TechSpot

My computer sends too many packets to the Internet

By Eksplorer
Nov 2, 2011
  1. I've been having this problem for the last 4 or 5 days, or anyway I didn't notice it before. Since the last time I reinstalled my WinXP (SP3), almost 3 years ago, I've been using Avira for protection. But for the last three months automatic updating of Avira was disabled by some proxy settings, and I didn't notice it. But I'm pretty sure that this problem I have now is not older than several days. The number of sent packets is almost equal to the number of received packets (or sometimes even higher), which I think is not normal, since I'm not uploading anything. Even when I download (after a fresh restart of the connection) a file, say 75MB, the number of sent packets counts about 25000, and 50000 received. I know that before this problem occurred the number of sent packets on my computer was always at least about 10 times less than the number of received packets.
    Since I noticed this problem, I installed the new version of Avira Free, updated it and performed a system scan. But the problem persisted, even though Avira cleared about 30 suspicious entries. I also tried to solve this by reinstalling my network adapter card, but nothing. My web browser, Mozilla Firefox 3.6.23, opens new pages much slower than before, though Speedtest.net results are good, more or less like before, ~2 Mbps down, and ~0.2 Mbps up, ping 80ms.
    Then I found this forum. I followed the 5 steps that you recommend.
    NOTE. After I performed step 2, I tried to run GMER, but it wasn't possible, because every time I tried to run it, my computer crashed. I think I tried at least 20 times. Finally, I managed to run it, but only by running it before any of the programs from my notification area appeared, meaning I ran GMER just after Windows start-up and my log-on.
    Here are the logs of Malwarebytes, GMER and DDS respectively:

    ============Malwarebytes log==============:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8054

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    31.10.2011 22:38:40
    mbam-log-2011-10-31 (22-38-40).txt

    Scan type: Quick scan
    Objects scanned: 199990
    Time elapsed: 5 minute(s), 57 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 3
    Registry Data Items Infected: 1
    Folders Infected: 1
    Files Infected: 25

    Memory Processes Infected:
    c:\WINDOWS\system32\wmpdnc32.exe (Trojan.Agent) -> 1764 -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Data Network (Trojan.Agent) -> Value: Windows Data Network -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig (Trojan.Agent) -> Value: MSConfig -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman (Trojan.Agent) -> Value: Taskman -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013 (Worm.AutoRun.Gen) -> Quarantined and deleted successfully.

    Files Infected:
    c:\WINDOWS\system32\wmpdnc32.exe (Trojan.Agent) -> Delete on reboot.
    c:\documents and settings\miljan\local settings\Temp\tmp19.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\miljan\local settings\Temp\tmp21.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\WINDOWS\Temp\1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\WINDOWS\Temp\tmp106.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\WINDOWS\Temp\tmp107.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\WINDOWS\Temp\tmp23.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\miljan\local settings\temporary internet files\Content.IE5\2EFBKVDR\5x2[1].zip (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\miljan\local settings\temporary internet files\Content.IE5\OJH9S89G\2vs[1].zip (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\miljan\local settings\temporary internet files\Content.IE5\OJH9S89G\tn[1].zip (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\miljan\local settings\temporary internet files\Content.IE5\OJH9S89G\pq[1].zip (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\miljan\local settings\temporary internet files\Content.IE5\OXQJGLM7\pq[1].zip (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\miljan\local settings\temporary internet files\Content.IE5\SH2Z4XER\pq[1].zip (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\miljan\local settings\temporary internet files\Content.IE5\SH2Z4XER\2vs[1].zip (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\miljan\local settings\temporary internet files\Content.IE5\SH2Z4XER\2vs[2].zip (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\45EFCXMF\mg2[1].zip (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\45EFCXMF\tn[1].zip (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\CDE34HUJ\pq[1].zip (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\K167CLEZ\5x2[1].zip (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\K167CLEZ\68[1].zip (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\K167CLEZ\80[1].zip (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\K167CLEZ\80[2].zip (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\K167CLEZ\80[3].zip (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\WL6BGTUB\2vs[1].zip (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Worm.AutoRun.Gen) -> Quarantined and deleted successfully.


    =================GMER log:===================

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-11-02 04:56:29
    Windows 5.1.2600 Service Pack 3 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-19 ST3120827AS rev.3.42
    Running: pnzzye30.exe; Driver: C:\DOCUME~1\miljan\LOCALS~1\Temp\ugddypow.sys


    ---- System - GMER 1.0.15 ----

    SSDT F7F0DA7C ZwClose
    SSDT F7F0DA36 ZwCreateKey
    SSDT F7F0DA86 ZwCreateSection
    SSDT F7F0DA2C ZwCreateThread
    SSDT F7F0DA3B ZwDeleteKey
    SSDT F7F0DA45 ZwDeleteValueKey
    SSDT F7F0DA77 ZwDuplicateObject
    SSDT F7F0DA4A ZwLoadKey
    SSDT F7F0DA18 ZwOpenProcess
    SSDT F7F0DA1D ZwOpenThread
    SSDT F7F0DA9F ZwQueryValueKey
    SSDT F7F0DA54 ZwReplaceKey
    SSDT F7F0DA90 ZwRequestWaitReplyPort
    SSDT F7F0DA4F ZwRestoreKey
    SSDT F7F0DA8B ZwSetContextThread
    SSDT F7F0DA95 ZwSetSecurityObject
    SSDT F7F0DA40 ZwSetValueKey
    SSDT F7F0DA9A ZwSystemDebugControl
    SSDT F7F0DA27 ZwTerminateProcess

    ---- User code sections - GMER 1.0.15 ----

    .text C:\program files\real\realplayer\update\realsched.exe[712] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\System32\DRIVERS\intelppm.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\system32\drivers\STREAM.SYS[NTOSKRNL.EXE!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\system32\drivers\ks.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\Drivers\Modem.SYS[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\kbdclass.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\system32\DRIVERS\point32.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\mouclass.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\serial.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\serenum.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\fdc.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\parport.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\imapi.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\redbook.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\system32\drivers\portcls.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\audstub.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\ndistapi.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\msgpc.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\rdpdr.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\termdd.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\swenum.sys[NTOSKRNL.EXE!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\update.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\mssmbios.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\Drivers\wdf01000.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\usbhub.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\system32\drivers\MODEMCSA.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\flpydisk.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\Drivers\Fs_Rec.SYS[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\Drivers\Null.SYS[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\Drivers\Beep.SYS[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\Drivers\Msfs.SYS[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\Drivers\Npfs.SYS[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\rasacd.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\ipsec.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice] [F7D685FE] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [F7D68D56] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
    IAT \SystemRoot\System32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [F7D68D56] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 US30Kbd2K.sys
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 US30Kbd2K.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.sys (Bytemobile Kernel Network Provider/Bytemobile, Inc.)

    ---- EOF - GMER 1.0.15 ----


    ============DDS log:===========

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
    Run by miljan at 5:31:15 on 2011-11-02
    Microsoft Windows XP Professional 5.1.2600.3.1251.381.1033.18.1023.488 [GMT 1:00]
    .
    AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ============== Running Processes ===============
    .
    C:\windows\system32\svchost -k DcomLaunch
    svchost.exe
    C:\windows\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\system32\ASTSRV.EXE
    C:\Documents and Settings\All Users\Application Data\DatacardService\DCService.exe
    C:\windows\system32\FsUsbExService.Exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\WINDOWS\Anvshell.exe
    C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\T-Mobile\InternetManager_H\DataCardMonitor.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\program files\real\realplayer\update\realsched.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\windows\system32\ctfmon.exe
    C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
    C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
    C:\windows\system32\nvsvc32.exe
    C:\windows\system32\HPZipm12.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Documents and Settings\miljan\Application Data\T-Mobile Internet Manager\ouc.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\windows\System32\svchost.exe -k imgsvc
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\windows\system32\wscntfy.exe
    C:\windows\System32\svchost.exe -k HTTPFilter
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = 193.200.150.82:1010
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    BHO: QUICKfind BHO Object: {c08df07a-3e49-4e25-9ab0-d3882835f153} - c:\progra~1\idm\quickf~1\plugins\IEHelp.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
    uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
    uRun: [HW_OPENEYE_OUC_T-Mobile Internet Manager] "c:\program files\t-mobile\internetmanager_h\updatedog\ouc.exe"
    mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
    mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
    mRun: [Anvshell] c:\windows\Anvshell.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [WinFast Schedule] c:\program files\winfast\wftvfm\WFWIZ.exe
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [<NO NAME>]
    mRun: [SmartSync - ScheduleSync] c:\progra~1\mobile~1\smarts~1\SCHEDU~1.EXE
    mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
    mRun: [NPSStartup]
    mRun: [DataCardMonitor] c:\program files\t-mobile\internetmanager_h\DataCardMonitor.exe
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
    dRun: [MSConfig] c:\documents and settings\networkservice\ibqhp.exe \u
    StartupFolder: c:\docume~1\miljan\startm~1\programs\startup\hddlife.lnk - c:\program files\binarysense\hddlife 3\HDDlifePro.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    SSODL: UpdateCheck - {A918EE38-F8AA-4E18-B98D-C9CB68CA6358} - c:\windows\system32\mspatuha.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\miljan\application data\mozilla\firefox\profiles\nxkho5rr.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.b92.net/sport/
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
    FF - component: c:\program files\t-mobile\internetmanager_h\ocx32\addon\components\bmboc_addon3.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
    FF - Ext: Bytemobile Optimization Client: ff-bmboc@bytemobile.com - c:\program files\t-mobile\internetmanager_h\ocx32\addon
    FF - Ext: EPUBReader: {5384767E-00D9-40E9-B72F-9CC39D655D6F} - %profile%\extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F}
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.proxy.type - 0
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 BMLoad;Bytemobile Boot Time Load Driver;c:\windows\system32\drivers\BMLoad.sys [2011-4-27 13184]
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-29 36000]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-10-29 86224]
    R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-10-29 110032]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-29 74640]
    R2 DCService.exe;DCService.exe;c:\documents and settings\all users\application data\datacardservice\DCService.exe [2010-8-19 229376]
    R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2011-3-20 238952]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-31 366152]
    R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2009-6-15 188736]
    R2 WF23880;WinFast TV2000/DV2000 WDM Video Capture.;c:\windows\system32\drivers\wf88vcap.sys [2009-8-15 208851]
    R2 WF88XBAR;WinFast TV2000/DV2000 WDM Crossbar.;c:\windows\system32\drivers\WF88XBAR.sys [2009-8-15 10324]
    R2 WFTUNE;WinFast TV2000/DV2000 WDM Tuner.;c:\windows\system32\drivers\wf88tune.sys [2009-8-15 34789]
    R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2011-3-20 36608]
    R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [2011-4-27 63616]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-31 22216]
    R3 US30Kbd;US30Kbd;c:\windows\system32\drivers\US30Kbd2K.sys [2005-3-31 10464]
    R3 WFIOCTL;WFIOCTL;c:\program files\winfast\wftvfm\WFIOCTL.sys [2009-8-15 9510]
    S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [2011-4-27 101504]
    S3 filtertdidriver;filtertdidriver;c:\windows\system32\drivers\ewfiltertdidriver.sys [2011-4-27 7552]
    S3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\drivers\ew_jucdcacm.sys [2011-4-27 69504]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    .
    =============== Created Last 30 ================
    .
    2011-10-31 21:29:52 -------- d-----w- c:\documents and settings\miljan\application data\Malwarebytes
    2011-10-31 21:29:26 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-10-31 21:29:22 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-31 21:29:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-31 19:51:22 65173 ----a-r- c:\windows\system32\TDInst2K.exe
    2011-10-31 12:38:49 -------- d-----w- c:\windows\system32\NtmsData
    2011-10-31 11:29:17 -------- d-----w- c:\program files\PrintFolder
    2011-10-29 23:52:29 -------- d-----w- c:\program files\Tesseract-OCR
    2011-10-29 17:05:57 -------- d-----w- c:\documents and settings\miljan\application data\Avira
    2011-10-29 17:04:46 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2011-10-29 17:04:45 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-10-29 17:04:44 -------- d-----w- c:\program files\Avira
    2011-10-29 17:04:44 -------- d-----w- c:\documents and settings\all users\application data\Avira
    .
    ==================== Find3M ====================
    .
    2011-10-24 17:41:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    ============= FINISH: 5:32:13,50 ===============
     
  2. Eksplorer

    ============DDS Attached================
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume6
    Install Date: 8/15/2009 9:28:49 PM
    System Uptime: 11/2/2011 12:38:03 AM (5 hours ago)
    .
    Motherboard: ASUSTeK Computer Inc. | | P4P800
    Processor: Intel(R) Celeron(R) CPU 2.40GHz | CPU 1 | 2398/100mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 26 GiB total, 6.531 GiB free.
    D: is FIXED (NTFS) - 71 GiB total, 55.563 GiB free.
    E: is FIXED (NTFS) - 14 GiB total, 2.782 GiB free.
    F: is FIXED (NTFS) - 34 GiB total, 11.548 GiB free.
    G: is FIXED (NTFS) - 15 GiB total, 14.581 GiB free.
    H: is FIXED (NTFS) - 59 GiB total, 19.482 GiB free.
    I: is CDROM ()
    J: is CDROM ()
    K: is FIXED (NTFS) - 29 GiB total, 17.483 GiB free.
    L: is FIXED (NTFS) - 96 GiB total, 12.978 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\3A7EE6E01800
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\3A7EE6E01800
    Service: NIC1394
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: RAID Controller
    Device ID: PCI\VEN_1106&DEV_3164&SUBSYS_80F41043&REV_06\4&2E98101C&0&20F0
    Manufacturer:
    Name: RAID Controller
    PNP Device ID: PCI\VEN_1106&DEV_3164&SUBSYS_80F41043&REV_06\4&2E98101C&0&20F0
    Service:
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Realtek RTL8139 Family PCI Fast Ethernet NIC
    Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\4&2E98101C&0&58F0
    Manufacturer: Realtek
    Name: Realtek RTL8139 Family PCI Fast Ethernet NIC #3
    PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\4&2E98101C&0&58F0
    Service: rtl8139
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: VgaSave
    Device ID: ROOT\LEGACY_VGASAVE\0000
    Manufacturer:
    Name: VgaSave
    PNP Device ID: ROOT\LEGACY_VGASAVE\0000
    Service: VgaSave
    .
    ==== System Restore Points ===================
    .
    RP521: 9/4/2011 8:04:00 PM - System Checkpoint
    RP522: 9/9/2011 10:56:05 AM - System Checkpoint
    RP523: 9/20/2011 8:38:47 AM - System Checkpoint
    RP524: 10/13/2011 7:00:23 PM - System Checkpoint
    RP525: 10/19/2011 9:08:20 PM - System Checkpoint
    RP526: 10/21/2011 3:46:51 PM - System Checkpoint
    RP527: 10/25/2011 5:21:19 PM - System Checkpoint
    RP528: 10/26/2011 5:21:54 PM - System Checkpoint
    RP529: 10/27/2011 9:32:47 AM - Avira AntiVir Personal - 27.10.2011 9:32
    RP530: 10/28/2011 4:46:18 PM - System Checkpoint
    RP531: 10/29/2011 6:47:05 PM - System Checkpoint
    RP532: 10/30/2011 1:47:59 AM - Anti reCAPTCHA v2.06 eliminado.
    RP533: 10/30/2011 1:52:26 AM - Anti-reCAPTCHA v3.01 JD instalado.
    RP534: 10/31/2011 8:21:09 AM - System Checkpoint
    RP535: 10/31/2011 8:41:47 PM - Unsigned driver install
    RP536: 10/31/2011 9:05:51 PM - Unsigned driver install
    RP537: 11/2/2011 4:05:18 AM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    7-Zip 4.64
    A-PDF Image Downsample 1.7
    ABC Amber Palm Converter
    Adobe Acrobat 7.0 Professional
    Adobe Flash Player 11 Plugin
    Adobe Reader 8.2.0
    Anti-reCAPTCHA v3.01 JD
    ArcExplorer Java Edition
    ArcGIS Explorer
    ArduoPdfMerger
    AudioCatalyst
    Auto Gordian Knot 2.45
    Avira Free Antivirus
    AviSynth 2.5
    Brew Mobile Commander 1.2
    BS.Player FREE
    BufferChm
    calibre
    Comical 0.8
    Compatibility Pack for the 2007 Office system
    Coojah6
    Crystal Reports Basic for Visual Studio 2008
    CustomerResearchQFolder
    DeviceManagementQFolder
    Dolet Light for Finale 2004
    DVD Decrypter (Remove Only)
    Easy Video Splitter 1.28
    ESRI ArcExplorer 2.0
    eSupportQFolder
    FBReader for Windows
    Finale 2004
    FlashPeak SlimBrowser
    foobar2000 v1.1.6
    GPL Ghostscript 8.64
    GSpot Codec Information Appliance
    Haali Reader 2.0 (remove only)
    HI-TECH C PRO for the PIC10/12/16 MCU Family V9.65PL1
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows XP (KB954550-v5)
    HP Customer Participation Program 7.0
    HP Imaging Device Functions 7.0
    HP Photo and Imaging 1.0 - Scanjet 3500c Series
    HP Photosmart and Deskjet 7.0 Software
    HP Photosmart Essential
    HP Software Update
    HP Solution Center 7.0
    hph_readme
    hph_software
    hph_software_req
    HPPhotoSmartExpress
    HPProductAssistant
    Java Auto Updater
    Java(TM) 6 Update 20
    Java(TM) 6 Update 7
    JDownloader
    K-Lite Codec Pack 5.4.4 (Full)
    Malwarebytes' Anti-Malware version 1.51.2.1300
    MarketResearch
    Microsoft .NET Compact Framework 2.0 SP2
    Microsoft .NET Compact Framework 3.5
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Device Emulator version 3.0 - ENU
    Microsoft Document Explorer 2008
    Microsoft FrontPage Client - English
    Microsoft IntelliPoint 7.0
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft Office Professional Edition 2003
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Visual Web Developer 2007
    Microsoft Office Visual Web Developer MUI (English) 2007
    Microsoft Silverlight
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
    Microsoft SQL Server 2005 Tools Express Edition
    Microsoft SQL Server Compact 3.5 Design Tools ENU
    Microsoft SQL Server Compact 3.5 ENU
    Microsoft SQL Server Compact 3.5 for Devices ENU
    Microsoft SQL Server Database Publishing Wizard 1.2
    Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft Sync Framework 2.0 Core Components (x86) ENU
    Microsoft Sync Framework 2.0 Provider Services (x86) ENU
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft Visual J# .NET Redistributable Package 1.1
    Microsoft Visual Studio 2005 Tools for Office Runtime
    Microsoft Visual Studio 2008 Professional Edition - ENU
    Microsoft Visual Studio Web Authoring Component
    Microsoft Windows Media Video 9 VCM
    Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools
    Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
    Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense
    Microsoft Windows SDK for Visual Studio 2008 Tools
    Microsoft Windows SDK for Visual Studio 2008 Win32 Tools
    Mobile Modem Assistant
    Mobile Phone Manager
    Mozilla Firefox (3.6.23)
    MPLAB Tools v8.40
    MSDN Library for Visual Studio 2008 - ENU
    MSXML 6.0 Parser
    Nero 7 Demo
    Nitro PDF Professional
    NVIDIA Windows 2000/XP Display Drivers
    PC Wizard 2008.1.871
    PDFCreator
    PDFill PDF Editor with FREE Writer and Free Tools
    Pegasus Imaging's PICVideo 3
    PrintFolder 1.3
    QUICKfind server v1.1
    RapidShare Manager 2
    RAR Password Cracker 4.12
    RasterStitch 2.30
    Readiris Pro 12
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    RealUpgrade 1.1
    Replay Media Catcher 3.01
    Russian Phonetic YaZHert - RusWin.net - Custom - Custom - Custom
    Samsung New PC Studio
    SAMSUNG USB Driver for Mobile Phones
    ShareIns
    SmartSync
    SolutionCenter
    Sony Media Manager 2.0
    Sony Noise Reduction Plug-In 2.0e
    Sony Sound Forge 9.0
    Sony Vegas 6.0c
    SopCast 3.0.3
    SoundMAX
    Spelling Dictionaries Support For Adobe Reader 9
    SQL Editor for Oracle
    Srpski elektronski recnik
    Status
    STDU Viewer version 1.5.635.0
    Subtitle Workshop
    SyncToy 2.1 (x86)
    T-Mobile Internet Manager
    TatukGIS Viewer 2.8.0.5031
    TDSL Personal Edition 1.1
    The KMPlayer (remove only)
    Toolbox
    TrayApp
    Ulead Straight-to-Disc SDK
    Ultrafunk Sonitus FX Pack R3a
    Universal SQL Editor 1.2.4
    Unload
    Visual Studio 2005 Tools for Office Second Edition Runtime
    Visual Studio Tools for the Office system 3.0 Runtime
    Visual Studio.NET Baseline - English
    VobSub v2.23 (Remove Only)
    Vuze
    WebFldrs XP
    WebReg
    WhereIsIt? 3.57
    Winamp
    Winamp Detector Plug-in
    WinDjView 1.0.3
    Windows Live Messenger
    Windows Media Format Runtime
    Windows Mobile 5.0 SDK R2 for Pocket PC
    Windows Mobile 5.0 SDK R2 for Smartphone
    Windows XP Service Pack 3
    WinFast Entertainment Center(WDM Driver)
    WinFast PVR
    WinRAR archiver
    WinZip
    XML Paper Specification Shared Components Pack 1.0
    XnView 1.93.6
    XviD MPEG4 Video Codec (remove only)
    YouTube Downloader 3.3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    11/2/2011 12:20:17 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avipbb avkmgr Fips intelppm ssmdrv
    11/1/2011 8:19:12 PM, error: System Error [1003] - Error code 10000050, parameter1 8ccc12dc, parameter2 00000001, parameter3 86352def, parameter4 00000000.
    10/31/2011 9:03:22 PM, error: System Error [1003] - Error code 100000d1, parameter1 00720066, parameter2 00000002, parameter3 00000000, parameter4 eca3b981.
    10/31/2011 8:57:25 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    10/31/2011 8:57:25 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    10/31/2011 8:56:41 AM, error: System Error [1003] - Error code 100000d1, parameter1 0074006d, parameter2 00000002, parameter3 00000000, parameter4 ec9ef979.
    10/31/2011 8:56:38 PM, error: Print [19] - Sharing printer failed + 1722, Printer PDFill PDF&Image Writer share name Printer2.
    10/31/2011 12:48:52 PM, error: System Error [1003] - Error code 100000d1, parameter1 00000000, parameter2 00000002, parameter3 00000000, parameter4 ec9ef9ae.
    10/31/2011 11:23:07 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avipbb avkmgr Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip tcpipBM
    10/31/2011 11:23:07 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
    10/31/2011 11:23:07 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    10/31/2011 11:23:07 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    10/31/2011 11:23:07 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    10/31/2011 11:10:47 PM, error: System Error [1003] - Error code 0000001a, parameter1 00003451, parameter2 c0218128, parameter3 85db5c00, parameter4 00000000.
    10/31/2011 11:06:45 PM, error: System Error [1003] - Error code 00000019, parameter1 00000020, parameter2 85bf8000, parameter3 85bf8828, parameter4 1b050000.
    10/31/2011 10:55:14 PM, error: System Error [1003] - Error code 00000019, parameter1 00000020, parameter2 85bce000, parameter3 85bce828, parameter4 1b050000.
    10/31/2011 10:03:45 PM, error: PlugPlayManager [11] - The device Root\LEGACY_US30SYS\0000 disappeared from the system without first being prepared for removal.
    10/29/2011 7:41:40 PM, error: Service Control Manager [7024] - The Avira Realtime Protection service terminated with service-specific error 307 (0x133).
    10/26/2011 2:41:31 PM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 000C6ED707AE has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! As you may have seen in Mbam, there were many files infected by Trojans. We will have to see what additional entries may be present.
    ------------------------------------------
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    There are a few installed programs or apps that I will ask you to translate and tell me whether you intentionally installed them.
    =====================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ============================================
    Download CKScanner and save to your desktop.
    • Double-click CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    =========================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click the download button for the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

    Please leave the 3 logs in your next reply.
    ===============================================
    Please update Java to v6u29: Java Updates . Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
    Be sure to check all download screens for any pre-checked toolbars or BHO; if found, remove the check before the download.

    This will include opening Firefox> Addons and removing all other versions of Java. You do not have to install a separate Java update in Firefox.
    --------------------------------------------------
    There will be malware in the Java cache due to the outdated programs, so it needs to be cleaned:
    To clear the Java Plug-in cache:

    1. Click Start > Control Panel.
    2. Double-click the Java icon in the control panel. The Java Control Panel appears.
    3. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
    4. Click Delete Files. The Delete Temporary Files dialog box appears.
    5. Click OK on Delete Temporary Files window.
       Note: This deletes all the Downloaded Applications and Applets from the cache.
    6. Click Apply > OK on Temporary Files Settings window.

    There is no log to leave for Java.
     
  4. Eksplorer

    Eksplorer TS Rookie Topic Starter

    Hi, Bobbye! Thanks for deciding to help me! I'm afraid it won't go as smoothly as I hoped it would.
    There is a problem on the first step: when I tried to run Combofix, it wasn't possible to install Microsoft Windows Recovery Console. When I clicked "Yes" to download and install, a prompt popped up with something like "boot partition cannot be correctly enumerated". I clicked "OK", and Combofix continued its work, without MWRC. After it "completed stage_50", and after about a minute of waiting, a message appeared in the Combofix console: "Deleting files:", and the very next moment the system crashed! After the system recovered, I did all this over again, and the same thing happened. Combofix didn't produce any log, or I was not able to find it. To follow the order of the tasks you gave me, I didn't do anything after this. Please, have you any idea what I can do now?
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Folders Infected:
    c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013 (Worm.AutoRun.Gen) -> Quarantined and deleted successfully.

    Almost got by me. Haven't seen this in a while. This appears to be a Conficker malware infection. It copies itself to the Recycler.

    What you need to know: Conficker is spread through the local network, mapped network drives and is found in P2P programs and files. It makes use of Auto-Play.
    --------------------------------
    Please run this Removal Tool from Sophos

    Follow any on screen prompts.
    ================================================
    1. Change all of your passwords.
    2. Disinfect all removable drives (flash drive etc.)
    You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    3. Check all other computers on the network.
    4. If you are using any file sharing programs, stop.
    ===============================================
    To help prevent infection or its spread:
    • Apply this MS08-067 patch
    • Disable file and print sharing
    • Strengthen your password
    • Turn off autorun for USB devices
    • Apply a device control policy
    • Use network access control (NAC) to check that patches, antivirus and firewall are installed, running and up to date. Check this Wiki page that begins with In Plain English

    See how this removal goes.
    Then go back and see if you can pick up the scans that did not run.
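    As an added example of the "turn off autorun" and "autorun.inf" points above (not part of the thread, and not the Sophos or sUBs tool): a PowerShell script that sets the Windows AutoRun policy values, reports whether the MS08-067 hotfix (KB958644) is listed, and for each removable or fixed drive either creates a protective autorun.inf folder or reports an existing autorun.inf file for review. It assumes PowerShell 2.0 or later in an elevated shell; the registry value names are the ones Windows documents, everything else is illustrative.

```powershell
# Added example (not from the thread). Assumes PowerShell 2.0+ in an elevated shell.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-AutorunPolicy {
    # NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type (removable,
    # fixed, network, CD-ROM). HonorAutorunSetting = 1 is the value Microsoft's
    # KB967715 update introduced so that NoDriveTypeAutoRun is actually honoured.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    Set-ItemProperty -Path $policyKey -Name 'HonorAutorunSetting' -Value 1 -Type DWord
}

function Test-AutorunPolicy {
    # $true only when both policy values are present with the hardened settings.
    if (-not (Test-Path $policyKey)) { return $false }
    $p = Get-ItemProperty -Path $policyKey
    return (($p.NoDriveTypeAutoRun -eq 0xFF) -and ($p.HonorAutorunSetting -eq 1))
}

function Test-MS08067Installed {
    # MS08-067 shipped as KB958644; Win32_QuickFixEngineering lists installed hotfixes.
    $fix = Get-WmiObject Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq 'KB958644' }
    return [bool]$fix
}

function Get-AutorunInfStatus {
    # Win32_LogicalDisk DriveType 2 = removable, 3 = local fixed disk.
    $disks = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=3'
    foreach ($d in $disks) {
        $path  = "$($d.DeviceID)\autorun.inf"     # e.g. C:\autorun.inf
        $state = 'absent'
        if (Test-Path -LiteralPath $path -PathType Container) {
            $state = 'protective-folder'         # a folder cannot be parsed as an autorun file
        } elseif (Test-Path -LiteralPath $path -PathType Leaf) {
            $state = 'FILE-review'               # an autorun.inf file on a drive: inspect it
        }
        New-Object PSObject -Property @{ Drive = $d.DeviceID; State = $state; Path = $path }
    }
}

function Add-ProtectiveAutorunFolder {
    # Creates X:\autorun.inf as a hidden, system, read-only folder so a worm cannot
    # simply write its own autorun.inf file in that place.
    param([string]$Path)
    New-Item -Path $Path -ItemType Directory | Out-Null
    [System.IO.File]::SetAttributes($Path, [System.IO.FileAttributes]'Hidden, System, ReadOnly')
}

Disable-AutorunPolicy
"AutoRun policy enforced : $(Test-AutorunPolicy)"
"MS08-067 (KB958644)     : $(Test-MS08067Installed)"

Get-AutorunInfStatus | ForEach-Object {
    if ($_.State -eq 'absent') {
        Add-ProtectiveAutorunFolder -Path $_.Path
        $_.State = 'protective-folder (created)'
    }
    $_
} | Format-Table Drive, State, Path -AutoSize
```

    Drives reported as FILE-review are left untouched on purpose: an autorun.inf file there is what the removal tools above are for, and its contents are worth keeping as evidence before it is cleaned.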
     
  6. Eksplorer

    Eksplorer TS Rookie Topic Starter

    OK, I ran Sophos, changed my passwords (I couldn't find a secure computer, so I installed WinXP on my other HDD, just to change passwords), and disinfected all my drives using Flash Disinfector. I applied the patch you gave me, and disabled File and Print Sharing.

    After all this I ran ComboFix again, but exactly the same thing happened as before ("Error: the Boot Partition couldn't be enumerated correctly" while trying to download and install MWRC, and a system crash after the "Deleting files: " message). What should I do now?
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Upon reviewing the logs you have left so far, it appears that you are using programs with the express purpose of defeating digital rights management. It is possible that some of this is legal in your country, however it is not legal here.

    There are also many processes that have no English sites for identification.
    The system does not show any SP, Windows or Security updates. This usually points to an invalid operating system. You are also using file sharing. Please run the following scans for my review:
    =============================
    Please run the MGA Diagnostics tool
    • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
    • You will receive an Internet Explorer-Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool>
    • You must choose to Run this tool when prompted.
    • Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
    • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
    • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy
    • Please return to this thread and Paste the results here for review.
    ------------------------------------------
    Next, look on the computer itself, in the documentation you received with the computer, or with your retail purchase of Windows to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

    1. What edition of Windows XP is it for, Home, Pro, or Media Center, or another version of Windows?
    2. Does it read "OEM Software" or "OEM Product" in black lettering?
    3. Or, does it have the computer manufacturer's name in black lettering?
    4. DO NOT post the Product Key.

    NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.
    ====================================
    Download CKScanner and save to your desktop.
    • Double-click CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
     
  8. Eksplorer

    Eksplorer TS Rookie Topic Starter

    Yes, I am using some of those. I'm afraid there is nothing unusual about that in the part of the world where I live, except for the professionals and legal subjects. Though this doesn't mean that it is legal even in my country.

    If some of them are suspicious to you, maybe I can explain their purpose, just name them.
    It is Win XP Pro with SP1, I got it from the seller where I bought my computer, but I got only the Product Key with it, I have nothing about COA. Obviously, an illegal copy I've got. It was usual practice then (year 2003) for some sellers to sell computers with non genuine software, and it was not a big concern for buyers either.

    The logs you asked for:

    ===MGA diagnostic tool===
    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Blocked VLK
    Validation Code: 3
    Cached Validation Code: N/A
    Windows Product Key: *****-*****-WRKJB-YKRFQ-XVK98
    Windows Product Key Hash: p3JYo49I4HFumf8jBg8no8xdXJY=
    Windows Product ID: 55274-648-8637434-23940
    Windows Product ID Type: 1
    Windows License Type: Volume
    Windows OS version: 5.1.2600.2.00010100.3.0.pro
    ID: {40AC4759-DF88-498C-83EC-9627FA4F2A3C}(1)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: N/A
    Architecture: N/A
    Build lab: N/A
    TTS Error: N/A
    Validation Diagnostic: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A
    Version: N/A

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 114 Blocked VLK 2
    Microsoft Office Professional Edition 2003 - 114 Blocked VLK 2
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-230-1

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{40AC4759-DF88-498C-83EC-9627FA4F2A3C}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-XVK98</PKey><PID>55274-648-8637434-23940</PID><PIDType>1</PIDType><SID>S-1-5-21-1417001333-220523388-725345543</SID><SYSTEM><Manufacturer>To Be Filled By O.E.M.</Manufacturer><Model>To Be Filled By O.E.M.</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>080009 </Version><SMBIOSVersion major="2" minor="3"/><Date>20040223000000.000000+000</Date></BIOS><HWID>B2BD3D6F01848063</HWID><UserLCID>081A</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Europe Standard Time(GMT+01:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>114</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>114</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>59D1605114E3500</Val><Hash>vfZmaSmFPIYrLWTcZSZErUQg+Fo=</Hash><Pid>73931-640-0000106-57240</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="114"/><App Id="16" Version="11" Result="114"/><App Id="18" Version="11" Result="114"/><App Id="19" Version="11" Result="114"/><App Id="1A" Version="11" Result="114"/><App Id="1B" Version="11" Result="114"/><App Id="44" Version="11" Result="114"/></Applications></Office></Software></GenuineResults>

    Licensing Data-->
    N/A

    Windows Activation Technologies-->
    N/A

    HWID Data-->
    N/A

    OEM Activation 1.0 Data-->
    BIOS string matches: yes
    Marker string from BIOS: 1C021:GENUINE C&C INC
    Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

    OEM Activation 2.0 Data-->
    N/A

    ======CKScanner======

    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\documents and settings\miljan\start menu\programs\rar password cracker\license agreement.lnk
    c:\documents and settings\miljan\start menu\programs\rar password cracker\rar password cracker registration.lnk
    c:\documents and settings\miljan\start menu\programs\rar password cracker\rar password cracker wizard.lnk
    c:\documents and settings\miljan\start menu\programs\rar password cracker\rar password cracker.lnk
    c:\documents and settings\miljan\start menu\programs\rar password cracker\readme.lnk
    c:\documents and settings\miljan\start menu\programs\rar password cracker\uninstall.lnk
    c:\documents and settings\miljan\start menu\programs\rar password cracker\Для русских.lnk
    c:\program files\jdownloader\jd\plugins\hoster\crackedcom.class
    c:\program files\morton benson\crack.exe
    c:\program files\rar password cracker\example.rpc
    c:\program files\rar password cracker\example1.rar
    c:\program files\rar password cracker\example2.rar
    c:\program files\rar password cracker\license.txt
    c:\program files\rar password cracker\readme.txt
    c:\program files\rar password cracker\rpc.exe
    c:\program files\rar password cracker\special.chr
    c:\program files\rar password cracker\uninstall.exe
    c:\program files\rar password cracker\Для русских.txt
    c:\program files\rasterstitch 2.30\crack.exe
    scanner sequence 3.IJ.11.NSAPMX
    ----- EOF -----
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No matter where you live in the world, stealing software programs is illegal. You've come to my world for help and I don't support piracy.

    This thread is closed.
     
