TechSpot

Crypt.AQLW infection

By bobobill
Apr 11, 2012
  1. It seems every ten minutes or so AVG pops up with this Crypt.AQLW and says it removed it, but it keeps popping up, and every time I search with Google I get redirected. Can someone help me remove this once and for all? Thanks.

    Edit: I forgot to mention I am running XP.
     
  2. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. bobobill

    bobobill TS Rookie Topic Starter Posts: 28

    malwarebytes log

    Malwarebytes Anti-Malware (Trial) 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.04.11.06

    Windows XP Service Pack 2 x86 NTFS
    Internet Explorer 6.0.2900.2180
    ecp :: CNCS-AC20E5539A [administrator]

    Protection: Enabled

    4/11/2012 5:02:52 PM
    mbam-log-2012-04-11 (17-02-52).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 170355
    Time elapsed: 3 minute(s), 28 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 4
    HKCR\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Quarantined and deleted successfully.
    HKCR\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
    HKLM\System\CurrentControlSet\Services\SPService (TrojanProxy.Agent) -> Quarantined and deleted successfully.

    Registry Values Detected: 5
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{96AFBE69-C3B0-4B00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Data: sp -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Data: -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dplaysvr (Trojan.QHost.BG) -> Data: C:\Documents and Settings\ecp\Application Data\dplaysvr.exe -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost|netsvc (TrojanProxy.Agent) -> Data: SPService^^ -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dplaysvr (Trojan.QHost.BG) -> Data: C:\Documents and Settings\ecp\Application Data\dplaysvr.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    gmer log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-04-11 17:53:04
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e ST380819AS rev.3.04
    Running: 2fvtlgue.exe; Driver: C:\DOCUME~1\ecp\LOCALS~1\Temp\kfddiaob.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----
     
  4. bobobill

    bobobill TS Rookie Topic Starter Posts: 28

    dds.txt log

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 10.2.0
    Run by ecp at 17:59:33 on 2012-04-11
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2551.2097 [GMT -7:00]
    .
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
    C:\Program Files\AVG\AVG2012\avgcsrvx.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\ExpressFiles\EFupdater.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\AVG\AVG2012\avgnsx.exe
    C:\Program Files\AVG\AVG2012\avgemcx.exe
    C:\Program Files\AVG\AVG2012\avgidsagent.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\ExpressFiles\ExpressFiles.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\WINDOWS\system32\BelkinMonitor.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: AVG Do-Not-Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Billeo: {6adb0f93-1aa5-4bcf-9df4-cea689a3c111} - c:\program files\billeo\billeo.dll
    uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [ExpressFiles] "c:\program files\expressfiles\ExpressFiles.exe" -tray
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\windows\system32\BelkinMonitor.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\billeo.lnk - c:\qoobox\quarantine\c\program files\billeo\billeo.exe.vir
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\trojan~1.lnk - c:\program files\trojan guarder gold version\Trojan Guarder.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DA58ACA7-18A6-403A-93DA-6E4172D43709} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
    LSP: mswsock.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
    Hosts: 94.63.147.16 www.google.com
    Hosts: 94.63.147.17 www.bing.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\ecp\application data\mozilla\firefox\profiles\war018ks.default\
    FF - prefs.js: browser.startup.homepage - hxxp://forums.prowrestling.com/
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z192&form=ZGAADF&install_date=20110910&q=
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
    FF - plugin: c:\program files\microsoft silverlight\5.0.61118.0\npctrlui.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\avgidsehx.sys [2011-12-23 22992]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-2-22 235216]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-2-22 299472]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-2-14 5104992]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-4-11 654408]
    R3 anvsnddrv;AnvSoft Virtual Sound Device;c:\windows\system32\drivers\anvsnddrv.sys [2012-2-4 32896]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
    R3 BEL6001P;Belkin 11Mbps Wireless Desktop Adapter (F5D6001 V.2);c:\windows\system32\drivers\BEL6001P.sys [2011-8-30 78720]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-4-11 22344]
    R3 pcand5bk;PCAND5BK PCANDIS5 Protocol Driver;c:\windows\system32\PCAND5BK.SYS [2011-8-30 15104]
    S2 DivisCTS;Sleepy;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
    S2 mfesmfk;Axsnmsvc;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
    S2 pavagente;Ha10kx2k;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
    S2 savrt;Tmesrv3;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
    S2 vet-filt;Slssvc;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-5 253600]
    .
    =============== Created Last 30 ================
    .
    2012-04-11 23:59:32 -------- d-----w- c:\documents and settings\ecp\application data\Malwarebytes
    2012-04-11 23:58:58 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-11 23:58:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-04-11 23:58:58 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-04-11 18:36:59 -------- d-sha-r- C:\cmdcons
    2012-04-11 18:35:38 -------- d-s---w- C:\ComboFix
    2012-04-11 18:29:27 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-04-07 13:01:21 -------- d-----w- c:\windows\system32\drivers\AVG
    2012-04-07 12:17:14 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys
    2012-04-07 12:14:17 98816 ----a-w- c:\windows\sed.exe
    2012-04-07 12:14:17 518144 ----a-w- c:\windows\SWREG.exe
    2012-04-07 12:14:17 256000 ----a-w- c:\windows\PEV.exe
    2012-04-07 12:14:17 208896 ----a-w- c:\windows\MBR.exe
    2012-04-06 14:40:28 -------- d-----w- c:\program files\Trojan Guarder Gold Version
    2012-04-05 13:22:34 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-03-18 12:19:18 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
    2012-03-18 12:19:18 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
    .
    ==================== Find3M ====================
    .
    2012-04-11 18:30:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2012-04-05 13:22:34 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-02-22 12:25:52 299472 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2012-02-22 12:25:32 235216 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2012-02-04 14:35:03 637848 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-02-04 14:35:03 567184 ----a-w- c:\windows\system32\deployJava1.dll
    2012-02-04 14:35:03 141312 ----a-w- c:\windows\system32\javacpl.cpl
    2012-01-31 11:46:50 31952 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    .
    ============= FINISH: 18:00:14.21 ===============
     
  5. bobobill

    bobobill TS Rookie Topic Starter Posts: 28

    attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 10/29/2008 11:26:03 AM
    System Uptime: 4/11/2012 5:37:38 PM (1 hours ago)
    .
    Motherboard: Hewlett-Packard | | 097Ch
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | XU1 PROCESSOR | 2793/800mhz
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | XU1 PROCESSOR | 2793/800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 75 GiB total, 0.83 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Video Controller (VGA Compatible)
    Device ID: PCI\VEN_8086&DEV_2582&SUBSYS_3006103C&REV_04\3&B1BFB68&0&10
    Manufacturer:
    Name: Video Controller (VGA Compatible)
    PNP Device ID: PCI\VEN_8086&DEV_2582&SUBSYS_3006103C&REV_04\3&B1BFB68&0&10
    Service:
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Video Controller
    Device ID: PCI\VEN_8086&DEV_2782&SUBSYS_3006103C&REV_04\3&B1BFB68&0&11
    Manufacturer:
    Name: Video Controller
    PNP Device ID: PCI\VEN_8086&DEV_2782&SUBSYS_3006103C&REV_04\3&B1BFB68&0&11
    Service:
    .
    Class GUID:
    Description: Ethernet Controller
    Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_3006103C&REV_01\4&1886B119&0&00E1
    Manufacturer:
    Name: Ethernet Controller
    PNP Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_3006103C&REV_01\4&1886B119&0&00E1
    Service:
    .
    Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
    Description: PS/2 Compatible Mouse
    Device ID: ACPI\PNP0F13\4&1117367&0
    Manufacturer: Microsoft
    Name: PS/2 Compatible Mouse
    PNP Device ID: ACPI\PNP0F13\4&1117367&0
    Service: i8042prt
    .
    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_BEEP\XX_A88XENC_XX
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_BEEP\XX_A88XENC_XX
    Service: A88xEnc
    .
    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_BEEP\XX_DNWHODISP_XX
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_BEEP\XX_DNWHODISP_XX
    Service: dnwhodisp
    .
    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_BEEP\XX_IAIMTV0_XX
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_BEEP\XX_IAIMTV0_XX
    Service: iaimtv0
    .
    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_BEEP\XX_SPSERVICE_XX
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_BEEP\XX_SPSERVICE_XX
    Service: SPService
    .
    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_BEEP\XX_ZTEUSBMDM6K_XX
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_BEEP\XX_ZTEUSBMDM6K_XX
    Service: ZTEusbmdm6k
    .
    ==== System Restore Points ===================
    .
    RP431: 3/18/2012 8:41:40 AM - System Checkpoint
    RP432: 3/20/2012 8:33:21 AM - System Checkpoint
    RP433: 3/21/2012 9:07:10 AM - System Checkpoint
    RP434: 3/22/2012 12:48:03 PM - System Checkpoint
    RP435: 3/23/2012 1:02:44 PM - System Checkpoint
    RP436: 3/24/2012 1:26:44 PM - System Checkpoint
    RP437: 3/25/2012 1:26:56 PM - System Checkpoint
    RP438: 3/27/2012 5:58:11 AM - System Checkpoint
    RP439: 3/28/2012 8:45:41 AM - System Checkpoint
    RP440: 3/29/2012 11:31:11 AM - System Checkpoint
    RP441: 3/30/2012 9:53:21 PM - System Checkpoint
    RP442: 3/31/2012 10:59:28 PM - System Checkpoint
    RP443: 4/2/2012 9:13:16 AM - System Checkpoint
    RP444: 4/3/2012 12:30:56 PM - System Checkpoint
    RP445: 4/4/2012 9:34:08 AM - Removed AVG 2012
    RP446: 4/7/2012 5:07:06 AM - Removed AVG 2012
    RP447: 4/7/2012 5:07:56 AM - Removed AVG 2012
    RP448: 4/7/2012 6:00:31 AM - Installed AVG 2012
    RP449: 4/7/2012 6:00:57 AM - Installed AVG 2012
    RP450: 4/8/2012 8:14:01 AM - Removed AVG 2012
    RP451: 4/9/2012 8:27:18 AM - System Checkpoint
    RP452: 4/10/2012 9:04:07 AM - System Checkpoint
    RP453: 4/11/2012 2:17:01 PM - OTL Restore Point - 4/11/2012 2:16:59 PM
    .
    ==== Installed Programs ======================
    .
    µTorrent
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Any Video Converter 3.3.5
    Any Video Converter Ultimate 4.3.3
    AVG 2012
    Belkin 11Mbps Wireless Desktop Network Card
    BS.Player FREE
    BSPlayer
    DivX Setup
    Dream Video Converter Ultimate 3.8.5
    FLV Player
    Foxit Reader 5.1
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB981793)
    Java Auto Updater
    Java(TM) 6 Update 29
    Java(TM) 7 Update 2
    JumpStart PreSchool v1.4
    K-Lite Mega Codec Pack 7.7.0
    Malwarebytes Anti-Malware version 1.61.0.1400
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox 11.0 (x86 en-US)
    PicPerk 7.0
    PS3 Media Server
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB944338-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981350)
    Security Update for Windows XP (KB982381)
    Trojan Guarder Gold Version 8.22
    Update for Windows XP (KB898461)
    Update for Windows XP (KB911164)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC80CRTRedist - 8.0.50727.6195
    VLC media player 1.1.11
    WebFldrs XP
    Windows Installer 3.1 (KB893803)
    WinRAR 4.01 (32-bit)
    Xross Media Simulator 1.0
    Xvid MPEG-4 Video Codec
    .
    ==== Event Viewer Messages From Past Week ========
    .
    4/7/2012 5:10:50 AM, error: Service Control Manager [7023] - The Xcomm service terminated with the following error: The specified module could not be found.
    4/7/2012 5:10:50 AM, error: Service Control Manager [7023] - The Tavsvc service terminated with the following error: The specified module could not be found.
    4/7/2012 4:53:43 AM, error: Service Control Manager [7023] - The Tavsvc service terminated with the following error: Access is denied.
    4/7/2012 4:52:08 AM, error: Service Control Manager [7023] - The Xcomm service terminated with the following error: Access is denied.
    4/7/2012 4:52:08 AM, error: Service Control Manager [7023] - The Useraccess service terminated with the following error: The specified module could not be found.
    4/7/2012 4:52:08 AM, error: Service Control Manager [7023] - The S616mgmt service terminated with the following error: The specified module could not be found.
    4/7/2012 4:52:08 AM, error: Service Control Manager [7023] - The Rpaservice service terminated with the following error: The specified module could not be found.
    4/7/2012 4:52:08 AM, error: Service Control Manager [7023] - The Pdiddcci service terminated with the following error: The specified module could not be found.
    4/7/2012 4:52:08 AM, error: Service Control Manager [7023] - The OdysseyIM3 service terminated with the following error: The specified module could not be found.
    4/7/2012 4:52:08 AM, error: Service Control Manager [7023] - The Netsvc service terminated with the following error: The specified module could not be found.
    4/7/2012 4:52:08 AM, error: Service Control Manager [7023] - The Lirsgt service terminated with the following error: The specified module could not be found.
    4/7/2012 4:52:08 AM, error: Service Control Manager [7023] - The Gearaspiwdm service terminated with the following error: The specified module could not be found.
    4/7/2012 4:35:59 AM, error: Service Control Manager [7023] - The Lirsgt service terminated with the following error: Access is denied.
    4/7/2012 4:20:59 AM, error: Service Control Manager [7023] - The Useraccess service terminated with the following error: Access is denied.
    4/7/2012 4:06:02 AM, error: Service Control Manager [7023] - The Netsvc service terminated with the following error: Access is denied.
    4/7/2012 3:50:59 AM, error: Service Control Manager [7023] - The OdysseyIM3 service terminated with the following error: Access is denied.
    4/7/2012 3:35:59 AM, error: Service Control Manager [7023] - The Gearaspiwdm service terminated with the following error: Access is denied.
    4/7/2012 3:20:58 AM, error: Service Control Manager [7023] - The Pdiddcci service terminated with the following error: Access is denied.
    4/7/2012 3:05:58 AM, error: Service Control Manager [7023] - The Rpaservice service terminated with the following error: Access is denied.
    4/7/2012 3:05:22 AM, error: Service Control Manager [7023] - The Sandradatasrv service terminated with the following error: The specified module could not be found.
    4/7/2012 3:05:22 AM, error: Service Control Manager [7023] - The S616mgmt service terminated with the following error: Access is denied.
    4/7/2012 3:05:22 AM, error: Service Control Manager [7023] - The Pserve service terminated with the following error: The specified module could not be found.
    4/7/2012 3:05:22 AM, error: Service Control Manager [7023] - The Lmab_device service terminated with the following error: The specified module could not be found.
    4/7/2012 3:05:22 AM, error: Service Control Manager [7023] - The Dnserver32 service terminated with the following error: The specified module could not be found.
    4/6/2012 9:52:33 AM, error: Service Control Manager [7023] - The Msvad_simple service terminated with the following error: Access is denied.
    4/6/2012 9:49:58 AM, error: Service Control Manager [7023] - The Slssvc service terminated with the following error: Access is denied.
    4/6/2012 9:33:52 AM, error: Service Control Manager [7023] - The Wdm_au8820 service terminated with the following error: Access is denied.
    4/6/2012 9:18:53 AM, error: Service Control Manager [7023] - The OneCareMP service terminated with the following error: Access is denied.
    4/6/2012 9:03:52 AM, error: Service Control Manager [7023] - The Cmigameport service terminated with the following error: Access is denied.
    4/6/2012 8:48:52 AM, error: Service Control Manager [7023] - The Ktp service terminated with the following error: Access is denied.
    4/6/2012 8:33:52 AM, error: Service Control Manager [7023] - The Nvmd service terminated with the following error: Access is denied.
    4/6/2012 8:18:52 AM, error: Service Control Manager [7023] - The Om518p service terminated with the following error: Access is denied.
    4/6/2012 8:03:52 AM, error: Service Control Manager [7023] - The Procmon10 service terminated with the following error: Access is denied.
    4/6/2012 7:48:52 AM, error: Service Control Manager [7023] - The S716obex service terminated with the following error: Access is denied.
    4/6/2012 7:33:52 AM, error: Service Control Manager [7023] - The TMBUS service terminated with the following error: Access is denied.
    4/6/2012 7:18:52 AM, error: Service Control Manager [7023] - The Oracleoradb10g_home1isql*plus service terminated with the following error: Access is denied.
    4/6/2012 7:03:52 AM, error: Service Control Manager [7023] - The Iolo_srv service terminated with the following error: Access is denied.
    4/6/2012 6:48:53 AM, error: Service Control Manager [7023] - The Soma service terminated with the following error: Access is denied.
    4/6/2012 6:33:54 AM, error: Service Control Manager [7023] - The Ccalib8 service terminated with the following error: Access is denied.
    4/6/2012 6:20:35 PM, error: Service Control Manager [7023] - The Lmab_device service terminated with the following error: Access is denied.
    4/6/2012 6:18:51 AM, error: Service Control Manager [7023] - The WBHWDOCT service terminated with the following error: Access is denied.
    4/6/2012 6:17:15 AM, error: Service Control Manager [7023] - The Profos service terminated with the following error: Access is denied.
    4/6/2012 6:05:35 PM, error: Service Control Manager [7023] - The Sandradatasrv service terminated with the following error: Access is denied.
    4/6/2012 5:50:35 PM, error: Service Control Manager [7023] - The Pserve service terminated with the following error: Access is denied.
    4/6/2012 5:49:36 PM, error: Service Control Manager [7023] - The Dnserver32 service terminated with the following error: Access is denied.
    4/6/2012 5:39:00 PM, error: Service Control Manager [7023] - The InterBaseServer service terminated with the following error: The specified module could not be found.
    4/6/2012 5:39:00 PM, error: Service Control Manager [7023] - The Houdiniserver service terminated with the following error: The specified module could not be found.
    4/6/2012 5:39:00 PM, error: Service Control Manager [7023] - The Ghostsec service terminated with the following error: The specified module could not be found.
    4/6/2012 5:39:00 PM, error: Service Control Manager [7023] - The AtcL002 service terminated with the following error: The specified module could not be found.
    4/6/2012 5:36:06 PM, error: Service Control Manager [7023] - The Houdiniserver service terminated with the following error: Access is denied.
    4/6/2012 5:21:06 PM, error: Service Control Manager [7023] - The Ghostsec service terminated with the following error: Access is denied.
    4/6/2012 5:06:06 PM, error: Service Control Manager [7023] - The AtcL002 service terminated with the following error: Access is denied.
    4/6/2012 5:05:06 PM, error: Service Control Manager [7023] - The InterBaseServer service terminated with the following error: Access is denied.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The XDva004 service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Wsearch service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Wdm_au8820 service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The WBHWDOCT service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Vetfddnt service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Tmesrv3 service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Tme3srv service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Tmcomm service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Tdsmapi service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Tappsrv service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Ssfs0509 service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The SlWdmSup service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Slssvc service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Sleepy service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Sigfilt service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Se58mdm service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The SANDRA service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The ROB_A service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Rdpdd service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Profos service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Pnmsrv service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Plsremotesvc service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Pdlncfwk service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The P2pimsvc service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Oracleoradb10g_home1isql*plus service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The N3900 service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Msvad_simple service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Msdv service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Modemcsa service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Mksupdateint service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Mctskshd.exe service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Mcafeeframework service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The MaRdPnp service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Lyncusbserv service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Lxcr_device service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The License service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Lfsfilt service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The KMWDFilter service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Isdrv120 service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Iolo_srv service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The IntelC53 service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Inotask service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The HSFHWICH service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Help and Support service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Ha10kx2k service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Gtndis5 service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The EhttpSrv service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Dvd43llh service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The DcFpoint service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Dbustrcm service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Db2governor service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Ctxcpuusync service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Ccalib8 service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Btwdndis service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The BASFND service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Axsnmsvc service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The ATMsrvc service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Aracpi service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Adiusbaw service terminated with the following error: The specified module could not be found.
    4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The {834170a7-af3b-4d34-a757-e05eb29ee96d} service terminated with the following error: The specified module could not be found.
    4/6/2012 4:51:35 PM, error: Service Control Manager [7023] - The EhttpSrv service terminated with the following error: Access is denied.
    4/6/2012 4:36:35 PM, error: Service Control Manager [7023] - The Mcafeeframework service terminated with the following error: Access is denied.
    4/6/2012 4:26:34 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    4/6/2012 4:21:35 PM, error: Service Control Manager [7023] - The SlWdmSup service terminated with the following error: Access is denied.
    4/6/2012 4:06:35 PM, error: Service Control Manager [7023] - The Db2governor service terminated with the following error: Access is denied.
    4/6/2012 3:51:35 PM, error: Service Control Manager [7023] - The Sleepy service terminated with the following error: Access is denied.
    4/6/2012 3:36:35 PM, error: Service Control Manager [7023] - The Inotask service terminated with the following error: Access is denied.
    4/6/2012 3:35:35 PM, error: Service Control Manager [7023] - The Dbustrcm service terminated with the following error: Access is denied.
    4/6/2012 3:27:32 PM, error: Service Control Manager [7023] - The Tosrfec service terminated with the following error: The specified module could not be found.
    4/6/2012 3:27:32 PM, error: Service Control Manager [7023] - The TMBUS service terminated with the following error: The specified module could not be found.
    4/6/2012 3:27:32 PM, error: Service Control Manager [7023] - The Tfsnopio service terminated with the following error: The specified module could not be found.
    4/6/2012 3:27:32 PM, error: Service Control Manager [7023] - The Soma service terminated with the following error: The specified module could not be found.
    4/6/2012 3:27:32 PM, error: Service Control Manager [7023] - The Servicelayer service terminated with the following error: The specified module could not be found.
    4/6/2012 3:27:32 PM, error: Service Control Manager [7023] - The PCASp50 service terminated with the following error: The specified module could not be found.
    4/6/2012 3:27:32 PM, error: Service Control Manager [7023] - The O2flash service terminated with the following error: The specified module could not be found.
    4/6/2012 3:27:32 PM, error: Service Control Manager [7023] - The NOWMEMDF service terminated with the following error: The specified module could not be found.
    4/6/2012 3:27:32 PM, error: Service Control Manager [7023] - The Acprfmgrsvc service terminated with the following error: The specified module could not be found.
    4/6/2012 3:22:06 PM, error: Service Control Manager [7023] - The Sigfilt service terminated with the following error: Access is denied.
    4/6/2012 3:07:04 PM, error: Service Control Manager [7023] - The Adiusbaw service terminated with the following error: Access is denied.
    4/6/2012 2:52:04 PM, error: Service Control Manager [7023] - The Pdlncfwk service terminated with the following error: Access is denied.
    4/6/2012 2:37:04 PM, error: Service Control Manager [7023] - The IntelC53 service terminated with the following error: Access is denied.
    4/6/2012 2:22:04 PM, error: Service Control Manager [7023] - The HSFHWICH service terminated with the following error: Access is denied.
    4/6/2012 2:07:04 PM, error: Service Control Manager [7023] - The Msdv service terminated with the following error: Access is denied.
    4/6/2012 12:52:04 PM, error: Service Control Manager [7023] - The Tfsnopio service terminated with the following error: Access is denied.
    4/6/2012 12:37:04 PM, error: Service Control Manager [7023] - The ATMsrvc service terminated with the following error: Access is denied.
    4/6/2012 12:22:04 PM, error: Service Control Manager [7023] - The Tosrfec service terminated with the following error: Access is denied.
    4/6/2012 12:07:04 PM, error: Service Control Manager [7023] - The XDva004 service terminated with the following error: Access is denied.
    4/6/2012 11:52:04 AM, error: Service Control Manager [7023] - The Acprfmgrsvc service terminated with the following error: Access is denied.
    4/6/2012 11:37:03 AM, error: Service Control Manager [7023] - The Wsearch service terminated with the following error: Access is denied.
    4/6/2012 11:22:04 AM, error: Service Control Manager [7023] - The NOWMEMDF service terminated with the following error: Access is denied.
    4/6/2012 11:07:03 AM, error: Service Control Manager [7023] - The PCASp50 service terminated with the following error: Access is denied.
    4/6/2012 10:52:04 AM, error: Service Control Manager [7023] - The O2flash service terminated with the following error: Access is denied.
    4/6/2012 10:51:04 AM, error: Service Control Manager [7023] - The Modemcsa service terminated with the following error: Access is denied.
    4/6/2012 10:37:34 AM, error: Service Control Manager [7023] - The N3900 service terminated with the following error: Access is denied.
    4/6/2012 10:22:33 AM, error: Service Control Manager [7023] - The ROB_A service terminated with the following error: Access is denied.
    4/6/2012 10:07:33 AM, error: Service Control Manager [7023] - The Mksupdateint service terminated with the following error: Access is denied.
    4/6/2012 1:52:04 PM, error: Service Control Manager [7023] - The Servicelayer service terminated with the following error: Access is denied.
    4/6/2012 1:37:04 PM, error: Service Control Manager [7023] - The Se58mdm service terminated with the following error: Access is denied.
    4/6/2012 1:22:04 PM, error: Service Control Manager [7023] - The Rdpdd service terminated with the following error: Access is denied.
    4/6/2012 1:07:04 PM, error: Service Control Manager [7023] - The Lyncusbserv service terminated with the following error: Access is denied.
    4/5/2012 5:50:50 AM, error: Service Control Manager [7023] - The Pnmsrv service terminated with the following error: Access is denied.
    4/5/2012 5:39:15 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    4/5/2012 5:21:20 AM, error: Service Control Manager [7023] - The KMWDFilter service terminated with the following error: Access is denied.
    4/5/2012 5:06:20 AM, error: Service Control Manager [7023] - The Aracpi service terminated with the following error: Access is denied.
    4/5/2012 5:05:20 AM, error: Service Control Manager [7023] - The Tdsmapi service terminated with the following error: Access is denied.
    4/5/2012 4:22:49 AM, error: Service Control Manager [7023] - The Tmcomm service terminated with the following error: Access is denied.
    4/5/2012 4:21:49 AM, error: Service Control Manager [7023] - The BASFND service terminated with the following error: Access is denied.
    4/5/2012 4:17:49 AM, error: Service Control Manager [7023] - The Lfsfilt service terminated with the following error: Access is denied.
    4/5/2012 2:25:25 PM, error: Service Control Manager [7023] - The Btwdndis service terminated with the following error: Access is denied.
    4/5/2012 2:10:25 PM, error: Service Control Manager [7023] - The Plsremotesvc service terminated with the following error: Access is denied.
    4/5/2012 12:54:23 PM, error: Service Control Manager [7023] - The Gtndis5 service terminated with the following error: Access is denied.
    4/5/2012 12:39:23 PM, error: Service Control Manager [7023] - The License service terminated with the following error: Access is denied.
    4/5/2012 12:24:23 PM, error: Service Control Manager [7023] - The Axsnmsvc service terminated with the following error: Access is denied.
    4/5/2012 12:09:23 PM, error: Service Control Manager [7023] - The Mctskshd.exe service terminated with the following error: Access is denied.
    4/5/2012 11:54:23 AM, error: Service Control Manager [7023] - The Lxcr_device service terminated with the following error: Access is denied.
    4/5/2012 11:39:23 AM, error: Service Control Manager [7023] - The Ssfs0509 service terminated with the following error: Access is denied.
    4/5/2012 11:24:23 AM, error: Service Control Manager [7023] - The MaRdPnp service terminated with the following error: Access is denied.
    4/5/2012 11:09:23 AM, error: Service Control Manager [7023] - The {834170a7-af3b-4d34-a757-e05eb29ee96d} service terminated with the following error: Access is denied.
    4/5/2012 10:54:22 AM, error: Service Control Manager [7023] - The Dvd43llh service terminated with the following error: Access is denied.
    4/5/2012 10:39:22 AM, error: Service Control Manager [7023] - The Tme3srv service terminated with the following error: Access is denied.
    4/5/2012 10:24:21 AM, error: Service Control Manager [7023] - The Ha10kx2k service terminated with the following error: Access is denied.
    4/5/2012 10:23:22 AM, error: Service Control Manager [7023] - The Isdrv120 service terminated with the following error: Access is denied.
    4/5/2012 1:55:25 PM, error: Service Control Manager [7023] - The Tmesrv3 service terminated with the following error: Access is denied.
    4/5/2012 1:54:25 PM, error: Service Control Manager [7023] - The SANDRA service terminated with the following error: Access is denied.
    4/5/2012 1:40:54 PM, error: Service Control Manager [7023] - The P2pimsvc service terminated with the following error: Access is denied.
    4/5/2012 1:23:53 PM, error: Service Control Manager [7023] - The Ctxcpuusync service terminated with the following error: Access is denied.
    4/5/2012 1:22:55 PM, error: Service Control Manager [7023] - The Tappsrv service terminated with the following error: Access is denied.
    4/5/2012 1:09:23 PM, error: Service Control Manager [7023] - The DcFpoint service terminated with the following error: Access is denied.
    .
    ==== End Of File ===========================
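The Event Viewer excerpt above is easier to triage mechanically than by eye: the Service Control Manager 7023 entries fall into two shapes, single services failing with "Access is denied" at roughly 15-minute intervals, and large bursts of distinct services failing with "The specified module could not be found" in the same second. The following parser is an added example, not part of this thread or of any tool mentioned in it; it embeds a constructed excerpt of the lines above as sample input, groups the 7023 errors by service, and flags both the same-second bursts and the services that logged both error kinds. Names such as `parse_events` and `failure_bursts` are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a short excerpt of the Event Viewer lines in the post above.
# The full log has roughly sixty distinct services failing in the 4:54:47 PM burst.
SAMPLE_LOG = """\
4/6/2012 5:39:00 PM, error: Service Control Manager [7023] - The Houdiniserver service terminated with the following error: The specified module could not be found.
4/6/2012 5:39:00 PM, error: Service Control Manager [7023] - The Ghostsec service terminated with the following error: The specified module could not be found.
4/6/2012 5:36:06 PM, error: Service Control Manager [7023] - The Houdiniserver service terminated with the following error: Access is denied.
4/6/2012 5:21:06 PM, error: Service Control Manager [7023] - The Ghostsec service terminated with the following error: Access is denied.
4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The XDva004 service terminated with the following error: The specified module could not be found.
4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Wsearch service terminated with the following error: The specified module could not be found.
4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Wdm_au8820 service terminated with the following error: The specified module could not be found.
4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The WBHWDOCT service terminated with the following error: The specified module could not be found.
4/6/2012 4:54:47 PM, error: Service Control Manager [7023] - The Vetfddnt service terminated with the following error: The specified module could not be found.
4/6/2012 4:26:34 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
4/5/2012 5:39:15 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
"""

# Line shape: "<date> <time>, <level>: <source> [<event id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)
# Message body of Service Control Manager event 7023
SCM_7023_RE = re.compile(
    r"^The (?P<service>.+?) service terminated with the following error: (?P<error>.+?)\.?$"
)
SCM = "Service Control Manager"


def parse_events(text):
    """Parse Event Viewer export lines into dicts; lines in any other format are skipped."""
    events = []
    for raw in text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["event_id"] = int(ev["event_id"])
        ev["when"] = datetime.strptime(ev["when"], "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return events


def iter_scm_7023(events):
    """Yield (timestamp, service, error) for each Service Control Manager 7023 event."""
    for ev in events:
        if ev["source"] != SCM or ev["event_id"] != 7023:
            continue
        m = SCM_7023_RE.match(ev["message"])
        if m:
            yield ev["when"], m["service"], m["error"]


def failures_by_service(events):
    """Map service name -> set of distinct error strings it terminated with."""
    failures = defaultdict(set)
    for _, service, error in iter_scm_7023(events):
        failures[service].add(error)
    return dict(failures)


def failure_bursts(events, min_services=5):
    """Timestamps at which at least min_services distinct services logged 7023 in the same second."""
    per_second = defaultdict(set)
    for when, service, _ in iter_scm_7023(events):
        per_second[when].add(service)
    return sorted(ts for ts, names in per_second.items() if len(names) >= min_services)


def two_error_services(failures):
    """Services that logged both 'Access is denied' and 'module could not be found'."""
    return sorted(
        name for name, errors in failures.items()
        if "Access is denied" in errors
        and "The specified module could not be found" in errors
    )


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    fails = failures_by_service(evs)
    print(f"{len(evs)} events parsed, {len(fails)} services with 7023 errors")
    for ts in failure_bursts(evs):
        print("same-second burst at", ts)
    print("services with both error kinds:", two_error_services(fails))
```

Run against the full log rather than the excerpt, `failure_bursts` picks out the 4:54:47 PM and 3:27:32 PM groups, and `two_error_services` returns most of the service names in the post, since nearly every one appears once with "Access is denied" and again in a burst. The `sr [1]` System Restore line is parsed but ignored by the 7023 helpers, which is the intended behaviour for an export that mixes sources.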
     
  6. bobobill

    bobobill TS Rookie Topic Starter Posts: 28

    so far everything seems to be running fine AVG is not popping up and i'm not getting redirected when i use google.
     
  7. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Good, but we need to make sure nothing is hiding...

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    =================================================================

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  8. bobobill

    bobobill TS Rookie Topic Starter Posts: 28

    aswMBR

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-04-11 23:50:51
    -----------------------------
    23:50:51.187 OS Version: Windows 5.1.2600 Service Pack 2
    23:50:51.187 Number of processors: 2 586 0x409
    23:50:51.187 ComputerName: CNCS-AC20E5539A UserName: ecp
    23:50:51.546 Initialize success
    23:56:55.859 AVAST engine defs: 12041101
    23:57:14.578 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
    23:57:14.593 Disk 0 Vendor: ST380819AS 3.04 Size: 76319MB BusType: 3
    23:57:14.703 Disk 0 MBR read successfully
    23:57:14.718 Disk 0 MBR scan
    23:57:14.781 Disk 0 Windows XP default MBR code
    23:57:14.796 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76308 MB offset 63
    23:57:14.843 Disk 0 scanning sectors +156280320
    23:57:14.953 Disk 0 scanning C:\WINDOWS\system32\drivers
    23:57:23.843 Service scanning
    23:57:37.125 Modules scanning
    23:57:41.640 Disk 0 trace - called modules:
    23:57:41.703 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
    23:57:41.718 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89effab8]
    23:57:41.734 3 CLASSPNP.SYS[f763805b] -> nt!IofCallDriver -> \Device\0000006b[0x89f033b8]
    23:57:41.781 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x89f01940]
    23:57:42.234 AVAST engine scan C:\WINDOWS
    23:57:48.781 AVAST engine scan C:\WINDOWS\system32
    23:59:35.000 AVAST engine scan C:\WINDOWS\system32\drivers
    23:59:47.078 AVAST engine scan C:\Documents and Settings\ecp
    00:07:55.031 AVAST engine scan C:\Documents and Settings\All Users
    00:08:35.984 Scan finished successfully
    00:09:38.375 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\ecp\Desktop\MBR.dat"
    00:09:38.390 The log file has been saved successfully to "C:\Documents and Settings\ecp\Desktop\aswMBR.txt"


    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 2 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
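Both tool outputs above reduce to a few facts about the first 512 bytes of the disk: the 0x55AA signature is present, partition 1 is active (0x80), type 0x07 NTFS, 76308 MB at offset 63, and a hash of the boot sector is recorded so it can be compared on later runs. The following is an added example, not code from aswMBR, Bootkit Remover or this thread: it builds a constructed MBR with that geometry (the boot code bytes are a placeholder of my choosing), parses the partition table the way the tools report it, and compares the boot code against a recorded baseline hash. Whether Bootkit Remover's "Boot sector MD5" covers the whole sector or only the code area is not stated on the page, so both hashes are computed; the function names are my own.

```python
import hashlib
import struct

SECTOR = 512
PARTITION_TABLE = 446        # offset of the four 16-byte partition entries
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"
PARTITION_TYPES = {0x05: "Extended", 0x07: "HPFS/NTFS", 0x0b: "FAT32",
                   0x0c: "FAT32 LBA", 0x0f: "Extended LBA", 0x83: "Linux"}


def build_sample_mbr(start_lba=63, size_mb=76308,
                     boot_code=b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0"):
    """Constructed 512-byte MBR: placeholder boot code (an assumption, not real
    XP code), one active NTFS partition with the geometry aswMBR reported, 0x55AA."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    sectors = size_mb * 1024 * 1024 // SECTOR
    mbr[PARTITION_TABLE:PARTITION_TABLE + 16] = struct.pack(
        ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", start_lba, sectors)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


def parse_mbr(sector):
    """Return signature status, hashes and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue                       # unused entry
        partitions.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "start_lba": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "boot_code_md5": boot_code_md5(sector),
        "sector_md5": hashlib.md5(sector).hexdigest(),
        "partitions": partitions,
    }


def boot_code_md5(sector):
    """Fingerprint of the code area only, so partition-table edits do not change it."""
    return hashlib.md5(sector[:PARTITION_TABLE]).hexdigest()


def boot_code_tampered(sector, baseline_md5):
    """True if the boot code no longer matches a hash recorded on an earlier, trusted run."""
    return boot_code_md5(sector) != baseline_md5


def describe(sector):
    """One line per partition in roughly the layout aswMBR prints."""
    info = parse_mbr(sector)
    lines = [f"signature {'OK' if info['signature_ok'] else 'MISSING'}, "
             f"boot code md5 {info['boot_code_md5']}"]
    for p in info["partitions"]:
        flag = "80 (A)" if p["active"] else "00"
        lines.append(f"Partition {p['index']} {flag} {p['type']:02X} "
                     f"{p['type_name']} {p['size_mb']} MB offset {p['start_lba']}")
    return lines


if __name__ == "__main__":
    sample = build_sample_mbr()
    baseline = boot_code_md5(sample)          # record this on a known-clean run
    print("\n".join(describe(sample)))
    altered = bytearray(sample)
    altered[0] ^= 0xFF                       # simulate a one-byte change in the code area
    print("tampered:", boot_code_tampered(bytes(altered), baseline))
```

The point of hashing the code area separately is that a legitimate partitioning change alters the table but not the boot code, while a modified MBR changes the code and leaves the table intact; keeping a baseline from a clean run, as Bootkit Remover's MBR.dat-style copy does, is what makes the later comparison meaningful.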
     
  9. bobobill

    bobobill TS Rookie Topic Starter Posts: 28

so far pc runs good but i'm still getting redirected on google
     
  10. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  11. bobobill

    bobobill TS Rookie Topic Starter Posts: 28

    i uninstalled avg before i ran combofix and it still says it was running. here is the log; if i need to do it again let me know

    ComboFix 12-04-13.01 - ecp 04/13/2012 10:13:54.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2551.2276 [GMT -7:00]
    Running from: c:\documents and settings\ecp\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\ipconfig.txt
    .
    ---- Previous Run -------
    .
    c:\documents and settings\ecp\Application Data\dplaysvr.exe
    c:\documents and settings\NetworkService\Application Data\Adobe\sp.DLL
    C:\ipconfig.txt
    c:\windows\system32\ccflic0.dll
    c:\windows\system32\dds_trash_log.cmd
    c:\windows\system32\roxmediadb9.dll
    c:\windows\system32\se45mdfl.dll
    c:\windows\system32\sisagp.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_A88XENC
    -------\Legacy_DNWHODISP
    -------\Legacy_IAIMTV0
    -------\Legacy_ZTEUSBMDM6K
    -------\Service_A88xEnc
    -------\Service_dnwhodisp
    -------\Service_iaimtv0
    -------\Service_SPService
    -------\Service_ZTEusbmdm6k
    -------\Legacy_A88XENC
    -------\Legacy_DNWHODISP
    -------\Legacy_IAIMTV0
    -------\Legacy_ZTEUSBMDM6K
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-13 to 2012-04-13 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-11 23:59 . 2012-04-11 23:59 -------- d-----w- c:\documents and settings\ecp\Application Data\Malwarebytes
    2012-04-11 23:58 . 2012-04-11 23:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-04-11 23:58 . 2012-04-11 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-04-11 23:58 . 2012-04-04 22:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-11 18:29 . 2012-04-11 18:29 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-04-07 12:17 . 2006-02-28 12:00 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys
    2012-04-06 14:40 . 2012-04-12 00:23 -------- d-----w- c:\program files\Trojan Guarder Gold Version
    2012-04-05 13:22 . 2012-04-05 13:22 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-04-05 13:03 . 2012-04-05 13:03 -------- d-s---w- c:\documents and settings\NetworkService\UserData
    2012-04-05 12:59 . 2012-04-05 12:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Sun
    2012-03-18 12:19 . 2012-03-18 12:19 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
    2012-03-18 12:19 . 2012-03-18 12:19 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-11 18:30 . 2006-02-28 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2012-04-05 13:22 . 2011-08-31 02:16 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-02-04 14:35 . 2012-02-04 14:35 637848 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-02-04 14:35 . 2011-10-26 12:01 567184 ----a-w- c:\windows\system32\deployJava1.dll
    2012-02-04 14:35 . 2011-10-26 12:01 141312 ----a-w- c:\windows\system32\javacpl.cpl
    2012-03-18 12:19 . 2011-08-31 02:50 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-04-07_12.32.39 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-04-13 17:20 . 2012-04-13 17:20 16384 c:\windows\Temp\Perflib_Perfdata_70c.dat
    + 2006-02-28 12:00 . 2012-04-13 17:22 39992 c:\windows\system32\perfc009.dat
    - 2006-02-28 12:00 . 2012-04-07 12:22 39992 c:\windows\system32\perfc009.dat
    + 2006-02-28 12:00 . 2012-04-13 17:22 311604 c:\windows\system32\perfh009.dat
    - 2006-02-28 12:00 . 2012-04-07 12:22 311604 c:\windows\system32\perfh009.dat
    + 2012-04-11 16:17 . 2012-04-11 16:17 5138944 c:\windows\Installer\52324c.msi
    + 2012-04-07 13:02 . 2012-04-07 13:02 5136896 c:\windows\Installer\1a2713.msi
    + 2012-04-08 15:13 . 2012-04-08 15:13 2208768 c:\windows\Installer\107140b.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-03-03 740216]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2004-02-26 65024]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-09-30 252296]
    "ExpressFiles"="c:\program files\ExpressFiles\ExpressFiles.exe" [2012-02-06 424568]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2006-02-28 53760]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Belkin 11Mbps Wireless Desktop Network Card Monitor.lnk - c:\windows\system32\BelkinMonitor.exe [2011-8-30 372736]
    Billeo.lnk - c:\qoobox\Quarantine\C\Program Files\Billeo\billeo.exe.vir [2011-10-19 1490768]
    Trojan Guarder Gold Version.lnk - c:\program files\Trojan Guarder Gold Version\Trojan Guarder.exe [2012-4-6 713728]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\Program Files\\Java\\jre7\\bin\\javaw.exe"=
    "c:\\Program Files\\ExpressFiles\\ExpressFiles.exe"=
    "c:\\Program Files\\ExpressFiles\\ExpressDL.exe"=
    "c:\\Documents and Settings\\ecp\\My Documents\\Downloads\\uTorrent(1).exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    .
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/11/2012 4:58 PM 654408]
    R3 anvsnddrv;AnvSoft Virtual Sound Device;c:\windows\system32\drivers\anvsnddrv.sys [2/4/2012 7:17 AM 32896]
    R3 BEL6001P;Belkin 11Mbps Wireless Desktop Adapter (F5D6001 V.2);c:\windows\system32\drivers\BEL6001P.sys [8/30/2011 7:22 PM 78720]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/11/2012 4:58 PM 22344]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/5/2012 6:22 AM 253600]
    S3 pcand5bk;PCAND5BK PCANDIS5 Protocol Driver;c:\windows\system32\PCAND5BK.SYS [8/30/2011 7:22 PM 15104]
    .
    NETSVCS REQUIRES REPAIRS - current entries shown
    6to4
    AppMgmt
    AudioSrv
    Browser
    CryptSvc
    DMServer
    DHCP
    ERSvc
    EventSystem
    FastUserSwitchingCompatibility
    HidServ
    Ias
    Iprip
    Irmon
    LanmanServer
    LanmanWorkstation
    Messenger
    Netman
    Nla
    Ntmssvc
    NWCWorkstation
    Nwsapagent
    oracleorahome92pagingserver
    iAimFP5
    AN983
    hmonitor
    aamqdispatcher
    patrol_scheduler
    tnbrlds
    rwbackupsrv
    ipsraidn
    SED133x
    p17
    unrealircd
    NIPALK
    se44nd5
    RTL8023xp
    dktknsrv
    mscsptisrv
    w800mgmt
    citrixxteserver
    dkeysync
    se2Bnd5
    dot4ufd
    mgisvr
    co_mon
    w22n51
    ypcservice
    atinrvxx
    psasrv
    issvc
    G400DH
    NetMsmqActivator
    appnnode
    AmdIde
    qcmerced
    aclient
    DivisCTS
    w550bus
    es1371
    incdfs
    win32sl
    amfilter
    bthidenum
    backupexecnamingservice
    pnmsrv
    sonicatheaterinstallerservice
    SymIM
    dtscsi
    ageremodemaudio
    ZDPSp50
    W8100PCI
    DSI_SiUSBXp_3_1
    ql2100
    kbfiltr
    db2remotecmd
    nvlddmkm
    zntport
    TOSHIBASoftModem
    ATNT40K
    ksthunk
    guardian2
    pinnaclesys.mediaserver
    CAM1210
    L6POD
    nvnetbus
    z525mgmt
    se58bus
    rpcnet
    s117nd5
    MXOFX
    mod7700
    arc
    wdm_au8820
    NxFsMon
    websensecamreportserver
    wusb54gv2svc
    wpdusb
    ZD1211BU(ZyDAS)
    w810mdm
    pdlndint
    sandboxu
    vet-filt
    USBModem
    pptchpad
    ha10kx2k
    MSW_USB
    EL90X
    w800mdfl
    sifilter
    s117bus
    savrt
    adpu320
    AVerTV
    BVRPMPR5
    mfesmfk
    nsm1serd
    tcpip6
    jsdaemon
    pavagente
    omniserv
    comhost
    toscosrv
    sysmgmthp
    Rasauto
    Rasman
    Remoteaccess
    Schedule
    Seclogon
    SENS
    Sharedaccess
    SRService
    Tapisrv
    Themes
    TrkWks
    W32Time
    WZCSVC
    Wmi
    WmdmPmSp
    winmgmt
    wscsvc
    xmlprov
    BITS
    wuauserv
    ShellHWDetection
    helpsvc
    WmdmPmSN
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-13 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 13:22]
    .
    2012-04-13 c:\windows\Tasks\Express Files Updater.job
    - c:\program files\ExpressFiles\EFupdater.exe [2012-02-06 10:37]
    .
    2012-04-13 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2011-09-01 05:18]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: DhcpNameServer = 192.168.2.1
    FF - ProfilePath - c:\documents and settings\ecp\Application Data\Mozilla\Firefox\Profiles\war018ks.default\
    FF - prefs.js: browser.startup.homepage - hxxp://forums.prowrestling.com/
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z192&form=ZGAADF&install_date=20110910&q=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-84839861.sys
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-13 10:21
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\SOUNDMAN.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-04-13 10:23:24 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-13 17:23
    ComboFix2.txt 2012-04-11 14:17
    ComboFix3.txt 2012-04-07 12:35
    .
    Pre-Run: 905,519,104 bytes free
    Post-Run: 1,038,659,584 bytes free
    .
    - - End Of File - - 48AAE9D98294C758C4D745CD85E8FE6A
     
  12. bobobill

    bobobill TS Rookie Topic Starter Posts: 28

  13. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    If your desktop is still empty....
    Let's see if we can recover your missing features.
    Download and run UnHide.
    Let me know if it worked.

    Then re-run aswMBR, Bootkit Remover and Combofix.
     
  14. bobobill

    bobobill TS Rookie Topic Starter Posts: 28

    UnHide worked.

    After the SmartHDD problem I downloaded Avast antivirus. I am unable to connect to the internet; I have since uninstalled it and am still unable to connect. I was able to connect before getting Avast.

    aswMBR will not run.
     
  15. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Go ahead with Bootkit Remover.
    Do NOT run Combofix yet.
     
  16. bobobill

    bobobill TS Rookie Topic Starter Posts: 28

    Ran Bootkit Remover; this is what I got:

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 2 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
     
  17. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  18. bobobill

    bobobill TS Rookie Topic Starter Posts: 28

    It won't run either.
     
  19. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Download the FixTDSS.exe

    Save the file to your Windows desktop.
    Close all running programs.
    If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
    Double-click the FixTDSS.exe file to start the removal tool.
    Click Start to begin the process, and then allow the tool to run.
    OK any security prompts.
    Restart the computer when prompted by the tool.
    After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said).
    If you are running Windows XP, re-enable System Restore.
     
  20. bobobill

    bobobill TS Rookie Topic Starter Posts: 28

    infected MBR detected

    repair succeeded
     
  21. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Good :)

    See if TDSSKiller and aswMBR will run now.
    Run TDSSKiller first.
     
  22. bobobill

    bobobill TS Rookie Topic Starter Posts: 28

    TDSSKiller worked, didn't find anything.

    Gonna try aswMBR.
     
  23. bobobill

    bobobill TS Rookie Topic Starter Posts: 28

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-04-13 20:58:28
    -----------------------------
    20:58:28.171 OS Version: Windows 5.1.2600 Service Pack 2
    20:58:28.171 Number of processors: 2 586 0x409
    20:58:28.171 ComputerName: CNCS-AC20E5539A UserName: ecp
    20:58:28.515 Initialize success
    20:58:30.906 AVAST engine download error: 0
    20:58:36.718 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
    20:58:36.734 Disk 0 Vendor: ST380819AS 3.04 Size: 76319MB BusType: 3
    20:58:36.750 Disk 0 MBR read successfully
    20:58:36.765 Disk 0 MBR scan
    20:58:36.781 Disk 0 Windows XP default MBR code
    20:58:36.796 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76308 MB offset 63
    20:58:36.812 Disk 0 scanning sectors +156280320
    20:58:36.875 Disk 0 scanning C:\WINDOWS\system32\drivers
    20:58:41.984 Service scanning
    20:58:51.437 Modules scanning
    20:58:55.578 Disk 0 trace - called modules:
    20:58:55.640 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
    20:58:55.656 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89eb6ab8]
    20:58:55.671 3 CLASSPNP.SYS[f763805b] -> nt!IofCallDriver -> \Device\00000060[0x89eb89e8]
    20:58:55.718 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x89e68d98]
    20:58:55.765 Scan finished successfully
    20:59:16.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\ecp\Desktop\MBR.dat"
    20:59:16.718 The log file has been saved successfully to "C:\Documents and Settings\ecp\Desktop\aswMBR.txt"
     
  24. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Very good :)

    Delete your Combofix file, download a new one and post a fresh log.
     
  25. bobobill

    bobobill TS Rookie Topic Starter Posts: 28

    ComboFix 12-04-13.01 - ecp 04/13/2012 21:10:32.5.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2551.2277 [GMT -7:00]
    Running from: c:\documents and settings\ecp\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\245UINHfH2bdtE
    C:\ipconfig.txt
    c:\windows\system32\dds_trash_log.cmd
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-14 to 2012-04-14 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-14 03:12 . 2012-04-14 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2012-04-14 03:12 . 2012-04-14 03:12 -------- d-----w- c:\program files\AVAST Software
    2012-04-14 02:21 . 2002-11-13 00:26 110592 ----a-w- c:\windows\system32\BelkinRes.dll
    2012-04-14 02:21 . 2002-11-12 23:46 372736 ----a-w- c:\windows\system32\BelkinMonitor.exe
    2012-04-14 02:21 . 2002-11-07 12:43 78720 ----a-w- c:\windows\system32\drivers\BEL6001P.sys
    2012-04-14 02:21 . 2002-11-02 01:32 81920 ----a-w- c:\windows\system32\install.dll
    2012-04-14 02:21 . 2002-09-20 06:34 15104 ----a-w- c:\windows\system32\PCAND5BK.SYS
    2012-04-14 02:21 . 2002-09-20 06:11 61440 ----a-w- c:\windows\system32\bkw32n50.DLL
    2012-04-14 02:21 . 2012-04-14 03:13 -------- d--h--w- c:\program files\InstallShield Installation Information
    2012-04-14 01:50 . 2012-04-14 03:09 -------- d-----w- c:\documents and settings\F5D6001
    2012-04-14 01:50 . 2012-04-14 03:09 -------- d-----w- c:\documents and settings\DATA
    2012-04-14 01:18 . 2012-04-14 03:10 -------- d-----w- C:\Belkin
    2012-04-11 23:59 . 2012-04-11 23:59 -------- d-----w- c:\documents and settings\ecp\Application Data\Malwarebytes
    2012-04-11 23:58 . 2012-04-11 23:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-04-11 23:58 . 2012-04-11 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-04-11 23:58 . 2012-04-04 22:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-11 18:29 . 2012-04-11 18:29 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-04-07 12:17 . 2006-02-28 12:00 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys
    2012-04-06 14:40 . 2012-04-12 00:23 -------- d-----w- c:\program files\Trojan Guarder Gold Version
    2012-04-05 13:22 . 2012-04-05 13:22 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-04-05 13:03 . 2012-04-05 13:03 -------- d-s---w- c:\documents and settings\NetworkService\UserData
    2012-04-05 12:59 . 2012-04-05 12:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Sun
    2012-03-18 12:19 . 2012-03-18 12:19 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
    2012-03-18 12:19 . 2012-03-18 12:19 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-11 18:30 . 2006-02-28 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2012-04-05 13:22 . 2011-08-31 02:16 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-02-04 14:35 . 2012-02-04 14:35 637848 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-02-04 14:35 . 2011-10-26 12:01 567184 ----a-w- c:\windows\system32\deployJava1.dll
    2012-02-04 14:35 . 2011-10-26 12:01 141312 ----a-w- c:\windows\system32\javacpl.cpl
    2012-03-18 12:19 . 2011-08-31 02:50 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-04-07_12.32.39 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-04-14 04:09 . 2012-04-14 04:09 16384 c:\windows\Temp\Perflib_Perfdata_7cc.dat
    + 2006-02-28 12:00 . 2012-04-14 04:13 40108 c:\windows\system32\perfc009.dat
    + 2006-02-28 12:00 . 2012-04-14 04:13 311912 c:\windows\system32\perfh009.dat
    + 2012-04-14 02:16 . 2012-04-14 02:16 262144 c:\windows\system32\config\systemprofile\NtUser.dat
    + 2012-04-14 03:07 . 2012-04-14 03:13 6061720 c:\windows\system32\Restore\rstrlog.dat
    + 2012-04-11 16:17 . 2012-04-11 16:17 5138944 c:\windows\Installer\52324c.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-03-03 740216]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2004-02-26 65024]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-09-30 252296]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2006-02-28 53760]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Belkin 11Mbps Wireless Desktop Network Card Monitor.lnk - c:\windows\system32\BelkinMonitor.exe [2012-4-13 372736]
    Billeo.lnk - c:\qoobox\Quarantine\C\Program Files\Billeo\billeo.exe.vir [2011-10-19 1490768]
    Trojan Guarder Gold Version.lnk - c:\program files\Trojan Guarder Gold Version\Trojan Guarder.exe [2012-4-6 713728]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\Program Files\\Java\\jre7\\bin\\javaw.exe"=
    "c:\\Program Files\\ExpressFiles\\ExpressFiles.exe"=
    "c:\\Program Files\\ExpressFiles\\ExpressDL.exe"=
    "c:\\Documents and Settings\\ecp\\My Documents\\Downloads\\uTorrent(1).exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    .
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/11/2012 4:58 PM 654408]
    R3 anvsnddrv;AnvSoft Virtual Sound Device;c:\windows\system32\drivers\anvsnddrv.sys [2/4/2012 7:17 AM 32896]
    R3 BEL6001P;Belkin 11Mbps Wireless Desktop Adapter (F5D6001 V.2);c:\windows\system32\drivers\BEL6001P.sys [4/13/2012 7:21 PM 78720]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/11/2012 4:58 PM 22344]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/5/2012 6:22 AM 253600]
    S3 pcand5bk;PCAND5BK PCANDIS5 Protocol Driver;c:\windows\system32\PCAND5BK.SYS [4/13/2012 7:21 PM 15104]
    .
    NETSVCS REQUIRES REPAIRS - current entries shown
    6to4
    AppMgmt
    AudioSrv
    Browser
    CryptSvc
    DMServer
    DHCP
    ERSvc
    EventSystem
    FastUserSwitchingCompatibility
    HidServ
    Ias
    Iprip
    Irmon
    LanmanServer
    LanmanWorkstation
    Messenger
    Netman
    Nla
    Ntmssvc
    NWCWorkstation
    Nwsapagent
    oracleorahome92pagingserver
    iAimFP5
    AN983
    hmonitor
    aamqdispatcher
    patrol_scheduler
    tnbrlds
    rwbackupsrv
    ipsraidn
    SED133x
    p17
    unrealircd
    NIPALK
    se44nd5
    RTL8023xp
    dktknsrv
    mscsptisrv
    w800mgmt
    citrixxteserver
    dkeysync
    se2Bnd5
    dot4ufd
    mgisvr
    co_mon
    w22n51
    ypcservice
    atinrvxx
    psasrv
    issvc
    G400DH
    NetMsmqActivator
    appnnode
    AmdIde
    qcmerced
    aclient
    DivisCTS
    w550bus
    es1371
    incdfs
    win32sl
    amfilter
    bthidenum
    backupexecnamingservice
    pnmsrv
    sonicatheaterinstallerservice
    SymIM
    dtscsi
    ageremodemaudio
    ZDPSp50
    W8100PCI
    DSI_SiUSBXp_3_1
    TPM
    smartlinkservice
    se45unic
    PhilCam8116_XP
    cccredmgr
    ql2100
    kbfiltr
    db2remotecmd
    nvlddmkm
    zntport
    TOSHIBASoftModem
    ATNT40K
    ksthunk
    guardian2
    pinnaclesys.mediaserver
    CAM1210
    L6POD
    nvnetbus
    z525mgmt
    se58bus
    rpcnet
    s117nd5
    MXOFX
    mod7700
    arc
    wdm_au8820
    NxFsMon
    websensecamreportserver
    wusb54gv2svc
    wpdusb
    ZD1211BU(ZyDAS)
    w810mdm
    pdlndint
    sandboxu
    vet-filt
    USBModem
    pptchpad
    ha10kx2k
    MSW_USB
    EL90X
    w800mdfl
    sifilter
    s117bus
    savrt
    adpu320
    AVerTV
    BVRPMPR5
    mfesmfk
    nsm1serd
    tcpip6
    jsdaemon
    pavagente
    omniserv
    comhost
    toscosrv
    sysmgmthp
    Rasauto
    Rasman
    Remoteaccess
    Schedule
    Seclogon
    SENS
    Sharedaccess
    SRService
    Tapisrv
    Themes
    TrkWks
    W32Time
    WZCSVC
    Wmi
    WmdmPmSp
    winmgmt
    wscsvc
    xmlprov
    BITS
    wuauserv
    ShellHWDetection
    helpsvc
    WmdmPmSN
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-14 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 13:22]
    .
    2012-04-14 c:\windows\Tasks\Express Files Updater.job
    - c:\program files\ExpressFiles\EFupdater.exe [2012-02-06 10:37]
    .
    2012-04-14 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2011-09-01 05:18]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: DhcpNameServer = 192.168.2.1
    FF - ProfilePath - c:\documents and settings\ecp\Application Data\Mozilla\Firefox\Profiles\war018ks.default\
    FF - prefs.js: browser.startup.homepage - hxxp://forums.prowrestling.com/
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z192&form=ZGAADF&install_date=20110910&q=
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-13 21:15
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(680)
    c:\windows\system32\cryptdll.dll
    .
    Completion time: 2012-04-13 21:16:48
    ComboFix-quarantined-files.txt 2012-04-14 04:16
    ComboFix2.txt 2012-04-13 17:23
    ComboFix3.txt 2012-04-11 14:17
    ComboFix4.txt 2012-04-07 12:35
    .
    Pre-Run: 2,369,503,232 bytes free
    Post-Run: 2,460,839,936 bytes free
    .
    - - End Of File - - 636DD05A6AD65EA8800085B0E8822A0D
     
