TechSpot

Need help with Conflicker virus

By al davis
Nov 11, 2010
  1. It seem I have the conflicker virus. I've used avast and Malwarebytes to detect and remove it but a couple of days later it's back. I have a small network (varies from 5 to 10 pc's XP & win 2000). Please help.

    Al
     
  2. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    You already had a topic in malware forum, so you should know what to do...

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
    Attached logs won't be reviewed.


    Please, observe following rules:

    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    Broni

    Thanks for your help. As I mentioned I have a number of machines on this small network. On some I have seen the virus and on others not. Given the time delays and the amount of work required to identify and remove viruses this could take a very long time. Can I attack some of these machines in parallel or will the all need to be done serially ? How do you recommend I proceed ?
     
  4. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Every computer is unique, so unfortunately, we can't cure them in bunches.
     
  5. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    NLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows 2000 Professional
    Boot Device: \Device\Harddisk0\Partition1
    Install Date:
    System Uptime: 11/12/2010 12:46:55 PM (5 hours ago)

    Motherboard: To be filled by O.E.M. | | To be filled by O.E.M.
    Processor: Intel(R) Pentium(R) M processor 1.80GHz | CPU 1 | 1800/100mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 14 GiB total, 10.956 GiB free.
    D: is FIXED (NTFS) - 1 GiB total, 0.472 GiB free.
    E: is FIXED (NTFS) - 75 GiB total, 74.456 GiB free.
    F: is Removable
    Z: RAMDisk FAT 0 GiB total, 0.03 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
    Description: Microsoft PS/2 Mouse
    Device ID: ACPI\PNP0F03\4&322E6CAA&0
    Manufacturer: Microsoft
    Name: Microsoft PS/2 Mouse
    PNP Device ID: ACPI\PNP0F03\4&322E6CAA&0
    Service: i8042prt

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    Acronis*True*Image
    avast! Antivirus
    DiskSpeed32
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PROSafe for Wired Connections
    Malwarebytes' Anti-Malware
    Microsoft Office 97, Professional Edition
    Microsoft Visual C++ 6.0 Professional Edition
    MSDN Library - Visual Studio 6.0a
    PCI-417Wins
    VNC Free Edition 4.1.2
    WebFldrs
    Windows 2000 Hotfix - KB917953

    ==== End Of File ===========================
     
  6. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Administrator at 17:47:12.54 on Fri 11/12/2010
    Internet Explorer: 5.00.3700.1000
    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.2039.1648 [GMT 0:00]


    ============== Running Processes ===============

    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\igfxtray.exe
    C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImage\TimounterMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Documents and Settings\Administrator\Desktop\virus_et_al\bco3fvo5.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Documents and Settings\Administrator\Desktop\virus_et_al\dds.scr

    ============== Pseudo HJT Report ===============

    mDefault_Page_URL = hxxp://www.msn.com
    mRun: [Synchronization Manager] mobsync.exe /logon
    mRun: [IgfxTray] c:\winnt\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\winnt\system32\hkcmd.exe
    mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimage\TrueImageMonitor.exe
    mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimage\TimounterMonitor.exe
    mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
    mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
    dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
    StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\shortc~1.lnk - c:\program files\argon st\tftpd32.exe
    IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
    Notify: igfxcui - igfxsrvc.dll
    LSA: Authentication Packages = msv1_0 relog_ap

    ============= SERVICES / DRIVERS ===============

    R?2 jqzhcxpgv;Driver Center;c:\winnt\system32\svchost.exe -k netsvcs [2001-5-8 7952]
    R?2 kgavbgjan;Microsoft Driver;c:\winnt\system32\svchost.exe -k netsvcs [2001-5-8 7952]
    R?2 ugsau;Microsoft Boot;c:\winnt\system32\svchost.exe -k netsvcs [2001-5-8 7952]
    R0 Ramdisk;Ramdisk Driver;c:\winnt\system32\drivers\ramdisk.sys [2006-5-15 6995]
    R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [2010-11-12 78416]
    R2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswmon.sys [2010-11-12 93264]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-11-12 144760]
    R2 DriverX;DriverX;c:\winnt\system32\drivers\driverx.sys [2006-5-15 52512]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-11-12 247160]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-11-12 349560]
    R3 dtl5933w;dtl5933w;c:\winnt\system32\drivers\dtl5933w.sys [2006-4-6 18176]
    R3 E100E;E100E;c:\winnt\system32\drivers\E100ENT.sys [1999-5-27 25360]
    R3 usbhub20;USB Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2006-6-5 49776]
    S3 yukonw2k;NDIS5 Miniport Driver for Marvell Yukon Ethernet Controller;c:\winnt\system32\drivers\yk50x86.sys [2006-5-16 243840]

