Greetings... I am a new member to DaniWeb. My Wife's system began its current symptoms about a week ago 08-10-2012. First sporadically, then seemed to escalate exponentially until 08-12-2012 when she could no longer:
1. double-click on her icons in... (we must right-click and choose OPEN)
a. the START menu
b. desktop
c. Quick Launch (which disappears after each reboot after we have clicked to have it display)
2. We could no longer move icons on the desktop to another location until I ran
a. regsvr32 ole32.dll and
b. regsvr32 /i shell32.dll
c. It solved the problem of icon movement, but still cannot double-click icons to execute applications
3. At one point we'd lost the ability to get into MSCONFIG
a. I used the entire pathname temporarily
b. I then downloaded the MSCONFIG app and placed it in the correct location (it is working now)
4. During an AVAST scan several blocks of ram display with (Trj) errors (I created screenprints if you need them)
5. 08-17-2012 I have run per readme instructions: MS Malicious Software Removal Tool, ATF Cleaner and GMER (2ce)
6. I have the following files/scans for submission
a. 08-16-2012 ComboFix... etc.
b. 08-17-2012 GMERONE (GMERONE_2) and GMERTWO (GMERTWO_2) files with _2 run AFTER Avast and Internet shutdowns
You and Your assistance is greatly appreciated, as we do not desire to wipe the drive and reinstall. Please and kindly help us.
---Rob
Rabbiedab 0 Light Poster
Edited by Rabbiedab
Rabbiedab 0 Light Poster
As an addition... my emails do not show information in the body of the email. And when we try to install program applications we receive 1909 errors the tell us a .LNK could not be created on the desktop, in Program Files and in the Start Menu areas.
---Rob (PLEASE SEE GMERONE and GMERTWO below) - Thank You
GMERONE
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-08-17 12:20:19
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-1f Maxtor_6Y160P0 rev.YAR41BW0
Running: 6g2ifgus.exe; Driver: C:\DOCUME~1\ABOZE~1\LOCALS~1\Temp\agldypog.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xB0E1C162]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xB0E1BFCD]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB0E9C744]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
---- EOF - GMER 1.0.15 ----
GMERTWO
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-17 12:24:02
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-1f Maxtor_6Y160P0 rev.YAR41BW0
Running: 6g2ifgus.exe; Driver: C:\DOCUME~1\ABOZE~1\LOCALS~1\Temp\agldypog.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xB0DDB536]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xB0E847BA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0xB0DDBF52]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xB0E1BC31]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xB0DE6D7A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xB0DE6DC6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xB0DE6F48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xB0E1B5E5]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xB0DE6CE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xB0DE6E0A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xB0DE6D30]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0xB0DDC146]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xB0DE6F02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0xB0DDC8CA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xB0DDB584]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xB0E1C2F7]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xB0E1C5AD]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xB0DDFF36]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xB0E1C162]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xB0E1BFCD]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xB0E8489E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xB0DDB1EC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xB0DDB5D2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xB0DE02A8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xB0DDD292]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xB0DE6DA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xB0DE6DE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xB0DE6F6C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xB0E1B941]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xB0DE6D0E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xB0DDFAAC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xB0DE6E8C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xB0DE6D58]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xB0DDFCDE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xB0DE6F26]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xB0E84A1E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xB0E1BE48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xB0DDD15E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xB0E1BC9A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThread [0xB0DDCD08]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xB0E90338]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xB0E1AC58]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xB0DDB620]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xB0DDB66E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0xB0DDC74A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xB0DDB276]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xB0DDB426]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xB0E1C3FE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xB0DDB3CC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0xB0DDCA2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0xB0DDCB88]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xB0DDB496]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateProcess [0xB0DDC468]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0xB0DDC5CA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xB0DDB6BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwWriteVirtualMemory [0xB0DDBF96]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB0E9C744]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 EUBKMON.sys
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
---- EOF - GMER 1.0.15 ----
Edited by Rabbiedab because: Added GMER Files
Rabbiedab 0 Light Poster
Downloaded and installed MBAM, with SETUP error messages (5) received stated: CoCreateInstance failed; Code 0x80040154 Class not registered. Each time I clicked OK another popped up... this occurred 5 times. MBAM was run anyway, since I believe those errors are possibly related to the 1909 .LNK errors received on the installation of other applications.
---Rob
Edited by Rabbiedab
Rabbiedab 0 Light Poster
MBAM, DDS, and ATTACH files
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.17.07
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
A Boze :: MTNNJ70 [administrator]
8/17/2012 2:03:52 PM
mbam-log-2012-08-17 (14-03-52).txt
Scan type: Full scan (C:\|J:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 308545
Time elapsed: 1 hour(s), 9 minute(s), 27 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by A Boze at 16:06:12 on 2012-08-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1588 [GMT -4:00]
.
AV: AVG Internet Security 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Worm Protection *Disabled*
FW: AVG Internet Security 2012 *Enabled*
.
============== Running Processes ===============
.
C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSsystem32svchost.exe -k DcomLaunch
svchost.exe
C:WINDOWSSystem32svchost.exe -k netsvcs
svchost.exe
C:WINDOWSsystem32Ati2evxx.exe
svchost.exe
C:Program FilesAVAST SoftwareAvastAvastSvc.exe
C:WINDOWSsystem32spoolsv.exe
svchost.exe
C:WINDOWSExplorer.EXE
C:Program FilesEaseUSTodo BackupbinAgent.exe
C:Program FilesEaseUSTodo BackupbinGuardAgent.exe
C:Program FilesKaspersky LabKaspersky Security Scan 2.0kss.exe
C:Program FilesCommon FilesNew BoundaryPrismXLPRISMXL.SYS
C:WINDOWSSOUNDMAN.EXE
C:Program FilesAcronisTrueImageHomeTrueImageMonitor.exe
C:Program FilesCommon FilesJavaJava Updatejusched.exe
C:WINDOWSzHotkey.exe
C:Program FilesCommon FilesAcronisSchedule2schedhlp.exe
C:Program FilesAVAST SoftwareAvastavastUI.exe
C:Program FilesEaseUSTodo BackupbinEuWatch.exe
C:Program FilesMacriumReflectReflectService.exe
C:Program FilesEaseUSTodo BackupbinTrayNotify.exe
C:WINDOWSsystem32tcpsvcs.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe
C:Program FilesMessengermsmsgs.exe
C:Program FilesKaspersky LabKaspersky Security Scan 2.0kss.exe
C:WINDOWSsystem32svchost.exe -k imgsvc
C:WINDOWSsystem32mqsvc.exe
C:WINDOWSsystem32mqtgsvc.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:program filescommon filesadobeacrobatactivexAcroIEHelperShim.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:program filesavast softwareavastaswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:program filescommon filesmicrosoft sharedwindows liveWindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:program filesgooglegoogle toolbarGoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:program filesskypetoolbarsinternet explorerskypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:program filesgooglegoogletoolbarnotifier5.7.7529.1424swg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:program filesmicrosoftbingbarBingExt.dll"
BHO: WeCareReminder Class: {d824f0de-3d60-4f57-9eb1-66033ecd8abb} - c:documents and settingsall usersapplication datawecarereminderIEHelperv2.5.0.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:program filesjavajre6binjp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:program filesjavajre6libdeployjqsiejqs_plugin.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:program filesmicrosoftbingbarBingExt.dll"
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:program filesavast softwareavastaswWebRepIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:program filesgooglegoogle toolbarGoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
uRun: [swg] "c:program filesgooglegoogletoolbarnotifierGoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:program filesmessengermsmsgs.exe" /background
uRun: [KSS] "c:program fileskaspersky labkaspersky security scan 2.0kss.exe" /autorun
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ATIPTA] c:program filesati technologiesati control panelatiptaxx.exe
mRun: [Adobe ARM] "c:program filescommon filesadobearm1.0AdobeARM.exe"
mRun: [TrueImageMonitor.exe] "c:program filesacronistrueimagehomeTrueImageMonitor.exe"
mRun: [SunJavaUpdateSched] "c:program filescommon filesjavajava updatejusched.exe"
mRun: [DiscWizardMonitor.exe] c:program filesseagatediscwizardDiscWizardMonitor.exe
mRun: [CHotkey] zHotkey.exe
mRun: [Acronis Scheduler2 Service] "c:program filescommon filesacronisschedule2schedhlp.exe"
mRun: [avast] "c:program filesavast softwareavastavastUI.exe" /nogui
mRun: [EaseUs Watch] "c:program fileseaseustodo backupbinEuWatch.exe"
mRun: [EaseUs Tray] "c:program fileseaseustodo backupbinTrayNotify.exe"
dRun: [Symantec NetDriver Warning] c:progra~1symnet~1SNDWarn.exe
dRunOnce: [tscuninstall] %systemroot%system32tscupgrd.exe
IE: E&xport to Microsoft Excel - c:progra~1micros~2office12EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49}
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:progra~1micros~2office12REFIEBAR.DLL
Trusted Zone: com.twasia.msi
Trusted Zone: com.twglobal.msi
Trusted Zone: com.twwww.msi
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/icaweb-20070115.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1341409221296
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1340846989109
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces{13A34C5E-D33B-487B-9DBF-ADC21D4E6042} : DhcpNameServer = 192.168.2.1
TCP: Interfaces{811D265C-4B3A-4255-9929-845300D3DFF5} : DhcpNameServer = 192.168.2.1
TCP: Interfaces{FE9D1B70-3CB1-49B3-A56C-AB08F55841B9} : DhcpNameServer = 192.168.2.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:program filesskypetoolbarsinternet explorerskypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:progra~1common~1skypeSKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
.
============= SERVICES / DRIVERS ===============
.
