
Inactive Google Redirect

Discussion in 'Malware and Virus Removal Archive' started by callmecarm, 2011/05/03.

  1. 2011/05/03
    callmecarm (Inactive, Thread Starter)
    Joined: 2011/05/02 | Messages: 4 | Likes Received: 0
    [Inactive] Google Redirect

    For the last month, every time I do a Google search, all the links redirect me to some random spam websites. Since I updated to the latest version of Firefox (4.0.1) it has actually only gotten worse. Now the spam websites appear randomly in new tabs when nothing is being clicked. Worst of all, I had just realized that my only firewall, which is Windows Firewall, was off (I don't remember turning it off; not something I would do). AND I was using my ex-roommate's unsecured internet connection for the last few months as well, so I must have caught some nasty things.

    First and foremost, I have run Malwarebytes, as it has fixed some really nasty viruses for me in the past. It caught a few things on the quick scan in safe mode, but the spam continues. I have run Ad-Aware, which caught a handful of things. I ran AVG, which caught another 30 minor viruses. Yet I am still being redirected to these **** websites, and the popups in tabs continue. There was a similar situation posted on this forum where the person suggested ComboFix followed by Malwarebytes. I am considering doing this myself after backing up my hard drive, but would prefer customized expert advice. PLEASE ADVISE! Attaching logs now:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6485

    Windows 5.1.2600 Service Pack 2 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    5/1/2011 4:30:05 PM
    mbam-log-2011-05-01 (16-30-05).txt

    Scan type: Quick scan
    Objects scanned: 173553
    Time elapsed: 11 minute(s), 11 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 8
    Registry Values Infected: 4
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\wnxmal (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\aldd (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\AVSuitE (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\host (Malware.Trace) -> Value: host -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\id (Malware.Trace) -> Value: id -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Value: (default) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aeprjvdb (Rogue.AntivirusSuite.Gen) -> Value: aeprjvdb -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\carm\Desktop\help and support center.lnk (Rogue.Link) -> Quarantined and deleted successfully.

    GMER 1.0.15.15572 - http://www.gmer.net
    Rootkit scan 2011-05-03 01:07:09
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 FUJITSU_MHV2080AH rev.000000A0
    Running: x1ixd3tk.exe; Driver: C:\DOCUME~1\carm\LOCALS~1\Temp\uxtdqpog.sys


    ---- System - GMER 1.0.15 ----

    SSDT 86639348 ZwConnectPort
    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF789D87E]
    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF789DBFE]

    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\system32\drivers\o2mmb.sys entry point in "init" section [0xF69E1320]
    .rsrc C:\WINDOWS\system32\DRIVERS\cdrom.sys entry point in ".rsrc" section [0xF71AB194]
    ? System32\Drivers\avgtdix.sys The system cannot find the path specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1380] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009D000A
    .text C:\WINDOWS\System32\svchost.exe[1380] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009E000A
    .text C:\WINDOWS\System32\svchost.exe[1380] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009C000C
    .text C:\WINDOWS\System32\svchost.exe[1380] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 0088000A
    .text C:\WINDOWS\System32\svchost.exe[1380] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00AA000A
    .text C:\WINDOWS\Explorer.EXE[2040] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC000A
    .text C:\WINDOWS\Explorer.EXE[2040] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
    .text C:\WINDOWS\Explorer.EXE[2040] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
    .text C:\Program Files\Veoh Networks\Veoh\VeohClient.exe[3836] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86520AEA
    Device \Driver\atapi \Device\Ide\IdePort0 sdcplh.sys
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86520AEA
    Device \Driver\atapi \Device\Ide\IdePort1 sdcplh.sys
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 86520AEA
    Device \Driver\atapi \Device\Ide\IdePort2 sdcplh.sys
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 86520AEA
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c sdcplh.sys

    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskFUJITSU_MHV2080AH_______________________000000A0#5&124f809b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    ---- Processes - GMER 1.0.15 ----

    Library C:\WINDOWS\system32\avgrsstx.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [984] 0x6C1B0000

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\DRIVERS\cdrom.sys suspicious modification; TDL3 <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.15 ----

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 2 (build 2600)
    Logical Drives Mask: 0x0000000d

    Kernel Drivers (total 148):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EC000 \WINDOWS\system32\hal.dll
    0xF7D2D000 \WINDOWS\system32\KDCOM.DLL
    0xF7C3D000 \WINDOWS\system32\BOOTVID.dll
    0xF77DE000 ACPI.sys
    0xF7D2F000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF77CD000 pci.sys
    0xF782D000 isapnp.sys
    0xF783D000 ohci1394.sys
    0xF784D000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xF7C41000 compbatt.sys
    0xF7C45000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xF7DF5000 pciide.sys
    0xF7AAD000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7D31000 intelide.sys
    0xF77AF000 pcmcia.sys
    0xF785D000 MountMgr.sys
    0xF7790000 ftdisk.sys
    0xF7D33000 dmload.sys
    0xF776A000 dmio.sys
    0xF7C49000 ACPIEC.sys
    0xF7DF6000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    0xF7AB5000 PartMgr.sys
    0xF786D000 VolSnap.sys
    0xF7752000 atapi.sys
    0xF787D000 disk.sys
    0xF788D000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF7732000 fltMgr.sys
    0xF7720000 sr.sys
    0xF789D000 Lbd.sys
    0xF78AD000 PxHelp20.sys
    0xF7709000 KSecDD.sys
    0xF76F6000 WudfPf.sys
    0xF7669000 Ntfs.sys
    0xF763C000 NDIS.sys
    0xF7621000 Mup.sys
    0xF78BD000 agp440.sys
    0xF7A6D000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF6D47000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xF6D33000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF7B6D000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF6D10000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7B75000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF6A0E000 \SystemRoot\system32\DRIVERS\w22n51.sys
    0xF7D57000 \SystemRoot\system32\drivers\MbxStby.sys
    0xF69E1000 \SystemRoot\system32\drivers\o2mmb.sys
    0xF7A7D000 \SystemRoot\system32\DRIVERS\serial.sys
    0xF7D15000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xF7B7D000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xF7A8D000 \SystemRoot\system32\DRIVERS\smcirda.sys
    0xF7D19000 \SystemRoot\system32\DRIVERS\irenum.sys
    0xF69CD000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF7A9D000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF7B85000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF699F000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0xF7D5B000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF7B8D000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF71B0000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF7B95000 \SystemRoot\system32\drivers\Afc.sys
    0xF71A0000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF7150000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF697C000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF7B9D000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0xF68EB000 \SystemRoot\system32\drivers\smwdm.sys
    0xF68C7000 \SystemRoot\system32\drivers\portcls.sys
    0xF7140000 \SystemRoot\system32\drivers\drmk.sys
    0xF68AF000 \SystemRoot\system32\drivers\aeaudio.sys
    0xF6779000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0xF7BAD000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF75D9000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xF7CC9000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0xF7EA5000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF7BB5000 \SystemRoot\system32\DRIVERS\rasirda.sys
    0xF7BBD000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF7130000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7CD1000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF6762000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF7120000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF78ED000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF6751000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF78FD000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF7BC5000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7BCD000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF66F8000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF790D000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7BD5000 \SystemRoot\system32\DRIVERS\SymIM.sys
    0xF7D77000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF669F000 \SystemRoot\system32\DRIVERS\update.sys
    0xF6E03000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF794D000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF797D000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7BED000 \SystemRoot\system32\DRIVERS\flpydisk.sys
    0xAA717000 \SystemRoot\System32\Drivers\SRTSP.SYS
    0xAA63E000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080316.017\NAVEX15.SYS
    0xAA62B000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080316.017\NAVENG.SYS
    0xF79AD000 \SystemRoot\System32\Drivers\SRTSPX.SYS
    0xF7D8B000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7EB2000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7D8D000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7BFD000 \SystemRoot\System32\drivers\vga.sys
    0xF7D8F000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7D91000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF7C05000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7C0D000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF7D21000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xAA5F8000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xAA5A0000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xAA566000 \SystemRoot\System32\Drivers\avgtdix.sys
    0xAA545000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF79BD000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xAA4F5000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xAA4C8000 \SystemRoot\System32\Drivers\SYMTDI.SYS
    0xAA4A3000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    0xF75ED000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
    0xF7D99000 \SystemRoot\System32\Drivers\SYMDNS.SYS
    0xF7AE5000 \SystemRoot\System32\Drivers\SYMNDIS.SYS
    0xAA48D000 \SystemRoot\System32\Drivers\SYMFW.SYS
    0xF7AED000 \SystemRoot\System32\Drivers\SYMIDS.SYS
    0xAA44F000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\ipsdefs\20080314.001\SymIDSCo.sys
    0xAA42D000 \SystemRoot\System32\drivers\afd.sys
    0xF79CD000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF79DD000 \SystemRoot\System32\drivers\sdcplh.sys
    0xAA402000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xAA393000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF79ED000 \SystemRoot\System32\Drivers\Fips.SYS
    0xAA333000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    0xF7D9B000 \??\C:\WINDOWS\system32\drivers\EABFiltr.sys
    0xAA7A0000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xAA2F7000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF7B45000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7EB7000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF060000 \SystemRoot\System32\ati3duag.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xA9559000 \SystemRoot\system32\DRIVERS\irda.sys
    0xA968B000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA911D000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xF7DE9000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xA8FF0000 \SystemRoot\system32\drivers\wdmaud.sys
    0xA9429000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA8C73000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA8C50000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xA8287000 \SystemRoot\System32\Drivers\HTTP.sys
    0xA7A83000 \??\C:\DOCUME~1\carm\LOCALS~1\Temp\uxtdqpog.sys
    0xA7A58000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 42):
    0 System Idle Process
    4 System
    856 C:\WINDOWS\system32\smss.exe
    960 csrss.exe
    984 C:\WINDOWS\system32\winlogon.exe
    1032 C:\WINDOWS\system32\services.exe
    1044 C:\WINDOWS\system32\lsass.exe
    1216 C:\WINDOWS\system32\ati2evxx.exe
    1244 C:\WINDOWS\system32\svchost.exe
    1336 svchost.exe
    1380 C:\WINDOWS\system32\svchost.exe
    1436 C:\WINDOWS\system32\svchost.exe
    1616 svchost.exe
    1696 svchost.exe
    300 C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    1272 C:\WINDOWS\system32\spoolsv.exe
    264 svchost.exe
    308 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    488 C:\Program Files\Bonjour\mDNSResponder.exe
    2040 C:\WINDOWS\explorer.exe
    2240 C:\Program Files\Java\jre6\bin\jqs.exe
    2564 C:\WINDOWS\system32\HPZipm12.exe
    2892 C:\WINDOWS\system32\svchost.exe
    3072 C:\Program Files\Viewpoint\Common\ViewpointService.exe
    3436 C:\WINDOWS\AGRSMMSG.exe
    3492 C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    3700 C:\Program Files\iTunes\iTunesHelper.exe
    3720 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    3744 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    3828 C:\Program Files\Intel\IntelAppStore\bin\serviceManager.exe
    3836 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
    3880 C:\Program Files\Messenger\msmsgs.exe
    4076 C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
    252 C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
    2628 C:\Program Files\iPod\bin\iPodService.exe
    2332 alg.exe
    2364 C:\WINDOWS\system32\svchost.exe
    4212 C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    3104 C:\Documents and Settings\carm\My Documents\Downloads\x1ixd3tk.exe
    260 C:\Program Files\Mozilla Firefox\firefox.exe
    2544 C:\Program Files\Mozilla Firefox\plugin-container.exe
    1316 C:\Documents and Settings\carm\My Documents\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: FUJITSUMHV2080AH, Rev: 000000A0

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by carm at 1:10:59.68 on Tue 05/03/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.312 [GMT -4:00]
    .
    AV: Doctor Web Anti-Virus *Enabled/Outdated* {3454C8F1-ECBC-4180-A6F4-04632FBA762B}
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    AV: Norton AntiVirus *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton AntiVirus *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Intel\IntelAppStore\bin\serviceManager.exe
    C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    C:\Documents and Settings\carm\My Documents\Downloads\x1ixd3tk.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\carm\My Documents\Downloads\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local
    mURLSearchHooks: H - No File
    mWinlogon: SFCDisable=4 (0x4)
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: {ee77e1f9-b23c-4c5f-a971-221869cfe51e} - c:\windows\system32\nnnml.dll
    TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
    TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
    TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
    uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide
    uRun: [<NO NAME>]
    uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [Owaba] rundll32.exe "c:\windows\dr4kbd32.dll ",Startup
    uRun: [Google Update] "c:\documents and settings\carm\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
    mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [LidPolicy] c:\program files\hewlett-packard\lidswitch policy\pwrschem.exe
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe "
    mRun: [osCheck] "c:\program files\norton antivirus\osCheck.exe "
    mRun: [ATIModeChange] Ati2mdxx.exe
    mRun: [Turbine Download Manager Tray Icon] "c:\program files\turbine\turbine download manager\TurbineDownloadManagerIcon.exe "
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
    mRun: [Intel AppUp(SM) center] "c:\program files\intel\intelappstore\bin\serviceManager.lnk "
    mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYASwBQAEMAQgAtADYAQgBXAEYATQAtAFQAUgBMAFEAUgAtAEIAUgBVAEgAUAAtAEMAUAA4ADYARwA "& "inst=NwA3AC0ANAAwADIANAAxADQANAAzADQALQBVADgANQArADEALQBCAEEAKwAxAC0ASwBWADMAKwA3AC0AWABMACsAMQAtAFQANAAtAEYAUAA5ACsANgAtAEIAQQBSADkARwArADEALQBUAEIAOQArADIALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AC0ARgA5AE0AMQAwAEIAKwAyAC0AWABPADkAKwAxAC0ARgA5AE0AMgArADEA "& "prod=90 "& "ver=9.0.894
    dRun: [rhfilpgq] c:\documents and settings\networkservice\local settings\application data\cnkbkkasa\haadwbqtssd.exe
    StartupFolder: c:\docume~1\carm\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
    IE: &Search
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
    DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
    DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v5.cab
    DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: {3AEC3373-C823-4853-97D4-5B5549833BC3} - No File
    LSA: Authentication Packages = msv1_0 c:\windows\system32\nnnml
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\carm\applic~1\mozilla\firefox\profiles\ulcgtnu2.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b7ef9b7&v=6.103.018.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
    FF - plugin: c:\documents and settings\carm\application data\facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\documents and settings\carm\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\carm\application data\kalydo\kalydoplayer\npkalydo.dll
    FF - plugin: c:\documents and settings\carm\application data\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\carm\application data\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\documents and settings\carm\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\ksolo\npAVX.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.50524.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    ============= SERVICES / DRIVERS ===============
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-5-2 64512]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-1-25 149864]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-1-25 149864]
    R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-1-25 149864]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-18 24652]
    R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [2007-12-28 182101]
    R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [2007-12-28 5689]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080316.017\NAVENG.SYS [2008-3-16 82256]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080316.017\NAVEX15.SYS [2008-3-16 895408]
    R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-3-3 1245064]
    R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
    S0 rfyioy;rfyioy;c:\windows\system32\drivers\avqbjei.sys --> c:\windows\system32\drivers\avqbjei.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-2 136176]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-4-29 2146496]
    S2 SPIDER;SpIDer Guard File System Monitor;c:\progra~1\drweb\spider.sys [2008-1-4 308600]
    S2 SPIDERNT;SpIDer Guard for Windows;c:\progra~1\drweb\spidernt.exe [2008-1-4 218648]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23904]
    S3 DUBE100;D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter;c:\windows\system32\drivers\DUBE100.sys [2007-12-26 13626]
    S3 e75db204-f951-48af-a89e-6da3b954fa0c;e75db204-f951-48af-a89e-6da3b954fa0c;\??\d:\cds300\cds300.dll --> d:\cds300\cds300.dll [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-2 136176]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-4-29 15232]
    S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-1-18 44928]
    S3 udfpt;udfpt;c:\windows\system32\drivers\udfpt.sys --> c:\windows\system32\drivers\udfpt.sys [?]
    .
    =============== Created Last 30 ================
    .
    2011-05-03 03:55:07 388096 ----a-r- c:\docume~1\carm\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-05-03 03:55:05 -------- d-----w- c:\program files\Trend Micro
    2011-05-02 19:31:13 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-05-02 04:29:05 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-04-22 15:05:33 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-04-22 15:05:31 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
    2011-04-22 15:05:31 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
    2011-04-22 15:05:31 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
    2011-04-22 15:05:31 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
    2011-04-22 15:05:31 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
    2011-04-22 15:05:31 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
    2011-04-22 15:05:31 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
    2011-04-22 15:05:31 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
    2011-04-22 15:05:31 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
    2011-04-19 03:57:14 -------- d-----w- c:\docume~1\carm\applic~1\DDMSettings
    2011-04-05 21:10:15 -------- d-----w- c:\docume~1\carm\applic~1\Rovio
    2011-04-05 21:03:44 -------- d-----w- c:\docume~1\carm\locals~1\applic~1\Intel
    .
    ==================== Find3M ====================
    .
    2011-02-18 20:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
    2011-02-03 17:09:02 37376 ----a-w- c:\windows\system32\libusb0.dll
    2011-02-02 23:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: FUJITSU_MHV2080AH rev.000000A0 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86520EC5]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x8498c872; SUB DWORD [EBP-0x4], 0x8498c12e; PUSH EDI; CALL 0xffffffffffffdf33; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86756AB8]
    3 CLASSPNP[0xF788E05B] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000098[0x867AF128]
    5 ACPI[0xF77E4620] -> nt!IofCallDriver[0x804E37D5] -> [0x867664E8]
    [0x86321240] -> IRP_MJ_CREATE -> 0x86520EC5
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskFUJITSU_MHV2080AH_______________________000000A0#5&124f809b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x86520AEA
    user & kernel MBR OK
    sectors 156301486 (+255): user != kernel
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 1:12:46.41 ===============
     
  2. 2011/05/03
    callmecarm

    callmecarm Inactive Thread Starter

    Joined:
    2011/05/02
    Messages:
    4
    Likes Received:
    0
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 5/7/2005 11:24:05 AM
    System Uptime: 5/3/2011 12:28:58 AM (1 hours ago)
    .
    Motherboard: Hewlett-Packard | | 088C
    Processor: Intel(R) Pentium(R) M processor 1600MHz | U10 | 1195/100mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 75 GiB total, 9.578 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\00A2718B5000
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\00A2718B5000
    Service: NIC1394
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Broadcom NetXtreme Gigabit Ethernet
    Device ID: PCI\VEN_14E4&DEV_165E&SUBSYS_088C103C&REV_03\4&16793A72&0&70F0
    Manufacturer: Broadcom
    Name: Broadcom NetXtreme Gigabit Ethernet
    PNP Device ID: PCI\VEN_14E4&DEV_165E&SUBSYS_088C103C&REV_03\4&16793A72&0&70F0
    Service: b57w2k
    .
    ==== System Restore Points ===================
    .
    RP481: 2/4/2011 12:18:37 AM - System Checkpoint
    RP482: 2/4/2011 1:54:41 AM - Software Distribution Service 3.0
    RP483: 2/4/2011 2:02:46 AM - Removed MediaImpression
    RP484: 2/4/2011 2:08:49 AM - Removed BN eReader
    RP485: 2/5/2011 2:23:25 AM - System Checkpoint
    RP486: 2/15/2011 12:03:30 AM - System Checkpoint
    RP487: 2/18/2011 2:58:28 AM - System Checkpoint
    RP488: 2/20/2011 3:21:55 PM - System Checkpoint
    RP489: 2/22/2011 7:30:18 PM - System Checkpoint
    RP490: 2/24/2011 12:27:20 AM - System Checkpoint
    RP491: 2/25/2011 3:29:32 PM - System Checkpoint
    RP492: 3/1/2011 1:39:08 PM - System Checkpoint
    RP493: 3/4/2011 11:33:17 AM - System Checkpoint
    RP494: 3/5/2011 12:11:24 PM - System Checkpoint
    RP495: 3/6/2011 12:25:06 PM - System Checkpoint
    RP496: 3/8/2011 12:46:26 PM - System Checkpoint
    RP497: 3/9/2011 1:30:35 PM - System Checkpoint
    RP498: 3/13/2011 1:14:25 PM - System Checkpoint
    RP499: 3/14/2011 8:41:17 PM - Avg Update
    RP500: 3/14/2011 8:43:04 PM - Avg Update
    RP501: 3/15/2011 7:07:39 PM - Installed Windows Internet Explorer 8.
    RP502: 3/15/2011 8:04:07 PM - Installed iTunes
    RP503: 3/15/2011 11:02:55 PM - Installed Java(TM) 6 Update 24
    RP504: 3/20/2011 3:17:51 PM - System Checkpoint
    RP505: 4/2/2011 12:54:38 PM - System Checkpoint
    RP506: 4/3/2011 1:25:41 PM - System Checkpoint
    RP507: 4/12/2011 6:58:58 PM - System Checkpoint
    RP508: 4/17/2011 12:29:03 PM - System Checkpoint
    RP509: 4/25/2011 11:48:56 AM - System Checkpoint
    RP510: 4/28/2011 9:33:08 PM - System Checkpoint
    RP511: 4/29/2011 9:45:40 PM - System Checkpoint
    RP512: 5/1/2011 11:50:41 AM - System Checkpoint
    RP513: 5/2/2011 12:25:38 AM - Installed Ad-Aware
    RP514: 5/2/2011 12:28:23 AM - Installed Ad-Aware
    RP515: 5/2/2011 11:55:03 PM - Installed HiJackThis
    RP516: 5/3/2011 12:42:44 AM - Removed AVG Free 9.0
    RP517: 5/3/2011 12:45:39 AM - Installed AVG Free 9.0
    .
    ==== Installed Programs ======================
    .
    .
    µTorrent
    Ad-Aware
    Ad-Aware Email Scanner for Outlook
    Adobe AIR
    Adobe Digital Editions
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.2.6
    Adobe Shockwave Player
    Agere Systems AC'97 Modem
    AIM 7
    AiO_Scan_CDA
    Amazon Kindle For PC
    Amazon MP3 Downloader 1.0.9
    AnalogX AutoTune
    AppCore
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    Audacity 1.2.6
    Audiosurf
    AviSynth 2.5
    Bonjour
    Broadcom NetXtreme Ethernet Controller
    Canon MP150
    Canon MP170
    ccCommon
    Component Framework
    Critical Update for Windows Media Player 11 (KB959772)
    DeepBurner v1.8.0.224
    DivX Converter
    DivX Plus DirectShow Filters
    DivX Setup
    DivX Version Checker
    Download Updater (AOL LLC)
    Dr.Web
    EA Download Manager
    EA Download Manager UI
    Facebook Plug-In
    Finale NotePad 2008
    Google Earth Plug-in
    Google Talk Plugin
    Google Update Helper
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Notebook LidSwitch Policy
    HP Product Detection
    HP PSC & OfficeJet 6.1.A
    inSSIDer
    Intel AppUp(SM) center
    InterActual Player
    InterVideo WinDVD
    IrfanView (remove only)
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 24
    Java(TM) 6 Update 3
    Java(TM) 6 Update 4
    Java(TM) 6 Update 7
    Kalydo Player 3.09.00
    Kobo
    kSolo Recorder
    LAME v3.98.2 for Audacity
    Last.fm 1.5.4.27091
    LucasArts' Monkey 4
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Mobipocket Reader 6.1
    Monopoly
    Mozilla Firefox 4.0.1 (x86 en-US)
    MSXML 6 Service Pack 2 (KB973686)
    Norton AntiVirus
    Norton AntiVirus Help
    Norton Protection Center
    O2Micro MemoryCardBus Windows Driver
    O2Micro SmartCardBus Reader Windows Driver Installer
    OpenOffice.org 2.4
    OverDrive Media Console
    Pando Media Booster
    PCFriendly
    QFolder
    Quick Launch Buttons 5.00 B3
    QuickTime
    RealPlayer
    Realtek USB 2.0 Card Reader
    Scan
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB942615)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981349)
    SPBBC 32bit
    Symantec Real Time Storage Protection Component
    SymNet
    Synaptics Pointing Device Driver
    Texas Instruments PCIxx20 drivers.
    The Sims™ 2 Double Deluxe
    The Sims™ 2 Store Edition
    TIPCIxx20
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB942840)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC80CRTRedist - 8.0.50727.4053
    VeohTV BETA
    VideoLAN VLC media player 0.8.6d
    Viewpoint Media Player
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs XP
    Winamp
    Windows Genuine Advantage Notifications (KB905474)
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    WinRAR archiver
    .
    ==== Event Viewer Messages From Past Week ========
    .
    5/3/2011 12:20:24 AM, error: Service Control Manager [7034] - The Viewpoint Manager Service service terminated unexpectedly. It has done this 1 time(s).
    5/3/2011 12:20:24 AM, error: Service Control Manager [7034] - The Symantec Core LC service terminated unexpectedly. It has done this 1 time(s).
    5/3/2011 12:20:24 AM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
    5/3/2011 12:20:24 AM, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s).
    5/3/2011 12:20:24 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    5/3/2011 12:20:24 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    5/3/2011 12:20:24 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    5/3/2011 12:20:24 AM, error: Service Control Manager [7034] - The AVG Free E-mail Scanner service terminated unexpectedly. It has done this 1 time(s).
    5/3/2011 12:20:24 AM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    5/3/2011 12:20:23 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    5/3/2011 12:20:07 AM, error: Service Control Manager [7034] - The Symantec Lic NetConnect service service terminated unexpectedly. It has done this 1 time(s).
    5/3/2011 12:20:07 AM, error: Service Control Manager [7034] - The LiveUpdate Notice service terminated unexpectedly. It has done this 1 time(s).
    5/3/2011 12:20:07 AM, error: Service Control Manager [7031] - The Symantec Settings Manager service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
    5/3/2011 12:20:07 AM, error: Service Control Manager [7031] - The Symantec Event Manager service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 200 milliseconds: Restart the service.
    5/3/2011 12:20:05 AM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
    5/2/2011 9:22:38 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    5/2/2011 8:52:37 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    5/2/2011 8:29:22 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    5/2/2011 8:17:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    5/2/2011 4:22:38 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 480 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    5/2/2011 12:22:42 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 240 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    5/2/2011 10:22:40 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    5/1/2011 4:34:20 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
    5/1/2011 4:15:28 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    5/1/2011 4:10:47 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 eabfiltr eeCtrl Fips intelppm SRTSP SRTSPX SYMTDI
    5/1/2011 4:10:47 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service upnphost with arguments " " in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
    5/1/2011 10:03:20 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
    4/30/2011 12:32:41 AM, error: Service Control Manager [7001] - The SpIDer Guard for Windows service depends on the SpIDer Guard File System Monitor service which failed to start because of the following error: The system has reached its licensed logon limit. Please try again later.
    4/30/2011 12:32:41 AM, error: Service Control Manager [7000] - The SpIDer Guard File System Monitor service failed to start due to the following error: The system has reached its licensed logon limit. Please try again later.
    4/30/2011 12:32:27 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    4/30/2011 12:32:27 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    4/28/2011 9:40:06 PM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 000E35E43778 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    4/28/2011 9:39:42 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 000E35E43778. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    4/28/2011 9:39:37 PM, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
    .
    ==== End Of File ===========================
     
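The two logs above carry the indicators a malware analyst reads first: a boot-start driver (`S0 rfyioy`) whose image file DDS reports as missing on disk, an `UNKNOWN` module in GMER's disk I/O trace, a hook on `\Driver\atapi DriverStartIo`, and the `user != kernel` sector mismatch that GMER turns into its TDL3 warning. As an added example, not code from the poster or from DDS, GMER or any other tool named in this thread, the script below parses lines in those two formats and ranks the findings; the line formats are assumed from the log as pasted, and the sample lines are constructed from it.

```python
"""Triage helper for DDS-style service lines and GMER MBR-check output.

Added example (not from the thread).  It assumes the line formats seen in
the log above:
  DDS service line:  "<start> <name>;<display>;<path> [<date> <size>]"
  missing image:     "<path> --> <path> [?]"
  GMER trace/hook:   "called modules: ... >>UNKNOWN [0x...]<<",
                     "\\Driver\\<drv> <routine> -> 0x...",
                     "sectors N (+M): user != kernel", "Warning: ..."
"""
import re
from dataclasses import dataclass

_SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
_MISSING_RE = re.compile(r"-->\s+(?P<path>.+?)\s+\[\?\]\s*$")
_PATH_RE = re.compile(r"^(?P<path>.+?)\s+\[[^\]]+\]\s*$")
_HOOK_RE = re.compile(r"^\\Driver\\\S+\s+\S+\s+->\s+0x[0-9A-Fa-f]+$")


@dataclass
class Finding:
    severity: str   # "high" or "low"
    indicator: str  # what kind of evidence this is
    detail: str     # the offending name/path or the raw line


def parse_service(line):
    """Return (start, name, display, path, missing) or None for a non-service line."""
    m = _SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    mm = _MISSING_RE.search(rest)
    if mm:  # DDS could not find the image on disk: "path --> path [?]"
        return (m.group("start"), m.group("name"), m.group("display"), mm.group("path"), True)
    pm = _PATH_RE.match(rest)
    path = pm.group("path") if pm else rest
    return (m.group("start"), m.group("name"), m.group("display"), path, False)


def triage(lines):
    """Walk log lines and collect rootkit-style indicators, strongest first in severity."""
    findings = []
    for line in lines:
        svc = parse_service(line)
        if svc:
            start, name, _display, path, missing = svc
            if missing and start in ("S0", "R0"):
                # A boot-start driver with no file on disk is hidden or was never
                # legitimately installed; this is the classic TDL3/TDL4 loader shape.
                findings.append(Finding("high", "boot-start driver, image not on disk", f"{name} -> {path}"))
            elif missing:
                # Leftovers from uninstalled AV etc. also look like this; worth a look, not an alarm.
                findings.append(Finding("low", "service image not on disk", f"{name} -> {path}"))
            continue
        s = line.strip()
        if s.startswith("called modules") and "UNKNOWN" in s:
            findings.append(Finding("high", "GMER: unknown code module in disk I/O path", s))
        elif _HOOK_RE.match(s):
            findings.append(Finding("high", "GMER: driver dispatch routine hooked", s))
        elif re.search(r"user\s*!=\s*kernel", s):
            findings.append(Finding("high", "GMER: user-mode and kernel-mode disk reads differ", s))
        elif s.startswith("Warning:"):
            findings.append(Finding("high", "GMER warning", s))
    return findings


# Constructed sample, copied in shape from the DDS and GMER sections above.
SAMPLE = r"""
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [2007-12-28 5689]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
S0 rfyioy;rfyioy;c:\windows\system32\drivers\avqbjei.sys --> c:\windows\system32\drivers\avqbjei.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-2 136176]
S3 udfpt;udfpt;c:\windows\system32\drivers\udfpt.sys --> c:\windows\system32\drivers\udfpt.sys [?]
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86520EC5]<<
detected hooks:
\Driver\atapi DriverStartIo -> 0x86520AEA
user & kernel MBR OK
sectors 156301486 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
"""

if __name__ == "__main__":
    for f in triage(SAMPLE.splitlines()):
        print(f"[{f.severity:4}] {f.indicator}: {f.detail}")
```

Run on the sample it prints five high-severity findings (the `rfyioy` boot driver, the unknown module, the atapi hook, the read mismatch and GMER's warning) and two low ones (`AvgTdiX`, `udfpt`), which is the same read a malware helper makes when deciding to start with an anti-rootkit tool rather than another signature scan.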


  4. 2011/05/03
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Welcome to WindowsBBS :)

    I see you have P2P software ( Limewire, BitTorrent, uTorrent etc… ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them.

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at WindowsBBS Malware and Virus removal.

    A Malware expert will have a look at your log in due course.
     
  5. 2011/05/03
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    You are running an outdated, non-supported Windows version (= vulnerable) without any anti-virus... perfectly normal you got infected.
     
    Arie,
    #4
  6. 2011/05/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard :)

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ====================================================

    You're infected with a rootkit, possibly more...

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  7. 2011/05/03
    callmecarm Inactive Thread Starter
    My anti-virus software is Ad-Aware, AVG and Malwarebytes. Norton and Dr. Web are both corrupt and I have to delete all of the corrupted files before reinstalling them, but I don't know how. I've had techie friends try to delete the files, but they couldn't do anything about them.
    I have deleted my uTorrent, even though I never used it anyway.

    Have done what you asked, rebooted, and the system seems better so far. Log:

    2011/05/03 21:13:54.0693 2800 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
    2011/05/03 21:13:55.0033 2800 ================================================================================
    2011/05/03 21:13:55.0033 2800 SystemInfo:
    2011/05/03 21:13:55.0033 2800
    2011/05/03 21:13:55.0033 2800 OS Version: 5.1.2600 ServicePack: 2.0
    2011/05/03 21:13:55.0033 2800 Product type: Workstation
    2011/05/03 21:13:55.0033 2800 ComputerName: COW-7
    2011/05/03 21:13:55.0053 2800 UserName: carm
    2011/05/03 21:13:55.0053 2800 Windows directory: C:\WINDOWS
    2011/05/03 21:13:55.0053 2800 System windows directory: C:\WINDOWS
    2011/05/03 21:13:55.0053 2800 Processor architecture: Intel x86
    2011/05/03 21:13:55.0053 2800 Number of processors: 1
    2011/05/03 21:13:55.0053 2800 Page size: 0x1000
    2011/05/03 21:13:55.0053 2800 Boot type: Normal boot
    2011/05/03 21:13:55.0053 2800 ================================================================================
    2011/05/03 21:13:55.0704 2800 Initialize success
    2011/05/03 21:14:06.0830 3040 ================================================================================
    2011/05/03 21:14:06.0830 3040 Scan started
    2011/05/03 21:14:06.0830 3040 Mode: Manual;
    2011/05/03 21:14:06.0830 3040 ================================================================================
    2011/05/03 21:14:09.0224 3040 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/05/03 21:14:09.0304 3040 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    2011/05/03 21:14:09.0414 3040 aeaudio (3cb6ae5435987b1f8c83fd2730479878) C:\WINDOWS\system32\drivers\aeaudio.sys
    2011/05/03 21:14:09.0514 3040 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
    2011/05/03 21:14:09.0624 3040 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\WINDOWS\system32\drivers\Afc.sys
    2011/05/03 21:14:09.0704 3040 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
    2011/05/03 21:14:09.0895 3040 AgereSoftModem (593aefc67283d409f34cc1245d00a509) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
    2011/05/03 21:14:10.0085 3040 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
    2011/05/03 21:14:10.0626 3040 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2011/05/03 21:14:11.0076 3040 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/05/03 21:14:11.0166 3040 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/05/03 21:14:11.0367 3040 ati2mtag (155f93d1d3b3de83b0ca5ec44ba627e1) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    2011/05/03 21:14:11.0517 3040 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/05/03 21:14:11.0687 3040 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/05/03 21:14:11.0998 3040 b57w2k (9948740f9043aca23b8fddf8b9651160) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
    2011/05/03 21:14:12.0438 3040 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/05/03 21:14:12.0789 3040 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/05/03 21:14:13.0199 3040 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/05/03 21:14:13.0530 3040 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/05/03 21:14:13.0810 3040 Cdrom (8b6644f296f875db63771a3ba74de9ea) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/05/03 21:14:13.0810 3040 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: 8b6644f296f875db63771a3ba74de9ea, Fake md5: af9c19b3100fe010496b1a27181fbf72
    2011/05/03 21:14:13.0820 3040 Cdrom - detected Rootkit.Win32.TDSS.tdl3 (0)
    2011/05/03 21:14:14.0081 3040 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2011/05/03 21:14:14.0161 3040 COH_Mon (4ecde31d8cf3c342bef518af954f513b) C:\WINDOWS\system32\Drivers\COH_Mon.sys
    2011/05/03 21:14:14.0191 3040 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2011/05/03 21:14:14.0261 3040 CONAN (32b0ac2449d9ef70b719bfaf631f998a) C:\WINDOWS\system32\drivers\o2mmb.sys
    2011/05/03 21:14:14.0431 3040 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/05/03 21:14:14.0551 3040 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/05/03 21:14:14.0661 3040 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
    2011/05/03 21:14:14.0701 3040 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/05/03 21:14:14.0792 3040 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/05/03 21:14:14.0882 3040 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/05/03 21:14:14.0952 3040 DUBE100 (66c4d14afe14d94db639052296c93855) C:\WINDOWS\system32\DRIVERS\DUBE100.sys
    2011/05/03 21:14:15.0072 3040 eabfiltr (81b7808d3b5892388f33273119c2dc31) C:\WINDOWS\system32\drivers\EABFiltr.sys
    2011/05/03 21:14:15.0162 3040 eabusb (1ba14da377b66278335d4b9e8824cd42) C:\WINDOWS\system32\drivers\eabusb.sys
    2011/05/03 21:14:15.0272 3040 eeCtrl (e89cc1363cb7f5320ae3b41c1333d0c3) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    2011/05/03 21:14:15.0382 3040 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/05/03 21:14:15.0463 3040 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/05/03 21:14:15.0643 3040 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
    2011/05/03 21:14:15.0703 3040 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2011/05/03 21:14:15.0813 3040 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    2011/05/03 21:14:15.0863 3040 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/05/03 21:14:15.0893 3040 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/05/03 21:14:15.0983 3040 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
    2011/05/03 21:14:16.0083 3040 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/05/03 21:14:16.0204 3040 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/05/03 21:14:16.0344 3040 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
    2011/05/03 21:14:16.0414 3040 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
    2011/05/03 21:14:16.0484 3040 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
    2011/05/03 21:14:16.0564 3040 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/05/03 21:14:16.0714 3040 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/05/03 21:14:16.0784 3040 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/05/03 21:14:16.0895 3040 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2011/05/03 21:14:16.0965 3040 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/05/03 21:14:17.0055 3040 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    2011/05/03 21:14:17.0145 3040 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/05/03 21:14:17.0175 3040 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/05/03 21:14:17.0245 3040 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/05/03 21:14:17.0325 3040 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/05/03 21:14:17.0455 3040 irda (86c204836feec22510d434982d4221b8) C:\WINDOWS\system32\DRIVERS\irda.sys
    2011/05/03 21:14:17.0526 3040 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/05/03 21:14:17.0616 3040 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/05/03 21:14:17.0706 3040 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/05/03 21:14:17.0806 3040 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/05/03 21:14:17.0916 3040 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/05/03 21:14:18.0096 3040 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
    2011/05/03 21:14:18.0196 3040 Lbd (336abe8721cbc3110f1c6426da633417) C:\WINDOWS\system32\DRIVERS\Lbd.sys
    2011/05/03 21:14:18.0337 3040 MbxStby (4c32b247524f91db486d21dcb84d9c23) C:\WINDOWS\system32\drivers\MbxStby.sys
    2011/05/03 21:14:18.0397 3040 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/05/03 21:14:18.0467 3040 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
    2011/05/03 21:14:18.0537 3040 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/05/03 21:14:18.0617 3040 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/05/03 21:14:18.0677 3040 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/05/03 21:14:18.0777 3040 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/05/03 21:14:18.0978 3040 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/05/03 21:14:19.0488 3040 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/05/03 21:14:19.0709 3040 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/05/03 21:14:19.0779 3040 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/05/03 21:14:19.0829 3040 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/05/03 21:14:19.0879 3040 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/05/03 21:14:19.0939 3040 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/05/03 21:14:20.0089 3040 NAVENG (69974d54db3ae9b63d6c721705f36bbc) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080316.017\NAVENG.SYS
    2011/05/03 21:14:20.0179 3040 NAVEX15 (d79498c50b79550704c91f1d70528f11) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080316.017\NAVEX15.SYS
    2011/05/03 21:14:20.0370 3040 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/05/03 21:14:20.0400 3040 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/05/03 21:14:20.0440 3040 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/05/03 21:14:20.0490 3040 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/05/03 21:14:20.0520 3040 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/05/03 21:14:20.0560 3040 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/05/03 21:14:20.0600 3040 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/05/03 21:14:20.0890 3040 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2011/05/03 21:14:20.0930 3040 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/05/03 21:14:21.0061 3040 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/05/03 21:14:21.0211 3040 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/05/03 21:14:21.0261 3040 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/05/03 21:14:21.0281 3040 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/05/03 21:14:21.0351 3040 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2011/05/03 21:14:21.0431 3040 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/05/03 21:14:21.0461 3040 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/05/03 21:14:21.0511 3040 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/05/03 21:14:21.0571 3040 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/05/03 21:14:21.0682 3040 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/05/03 21:14:21.0812 3040 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
    2011/05/03 21:14:22.0312 3040 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/05/03 21:14:22.0403 3040 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/05/03 21:14:22.0483 3040 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/05/03 21:14:22.0563 3040 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/05/03 21:14:22.0743 3040 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/05/03 21:14:22.0813 3040 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
    2011/05/03 21:14:22.0853 3040 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/05/03 21:14:22.0913 3040 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/05/03 21:14:22.0953 3040 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/05/03 21:14:23.0094 3040 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/05/03 21:14:23.0164 3040 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/05/03 21:14:23.0234 3040 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/05/03 21:14:23.0354 3040 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/05/03 21:14:23.0444 3040 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/05/03 21:14:23.0614 3040 sdcplh (b7ea2f12416693d2d9bffaaa5eff7037) C:\WINDOWS\system32\drivers\sdcplh.sys
    2011/05/03 21:14:23.0684 3040 SDTHOOK (f88d17b93621eeb8bef33b81e3af9207) C:\WINDOWS\system32\DRIVERS\SDTHOOK.sys
    2011/05/03 21:14:23.0754 3040 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/05/03 21:14:23.0845 3040 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/05/03 21:14:23.0895 3040 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/05/03 21:14:23.0985 3040 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/05/03 21:14:24.0105 3040 SMCIRDA (707647a1aa0edb6cbef61b0c75c28ed3) C:\WINDOWS\system32\DRIVERS\smcirda.sys
    2011/05/03 21:14:24.0245 3040 smwdm (3a11abb30c6a64173f99c8c42e76827c) C:\WINDOWS\system32\drivers\smwdm.sys
    2011/05/03 21:14:24.0556 3040 SPBBCDrv (72c6d9494cfb97cc799b12dfd01920f3) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
    2011/05/03 21:14:24.0746 3040 SPIDER (d691b7b7fa5b88b0ebe76a2e15f87c50) C:\PROGRA~1\DrWeb\spider.sys
    2011/05/03 21:14:25.0086 3040 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/05/03 21:14:25.0136 3040 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/05/03 21:14:25.0197 3040 SRTSP (e0e54a571d4323567e95e11fe76a5ff3) C:\WINDOWS\system32\Drivers\SRTSP.SYS
    2011/05/03 21:14:25.0307 3040 SRTSPL (4e44f0e22df824d318988caa6f321c30) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
    2011/05/03 21:14:25.0397 3040 SRTSPX (d3bb40427cf3d02e56bba97feda0a3aa) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
    2011/05/03 21:14:25.0487 3040 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/05/03 21:14:25.0577 3040 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/05/03 21:14:25.0627 3040 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/05/03 21:14:25.0777 3040 SYMDNS (fbc9c3b9805849e4cd78aa920e8cd26d) C:\WINDOWS\System32\Drivers\SYMDNS.SYS
    2011/05/03 21:14:25.0847 3040 SymEvent (e03ee3ef1037099554d17bed99545a5e) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    2011/05/03 21:14:25.0888 3040 SYMFW (4c1638572e422554944619b2ee51c9a9) C:\WINDOWS\System32\Drivers\SYMFW.SYS
    2011/05/03 21:14:25.0968 3040 SYMIDS (f7faa5e4eae4cb7bf31495bc92cbabca) C:\WINDOWS\System32\Drivers\SYMIDS.SYS
    2011/05/03 21:14:26.0158 3040 SYMIDSCO (1db45c243188f7b4c51dd7305d7e5cbb) C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\ipsdefs\20080314.001\SymIDSCo.sys
    2011/05/03 21:14:26.0278 3040 SymIM (d63eb5a6857c31dc341450ba0f252d79) C:\WINDOWS\system32\DRIVERS\SymIM.sys
    2011/05/03 21:14:26.0308 3040 SymIMMP (d63eb5a6857c31dc341450ba0f252d79) C:\WINDOWS\system32\DRIVERS\SymIM.sys
    2011/05/03 21:14:26.0368 3040 SYMNDIS (76c3312df7481931df665a63a36a9011) C:\WINDOWS\System32\Drivers\SYMNDIS.SYS
    2011/05/03 21:14:26.0468 3040 SYMREDRV (fc89356b6aa9dee10a284c18215c5b60) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
    2011/05/03 21:14:26.0528 3040 SYMTDI (9d32181eb6586758071e9ff012fb9ab0) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
    2011/05/03 21:14:26.0719 3040 SynTP (1a8e6b04907687a8eed75c8031b679fd) C:\WINDOWS\system32\DRIVERS\SynTP.sys
    2011/05/03 21:14:26.0809 3040 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/05/03 21:14:26.0969 3040 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/05/03 21:14:27.0089 3040 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/05/03 21:14:27.0189 3040 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/05/03 21:14:27.0310 3040 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/05/03 21:14:27.0490 3040 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/05/03 21:14:27.0580 3040 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/05/03 21:14:27.0660 3040 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
    2011/05/03 21:14:27.0720 3040 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/05/03 21:14:27.0790 3040 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/05/03 21:14:27.0890 3040 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/05/03 21:14:27.0981 3040 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/05/03 21:14:28.0071 3040 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/05/03 21:14:28.0131 3040 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/05/03 21:14:28.0171 3040 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/05/03 21:14:28.0291 3040 uwmimyesosoo (d7dbfbc453b645111e6d21142305e80b) C:\WINDOWS\system32\drivers\uwmimyesosoo.sys
    2011/05/03 21:14:28.0381 3040 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
    2011/05/03 21:14:28.0471 3040 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/05/03 21:14:28.0792 3040 w22n51 (5bc494442773035da902ab30cdca11e7) C:\WINDOWS\system32\DRIVERS\w22n51.sys
    2011/05/03 21:14:29.0122 3040 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/05/03 21:14:29.0232 3040 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/05/03 21:14:29.0403 3040 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    2011/05/03 21:14:29.0523 3040 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
    2011/05/03 21:14:29.0573 3040 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    2011/05/03 21:14:29.0623 3040 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/05/03 21:14:29.0673 3040 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/05/03 21:14:29.0783 3040 ================================================================================
    2011/05/03 21:14:29.0783 3040 Scan finished
    2011/05/03 21:14:29.0783 3040 ================================================================================
    2011/05/03 21:14:29.0793 2052 Detected object count: 1
    2011/05/03 21:15:31.0141 2052 Cdrom (8b6644f296f875db63771a3ba74de9ea) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/05/03 21:15:31.0141 2052 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: 8b6644f296f875db63771a3ba74de9ea, Fake md5: af9c19b3100fe010496b1a27181fbf72
    2011/05/03 21:15:33.0775 2052 Backup copy found, using it..
    2011/05/03 21:15:33.0805 2052 C:\WINDOWS\system32\DRIVERS\cdrom.sys - will be cured after reboot
    2011/05/03 21:15:33.0805 2052 Rootkit.Win32.TDSS.tdl3(Cdrom) - User select action: Cure
    2011/05/03 21:15:46.0393 3328 Deinitialize success
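The TDSSKiller log above is the kind of artifact a responder gets handed and has to read quickly: hundreds of normal driver lines, one "Suspicious file (Forged)" line carrying two different MD5s for the same cdrom.sys, a "detected" verdict, and a "User select action" line saying what was done. The following is an added example (not part of this thread and not Kaspersky's code) that parses that log format in Python, collects the forged-file, verdict and action lines, checks which of the two hashes the scanner's own driver listing carries for the same path, and flags any verdict that never got a Cure. The regular expressions are inferred from the lines visible in the post, not from a published format specification, and the embedded sample log is a short excerpt assembled from those lines, not the complete scan.

```python
"""Triage helper for a TDSSKiller text log (added example, not the tool's code)."""
import re
from collections import OrderedDict

# Constructed sample: an excerpt assembled from lines of the log posted above.
# The real scan lists a few hundred drivers; only a handful are kept here.
SAMPLE_LOG = r"""
2011/05/03 21:14:06.0830 3040 Scan started
2011/05/03 21:14:06.0830 3040 Mode: Manual;
2011/05/03 21:14:09.0224 3040 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/03 21:14:09.0704 3040 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
2011/05/03 21:14:13.0810 3040 Cdrom (8b6644f296f875db63771a3ba74de9ea) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/03 21:14:13.0810 3040 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: 8b6644f296f875db63771a3ba74de9ea, Fake md5: af9c19b3100fe010496b1a27181fbf72
2011/05/03 21:14:13.0820 3040 Cdrom - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/05/03 21:14:14.0431 3040 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/03 21:14:18.0096 3040 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2011/05/03 21:14:28.0291 3040 uwmimyesosoo (d7dbfbc453b645111e6d21142305e80b) C:\WINDOWS\system32\drivers\uwmimyesosoo.sys
2011/05/03 21:14:29.0783 3040 Scan finished
2011/05/03 21:14:29.0793 2052 Detected object count: 1
2011/05/03 21:15:31.0141 2052 Cdrom (8b6644f296f875db63771a3ba74de9ea) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/03 21:15:33.0805 2052 Rootkit.Win32.TDSS.tdl3(Cdrom) - User select action: Cure
"""

# Every line starts with "date time pid "; the patterns below are inferred
# from the posted log, not from a format specification.
PREFIX = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+ \d+ "
MD5 = r"[0-9a-f]{32}"
# Driver names may contain spaces ("Lavasoft Kernexplorer"), so match lazily
# up to the "(md5)" token instead of taking a single non-space word.
DRIVER_RE = re.compile(PREFIX + r"(?P<name>.+?) \((?P<md5>" + MD5 + r")\) (?P<path>.+)$")
FORGED_RE = re.compile(PREFIX + r"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: "
                       r"(?P<real>" + MD5 + r"), Fake md5: (?P<fake>" + MD5 + r")")
DETECTED_RE = re.compile(PREFIX + r"(?P<name>.+?) - detected (?P<verdict>\S+)")
ACTION_RE = re.compile(PREFIX + r"(?P<verdict>[^(\s]+)\((?P<name>[^)]+)\) - User select action: (?P<action>\S+)")


def parse_log(log_text):
    """Walk the log once and bucket each recognised line type."""
    drivers = OrderedDict()  # name -> {"md5", "path"}; the repeated Cdrom line collapses
    forged, detected, actions = [], [], []
    for line in log_text.splitlines():
        m = FORGED_RE.match(line)
        if m:
            forged.append({"path": m["path"], "real_md5": m["real"], "fake_md5": m["fake"]})
            continue
        m = DETECTED_RE.match(line)
        if m:
            detected.append((m["name"], m["verdict"]))
            continue
        m = ACTION_RE.match(line)
        if m:
            actions.append((m["name"], m["verdict"], m["action"]))
            continue
        m = DRIVER_RE.match(line)
        if m:
            drivers[m["name"]] = {"md5": m["md5"], "path": m["path"]}
    return drivers, forged, detected, actions


def triage(log_text):
    """Return the facts a responder wants first: forged files, verdicts, and
    any verdict that was not followed by a Cure action."""
    drivers, forged, detected, actions = parse_log(log_text)
    by_path = {d["path"].lower(): (name, d["md5"]) for name, d in drivers.items()}
    for f in forged:
        name, listed = by_path.get(f["path"].lower(), (None, None))
        f["driver"] = name
        # Which of the two hashes did the per-driver listing carry for this path?
        # The scanner's own "Real"/"Fake" labels are carried through unchanged.
        if listed == f["real_md5"]:
            f["listed_hash_matches"] = "real"
        elif listed == f["fake_md5"]:
            f["listed_hash_matches"] = "fake"
        else:
            f["listed_hash_matches"] = "neither"
    cured = {name for name, _, action in actions if action == "Cure"}
    unresolved = [(name, verdict) for name, verdict in detected if name not in cured]
    return {"drivers": drivers, "driver_count": len(drivers), "forged": forged,
            "detected": detected, "actions": actions, "unresolved": unresolved}


def report(result):
    """Render the triage result as plain text lines."""
    lines = ["drivers listed: %d" % result["driver_count"]]
    for f in result["forged"]:
        lines.append("FORGED %s (driver %s): listed hash is the %s md5"
                     % (f["path"], f["driver"], f["listed_hash_matches"]))
    for name, verdict in result["detected"]:
        lines.append("DETECTED %s -> %s" % (name, verdict))
    for name, verdict in result["unresolved"]:
        lines.append("UNRESOLVED %s (%s): no Cure action recorded" % (name, verdict))
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Run against the full log from the post rather than the excerpt, the same parser yields one forged file (cdrom.sys) whose listed hash equals the "Real md5", one TDL3 verdict, and a Cure action for it, so the unresolved list is empty; anything left in that list after a reboot is a reason not to tell the user the machine is clean.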
     
  8. 2011/05/03
    broni Moderator Malware Analyst
    Well done :)

    As for your AV programs....
    I don't see AVG running, so if you're planning on installing it, don't do it.
    I don't recommend AVG anymore. Too many issues.

    Run Norton Removal Tool: http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN

    Run Dr. Web Remover: ftp://ftp.drweb.com/pub/drweb/tools/drw_remover.exe

    When done....

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  9. 2011/05/06
    callmecarm Inactive Thread Starter
    ComboFix 11-05-05.04 - carm 05/06/2011 7:56.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.668 [GMT -4:00]
    Running from: c:\documents and settings\carm\My Documents\Downloads\ComboFix.exe
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\carm\WINDOWS
    C:\install.exe
    c:\program files\Helper
    c:\windows\system32\drivers\uwmimyesosoo.sys
    c:\windows\system32\ffuwksee.dllbox
    c:\windows\system32\lmnnn.ini
    c:\windows\system32\lmnnn.ini2
    c:\windows\system32\thfabama.ini
    c:\windows\system32\winlogon.bak
    .
    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - c:\qoobox\Quarantine\C\WINDOWS\system32\winlogon.bak.vir
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_DOMAINSERVICE
    -------\Legacy_FCI
    -------\Legacy_SYSLIBRARY
    -------\Service_SysLibrary
    -------\Legacy_uwmimyesosoo
    -------\Service_uwmimyesosoo
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-06 to 2011-05-06 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-06 06:29 . 2011-05-06 11:30 -------- d-----w- c:\windows\system32\NtmsData
    2011-05-03 05:59 . 2011-05-03 05:59 -------- d-----w- c:\program files\SIW
    2011-05-03 03:55 . 2011-05-03 03:55 388096 ------r- c:\documents and settings\carm\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-05-03 03:55 . 2011-05-03 03:55 -------- d-----w- c:\program files\Trend Micro
    2011-05-02 19:31 . 2011-05-02 04:40 16432 ------w- c:\windows\system32\lsdelete.exe
    2011-05-02 04:29 . 2011-04-29 16:12 64512 ------w- c:\windows\system32\drivers\Lbd.sys
    2011-04-22 15:05 . 2011-04-29 23:51 142296 ------w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-04-22 15:05 . 2011-04-29 23:51 16856 ------w- c:\program files\Mozilla Firefox\plugin-container.exe
    2011-04-22 15:05 . 2011-04-29 23:51 781272 ------w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2011-04-22 15:05 . 2011-04-29 23:51 1874904 ------w- c:\program files\Mozilla Firefox\mozjs.dll
    2011-04-22 15:05 . 2011-04-29 23:51 719832 ------w- c:\program files\Mozilla Firefox\mozcpp19.dll
    2011-04-22 15:05 . 2011-04-29 23:51 465880 ------w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2011-04-22 15:05 . 2011-04-29 23:51 15832 ------w- c:\program files\Mozilla Firefox\mozalloc.dll
    2011-04-22 15:05 . 2011-04-29 23:51 89048 ------w- c:\program files\Mozilla Firefox\libEGL.dll
    2011-04-22 15:05 . 2011-04-29 23:51 1892184 ------w- c:\program files\Mozilla Firefox\d3dx9_42.dll
    2011-04-22 15:05 . 2011-04-29 23:51 1974616 ------w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
    2011-04-19 03:57 . 2011-04-19 03:57 -------- d-----w- c:\documents and settings\carm\Application Data\DDMSettings
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-04 01:16 . 2004-08-03 22:59 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2011-05-02 04:40 . 2010-04-02 00:49 98392 ------w- c:\windows\system32\drivers\SBREDrv.sys
    2011-02-18 20:36 . 2009-09-15 22:34 4184352 ------w- c:\windows\system32\usbaaplrc.dll
    2011-02-18 20:36 . 2008-10-07 04:36 41984 ------w- c:\windows\system32\drivers\usbaapl.sys
    2011-04-29 23:51 . 2011-04-22 15:05 142296 ------w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    Code:
    c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\windows\system32\ctfmon .exe
    .
    ------- Sigcheck -------
    .
    [-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
    [7] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ctfmon.exe
    .
    c:\windows\System32\ctfmon.exe ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
    "EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [N/A]
    "Owaba"="c:\windows\dr4kbd32.dll" [N/A]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [N/A]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [N/A]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [N/A]
    "LidPolicy"="c:\program files\Hewlett-Packard\LidSwitch Policy\pwrschem.exe" [N/A]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 88363]
    "ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
    "Turbine Download Manager Tray Icon"="c:\program files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe" [N/A]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-02-15 1230704]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Intel AppUp(SM) center"="c:\program files\Intel\IntelAppStore\bin\serviceManager.lnk" [2011-04-05 933]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]
    .
    c:\documents and settings\carm\Start Menu\Programs\Startup\
    OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Documents and Settings\\carm\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "56171:TCP"= 56171:TCP:pando Media Booster
    "56171:UDP"= 56171:UDP:pando Media Booster
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/2/2011 12:29 AM 64512]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/18/2008 1:00 AM 24652]
    R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [12/28/2007 9:11 PM 182101]
    R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [12/28/2007 9:11 PM 5689]
    S0 rfyioy;rfyioy;c:\windows\system32\drivers\avqbjei.sys --> c:\windows\system32\drivers\avqbjei.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/2/2010 12:54 PM 136176]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [4/29/2011 12:11 PM 2146496]
    S3 DUBE100;D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter;c:\windows\system32\drivers\DUBE100.sys [12/26/2007 6:11 AM 13626]
    S3 e75db204-f951-48af-a89e-6da3b954fa0c;e75db204-f951-48af-a89e-6da3b954fa0c;\??\d:\cds300\cds300.dll --> d:\cds300\cds300.dll [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/2/2010 12:54 PM 136176]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [4/29/2011 12:11 PM 15232]
    S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [1/18/2008 5:49 AM 44928]
    S3 udfpt;udfpt;c:\windows\system32\drivers\udfpt.sys --> c:\windows\system32\drivers\udfpt.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-04-29 16:11]
    .
    2011-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-02 16:54]
    .
    2011-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-02 16:54]
    .
    2011-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-746137067-1957994488-1003Core.job
    - c:\documents and settings\carm\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-05 19:15]
    .
    2011-05-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-746137067-1957994488-1003UA.job
    - c:\documents and settings\carm\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-05 19:15]
    .
    2011-05-06 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-05-08 02:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local
    DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
    FF - ProfilePath - c:\documents and settings\carm\Application Data\Mozilla\Firefox\Profiles\ulcgtnu2.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b7ef9b7&v=6.103.018.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{EE77E1F9-B23C-4C5F-A971-221869CFE51E} - c:\windows\system32\nnnml.dll
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
    SafeBoot-klmdb.sys
    AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
    AddRemove-{980A182F-E0A2-4A40-94C1-AE0C1235902E} - c:\program files\Pando Networks\Media Booster\uninst.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-06 08:06
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
    @Denied: (Full) (LocalSystem)
    "OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
    "LastWPAEventLogged"=hex:d5,07,05,00,06,00,07,00,0f,00,38,00,24,00,fd,02
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(1396)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\mshtml.dll
    c:\windows\system32\msls31.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\WgaTray.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\HPZipm12.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\AGRSMMSG.exe
    c:\program files\Intel\IntelAppStore\bin\serviceManager.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-05-06 08:16:07 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-05-06 12:16
    .
    Pre-Run: 9,606,889,472 bytes free
    Post-Run: 9,400,782,848 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    .
    - - End Of File - - 503ADB68A0B8249934D15DCE8DD436F2
     
  10. 2011/05/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please make sure to allow the Recovery Console installation on the next ComboFix run.

    =======================================================

    Unless you installed Viewpoint Manager knowledgeably...
    Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
    Uninstall any of the following programs associated with Viewpoint:
    * Viewpoint Manager
    * Viewpoint Media Player
    * Viewpoint Toolbar
    This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by install") as it is installed without your consent through programs like AOL, AIM, CompuServe, etc.

    =====================================================

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    RenV::
    c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\windows\system32\ctfmon .exe
    
    FCopy::
    c:\windows\system32\dllcache\ctfmon.exe | c:\windows\System32\ctfmon.exe
    
    File::
    c:\windows\dr4kbd32.dll
    c:\windows\system32\drivers\avqbjei.sys
    d:\cds300\cds300.dll
    c:\windows\system32\drivers\udfpt.sys
    
    
    Folder::
    
    Driver::
    rfyioy
    e75db204-f951-48af-a89e-6da3b954fa0c
    udfpt
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Owaba"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000000
    "FirewallOverride"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000000
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"=-
    
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
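The reply above maps four kinds of log evidence to CFScript directives: executables whose names have a space before the extension (RenV::), a boot-start driver and two other services whose image file is gone (Driver::), a Run value that loads a bare DLL, and Security Center / firewall values set so that Windows stops warning that protection is off (Registry::). The following is an added example, written for this page and not part of the thread, of ComboFix, or of the moderator's procedure: a small Python triage script that applies those same checks to ComboFix-style log lines and emits the matching directives. The sample lines are a constructed subset modelled on the log posted above; the log layout and the directive names RenV::, Driver:: and Registry:: are ComboFix's own, while the rules for what counts as "fixable" are this example's assumptions.

```python
import re

# Constructed sample modelled on the ComboFix log in this thread (not the full
# log). Raw string, so every backslash is literal.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"Owaba"="c:\windows\dr4kbd32.dll" [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [N/A]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/2/2011 12:29 AM 64512]
S0 rfyioy;rfyioy;c:\windows\system32\drivers\avqbjei.sys --> c:\windows\system32\drivers\avqbjei.sys [?]
S3 udfpt;udfpt;c:\windows\system32\drivers\udfpt.sys --> c:\windows\system32\drivers\udfpt.sys [?]
c:\program files\iTunes\iTunesHelper .exe
c:\windows\system32\ctfmon .exe
""".strip().splitlines()

# Line shapes as ComboFix prints them (assumed from the log above).
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<info>[^\]]*)\]$')
DWORD_VALUE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
FW_NOTIFY = re.compile(r'^"(?P<name>DisableNotifications)"=\s*(?P<val>\d+)')
SERVICE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);[^;]*;(?P<rest>.+)$')
SPACED_EXT = re.compile(r'^(?P<stem>[a-zA-Z]:\\.+\S) \.(?P<ext>exe|dll|sys)$')

# Security Center values that, when non-zero, silence "AV/firewall off" alerts.
SC_OVERRIDES = {"antivirusoverride", "firewalloverride", "disablemonitoring"}


def triage(lines):
    """Walk the log once; return findings as dicts with a 'fix' flag.

    kind: run | securitycenter | firewall | driver | renamed
    fix : True if the item belongs in a removal script, False if it is only
          informational (a Run value whose target file merely no longer exists).
    """
    findings, key = [], ""
    for raw in lines:
        line = raw.strip()
        if line.startswith("["):          # registry key header: remember context
            key = line
            continue
        lk = key.lower()

        m = RUN_VALUE.match(line)
        if m and lk.endswith("\\run]"):
            name, path, info = m.group("name", "path", "info")
            if path.lower().endswith(".dll"):
                # A Run value must name something Windows can execute; a bare
                # DLL only runs if another component side-loads it.
                findings.append(dict(kind="run", key=key, name=name, path=path,
                                     fix=True, reason="Run value points at a bare DLL"))
            elif info == "N/A":
                findings.append(dict(kind="run", key=key, name=name, path=path,
                                     fix=False, reason="target file not found (stale entry)"))
            continue

        m = DWORD_VALUE.match(line)
        if (m and "security center" in lk and m.group("name").lower() in SC_OVERRIDES
                and int(m.group("val"), 16) != 0):
            findings.append(dict(kind="securitycenter", key=key, name=m.group("name"), path="",
                                 fix=True, reason="Security Center override set; protection-off warnings suppressed"))
            continue

        m = FW_NOTIFY.match(line)
        if m and "firewallpolicy" in lk and m.group("val") != "0":
            findings.append(dict(kind="firewall", key=key, name=m.group("name"), path="",
                                 fix=True, reason="Windows Firewall notifications disabled"))
            continue

        m = SERVICE.match(line)
        if m and " --> " in m.group("rest") and m.group("rest").endswith("[?]"):
            findings.append(dict(kind="driver", key="", name=m.group("name"), path="", fix=True,
                                 reason="%s-start driver whose image file is missing on disk" % m.group("start")))
            continue

        m = SPACED_EXT.match(line)
        if m:   # "ctfmon .exe": the legitimate name was taken over, original renamed
            findings.append(dict(kind="renamed", key="", name="", path=line, fix=True,
                                 reason="space before .%s; original file likely hijacked" % m.group("ext")))
    return findings


def build_cfscript(findings):
    """Emit RenV::, Driver:: and Registry:: directives for the fixable findings.
    The directive names are ComboFix's; the selection logic is this example's."""
    fix = [f for f in findings if f["fix"]]
    renv = [f["path"] for f in fix if f["kind"] == "renamed"]
    drivers = [f["name"] for f in fix if f["kind"] == "driver"]
    reg = {}
    for f in fix:
        if f["kind"] in ("run", "firewall"):
            reg.setdefault(f["key"], []).append('"%s"=-' % f["name"])            # delete value
        elif f["kind"] == "securitycenter":
            reg.setdefault(f["key"], []).append('"%s"=dword:00000000' % f["name"])
    out = []
    if renv:
        out += ["RenV::"] + renv + [""]
    if drivers:
        out += ["Driver::"] + drivers + [""]
    if reg:
        out.append("Registry::")
        for k, values in reg.items():
            out.append(k)
            out.extend(values)
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print("%-14s %-45s %s" % (f["kind"], f["name"] or f["path"], f["reason"]))
    print()
    print(build_cfscript(found))
```

Run it and the generated script has the same shape as the one in the reply: RenV:: with the two spaced names, Driver:: with rfyioy and udfpt, and Registry:: resetting the overrides and deleting Owaba and DisableNotifications. The stale HP and Synaptics Run values are reported but left alone, which matches what the reply does; the FCopy:: line that restores ctfmon.exe from dllcache is a judgement call the script deliberately does not automate, because it depends on the Sigcheck section confirming that a clean copy exists.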