TechSpot

Heavy trojan infection

By SCMc
Dec 21, 2011
  1. My other computer was hit with something that blocked internet access, so I have to use an old laptop a friend gave me. Before getting started on my desktop, I scanned the laptop with Malwarebytes. It found over 80 problems, mostly trojans, so I am starting with cleaning up the laptop:

    Here is the Malwarebytes log:
    ********************************************************************************
    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8399

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    12/19/2011 3:14:18 PM
    mbam-log-2011-12-19 (15-14-18).txt

    Scan type: Quick scan
    Objects scanned: 150359
    Time elapsed: 8 minute(s), 24 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 46
    Registry Values Infected: 9
    Registry Data Items Infected: 1
    Folders Infected: 15
    Files Infected: 17

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\AppID\{314F88D6-80CE-408a-9E8F-B2389B81E8B8} (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{80EF304A-B1C4-425C-8535-95AB6F1EEFB8} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{F7FA36A4-3177-4B57-B9C1-E9C5B2E0D3A9} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{FF46F4AB-A85F-487E-B399-3F191AC0FE23} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11A69AE4-FBED-4832-A2BF-45AF82825583} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{15421B84-3488-49A7-AD18-CBF84A3EFAF6} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6B221E01-F517-4959-8C41-81948E7F2F17} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7A7F202E-AF91-4889-9DD5-2FE241085CC1} (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A95B2816-1D7E-4561-A202-68C0DE02353A} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D88E1558-7C2D-407A-953A-C044F5607CEA} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FAAD2038-C371-473D-86F1-5B11D39C3775} (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920} (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE} (Trojan.Network.Monitor) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AVIEBHO.IEFW (Rogue.Menace.Rescue) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AVIEBHO.IEFW.2 (Rogue.Menace.Rescue) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\BHO_MyJavaCore.Mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\BHO_MyJavaCore.Mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\GPBlocker.IEPBlocker (Rogue.Menace.Rescue) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\GPBlocker.IEPBlocker.1 (Rogue.Menace.Rescue) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\OINCS.OINAnalytics (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\OINCS.OINAnalytics.1 (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\testCPV6.BHO (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\testCPV6.BHO.1 (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\OINAnalytics.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\PG.DLL (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\SpeedRunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\WebBuying (Adware.WebBuying) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\CAC (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpeedRunner (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\ugcw (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{11A69AE4-FBED-4832-A2BF-45AF82825583} (Trojan.Vundo) -> Value: {11A69AE4-FBED-4832-A2BF-45AF82825583} -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{11A69AE4-FBED-4832-A2BF-45AF82825583} (Trojan.Vundo) -> Value: {11A69AE4-FBED-4832-A2BF-45AF82825583} -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions\{59A40AC9-E67D-4155-B31D-4B7330FCD2D6} (Trojan.Agent) -> Value: {59A40AC9-E67D-4155-B31D-4B7330FCD2D6} -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions\{59A40AC9-E67D-4155-B31D-4B7330FCD2D6} (Trojan.Agent) -> Value: {59A40AC9-E67D-4155-B31D-4B7330FCD2D6} -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97} (Trojan.Vundo) -> Value: {178D4E6A-BA5A-4ECB-8521-F7B8393FDB97} -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97} (Trojan.Vundo) -> Value: {178D4E6A-BA5A-4ECB-8521-F7B8393FDB97} -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Products\rdomain (Rogue.PCVirusless) -> Value: rdomain -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Products\prodname (Rogue.PCVirusless) -> Value: prodname -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Products\compname (Rogue.SpyGuard) -> Value: compname -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    c:\documents and settings\localservice\application data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\salesmonitor (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\salesmonitor\Data (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\documents and settings\Hadrian\application data\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
    c:\documents and settings\Hadrian\application data\Twain (Trojan.Matcash) -> Quarantined and deleted successfully.
    c:\program files\outerinfo (Adware.PurityScan) -> Quarantined and deleted successfully.
    c:\program files\outerinfo\FF (Adware.PurityScan) -> Quarantined and deleted successfully.
    c:\program files\outerinfo\FF\components (Adware.PurityScan) -> Quarantined and deleted successfully.
    c:\documents and settings\Hadrian\start menu\Programs\outerinfo (Malware.Trace) -> Quarantined and deleted successfully.
    c:\UGA6P (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\UGA6P\Quar (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\a8 (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\comms2 (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\ipd2 (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\que1 (Trojan.Downloader) -> Quarantined and deleted successfully.

    Files Infected:
    c:\documents and settings\all users\start menu\online security guide.lnk (Rogue.Link) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\atmtd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\atmtd.dll._ (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
    c:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
    c:\WINDOWS\bmd3d4612f.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
    c:\WINDOWS\bmd3d4612f.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
    c:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    c:\documents and settings\localservice\application data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
    c:\documents and settings\localservice\application data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
    c:\documents and settings\Hadrian\application data\speedrunner\config.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
    c:\program files\outerinfo\Terms.rtf (Adware.PurityScan) -> Quarantined and deleted successfully.
    c:\program files\outerinfo\FF\chrome.manifest (Adware.PurityScan) -> Quarantined and deleted successfully.
    c:\program files\outerinfo\FF\install.rdf (Adware.PurityScan) -> Quarantined and deleted successfully.
    c:\program files\outerinfo\FF\components\outerinfoads.xpt (Adware.PurityScan) -> Quarantined and deleted successfully.
    c:\documents and settings\Hadrian\start menu\Programs\outerinfo\Terms.lnk (Malware.Trace) -> Quarantined and deleted successfully.


    GMER Log
    ************************************************************************************
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-12-20 20:30:17
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 IC25N040ATMR04-0 rev.MO2OAD1A
    Running: sv3gqsr4.exe; Driver: C:\DOCUME~1\Hadrian\LOCALS~1\Temp\kgkdqpod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xEE973BDA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xEE973A45]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xEE9F07A2]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- EOF - GMER 1.0.15 ----


    DDS Log:
    *******************************************************************************
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Hadrian at 20:34:43 on 2011-12-20
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.222 [GMT -8:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.earthlink.net/partner/more/msie/button/search.html
    uSearch Bar = hxxp://start.earthlink.net/AL/Search
    uDefault_Page_URL = hxxp://my.earthlink.net
    uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
    uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://start.earthlink.net/AL/Search
    uURLSearchHooks: SrchHook Class: {44f9b173-041c-4825-a9b9-d914bd9dcbb3} - c:\program files\earthlink totalaccess\ElnIE.dll
    uURLSearchHooks: H - No File
    mWinlogon: SFCDisable=4 (0x4)
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [Google Update] "c:\documents and settings\hadrian\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [EarthLink Installer] "f:\windows\access\program files\earthlink totalaccess\_setup.exe" /sf:\Windows
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_4_0_03-win.cab
    DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_4_0_03-win.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: Interfaces\{E4F93558-F62E-4862-B14D-AE0414151EEB} : DhcpNameServer = 192.168.1.1
    LSA: Authentication Packages = msv1_0 c:\windows\system32\khhfc.dll
    LSA: Notification Packages = cli c:\windows\system32\dubunide.dll
    Hosts: 82.98.231.89 browser-security.microsoft.com
    Hosts: 82.98.231.89 best-click-scanner.info
    Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
    Hosts: 82.98.231.89 microsoft.infosecuritycenter.com
    Hosts: 82.98.231.89 microsoft.softwaresecurityhelp.com
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\hadrian\application data\mozilla\firefox\profiles\craoxl7k.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - plugin: c:\documents and settings\hadrian\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\j2re1.4.0_03\bin\NPJPI140_03.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-19 435032]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-25 314456]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-25 20568]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-25 44768]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-17 136176]
    S2 mrtRate;mrtRate; [x]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-8-17 136176]
    S3 IPN2220;Wireless-G Notebook Adapter ver.4.0 Driver;c:\windows\system32\drivers\i2220ntx.sys [2004-1-5 117248]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    .
    =============== Created Last 30 ================
    .
    2011-12-19 23:01:49 -------- d-----w- c:\documents and settings\hadrian\application data\Malwarebytes
    2011-12-19 23:01:36 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-12-19 23:01:31 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-19 23:01:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-19 21:44:19 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    .
    ==================== Find3M ====================
    .
    2011-11-28 18:01:25 41184 ----a-w- c:\windows\avastSS.scr
    .
    ============= FINISH: 20:35:55.03 ===============

    Thanks in advance for your help

    Steve
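As an added example for readers of this thread (not code from the thread, from DDS or from any of the tools mentioned): a small Python script that reads lines in the DDS "Pseudo HJT Report" format above and flags the three indicators visible in Steve's log, namely the HOSTS redirects, the extra DLLs in the LSA package lists and the non-default SFCDisable value. The Windows XP defaults for the LSA package lists (msv1_0 and scecli) are my assumption, and the sample lines are a constructed subset of the posted report.

```python
"""Added triage helper for the DDS 'Pseudo HJT Report' format seen in this
thread (not part of DDS or of the thread): flags HOSTS entries that send
names somewhere other than loopback, extra entries in the two LSA package
lists, and a non-default Winlogon SFCDisable value."""
import re
from ipaddress import ip_address

# Constructed sample: a subset of the report lines posted above, plus one
# ordinary localhost entry so the "clean" path is exercised too.
SAMPLE_REPORT = """\
mWinlogon: SFCDisable=4 (0x4)
TCP: Interfaces\\{E4F93558-F62E-4862-B14D-AE0414151EEB} : DhcpNameServer = 192.168.1.1
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\khhfc.dll
LSA: Notification Packages = cli c:\\windows\\system32\\dubunide.dll
Hosts: 82.98.231.89 browser-security.microsoft.com
Hosts: 82.98.231.89 best-click-scanner.info
Hosts: 127.0.0.1 localhost
"""

# Assumption: Windows XP defaults for these two LSA values. Anything else
# listed is a DLL that LSASS loads at boot, so it deserves a look.
# (The log above shows "cli" rather than "scecli"; it is reported as
# non-default too, which is the conservative choice.)
LSA_DEFAULTS = {
    "Authentication Packages": {"msv1_0"},
    "Notification Packages": {"scecli"},
}


def check_hosts(line):
    """'Hosts: <ip> <name>': a finding unless the name goes to loopback or 0.0.0.0."""
    m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", line)
    if not m:
        return None
    ip, name = m.groups()
    try:
        addr = ip_address(ip)
    except ValueError:
        return f"Hosts: unparsable address {ip!r} for {name}"
    if addr.is_loopback or addr.is_unspecified:
        return None  # normal localhost line or a deliberate sinkhole entry
    return f"Hosts: {name} redirected to {ip} (not loopback)"


def check_lsa(line):
    """'LSA: <key> = <pkg> <pkg> ...': report every package not in the default set."""
    m = re.match(r"LSA:\s+(Authentication Packages|Notification Packages)\s*=\s*(.*)", line)
    if not m:
        return None
    key, value = m.groups()
    extras = [tok for tok in value.split() if tok.lower() not in LSA_DEFAULTS[key]]
    if not extras:
        return None
    return f"LSA {key}: non-default entries {extras}"


def check_sfc(line):
    """'mWinlogon: SFCDisable=<n>': 0 is the default; anything else is worth review."""
    m = re.match(r"mWinlogon:\s+SFCDisable=(\d+)", line)
    if not m:
        return None
    value = int(m.group(1))
    return None if value == 0 else f"Winlogon SFCDisable={value} (default is 0)"


CHECKS = (check_hosts, check_lsa, check_sfc)


def triage(report):
    """Run every check over every line; return the list of finding strings."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        for check in CHECKS:
            finding = check(line)
            if finding:
                findings.append(finding)
                break
    return findings


def hosts_clusters(report):
    """Group redirected HOSTS names by target address. Several security-looking
    names all pointing at one public IP, as in the log above, is the hijack pattern."""
    clusters = {}
    for raw in report.splitlines():
        m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", raw.strip())
        if m and check_hosts(raw.strip()):
            clusters.setdefault(m.group(1), []).append(m.group(2))
    return clusters


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
    for ip, names in hosts_clusters(SAMPLE_REPORT).items():
        print(f"{len(names)} name(s) redirected to {ip}: {', '.join(names)}")
```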
     
  2. SCMc

    SCMc TS Rookie Topic Starter Posts: 36

    I forgot to paste attach.txt, so here it is:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/2/2007 1:30:59 PM
    System Uptime: 12/20/2011 7:52:30 PM (1 hours ago)
    .
    Motherboard: Sony Corporation | | Q-Project
    Processor: Intel(R) Celeron(R) CPU 2.40GHz | N/A | 2392/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 14 GiB total, 6.473 GiB free.
    D: is FIXED (NTFS) - 18 GiB total, 14.184 GiB free.
    E: is Removable
    F: is CDROM ()
    G: is FIXED (NTFS) - 5 GiB total, 1.431 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP64: 12/19/2011 4:45:36 PM - System Checkpoint
    .
    ==== Hosts File Hijack ======================
    .
    Hosts: 82.98.231.89 browser-security.microsoft.com
    Hosts: 82.98.231.89 best-click-scanner.info
    Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
    Hosts: 82.98.231.89 microsoft.infosecuritycenter.com
    Hosts: 82.98.231.89 microsoft.softwaresecurityhelp.com
    Hosts: 82.98.231.89 onlinenotifyq.net
    Hosts: 82.98.231.89 antivirusxp-pro-2009.com
    Hosts: 82.98.231.89 microsoft.browser-security-center.com
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3.4
    ATI Control Panel
    ATI Display Driver
    avast! Free Antivirus
    Canon PIXMA iP4000
    Deal Info
    EarthLink Software
    EMS Magic 2.1
    Fraqtive 0.4.5
    Glary Utilities 2.27.0.982
    Google Chrome
    Google Update Helper
    HotKey Utility
    Java 2 Runtime Environment, SE v1.4.0_03
    Java Web Start
    M&Ms The Lost Formulas (Demo)
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Memory Stick Formatter
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft XML Parser
    Mozilla Firefox (3.6.8)
    MSXML 4.0 SP2 Parser and SDK
    Music Visualizer Library 1.4.00
    Netscape (7.02)
    OpenMG Limited Patch 3.2-03-02-21-08
    OpenMG Limited Patch 3.2-03-03-18-01
    OpenMG Limited Patch 3.2-03-04-14-02
    OpenMG Secure Module 3.2
    Quicken 2003 New User Edition
    QuickTime
    Redistributed Files
    Shockwave
    SoftK56 Data Fax CARP
    SonicStage 1.6.00
    Sony Certificate PCH
    Sony Notebook Setup
    Sony USB Mouse
    Sony Utilities DLL
    Sony Video Shared Library
    SoundMAX
    TotalAccess Core Applications
    Turbo Tax Offer
    VAIO BrightColor Wallpaper
    VAIO Help and Support
    VAIO Media 2.6
    VAIO Media Integrated Server 2.6
    VAIO Media Redistribution 2.6
    VAIO Registration
    VAIO Support
    VAIO Survey Standalone
    VDMSound
    Viewpoint Media Player (Remove Only)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs XP
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 8
    Windows XP Service Pack 2
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/20/2011 8:28:27 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    12/19/2011 1:30:16 PM, error: Service Control Manager [7000] - The mrtRate service failed to start due to the following error: The system cannot find the file specified.
    .
    ==== End Of File ===========================

    Thanks again,

    Steve
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Steve, have you considered reformatting and reinstalling?

    ==============================================
    Please do the following to help you run other programs:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, using your up/down arrows to reach it and then press ENTER.

    This infection may change your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software, so we will first need to fix this. Launch Internet Explorer:
    • Access Internet Options through Tools> Connections tab
    • Click on the Lan Settings at the bottom
    • Proxy Server section> uncheck the box labeled 'Use a proxy server for your LAN'.
    • Then click on OK> and OK again to close Internet Options.
    ===============================
    This malware frequently comes with the TDSS rootkit, so do the following:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ====================================
    If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again
    ====================================
    To end the processes that belong to the rogue program:
    Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 3 different versions. If one of them won't run then download and try to run the other one. (Vista and Win7 users need to right click Rkill and choose Run as Administrator)

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • If the tool does not run from any of the links provided, please let me know.
    Do not reboot until instructed, as it will start the malware again.
    ==================================
    You will run another scan with Mbam, after it updates, but this time, on the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.

    When scan has finished, you will see this image:
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ========================================
    Reboot into Normal Mode
    ======================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
      ***Please note: if you have downloaded Combofix to a flash drive, then run it on the infected machine> the Recovery Console will not install- just bypass and go on.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow it
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ==================================
    Please leave the logs for the following in your next reply:
    TDSSKiller
    RKill
    New Malwarebytes
    Combofix
    ================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
     
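Reading the four logs requested above is mostly pattern-matching by eye; for the TDSSKiller log in particular, a small parser makes that triage repeatable and lets you keep a hash baseline for comparison after a second scan. The Python below is an added example, not TechSpot's, Bobbye's or Kaspersky's code: it pairs TDSSKiller's "name (md5) path" lines with the later "name - status" verdicts, builds a path-to-MD5 inventory, and flags any object whose verdict is not "ok", any driver loaded from outside %WINDIR%, and any MBR or boot-sector hash that differs from a supplied baseline. The sample lines are copied from the TDSSKiller log posted later in this thread, followed by two constructed lines for a hypothetical driver "xyzdrv"; the "detected ..." verdict wording and the C: system drive are assumptions, which is why the check keys on "anything that is not ok" rather than on a specific string.

```python
"""Triage helper for TDSSKiller text logs (added example, not the tool's own code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Line shapes emitted by TDSSKiller 2.6.x, as seen in the log posted in this thread:
#   <time> <tid> <name> (<md5>) <path>    file found and hashed
#   <time> <tid> <name> - <status>        verdict; <name> is the device path for MBR/boot sectors
#   <time> <tid> <name> - ok              service registered but no binary (normal for stock XP)
# The "(0x1B8)" / "(0x1200)" after MBR/Boot is the size of the region that was hashed
# (0x1B8 = boot code up to the disk signature, i.e. the bytes a bootkit overwrites).
_PREFIX = r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<tid>\d+)\s+"
FILE_RE = re.compile(_PREFIX + r"(?P<name>\S+(?: \(0x[0-9A-Fa-f]+\))?)\s+"
                     r"\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+?)\s*$")
STATUS_RE = re.compile(_PREFIX + r"(?P<name>.+?)\s+-\s+(?P<status>.+?)\s*$")

WINDIR = "c:\\windows\\"   # assumption: system drive is C:, as in the logs in this thread


@dataclass
class Record:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    status: Optional[str] = None


def parse_tdsskiller(lines) -> List[Record]:
    """Pair each 'name (md5) path' line with its later 'name - status' verdict."""
    records: List[Record] = []
    by_name: Dict[str, Record] = {}
    by_path: Dict[str, Record] = {}
    for line in lines:
        m = FILE_RE.match(line)
        if m:
            rec = Record(m["name"], m["md5"].lower(), m["path"])
            records.append(rec)
            by_name[m["name"]] = rec      # several "Boot (0x1200)" rows share one name...
            by_path[m["path"]] = rec      # ...so the device path is the reliable key
            continue
        m = STATUS_RE.match(line)
        if m:
            rec = by_path.get(m["name"]) or by_name.get(m["name"])
            if rec is None:               # verdict for a service with no binary on disk
                rec = Record(m["name"])
                records.append(rec)
                by_name[m["name"]] = rec
            rec.status = m["status"]
    return records


def lookup(records: List[Record], key: str) -> Optional[Record]:
    """Find a record by service name or by device/file path."""
    for rec in records:
        if key in (rec.name, rec.path):
            return rec
    return None


def hash_inventory(records: List[Record]) -> Dict[str, str]:
    """path -> md5 for every hashed object; keep this as the baseline for the next scan."""
    return {r.path: r.md5 for r in records if r.path and r.md5}


def triage(records: List[Record],
           baseline: Optional[Dict[str, str]] = None) -> List[Tuple[str, str]]:
    """Return (name, reason) findings that deserve a human look."""
    findings: List[Tuple[str, str]] = []
    for rec in records:
        if rec.status is None:
            findings.append((rec.name, "no verdict line (log truncated?)"))
        elif rec.status.lower() != "ok":
            findings.append((rec.name, "tool verdict: " + rec.status))
        if (rec.path and not rec.path.startswith("\\Device\\")
                and not rec.path.lower().startswith(WINDIR)):
            findings.append((rec.name, "driver outside %WINDIR%: " + rec.path))
        if baseline and rec.path in baseline and rec.md5 != baseline[rec.path]:
            findings.append((rec.name, f"hash changed: {rec.md5} (baseline {baseline[rec.path]})"))
    return findings


# Sample input: real lines copied from the TDSSKiller log in this thread, followed by two
# CONSTRUCTED lines for a hypothetical driver "xyzdrv". The "detected ..." wording is an
# assumption about the tool's verdict format, which is why triage() keys on "not ok".
SAMPLE_LOG = [
    r"06:02:57.0303 0760 Aavmker4 (b6de0336f9f4b687b4ff57939f7b657a) C:\WINDOWS\system32\drivers\Aavmker4.sys",
    r"06:02:57.0313 0760 Aavmker4 - ok",
    r"06:02:57.0493 0760 Abiosdsk - ok",
    r"06:03:02.0410 0760 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys",
    r"06:03:02.0410 0760 atapi - ok",
    r"06:03:42.0157 0760 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0",
    r"06:03:42.0638 0760 \Device\Harddisk0\DR0 - ok",
    r"06:03:42.0748 0760 Boot (0x1200) (ac10de3ec031690bcf0b5c3f9da72a2a) \Device\Harddisk0\DR0\Partition0",
    r"06:03:42.0748 0760 \Device\Harddisk0\DR0\Partition0 - ok",
    r"06:03:43.0000 0760 xyzdrv (0123456789abcdef0123456789abcdef) C:\Documents and Settings\user\Local Settings\Temp\xyzdrv.sys",
    r"06:03:43.0010 0760 xyzdrv - detected Rootkit.Win32.TDSS.tdl3 (0)",
]

if __name__ == "__main__":
    recs = parse_tdsskiller(SAMPLE_LOG)
    baseline = {r"\Device\Harddisk0\DR0": "8f558eb6672622401da993e1e865c861"}
    for name, reason in triage(recs, baseline):
        print(f"{name}: {reason}")
```

Run it against a saved TDSSKiller.txt by passing `open(path)` to `parse_tdsskiller`; keeping `hash_inventory()` from the first scan and passing it as `baseline` to the second makes an MBR or driver that changed between scans stand out even when the tool itself still says "ok".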
  4. SCMc


    Hi Bobbye,

    Thanks for taking the time to look through my posts.

    I think there may have been some confusion. I posted two threads. This one is about a laptop that had a heavy trojan infection, but can still access the internet. The other thread is about my desktop computer that is blocked from internet access.

    Judging from your response, I am guessing that your instructions apply to the desktop that can't access the web. Is this correct?

    Thanks again,

    Steve
     
  5. Bobbye


    Holiday Notice! I will not be working on the threads Sat. Dec. 24 or Sunday Dec. 25. I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that. Please do not send a PM during those days.
    -----------------------------------------------
    I sent Broni a PM and asked him to reopen your other thread and help you with that machine.
    The instructions I left here are based on the logs you posted on this thread. Neither Broni nor I understood that you had 2 active threads going about 2 different machines. This one is the system with a gazillion malware entries. I was also serious when I asked if you had considered a reformat/reinstall.
    =========================================
    This one has infections from Vundo, Rogue.PCVirusless, Rogue.SpyGuard and assorted other Trojans. Please go ahead and run the scans I set up for you. I am trying to address as many of them as I can!
     
  6. SCMc


    Hi Bobbye,

    Reformatting the laptop would be tempting, since I have only occasionally used this computer as a backup, and don't have much valuable data on it, but the most recent operating system disk I have is Win 98.

    I won't be back home until late on the 23rd, or the 24th. I will get started following your recommendations then. I appreciate you volunteering your time, and can wait until next week for you to check the results.

    Enjoy the next couple of days off.

    Steve
     
  7. Bobbye


    Okay, but please observe the following:

    Holiday Notice! I will not be working on the threads Sat. Dec. 24 or Sunday Dec. 25. I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that. Please do not send a PM during those days.
     
  8. SCMc


    Hi Bobbye,

    I hope you had a good holiday. Here are the requested logs:

    TDSSkiller
    ************************************************
    06:02:39.0647 0648 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
    06:02:40.0198 0648 ============================================================
    06:02:40.0198 0648 Current date / time: 2011/12/26 06:02:40.0198
    06:02:40.0198 0648 SystemInfo:
    06:02:40.0198 0648
    06:02:40.0198 0648 OS Version: 5.1.2600 ServicePack: 2.0
    06:02:40.0198 0648 Product type: Workstation
    06:02:40.0198 0648 ComputerName: VALUED-65BAD02C
    06:02:40.0208 0648 UserName: Hadrian
    06:02:40.0208 0648 Windows directory: C:\WINDOWS
    06:02:40.0208 0648 System windows directory: C:\WINDOWS
    06:02:40.0208 0648 Processor architecture: Intel x86
    06:02:40.0208 0648 Number of processors: 1
    06:02:40.0208 0648 Page size: 0x1000
    06:02:40.0208 0648 Boot type: Safe boot with network
    06:02:40.0208 0648 ============================================================
    06:02:42.0712 0648 Initialize success
    06:02:55.0951 0760 ============================================================
    06:02:55.0951 0760 Scan started
    06:02:55.0951 0760 Mode: Manual;
    06:02:55.0951 0760 ============================================================
    06:02:57.0303 0760 Aavmker4 (b6de0336f9f4b687b4ff57939f7b657a) C:\WINDOWS\system32\drivers\Aavmker4.sys
    06:02:57.0313 0760 Aavmker4 - ok
    06:02:57.0493 0760 Abiosdsk - ok
    06:02:57.0603 0760 abp480n5 - ok
    06:02:57.0743 0760 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    06:02:57.0763 0760 ACPI - ok
    06:02:57.0974 0760 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    06:02:57.0974 0760 ACPIEC - ok
    06:02:58.0134 0760 adpu160m - ok
    06:02:58.0274 0760 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
    06:02:58.0274 0760 aeaudio - ok
    06:02:58.0464 0760 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
    06:02:58.0474 0760 aec - ok
    06:02:58.0685 0760 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
    06:02:58.0695 0760 AFD - ok
    06:02:58.0895 0760 Aha154x - ok
    06:02:59.0025 0760 aic78u2 - ok
    06:02:59.0125 0760 aic78xx - ok
    06:02:59.0386 0760 aliadwdm (065a6d38a79216592de03f3525d6296e) C:\WINDOWS\system32\drivers\ac97ali.sys
    06:02:59.0396 0760 aliadwdm - ok
    06:02:59.0536 0760 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
    06:02:59.0546 0760 AliIde - ok
    06:02:59.0706 0760 amsint - ok
    06:02:59.0856 0760 ApfiltrService (c804fbe1248cfb9bb19e9274ff30f7e3) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
    06:02:59.0876 0760 ApfiltrService - ok
    06:03:00.0127 0760 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    06:03:00.0137 0760 Arp1394 - ok
    06:03:00.0287 0760 asc - ok
    06:03:00.0347 0760 asc3350p - ok
    06:03:00.0417 0760 asc3550 - ok
    06:03:00.0778 0760 aswFsBlk (054df24c92b55427e0757cfff160e4f2) C:\WINDOWS\system32\drivers\aswFsBlk.sys
    06:03:00.0788 0760 aswFsBlk - ok
    06:03:00.0968 0760 aswMon2 (ef0e9ad83380724bd6fbbb51d2d0f5b8) C:\WINDOWS\system32\drivers\aswMon2.sys
    06:03:00.0978 0760 aswMon2 - ok
    06:03:01.0138 0760 aswRdr (352d5a48ebab35a7693b048679304831) C:\WINDOWS\system32\drivers\aswRdr.sys
    06:03:01.0138 0760 aswRdr - ok
    06:03:01.0459 0760 aswSnx (8d34d2b24297e27d93e847319abfdec4) C:\WINDOWS\system32\drivers\aswSnx.sys
    06:03:01.0529 0760 aswSnx - ok
    06:03:01.0769 0760 aswSP (010012597333da1f46c3243f33f8409e) C:\WINDOWS\system32\drivers\aswSP.sys
    06:03:01.0799 0760 aswSP - ok
    06:03:01.0979 0760 aswTdi (f9f84364416658e9786235904d448d37) C:\WINDOWS\system32\drivers\aswTdi.sys
    06:03:01.0979 0760 aswTdi - ok
    06:03:02.0180 0760 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    06:03:02.0190 0760 AsyncMac - ok
    06:03:02.0410 0760 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
    06:03:02.0410 0760 atapi - ok
    06:03:02.0610 0760 Atdisk - ok
    06:03:02.0841 0760 ati2mtag (6dea83088c7a8b0e6257a2c105040e51) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    06:03:02.0931 0760 ati2mtag - ok
    06:03:03.0151 0760 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    06:03:03.0151 0760 Atmarpc - ok
    06:03:03.0391 0760 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    06:03:03.0391 0760 audstub - ok
    06:03:03.0802 0760 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    06:03:03.0812 0760 Beep - ok
    06:03:04.0283 0760 caboagp (e3d35fe1ed9ace83b7728040cd634aa3) C:\WINDOWS\system32\DRIVERS\atisgkaf.sys
    06:03:04.0293 0760 caboagp - ok
    06:03:04.0513 0760 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    06:03:04.0523 0760 cbidf2k - ok
    06:03:04.0733 0760 cd20xrnt - ok
    06:03:04.0944 0760 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    06:03:04.0944 0760 Cdaudio - ok
    06:03:05.0164 0760 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
    06:03:05.0164 0760 Cdfs - ok
    06:03:05.0374 0760 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    06:03:05.0384 0760 Cdrom - ok
    06:03:05.0574 0760 Changer - ok
    06:03:05.0895 0760 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    06:03:05.0895 0760 CmBatt - ok
    06:03:06.0105 0760 CmdIde - ok
    06:03:06.0215 0760 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    06:03:06.0215 0760 Compbatt - ok
    06:03:06.0456 0760 Cpqarray - ok
    06:03:06.0596 0760 dac2w2k - ok
    06:03:06.0706 0760 dac960nt - ok
    06:03:06.0986 0760 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
    06:03:07.0027 0760 Disk - ok
    06:03:07.0437 0760 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
    06:03:07.0537 0760 dmboot - ok
    06:03:07.0758 0760 DMICall (526192bf7696f72e29777bf4a180513a) C:\WINDOWS\system32\DRIVERS\DMICall.sys
    06:03:07.0758 0760 DMICall - ok
    06:03:07.0948 0760 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
    06:03:07.0958 0760 dmio - ok
    06:03:08.0118 0760 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    06:03:08.0128 0760 dmload - ok
    06:03:08.0378 0760 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
    06:03:08.0389 0760 DMusic - ok
    06:03:08.0629 0760 dpti2o - ok
    06:03:08.0749 0760 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
    06:03:08.0759 0760 drmkaud - ok
    06:03:09.0190 0760 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
    06:03:09.0210 0760 Fastfat - ok
    06:03:09.0460 0760 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
    06:03:09.0460 0760 Fdc - ok
    06:03:09.0620 0760 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
    06:03:09.0680 0760 Fips - ok
    06:03:09.0851 0760 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
    06:03:09.0861 0760 Flpydisk - ok
    06:03:10.0091 0760 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\drivers\fltmgr.sys
    06:03:10.0101 0760 FltMgr - ok
    06:03:10.0281 0760 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    06:03:10.0291 0760 Fs_Rec - ok
    06:03:10.0411 0760 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    06:03:10.0421 0760 Ftdisk - ok
    06:03:10.0592 0760 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    06:03:10.0602 0760 Gpc - ok
    06:03:11.0012 0760 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    06:03:11.0022 0760 HidUsb - ok
    06:03:11.0193 0760 hpn - ok
    06:03:11.0323 0760 HSFHWALI (54c71b1f503152b762ee79361c2d4f7f) C:\WINDOWS\system32\DRIVERS\HSFHWALI.sys
    06:03:11.0343 0760 HSFHWALI - ok
    06:03:11.0593 0760 HSF_DP (a09c357e2f1412c8f01bc132d07cf644) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
    06:03:11.0653 0760 HSF_DP - ok
    06:03:11.0934 0760 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
    06:03:11.0964 0760 HTTP - ok
    06:03:12.0134 0760 i2omgmt - ok
    06:03:12.0244 0760 i2omp - ok
    06:03:12.0424 0760 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    06:03:12.0424 0760 i8042prt - ok
    06:03:12.0665 0760 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
    06:03:12.0665 0760 Imapi - ok
    06:03:13.0055 0760 ini910u - ok
    06:03:13.0185 0760 IntelIde - ok
    06:03:13.0316 0760 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    06:03:13.0326 0760 intelppm - ok
    06:03:13.0546 0760 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
    06:03:13.0556 0760 ip6fw - ok
    06:03:13.0726 0760 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    06:03:13.0736 0760 IpFilterDriver - ok
    06:03:13.0946 0760 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    06:03:13.0967 0760 IpInIp - ok
    06:03:14.0307 0760 IPN2220 (b0ccbe80f02701930bb74ffa277c7892) C:\WINDOWS\system32\DRIVERS\i2220ntx.sys
    06:03:14.0317 0760 IPN2220 - ok
    06:03:14.0547 0760 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    06:03:14.0557 0760 IpNat - ok
    06:03:14.0768 0760 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    06:03:14.0768 0760 IPSec - ok
    06:03:14.0978 0760 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
    06:03:14.0988 0760 IRENUM - ok
    06:03:15.0198 0760 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    06:03:15.0208 0760 isapnp - ok
    06:03:15.0389 0760 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    06:03:15.0399 0760 Kbdclass - ok
    06:03:15.0649 0760 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
    06:03:15.0669 0760 kmixer - ok
    06:03:15.0889 0760 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
    06:03:15.0899 0760 KSecDD - ok
    06:03:16.0150 0760 lbrtfdc - ok
    06:03:16.0440 0760 MBAMSwissArmy - ok
    06:03:16.0560 0760 mdmxsdk (b72d7ea394d5f1c5053368783ad7f7ed) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    06:03:16.0570 0760 mdmxsdk - ok
    06:03:16.0851 0760 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    06:03:16.0861 0760 mnmdd - ok
    06:03:17.0111 0760 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
    06:03:17.0121 0760 Modem - ok
    06:03:17.0291 0760 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    06:03:17.0301 0760 Mouclass - ok
    06:03:17.0582 0760 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    06:03:17.0592 0760 mouhid - ok
    06:03:17.0862 0760 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
    06:03:17.0872 0760 MountMgr - ok
    06:03:18.0082 0760 mraid35x - ok
    06:03:18.0173 0760 mrtRate - ok
    06:03:18.0343 0760 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    06:03:18.0353 0760 MRxDAV - ok
    06:03:18.0613 0760 MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    06:03:18.0683 0760 MRxSmb - ok
    06:03:18.0944 0760 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
    06:03:18.0994 0760 Msfs - ok
    06:03:19.0344 0760 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    06:03:19.0354 0760 MSKSSRV - ok
    06:03:19.0515 0760 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    06:03:19.0525 0760 MSPCLOCK - ok
    06:03:19.0625 0760 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
    06:03:19.0645 0760 MSPQM - ok
    06:03:19.0765 0760 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    06:03:19.0775 0760 mssmbios - ok
    06:03:19.0985 0760 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
    06:03:19.0995 0760 Mup - ok
    06:03:20.0205 0760 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
    06:03:20.0266 0760 NDIS - ok
    06:03:20.0456 0760 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    06:03:20.0456 0760 NdisTapi - ok
    06:03:20.0666 0760 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    06:03:20.0676 0760 Ndisuio - ok
    06:03:20.0886 0760 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    06:03:20.0917 0760 NdisWan - ok
    06:03:21.0067 0760 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
    06:03:21.0067 0760 NDProxy - ok
    06:03:21.0167 0760 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
    06:03:21.0177 0760 NetBIOS - ok
    06:03:21.0397 0760 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
    06:03:21.0407 0760 NetBT - ok
    06:03:21.0908 0760 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    06:03:21.0918 0760 NIC1394 - ok
    06:03:22.0178 0760 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
    06:03:22.0188 0760 Npfs - ok
    06:03:22.0399 0760 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
    06:03:22.0439 0760 Ntfs - ok
    06:03:22.0759 0760 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    06:03:22.0769 0760 Null - ok
    06:03:23.0000 0760 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    06:03:23.0000 0760 NwlnkFlt - ok
    06:03:23.0230 0760 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    06:03:23.0230 0760 NwlnkFwd - ok
    06:03:23.0430 0760 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    06:03:23.0440 0760 ohci1394 - ok
    06:03:23.0640 0760 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
    06:03:23.0650 0760 Parport - ok
    06:03:23.0901 0760 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
    06:03:23.0911 0760 PartMgr - ok
    06:03:24.0151 0760 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    06:03:24.0161 0760 ParVdm - ok
    06:03:24.0371 0760 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
    06:03:24.0382 0760 PCI - ok
    06:03:24.0572 0760 PCIDump - ok
    06:03:24.0682 0760 PCIIde - ok
    06:03:24.0882 0760 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
    06:03:24.0892 0760 Pcmcia - ok
    06:03:25.0062 0760 PDCOMP - ok
    06:03:25.0233 0760 PDFRAME - ok
    06:03:25.0313 0760 PDRELI - ok
    06:03:25.0423 0760 PDRFRAME - ok
    06:03:25.0533 0760 perc2 - ok
    06:03:25.0643 0760 perc2hib - ok
    06:03:26.0014 0760 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    06:03:26.0024 0760 PptpMiniport - ok
    06:03:26.0254 0760 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
    06:03:26.0264 0760 Processor - ok
    06:03:26.0525 0760 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
    06:03:26.0525 0760 PSched - ok
    06:03:26.0725 0760 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    06:03:26.0725 0760 Ptilink - ok
    06:03:26.0905 0760 PxHelp20 (fd9d44ec6d99edfa3782f870b7e00682) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
    06:03:26.0905 0760 PxHelp20 - ok
    06:03:27.0095 0760 ql1080 - ok
    06:03:27.0206 0760 Ql10wnt - ok
    06:03:27.0316 0760 ql12160 - ok
    06:03:27.0426 0760 ql1240 - ok
    06:03:27.0536 0760 ql1280 - ok
    06:03:27.0666 0760 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    06:03:27.0666 0760 RasAcd - ok
    06:03:27.0907 0760 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    06:03:27.0917 0760 Rasl2tp - ok
    06:03:28.0157 0760 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    06:03:28.0157 0760 RasPppoe - ok
    06:03:28.0377 0760 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    06:03:28.0377 0760 Raspti - ok
    06:03:28.0648 0760 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    06:03:28.0658 0760 Rdbss - ok
    06:03:28.0888 0760 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    06:03:28.0898 0760 RDPCDD - ok
    06:03:29.0208 0760 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
    06:03:29.0228 0760 RDPWD - ok
    06:03:29.0509 0760 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
    06:03:29.0519 0760 redbook - ok
    06:03:29.0950 0760 rtl8139 (2ef9c0dc26b30b2318b1fc3faa1f0ae7) C:\WINDOWS\system32\DRIVERS\R8139n51.SYS
    06:03:29.0960 0760 rtl8139 - ok
    06:03:30.0410 0760 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    06:03:30.0440 0760 Secdrv - ok
    06:03:30.0881 0760 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
    06:03:30.0891 0760 Serial - ok
    06:03:31.0141 0760 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
    06:03:31.0151 0760 Sfloppy - ok
    06:03:31.0452 0760 Simbad - ok
    06:03:31.0632 0760 smwdm (fa3368a7039f5abaa4b933703ac34763) C:\WINDOWS\system32\drivers\smwdm.sys
    06:03:31.0672 0760 smwdm - ok
    06:03:31.0912 0760 SNC (be6038e0a7d2e2fe69107e41a0265831) C:\WINDOWS\system32\Drivers\SonyNC.sys
    06:03:31.0922 0760 SNC - ok
    06:03:32.0113 0760 SONYWBMS (e6320f02dc53402bbff34f0d0a5fee51) C:\WINDOWS\system32\DRIVERS\SonyWBMS.SYS
    06:03:32.0123 0760 SONYWBMS - ok
    06:03:32.0303 0760 Sparrow - ok
    06:03:32.0483 0760 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
    06:03:32.0493 0760 splitter - ok
    06:03:32.0814 0760 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
    06:03:32.0824 0760 sr - ok
    06:03:33.0094 0760 Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys
    06:03:33.0114 0760 Srv - ok
    06:03:33.0555 0760 StreamDispatcher (20cbedf1964b87bec9f819ab6a4800cc) C:\WINDOWS\system32\DRIVERS\strmdisp.sys
    06:03:33.0565 0760 StreamDispatcher - ok
    06:03:33.0755 0760 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
    06:03:33.0765 0760 swenum - ok
    06:03:33.0965 0760 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
    06:03:33.0965 0760 swmidi - ok
    06:03:34.0266 0760 symc810 - ok
    06:03:34.0426 0760 symc8xx - ok
    06:03:34.0496 0760 sym_hi - ok
    06:03:34.0606 0760 sym_u3 - ok
    06:03:34.0736 0760 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
    06:03:34.0776 0760 sysaudio - ok
    06:03:35.0187 0760 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    06:03:35.0207 0760 Tcpip - ok
    06:03:35.0487 0760 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
    06:03:35.0497 0760 TDPIPE - ok
    06:03:35.0718 0760 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
    06:03:35.0718 0760 TDTCP - ok
    06:03:35.0928 0760 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
    06:03:35.0928 0760 TermDD - ok
    06:03:36.0219 0760 TosIde - ok
    06:03:36.0429 0760 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
    06:03:36.0439 0760 Udfs - ok
    06:03:36.0619 0760 ultra - ok
    06:03:36.0809 0760 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
    06:03:36.0829 0760 Update - ok
    06:03:37.0270 0760 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    06:03:37.0270 0760 usbccgp - ok
    06:03:37.0480 0760 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    06:03:37.0490 0760 usbehci - ok
    06:03:37.0721 0760 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    06:03:37.0731 0760 usbhub - ok
    06:03:37.0941 0760 USBIO (f90d8f845095fcd6924e3d751c04e442) C:\WINDOWS\system32\Drivers\usbio.sys
    06:03:37.0951 0760 USBIO - ok
    06:03:38.0221 0760 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    06:03:38.0221 0760 usbprint - ok
    06:03:38.0472 0760 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    06:03:38.0472 0760 usbscan - ok
    06:03:38.0702 0760 usbstor (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    06:03:38.0712 0760 usbstor - ok
    06:03:38.0882 0760 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    06:03:38.0892 0760 usbuhci - ok
    06:03:39.0533 0760 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
    06:03:39.0533 0760 VgaSave - ok
    06:03:39.0784 0760 ViaIde - ok
    06:03:39.0984 0760 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
    06:03:39.0994 0760 VolSnap - ok
    06:03:40.0425 0760 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    06:03:40.0435 0760 Wanarp - ok
    06:03:40.0605 0760 WDICA - ok
    06:03:40.0855 0760 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
    06:03:40.0875 0760 wdmaud - ok
    06:03:41.0156 0760 winachsf (fce68b254a8e04cf269c5255575b7e3c) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
    06:03:41.0196 0760 winachsf - ok
    06:03:42.0157 0760 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    06:03:42.0638 0760 \Device\Harddisk0\DR0 - ok
    06:03:42.0748 0760 Boot (0x1200) (ac10de3ec031690bcf0b5c3f9da72a2a) \Device\Harddisk0\DR0\Partition0
    06:03:42.0748 0760 \Device\Harddisk0\DR0\Partition0 - ok
    06:03:42.0848 0760 Boot (0x1200) (a5338b88363bab417484a9723a37a632) \Device\Harddisk0\DR0\Partition1
    06:03:42.0888 0760 \Device\Harddisk0\DR0\Partition1 - ok
    06:03:43.0018 0760 Boot (0x1200) (1b78e0b2aec37a30f469becd4b1f028b) \Device\Harddisk0\DR0\Partition2
    06:03:43.0028 0760 \Device\Harddisk0\DR0\Partition2 - ok
    06:03:43.0038 0760 ============================================================
    06:03:43.0038 0760 Scan finished
    06:03:43.0038 0760 ============================================================
    06:03:43.0219 0752 Detected object count: 0
    06:03:43.0219 0752 Actual detected object count: 0


    rkill
    *******************************************

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 12/26/2011 at 6:10:36.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:



    Rkill completed on 12/26/2011 at 6:11:21.


    Mbam
    *********************************
    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8399

    Windows 5.1.2600 Service Pack 2 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    12/26/2011 6:47:12 AM
    mbam-log-2011-12-26 (06-47-12).txt

    Scan type: Full scan (C:\|D:\|G:\|)
    Objects scanned: 184183
    Time elapsed: 26 minute(s), 54 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    ComboFix
    *****************************************

    ComboFix 11-12-25.03 - Hadrian 12/26/2011 7:10.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.226 [GMT -8:00]
    Running from: c:\documents and settings\Hadrian\Desktop\Security2\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Start Menu\Live Safety Center.lnk
    c:\documents and settings\hadrian\favorites\Online Security Guide.lnk
    c:\documents and settings\Hadrian\Local Settings\Temporary Internet Files\bestwiner.stt
    c:\documents and settings\Hadrian\Local Settings\Temporary Internet Files\CPV.stt
    c:\documents and settings\Hadrian\ResErrors.log
    c:\program files\Common Files\dobe~1
    c:\program files\Common Files\ecurit~1
    c:\windows\help\wmplayer.bak
    c:\windows\system32\adinozuv.ini
    c:\windows\system32\bcehyvcf.ini
    c:\windows\system32\cdblrdlj.ini
    c:\windows\system32\cfhhk.bak1
    c:\windows\system32\cfhhk.bak2
    c:\windows\system32\cfhhk.ini
    c:\windows\system32\cfhhk.ini2
    c:\windows\system32\cfhhk.tmp
    c:\windows\system32\eeulwlki.dllbox
    c:\windows\system32\gdgnfqjf.ini
    c:\windows\system32\gwvdpcno.ini
    c:\windows\system32\hkfcyolj.ini
    c:\windows\system32\ksohkqbd.ini
    c:\windows\system32\kutesmui.ini
    c:\windows\system32\lcpiqtou.ini
    c:\windows\system32\smadsyyu.ini
    c:\windows\system32\ssembl~1
    c:\windows\system32\sudodrly.ini
    c:\windows\system32\ubwfbrgu.ini
    c:\windows\system32\uotspnor.ini
    c:\windows\windowsxp-kb823559-x86-enu.exe
    c:\windows\windowsxp-kb823980-x86-enu.exe
    G:\autorun.inf
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_DOMAINSERVICE
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-26 to 2011-12-26 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-19 23:01 . 2011-12-19 23:01 -------- d-----w- c:\documents and settings\Hadrian\Application Data\Malwarebytes
    2011-12-19 23:01 . 2011-12-19 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-12-19 23:01 . 2011-12-19 23:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-19 23:01 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-19 21:44 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-12-19 21:34 . 2011-12-19 21:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-28 18:01 . 2010-08-26 07:06 41184 ----a-w- c:\windows\avastSS.scr
    2011-11-28 18:01 . 2010-08-26 07:06 199816 ----a-w- c:\windows\system32\aswBoot.exe
    2011-11-28 17:53 . 2010-08-26 07:08 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-11-28 17:52 . 2010-08-26 07:08 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-11-28 17:52 . 2010-08-26 07:08 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-11-28 17:52 . 2010-08-26 07:08 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-11-28 17:51 . 2010-08-26 07:08 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-11-28 17:51 . 2010-08-26 07:08 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-11-28 17:48 . 2010-08-26 07:08 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-11-28 18:01 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-22 323584]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
    backup=c:\windows\pss\Billminder.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton Internet Security.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Norton Internet Security.lnk
    backup=c:\windows\pss\Norton Internet Security.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
    backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
    backup=c:\windows\pss\Quicken Startup.lnkCommon Startup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ARStartup]
    2002-11-18 19:55 192512 ----a-w- c:\windows\SONYSYS\VAIO Recovery\arinit.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
    2002-08-29 00:17 28672 ----a-w- c:\windows\system32\Ati2mdxx.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
    2003-03-18 22:49 4608 ----a-w- c:\windows\system32\carpserv.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreateCD_Reminder]
    2003-04-18 00:51 53248 ----a-w- c:\windows\SONYSYS\VAIO Recovery\Reminder.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
    2002-08-20 17:29 40960 ----a-w- c:\windows\system32\ezSP_Px.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HKSERV.EXE]
    2003-04-01 17:00 81920 ----a-w- c:\program files\Sony\HotKey Utility\HKServ.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2003-08-01 19:44 77824 ----a-w- c:\program files\QuickTime\qttask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
    2003-03-17 18:52 1056768 ----a-w- c:\program files\Sony\VAIO Survey\SurveySA.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZTgServerSwitch]
    2003-06-24 00:32 1409024 ----a-w- c:\program files\support.com\client\bin\tgcmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZZZ]
    2003-04-10 21:22 111144 ----a-w- c:\windows\SONYSYS\Eflyer\SubFlyer.EXE
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\wscntfy.exe"=
    "c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/19/2011 1:44 PM 435032]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/25/2010 11:08 PM 314456]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/25/2010 11:08 PM 20568]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/17/2010 4:44 PM 136176]
    S2 mrtRate;mrtRate; [x]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/17/2010 4:44 PM 136176]
    S3 IPN2220;Wireless-G Notebook Adapter ver.4.0 Driver;c:\windows\system32\drivers\i2220ntx.sys [1/5/2004 9:25 AM 117248]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-26 c:\windows\Tasks\GlaryInitialize.job
    - d:\program files\Glary Utilities\initialize.exe [2010-09-04 18:21]
    .
    2011-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-18 00:44]
    .
    2011-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-18 00:44]
    .
    2011-12-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2726173248-2460536438-4105870884-1005Core.job
    - c:\documents and settings\Hadrian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-22 00:44]
    .
    2011-12-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2726173248-2460536438-4105870884-1005UA.job
    - c:\documents and settings\Hadrian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-22 00:44]
    .
    2007-09-02 c:\windows\Tasks\Registration reminder 2.job
    - c:\windows\System32\OOBE\oobebaln.exe [2003-07-31 08:56]
    .
    2007-09-02 c:\windows\Tasks\Registration reminder 3.job
    - c:\windows\System32\OOBE\oobebaln.exe [2003-07-31 08:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
    uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    TCP: DhcpNameServer = 192.168.1.1
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Hadrian\Application Data\Mozilla\Firefox\Profiles\craoxl7k.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    HKLM-Run-EarthLink Installer - f:\windows\access\program files\EarthLink TotalAccess\_Setup.exe
    MSConfigStartUp-Mouse Suite 98 Daemon - ICO.EXE
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-26 07:43
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    C:\## aswSnx private storage
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3732)
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\windows\System32\Ati2evxx.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-26 07:55:30 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-26 15:55
    .
    Pre-Run: 6,522,703,872 bytes free
    Post-Run: 6,447,497,216 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
    .
    - - End Of File - - 76D40CC7B0C2292C027980C39B1ABB1F

    Thank you again for your time,

    Steve
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you- I did have a nice holiday.

    When you said "heavy trojan infection", you were not underestimating the extent. I don't know that the malware is all trojans, but the system has a big share!

    Unless I tell you differently, run the scans in Normal Mode

    Your hosts file has been hijacked and is going through a site in Germany.

    Please go ahead and run HijackThis:
    First, set up a Directory for HijackThis as follows:
    Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
    Exit Explorer
    You now have a folder C:\HijackThis
    -----------------------------------------
    Download HijackThis and save to your desktop.
    • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
    • Extract it to the directory on your hard drive you created C:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.
    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    ================================
    Noting the Combofix removal of G:\autorun.inf indicates that you may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    Please consider stopping these 3 Scheduled Tasks:

    Opening scheduled tasks to modify or delete them:
    Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.

    • To change the settings for a task: right-click the Task> click Properties> do any of the following:
      1. To change the schedule for the task, click the Schedule tab.
      2. To customize the settings for the task, such as run time, idle time, power management options, click the Settings tab.
      3. To delete a task> right-click the task> click Delete.
        [o] c:\windows\Tasks\GlaryInitialize.job
        (This one is confusing> Task is on C Drive, Program is on D Drive.
        d:\program files\Glary Utilities\initialize.exe)
        [o] c:\windows\Tasks\Registration reminder 2.job
        [o] c:\windows\Tasks\Registration reminder 3.job
        Last 2 may show as c:\windows\System32\OOBE\oobebaln.exe
      4. To prevent task from running until you run again>
        [o] right-click the task> Properties> On the General tab>
        [o] clear the Enabled check box> Select the check box again when you are ready to run it again.
      ===============================================
      Please give me an update on how the system is running now. There has been a significant number of removals. I need to know if there is a specific problem we need to work on.
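    The two checks the reply above asks for, in code: is there an autorun.inf at a drive root, is it the protective folder Flash_Disinfector creates or a real file, and if it is a file, what does its [autorun] section point at. This is an added example, not Flash_Disinfector's or sUBs' code; the sample autorun.inf text and drive names are constructed, and the guard folder is created without the hidden attribute the tool sets on Windows.

```python
"""Audit a drive root for autorun.inf and apply the folder-named-autorun.inf guard.

Added example (not Flash_Disinfector). Read-only except for protect_drive_root(),
which only creates an empty folder; nothing listed in the file is ever executed.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# [autorun] keys whose value names something Windows would launch.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... entries (e.g. shell\open\command) also launch programs.
SHELL_CMD_RE = re.compile(r"^shell\\[^\\=]+\\command$", re.IGNORECASE)

# Constructed sample, not taken from the thread's logs.
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    "open=setup.exe\r\n"
    "shell\\open\\command=setup.exe /s\r\n"
    "icon=setup.exe,0\r\n"
    "label=Photos\r\n"
)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key=value pairs from the [autorun] section, keys lower-cased."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Values that would be run on insertion/double-click (icon= and label= are not)."""
    return [v for k, v in entries.items() if k in LAUNCH_KEYS or SHELL_CMD_RE.match(k)]


def audit_drive_root(root) -> dict:
    """'unprotected' (nothing there), 'protected' (guard folder) or 'suspicious' (a file)."""
    path = Path(root) / "autorun.inf"
    if not path.exists():
        return {"state": "unprotected", "targets": []}
    if path.is_dir():
        return {"state": "protected", "targets": []}
    text = path.read_text(encoding="latin-1", errors="replace")
    return {"state": "suspicious", "targets": launch_targets(parse_autorun(text))}


def protect_drive_root(root) -> bool:
    """Create the guard folder if the name is free. Never replaces an existing file:
    a suspicious file should be inspected and removed first, as ComboFix did for G:\\."""
    path = Path(root) / "autorun.inf"
    if path.exists():
        return False
    path.mkdir()
    return True


def demo() -> dict:
    """Run the audit against two constructed drive roots inside a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        infected = Path(tmp) / "G"          # stands in for the thread's G:\ partition
        infected.mkdir()
        (infected / "autorun.inf").write_text(SAMPLE_AUTORUN, encoding="latin-1")
        clean = Path(tmp) / "E"             # a flash drive with nothing at its root
        clean.mkdir()
        before = audit_drive_root(clean)["state"]
        created = protect_drive_root(clean)
        return {
            "infected": audit_drive_root(infected),
            "infected_guard_created": protect_drive_root(infected),
            "clean_before": before,
            "clean_guard_created": created,
            "clean_after": audit_drive_root(clean)["state"],
            "clean_guard_again": protect_drive_root(clean),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real machine call audit_drive_root("G:\\") (or "/media/usb") for each drive; the guard works because Windows will not create a file with the same name as an existing folder.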
     
  10. SCMc

    SCMc TS Rookie Topic Starter Posts: 36

    Hi Bobbye,

    The computer is running okay. It is a bit slow, but it is an older computer, so I don't expect too much. It might be a bit faster than it was before. I don't know if it is anything, but a couple of times recently the text I have been typing has been scrambled beyond what I would expect for a usual typo. For example when I started this post, I got something like:
    Hye,
    i Bobb

    G:\ is a hard drive partition, that appears to be set aside for Sony files (the computer is a VAIO laptop). I ran Flash Disinfector anyway for all my flash drives. There was no indication of any problems.

    Here is the HijackThis log:
    *********************************

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 3:30:44 PM, on 12/26/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
    R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10i_Plugin.exe -update plugin
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
    O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
    O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
    O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
    O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
    O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
    O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

    --
    End of file - 5293 bytes

    Steve
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, so you have an old laptop: Install Date: 9/2/2007 1:30:59 PM
    It was full of infected files.

    It's not enough to just get rid of the malware:

    TFC (Temp File Cleaner)

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run; make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

    Do a Disc Cleanup
    Do an Error Check
    Do a defrag.
    Remove any program you aren't using. Then use Windows Explorer to access My Computer> Local Drive> Programs> do a right click> Delete on the program folder for any program you uninstalled.
    =======================================
    HijackThis is okay
    =====================================
    Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
      [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      [o] Replace the Host Files
      [o] Google Toolbar Pop Up Blocker
      [o] Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    2. Have layered Security:
      [o] Antivirus (only one): Both of the following programs are free and known to be good:
      [o] Avira-AntiVir-Personal-Free-Antivirus
      [o] Avast-Free Antivirus
      [o] Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
      [o] Comodo
      [o] Zone Alarm
    3. Antimalware: I recommend all of the following:
      [o] Spywareblaster: SpywareBlaster protects against bad ActiveX.
      [o] Spybot Search & Destroy
    4. Updates: Stay current:
      [o] Visit the Microsoft Download Site frequently. All updates marked Critical and the current SP updates.
      [o] Adobe Reader: Install current, uninstall old.
      [o] Java Updates: Install current, uninstall old.
    5. Tracking Cookies
      Reset Cookie:
      [o] For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o] For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o] For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    6. Do regular Maintenance
      Clean the temporary internet files often:
      [o] Temporary File Cleaner
      or
      [o] ATF Cleaner by Atribune
    7. Restore Points:
      [o] See System Restore Guide
    8. Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.
    ----------------------------
    Please particularly note this link Replace the Host Files in #1 above.
    ======================================
    Please update and run one more Eset scan.
     
  12. SCMc

    SCMc TS Rookie Topic Starter Posts: 36

    Hi Bobbye,

    I cleared out some programs that I don't use, and cleaned and defragged C:\ and D:\.

    Before that I ran an ESET scan and let it remove what it found. It found a lot of items, but it looks like they were just quarantined items from ComboFix or restore points.

    C:\Documents and Settings\Hadrian\desktop\Maintainance\Live Safety Center.lnk Win32/Adware.SecToolbar application cleaned by deleting - quarantined
    C:\Documents and Settings\Hadrian\desktop\Maintainance\Online Security Guide.lnk Win32/Adware.SecToolbar application cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk.vir Win32/Adware.SecToolbar application cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Documents and Settings\Hadrian\Favorites\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\WINDOWS\system32\adinozuv.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\WINDOWS\system32\bcehyvcf.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\WINDOWS\system32\cdblrdlj.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\WINDOWS\system32\cfhhk.bak1.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\WINDOWS\system32\cfhhk.bak2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\WINDOWS\system32\cfhhk.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\WINDOWS\system32\cfhhk.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\WINDOWS\system32\gdgnfqjf.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\WINDOWS\system32\gwvdpcno.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\WINDOWS\system32\hkfcyolj.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ksohkqbd.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\WINDOWS\system32\kutesmui.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\WINDOWS\system32\lcpiqtou.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\WINDOWS\system32\smadsyyu.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\WINDOWS\system32\sudodrly.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ubwfbrgu.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\WINDOWS\system32\uotspnor.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP66\A0038432.lnk Win32/Adware.SecToolbar application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP66\A0038433.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP66\A0038434.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP66\A0038435.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP66\A0038436.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP66\A0038437.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP66\A0038438.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP66\A0038439.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP66\A0038440.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP66\A0038441.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP66\A0038442.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP66\A0038443.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP66\A0038444.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP66\A0038445.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP66\A0038446.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP67\A0038620.lnk Win32/Adware.SecToolbar application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B174B497-93F1-4175-AF50-95254415EC7E}\RP67\A0038621.lnk Win32/Adware.SecToolbar application cleaned by deleting - quarantined
    D:\BSINSTALL.exe Win32/Adware.SaveNow application deleted - quarantined

    I will take care of your other maintenance recommendations later. I am going to be away again for a few days.

    Thanks again for all of your time and the help you have provided,

    Steve
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Steve, you are still getting active malware. The source is C:\Documents and Settings\Hadrian\desktop\Maintainance. It appears to be shortcuts for the following:
    Live Safety Center
    Online Security Guide

    The malware is W32/Adware.SecToolbar. We previously removed entries for these- you can see them in both the Qoobox and System Volume also. The entries in those 2 locations aren't active, but the new ones are from the same source.

    "Adware Software that is displaying pop-up/pop-under windows containing advertisements when the primary user interface is not visible or displayed advertisements are not related to the product."

    I can't find the file in your logs, but you need to remove the source manually. Let me know when you get back and I'll have to do a System Look for the files. If you have this set up on the desktop in a 'Maintenance' folder, it needs to be opened and these files deleted. They are most likely hidden files.
     
  14. SCMc

    SCMc TS Rookie Topic Starter Posts: 36

    Hi Bobbye,

    I have Folder Options set to display hidden files and folders. The only files in Desktop\Maintenance are shortcuts to Avast and VAIO setup.

    Enjoy new year's eve and day. I can wait until next week for a response.

    Thanks again,

    Steve
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Happy New Year. What do you think of this?

    Steve, a suggestion. Do a right click on an empty area of the desktop> New> Folder> Name folder Shortcuts. Keep any shortcuts you want directly in this folder. Delete the Avast shortcut- use the icon in the Notification area to access Avast. What is VAIO setup for? If you did the setup, you don't need a shortcut.

    If you want to have some fun: Right click on the new Shortcut folder> Properties> Choose Customize tab> Press the 'Change Icon' button at bottom> scroll through the icons and choose this one [IMG] then click on OK.

    Or, if you prefer, choose another one. Now you have a visual of the shortcut folder!

    (Done in my 'spare' time!)
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Let me know when you return so we can finish up.
     