R0 EUBAKUP;EUBAKUP;c:windowssystem32driverseubakup.sys [2012-8-16 50248]
R0 EUBKMON;EUBKMON;c:windowssystem32driversEUBKMON.sys [2012-8-16 40648]
R0 pssnap;Paramount Software Snapshot Filter;c:windowssystem32driverspssnap.sys [2012-8-6 16064]
R0 vididr;Acronis Virtual Disk;c:windowssystem32driversvididr.sys [2011-12-30 125472]
R0 vidsflt53;Acronis Disk Storage Filter (53);c:windowssystem32driversvsflt53.sys [2011-12-30 83392]
R1 aswSnx;aswSnx;c:windowssystem32driversaswSnx.sys [2012-7-4 721000]
R1 aswSP;aswSP;c:windowssystem32driversaswSP.sys [2012-7-4 353688]
R1 EUDSKACS;EUDSKACS;c:windowssystem32driverseudskacs.sys [2012-8-16 14920]
R1 EUFDDISK;EUFDDISK;c:windowssystem32driversEuFdDisk.sys [2012-8-16 185032]
R1 mfehidk;McAfee Inc. mfehidk;c:windowssystem32driversmfehidk.sys [2008-10-4 214024]
R2 aswFsBlk;aswFsBlk;c:windowssystem32driversaswFsBlk.sys [2012-7-4 21256]
R2 avast! Antivirus;avast! Antivirus;c:program filesavast softwareavastAvastSvc.exe [2012-7-4 44808]
R2 EaseUS Agent;EaseUS Agent Service;c:program fileseaseustodo backupbinAgent.exe [2012-8-16 69192]
R2 Guard Agent;Guard Agent Service;c:program fileseaseustodo backupbinGuardAgent.exe [2012-8-16 23624]
R2 Iprip;RIP Listener;c:windowssystem32svchost.exe -k netsvcs [2004-8-4 14336]
R2 KSS;Kaspersky Security Scan Service;c:program fileskaspersky labkaspersky security scan 2.0kss.exe [2012-4-25 202296]
R2 ReflectService.exe;Macrium Reflect Image Mounting Service;c:program filesmacriumreflectReflectService.exe [2012-8-6 224960]
S1 SBRE;SBRE;??c:windowssystem32driverssbredrv.sys --> c:windowssystem32driversSBREdrv.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:windowsmicrosoft.netframeworkv4.0.30319mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:program filesgoogleupdateGoogleUpdate.exe [2010-2-1 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:windowssystem32macromedflashFlashPlayerUpdateService.exe [2012-6-29 250056]
S3 BBSvc;Bing Bar Update Service;c:program filesmicrosoftbingbarBBSvc.EXE [2011-2-28 183560]
S3 gupdatem;Google Update Service (gupdatem);c:program filesgoogleupdateGoogleUpdate.exe [2010-2-1 135664]
S3 mfeavfk;McAfee Inc. mfeavfk;c:windowssystem32driversmfeavfk.sys [2008-10-4 79880]
S3 mfebopk;McAfee Inc. mfebopk;c:windowssystem32driversmfebopk.sys [2008-10-4 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:windowssystem32driversmferkdk.sys [2008-10-4 34216]
S3 mfesmfk;McAfee Inc. mfesmfk;c:windowssystem32driversmfesmfk.sys [2008-10-4 40552]
S3 Vsp;Vsp;c:windowssystem32driversvsp.sys [2005-4-17 3351]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:windowsmicrosoft.netframeworkv4.0.30319wpfWPFFontCache_v0400.exe [2010-3-18 753504]
S4 DefaultTabSearch;DefaultTabSearch;c:program filesdefaulttabDefaultTabSearch.exe [2012-5-18 563200]
S4 PortEmulator;Port Emulator (Star);c:program filesstarmicronicstsp100software20070601portemu.exe [2007-5-27 98304]
S4 SgtSch2Svc;Seagate Scheduler2 Service;c:program filescommon filesseagateschedule2schedul2.exe [2008-6-24 431384]
S4 Symantec Core LC;Symantec Core LC;c:program filescommon filessymantec sharedccpd-lcsymlcsvc.exe [2006-6-6 1251720]
.
=============== Created Last 30 ================
.
2012-08-17 17:52:27 22344 ----a-w- c:windowssystem32driversmbam.sys
2012-08-17 17:52:27 -------- d-----w- c:program filesMalwarebytes' Anti-Malware
2012-08-17 12:54:55 -------- d-----w- C:HJT
2012-08-17 03:44:58 -------- d-----w- c:program filesKaspersky Lab
2012-08-17 03:44:58 -------- d-----w- c:documents and settingsall usersapplication dataKaspersky Lab
2012-08-17 02:30:06 -------- d-----w- c:documents and settingsall usersapplication dataGFI Software
2012-08-17 02:00:02 -------- d-----w- c:documents and settingsa bozelocal settingsapplication dataadaware
2012-08-17 02:00:00 -------- d-----w- c:documents and settingsall usersapplication dataAd-Aware Browsing Protection
2012-08-17 01:54:43 -------- d-----w- c:program filesAd-Aware Antivirus
2012-08-17 01:54:18 -------- d-----w- c:documents and settingsa bozelocal settingsapplication dataDownloaded Installations
2012-08-16 21:41:59 306176 --sha-w- C:EUMONBMP.SYS
2012-08-16 21:04:15 -------- d-----w- c:windowssystem32NtmsData
2012-08-16 20:56:57 19528 ----a-w- c:windowssystem32fbnative.exe
2012-08-16 20:52:09 -------- d-----w- c:documents and settingsa bozelocal settingsapplication dataLittle_Apps
2012-08-16 20:33:08 -------- d-----w- c:program filescommon filesLittle Registry Cleaner
2012-08-16 20:32:16 -------- d-----w- c:program filesLittle Registry Cleaner
2012-08-16 20:25:27 -------- d-----w- c:program filesMacrium
2012-08-16 19:22:05 -------- d-sh--w- C:BOOT
2012-08-16 18:57:45 185032 ----a-w- c:windowssystem32driversEuFdDisk.sys
2012-08-16 18:57:44 50248 ----a-w- c:windowssystem32driverseubakup.sys
2012-08-16 18:57:44 14920 ----a-w- c:windowssystem32driverseudskacs.sys
2012-08-16 18:57:43 40648 ----a-w- c:windowssystem32driversEUBKMON.sys
2012-08-16 18:54:05 -------- d-----w- c:program filesEaseUS
2012-08-12 13:25:44 -------- d-----w- c:documents and settingsall usersapplication dataIObit
2012-08-12 13:25:21 -------- d-----w- c:documents and settingsa bozeapplication dataIObit
2012-08-12 13:25:09 -------- d-----w- c:program filesIObit
2012-08-12 13:08:02 -------- d-----w- c:program filesCCleaner
2012-08-09 01:05:20 -------- d-----w- c:program filesFreeze.com
2012-08-09 01:04:15 99840 -c----w- c:windowssystem32dllcachesrvsvc.dll
2012-08-09 01:03:47 75776 -c----w- c:windowssystem32dllcachestrmfilt.dll
2012-08-09 01:03:47 265728 -c----w- c:windowssystem32dllcachehttp.sys
2012-08-09 01:03:47 25088 -c----w- c:windowssystem32dllcachehttpapi.dll
2012-08-08 19:44:24 -------- d-----w- C:EmergencyUtils
2012-08-08 19:13:14 30512 ----a-w- c:windowssystem32spoolprtprocsw32x86mdippr.dll
2012-08-08 19:13:14 29552 ----a-w- c:windowssystem32mdimon.dll
2012-08-08 19:07:00 471552 -c----w- c:windowssystem32dllcacheaclayers.dll
2012-08-08 18:25:43 139784 -c----w- c:windowssystem32dllcacherdpwd.sys
2012-08-08 18:25:32 12800 -c----w- c:windowssystem32dllcachexpshims.dll
2012-08-08 18:25:30 629760 -c----w- c:windowssystem32dllcachemsfeeds.dll
2012-08-08 18:25:30 55296 -c----w- c:windowssystem32dllcachemsfeedsbs.dll
2012-08-08 18:25:30 521728 -c----w- c:windowssystem32dllcachejsdbgui.dll
2012-08-08 18:25:29 743424 -c----w- c:windowssystem32dllcacheiedvtool.dll
2012-08-08 18:25:29 247808 -c----w- c:windowssystem32dllcacheieproxy.dll
2012-08-08 18:25:29 2000384 -c----w- c:windowssystem32dllcacheiertutil.dll
2012-08-08 18:25:29 11111424 -c----w- c:windowssystem32dllcacheieframe.dll
2012-08-08 18:25:11 599040 -c----w- c:windowssystem32dllcachecrypt32.dll
2012-08-08 18:24:52 1866112 -c----w- c:windowssystem32dllcachewin32k.sys
2012-08-08 18:24:46 177664 -c----w- c:windowssystem32dllcachewintrust.dll
2012-08-08 18:24:45 148480 -c----w- c:windowssystem32dllcacheimagehlp.dll
2012-08-08 18:24:34 23040 -c----w- c:windowssystem32dllcachemciseq.dll
2012-08-08 18:24:34 176128 -c----w- c:windowssystem32dllcachewinmm.dll
2012-08-08 18:24:19 386048 -c----w- c:windowssystem32dllcacheqdvd.dll
2012-08-08 18:24:13 60416 -c----w- c:windowssystem32dllcachepackager.exe
2012-08-08 18:23:39 456320 -c----w- c:windowssystem32dllcachemrxsmb.sys
2012-08-08 18:23:37 10496 -c----w- c:windowssystem32dllcachendistapi.sys
2012-08-08 18:23:31 33280 -c----w- c:windowssystem32dllcachecsrsrv.dll
2012-08-08 18:23:31 293376 -c----w- c:windowssystem32dllcachewinsrv.dll
2012-08-08 18:23:22 551936 -c----w- c:windowssystem32dllcacheoleaut32.dll
2012-08-08 18:23:19 105472 -c----w- c:windowssystem32dllcachemup.sys
2012-08-08 18:23:13 361600 -c----w- c:windowssystem32dllcachetcpip.sys
2012-08-08 18:23:12 45568 -c----w- c:windowssystem32dllcachednsrslvr.dll
2012-08-08 18:23:12 245248 -c----w- c:windowssystem32dllcachemswsock.dll
2012-08-08 18:23:12 149504 -c----w- c:windowssystem32dllcachednsapi.dll
