
[Inactive] Slow Windows boot up - Malware?

Discussion in 'Malware and Virus Removal Archive' started by LarryB, 2012/12/02.

  1. 2012/12/02
    LarryB (Well-Known Member, Thread Starter)

    [Inactive] Slow Windows boot up - Malware?

    I noticed that slow boot up threads are shown in this forum. My pre-Windows boot up is OK and is pretty much unchanged for the last 6 months or more, but once you log in to Windows, the remaining Windows "boot up" has gotten very slow, and since it happened kind of suddenly, I am suspicious. I have always used a little applet called Lanled so that I can view internet activity in real time (both directions). The Lanled systray icon is the last to appear, and it always appeared quickly after the others had loaded. Now they all load slowly and the gap before the Lanled icon appears is now 30-45 seconds or so. If I then click on the IE8 shortcut, the IE window will not appear for another 30 or 45 seconds, loading slowly at that time. After a few minutes, everything runs OK, though video seems slower and jerkier than it used to be.

    I ran all the tools I know of (Mbam Pro/always active), RegSeeker, TFC, Spybot, CCleaner, and have uninstalled any new software, looked through my ActiveX and BHO lists. No benefits. So, here I am. Maybe I should be in a different forum, don't know. I have had no alerts, error messages, BSODs or malware/trojan findings.

    If I ever have any suspicions of a site, I run Free Internet Window Washer before shutting down in order to clear out any weird items in the IE cache. I have all the suggested log files ready to post. Let me know if you want me to do that.

    Please advise. Thanks!!
     
    Last edited: 2012/12/02
  2. 2012/12/02
    broni (Moderator, Malware Analyst)

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =============================

    Go ahead and post all required logs.
     

  3. 2012/12/02
    LarryB (Well-Known Member, Thread Starter)

    Hey, great. Thanks. Here we go....

    mbam-log-2012-12-02 (08-37-23).txt

    Malwarebytes Anti-Malware (PRO) 1.65.1.1000
    www.malwarebytes.org

    Database version: v2012.12.02.02

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Dad :: BLOCKFAMILY [administrator]

    Protection: Enabled

    12/2/2012 8:37:23 AM
    mbam-log-2012-12-02 (08-37-23).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 325281
    Time elapsed: 17 minute(s), 14 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
    ---------------------------------------------------------
    aswMBR.txt

    aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
    Run date: 2012-12-02 09:10:23
    -----------------------------
    09:10:23.468 OS Version: Windows 5.1.2600 Service Pack 3
    09:10:23.468 Number of processors: 2 586 0x2302
    09:10:23.468 ComputerName: BLOCKFAMILY UserName: Dad
    09:10:25.000 Initialize success
    09:11:02.109 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000006c
    09:11:02.109 Disk 0 Vendor: WDC_WD2500KS-00MJB0 02.01C03 Size: 238475MB BusType: 3
    09:11:02.109 Disk 1 \Device\Harddisk1\DR1 -> \Device\0000006d
    09:11:02.109 Disk 1 Vendor: WDC_WD2500KS-00MJB0 02.01C03 Size: 238475MB BusType: 3
    09:11:02.156 Disk 0 MBR read successfully
    09:11:02.156 Disk 0 MBR scan
    09:11:02.156 Disk 0 Windows XP default MBR code
    09:11:02.156 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238472 MB offset 63
    09:11:02.156 Disk 0 scanning sectors +488392065
    09:11:02.218 Disk 0 scanning C:\WINDOWS\system32\drivers
    09:11:09.859 Service scanning
    09:11:15.140 Service MpKsl55b20e21 C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{764AFD5C-0DED-4505-9915-D77098F0D2E5}\MpKsl55b20e21.sys **LOCKED** 32
    09:11:21.265 Modules scanning
    09:11:28.734 Disk 0 trace - called modules:
    09:11:28.765 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
    09:11:28.765 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a653ab8]
    09:11:28.765 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\0000006e[0x8a5cdac0]
    09:11:28.765 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\0000006c[0x8a654030]
    09:11:28.765 Scan finished successfully
    09:11:37.281 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Dad\Desktop\MBR.dat "
    09:11:37.328 The log file has been saved successfully to "C:\Documents and Settings\Dad\Desktop\aswMBR.txt "

