayApp
    Unload
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB953356)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Updates from HP
    VC 9.0 Runtime
    VIA Rhine-Family Fast Ethernet Adapter
    VIA/S3G Display Driver
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Media Player 9 Hotfix [See KB885492 for more information]
    Windows XP Service Pack 3
    WinPatrol
    Word XML Toolbox for Microsoft Office Word 2003
    Yahoo! Install Manager
    ZoneAlarm

    ==== Event Viewer Messages From Past Week ========

    8/7/2010 10:42:16 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    8/7/2010 10:33:31 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: KLIF
    8/7/2010 10:33:28 AM, error: Service Control Manager [7000] - The mrtRate service failed to start due to the following error: The system cannot find the file specified.
    8/7/2010 1:39:45 AM, error: Service Control Manager [7000] - The KLIF service failed to start due to the following error: The system cannot find the file specified.
    8/7/2010 1:39:41 AM, error: Service Control Manager [7000] - The TSP service failed to start due to the following error: The system cannot find the file specified.
    8/6/2010 8:31:06 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    8/6/2010 8:31:05 PM, error: Service Control Manager [7034] - The Process Monitor service terminated unexpectedly. It has done this 1 time(s).
    8/6/2010 8:31:05 PM, error: Service Control Manager [7034] - The McAfee SiteAdvisor Service service terminated unexpectedly. It has done this 1 time(s).
    8/6/2010 8:31:05 PM, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
    8/6/2010 8:31:05 PM, error: Service Control Manager [7034] - The EPSON Printer Status Agent2 service terminated unexpectedly. It has done this 1 time(s).
    8/6/2010 8:31:04 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    8/6/2010 8:31:04 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    8/6/2010 7:44:24 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
    8/6/2010 7:43:43 PM, error: SRService [104] - The System Restore initialization process failed.
    8/6/2010 7:09:11 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
    8/6/2010 7:09:11 PM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    8/6/2010 7:08:42 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments " " in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
    8/6/2010 1:38:48 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    8/6/2010 1:38:48 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    8/3/2010 4:09:36 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
    8/3/2010 3:33:56 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    8/3/2010 3:33:55 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.

    ==== End Of File ===========================
     
  5. 2010/08/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Rerun MBRCheck.
    Enter Y, hit ENTER for more options and select option 2.
    When asked for physical disk number, enter 0 (zero).
    Next, enter 1 (Windows XP) for MBR code.
    Post resulting log.
     
  6. 2010/08/08
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    When I returned to the computer today, there was a WinPatrol alert that "McAfee Application Installer Cleanup" wanted to run as a service.
    C:\WINDOWS\temp\0175601281232684mcinst.exe

    I allowed it because, yesterday (after we thought the computer was clean), I had run the "McAfee Security Scan" that has a shortcut on the desktop and I had to walk it through update procedures.

    Avira's "Luke Filewalker" alerted on three files in the "RP1" restore point data
    • Location: C:\System Volume Information\_restore{bunch of hexadecimal numbers}\RP1\
    • Files: A0000004.exe, A0000005.exe, A0000005.exe

    When I ran MBRCheck, there was a flurry of hard drive activity immediately before and during the time I typed YES and pressed Enter to fix the MBR. I also saw a window flash on the screen and quickly disappear afterwards.

    ===========

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x000001fc

    Kernel Drivers (total 127):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EE000 \WINDOWS\system32\hal.dll
    0xF7B6F000 \WINDOWS\system32\KDCOM.DLL
    0xF7A7F000 \WINDOWS\system32\BOOTVID.dll
    0xF7620000 ACPI.sys
    0xF7B71000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
    0xF760F000 pci.sys
    0xF766F000 isapnp.sys
    0xF7C37000 pciide.sys
    0xF78EF000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xF7B73000 viaide.sys
    0xF7B75000 intelide.sys
    0xF767F000 MountMgr.sys
    0xF75F0000 ftdisk.sys
    0xF78F7000 PartMgr.sys
    0xF768F000 VolSnap.sys
    0xF75D8000 atapi.sys
    0xF75B5000 fasttx2k.sys
    0xF759D000 \WINDOWS\System32\DRIVERS\SCSIPORT.SYS
    0xF769F000 disk.sys
    0xF76AF000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xF757D000 fltmgr.sys
    0xF756B000 sr.sys
    0xF76BF000 PxHelp20.sys
    0xF7554000 KSecDD.sys
    0xF74C7000 Ntfs.sys
    0xF749A000 NDIS.sys
    0xF78FF000 viaagp1.sys
    0xF7486000 srescan.sys
    0xF76CF000 SISAGPX.sys
    0xF76DF000 ohci1394.sys
    0xF76EF000 \WINDOWS\System32\DRIVERS\1394BUS.SYS
    0xF746C000 Mup.sys
    0xF77BF000 \SystemRoot\System32\DRIVERS\nic1394.sys
    0xF6B7C000 \SystemRoot\System32\DRIVERS\amdk7.sys
    0xF6B41000 \SystemRoot\System32\DRIVERS\vtmini.sys
    0xF6B2D000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
    0xF69F7000 \SystemRoot\System32\DRIVERS\AGRSM.sys
    0xF7A17000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF6B6C000 \SystemRoot\System32\DRIVERS\imapi.sys
    0xF7B33000 \SystemRoot\system32\drivers\pfc.sys
    0xF772F000 \SystemRoot\System32\Drivers\AFS2K.SYS
    0xF773F000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xF774F000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xF69D4000 \SystemRoot\System32\DRIVERS\ks.sys
    0xF7A1F000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
    0xF7A27000 \SystemRoot\System32\DRIVERS\usbuhci.sys
    0xF69B0000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xF7A2F000 \SystemRoot\System32\DRIVERS\usbehci.sys
    0xF6783000 \SystemRoot\system32\drivers\ALCXWDM.SYS
    0xF675F000 \SystemRoot\system32\drivers\portcls.sys
    0xF775F000 \SystemRoot\system32\drivers\drmk.sys
    0xF776F000 \SystemRoot\System32\DRIVERS\fetnd5bv.sys
    0xF777F000 \SystemRoot\System32\DRIVERS\serial.sys
    0xF7B3B000 \SystemRoot\System32\DRIVERS\serenum.sys
    0xF674B000 \SystemRoot\System32\DRIVERS\parport.sys
    0xF778F000 \SystemRoot\System32\DRIVERS\i8042prt.sys
    0xF7A37000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xF7B3F000 \SystemRoot\System32\DRIVERS\PS2.sys
    0xF7A3F000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xF7DB8000 \SystemRoot\System32\DRIVERS\audstub.sys
    0xF779F000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xF7B43000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xF6734000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xF77AF000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xF77CF000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xF7A47000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xF6723000 \SystemRoot\System32\DRIVERS\psched.sys
    0xF77DF000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xF7A4F000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xF7A57000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xF77EF000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xF7B9F000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xF66C5000 \SystemRoot\System32\DRIVERS\update.sys
    0xF7B53000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xF77FF000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF781F000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xF7BA1000 \SystemRoot\System32\DRIVERS\USBD.SYS
    0xF7BA5000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7CB1000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7BA7000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7A67000 \SystemRoot\System32\drivers\vga.sys
    0xF7BA9000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7BAB000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF7A6F000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7A77000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF7148000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xF55BD000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xF5564000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xF553C000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xF54D1000 \SystemRoot\System32\vsdatant.sys
    0xF54AB000 \SystemRoot\System32\DRIVERS\ipnat.sys
    0xF782F000 \SystemRoot\System32\DRIVERS\wanarp.sys
    0xF783F000 \SystemRoot\System32\DRIVERS\arp1394.sys
    0xF53E9000 \SystemRoot\System32\drivers\afd.sys
    0xF784F000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xF7977000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0xF7B03000 \SystemRoot\System32\DRIVERS\srvkp.sys
    0xF53C4000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    0xF792F000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xF5399000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xF5329000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xF786F000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF7D38000 \SystemRoot\System32\Drivers\BANTExt.sys
    0xF4D1D000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0xF7937000 \SystemRoot\System32\DRIVERS\USBSTOR.SYS
    0xF7BAF000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    0xF4CF9000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xF789F000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xF4CE1000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7BC3000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF66AD000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF793F000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7D9B000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\vtdisp.dll
    0xF038D000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0xF04C9000 \??\C:\WINDOWS\system32\drivers\mbam.sys
    0xF03D1000 \SystemRoot\System32\DRIVERS\ndisuio.sys
    0xF0018000 \SystemRoot\System32\DRIVERS\mrxdav.sys
    0xEFFDB000 \SystemRoot\system32\drivers\wdmaud.sys
    0xF04A9000 \SystemRoot\system32\drivers\sysaudio.sys
    0xF7C1F000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xEF8CE000 \SystemRoot\System32\DRIVERS\srv.sys
    0xF7957000 \SystemRoot\system32\Drivers\LVPr2Mon.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 52):
    0 System Idle Process
    4 System
    608 C:\WINDOWS\system32\smss.exe
    676 csrss.exe
    700 C:\WINDOWS\system32\winlogon.exe
    744 C:\WINDOWS\system32\services.exe
    756 C:\WINDOWS\system32\lsass.exe
    928 C:\WINDOWS\system32\svchost.exe
    1008 svchost.exe
    1096 C:\WINDOWS\system32\svchost.exe
    1156 svchost.exe
    1304 svchost.exe
    1364 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    1704 C:\WINDOWS\system32\spoolsv.exe
    1756 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1776 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    1936 svchost.exe
    420 C:\WINDOWS\explorer.exe
    1220 C:\WINDOWS\system\hpsysdrv.exe
    1224 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    1268 C:\WINDOWS\system32\hphmon05.exe
    1292 C:\hp\KBD\kbd.exe
    1288 C:\WINDOWS\system32\VTTimer.exe
    1336 C:\WINDOWS\AGRSMMSG.exe
    1380 C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    1396 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    1556 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    1568 C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    1576 C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
    1612 C:\Program Files\iTunes\iTunesHelper.exe
    1672 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    1812 C:\Program Files\Logitech\Logitech Vid\Vid.exe
    1856 C:\Program Files\Skype\Phone\Skype.exe
    1864 C:\WINDOWS\system32\ctfmon.exe
    1944 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    204 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    268 C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    324 C:\Program Files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe
    184 C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    456 C:\Program Files\Bonjour\mDNSResponder.exe
    468 C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
    1372 C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    1048 C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
    2148 C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    2248 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    2284 C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    2416 C:\WINDOWS\system32\svchost.exe
    3672 C:\Program Files\iPod\bin\iPodService.exe
    428 alg.exe
    2688 C:\Program Files\Mozilla Firefox\firefox.exe
    4012 C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
    1392 C:\Documents and Settings\Owner\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`32d92000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

    PhysicalDrive0 Model Number: ST380011A, Rev: 3.08

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: EC5B6F4B08268D5344F30BFF61C8B587F034795B


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): 0Available MBR codes:
    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel

    Please select the MBR code to write to this drive: 1
    Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: YES
    Successfully wrote new MBR code!
    Please reboot your computer to complete the fix.


    Done!

    ================

    Would it be OK to immediately run MBRCheck again and then also after each reboot to see if/when the MBR gets jumbled again?
     
  7. 2010/08/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You can re-run MBRCheck, but in your case, this message:
    Found non-standard or infected MBR
    would rather be "non-standard", not an infected MBR.
    Sometimes, computer makers write their own MBR.

    No worries here. Those are your restore points, which we'll reset in a moment, when you continue with the steps from my reply #37.
    Please, go ahead and do it.
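How the "Unknown MBR code" verdict above comes about, as an added example that is not MBRCheck's own code: hash the boot-code region of a 512-byte MBR image and look the hash up in a table of known codes, parsing the partition table alongside so the volume offsets from the posted log can be cross-checked. The byte ranges, the placeholder hash table and the MBR bytes themselves are this example's assumptions; only the two partition offsets are taken from the log.

```python
"""Classify a 512-byte MBR image the way an MBR checker does: hash the
boot-code region, look it up in a table of known codes, and parse the
partition table so reported volume offsets can be cross-checked.

Added example, not MBRCheck's own code. The MBR bytes are constructed: the
boot code is a placeholder, so its SHA-1 is not a real Windows or OEM hash.
Only the partition layout follows the MBRCheck log in this thread
(D: at byte offset 0x7e00, C: at byte offset 0x1`32d92000).
"""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the executable boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511
ENTRY_FMT = "<B3xB3xII"      # status, CHS start (skipped), type, CHS end (skipped), LBA, count

# Placeholder lookup table. A real checker ships the SHA-1 of each standard
# Windows boot code; the key below is deliberately not a real hash.
KNOWN_MBR_CODES = {"PLACEHOLDER_SHA1_OF_STANDARD_XP_MBR_CODE": "Windows XP"}
TYPE_NAMES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)"}


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sectors: int

    @property
    def byte_offset(self) -> int:
        return self.start_lba * SECTOR


def parse_partition_table(mbr: bytes) -> list[Partition]:
    """Return the non-empty entries of the classic four-slot partition table."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, type_id, start_lba, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if type_id != 0:  # type 0 marks an empty slot
            parts.append(Partition(i, status == 0x80, type_id, start_lba, sectors))
    return parts


def boot_code_sha1(mbr: bytes) -> str:
    """SHA-1 of the boot code only: the partition table and disk signature differ
    per machine and would make every disk look 'unknown'."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def classify_mbr(mbr: bytes) -> str:
    """Name of a recognised boot code, else 'Unknown MBR code'.

    OEM-customised boot code (common on branded desktops) is as unknown to the
    table as tampered code would be: the verdict means 'not the stock Microsoft
    code', not 'infected'."""
    return KNOWN_MBR_CODES.get(boot_code_sha1(mbr), "Unknown MBR code")


def build_sample_mbr() -> bytes:
    """Constructed MBR: placeholder boot code plus the two partitions from the log,
    D: FAT32 at LBA 63 (0x7e00 / 512) and C: NTFS, bootable, at LBA 10054800."""
    mbr = bytearray(SECTOR)
    mbr[:BOOT_CODE_LEN] = b"\xEB\xFE" + b"\x90" * (BOOT_CODE_LEN - 2)  # jmp $; nops
    d_start, c_start = 0x7E00 // SECTOR, 0x132D92000 // SECTOR
    entries = [  # (status, type, start LBA, sector count); D: ends where C: begins
        (0x00, 0x0B, d_start, c_start - d_start),
        (0x80, 0x07, c_start, 70 * 1024 ** 3 // SECTOR),  # 70 GiB, as DDS reported
    ]
    for i, entry in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i, *entry)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def report(mbr: bytes) -> str:
    """Text summary in the spirit of the MBRCheck output quoted in the thread."""
    lines = [f"SHA1: {boot_code_sha1(mbr)}", f"Verdict: {classify_mbr(mbr)}"]
    for p in parse_partition_table(mbr):
        name = TYPE_NAMES.get(p.type_id, f"type 0x{p.type_id:02X}")
        lines.append(f"  [{p.index}] {'boot' if p.bootable else '    '} {name:<11} "
                     f"offset 0x{p.byte_offset:011x}  LBA {p.start_lba:>10}  sectors {p.sectors:>10}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_sample_mbr()))
```

Because the hash covers only the boot code, the same image produces the same verdict on every run, which is the behaviour seen in this thread; a stable unknown hash is consistent with a vendor-specific MBR, and a hash table alone cannot separate that from tampering.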
     
  8. 2010/08/08
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    OK, I ran MBRCheck again (before resetting the System Restore).

    The MBR still appears as "non-standard" with the same hash. I even had MBRCheck "fix" the MBR again and re-checked. I checked the MBR again after resetting System Restore and shutting down > powering up. Each time, the same "non-standard" boot record (with the same hash) is reported by MBRCheck.

    Your words make me think this is an hp-specific boot record. (The computer is an hp Pavilion desktop.)

    Anyway, the SR now has a fresh start.

    BTW, when I ran DDS last night after discovering the persistent non-standard MBR, I noticed...
    Does the ezsidmv.dat exist (again?) in this computer? (That is one of the files we had ComboFix take care of a couple days ago.)

    =================

    I also noticed in your post #17 the last line you wanted me to paste into OTL has the "vBulletin space".
    Notice the space between the \ and Auto.

    Therefore, I do not think OTL processed that line as intended.

    Should we address that issue?

    I don't mean to be second-guessing your expertise. I tend to obsess about details and I know you have a BUNCH of other people's malware issues to address. I just think you might have overlooked that.
     
    Last edited: 2010/08/08
  9. 2010/08/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I believe we can close this subject.

    I'm starting to believe it's a harmless file related to some Logitech piece of hardware, but....
    Upload it to VirusTotal and see what we'll get.

    The line you mentioned is not crucial, even if it did not run correctly, because in the last steps you're obligated to double-check the Windows updates status anyway.
    Good eye though :)
     
  10. 2010/08/08
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    • VirusTotal: File ezsidmv.dat received on 2010.08.09 00:50:10 (UTC)
    I first thought the file was being stealthy until I remembered to make Windows allow me to see hidden files. :rolleyes:

    Thanks! :)
     
    Last edited: 2010/08/08
  11. 2010/08/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    That's good then.

    Complete other steps then...
     
  12. 2010/08/08
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Do you mean the other steps in post #37 again besides System Restore?

    In other words, do you want me to download/run OTL again with the Custom Fixes given there and then run Clean Up again?
     
  13. 2010/08/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I don't know....LOL
    You said:
    If you're done with those, then we're done :)
    Unless you have some other issues, or questions...
     
  14. 2010/08/08
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    hehehehe OK

    I already did all of those steps except step #7. (I even reported I did so, but it apparently got lost in the sea of issues you're involved with.) :)

    I couldn't uninstall the SiteAdvisor add-on in Firefox yesterday (because the Uninstall button is greyed) but I have since discovered how to do that.

    I had disabled SiteAdvisor and already installed the WOT add-on though.

    ===========

    Anyway, you stated in post #22 that MBRCheck removed a bootkit from this computer.

    One Last Question:
    Should we now reasonably assume that there was NOT a bootkit (in light of the discussion in post #46-48)?

    I have been reading about "bootkits" (such as "Bootkit-Stoned" and "Whistler") since Friday (the first I had heard of the word "bootkit"). If this computer had a bootkit, then I would suggest the owner take measures to start over with a wiped-clean HD and a fresh Windows install.

    ===========

    The computer seems to be behaving "normally" (as far as I can tell).

    Therefore, if you do not see anything further to address malware-wise, then I'll give the owner the "computer is clean" notice after you mark this thread "Resolved".

    THANKS AGAIN for all your help (and patience)! :)
     
  15. 2010/08/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'd say so.

    You're very welcome :)
    Good luck and stay safe :)
     