2012-08-08 18:23:12 138496 -c----w- c:windowssystem32dllcacheafd.sys
2012-08-08 18:23:04 290432 -c----w- c:windowssystem32dllcacheatmfd.dll
2012-08-08 18:22:58 229888 -c----w- c:windowssystem32dllcachefxscover.exe
2012-08-08 18:22:46 357888 -c----w- c:windowssystem32dllcachesrv.sys
2012-08-08 18:22:37 677888 -c----w- c:windowssystem32dllcachelhmstsc.exe
2012-08-08 18:22:37 2067456 -c----w- c:windowssystem32dllcachelhmstscx.dll
2012-08-08 18:22:31 270848 -c----w- c:windowssystem32dllcachesbe.dll
2012-08-08 18:22:31 186880 -c----w- c:windowssystem32dllcacheencdec.dll
2012-08-08 18:22:23 135168 -c----w- c:windowssystem32dllcacheshsvcs.dll
2012-08-08 18:22:03 439296 -c----w- c:windowssystem32dllcacheshimgvw.dll
2012-08-08 18:22:01 8462848 -c----w- c:windowssystem32dllcacheshell32.dll
2012-08-08 18:20:10 406016 -c----w- c:windowssystem32dllcacheusp10.dll
2012-08-08 18:20:07 3558912 -c----w- c:windowssystem32dllcachemoviemk.exe
2012-08-08 18:19:52 456704 -c----w- c:windowssystem32dllcachesmtpsvc.dll
2012-08-08 18:19:26 744448 -c----w- c:windowssystem32dllcachehelpsvc.exe
2012-08-08 18:19:19 65536 -c----w- c:windowssystem32dllcacheasycfilt.dll
2012-08-08 18:19:03 692736 -c----w- c:windowssystem32dllcacheinetcomm.dll
2012-08-08 18:19:03 1315328 -c----w- c:windowssystem32dllcachemsoe.dll
2012-08-08 18:18:56 226880 -c----w- c:windowssystem32dllcachetcpip6.sys
2012-08-08 18:18:55 100864 -c----w- c:windowssystem32dllcache6to4svc.dll
2012-08-08 18:18:49 86016 -c----w- c:windowssystem32dllcachecabview.dll
2012-08-08 18:18:34 343040 -c----w- c:windowssystem32dllcachemspaint.exe
2012-08-08 18:18:23 8704 -c----w- c:windowssystem32dllcachetsbyuv.dll
2012-08-08 18:18:23 84992 -c----w- c:windowssystem32dllcacheavifil32.dll
2012-08-08 18:18:23 48128 -c----w- c:windowssystem32dllcacheiyuv_32.dll
2012-08-08 18:18:23 11264 -c----w- c:windowssystem32dllcachemsrle32.dll
2012-08-08 18:18:07 17920 -c----w- c:windowssystem32dllcachemsyuv.dll
2012-08-08 18:18:07 1292288 -c----w- c:windowssystem32dllcachequartz.dll
2012-08-08 18:18:01 474112 -c----w- c:windowssystem32dllcacheshlwapi.dll
2012-08-08 18:16:58 204800 -c----w- c:windowssystem32dllcachemswebdvd.dll
2012-08-08 18:15:57 218112 -c----w- c:windowssystem32dllcachewordpad.exe
2012-08-08 18:15:50 286720 -c----w- c:windowssystem32dllcachegdi32.dll
2012-08-08 18:15:48 337920 -c----w- c:windowssystem32dllcachenetapi32.dll
2012-08-08 18:15:32 331776 -c----w- c:windowssystem32dllcachemsadce.dll
2012-08-08 18:15:27 253952 -c----w- c:windowssystem32dllcachees.dll
2012-08-08 18:15:22 74240 -c----w- c:windowssystem32dllcachemscms.dll
2012-08-08 18:15:01 90112 -c----w- c:windowssystem32dllcachewshext.dll
2012-08-08 18:15:01 180224 -c----w- c:windowssystem32dllcachescrobj.dll
2012-08-08 18:15:01 172032 -c----w- c:windowssystem32dllcachescrrun.dll
2012-08-08 18:15:01 155648 -c----w- c:windowssystem32dllcachewscript.exe
2012-08-08 18:15:01 135168 -c----w- c:windowssystem32dllcachecscript.exe
2012-08-08 18:14:59 272128 -c----w- c:windowssystem32dllcachebthport.sys
2012-08-08 18:14:56 203136 -c----w- c:windowssystem32dllcachermcast.sys
2012-08-07 20:08:17 -------- d---a-w- C:Kaspersky Rescue Disk 10.0
2012-08-06 19:05:10 12992 ----a-w- c:windowssystem32driversPSVolAcc.sys
2012-08-06 19:05:02 16064 ----a-w- c:windowssystem32driverspssnap.sys
2012-08-06 19:04:56 53952 ----a-w- c:windowssystem32driverspsmounter.sys
2012-08-04 20:16:18 -------- d-----w- C:1081a87273cf5e78fa
2012-08-04 19:25:14 -------- d-----w- c:documents and settingsa bozelocal settingsapplication datavisi_coupon
2012-08-04 19:24:36 -------- d-----w- c:documents and settingsall usersapplication dataWeCareReminder
2012-08-04 19:24:14 -------- d-----w- c:documents and settingsall usersapplication dataTarma Installer
2012-08-04 19:24:12 -------- d-----w- c:program filesDefaultTab
2012-08-04 19:24:06 -------- d-----w- c:documents and settingsa bozeapplication dataDefaultTab
.
==================== Find3M ====================
.
2012-08-15 17:19:57 426184 ----a-w- c:windowssystem32FlashPlayerApp.exe
2012-08-15 17:19:56 70344 ----a-w- c:windowssystem32FlashPlayerCPLApp.cpl
2012-07-06 13:58:51 78336 ----a-w- c:windowssystem32browser.dll
2012-07-04 14:32:05 221184 ------w- c:windowssystem32ATIDEMGR.dll
2012-07-04 14:31:17 9324032 ------w- c:windowssystem32RTLCPL.EXE
2012-07-04 14:31:17 77824 ----a-w- c:windowsSOUNDMAN.EXE
2012-07-04 14:31:16 16166912 ------w- c:windowssystem32ALSNDMGR.CPL
2012-07-04 14:31:16 156672 ------w- c:windowssystem32RTLCPAPI.dll
2012-07-04 14:31:15 2300928 ------w- c:windowssystem32driversALCXWDM.SYS
2012-07-04 14:30:40 70144 ------w- c:windowssystem32driversRtlnicxp.sys
2012-07-04 14:05:18 139784 ------w- c:windowssystem32driversrdpwd.sys
2012-07-03 16:21:53 721000 ----a-w- c:windowssystem32driversaswSnx.sys
2012-07-03 16:21:32 41224 ----a-w- c:windowsavastSS.scr
2012-07-03 13:40:15 1866112 ------w- c:windowssystem32win32k.sys
2012-07-02 17:49:33 916992 ----a-w- c:windowssystem32wininet.dll
2012-07-02 17:49:32 43520 ------w- c:windowssystem32licmgr10.dll
2012-07-02 17:49:32 1469440 ------w- c:windowssystem32inetcpl.cpl
2012-07-02 12:05:43 385024 ------w- c:windowssystem32html.iec
2012-06-20 13:12:08 3993600 ----a-w- c:program filesGUT55.tmp
2012-06-07 00:59:42 1070152 ----a-w- c:windowssystem32MSCOMCTL.OCX
2012-06-05 15:50:25 1372672 ----a-w- c:windowssystem32msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:windowssystem32msxml3.dll
2012-06-04 21:35:26 222448 ------w- c:windowssystem32muweb.dll
2012-06-04 04:32:08 152576 ----a-w- c:windowssystem32schannel.dll
2012-06-02 19:19:44 22040 ------w- c:windowssystem32wucltui.dll.mui
2012-06-02 19:19:38 219160 ----a-w- c:windowssystem32wuaucpl.cpl
2012-06-02 19:19:38 15384 ------w- c:windowssystem32wuaucpl.cpl.mui
2012-06-02 19:19:34 15384 ------w- c:windowssystem32wuapi.dll.mui
2012-06-02 19:19:30 17944 ------w- c:windowssystem32wuaueng.dll.mui
2012-06-02 19:18:58 275696 ----a-w- c:windowssystem32mucltui.dll
2012-06-02 19:18:58 17136 ----a-w- c:windowssystem32mucltui.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:windowssystem32crypt32.dll
2000-02-24 21:07:14 570128 -c--a-w- c:program filescommon filesDAO350.DLL
1996-08-06 03:00:00 456464 -c--a-w- c:program filescommon filesDAO3032.DLL
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6Y160P0 rev.YAR41BW0 -> Harddisk0DR0 -> DeviceIdeIdeDeviceP4T0L0-1f
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EE140] -> DeviceHarddisk0DR0[0x8A6C8AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE140] -> Device000007e[0x8A6E5650]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE140] -> DeviceIdeIdeDeviceP4T0L0-1f[0x8A69BD98]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
DeviceParallel0.5 -> ??LPTENUM#IMGVP0#4&2c514809&0&LPT1.5#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
.
============= FINISH: 16:07:33.95 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: DeviceHarddiskVolume1
Install Date: 7/5/2012 1:19:49 AM
System Uptime: 8/17/2012 3:59:33 PM (1 hours ago)
.
Motherboard: | | MS-7093
Processor: AMD Athlon(tm) 64 Processor 3200+ | Socket 939 | 1989/199mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 107.977 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
I: is CDROM ()
J: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394NIC1394988DA710DC00
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394NIC1394988DA710DC00
Service: NIC1394
.
Class GUID: {1860459D-4692-4825-B761-44A725991050}
Description: Acronis Backup Archive Explorer
Device ID: ROOTACRONISDEVICES002
Manufacturer: Acronis, Inc.
Name: Acronis Backup Archive Explorer
PNP Device ID: ROOTACRONISDEVICES002
Service: timounter
.
Class GUID: {1860459D-4692-4825-B761-44A725991050}
Description: Acronis Backup Archive Explorer
Device ID: ROOTSEAGATEDEVICES000
Manufacturer: Acronis, Inc.