    -----------------------------------------------------
    dds.txt

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_37
    Run by Dad at 9:13:16 on 2012-12-02
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1293 [GMT -8:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    ============== Running Processes ================
    .
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
    C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
    C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
    C:\Program Files\Secunia\PSI\sua.exe
    C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
    C:\WINDOWS\system32\tbctray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\IE New Window Maximizer\iemaximizer.exe
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\Program Files\PrintKey2000\Printkey2000.exe
    C:\Program Files\Quick ShutDown\qsd.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxps://www.fastmail.fm/html/?MLS=LN-*&u=9a1841ac&&hasjs=1
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [TraySantaCruz] c:\windows\system32\tbctray.exe
    StartupFolder: c:\docume~1\dad\startm~1\programs\startup\notify.lnk - c:\program files\lewe\notifyplus\Notify.exe
    StartupFolder: c:\docume~1\dad\startm~1\programs\startup\quicks~1.lnk - c:\program files\quick shutdown\qsd.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ieneww~1.lnk - c:\program files\ie new window maximizer\iemaximizer.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\MSOFFICE.EXE
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Notify Check.lnk.disabled
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    uPolicies-Explorer: NoDriveAutoRun = dword:67108835
    uPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    IE: {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - c:\program files\amazon\add to wish list ie extension\run.htm
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxps://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245599404234
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1345095504203
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
    DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
    DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: NameServer = 172.16.0.1
    TCP: Interfaces\{B4DE80D6-26CD-4D2C-B108-F218DDADD539} : NameServer = 4.2.2.1,4.2.2.2
    TCP: Interfaces\{B4DE80D6-26CD-4D2C-B108-F218DDADD539} : DHCPNameServer = 172.16.0.1
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 193552]
    R1 MpKsl55b20e21;MpKsl55b20e21;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{764afd5c-0ded-4505-9915-d77098f0d2e5}\MpKsl55b20e21.sys [2012-12-2 29904]
    R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-9-26 399432]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-2-26 676936]
    R2 Motorola Device Manager;Motorola Device Manager Service;c:\program files\motorola mobility\motorola device manager\MotoHelperService.exe [2012-5-18 116632]
    R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\realnetworks\realdownloader\rndlresolversvc.exe [2012-3-23 31920]
    R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2012-9-24 656480]
    R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-10-2 3064000]
    R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-8-19 450848]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-7-6 24652]
    R3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [2011-8-19 22176]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-26 22856]
    R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2003-6-23 149632]
    R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2003-6-23 554304]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
    S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-9-5 12672]
    S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\wintv\HCWTVS~1.EXE [2009-10-11 823296]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2011-12-16 15544]
    S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2012-9-24 1328736]
    S3 vtdg46xx;vtdg46xx;c:\progra~1\turtle~1\santac~1\contro~1\vtdg46xx.sys [2003-6-13 19232]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2074-05-08 02:38:48 203576 ------w- c:\program files\microsoft games\age of empires iii\autopatcher2.exe
    2012-12-02 17:10:25 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{764afd5c-0ded-4505-9915-d77098f0d2e5}\MpKsl55b20e21.sys
    2012-12-02 14:46:17 6812136 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{764afd5c-0ded-4505-9915-d77098f0d2e5}\mpengine.dll
    2012-12-01 01:36:51 6812136 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2012-11-13 16:20:15 -------- d-----w- c:\program files\Microsoft Bootvis
    2012-11-12 00:18:10 -------- d-s---w- C:\ComboFix
    2012-11-11 23:06:06 -------- d-----w- C:\_OTM
    .
    ==================== Find3M ====================
    .
    2012-11-19 14:22:16 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-11-19 14:22:16 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-10-22 08:37:31 1866368 ----a-w- c:\windows\system32\win32k.sys
    2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll
    2012-09-30 02:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-09-24 22:32:24 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-09-24 22:32:20 473072 ----a-w- c:\windows\system32\deployJava1.dll
