TechSpot

Can't access antivirus site, 5 step reports

Solved
By TheRealTimWells
Mar 10, 2012
  1. Hello
    I'm having problems accessing any antivirus site and Microsoft. I am trying to follow your 5 steps; here are my logs. If I've made a mistake or there are any other problems, please let me know; otherwise any help fixing the problem would be much appreciated.
    Thanks
    Tim



    Malwarebytes Anti-Malware (Trial) 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.10.02

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Ali :: CHANGEME1 [administrator]

    Protection: Enabled

    3/11/2012 12:28:09 AM
    mbam-log-2012-03-11 (00-28-09).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 161070
    Time elapsed: 5 minute(s), 26 second(s)

    Memory Processes Detected: 2
    C:\WINDOWS\system32\A58227\E54A4C.EXE (Worm.AutoRun) -> 348 -> Delete on reboot.
    C:\WINDOWS\system32\216C96\V9ED2F9F.EXE (Trojan.Agent) -> 3420 -> Delete on reboot.

    Memory Modules Detected: 3
    C:\WINDOWS\system32\216C96\krnln.fnr (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\216C96\eAPI.fne (Worm.Autorun) -> Delete on reboot.
    C:\WINDOWS\system32\216C96\dp1.fne (Worm.Autorun) -> Delete on reboot.

    Registry Keys Detected: 19
    HKCR\CLSID\{7952f465-ac46-4a82-b383-870f3784d1cd} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{5D79F641-C168-40DF-A32F-BACEA7509E75} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5D79F641-C168-40DF-A32F-BACEA7509E75} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{A0154E07-2B48-475C-A82A-80EFD84EA33E} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A0154E07-2B48-475C-A82A-80EFD84EA33E} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{AB56DFDE-0C14-45B3-9DF6-7B0EBA617870} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{AB56DFDE-0C14-45B3-9DF6-7B0EBA617870} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{C98D5B61-B0EA-4D48-9839-1079D352D880} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C98D5B61-B0EA-4D48-9839-1079D352D880} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{CB41FC95-F1B3-4797-8BB6-1012FF62ABBA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CB41FC95-F1B3-4797-8BB6-1012FF62ABBA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{DF22384F-CF68-4D19-969F-10423715528B} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF22384F-CF68-4D19-969F-10423715528B} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{04D2B915-19FF-41E9-994D-95DC898BEA43} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0696F815-A3A9-490A-BB14-9EC3350B1276} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8A7D2060-824D-4B17-B00A-759B1B5F30D9} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F02C0832-C85C-4B93-8C6F-9DF20121A10D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d09094b3-b426-4f16-a6d9-e211fe222127} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7895609d-c8b4-4cf5-a2c7-28223d0c3d92} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|E54A4C (Worm.AutoRun) -> Data: C:\WINDOWS\system32\A58227\E54A4C.EXE -> Quarantined and deleted successfully.

    Registry Data Items Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL|CheckedValue (PUM.Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

    Folders Detected: 1
    C:\Documents and Settings\Ali\Local Settings\Temp\E_N4 (Worm.Autorun) -> Delete on reboot.

    Files Detected: 22
    C:\WINDOWS\system32\A58227\E54A4C.EXE (Worm.AutoRun) -> Delete on reboot.
    C:\Documents and Settings\Ali\Local Settings\Temp\E_N4\krnln.fnr (Trojan.Agent) -> Delete on reboot.
    C:\Documents and Settings\Ali\Local Settings\Temp\E_N4\HtmlView.fne (HackTool.Patcher) -> Delete on reboot.
    C:\Documents and Settings\Ali\Local Settings\Temp\E_N4\shell.fne (Trojan.Agent) -> Delete on reboot.
    C:\Documents and Settings\Ali\Local Settings\Temp\E_N4\dp1.fne (Worm.Autorun) -> Delete on reboot.
    C:\Documents and Settings\Ali\Local Settings\Temp\E_N4\eAPI.fne (Worm.Autorun) -> Delete on reboot.
    C:\Documents and Settings\Ali\Local Settings\Temp\E_N4\internet.fne (HackTool.Patcher) -> Delete on reboot.
    C:\WINDOWS\system32\216C96\V9ED2F9F.EXE (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\216C96\krnln.fnr (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\216C96\eAPI.fne (Worm.Autorun) -> Delete on reboot.
    C:\WINDOWS\system32\216C96\dp1.fne (Worm.Autorun) -> Delete on reboot.
    C:\Program Files\14res.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\14Uninstall TotalRecipeSearch.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\2bres.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\2bUninstall BetterCareerSearch.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\64res.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\64Uninstall TelevisionFanatic.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Ali\Local Settings\Temp\E_N4\cnvpe.fne (Worm.Autorun) -> Quarantined and deleted successfully.
    C:\Program Files\14res.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Program Files\2bres.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Program Files\64res.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Ali\Local Settings\Temp\E_N4\spec.fne (Worm.Autorun) -> Delete on reboot.

    (end)


    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-03-11 01:07:10
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1600BEVT-24A23T0 rev.01.01A02
    Running: wnn3s7c3.exe; Driver: C:\DOCUME~1\Ali\LOCALS~1\Temp\fwdcapog.sys


    ---- Services - GMER 1.0.15 ----

    Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] apxqn <-- ROOTKIT !!!
    Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] blzjtmx <-- ROOTKIT !!!
    Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] wofflzn <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.15 ----


    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Ali at 1:17:09 on 2012-03-11
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.516 [GMT 13:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\PROGRA~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Ali\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Ali\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [Google Update] "c:\documents and settings\ali\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    dRunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart
    dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
    StartupFolder: c:\docume~1\ali\startm~1\programs\startup\e54a4c.lnk - c:\windows\system32\a58227\E54A4C.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\lenovo\bluetooth software\BTTray.exe
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: Send to &Bluetooth Device... - c:\program files\lenovo\bluetooth software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\lenovo\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\lenovo\bluetooth software\btsendto_ie.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.caminova.net/en/downloads/getmodule.aspx?lang=en
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-3-11 652360]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-3-11 20464]
    S2 apxqn;Time Shell;c:\windows\system32\svchost.exe -k netsvcs [2008-4-15 14336]
    S2 blzjtmx;Config System;c:\windows\system32\svchost.exe -k netsvcs [2008-4-15 14336]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-26 136176]
    S2 wofflzn;Task Universal;c:\windows\system32\svchost.exe -k netsvcs [2008-4-15 14336]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-3-20 1691480]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-26 136176]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\rtsustor.sys --> c:\windows\system32\drivers\RtsUStor.sys [?]
    S3 RtsUIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
    .
    =============== Created Last 30 ================
    .
    2012-03-10 11:25:35 -------- d-----w- c:\documents and settings\ali\application data\Malwarebytes
    2012-03-10 11:25:29 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-03-10 11:25:28 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-10 11:25:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-26 20:52:46 -------- d--h--w- c:\windows\system32\CF6B60
    2012-02-26 20:52:46 -------- d--h--w- c:\windows\system32\A58227
    2012-02-26 20:52:46 -------- d--h--w- c:\windows\system32\216C96
    2012-02-26 20:52:46 -------- d--h--w- c:\windows\system32\18CB3B
    2012-02-25 02:39:25 -------- d-----w- c:\program files\CCleaner
    2012-02-25 02:25:46 -------- d-----w- c:\documents and settings\ali\local settings\application data\WMTools Downloaded Files
    2012-02-19 20:53:03 -------- d-----w- c:\documents and settings\ali\application data\Foxit Software
    2012-02-09 21:21:13 -------- d-----w- c:\program files\Foxit Software
    2012-02-09 21:13:46 -------- d-----w- c:\program files\Installs
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 1:23:30.93 ===============


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/21/2011 8:11:58 AM
    System Uptime: 3/11/2012 12:53:40 AM (1 hours ago)
    .
    Motherboard: LENOVO | | Mariana2
    Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | CPU | 798/533mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 149 GiB total, 127.989 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Intel(R) WiFi Link 5100 AGN
    Device ID: PCI\VEN_8086&DEV_4237&SUBSYS_12118086&REV_00\4&20975680&0&00E1
    Manufacturer: Intel Corporation
    Name: Intel(R) WiFi Link 5100 AGN
    PNP Device ID: PCI\VEN_8086&DEV_4237&SUBSYS_12118086&REV_00\4&20975680&0&00E1
    Service: NETw5x32
    .
    Class GUID:
    Description:
    Device ID: ACPI\VPC2004\0
    Manufacturer:
    Name:
    PNP Device ID: ACPI\VPC2004\0
    Service:
    .
    ==== System Restore Points ===================
    .
    RP53: 12/13/2011 3:28:58 PM - System Checkpoint
    RP54: 12/15/2011 12:23:05 PM - System Checkpoint
    RP55: 12/22/2011 11:50:35 AM - System Checkpoint
    RP56: 2/1/2012 2:52:21 PM - System Checkpoint
    RP57: 2/3/2012 11:08:40 AM - System Checkpoint
    RP58: 2/7/2012 9:49:14 AM - System Checkpoint
    RP59: 2/9/2012 10:55:54 AM - System Checkpoint
    RP60: 2/10/2012 2:40:54 PM - System Checkpoint
    RP61: 2/14/2012 11:01:03 AM - System Checkpoint
    RP62: 2/16/2012 9:26:04 AM - System Checkpoint
    RP63: 2/20/2012 11:27:07 AM - System Checkpoint
    RP64: 2/20/2012 3:09:20 PM - Unsigned driver install
    RP65: 2/20/2012 3:11:50 PM - Unsigned driver install
    RP66: 2/20/2012 3:35:17 PM - Unsigned driver install
    RP67: 2/22/2012 2:52:25 PM - System Checkpoint
    RP68: 2/24/2012 11:18:38 AM - System Checkpoint
    RP69: 2/26/2012 6:03:04 PM - System Checkpoint
    RP70: 3/2/2012 6:46:15 PM - System Checkpoint
    RP71: 3/6/2012 10:31:34 AM - System Checkpoint
    RP72: 3/9/2012 9:57:28 AM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 11 ActiveX
    CCleaner
    Document Express DjVu Plug-in (autoinstall)
    Foxit Reader 5.1
    GIMP 2.6.11
    Google Chrome
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Intel(R) Graphics Media Accelerator Driver
    Java Auto Updater
    Java(TM) 6 Update 24
    Lenovo Bluetooth with Enhanced Data Rate Software
    Malwarebytes Anti-Malware version 1.60.1.1000
    MSN
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    Realtek High Definition Audio Driver
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB941569)
    Sereby's Updatepack - IE8 Addon Version 1.0.7
    USB2.0 Card Reader Software
    VLC media player 1.1.9
    WebFldrs XP
    Windows Driver Package - Intel (NETw5x32) net (11/17/2008 12.2.0.11)
    Windows Driver Package - Intel (w29n51) net (12/19/2007 9.0.4.39)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/8/2012 9:05:12 AM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.7 with the system having network hardware address 78:A3:E4:C1:B6:57. Network operations on this system may be disrupted as a result.
    3/6/2012 2:16:23 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
    3/5/2012 9:32:51 AM, error: Service Control Manager [7023] - The Time Shell service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
    3/5/2012 9:32:51 AM, error: Service Control Manager [7023] - The Task Universal service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
    3/5/2012 9:32:51 AM, error: Service Control Manager [7023] - The Config System service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
    3/5/2012 9:32:51 AM, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    3/11/2012 12:51:16 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
    3/11/2012 12:50:07 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    3/11/2012 12:36:57 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    3/10/2012 11:55:19 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
    .
    ==== End Of File ===========================
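    Added note (not part of Tim's post or of the tool output): the logs above describe the same three services from different angles. DDS lists apxqn, blzjtmx and wofflzn as S2 auto-start services with the image path c:\windows\system32\svchost.exe -k netsvcs and the display names "Time Shell", "Config System" and "Task Universal"; GMER reports the same three service names as hidden; the Event Viewer section carries SCM event 7023 for each of those display names; and the TDSSKiller log posted later in the thread reports apxqn and blzjtmx as "Suspicious service (NoAccess)". The Python script below is an added example, my own code rather than anything from the thread or from the tools, that parses excerpts copied from those four logs and lists only the services GMER or TDSSKiller flagged, attaching the DDS and event-log findings as corroboration. The regular expressions and the evidence tag names are my own assumptions about the log formats, fitted to the lines shown in this thread.

```python
import re
from collections import defaultdict

# DDS "SERVICES / DRIVERS" line: <state> <name>;<display name>;<image command line> [<date> <size>]
DDS_SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[")
# The three patterns below each capture exactly one group: a service key name,
# or for event 7023 the service display name (the event log never shows the key).
GMER_HIDDEN_RE = re.compile(
    r"^Service\s+.+?\s+\(\*\*\* hidden \*\*\* \)\s+\[\w+\]\s+(?P<name>\S+)")
TDSS_NOACCESS_RE = re.compile(r"Suspicious service \(NoAccess\):\s+(?P<name>\S+)")
SCM_7023_RE = re.compile(
    r"Service Control Manager \[7023\] - The (?P<display>.+?) service terminated")

# Constructed sample input: lines copied from the DDS, GMER, Event Viewer and
# TDSSKiller output posted in this thread (the TDSSKiller excerpt ends before wofflzn).
DDS_SAMPLE = r"""
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-3-11 652360]
S2 apxqn;Time Shell;c:\windows\system32\svchost.exe -k netsvcs [2008-4-15 14336]
S2 blzjtmx;Config System;c:\windows\system32\svchost.exe -k netsvcs [2008-4-15 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-26 136176]
S2 wofflzn;Task Universal;c:\windows\system32\svchost.exe -k netsvcs [2008-4-15 14336]
"""
GMER_SAMPLE = r"""
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] apxqn <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] blzjtmx <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] wofflzn <-- ROOTKIT !!!
"""
EVENT_SAMPLE = """
3/5/2012 9:32:51 AM, error: Service Control Manager [7023] - The Time Shell service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
3/5/2012 9:32:51 AM, error: Service Control Manager [7023] - The Task Universal service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
3/5/2012 9:32:51 AM, error: Service Control Manager [7023] - The Config System service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
3/6/2012 2:16:23 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
"""
TDSS_SAMPLE = r"""
13:55:11.0828 1564 Suspicious service (NoAccess): apxqn
13:55:12.0218 1564 Suspicious service (NoAccess): blzjtmx
13:55:16.0078 1564 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
"""


def parse_dds_services(text):
    """Return {service name: (display name, image command line)} from a DDS services section."""
    services = {}
    for line in text.splitlines():
        m = DDS_SERVICE_RE.match(line.strip())
        if m:
            services[m["name"]] = (m["display"], m["image"])
    return services


def names_matching(pattern, text):
    """Collect the single captured group from every line that matches `pattern`."""
    found = set()
    for line in text.splitlines():
        m = pattern.search(line.strip())
        if m:
            found.add(m.group(1))
    return found


def correlate(dds_text, gmer_text, tdss_text, event_text):
    """Return {service name: sorted evidence tags} for every service that GMER or
    TDSSKiller flagged. DDS and the event log only contribute corroborating tags,
    so a lone DLL-init failure or a lone svchost image path never creates an entry."""
    services = parse_dds_services(dds_text)
    hidden = names_matching(GMER_HIDDEN_RE, gmer_text)
    noaccess = names_matching(TDSS_NOACCESS_RE, tdss_text)
    failed_displays = names_matching(SCM_7023_RE, event_text)

    evidence = defaultdict(set)
    for name in hidden:
        evidence[name].add("gmer:hidden")
    for name in noaccess:
        evidence[name].add("tdsskiller:NoAccess")
    for name in list(evidence):
        display, image = services.get(name, ("", ""))
        if display and display in failed_displays:
            evidence[name].add("scm:7023 DLL init failed")
        if "svchost.exe" in image.lower():
            # A generic host process makes the image path look legitimate in DDS.
            evidence[name].add("dds:hosted by svchost.exe")
    return {name: sorted(tags) for name, tags in evidence.items()}


def report(result):
    """One line per flagged service, sorted by name."""
    return [f"{name}: {', '.join(tags)}" for name, tags in sorted(result.items())]


if __name__ == "__main__":
    for line in report(correlate(DDS_SAMPLE, GMER_SAMPLE, TDSS_SAMPLE, EVENT_SAMPLE)):
        print(line)
```

    Run as-is, it prints the three services with their tags; wofflzn gets no TDSSKiller tag only because the part of that log quoted in the thread ends before it reaches that entry. gupdate and MBAMService never reach the report, because neither anti-rootkit tool flagged them.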
     
  2. Broni, Malware Annihilator

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===================================================================

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  3. TheRealTimWells, TS Rookie, Topic Starter

    I can't access that website, I guess because it's Kaspersky.
    Correction: I got there in safe mode, will post soon.
     
  4. TheRealTimWells, TS Rookie, Topic Starter

    TDSS Report

    Completed in safe mode; is that OK?

    13:54:36.0281 1540 TDSS rootkit removing tool 2.7.19.0 Mar 5 2012 11:23:39
    13:54:37.0218 1540 ============================================================
    13:54:37.0218 1540 Current date / time: 2012/03/11 13:54:37.0218
    13:54:37.0218 1540 SystemInfo:
    13:54:37.0218 1540
    13:54:37.0218 1540 OS Version: 5.1.2600 ServicePack: 3.0
    13:54:37.0218 1540 Product type: Workstation
    13:54:37.0218 1540 ComputerName: CHANGEME1
    13:54:37.0218 1540 UserName: Ali
    13:54:37.0218 1540 Windows directory: C:\WINDOWS
    13:54:37.0218 1540 System windows directory: C:\WINDOWS
    13:54:37.0218 1540 Processor architecture: Intel x86
    13:54:37.0218 1540 Number of processors: 2
    13:54:37.0218 1540 Page size: 0x1000
    13:54:37.0218 1540 Boot type: Safe boot with network
    13:54:37.0218 1540 ============================================================
    13:54:41.0609 1540 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
    13:54:41.0609 1540 \Device\Harddisk0\DR0:
    13:54:41.0609 1540 MBR used
    13:54:41.0609 1540 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x12A14BC1
    13:54:41.0703 1540 Initialize success
    13:54:41.0703 1540 ============================================================
    13:55:09.0921 1564 ============================================================
    13:55:09.0921 1564 Scan started
    13:55:09.0921 1564 Mode: Manual;
    13:55:09.0921 1564 ============================================================
    13:55:11.0093 1564 Abiosdsk - ok
    13:55:11.0140 1564 abp480n5 - ok
    13:55:11.0234 1564 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    13:55:11.0250 1564 ACPI - ok
    13:55:11.0328 1564 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    13:55:11.0328 1564 ACPIEC - ok
    13:55:11.0343 1564 adpu160m - ok
    13:55:11.0406 1564 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    13:55:11.0421 1564 aec - ok
    13:55:11.0437 1564 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    13:55:11.0437 1564 AFD - ok
    13:55:11.0453 1564 Aha154x - ok
    13:55:11.0484 1564 aic78u2 - ok
    13:55:11.0515 1564 aic78xx - ok
    13:55:11.0562 1564 AliIde - ok
    13:55:11.0687 1564 Ambfilt (267fc636801edc5ab28e14036349e3be) C:\WINDOWS\system32\drivers\Ambfilt.sys
    13:55:11.0765 1564 Ambfilt - ok
    13:55:11.0796 1564 amsint - ok
    13:55:11.0828 1564 Suspicious service (NoAccess): apxqn
    13:55:11.0875 1564 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    13:55:11.0875 1564 Arp1394 - ok
    13:55:11.0890 1564 asc - ok
    13:55:11.0921 1564 asc3350p - ok
    13:55:11.0953 1564 asc3550 - ok
    13:55:11.0968 1564 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    13:55:11.0968 1564 AsyncMac - ok
    13:55:12.0031 1564 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    13:55:12.0046 1564 atapi - ok
    13:55:12.0062 1564 Atdisk - ok
    13:55:12.0078 1564 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    13:55:12.0093 1564 Atmarpc - ok
    13:55:12.0140 1564 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    13:55:12.0140 1564 audstub - ok
    13:55:12.0203 1564 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    13:55:12.0203 1564 Beep - ok
    13:55:12.0218 1564 Suspicious service (NoAccess): blzjtmx
    13:55:12.0296 1564 btaudio (4b43dfe1c1fbb305a1dc5504ef9bb34e) C:\WINDOWS\system32\drivers\btaudio.sys
    13:55:12.0312 1564 btaudio - ok
    13:55:12.0390 1564 BTDriver (2f9f111d31aa3fbbe5781d829a4524e6) C:\WINDOWS\system32\DRIVERS\btport.sys
    13:55:12.0390 1564 BTDriver - ok
    13:55:12.0468 1564 BTKRNL (cf47c53d294abcb5159b02b68b37ba89) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
    13:55:12.0500 1564 BTKRNL - ok
    13:55:12.0609 1564 BTWDNDIS (485020a1e1fc5c51a800ca69c618d881) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
    13:55:12.0609 1564 BTWDNDIS - ok
    13:55:12.0640 1564 BTWUSB (6b622612fe21b59faee2ca4385959778) C:\WINDOWS\system32\Drivers\btwusb.sys
    13:55:12.0640 1564 BTWUSB - ok
    13:55:12.0687 1564 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    13:55:12.0687 1564 cbidf2k - ok
    13:55:12.0703 1564 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    13:55:12.0703 1564 CCDECODE - ok
    13:55:12.0734 1564 cd20xrnt - ok
    13:55:12.0765 1564 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    13:55:12.0781 1564 Cdaudio - ok
    13:55:12.0828 1564 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    13:55:12.0843 1564 Cdfs - ok
    13:55:12.0859 1564 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    13:55:12.0859 1564 Cdrom - ok
    13:55:12.0875 1564 Changer - ok
    13:55:12.0968 1564 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    13:55:12.0968 1564 CmBatt - ok
    13:55:12.0984 1564 CmdIde - ok
    13:55:13.0031 1564 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    13:55:13.0046 1564 Compbatt - ok
    13:55:13.0093 1564 Cpqarray - ok
    13:55:13.0125 1564 dac2w2k - ok
    13:55:13.0156 1564 dac960nt - ok
    13:55:13.0250 1564 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    13:55:13.0250 1564 Disk - ok
    13:55:13.0343 1564 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    13:55:13.0359 1564 dmboot - ok
    13:55:13.0375 1564 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    13:55:13.0390 1564 dmio - ok
    13:55:13.0421 1564 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    13:55:13.0421 1564 dmload - ok
    13:55:13.0484 1564 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    13:55:13.0484 1564 DMusic - ok
    13:55:13.0531 1564 dpti2o - ok
    13:55:13.0562 1564 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    13:55:13.0562 1564 drmkaud - ok
    13:55:13.0640 1564 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    13:55:13.0640 1564 Fastfat - ok
    13:55:13.0687 1564 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    13:55:13.0687 1564 Fdc - ok
    13:55:13.0734 1564 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    13:55:13.0734 1564 Fips - ok
    13:55:13.0765 1564 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    13:55:13.0765 1564 Flpydisk - ok
    13:55:13.0796 1564 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    13:55:13.0796 1564 FltMgr - ok
    13:55:13.0843 1564 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    13:55:13.0843 1564 Fs_Rec - ok
    13:55:13.0859 1564 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    13:55:13.0875 1564 Ftdisk - ok
    13:55:13.0890 1564 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    13:55:13.0906 1564 Gpc - ok
    13:55:14.0031 1564 hamachi (833051c6c6c42117191935f734cfbd97) C:\WINDOWS\system32\DRIVERS\hamachi.sys
    13:55:21.0781 1564 Suspicious service (NoAccess): wofflzn
    13:55:22.0078 1564 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    13:55:22.0281 1564 \Device\Harddisk0\DR0 - ok
    13:55:22.0296 1564 Boot (0x1200) (1e442660cef99b8c28f9cbfd3969c8bc) \Device\Harddisk0\DR0\Partition0
    13:55:22.0296 1564 \Device\Harddisk0\DR0\Partition0 - ok
    13:55:22.0312 1564 ============================================================
    13:55:22.0312 1564 Scan finished
    13:55:22.0312 1564 ============================================================
    13:55:22.0343 1556 Detected object count: 0
    13:55:22.0343 1556 Actual detected object count: 0
     
  5. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ================================================================

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  6. TheRealTimWells

    TheRealTimWells TS Rookie Topic Starter Posts: 24

    aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-11 14:59:03
    -----------------------------
    14:59:03.718 OS Version: Windows 5.1.2600 Service Pack 3
    14:59:03.718 Number of processors: 2 586 0x1C02
    14:59:03.718 ComputerName: CHANGEME1 UserName: Ali
    14:59:04.328 Initialize success
    14:59:12.015 AVAST engine download error: 0
    14:59:49.093 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    14:59:49.109 Disk 0 Vendor: WDC_WD1600BEVT-24A23T0 01.01A02 Size: 152627MB BusType: 3
    14:59:49.125 Disk 0 MBR read successfully
    14:59:49.140 Disk 0 MBR scan
    14:59:49.140 Disk 0 Windows XP default MBR code
    14:59:49.140 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152617 MB offset 63
    14:59:49.140 Disk 0 scanning sectors +312560640
    14:59:49.234 Disk 0 scanning C:\WINDOWS\system32\drivers
    14:59:55.890 Service scanning
    15:00:10.218 Modules scanning
    15:00:17.468 Disk 0 trace - called modules:
    15:00:17.515 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    15:00:17.515 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d36ab8]
    15:00:17.515 3 CLASSPNP.SYS[f750efd7] -> nt!IofCallDriver -> \Device\00000065[0x86dcab10]
    15:00:17.531 5 ACPI.sys[f7385620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86d34940]
    15:00:17.531 Scan finished successfully
    15:00:55.656 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ali\Desktop\MBR.dat"
    15:00:55.687 The log file has been saved successfully to "C:\Documents and Settings\Ali\Desktop\aswMBR.txt"


    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
     
  7. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. TheRealTimWells

    TheRealTimWells TS Rookie Topic Starter Posts: 24

    ComboFix 12-03-10.02 - Ali 03/11/2012 15:52:42.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.488 [GMT 13:00]
    Running from: c:\documents and settings\Ali\Desktop\ComboFix.exe
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\BetterCareerSearch_2bEI
    c:\program files\TelevisionFanaticEI
    c:\program files\TotalRecipeSearch_14EI
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-11 to 2012-03-11 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-10 11:49 . 2012-03-10 11:49 -------- d-----w- c:\documents and settings\Administrator
    2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\documents and settings\Ali\Application Data\Malwarebytes
    2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-03-10 11:25 . 2011-12-10 02:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-26 20:52 . 2012-03-10 11:36 -------- d--h--w- c:\windows\system32\A58227
    2012-02-26 20:52 . 2012-03-10 11:36 -------- d--h--w- c:\windows\system32\216C96
    2012-02-26 20:52 . 2012-02-29 00:51 -------- d--h--w- c:\windows\system32\18CB3B
    2012-02-26 20:52 . 2012-02-26 20:52 -------- d--h--w- c:\windows\system32\CF6B60
    2012-02-25 02:39 . 2012-02-25 02:39 -------- d-----w- c:\program files\CCleaner
    2012-02-25 02:25 . 2012-02-25 02:25 -------- d-----w- c:\documents and settings\Ali\Local Settings\Application Data\WMTools Downloaded Files
    2012-02-25 01:40 . 2012-02-25 01:40 -------- d-----w- c:\windows\Sun
    2012-02-19 20:53 . 2012-02-19 20:53 -------- d-----w- c:\documents and settings\Ali\Application Data\Foxit Software
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2009-11-05 . 600D58665D16BFBB776EFEFB0E80532D . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-25 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
    "RTHDCPL"="RTHDCPL.EXE" [2010-06-02 19527272]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "ShowDeskFix"="shell32" [X]
    "IE8"="advpack.dll" [2009-11-05 128512]
    .
    c:\documents and settings\Ali\Start Menu\Programs\Startup\
    E54A4C.lnk - c:\windows\system32\A58227\E54A4C.EXE [N/A]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\Lenovo\Bluetooth Software\BTTray.exe [2009-1-17 604776]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1992:TCP"= 1992:TCP:mgkavm
    .
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/11/2012 12:25 AM 652360]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/11/2012 12:25 AM 20464]
    S2 apxqn;Time Shell;c:\windows\system32\svchost.exe -k netsvcs [4/15/2008 14336]
    S2 blzjtmx;Config System;c:\windows\system32\svchost.exe -k netsvcs [4/15/2008 14336]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2011 8:31 AM 136176]
    S2 wofflzn;Task Universal;c:\windows\system32\svchost.exe -k netsvcs [4/15/2008 14336]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [3/20/2011 9:38 PM 1691480]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2011 8:31 AM 136176]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys --> c:\windows\system32\Drivers\RtsUStor.sys [?]
    S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - ASWMBR
    *Deregistered* - aswMBR
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    apxqn
    blzjtmx
    wofflzn
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-25 19:31]
    .
    2012-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-25 19:31]
    .
    2012-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1708537768-2146881839-1003Core.job
    - c:\documents and settings\Ali\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-10 23:03]
    .
    2012-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1708537768-2146881839-1003UA.job
    - c:\documents and settings\Ali\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-10 23:03]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\Lenovo\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 192.168.1.254
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-TelevisionFanatic Browser Plugin Loader - c:\progra~1\TELEVI~2\bar\1.bin\64brmon.exe
    MSConfigStartUp-TotalRecipeSearch_14 Browser Plugin Loader - c:\progra~1\TOTALR~2\bar\1.bin\14brmon.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-03-11 15:58
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\apxqn]
    "ServiceDll"="c:\windows\system32\teqbzgu.dll"
    --
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\blzjtmx]
    "ServiceDll"="c:\windows\system32\teqbzgu.dll"
    --
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wofflzn]
    "ServiceDll"="c:\windows\system32\teqbzgu.dll"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2932)
    c:\windows\system32\WININET.dll
    c:\windows\system32\btmmhook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\wpdshserviceobj.dll
    c:\windows\system32\portabledevicetypes.dll
    c:\windows\system32\portabledeviceapi.dll
    .
    Completion time: 2012-03-11 16:00:36
    ComboFix-quarantined-files.txt 2012-03-11 03:00
    .
    Pre-Run: 137,309,818,880 bytes free
    Post-Run: 137,277,984,768 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 4BE099375C335E7E76386BAC414D9E3A
     
  9. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\documents and settings\Ali\Start Menu\Programs\Startup\E54A4C.lnk
    c:\windows\system32\A58227\E54A4C.EXE
    c:\windows\system32\teqbzgu.dll
    
    Folder::
    c:\windows\system32\A58227
    c:\windows\system32\216C96
    c:\windows\system32\18CB3B
    c:\windows\system32\CF6B60
    
    Driver::
    apxqn
    blzjtmx
    wofflzn
    
    NetSvc::
    apxqn
    blzjtmx
    wofflzn
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\apxqn]
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\blzjtmx]
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wofflzn]
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG]


    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  10. TheRealTimWells

    TheRealTimWells TS Rookie Topic Starter Posts: 24

    This is the log that popped up after it rebooted.



    ComboFix 12-03-10.02 - Ali 03/11/2012 16:19:11.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.507 [GMT 13:00]
    Running from: c:\documents and settings\Ali\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Ali\Desktop\CFScript.txt
    .
    FILE ::
    "c:\documents and settings\Ali\Start Menu\Programs\Startup\E54A4C.lnk"
    "c:\windows\system32\A58227\E54A4C.EXE"
    "c:\windows\system32\teqbzgu.dll"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\18CB3B
    c:\windows\system32\18CB3B\405806.txt
    c:\windows\system32\18CB3B\d02bd6.txt
    c:\windows\system32\216C96
    c:\windows\system32\216C96\cnvpe.fne
    c:\windows\system32\216C96\HtmlView.fne
    c:\windows\system32\216C96\internet.fne
    c:\windows\system32\216C96\RegEx.fnr
    c:\windows\system32\216C96\shell.fne
    c:\windows\system32\216C96\spec.fne
    c:\windows\system32\216C96\ZW7N.EXE
    c:\windows\system32\A58227
    c:\windows\system32\CF6B60
    c:\windows\system32\CF6B60\9ab99d31.txt
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_APXQN
    -------\Legacy_BLZJTMX
    -------\Legacy_WOFFLZN
    -------\Service_apxqn
    -------\Service_blzjtmx
    -------\Service_wofflzn
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-11 to 2012-03-11 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-10 11:49 . 2012-03-10 11:49 -------- d-----w- c:\documents and settings\Administrator
    2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\documents and settings\Ali\Application Data\Malwarebytes
    2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-03-10 11:25 . 2011-12-10 02:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-25 02:39 . 2012-02-25 02:39 -------- d-----w- c:\program files\CCleaner
    2012-02-25 02:25 . 2012-02-25 02:25 -------- d-----w- c:\documents and settings\Ali\Local Settings\Application Data\WMTools Downloaded Files
    2012-02-25 01:40 . 2012-02-25 01:40 -------- d-----w- c:\windows\Sun
    2012-02-19 20:53 . 2012-02-19 20:53 -------- d-----w- c:\documents and settings\Ali\Application Data\Foxit Software
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2009-11-05 . 600D58665D16BFBB776EFEFB0E80532D . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-03-11_02.58.36 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-03-11 03:26 . 2012-03-11 03:26 16384 c:\windows\Temp\Perflib_Perfdata_248.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-25 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
    "RTHDCPL"="RTHDCPL.EXE" [2010-06-02 19527272]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "ShowDeskFix"="shell32" [X]
    "IE8"="advpack.dll" [2009-11-05 128512]
    .
    c:\documents and settings\Ali\Start Menu\Programs\Startup\
    E54A4C.lnk - c:\windows\system32\A58227\E54A4C.EXE [N/A]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\Lenovo\Bluetooth Software\BTTray.exe [2009-1-17 604776]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1992:TCP"= 1992:TCP:mgkavm
    .
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/11/2012 12:25 AM 652360]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/11/2012 12:25 AM 20464]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2011 8:31 AM 136176]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [3/20/2011 9:38 PM 1691480]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2011 8:31 AM 136176]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys --> c:\windows\system32\Drivers\RtsUStor.sys [?]
    S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-25 19:31]
    .
    2012-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-25 19:31]
    .
    2012-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1708537768-2146881839-1003Core.job
    - c:\documents and settings\Ali\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-10 23:03]
    .
    2012-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1708537768-2146881839-1003UA.job
    - c:\documents and settings\Ali\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-10 23:03]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\Lenovo\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 192.168.1.254
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-03-11 16:26
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(1876)
    c:\windows\system32\WININET.dll
    c:\windows\system32\btmmhook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\wpdshserviceobj.dll
    c:\windows\system32\btncopy.dll
    c:\windows\system32\portabledevicetypes.dll
    c:\windows\system32\portabledeviceapi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\igfxsrvc.exe
    c:\progra~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
    c:\program files\Lenovo\Bluetooth Software\bin\btwdins.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2012-03-11 16:29:17 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-03-11 03:29
    ComboFix2.txt 2012-03-11 03:00
    .
    Pre-Run: 137,294,725,120 bytes free
    Post-Run: 137,214,205,952 bytes free
    .
    - - End Of File - - B0446CE1F6AAAD5E33221F98DEFB041B
     
  11. TheRealTimWells

    TheRealTimWells TS Rookie Topic Starter Posts: 24

    Something has changed because the computer is wanting me to do Windows updates, although I won't until you tell me to!
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    Good news :)

    At this point your computer should be fairly clean so you can allow updates to run.

    When done.....

    Install ONE of these:
    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
    - free Microsoft Security Essentials: http://windows.microsoft.com/en-GB/windows/products/security-essentials
    - free Comodo Antivirus: http://www.comodo.com/home/internet-security/antivirus.php
    Update, run full scan, report on any findings.

    Next...

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  13. TheRealTimWells

    TheRealTimWells TS Rookie Topic Starter Posts: 24

    Avast found 31 problems. I don't know the difference between the options Repair, put in chest or delete. Can you advise me on this?
     
  14. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    Put in the chest is the best option.
     
  15. TheRealTimWells

    TheRealTimWells TS Rookie Topic Starter Posts: 24

    Avast moved 32 win32:Malware-gen threats to chest, but...

    C:\WINDOWS\system32\teqbzgu.dll Threat: Win32:Rootkin-gen [Rtk] Error: Access denied

    Should I proceed with OTL?
    Should I stop Avast and Malwarebytes while scanning with OTL?
     
  16. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\documents and settings\Ali\Start Menu\Programs\Startup\E54A4C.lnk
    c:\windows\system32\A58227\E54A4C.EXE
    C:\WINDOWS\system32\teqbzgu.dll
    
    Folder::
    c:\windows\system32\A58227
    
    Rootkit::
    C:\WINDOWS\system32\teqbzgu.dll
    
    Registry::
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG]


    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
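    As an added example (not code from this thread, from Broni, or from ComboFix's authors), here is a small Python triage script that runs over a constructed excerpt modelled on the ComboFix log above: it flags the three randomly named services (apxqn, blzjtmx, wofflzn) that all load the same ServiceDll, the disabled firewall profile and the globally opened port 1992/TCP, and renders the File::/Driver::/NetSvc::/Registry:: sections (plus the Rootkit:: section used in post 16) of a CFScript in the layout used in posts 9 and 16. The "Browser" service entry in the sample is a made-up benign control, and all function names are the example's own.

```python
"""Triage the service and firewall entries of a ComboFix log and render a CFScript."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the ComboFix log posted earlier in this thread: the
# three service names, the DLL and the firewall lines come from that log; "Browser"
# is a made-up benign control entry so the shared-DLL check has something to pass.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\apxqn]
"ServiceDll"="c:\windows\system32\teqbzgu.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\blzjtmx]
"ServiceDll"="c:\windows\system32\teqbzgu.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wofflzn]
"ServiceDll"="c:\windows\system32\teqbzgu.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Browser]
"ServiceDll"="c:\windows\system32\browser.dll"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1992:TCP"= 1992:TCP:mgkavm
"""

SERVICE_KEY = re.compile(r'^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]\\]+)\]$', re.I)
SERVICE_DLL = re.compile(r'^"ServiceDll"="([^"]+)"$', re.I)
FW_ENABLE = re.compile(r'^"EnableFirewall"=\s*(\d+)', re.I)
FW_PORT = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(\S+)', re.I)


def parse_service_dlls(log):
    """Map service name -> ServiceDll path for each Services\\<name> key that declares one."""
    services, current = {}, None
    for line in log.splitlines():
        line = line.strip()
        key = SERVICE_KEY.match(line)
        if key:
            current = key.group(1)
            continue
        dll = SERVICE_DLL.match(line)
        if dll and current:
            services[current] = dll.group(1).lower()
            current = None
    return services


def shared_service_dlls(services):
    """Return {dll: [service, ...]} for every DLL hosted by more than one service."""
    # Several randomly named services all hosting one DLL in system32 is the pattern
    # the log above shows; legitimate svchost-hosted services normally have their own.
    by_dll = defaultdict(list)
    for name, dll in services.items():
        by_dll[dll].append(name)
    return {dll: sorted(names) for dll, names in by_dll.items() if len(names) > 1}


def parse_firewall(log):
    """Extract the standard-profile EnableFirewall flag and globally opened ports."""
    state = {"enabled": None, "open_ports": []}
    for line in log.splitlines():
        line = line.strip()
        flag = FW_ENABLE.match(line)
        if flag:
            state["enabled"] = flag.group(1) != "0"
        port = FW_PORT.match(line)
        if port:
            state["open_ports"].append((int(port.group(1)), port.group(2).upper(), port.group(3)))
    return state


def triage(log):
    """Return human-readable findings for a reviewer to confirm before any cleanup."""
    findings = []
    for dll, names in shared_service_dlls(parse_service_dlls(log)).items():
        findings.append(f"{len(names)} services ({', '.join(names)}) share ServiceDll {dll}")
    firewall = parse_firewall(log)
    if firewall["enabled"] is False:
        findings.append("Windows Firewall standard profile is disabled (EnableFirewall=0)")
    for number, proto, label in firewall["open_ports"]:
        findings.append(f"globally open port {number}/{proto} labelled {label!r}")
    return findings


def build_cfscript(services, files=(), folders=(), rootkit=()):
    """Render CFScript.txt text in the section layout used in posts 9 and 16 of this thread."""
    # Driver::/NetSvc::/Registry:: remove the listed services; Rootkit:: is the
    # section post 16 uses for the DLL that Avast could not delete (access denied).
    lines = ["File::", *files, "", "Folder::", *folders, ""]
    if rootkit:
        lines += ["Rootkit::", *rootkit, ""]
    lines += ["Driver::", *services, "", "NetSvc::", *services, "", "Registry::"]
    lines += [f"[-HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\{s}]" for s in services]
    lines += ["", "ClearJavaCache::", ""]
    return "\n".join(lines)
```

Running triage(SAMPLE_LOG) reports the shared DLL, the disabled firewall and the open port; the services it flags are exactly the three Broni removed in post 9.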
     
  17. TheRealTimWells

    TheRealTimWells TS Rookie Topic Starter Posts: 24

    Avast and malware kicked in when the computer rebooted and stopped everything. What should I do?
     
  18. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    What do you mean by stopped everything?

    With Avast you should have selected "Disable permanently" so it doesn't kick in after restart.

    If needed, re-run the ComboFix fix.
     
  19. TheRealTimWells

    TheRealTimWells TS Rookie Topic Starter Posts: 24

    Thank you for your patience,


    ComboFix 12-03-10.02 - Ali 03/12/2012 11:18:06.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.542 [GMT 13:00]
    Running from: c:\documents and settings\Ali\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Ali\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    FILE ::
    "c:\documents and settings\Ali\Start Menu\Programs\Startup\E54A4C.lnk"
    "c:\windows\system32\A58227\E54A4C.EXE"
    "c:\windows\system32\teqbzgu.dll"
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-11 to 2012-03-11 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-11 04:46 . 2012-03-07 00:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-03-11 04:46 . 2012-03-07 00:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-03-11 04:46 . 2012-03-07 00:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-03-11 04:46 . 2012-03-07 00:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-03-11 04:46 . 2012-03-07 00:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-03-11 04:46 . 2012-03-07 00:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2012-03-11 04:46 . 2012-03-07 00:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2012-03-11 04:46 . 2012-03-06 23:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2012-03-11 04:45 . 2012-03-07 00:15 41184 ----a-w- c:\windows\avastSS.scr
    2012-03-11 04:45 . 2012-03-07 00:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
    2012-03-11 04:45 . 2012-03-11 04:45 -------- d-----w- c:\program files\AVAST Software
    2012-03-11 04:45 . 2012-03-11 04:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2012-03-11 04:33 . 2008-04-14 11:00 221184 ----a-w- c:\windows\system32\wmpns.dll
    2012-03-11 04:33 . 2011-08-12 00:51 26488 ----a-w- c:\windows\system32\spupdsvc.exe
    2012-03-11 04:24 . 2012-03-11 04:24 -------- d-----w- c:\windows\ie8updates
    2012-03-11 04:23 . 2012-03-11 04:37 -------- d--h--w- c:\windows\$hf_mig$
    2012-03-11 03:34 . 2009-11-27 17:11 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
    2012-03-11 03:33 . 2009-11-27 16:07 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
    2012-03-11 03:33 . 2009-11-27 16:07 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
    2012-03-11 03:33 . 2011-07-15 13:29 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
    2012-03-11 03:32 . 2011-10-25 13:37 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2012-03-11 03:32 . 2011-10-25 13:33 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
    2012-03-11 03:32 . 2011-10-25 12:52 2069376 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
    2012-03-11 03:32 . 2011-10-25 12:52 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
    2012-03-11 03:32 . 2011-12-17 19:45 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2012-03-11 03:32 . 2011-12-17 19:45 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2012-03-11 03:32 . 2011-12-17 19:45 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2012-03-11 03:32 . 2011-12-17 19:45 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2012-03-11 03:32 . 2011-12-17 19:45 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2012-03-11 03:32 . 2011-12-17 19:45 2001408 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2012-03-11 03:32 . 2011-12-17 19:45 11085312 -c----w- c:\windows\system32\dllcache\ieframe.dll
    2012-03-11 03:31 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
    2012-03-11 03:31 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
    2012-03-11 03:27 . 2009-08-06 06:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2012-03-10 11:49 . 2012-03-10 11:49 -------- d-----w- c:\documents and settings\Administrator
    2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\documents and settings\Ali\Application Data\Malwarebytes
    2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-03-10 11:25 . 2011-12-10 02:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-25 02:39 . 2012-02-25 02:39 -------- d-----w- c:\program files\CCleaner
    2012-02-25 02:25 . 2012-02-25 02:25 -------- d-----w- c:\documents and settings\Ali\Local Settings\Application Data\WMTools Downloaded Files
    2012-02-25 01:40 . 2012-02-25 01:40 -------- d-----w- c:\windows\Sun
    2012-02-19 20:53 . 2012-02-19 20:53 -------- d-----w- c:\documents and settings\Ali\Application Data\Foxit Software
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-12 16:54 . 2009-11-10 16:54 1869056 ----a-w- c:\windows\system32\win32k.sys
    2011-12-17 19:45 . 2009-12-08 17:07 919552 ----a-w- c:\windows\system32\wininet.dll
    2011-12-17 19:45 . 2009-12-08 17:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-12-17 19:45 . 2009-11-05 12:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-12-16 12:32 . 2009-11-05 12:53 385024 ----a-w- c:\windows\system32\html.iec
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2009-11-05 . 600D58665D16BFBB776EFEFB0E80532D . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-03-11_02.58.36 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-11 11:02 . 2009-07-11 11:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
    + 2009-07-11 11:02 . 2009-07-11 11:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
    + 2009-07-11 11:02 . 2009-07-11 11:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
    + 2009-07-11 11:02 . 2009-07-11 11:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
    + 2009-07-11 11:02 . 2009-07-11 11:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
    + 2009-07-11 11:02 . 2009-07-11 11:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
    + 2009-07-11 11:02 . 2009-07-11 11:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
    + 2009-07-11 11:02 . 2009-07-11 11:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
    + 2009-07-11 11:02 . 2009-07-11 11:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
    + 2009-07-11 11:02 . 2009-07-11 11:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
    + 2009-07-11 11:02 . 2009-07-11 11:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
    + 2009-07-11 11:02 . 2009-07-11 11:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
    + 2009-07-11 11:05 . 2009-07-11 11:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
    + 2009-07-11 11:05 . 2009-07-11 11:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
    + 2012-03-11 22:34 . 2012-03-11 22:34 16384 c:\windows\Temp\Perflib_Perfdata_80.dat
    + 2008-11-09 20:20 . 2009-08-06 06:24 44768 c:\windows\system32\wups2.dll
    + 2011-03-20 19:07 . 2009-08-06 06:24 35552 c:\windows\system32\wups.dll
    + 2011-03-20 19:07 . 2009-08-06 06:24 53472 c:\windows\system32\wuauclt.exe
    + 2009-10-28 14:07 . 2011-11-08 13:46 46080 c:\windows\system32\tzchange.exe
    - 2009-10-28 14:07 . 2009-10-28 14:07 46080 c:\windows\system32\tzchange.exe
    + 2008-04-14 11:00 . 2010-08-27 05:57 99840 c:\windows\system32\srvsvc.dll
    + 2008-04-14 11:00 . 2010-08-17 13:17 58880 c:\windows\system32\spoolsv.exe
    - 2011-03-20 19:09 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
    + 2011-03-20 19:09 . 2010-02-22 14:23 17272 c:\windows\system32\spmsg.dll
    + 2012-03-11 03:27 . 2009-08-06 06:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
    + 2012-03-11 03:27 . 2009-08-06 06:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
    + 2008-04-14 11:00 . 2011-11-18 12:35 60416 c:\windows\system32\packager.exe
    + 2008-04-14 11:00 . 2011-09-25 22:41 20480 c:\windows\system32\oleaccrc.dll
    + 2008-04-14 04:42 . 2009-11-27 17:11 17920 c:\windows\system32\msyuv.dll
    + 2008-04-14 11:00 . 2009-11-27 16:07 28672 c:\windows\system32\msvidc32.dll
    - 2008-04-14 11:00 . 2008-04-14 11:00 11264 c:\windows\system32\msrle32.dll
    + 2008-04-14 11:00 . 2009-11-27 16:07 11264 c:\windows\system32\msrle32.dll
    + 2009-11-05 12:54 . 2011-12-17 19:45 66560 c:\windows\system32\mshtmled.dll
    - 2009-11-05 12:54 . 2009-11-05 12:54 66560 c:\windows\system32\mshtmled.dll
    - 2009-12-08 17:06 . 2009-12-08 17:06 55296 c:\windows\system32\msfeedsbs.dll
    + 2009-12-08 17:06 . 2011-12-17 19:45 55296 c:\windows\system32\msfeedsbs.dll
    + 2008-04-14 11:00 . 2011-10-14 14:47 23040 c:\windows\system32\mciseq.dll
    - 2008-04-14 11:00 . 2008-04-14 11:00 23040 c:\windows\system32\mciseq.dll
    - 2009-12-08 17:06 . 2009-12-08 17:06 25600 c:\windows\system32\jsproxy.dll
    + 2009-12-08 17:06 . 2011-12-17 19:45 25600 c:\windows\system32\jsproxy.dll
    + 2008-04-14 04:41 . 2009-11-27 16:07 48128 c:\windows\system32\iyuv_32.dll
    - 2011-03-20 19:06 . 2008-04-14 11:00 81920 c:\windows\system32\isign32.dll
    + 2011-03-20 19:06 . 2010-11-18 18:12 81920 c:\windows\system32\isign32.dll
    - 2008-04-14 11:00 . 2008-04-14 11:00 80384 c:\windows\system32\iccvid.dll
    + 2008-04-14 11:00 . 2010-06-17 14:03 80384 c:\windows\system32\iccvid.dll
    + 2009-11-05 12:53 . 2009-10-15 16:28 81920 c:\windows\system32\fontsub.dll
    - 2009-11-05 12:53 . 2009-11-05 12:53 81920 c:\windows\system32\fontsub.dll
    + 2011-03-20 19:56 . 2012-03-11 04:38 95072 c:\windows\system32\FNTCACHE.DAT
    - 2011-03-20 19:56 . 2011-03-22 07:19 95072 c:\windows\system32\FNTCACHE.DAT
    + 2008-04-14 11:00 . 2010-11-02 15:17 40960 c:\windows\system32\drivers\ndproxy.sys
    + 2008-04-14 11:00 . 2011-07-08 14:02 10496 c:\windows\system32\drivers\ndistapi.sys
    + 2008-04-14 11:00 . 2009-04-20 17:17 45568 c:\windows\system32\dnsrslvr.dll
    - 2008-04-14 11:00 . 2008-04-14 11:00 45568 c:\windows\system32\dnsrslvr.dll
    + 2011-03-20 19:07 . 2009-08-06 06:24 35552 c:\windows\system32\dllcache\wups.dll
    + 2011-03-20 19:07 . 2009-08-06 06:24 53472 c:\windows\system32\dllcache\wuauclt.exe
    + 2011-03-20 19:06 . 2010-10-11 14:59 45568 c:\windows\system32\dllcache\wab.exe
    + 2008-04-14 11:00 . 2010-08-27 05:57 99840 c:\windows\system32\dllcache\srvsvc.dll
    + 2008-04-14 11:00 . 2010-08-17 13:17 58880 c:\windows\system32\dllcache\spoolsv.exe
    + 2008-04-14 11:00 . 2011-11-18 12:35 60416 c:\windows\system32\dllcache\packager.exe
    + 2008-04-14 11:00 . 2011-09-25 22:41 20480 c:\windows\system32\dllcache\oleaccrc.dll
    + 2008-04-14 11:00 . 2010-11-02 15:17 40960 c:\windows\system32\dllcache\ndproxy.sys
    + 2008-04-14 11:00 . 2011-07-08 14:02 10496 c:\windows\system32\dllcache\ndistapi.sys
    + 2008-04-14 11:00 . 2009-11-27 16:07 28672 c:\windows\system32\dllcache\msvidc32.dll
    - 2008-04-14 11:00 . 2008-04-14 11:00 11264 c:\windows\system32\dllcache\msrle32.dll
    + 2008-04-14 11:00 . 2009-11-27 16:07 11264 c:\windows\system32\dllcache\msrle32.dll
    - 2009-11-05 12:54 . 2009-11-05 12:54 66560 c:\windows\system32\dllcache\mshtmled.dll
    + 2009-11-05 12:54 . 2011-12-17 19:45 66560 c:\windows\system32\dllcache\mshtmled.dll
    + 2008-04-14 11:00 . 2011-10-14 14:47 23040 c:\windows\system32\dllcache\mciseq.dll
    - 2008-04-14 11:00 . 2008-04-14 11:00 23040 c:\windows\system32\dllcache\mciseq.dll
    + 2009-11-05 12:53 . 2011-12-17 19:45 43520 c:\windows\system32\dllcache\licmgr10.dll
    + 2009-12-08 17:06 . 2011-12-17 19:45 25600 c:\windows\system32\dllcache\jsproxy.dll
    - 2009-12-08 17:06 . 2009-12-08 17:06 25600 c:\windows\system32\dllcache\jsproxy.dll
    - 2011-03-20 19:06 . 2008-04-14 11:00 81920 c:\windows\system32\dllcache\isign32.dll
    + 2011-03-20 19:06 . 2010-11-18 18:12 81920 c:\windows\system32\dllcache\isign32.dll
    - 2009-11-05 12:53 . 2009-11-05 12:53 81920 c:\windows\system32\dllcache\fontsub.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-03-07 00:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-25 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
    "RTHDCPL"="RTHDCPL.EXE" [2010-06-02 19527272]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "ShowDeskFix"="shell32" [X]
    "IE8"="advpack.dll" [2009-11-05 128512]
    .
    c:\documents and settings\Ali\Start Menu\Programs\Startup\
    E54A4C.lnk - c:\windows\system32\A58227\E54A4C.EXE [N/A]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\Lenovo\Bluetooth Software\BTTray.exe [2009-1-17 604776]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1992:TCP"= 1992:TCP:mgkavm
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/11/2012 5:46 PM 612184]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/11/2012 5:46 PM 337880]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/11/2012 5:46 PM 20696]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/11/2012 12:25 AM 652360]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/11/2012 12:25 AM 20464]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2011 8:31 AM 136176]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [3/20/2011 9:38 PM 1691480]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2011 8:31 AM 136176]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys --> c:\windows\system32\Drivers\RtsUStor.sys [?]
    S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-25 19:31]
    .
    2012-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-25 19:31]
    .
    2012-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1708537768-2146881839-1003Core.job
    - c:\documents and settings\Ali\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-10 23:03]
    .
    2012-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1708537768-2146881839-1003UA.job
    - c:\documents and settings\Ali\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-10 23:03]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\Lenovo\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-03-12 11:34
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3988)
    c:\windows\system32\WININET.dll
    c:\windows\system32\btmmhook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\wpdshserviceobj.dll
    c:\windows\system32\btncopy.dll
    c:\windows\system32\portabledevicetypes.dll
    c:\windows\system32\portabledeviceapi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Lenovo\Bluetooth Software\bin\btwdins.exe
    c:\progra~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2012-03-12 11:40:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-03-11 22:40
    ComboFix2.txt 2012-03-11 03:29
    ComboFix3.txt 2012-03-11 03:00
    .
    Pre-Run: 135,429,967,872 bytes free
    Post-Run: 135,380,049,920 bytes free
    .
    - - End Of File - - FEC1F31B0C23274634A6F66CB8711A3B
     
  20. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    For x86 bit systems please download GrantPerms.zip and save it to your desktop.
    For x64 bit systems please download GrantPerms64.zip and save it to your desktop.
    Unzip the file and, depending on the system, run GrantPerms.exe or GrantPerms64.exe.
    Copy and paste the following in the edit box:

    Code:
    c:\windows\system32\teqbzgu.dll
    c:\windows\system32\a58227\E54A4C.EXE
    c:\docume~1\ali\startm~1\programs\startup\e54a4c.lnk
    
    Click Unlock. When it is done click "OK".
    Click List Permissions and post the result of Perms.txt file that pops up.
    A copy of Perms.txt will be saved in the same directory the tool is run.

    ======================================================================

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\documents and settings\Ali\Start Menu\Programs\Startup\E54A4C.lnk
    c:\windows\system32\A58227\E54A4C.EXE
    C:\WINDOWS\system32\teqbzgu.dll
    
    Folder::
    c:\windows\system32\A58227
    
    Rootkit::
    C:\WINDOWS\system32\teqbzgu.dll
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and antimalware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG]


    6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
    • Combofix.txt
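How a helper reads the Run keys and Startup folders in the ComboFix log above, as an added example (Python; not ComboFix's code and not part of this thread): it parses a constructed, trimmed copy of the Reg Loading Points block and flags the one entry whose target ComboFix could not stat ([N/A]) and whose path sits in a hex-named folder under system32, which is the E54A4C.lnk the CFScript above removes. The three flag heuristics are my own assumptions, not a ComboFix feature.

```python
"""Triage the autorun entries of a ComboFix 'Reg Loading Points' block.

Added example for this thread: not ComboFix's own code and not part of
the original post. SAMPLE_LINES is a constructed, trimmed copy of the
Run keys and Startup folders in the log above; the flag heuristics
(target ComboFix could not stat, hex-named folder under system32,
hex-named file) are my own, not a ComboFix feature.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, trimmed from the Reg Loading Points block above.
SAMPLE_LINES = [
    r'[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]',
    r'"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-25 39408]',
    '.',
    r'[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]',
    r'"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]',
    r'"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512]',
    '.',
    'c:\\documents and settings\\Ali\\Start Menu\\Programs\\Startup\\',
    r'E54A4C.lnk - c:\windows\system32\A58227\E54A4C.EXE [N/A]',
    '.',
    'c:\\documents and settings\\All Users\\Start Menu\\Programs\\Startup\\',
    r'Bluetooth.lnk - c:\program files\Lenovo\Bluetooth Software\BTTray.exe [2009-1-17 604776]',
]

# "name"="target" [date size]   (registry Run values)
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
# name.lnk - target [date size]   (Startup folder shortcuts)
LNK_ENTRY = re.compile(r'^(?P<name>\S+\.lnk)\s+-\s+(?P<target>.+?)\s*\[(?P<meta>[^\]]*)\]$', re.I)
HEX_SYS32_DIR = re.compile(r'\\system32\\[0-9a-f]{6,8}\\', re.I)   # e.g. system32\A58227\
HEX_STEM = re.compile(r'^[0-9a-f]{6,}$', re.I)                      # e.g. E54A4C(.EXE)


@dataclass
class Autorun:
    source: str          # registry key or Startup folder the entry lives in
    name: str
    target: str
    meta: str            # ComboFix's "[date size]" text, or "N/A"
    flags: list = field(default_factory=list)


def parse_autoruns(lines):
    """Return every Run value / Startup shortcut with the key or folder it came from."""
    entries, source = [], ''
    for raw in lines:
        line = raw.strip()
        if not line or line == '.':
            continue
        if line.startswith('[') and line.endswith(']'):   # [HKEY_...\Run]
            source = line[1:-1]
            continue
        if line.endswith('\\'):                            # Startup folder path
            source = line
            continue
        m = REG_VALUE.match(line) or LNK_ENTRY.match(line)
        if m:
            entries.append(Autorun(source, m['name'], m['target'], m['meta']))
    return entries


def flag(entry):
    """Attach the heuristic flags a helper would look at first (my heuristics)."""
    if entry.meta.strip().upper() == 'N/A':
        entry.flags.append('unreadable-target')      # ComboFix could not stat the file
    if HEX_SYS32_DIR.search(entry.target):
        entry.flags.append('hex-dir-under-system32')
    stem = entry.target.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    if HEX_STEM.match(stem):
        entry.flags.append('hex-named-file')
    return entry


def triage(lines):
    return [flag(e) for e in parse_autoruns(lines)]


def suspicious(lines):
    """Only the entries that tripped at least one flag."""
    return [e for e in triage(lines) if e.flags]


if __name__ == '__main__':
    for e in suspicious(SAMPLE_LINES):
        print(f"{e.name}: {e.target}  flags={e.flags}\n  in {e.source}")
```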
     
  21. TheRealTimWells

    TheRealTimWells TS Rookie Topic Starter Posts: 24

    I'm running XP Pro v. 2002 SP3. I believe that means I'm 32-bit, so which GrantPerms do I use?

    In the post you've got:
    For x86 bit systems please download GrantPerms.zip and save it to your desktop.
    For x64 bit systems please download GrantPerms64.zip and save it to your desktop.

    Any chance that was meant to be x32 bit, or is there another version?
     
  22. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    Yes.............
     
  23. TheRealTimWells

    TheRealTimWells TS Rookie Topic Starter Posts: 24

    GrantPerms by Farbar
    Ran by Ali (administrator) at 2012-03-13 18:19:58

    ===============================================
    ERROR: Parsing the SD of <\\?\c:\windows\system32\teqbzgu.dll> failed with: The system cannot find the file specified.


    Operating system error message: The system cannot find the file specified.
    ERROR: Parsing the SD of <\\?\c:\windows\system32\a58227\E54A4C.EXE> failed with: The system cannot find the path specified.


    Operating system error message: The system cannot find the path specified.
    \\?\c:\docume~1\ali\startm~1\programs\startup\e54a4c.lnk

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    BUILTIN\Users READ/EXECUTE ALLOW (NI)
    CHANGEME1\Ali FULL ALLOW (I)
    NT AUTHORITY\SYSTEM FULL ALLOW (I)
    BUILTIN\Administrators FULL ALLOW (I)
     
  24. TheRealTimWells

    TheRealTimWells TS Rookie Topic Starter Posts: 24

    ComboFix 12-03-10.02 - Ali 03/13/2012 18:27:46.5.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.520 [GMT 13:00]
    Running from: c:\documents and settings\Ali\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Ali\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    FILE ::
    "c:\documents and settings\Ali\Start Menu\Programs\Startup\E54A4C.lnk"
    "c:\windows\system32\A58227\E54A4C.EXE"
    "c:\windows\system32\teqbzgu.dll"
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-13 to 2012-03-13 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-11 04:46 . 2012-03-07 00:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-03-11 04:46 . 2012-03-07 00:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-03-11 04:46 . 2012-03-07 00:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-03-11 04:46 . 2012-03-07 00:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-03-11 04:46 . 2012-03-07 00:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-03-11 04:46 . 2012-03-07 00:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2012-03-11 04:46 . 2012-03-07 00:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2012-03-11 04:46 . 2012-03-06 23:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2012-03-11 04:45 . 2012-03-07 00:15 41184 ----a-w- c:\windows\avastSS.scr
    2012-03-11 04:45 . 2012-03-07 00:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
    2012-03-11 04:45 . 2012-03-11 04:45 -------- d-----w- c:\program files\AVAST Software
    2012-03-11 04:45 . 2012-03-11 04:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2012-03-11 04:33 . 2008-04-14 11:00 221184 ----a-w- c:\windows\system32\wmpns.dll
    2012-03-11 04:33 . 2011-08-12 00:51 26488 ----a-w- c:\windows\system32\spupdsvc.exe
    2012-03-11 04:24 . 2012-03-11 04:24 -------- d-----w- c:\windows\ie8updates
    2012-03-11 04:23 . 2012-03-11 04:37 -------- d--h--w- c:\windows\$hf_mig$
    2012-03-11 03:34 . 2009-11-27 17:11 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
    2012-03-11 03:33 . 2009-11-27 16:07 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
    2012-03-11 03:33 . 2009-11-27 16:07 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
    2012-03-11 03:33 . 2011-07-15 13:29 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
    2012-03-11 03:32 . 2011-10-25 13:37 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2012-03-11 03:32 . 2011-10-25 13:33 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
    2012-03-11 03:32 . 2011-10-25 12:52 2069376 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
    2012-03-11 03:32 . 2011-10-25 12:52 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
    2012-03-11 03:32 . 2011-12-17 19:45 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2012-03-11 03:32 . 2011-12-17 19:45 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2012-03-11 03:32 . 2011-12-17 19:45 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2012-03-11 03:32 . 2011-12-17 19:45 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2012-03-11 03:32 . 2011-12-17 19:45 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2012-03-11 03:32 . 2011-12-17 19:45 2001408 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2012-03-11 03:32 . 2011-12-17 19:45 11085312 -c----w- c:\windows\system32\dllcache\ieframe.dll
    2012-03-11 03:31 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
    2012-03-11 03:31 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
    2012-03-11 03:27 . 2009-08-06 06:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2012-03-10 11:49 . 2012-03-10 11:49 -------- d-----w- c:\documents and settings\Administrator
    2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\documents and settings\Ali\Application Data\Malwarebytes
    2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-03-10 11:25 . 2011-12-10 02:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-25 02:39 . 2012-02-25 02:39 -------- d-----w- c:\program files\CCleaner
    2012-02-25 02:25 . 2012-02-25 02:25 -------- d-----w- c:\documents and settings\Ali\Local Settings\Application Data\WMTools Downloaded Files
    2012-02-25 01:40 . 2012-02-25 01:40 -------- d-----w- c:\windows\Sun
    2012-02-19 20:53 . 2012-02-19 20:53 -------- d-----w- c:\documents and settings\Ali\Application Data\Foxit Software
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-12 16:54 . 2009-11-10 16:54 1869056 ----a-w- c:\windows\system32\win32k.sys
    2011-12-17 19:45 . 2009-12-08 17:07 919552 ----a-w- c:\windows\system32\wininet.dll
    2011-12-17 19:45 . 2009-12-08 17:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-12-17 19:45 . 2009-11-05 12:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-12-16 12:32 . 2009-11-05 12:53 385024 ----a-w- c:\windows\system32\html.iec
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2009-11-05 . 600D58665D16BFBB776EFEFB0E80532D . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((( SnapShot_2012-03-11_22.34.54 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-04-18 09:51 . 2011-04-18 09:51 51024 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_4ddc769f\vcomp90.dll
    + 2011-04-18 09:51 . 2011-04-18 09:51 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90rus.dll
    + 2011-04-18 09:51 . 2011-04-18 09:51 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90kor.dll
    + 2011-04-18 09:51 . 2011-04-18 09:51 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90jpn.dll
    + 2011-04-18 09:51 . 2011-04-18 09:51 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90ita.dll
    + 2011-04-18 09:51 . 2011-04-18 09:51 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90fra.dll
    + 2011-04-18 09:51 . 2011-04-18 09:51 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90esp.dll
    + 2011-04-18 09:51 . 2011-04-18 09:51 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90esn.dll
    + 2011-04-18 09:51 . 2011-04-18 09:51 53584 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90enu.dll
    + 2011-04-18 09:51 . 2011-04-18 09:51 63312 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90deu.dll
    + 2011-04-18 09:51 . 2011-04-18 09:51 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90cht.dll
    + 2011-04-18 09:51 . 2011-04-18 09:51 35664 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90chs.dll
    + 2011-04-18 09:51 . 2011-04-18 09:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfcm90u.dll
    + 2011-04-18 09:51 . 2011-04-18 09:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfcm90.dll
    + 2012-03-13 05:43 . 2012-03-13 05:43 16384 c:\windows\Temp\Perflib_Perfdata_7fc.dat
    + 2011-04-18 09:51 . 2011-04-18 09:51 653136 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcr90.dll
    + 2011-04-18 09:51 . 2011-04-18 09:51 569680 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcp90.dll
    + 2011-04-18 09:51 . 2011-04-18 09:51 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcm90.dll
    + 2011-04-18 09:51 . 2011-04-18 09:51 159048 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_92453bb7\atl90.dll
    + 2012-03-12 07:49 . 2012-03-12 07:49 223744 c:\windows\Installer\153df2.msi
    + 2011-04-18 09:51 . 2011-04-18 09:51 3781960 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfc90u.dll
    + 2011-04-18 09:51 . 2011-04-18 09:51 3766600 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfc90.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-03-07 00:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-25 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
    "RTHDCPL"="RTHDCPL.EXE" [2010-06-02 19527272]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "ShowDeskFix"="shell32" [X]
    "IE8"="advpack.dll" [2009-11-05 128512]
    .
    c:\documents and settings\Ali\Start Menu\Programs\Startup\
    E54A4C.lnk - c:\windows\system32\A58227\E54A4C.EXE [N/A]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\Lenovo\Bluetooth Software\BTTray.exe [2009-1-17 604776]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1992:TCP"= 1992:TCP:mgkavm
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/11/2012 5:46 PM 612184]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/11/2012 5:46 PM 337880]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/11/2012 5:46 PM 20696]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/11/2012 12:25 AM 652360]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/11/2012 12:25 AM 20464]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2011 8:31 AM 136176]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [3/20/2011 9:38 PM 1691480]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2011 8:31 AM 136176]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys --> c:\windows\system32\Drivers\RtsUStor.sys [?]
    S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-25 19:31]
    .
    2012-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-25 19:31]
    .
    2012-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1708537768-2146881839-1003Core.job
    - c:\documents and settings\Ali\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-10 23:03]
    .
    2012-03-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1708537768-2146881839-1003UA.job
    - c:\documents and settings\Ali\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-10 23:03]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\Lenovo\Bluetooth Software\btsendto_ie.htm
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-03-13 18:44
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2720)
    c:\windows\system32\WININET.dll
    c:\windows\system32\btmmhook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\wpdshserviceobj.dll
    c:\windows\system32\btncopy.dll
    c:\windows\system32\portabledevicetypes.dll
    c:\windows\system32\portabledeviceapi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\RTHDCPL.EXE
    c:\progra~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
    c:\program files\Lenovo\Bluetooth Software\bin\btwdins.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2012-03-13 18:50:01 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-03-13 05:49
    ComboFix2.txt 2012-03-11 22:40
    ComboFix3.txt 2012-03-11 03:29
    ComboFix4.txt 2012-03-11 03:00
    .
    Pre-Run: 135,119,998,976 bytes free
    Post-Run: 135,096,565,760 bytes free
    .
    - - End Of File - - 37E925A801EF6E3AA04633C5388E8C6D
     
  25. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    How is computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     