Name: Acronis Backup Archive Explorer
PNP Device ID: ROOTSEAGATEDEVICES000
Service: timounter
.
==== System Restore Points ===================
.
RP1: 7/5/2012 1:28:14 AM - System Checkpoint
RP2: 7/5/2012 1:36:30 AM - Installed Windows Internet Explorer 8.
RP3: 7/5/2012 2:15:07 AM - Installed Windows XP Service Pack 3.
RP4: 7/5/2012 7:37:02 PM - System Checkpoint
RP5: 7/7/2012 4:37:07 PM - System Checkpoint
RP6: 7/10/2012 12:33:33 PM - System Checkpoint
RP7: 7/15/2012 5:33:32 PM - System Checkpoint
RP8: 7/19/2012 10:15:24 AM - System Checkpoint
RP9: 7/26/2012 12:02:08 PM - System Checkpoint
RP10: 7/31/2012 11:50:54 AM - System Checkpoint
RP11: 8/1/2012 4:39:06 PM - System Checkpoint
RP12: 8/7/2012 9:26:48 AM - System Checkpoint
RP13: 8/7/2012 10:59:46 AM - Configured Microsoft Office Home and Student 2007
RP14: 8/7/2012 11:00:57 AM - Configured Microsoft Office Home and Student 2007
RP15: 8/8/2012 1:29:30 PM - Removed Microsoft Office Home and Student 2007
RP16: 8/8/2012 1:30:07 PM - Removed Microsoft Office Home and Student 2007
RP17: 8/8/2012 1:51:11 PM - Installed Windows XP KB942288-v3.
RP18: 8/8/2012 2:27:48 PM - Software Distribution Service 3.0
RP19: 8/8/2012 3:09:02 PM - Software Distribution Service 3.0
RP20: 8/8/2012 3:13:12 PM - Printer Driver Microsoft Office Document Image Writer Installed
RP21: 8/8/2012 4:20:49 PM - Removed NetAssistant
RP22: 8/8/2012 9:05:16 PM - Removed NetAssistant
RP23: 8/8/2012 9:05:37 PM - Software Distribution Service 3.0
RP24: 8/8/2012 9:27:03 PM - Removed SavetheChildren Reminder by We-Care.com v4.1.17.4
RP25: 8/8/2012 9:35:51 PM - Installed Microsoft Office Professional 2007
RP26: 8/8/2012 9:37:57 PM - Configured Microsoft Office Home and Student 2007
RP27: 8/8/2012 9:43:31 PM - Printer Driver Send To Microsoft OneNote Driver Installed
RP28: 8/8/2012 9:43:51 PM - Printer Driver Microsoft Office Document Image Writer Installed
RP29: 8/8/2012 10:04:36 PM - Software Distribution Service 3.0
RP30: 8/10/2012 9:34:24 AM - System Checkpoint
RP31: 8/12/2012 9:37:22 PM - System Checkpoint
RP32: 8/13/2012 6:00:34 PM - Software Distribution Service 3.0
RP33: 8/14/2012 10:04:01 AM - Software Distribution Service 3.0
RP34: 8/15/2012 12:04:51 AM - Software Distribution Service 3.0
RP35: 8/15/2012 4:50:21 AM - Software Distribution Service 3.0
RP36: 8/16/2012 5:58:25 AM - System Checkpoint
RP37: 8/16/2012 4:20:07 PM - Installed Macrium Reflect Free Edition
RP38: 8/16/2012 4:22:59 PM - Removed Macrium Reflect Free Edition
RP39: 8/16/2012 4:25:17 PM - Installed Macrium Reflect Free Edition
RP40: 8/16/2012 4:32:16 PM - I
RP41: 8/16/2012 4:36:53 PM - Before Little Registry Cleaner Registry Fix
RP42: 8/16/2012 4:38:33 PM - Before Little Registry Cleaner Registry Fix
RP43: 8/16/2012 4:39:24 PM - Before Little Registry Cleaner Registry Fix
RP44: 8/16/2012 4:40:24 PM - Before Little Registry Cleaner Registry Fix
RP45: 8/16/2012 4:41:21 PM - Before Little Registry Cleaner Registry Fix
RP46: 8/16/2012 4:42:49 PM - Before Little Registry Cleaner Registry Fix
RP47: 8/16/2012 4:44:07 PM - Before Little Registry Cleaner Registry Fix
RP48: 8/16/2012 4:44:58 PM - Before Little Registry Cleaner Registry Fix
RP49: 8/16/2012 11:44:57 PM - Installed Kaspersky Security Scan.
.
==== Installed Programs ======================
.
Acronis True Image WDÂ Edition
Ad-Aware Browsing Protection
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader X (10.1.4)
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
avast! Free Antivirus
Avery Wizard 3.1
Bi-Admin
Bing Bar
Brother BRAdmin Professional 2.59
Brother Driver Deployment Wizard
Brother HL-5250DN
CCleaner
Citrix Presentation Server Web Client for Win32
Compatibility Pack for the 2007 Office system
Contributions @ Home
CT-S300 x32 v157
Data Lifeguard Diagnostic for Windows
Davar3 (remove all files)
DefaultTab Chrome
Digital Media Reader
EaseUS Todo Backup Free 5.0
Freeze.com NetAssistant
Glary Undelete 1.8.0.468
Glary Utilities 2.41.0.1358
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
HP Product Detection
IrfanView (remove only)
ISO Recorder
Java Auto Updater
Java(TM) 6 Update 29
Kaspersky Security Scan
LightScribe 1.4.136.1
Linksys PrintServer Driver
Little Registry Cleaner
LiveReg (Symantec Corporation)
Macrium Reflect Free Edition
Malwarebytes Anti-Malware version 1.62.0.1300
Membership Plus 6.0 for Windows
Membership Plus 7.0
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Default Manager
Microsoft Download Manager
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Professional with FrontPage
Microsoft Software Update for Web Folders (English) 12
Microsoft UI Engine
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Windows Journal Viewer
Microsoft Word Viewer 97
Modem Assistant
Mozilla Firefox 9.0.1 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB973686)
Multimedia Keyboard Driver
NetAssistant
OGA Notifier 2.0.0048.0
Photo Pos Pro
Platform
Quick View Plus
Quicken Deluxe 98
QuickVerse 2009 Starter
Realtek AC'97 Audio
SavetheChildren Reminder by We-Care.com v4.1.17.4
SeaTools for Windows
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596856) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2124261)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2290570)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB970483)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976323)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Skype Toolbars
Skypeâ„¢ 4.2
Soft Data Fax Modem with SmartCP
Symantec KB-DocID:2003093015493306
TSP100 Setup Version 3.0.0
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687400) 32-Bit Edition
Update for Windows XP (KB2345886)
Update for Windows XP (KB2718704)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB973815)
VIA Audio Driver Setup Program
VIA Platform Device Manager
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Live OneCare safety scanner
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
8/16/2012 11:38:58 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SBRE
8/15/2012 4:04:13 AM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 001109136211 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
8/13/2012 2:29:05 AM, error: DCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {D851F103-8C90-4321-AFF0-58BA5BD421C2} to the user NT AUTHORITYSYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
8/13/2012 10:58:49 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service IISADMIN with arguments "" in order to run the server: {A9E69610-B80D-11D0-B9B9-00A0C922E750}
8/13/2012 10:01:38 AM, error: Service Control Manager [7001] - The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
8/13/2012 10:01:38 AM, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
8/12/2012 9:48:12 AM, error: Service Control Manager [7034] - The Advanced SystemCare Service 5 service terminated unexpectedly. It has done this 1 time(s).
8/12/2012 8:44:20 AM, error: Dhcp [1002] - The IP address lease 192.168.1.104 for the Network Card with network address 001109136211 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================
Edited by Rabbiedab because: Added mbam dds attach files
ben.matthews18 0 Light Poster
Forget iv, back the lot up and wipe it, simple
Rabbiedab 0 Light Poster
Ben... kindly elaborate on "forget iv, back the lot up and wipe it".
Thanks,
---Rob
gerbil 216 Industrious Poster
Hello, Rabbie, some things for you to do.
GMER shows nothing, nor does MBAM.
DDS shows that you have two AV services, my advice would be to uninstall AVG - get and run the uninstaller tool from their website for complete removal.
Or if you so wish, do that procedure to Avast and keep AVG.
Next, go to the Norton site and get their removal tool for the product you had, and run it.
Next, go to the McAfee site and get their removal tool for the product you had, and run it.
I'd uninstall Adaware in preference to MBAM, the latter now is far better. As a browser protection, well, your AV service should provide that.
In IE options, I'd clear out all trusted zone entries, including the MSI ones. Trust no-one.
Acronis, Paramount, Macrium and Easeus? That's a collection.
Little Registry Cleaner. I doubt you could tell the difference after running it. IoBit.
What is in C:\BOOT?
What is c:\program files\GUT55.tmp?
Would you please get RogueKiller from http://majorgeeks.com/RogueKiller_d6983.html
-start it with a dclick and wait for the initial scan to complete. Press the report button, post the log that pops in notepad. Do not remove anything at this stage.
Rabbiedab 0 Light Poster
How kind of you gerbil to respond. I will follow your directions to the "T" and will post what you have requested. Again thank you for Y-O-U, your time and your expertise.
---RAB
Rabbiedab 0 Light Poster
Greetings gerbil,
Sorry it took so long to get back to you. This system is so bogged down with nasties
it is rather difficult to get the necessary information requested, which results in my
having to find the work-arounds to provide the requests.
I took your advice and removed the ghost AVG -
AVG was uninstalled months ago before Avast was installed -
However,
AVG's Removal tool ran successfully
Norton's Removal tool ran successfully
McAfee's Removal tool ran successfully
.
I uninstalled Ad-Aware and kept MBAM
.
In IE options, I tried to clear out all trusted zone entries, including the MSIs
but none of the following MSIs would stay removed
http://asia.msi.com.tw - http://gobal.msi.com/tw - http://www.msi.com.tw
.