    2012-09-24 20:51:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD2500KS-00MJB0 rev.02.01C03 -> Harddisk0\DR0 -> \Device\0000006d
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
    c:\windows\system32\drivers\nvata.sys NVIDIA Corporation NVIDIA nForce(TM) IDE Driver
    1 ntkrnlpa!IofCallDriver[0x804EF1F0] -> \Device\Harddisk0\DR0[0x8A653AB8]
    3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1F0] -> \Device\0000006e[0x8A5CDAC0]
    5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1F0] -> \Device\0000006c[0x8A654030]
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    user != kernel MBR !!!
    sectors 488397166 (+135): user != kernel
    .
    ============= FINISH: 9:13:53.51 ===============
    ----------------------------------------------------------------
    attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/21/2009 7:27:56 AM
    System Uptime: 12/2/2012 8:02:28 AM (1 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | A8N-SLI DELUXE
    Processor: Dual Core AMD Opteron(tm) Processor 165 | Socket 939 | 2528/280mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 233 GiB total, 66.441 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is Removable
    G: is FIXED (NTFS) - 233 GiB total, 76.353 GiB free.
    H: is Removable
    I: is Removable
    J: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: NVIDIA nForce Networking Controller
    Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&1F09082D&0&01
    Manufacturer: NVIDIA
    Name: NVIDIA nForce Networking Controller
    PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&1F09082D&0&01
    Service: NVENETFD
    .
    ==== System Restore Points ===================
    .
    RP1: 11/4/2012 8:11:53 PM - System Checkpoint
    RP2: 11/5/2012 6:05:48 AM - Software Distribution Service 3.0
    RP3: 11/6/2012 6:22:58 AM - Software Distribution Service 3.0
    RP4: 11/7/2012 6:23:30 AM - System Checkpoint
    RP5: 11/7/2012 6:25:43 PM - Software Distribution Service 3.0
    RP6: 11/8/2012 7:18:59 PM - System Checkpoint
    RP7: 11/9/2012 6:10:40 AM - Software Distribution Service 3.0
    RP8: 11/10/2012 6:56:48 AM - Software Distribution Service 3.0
    RP9: 11/11/2012 9:05:48 AM - Software Distribution Service 3.0
    RP10: 11/12/2012 9:13:56 AM - System Checkpoint
    RP11: 11/12/2012 7:04:27 PM - Software Distribution Service 3.0
    RP12: 11/13/2012 8:20:14 AM - Installed Microsoft Bootvis
    RP13: 11/13/2012 7:07:16 PM - Software Distribution Service 3.0
    RP14: 11/14/2012 7:25:35 PM - Software Distribution Service 3.0
    RP15: 11/14/2012 7:50:54 PM - Software Distribution Service 3.0
    RP16: 11/15/2012 8:37:43 PM - Software Distribution Service 3.0
    RP17: 11/16/2012 9:04:17 PM - System Checkpoint
    RP18: 11/17/2012 7:13:27 AM - Software Distribution Service 3.0
    RP19: 11/18/2012 8:17:48 AM - Software Distribution Service 3.0
    RP20: 11/19/2012 8:19:50 AM - System Checkpoint
    RP21: 11/19/2012 12:09:33 PM - Software Distribution Service 3.0
    RP22: 11/20/2012 6:16:09 PM - Software Distribution Service 3.0
    RP23: 11/21/2012 6:54:37 PM - System Checkpoint
    RP24: 11/22/2012 6:38:39 AM - Software Distribution Service 3.0
    RP25: 11/23/2012 8:02:05 AM - Software Distribution Service 3.0
    RP26: 11/24/2012 8:27:01 AM - System Checkpoint
    RP27: 11/24/2012 3:03:08 PM - Software Distribution Service 3.0
    RP28: 11/25/2012 3:10:38 PM - System Checkpoint
    RP29: 11/25/2012 7:02:10 PM - Software Distribution Service 3.0
    RP30: 11/26/2012 7:07:24 PM - System Checkpoint
    RP31: 11/27/2012 5:35:48 AM - Software Distribution Service 3.0
    RP32: 11/28/2012 6:56:11 AM - Software Distribution Service 3.0
    RP33: 11/29/2012 7:01:19 AM - Software Distribution Service 3.0
    RP34: 11/30/2012 7:22:51 AM - System Checkpoint
    RP35: 11/30/2012 5:36:48 PM - Software Distribution Service 3.0
    RP36: 12/2/2012 6:46:07 AM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    1ClickDownloader
    3DMark05
    ABBYY FineReader 6.0 Sprint
    Acrobat.com
    Adobe Download Manager
    Adobe Flash Player 11 ActiveX
    Adobe Help Center 2.1
    Adobe Photoshop Elements 5.0
    Adobe Reader XI
    Adobe Shockwave Player 11.6
    Age of Empires III
    AIM 6
    Amazon Add to Wish List IE Extension 1.2
    American Greetings® Art & More Store
    AnyTime Organizer
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI Display Driver
    Audacity 2.0
    Auslogics Disk Defrag
    AviSynth 2.5
    Bonjour
    CameraHelperMsi
    CCleaner
    Cisco Connect
    CleanMem
    Compatibility Pack for the 2007 Office system
    Coupon Printer for Windows
    CPUID HWMonitor 1.14
    DVD Decrypter (Remove Only)
    DVD Shrink 3.2
    DVD slideshow GUI 0.9.3.6
    EPSON Attach To Email
    EPSON Copy Utility 3
    EPSON Event Manager
    EPSON File Manager
    EPSON Perf 3490 3590 Guide
    EPSON Scan
    EPSON Scan Assistant
    erLT
    EVEREST Home Edition v2.20
    EVGA Precision 1.7.1
    ffdshow [rev 3029] [2009-07-10]
    Fogware e-mail Back-up and Relocator
    Free Internet Window Washer
    Google Update Helper
    Hauppauge WinTV
    Hauppauge WinTV Infrared Remote
    Hauppauge WinTV IR Blaster
    Hauppauge WinTV Scheduler
    Hauppauge WinTV TV Services
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB2756822)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB954550-v5)
    hp deskjet 5550 series (Remove only)
    HP Driver Diagnostics
    IcoFX 1.5.01