Acronis, Paramount, Macrium and Easeus? That's a collection
I wasn't sure of what you desired me to do with these... however,
EaseUS was uninstalled because it would not allow me to SAFEBOOT it always
(hung at EUBAKUP)
Acronis I believe is not necessary. It shows up in Device Manager with
exclamation points and can, I believe be removed
Macrium Reflect is what I use to create "just-in-case" image and clone files
I do not know what Paramount is. It no longer show up in Program Files or Add/Remove
Little Registry Cleaner, you're right I'm not sure if I could tell the difference after running it. I run IObit because it "seems" to periodically catch something.
C:\BOOT no longer appears in the root of drive C.
It is a folder that typically contains the reflect.cfg fi
The GUT55.tmp no longer exists in thProgram File directory.
What I do see is GUM54.tmp which is the Google CrashUpdater file folder
Got RogueKiller from http://majorgeeks.com/RogueKiller_d6983.html
and renamed it RK just in case the nasties have the intelligence to decipher
what the program is and prevent it from installing successfully, like MBAM (no .LNK files can be created [1909 error code])
.
The RK report follows.....
RogueKiller V7.6.6 [08/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: A Boze [Admin rights]
Mode: Scan -- Date: 08/21/2012 03:50:20
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 1 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [LOADED] ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: Maxtor 6Y160P0 +++++
--- User ---
[MBR] cc06d9d8ebe9159cb7d401e8e2800180
[BSP] 59fc22baf5ca17141c6b76e622d9bf77 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
gerbil 216 Industrious Poster
Thanks, Rabbie, for that info.
I see now that C:\BOOT\ (reflect.cfg) is a Macrium folder. That's fine, I just could not tell.
"Acronis, Paramount, Macrium and Easeus? That's a collection" I wasn't making any point there, really, except that i was thinking that any one of them should suffice as a keeper; no harm at all in playing with stuff, though. They're all good. I played with Easeus for a bit, and then kept MiniTools Partition Wizard (I'm not actually recommending it, just chatting).
I think this: DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab ... ie MSI LiveUpdate is what could be holding those 3 URLs in your trusted Zone? They are safe in themselves, I just think it is not a good habit to get into, trusting sites so that they bypass your normal net security checks.
Registry cleaners... examine closely the entries they suggest removing; some keys don't appear to have any data associated with them, but a software may check to see that the key exists.
c:\program files\GUT55.tmp - it seemed a strange place for a temp file, but i see now that it was asscociated with Google. They live by their own rules.
Stuff to do:
Go here... http://www.vistax64.com/tutorials/233243-default-file-type-associations-restore.html and get the lnk file associaton reg file, merge it. That should fix your dclick problem with icons.
QuickLaunch: I think that repairing the lnk file association will fix this, if not then navigate to this folder: C:\Users\YOU\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch ...temporarily set explorer so as to not hide Protected OpSys files via Folder Options, then rename desktop.ini to desktop.ini.bad. Close and restart explorer.
I'd like to see that Combofix log.
Edited by gerbil
Rabbiedab 0 Light Poster
Thank you much gerbil
.
When I try to post the ComboFix info I get a message that tells me to use the Code button.
I do that and it stll does not work. How do I get you the data?
.
As far as I remember I did not place those msi files in the Security tab.
I do not know how or why they got there. Is this an indicator of the problem?
.
The following URL gives me an oops can't find this site address message.
http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
.
I just want to ensure my understanding of your directions so I may follow them:
In taking note of the .LNK association site it indicates VISTA 64-bit and
I'm running Win XP 32-bit. Will it matter if I run the VISTA association reg file against Win XP? http:/
gerbil 216 Industrious Poster
THIS is the XP lnk file association fix download: http://www.dougknox.com/xp/fileassoc/linkfile_fix.zip
Well caught [nothing would have died...]. Just extract the .reg file, rclick it and choose Merge.
Here is the parent page of the site, it's pretty handy, Knox is well respected. http://www.dougknox.com/xp/file_assoc.htm
As far as the Combofix log is concerned, zip it and attach it to a post. I have no idea why the code button does not work for you, it's a site bug that makes you even have to use it.
This... DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab is an ActiveX control; it's not working so you can remove it: got to Windows\downloaded program files folder, select it, rclick and choose Remove.
Edited by gerbil
mikehussey 0 Newbie Poster
ok good one
Rabbiedab 0 Light Poster
gerbil I aoologize... it seems my mouse and keyboard are conspiring against me LOL (I'm seriously believing their drivers are affected by the nasties as well). I cannot get the 8/14-15/2012 ComboFix report to post at the moment. So, Iim going to try one more thing. I will create a new report file and name it something else and attach it.
Rabbiedab 0 Light Poster
gerbil I aoologize... it seems my mouse and keyboard are conspiring against
me LOL (I'm seriously believing their drivers are affected by the nasties as
well). I cannot get the 8/14-15/2012 ComboFix report to post at the moment.
So, Iim going to try one more thing. I will create a new report file and name
it something else and attach it.
Rabbiedab 0 Light Poster
gerbil...
A. The dougknox.com zipfile download worked
B. when I click on the URL below in #1 the URL in #2 popsup
1. http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
2. POPUP
jar:file:///C:/Program%20Files/Mozilla%
20Firefox/omni.ja!/chrome/browser/content/browser/undefinedliveupdate.msi.com
.twautobios/LOnline/install.cab
gerbil 216 Industrious Poster
Rabbie, please don't run Combofix again - I would like to see the report from the first one. If that sys is giving you problems transfer the log by UFD to another sys and post it.
As I put in the previous post, just remove that MSI ActiveX control. If you visit the site again to download a file it will give you a fresh one.
Edited by gerbil
Rabbiedab 0 Light Poster
We've never had a virus attack like this one. Ah finally I'm able to get to Daniweb. Our systems had been taken over by a plethora of these vermin. I was able to run something called (prevx/webroot) on my system to delete some nasties and here I am finally on Daniweb again. I will get the combofix file of her system for you, but I'm not sure of what UFD stands for. Please forgive my ignorance.
gerbil 216 Industrious Poster
UFD = USB FlashDrive.
Without a log from Combofix I cannot see what has happened. I can only guess as to your attack vector. Could you post your screenshots of the Avast ram message concerning a trojan?
==Download OTL from http://oldtimer.geekstogo.com/OTL.exe to your Desktop.
- Double click on the icon to start the application.
- Press Scan All Users, Minimal Output, Standard Registry ALL, check both LOP and Purity boxes
- Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT
- Press Run Scan.
The scan will take maybe 5 minutes; a notepad will present [saved to the place from where you ran OTL.exe] - please post.
Edited by gerbil
Rabbiedab 0 Light Poster
gerbil,
I hope the Combofix attaches to this post
---rabbie
Edited by Rabbiedab because: I don't see my combofix file attached
Rabbiedab 0 Light Poster
gerbil,
can yo see the combofix report recently inserted into forum?
gerbil 216 Industrious Poster
Nope, no combofix attachment.. :(
Don't wory about that Teredo service in the attachment above :http://technet.microsoft.com/en-us/library/bb457011.aspx
Rabbiedab 0 Light Poster
The OTL was run... but I'm having trouble pasting the report output!
Each time I try to save the report ALT-S the following message comes up: "The code snippet in your post is formatted incorrectly. Please use the Code button in the editor toolbar when posting whitespace-sensitive text or curly braces." I don't have a clue how I can get you the combofix and the OTL reports.
Rabbie
Rabbiedab 0 Light Poster
gerbil thank you for the heads up on Teredo. I'm at wits end this evening as I'm sure you are, witth your other newbies like me :-). The reports can be attached to an email. Do you have a "just-for-junk" email acount I can send the attachments to? I even thought of creating a Yahoo group just for the exchange of files like these. But even there I could not create an new group. Our systems are truly nastied to the Nth degree. The screenprints of the ram problem have also mysteriously gone into oblivion. This is an attack like none other. There must be a way for me to get combofix and otl reports to you. I remember some years ago there were FTP servers... are they still in around?
gerbil 216 Industrious Poster
Ah. It's a nuisance to have to use it because it makes the post more difficult to read, but press the Code button above where you would type a response, use Ctrl-V to paste into the window and press Insert code Snippet, then Reply button as per usual.
Rabbiedab 0 Light Poster
ComboFix 12-08-14.03 - A Boze 08/15/2012 0:16.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1399 [GMT -4:00]
Running from: c:\documents and settings\A Boze\My Documents\Downloads\ComboFix is FREE\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Internet Security 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Internet Security 2012 *Enabled* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\A Boze\Application Data\DefaultTab\DefaultTab
c:\documents and settings\A Boze\Application Data\DefaultTab\DefaultTab\addon.ico
c:\documents and settings\A Boze\Application Data\DefaultTab\DefaultTab\amazon_ie.ico
c:\documents and settings\A Boze\Application Data\DefaultTab\DefaultTab\bing.ico
c:\documents and settings\A Boze\Application Data\DefaultTab\DefaultTab\DefaultTabBHO.dll
c:\documents and settings\A Boze\Application Data\DefaultTab\DefaultTab\DefaultTabStart.exe
c:\documents and settings\A Boze\Application Data\DefaultTab\DefaultTab\DefaultTabWrap.dll
c:\documents and settings\A Boze\Application Data\DefaultTab\DefaultTab\DT.ico
c:\documents and settings\A Boze\Application Data\DefaultTab\DefaultTab\DTUpdate.exe
c:\documents and settings\A Boze\Application Data\DefaultTab\DefaultTab\facebook_ie.ico
c:\documents and settings\A Boze\Application Data\DefaultTab\DefaultTab\google.ico
c:\documents and settings\A Boze\Application Data\DefaultTab\DefaultTab\search_here_ie.ico
c:\documents and settings\A Boze\Application Data\DefaultTab\DefaultTab\searchhere.ico
c:\documents and settings\A Boze\Application Data\DefaultTab\DefaultTab\twitter_ie.ico
c:\documents and settings\A Boze\Application Data\DefaultTab\DefaultTab\uninstalldt.exe
c:\documents and settings\A Boze\Application Data\DefaultTab\DefaultTab\wikipedia_ie.ico
c:\documents and settings\A Boze\Application Data\DefaultTab\DefaultTab\yahoo.ico
c:\documents and settings\A Boze\Application Data\DefaultTab\DefaultTab\youtube_ie.ico
c:\program files\Internet Explorer\SET2E.tmp
c:\program files\Internet Explorer\SET2F.tmp
c:\program files\Internet Explorer\SET4.tmp
c:\program files\Internet Explorer\SET4E9.tmp
c:\program files\Internet Explorer\SET4EB.tmp
c:\program files\Internet Explorer\SET5.tmp
c:\program files\Internet Explorer\SET7.tmp
c:\program files\Internet Explorer\SET8.tmp
c:\program files\Internet Explorer\SET9.tmp
c:\program files\Internet Explorer\SET9DE.tmp
c:\program files\Internet Explorer\SET9DF.tmp
c:\program files\Internet Explorer\SETA.tmp
c:\program files\Internet Explorer\SETB.tmp
c:\program files\Internet Explorer\SETC.tmp
c:\program files\Internet Explorer\SETD.tmp
c:\program files\Internet Explorer\SETE.tmp
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\MailSwitch.ocx
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\Cache
c:\windows\system32\SET10.tmp
c:\windows\system32\SET11.tmp
c:\windows\system32\SET12.tmp
c:\windows\system32\SET13.tmp
c:\windows\system32\SET14.tmp
c:\windows\system32\SET15.tmp
c:\windows\system32\SET16.tmp
c:\windows\system32\SET17.tmp
c:\windows\system32\SET18.tmp
c:\windows\system32\SET19.tmp
c:\windows\system32\SET1A.tmp
c:\windows\system32\SET1B.tmp
c:\windows\system32\SET1C.tmp
c:\windows\system32\SET1D.tmp
c:\windows\system32\SET1E.tmp
c:\windows\system32\SET20.tmp
c:\windows\system32\SET21.tmp
c:\windows\system32\SET22.tmp
c:\windows\system32\SET23.tmp
c:\windows\system32\SET24.tmp
c:\windows\system32\SET25.tmp
c:\windows\system32\SET26.tmp
c:\windows\system32\SET27.tmp
c:\windows\system32\SET36.tmp
c:\windows\system32\SET37.tmp
c:\windows\system32\SET38.tmp
c:\windows\system32\SET39.tmp
c:\windows\system32\SET3A.tmp
c:\windows\system32\SET3B.tmp
c:\windows\system32\SET3C.tmp
c:\windows\system32\SET3D.tmp
c:\windows\system32\SET3E.tmp
c:\windows\system32\SET3F.tmp
c:\windows\system32\SET40.tmp
c:\windows\system32\SET41.tmp
c:\windows\system32\SET42.tmp
c:\windows\system32\SET43.tmp
c:\windows\system32\SET45.tmp
c:\windows\system32\SET46.tmp
c:\windows\system32\SET47.tmp
c:\windows\system32\SET48.tmp
c:\windows\system32\SET49.tmp
c:\windows\system32\SET4A.tmp
c:\windows\system32\SET4B.tmp
c:\windows\system32\SET4C.tmp
c:\windows\system32\SET4D.tmp
c:\windows\system32\SET4D8.tmp
c:\windows\system32\SET4D9.tmp
c:\windows\system32\SET4DA.tmp
c:\windows\system32\SET4DB.tmp
c:\windows\system32\SET4DE.tmp
c:\windows\system32\SET4DF.tmp
c:\windows\system32\SET4E.tmp
c:\windows\system32\SET4E0.tmp
c:\windows\system32\SET4E4.tmp
c:\windows\system32\SET4E5.tmp
c:\windows\system32\SET4E6.tmp
c:\windows\system32\SET4F.tmp
c:\windows\system32\SET50.tmp
c:\windows\system32\SET51.tmp
c:\windows\system32\SET52.tmp
c:\windows\system32\SET53.tmp
c:\windows\system32\SET54.tmp
c:\windows\system32\SET55.tmp
c:\windows\system32\SET56.tmp
c:\windows\system32\SET57.tmp
c:\windows\system32\SET58.tmp
c:\windows\system32\SET59.tmp
c:\windows\system32\SET5A.tmp
c:\windows\system32\SET5B.tmp
c:\windows\system32\SET5C.tmp
c:\windows\system32\SET5D.tmp
c:\windows\system32\SET5E.tmp
c:\windows\system32\SET5F.tmp
c:\windows\system32\SET60.tmp
c:\windows\system32\SET61.tmp
c:\windows\system32\SET62.tmp
c:\windows\system32\SET63.tmp
c:\windows\system32\SET64.tmp
c:\windows\system32\SET65.tmp
c:\windows\system32\SET66.tmp
c:\windows\system32\SET67.tmp
c:\windows\system32\SET68.tmp
c:\windows\system32\SET6A.tmp
c:\windows\system32\SET6A7.tmp
c:\windows\system32\SET6A8.tmp
c:\windows\system32\SET6B.tmp
c:\windows\system32\SET6C.tmp
c:\windows\system32\SET6D.tmp
c:\windows\system32\SET6E.tmp
c:\windows\system32\SET6F.tmp
c:\windows\system32\SET70.tmp
c:\windows\system32\SET71.tmp
c:\windows\system32\SET80.tmp
c:\windows\system32\SET81.tmp
c:\windows\system32\SET82.tmp
c:\windows\system32\SET83.tmp
c:\windows\system32\SET84.tmp
c:\windows\system32\SET85.tmp
c:\windows\system32\SET86.tmp
c:\windows\system32\SET87.tmp
c:\windows\system32\SET88.tmp
c:\windows\system32\SET89.tmp
c:\windows\system32\SET8A.tmp
c:\windows\system32\SET8B.tmp
c:\windows\system32\SET8C.tmp
c:\windows\system32\SET8D.tmp
c:\windows\system32\SET8F.tmp
c:\windows\system32\SET90.tmp
c:\windows\system32\SET91.tmp
c:\windows\system32\SET92.tmp
c:\windows\system32\SET93.tmp
c:\windows\system32\SET94.tmp
c:\windows\system32\SET9E6.tmp
c:\windows\system32\SET9E7.tmp
c:\windows\system32\SET9E8.tmp
c:\windows\system32\SET9E9.tmp
c:\windows\system32\SET9EA.tmp
c:\windows\system32\SET9EB.tmp
c:\windows\system32\SET9EC.tmp
c:\windows\system32\SET9ED.tmp
c:\windows\system32\SET9EE.tmp
c:\windows\system32\SET9EF.tmp
c:\windows\system32\SET9F0.tmp
c:\windows\system32\SET9F2.tmp
c:\windows\system32\SET9F3.tmp
c:\windows\system32\SET9F4.tmp
c:\windows\system32\SET9F6.tmp
c:\windows\system32\SET9F7.tmp
c:\windows\system32\SET9F8.tmp
c:\windows\system32\SET9F9.tmp
c:\windows\system32\SET9FA.tmp
c:\windows\system32\SET9FB.tmp
c:\windows\system32\SET9FC.tmp
c:\windows\system32\SET9FD.tmp
c:\windows\system32\SET9FE.tmp
c:\windows\system32\SET9FF.tmp
c:\windows\system32\SETA00.tmp
c:\windows\system32\SETA01.tmp
c:\windows\system32\SETA02.tmp
c:\windows\system32\SETA03.tmp
c:\windows\system32\SETA04.tmp
c:\windows\system32\SETA05.tmp
c:\windows\system32\SETA06.tmp
c:\windows\system32\SETA07.tmp
c:\windows\system32\SETA08.tmp
c:\windows\system32\SETA09.tmp
c:\windows\system32\SETA5.tmp
c:\windows\system32\SETA6.tmp
c:\windows\system32\SETA7.tmp
c:\windows\system32\SETA9.tmp
c:\windows\system32\SETAA.tmp
c:\windows\system32\SETAB.tmp
c:\windows\system32\SETAC.tmp
c:\windows\system32\SETAD.tmp
c:\windows\system32\SETAE.tmp
c:\windows\system32\SETAF.tmp
c:\windows\system32\SETB0.tmp
c:\windows\system32\SETB1.tmp
c:\windows\system32\SETB2.tmp
c:\windows\system32\SETB3.tmp
c:\windows\system32\SETB5.tmp
c:\windows\system32\SETB6.tmp
c:\windows\system32\SETB7.tmp
c:\windows\system32\SETB8.tmp
c:\windows\system32\SETB9.tmp
c:\windows\system32\SETBA.tmp
c:\windows\system32\SETBB.tmp
c:\windows\system32\SETBC.tmp
c:\windows\system32\SETC.tmp
c:\windows\system32\SETCB.tmp
c:\windows\system32\SETCD.tmp
c:\windows\system32\SETCE.tmp
c:\windows\system32\SETCF.tmp
c:\windows\system32\SETD.tmp
c:\windows\system32\SETD0.tmp
c:\windows\system32\SETD1.tmp
c:\windows\system32\SETD3.tmp
c:\windows\system32\SETD4.tmp
c:\windows\system32\SETD5.tmp
c:\windows\system32\SETD7.tmp
c:\windows\system32\SETD8.tmp
c:\windows\system32\SETD9.tmp
c:\windows\system32\SETDA.tmp
c:\windows\system32\SETDB.tmp
c:\windows\system32\SETDC.tmp
c:\windows\system32\SETDE.tmp
c:\windows\system32\SETDF.tmp
c:\windows\system32\SETE.tmp
c:\windows\system32\SETF.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_DefaultTabUpdate
-------\Legacy_DefaultTabUpdate
-------\Service_DefaultTabUpdate
-------\Service_DefaultTabUpdate
.
.
((((((((((((((((((((((((( Files Created from 2012-07-15 to 2012-08-15 )))))))))))))))))))))))))))))))
.
.