    Ideal DVD Copy V4.1.2
    IE New Window Maximizer 2.4
    ImgBurn
    Inpaint 4.3
    InterVideo FilterSDK for Hauppauge
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 37
    jv16 PowerTools 1.3
    Keylogger Hunter 1.0
    Logitech Webcam Software
    LWS Facebook
    LWS Gallery
    LWS Help_main
    LWS Launcher
    LWS Motion Detection
    LWS Pictures And Video
    LWS Twitter
    LWS Video Mask Maker
    LWS VideoEffects
    LWS Webcam Software
    LWS WLM Plugin
    LWS YouTube Plugin
    Malwarebytes Anti-Malware version 1.65.1.1000
    Marvell Miniport Driver
    MHTML Converter
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Bootvis
    Microsoft Office 97, Professional Edition
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Web Publishing Wizard 1.52
    Motorola Device Manager
    Motorola Device Software Update
    Motorola Mobile Drivers Installation 5.6.0
    Mozilla Firefox (3.6.28)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP3 Parser
    MSXML 4.0 SP3 Parser (KB2721691)
    MSXML 4.0 SP3 Parser (KB973685)
    MWSnap 3
    nanoPEG-Editor 2.3 Hauppauge Edition
    NotifyPlus
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    NVIDIA PhysX
    OGA Notifier 2.0.0048.0
    Online Manuals for WinTV (English)
    Outlook Express Quick Backup
    PC Inspector File Recovery
    PC Probe II
    Photocopier 3.05
    PowerDVD
    PrintKey2000
    PrintMaster
    PrintMaster 7.00
    Quick Letter Writer v10.05.2009
    Quick ShutDown
    QuickTime
    RealDownloader
    Revo Uninstaller 1.91
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Update Manager
    Safari
    SE Backup
    Secunia PSI (3.0.0.4001)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 7 (KB2183461)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB2416400)
    Security Update for Windows Internet Explorer 7 (KB2482017)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB2675157)
    Security Update for Windows Internet Explorer 8 (KB2699988)
    Security Update for Windows Internet Explorer 8 (KB2722913)
    Security Update for Windows Internet Explorer 8 (KB2744842)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2653956)
    Security Update for Windows XP (KB2655992)
    Security Update for Windows XP (KB2659262)
    Security Update for Windows XP (KB2660465)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB2676562)
    Security Update for Windows XP (KB2685939)
    Security Update for Windows XP (KB2686509)
    Security Update for Windows XP (KB2691442)
    Security Update for Windows XP (KB2695962)
    Security Update for Windows XP (KB2698365)
    Security Update for Windows XP (KB2705219)
    Security Update for Windows XP (KB2707511)
    Security Update for Windows XP (KB2709162)
    Security Update for Windows XP (KB2712808)
    Security Update for Windows XP (KB2718523)
    Security Update for Windows XP (KB2719985)
    Security Update for Windows XP (KB2723135)
    Security Update for Windows XP (KB2724197)
    Security Update for Windows XP (KB2727528)
    Security Update for Windows XP (KB2731847)
    Security Update for Windows XP (KB2761226)
    Serif DrawPlus 3.0
    SimpleCopier
    Skype Click to Call
    Skype™ 5.10
    Spybot - Search & Destroy
    Steam
    swMSM
    Total Commander (Remove or Repair)
    Turtle Beach Santa Cruz
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows Internet Explorer 8 (KB2598845)
    Update for Windows Internet Explorer 8 (KB2632503)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2492386)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB2661254-v2)
    Update for Windows XP (KB2718704)
    Update for Windows XP (KB2736233)
    Update for Windows XP (KB2749655)
    Update for Windows XP (KB971029)
    Viewpoint Media Player
    VLC Media Player
    VLC media player 2.0.4
    WebFldrs XP
    Windows 7 Upgrade Advisor
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Management Framework Core
    Windows Media Encoder 9 Series
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 9 Series Winter Fun Pack
    WinX HD Video Converter Deluxe 3.12.2
    XMedia Recode 2.2.8.9
    Xvid 1.2.2 final uninstall
    ZipGenius 6 (6.3.1.2640)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    11/29/2012 6:52:46 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    11/29/2012 6:52:46 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/28/2012 9:30:23 PM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
    11/28/2012 8:45:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AsIO Fips MpFilter Processor
    11/28/2012 8:44:55 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    11/27/2012 5:31:05 PM, error: Service Control Manager [7000] - The ATI WDM TV Tuner service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    11/27/2012 5:31:05 PM, error: Service Control Manager [7000] - The ATI WDM TV Audio Crossbar service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    11/27/2012 5:31:05 PM, error: Service Control Manager [7000] - The ATI WDM Specialized PCD Codec service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    11/27/2012 5:31:05 PM, error: Service Control Manager [7000] - The ATI WDM Specialized MVD Codec service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    11/27/2012 5:28:45 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the nvsvc service.
    .
    ==== End Of File ===========================
     
  5. 2012/12/02
    broni

    • Download RogueKiller to the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
     
  6. 2012/12/02
    LarryB

    RKreport[1]_S_12022012_02d2138.txt

    RogueKiller V8.3.1 [Dec 2 2012] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Dad [Admin rights]
    Mode : Scan -- Date : 12/02/2012 21:38:09

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 1 ¤¤¤
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\WINDOWS\system32\drivers\etc\hosts

    127.0.0.1 localhost
    ::1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD2500KS-00MJB0 +++++
    --- User ---
    [MBR] d01e1f2aa7b73ab091fed3fc9e11cfa1
    [BSP] 1fce5c469a5ee7652ace1171737b5ad8 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238472 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    +++++ PhysicalDrive1: WDC WD2500KS-00MJB0 +++++
    --- User ---
    [MBR] 5c10920cfd4b4eaf9566da65e3f940a4
    [BSP] 768004481fd971e7e24b4cb506d44795 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238464 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[1]_S_12022012_02d2138.txt >>
    RKreport[1]_S_12022012_02d2138.txt

    ----------------------------------------------------------------

    RKreport[2]_D_12022012_02d2139.txt


    RogueKiller V8.3.1 [Dec 2 2012] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Dad [Admin rights]
    Mode : Remove -- Date : 12/02/2012 21:39:17

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 1 ¤¤¤
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\WINDOWS\system32\drivers\etc\hosts

    127.0.0.1 localhost
    ::1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD2500KS-00MJB0 +++++
    --- User ---
    [MBR] d01e1f2aa7b73ab091fed3fc9e11cfa1
    [BSP] 1fce5c469a5ee7652ace1171737b5ad8 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238472 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    +++++ PhysicalDrive1: WDC WD2500KS-00MJB0 +++++
    --- User ---
    [MBR] 5c10920cfd4b4eaf9566da65e3f940a4
    [BSP] 768004481fd971e7e24b4cb506d44795 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238464 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[2]_D_12022012_02d2139.txt >>
    RKreport[1]_S_12022012_02d2138.txt ; RKreport[2]_D_12022012_02d2139.txt
     
  7. 2012/12/02
    broni

    So far I don't see anything malicious.

    Let's run one more scan.

    Create a new restore point before proceeding with the next step.
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    ===============================

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, restart your computer to restore your connection.
      If the connection is still not there, use the restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart the computer in Safe Mode.