2012-08-12 13:31 . 2012-08-12 13:31 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\IObit
2012-08-12 13:25 . 2012-08-12 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2012-08-12 13:25 . 2012-08-12 13:25 -------- d-----w- c:\documents and settings\A Boze\Application Data\IObit
2012-08-12 13:25 . 2012-08-12 13:25 -------- d-----w- c:\program files\IObit
2012-08-12 13:08 . 2012-08-12 13:08 -------- d-----w- c:\program files\CCleaner
2012-08-09 01:05 . 2012-08-09 01:05 -------- d-----w- c:\program files\Freeze.com
2012-08-09 01:04 . 2010-08-27 05:57 99840 -c----w- c:\windows\system32\dllcache\srvsvc.dll
2012-08-09 01:03 . 2009-10-21 05:38 75776 -c----w- c:\windows\system32\dllcache\strmfilt.dll
2012-08-09 01:03 . 2009-10-21 05:38 25088 -c----w- c:\windows\system32\dllcache\httpapi.dll
2012-08-09 01:03 . 2009-10-20 16:20 265728 -c----w- c:\windows\system32\dllcache\http.sys
2012-08-08 21:08 . 2012-08-08 21:12 -------- d-----w- c:\documents and settings\A Boze\Application Data\ImgBurn
2012-08-08 21:07 . 2012-08-08 21:07 -------- d-----w- c:\program files\ImgBurn
2012-08-08 19:44 . 2012-08-08 19:48 -------- d-----w- C:\EmergencyUtils
2012-08-08 19:13 . 2009-02-26 23:18 29552 ----a-w- c:\windows\system32\mdimon.dll
2012-08-08 19:13 . 2006-10-26 23:58 30512 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2012-08-08 19:07 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2012-08-08 18:25 . 2012-07-04 14:05 139784 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-08-08 18:25 . 2012-07-02 17:49 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-08-08 18:25 . 2012-07-02 17:49 629760 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2012-08-08 18:25 . 2012-07-02 17:49 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-08-08 18:25 . 2012-07-02 17:49 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-08-08 18:25 . 2012-07-03 03:19 11111424 -c----w- c:\windows\system32\dllcache\ieframe.dll
2012-08-08 18:25 . 2012-07-02 17:49 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-08-08 18:25 . 2012-07-02 17:49 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2012-08-08 18:25 . 2012-07-02 17:49 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-08-08 18:25 . 2012-05-31 13:22 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2012-08-08 18:24 . 2012-07-03 13:40 1866112 -c----w- c:\windows\system32\dllcache\win32k.sys
2012-08-08 18:24 . 2012-02-29 14:10 177664 -c----w- c:\windows\system32\dllcache\wintrust.dll
2012-08-08 18:24 . 2012-02-29 14:10 148480 -c----w- c:\windows\system32\dllcache\imagehlp.dll
2012-08-08 18:24 . 2011-10-14 14:47 23040 -c----w- c:\windows\system32\dllcache\mciseq.dll
2012-08-08 18:24 . 2011-10-14 14:47 176128 -c----w- c:\windows\system32\dllcache\winmm.dll
2012-08-08 18:24 . 2011-11-03 15:28 386048 -c----w- c:\windows\system32\dllcache\qdvd.dll
2012-08-08 18:24 . 2011-11-18 12:35 60416 -c----w- c:\windows\system32\dllcache\packager.exe
2012-08-08 18:23 . 2011-07-15 13:29 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-08-08 18:23 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-08-08 18:23 . 2011-11-25 21:57 293376 -c----w- c:\windows\system32\dllcache\winsrv.dll
2012-08-08 18:23 . 2011-10-28 05:31 33280 -c----w- c:\windows\system32\dllcache\csrsrv.dll
2012-08-08 18:23 . 2010-12-20 17:32 551936 -c----w- c:\windows\system32\dllcache\oleaut32.dll
2012-08-08 18:23 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-08-08 18:23 . 2008-06-20 11:51 361600 -c----w- c:\windows\system32\dllcache\tcpip.sys
2012-08-08 18:23 . 2011-08-17 13:49 138496 -c----w- c:\windows\system32\dllcache\afd.sys
2012-08-08 18:23 . 2011-03-03 06:55 149504 -c----w- c:\windows\system32\dllcache\dnsapi.dll
2012-08-08 18:23 . 2009-04-20 17:17 45568 -c----w- c:\windows\system32\dllcache\dnsrslvr.dll
2012-08-08 18:23 . 2008-06-20 16:02 245248 -c----w- c:\windows\system32\dllcache\mswsock.dll
2012-08-08 18:23 . 2011-02-15 12:56 290432 -c----w- c:\windows\system32\dllcache\atmfd.dll
2012-08-08 18:22 . 2011-02-11 13:25 229888 -c----w- c:\windows\system32\dllcache\fxscover.exe
2012-08-08 18:22 . 2011-02-17 13:18 357888 -c----w- c:\windows\system32\dllcache\srv.sys
2012-08-08 18:22 . 2011-02-02 07:58 2067456 -c----w- c:\windows\system32\dllcache\lhmstscx.dll
2012-08-08 18:22 . 2011-01-27 11:57 677888 -c----w- c:\windows\system32\dllcache\lhmstsc.exe
2012-08-08 18:22 . 2011-10-18 11:13 186880 -c----w- c:\windows\system32\dllcache\encdec.dll
2012-08-08 18:22 . 2011-02-09 13:53 270848 -c----w- c:\windows\system32\dllcache\sbe.dll
2012-08-08 18:22 . 2009-07-27 23:17 135168 -c----w- c:\windows\system32\dllcache\shsvcs.dll
2012-08-08 18:22 . 2011-01-21 14:44 439296 -c----w- c:\windows\system32\dllcache\shimgvw.dll
2012-08-08 18:22 . 2012-06-08 14:26 8462848 -c----w- c:\windows\system32\dllcache\shell32.dll
2012-08-08 18:20 . 2010-04-16 15:36 406016 -c----w- c:\windows\system32\dllcache\usp10.dll
2012-08-08 18:20 . 2010-06-18 13:36 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2012-08-08 18:19 . 2010-03-05 18:45 456704 -c----w- c:\windows\system32\dllcache\smtpsvc.dll
2012-08-08 18:19 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2012-08-08 18:19 . 2010-03-05 14:37 65536 -c----w- c:\windows\system32\dllcache\asycfilt.dll
2012-08-08 18:19 . 2011-10-10 14:22 692736 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2012-08-08 18:19 . 2010-01-29 15:01 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2012-08-08 18:18 . 2010-02-11 12:02 226880 -c----w- c:\windows\system32\dllcache\tcpip6.sys
2012-08-08 18:18 . 2010-02-12 04:33 100864 -c----w- c:\windows\system32\dllcache\6to4svc.dll
2012-08-08 18:18 . 2010-01-13 14:01 86016 -c----w- c:\windows\system32\dllcache\cabview.dll
2012-08-08 18:18 . 2009-12-16 18:43 343040 -c----w- c:\windows\system32\dllcache\mspaint.exe
2012-08-08 18:18 . 2009-11-27 16:07 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
2012-08-08 18:18 . 2009-11-27 16:07 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll
2012-08-08 18:18 . 2009-11-27 16:07 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
2012-08-08 18:18 . 2009-11-27 16:07 11264 -c----w- c:\windows\system32\dllcache\msrle32.dll
2012-08-08 18:18 . 2011-11-03 15:28 1292288 -c----w- c:\windows\system32\dllcache\quartz.dll
2012-08-08 18:18 . 2009-11-27 17:11 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
2012-08-08 18:18 . 2009-12-08 09:23 474112 -c----w- c:\windows\system32\dllcache\shlwapi.dll
2012-08-08 18:16 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2012-08-08 18:15 . 2010-07-12 12:55 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe
2012-08-08 18:15 . 2008-10-23 12:36 286720 -c----w- c:\windows\system32\dllcache\gdi32.dll
2012-08-08 18:15 . 2012-07-06 13:58 337920 -c----w- c:\windows\system32\dllcache\netapi32.dll
2012-08-08 18:15 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2012-08-08 18:15 . 2008-07-07 20:26 253952 -c----w- c:\windows\system32\dllcache\es.dll
2012-08-08 18:15 . 2008-06-24 16:43 74240 -c----w- c:\windows\system32\dllcache\mscms.dll
2012-08-08 18:15 . 2008-05-09 10:53 90112 -c----w- c:\windows\system32\dllcache\wshext.dll
2012-08-08 18:15 . 2008-05-09 10:53 172032 -c----w- c:\windows\system32\dllcache\scrrun.dll
2012-08-08 18:15 . 2008-05-09 10:53 180224 -c----w- c:\windows\system32\dllcache\scrobj.dll
2012-08-08 18:15 . 2008-05-08 11:24 155648 -c----w- c:\windows\system32\dllcache\wscript.exe
2012-08-08 18:15 . 2008-05-07 09:07 135168 -c----w- c:\windows\system32\dllcache\cscript.exe
2012-08-08 18:14 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2012-08-08 18:14 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2012-08-07 20:08 . 2012-08-08 13:22 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-08-04 20:16 . 2012-08-04 20:17 -------- d-----w- C:\1081a87273cf5e78fa
2012-08-04 19:55 . 2012-08-09 01:15 -------- d-----w- c:\program files\7-Zip
2012-08-04 19:25 . 2012-08-04 19:25 -------- d-----w- c:\documents and settings\A Boze\Local Settings\Application Data\visi_coupon
2012-08-04 19:24 . 2012-08-04 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\WeCareReminder
2012-08-04 19:24 . 2012-08-08 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
2012-08-04 19:24 . 2012-08-04 19:24 -------- d-----w- c:\program files\DefaultTab
2012-08-04 19:24 . 2012-08-15 04:23 -------- d-----w- c:\documents and settings\A Boze\Application Data\DefaultTab
2012-08-04 19:23 . 2012-08-08 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-02 22:19 . 2012-06-29 15:19 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-02 22:19 . 2011-06-26 14:11 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-04 14:32 . 2012-07-04 14:52 221184 ------w- c:\windows\system32\ATIDEMGR.dll
2012-07-04 14:31 . 2009-10-03 05:51 9324032 ------w- c:\windows\system32\RTLCPL.EXE
2012-07-04 14:31 . 2009-10-03 05:50 77824 ----a-w- c:\windows\SOUNDMAN.EXE
2012-07-04 14:31 . 2009-10-03 05:51 156672 ------w- c:\windows\system32\RTLCPAPI.dll
2012-07-04 14:31 . 2009-10-03 05:50 16166912 ------w- c:\windows\system32\ALSNDMGR.CPL
2012-07-04 14:31 . 2009-10-03 05:50 2300928 ------w- c:\windows\system32\drivers\ALCXWDM.SYS
2012-07-04 14:30 . 2004-04-14 01:14 70144 ------w- c:\windows\system32\drivers\Rtlnicxp.sys
2012-07-04 14:05 . 2005-04-16 07:05 139784 ------w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 17:46 . 2011-12-28 15:54 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-03 16:21 . 2012-07-05 00:24 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-07-03 16:21 . 2012-07-05 00:24 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-07-03 16:21 . 2012-07-05 00:24 353688 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-07-03 16:21 . 2012-07-05 00:24 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-07-03 16:21 . 2012-07-05 00:24 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21 . 2012-07-05 00:24 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-07-03 16:21 . 2012-07-05 00:24 89624 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-07-03 16:21 . 2012-07-05 00:24 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-07-03 16:21 . 2012-07-05 00:23 41224 ----a-w- c:\windows\avastSS.scr
2012-07-03 16:21 . 2012-07-05 00:23 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-07-03 13:40 . 2004-08-04 12:00 1866112 ------w- c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2012-06-20 13:12 . 2012-06-20 13:12 3993600 ----a-w- c:\program files\GUT55.tmp