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If you had to run rKill, post BOTH logs, rKill.txt and Combofix.txt.
     
  8. 2012/12/03
    LarryB

    Having trouble stopping MSE. I stopped the exe file in Task Manager but ComboFix still detects an active MSE scanner. Any suggestions? Thanks.
     
  9. 2012/12/03
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    Open MSE, select the Settings tab, click Real-time protection and un-check Turn on real-time protection.
     
  10. 2012/12/03
    broni

    If Combofix still complains run it anyway.
     
  11. 2012/12/03
    LarryB

    OK, got it! Why, may I ask, did I have to download the Recovery Console? Can I somehow eliminate the new 2-second delay in my boot-up?
    ------------------------------------------------------------
    ComboFix 12-12-02.01 - Dad 12/03/2012 20:35:09.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1486 [GMT -8:00]
    Running from: c:\documents and settings\Dad\Desktop\Your_name.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator.BLOCKFAMILY\Application Data\lpuninstall.jpg
    c:\documents and settings\Dad\Application Data\SCPSP5.DLL
    c:\documents and settings\Dad\Application Data\SCPSS5.DLL
    c:\documents and settings\Dad\WINDOWS
    c:\windows\pkunzip.pif
    c:\windows\pkzip.pif
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-11-04 to 2012-12-04 )))))))))))))))))))))))))))))))
    .
    .
    2074-05-08 02:38 . 2006-11-22 04:48 203576 ------w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
    2012-12-03 14:49 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{12D05C74-DDBA-4BC0-8548-C006FA52514A}\mpengine.dll
    2012-12-02 14:46 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-11-13 16:20 . 2012-11-13 17:20 -------- d-----w- c:\program files\Microsoft Bootvis
    2012-11-11 23:06 . 2012-11-11 23:06 -------- d-----w- C:\_OTM
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-11-19 14:22 . 2012-04-04 13:18 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-11-19 14:22 . 2011-11-13 15:20 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-10-22 08:37 . 2004-08-04 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
    2012-10-02 18:04 . 2004-08-04 12:00 58368 ----a-w- c:\windows\system32\synceng.dll
    2012-09-30 02:54 . 2010-02-26 16:10 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-09-24 22:32 . 2012-06-17 19:20 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-09-24 22:32 . 2010-05-31 17:32 473072 ----a-w- c:\windows\system32\deployJava1.dll
    2012-09-24 20:51 . 2012-06-17 19:20 73728 ----a-w- c:\windows\system32\javacpl.cpl
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 947176]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
    "TraySantaCruz"="c:\windows\system32\tbctray.exe" [2003-06-23 290816]
    .
    c:\documents and settings\Administrator.BLOCKFAMILY\Start Menu\Programs\Startup\
    Uninstall LastPass RunOnce.lnk.disabled [2012-5-14 2073]
    .
    c:\documents and settings\Dad\Start Menu\Programs\Startup\
    Notify.lnk - c:\program files\Lewe\NotifyPlus\Notify.exe [2009-6-23 880640]
    Quick ShutDown.lnk - c:\program files\Quick ShutDown\qsd.exe [2003-2-18 294400]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    IE New Window Maximizer.lnk - c:\program files\IE New Window Maximizer\iemaximizer.exe [2005-2-8 356352]
    Microsoft Office Shortcut Bar.lnk - c:\program files\Microsoft Office\Office\MSOFFICE.EXE [1997-7-10 344064]
    Notify Check.lnk.disabled [2009-7-11 1642]
    Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2009-12-20 869376]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk.disabled]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoStart IR.lnk.disabled]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk.disabled]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk.disabled]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk.disabled]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^Event Reminder.lnk.disabled]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^Secunia PSI.lnk]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2012-09-24 04:43 926896 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2012-08-28 04:32 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EVGAPrecision]
    2009-04-28 01:19 298000 ----a-w- c:\program files\EVGA Precision\EVGAPrecision.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    2002-12-10 00:19 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-09-10 06:30 421776 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2012-04-19 03:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    2012-10-13 20:03 1353080 ----a-w- c:\program files\Steam\Steam.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2012-09-17 19:41 254896 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "atr.exe"=
    "AtiPTA"=atiptaxx.exe
    "KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
    "SoundMan"=SOUNDMAN.EXE
    "nwiz"=nwiz.exe /install
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    "LWS"=c:\program files\Logitech\LWS\Webcam Software\LWS.exe -hide
    "EEventManager"=c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\WINDOWS\\system32\\dxdiag.exe"=