2012-06-07 00:59 . 2012-06-07 00:59 1070152 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-06-05 15:50 . 2009-08-19 22:07 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 21:35 . 2005-04-16 07:08 210968 ------w- c:\windows\system32\wuweb.dll
2012-06-04 21:35 . 2010-03-25 00:21 222448 ------w- c:\windows\system32\muweb.dll
2012-06-04 04:32 . 2004-08-04 12:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 19:19 . 2009-08-06 23:24 22040 ------w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2009-08-06 23:24 15384 ------w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2005-04-16 07:08 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2005-04-16 07:08 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2012-07-05 00:30 15384 ------w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2005-05-26 08:16 45080 ------w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2005-04-16 07:22 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2005-04-16 07:08 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2004-08-04 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2009-08-06 23:24 17944 ------w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2005-04-16 07:08 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2005-04-16 07:08 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 19:18 . 2010-03-25 00:21 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18 . 2010-03-25 00:21 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2000-02-24 21:07 . 2010-07-02 17:26 570128 -c--a-w- c:\program files\Common Files\DAO350.DLL
1996-08-06 03:00 . 2010-07-02 17:26 456464 -c--a-w- c:\program files\Common Files\DAO3032.DLL
2011-12-21 07:24 . 2011-12-28 15:59 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-23 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2008-06-25 1325848]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2008-06-25 136472]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2011-06-22 395392]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2011-06-22 2637824]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-18 339968]
"CHotkey"="zHotkey.exe" [2004-05-17 543232]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"SoundMan"="SOUNDMAN.EXE" [2012-07-04 77824]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
.
c:\documents and settings\A Boze\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - [N/A]
.
[HKLM\~\startupfolder\C:^Documents and Settings^A Boze^Start Menu^Programs^Startup^Billminder.lnk]
backup=c:\windows\pss\Billminder.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^A Boze^Start Menu^Programs^Startup^Membership Plus QuickView.lnk]
backup=c:\windows\pss\Membership Plus QuickView.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^A Boze^Start Menu^Programs^Startup^TrueAssistant.lnk]
backup=c:\windows\pss\TrueAssistant.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AudioDeck.lnk]
backup=c:\windows\pss\AudioDeck.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2006-01-14 00:36 196608 -c----w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2004-06-03 05:50 204800 ----a-w- c:\program files\Microsoft IntelliPoint\point32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sha-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
2003-09-19 13:09 36864 ----a-w- c:\windows\ShowWnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 20:12 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
2004-11-15 19:04 135168 ----a-w- c:\program files\Digital Media Reader\shwiconEM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
"MBackMonitor"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate"=3 (0x3)
"CryptSvc"=3 (0x3)
"awhost32"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"SNDSrvc"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"wlidsvc"=2 (0x2)
"IISADMIN"=2 (0x2)
"PrismXL"=2 (0x2)
"PortEmulator"=3 (0x3)
"ose"=3 (0x3)
"DefaultTabUpdate"=2 (0x2)
"DefaultTabSearch"=2 (0x2)
"BBSvc"=3 (0x3)
"idsvc"=3 (0x3)
"AcrSch2Svc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 vididr;Acronis Virtual Disk;c:\windows\system32\drivers\vididr.sys [12/30/2011 10:53 PM 125472]
R0 vidsflt53;Acronis Disk Storage Filter (53);c:\windows\system32\drivers\vsflt53.sys [12/30/2011 10:53 PM 83392]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/4/2012 8:24 PM 721000]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/4/2012 8:24 PM 353688]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/4/2012 8:24 PM 21256]
R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 8:00 AM 14336]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 8:56 PM 431384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 1:26 AM 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [6/29/2012 11:19 AM 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 1:26 AM 135664]
S3 Vsp;Vsp;c:\windows\system32\drivers\vsp.sys [4/17/2005 3:46 AM 3351]
S4 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 6:44 PM 183560]
S4 DefaultTabSearch;DefaultTabSearch;c:\program files\DefaultTab\DefaultTabSearch.exe [5/18/2012 5:00 AM 563200]
S4 PortEmulator;Port Emulator (Star);c:\program files\StarMicronics\TSP100\Software\20070601\portemu.exe [5/27/2007 1:13 PM 98304]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-29 22:19]
.
2012-08-15 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-07-05 16:21]
.
2012-08-15 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-05-22 21:09]
.
2012-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 05:26]
.
2012-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 05:26]
.
2012-08-15 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
BHO-{7F6AFBF1-E065-4627-A2FD-810366367D01} - c:\documents and settings\A Boze\Application Data\DefaultTab\DefaultTab\DefaultTabBHO.dll
AddRemove-DefaultTab - c:\documents and settings\A Boze\Application Data\DefaultTab\DefaultTab\uninstalldt.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-15 00:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6Y160P0 rev.YAR41BW0 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-1f
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
1 ntkrnlpa!IofCallDriver[0x804EE140] -> \Device\Harddisk0\DR0[0x8A9D3AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE140] -> \Device\0000007a[0x8AA67A40]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE140] -> \Device\Ide\IdeDeviceP4T0L0-1f[0x8AA1F940]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Parallel0.5 -> \??\LPTENUM#IMGVP0#4&2c514809&0&LPT1.5#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2136)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\msdtc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\zHotkey.exe
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Completion time: 2012-08-15 00:32:04 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-15 04:32
ComboFix2.txt 2012-07-04 04:33
.
Pre-Run: 117,988,372,480 bytes free
Post-Run: 117,942,439,936 bytes free
.
- - End Of File - - E5EA7412B55817CAE02E70A9720881E7
gerbil 216 Industrious Poster
And this is a pure shot in the dark, but run this scan:aswMBR.exe
aswMBR.exe
==Download aswMBR from http://www.bleepingcomputer.com/download/aswmbr/
Start it, press Scan [it will download virus definitions from Avast], wait the 3 or 4 minutes until it says Scan completed then press Save Log. Post that, please. Do NOT fix anything at this stage.
An MBR.dat file will appear on your desktop, it is a copy of your MBR. Do not delete it.
gerbil 216 Industrious Poster
You could try using the Private Messages system [top of Daniweb window] to give me your logs [zip them if you will] and I will then post them in the body of this forum article for you.
Edited by gerbil
gerbil 216 Industrious Poster
I'm also caught with the dreaded Code Snippet detection bug. So anyway:
There are a few things to tidy up, but first, some advice: there are a lot of items under MSCONFIG Startup and Services which have been disallowed (prevented from starting) - MSCONFIG is fine to use for debugging/troubleshooting, but thereafter entries should not be left unchecked. The offending items/programs should be uninstalled or otherwise removed. If items are unchecked in MSCONFIG and an uninstallation is attempted then it will not complete -manual removal from registry is then required.
For example, if you no longer use Intellipoint mouse, the program should be uninstalled, but only after rechecking the startup item in MSCONFIG. If you do use it, then your mouse will be running on default windows mouse software with attendant reduced properties/capabilities. But before you deal with MSCONFIG do these things in order:
I don't know what this is... something to so with Avast? If not known, delete C:\1081a87273cf5e78fa
Delete these two:
c:\program files\DefaultTab
c:\documents and settings\A Boze\Application Data\DefaultTab
Now to MSCONFIG. You should recheck all those startup items, I doubt if they are causing problems.
Same goes for Services. There are several entries for Symantec, entries for Mcafee, Acronis, some services you do need, and even a couple for the malware.
Once again, I suggest you enable them all, and then....
Remove this service:
DefaultTabSearch;DefaultTabSearch;c:\program files\DefaultTab\DefaultTabSearch.exe [5/18/2012 5:00 AM 563200]
==Go Start, run, type services.msc -and press Enter. Maximise the window and at foot select Extended tab, scroll to the specific service, rclick it, select properties. Write down the exact Service Name. Press Stop if it is highlighted [you may have to set the service Startup type to Disable first]. Close Services, now type this line into the run text box and press Enter:
sc delete "exact Service Name" - don't be silly now, I think the required name will be DefaultTabSearch.
Now rerun the removal tools for Symantec, McAfee.
Post those OTL and AswMBR logs along with your observations.
Rabbiedab 0 Light Poster
Greetings gerbil,
First allow me to articulate I have high esteem for you, your patience and definitely your professionalism. Second, allow me to THANK YOU for everything you are doing to get my Wife and I productive again. You're amazing!!!
Third, I have copied and pasted your instructions to a Word docx file to print and save for future reference, as well as, for guidance in following the instructions so carefully outlined. Again... we can't thank you enough.
Have a Wonderfully Peaceful Day,
---Rabbie and his Soul Mate
Edited by Rabbiedab
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.