    "c:\\Program Files\\SimpleCopier\\simplecopier.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\1ClickDownload\\1ClickDownloader.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    .
    R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/26/2012 4:05 PM 399432]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/26/2010 8:11 AM 676936]
    R2 Motorola Device Manager;Motorola Device Manager Service;c:\program files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [5/18/2012 8:37 AM 116632]
    R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [3/23/2012 11:31 AM 31920]
    R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [9/24/2012 4:46 AM 656480]
    R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [8/19/2011 1:26 AM 450848]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/6/2009 11:01 AM 24652]
    R3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [8/19/2011 1:26 AM 22176]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/26/2010 8:10 AM 22856]
    R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [6/23/2003 11:15 AM 149632]
    R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [6/23/2003 11:15 AM 554304]
    S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [11/22/2012 10:29 AM 3290304]
    S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 12:28 PM 160944]
    S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [10/11/2009 12:23 PM 823296]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 4:00 AM 14336]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [12/16/2011 6:19 AM 15544]
    S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [9/24/2012 4:46 AM 1328736]
    S3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [6/13/2003 3:45 PM 19232]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-12-04 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 14:22]
    .
    2012-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34]
    .
    2012-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-18 16:40]
    .
    2012-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-18 16:40]
    .
    2012-12-04 c:\windows\Tasks\MpIdleTask.job
    - c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-13 00:25]
    .
    2012-11-05 c:\windows\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-1614895754-527237240-682003330-1003.job
    - c:\program files\RealNetworks\RealDownloader\recordingmanager.exe [2012-03-23 19:33]
    .
    2012-11-05 c:\windows\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-1614895754-527237240-682003330-1003.job
    - c:\program files\RealNetworks\RealDownloader\realupgrade.exe [2012-03-23 19:31]
    .
    2012-11-05 c:\windows\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-1614895754-527237240-682003330-1003.job
    - c:\program files\RealNetworks\RealDownloader\realupgrade.exe [2012-03-23 19:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://www.fastmail.fm/html/?MLS=LN-*&u=9a1841ac&&hasjs=1
    uInternet Settings,ProxyOverride = *.local;192.168.*.*
    Trusted Zone: lycos.com\webmail
    TCP: DhcpNameServer = 172.16.0.1
    TCP: Interfaces\{B4DE80D6-26CD-4D2C-B108-F218DDADD539}: NameServer = 4.2.2.1,4.2.2.2
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-12-03 20:40
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD2500KS-00MJB0 rev.02.01C03 -> Harddisk0\DR0 -> \Device\0000006e
    .
    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user != kernel MBR !!!
    sectors 488397166 (+135): user != kernel
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @DACL=(02 0010)
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @DACL=(02 0010)
    @= "{00020424-0000-0000-C000-000000000046} "
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @DACL=(02 0010)
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
    @= "?????????????????? v1 "
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
    @= "{E23FE9C6-778E-49D4-B537-38FCDE4887D8} "
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
    @= "?????????????????? v2 "
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
    @= "{9BE31822-FDAD-461B-AD51-BE1D1C159921} "
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IEHomePageInfo\RegBackup]
    @DACL=(02 0000)
    .
    Completion time: 2012-12-03 20:42:45
    ComboFix-quarantined-files.txt 2012-12-04 04:42
    .
    Pre-Run: 71,221,100,544 bytes free
    Post-Run: 71,244,849,152 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug= "do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect /bootlog
    .
    - - End Of File - - 75C4B3A07B0E3B5D2B56968E48240C0B
     
  12. 2012/12/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Recovery Console is an important troubleshooting tool and it should be present on every XP computer.

    I don't see anything malicious there.

In this forum, we make sure your computer is free of malware and your computer is clean :)
Because access to the malware forum is very limited, your best option is to create a new topic about your current issue in the Windows section.
You'll get more attention.
     
  13. 2012/12/03
    LarryB

    LarryB Well-Known Member Thread Starter

    Joined:
    2002/01/09
    Messages:
    847
    Likes Received:
    10
    My heartfelt thanks for your time and experience.
     
  14. 2012/12/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
     