    =============== Created Last 30 ================

    2010-11-12 17:47:13 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_34c.dat
    2010-11-12 12:50:41 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_268.dat
    2010-11-11 16:08:21 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
    2010-11-11 16:08:08 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
    2010-11-11 16:08:07 19288 ----a-w- c:\winnt\system32\drivers\mbam.sys
    2010-11-11 16:08:07 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-11 16:08:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

    ==================== Find3M ====================

    2010-08-17 17:06:50 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_274.dat
    2010-08-17 14:07:58 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_278.dat
    2006-04-06 17:40:44 271 ---h--w- c:\program files\desktop.ini
    2006-04-06 17:40:44 21952 -c-h--w- c:\program files\folder.htt
    2001-05-08 12:00:00 32528 -c--a-w- c:\winnt\inf\wbfirdma.sys

    ============= FINISH: 17:47:43.04 ===============
     
  7. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-11-12 17:46:12
    Windows 5.0.2195 Service Pack 4
    Running: bco3fvo5.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdrpow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwClose [0xB75671C2]
    SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateDirectoryObject [0xB75670AE]
    SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateFile [0xB7566184]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB78FB444]
    SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateProcess [0xB7565A36]
    SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateSection [0xB7566B4C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB78FB922]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB78FB01C]
    SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwOpenFile [0xB75666AA]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB78FB51E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB78FAF5C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB78FAFC0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB78FB63E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB78FB5FE]
    SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwSetInformationFile [0xB7566ED8]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB78FB77E]
    SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwWriteFile [0xB7566E10]

    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINNT\System32\Drivers\driverx.sys entry point in "init" section [0xB775D6FE]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    ---- Services - GMER 1.0.15 ----

    Service C:\WINNT\system32\svchost.exe (*** hidden *** ) [AUTO] jqzhcxpgv <-- ROOTKIT !!!
    Service C:\WINNT\system32\svchost.exe (*** hidden *** ) [AUTO] kgavbgjan <-- ROOTKIT !!!
    Service C:\WINNT\system32\svchost.exe (*** hidden *** ) [AUTO] ugsau <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\jqzhcxpgv@DisplayName Driver Center
    Reg HKLM\SYSTEM\CurrentControlSet\Services\jqzhcxpgv@Type 32
    Reg HKLM\SYSTEM\CurrentControlSet\Services\jqzhcxpgv@Start 2
    Reg HKLM\SYSTEM\CurrentControlSet\Services\jqzhcxpgv@ErrorControl 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\jqzhcxpgv@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg HKLM\SYSTEM\CurrentControlSet\Services\jqzhcxpgv@ObjectName LocalSystem
    Reg HKLM\SYSTEM\CurrentControlSet\Services\jqzhcxpgv@Description Enables starting processes under alternate credentials
    Reg HKLM\SYSTEM\CurrentControlSet\Services\jqzhcxpgv\Parameters
    Reg HKLM\SYSTEM\CurrentControlSet\Services\jqzhcxpgv\Parameters@ServiceDll C:\WINNT\system32\bjmnq.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\kgavbgjan@DisplayName Microsoft Driver
    Reg HKLM\SYSTEM\CurrentControlSet\Services\kgavbgjan@Type 32
    Reg HKLM\SYSTEM\CurrentControlSet\Services\kgavbgjan@Start 2
    Reg HKLM\SYSTEM\CurrentControlSet\Services\kgavbgjan@ErrorControl 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\kgavbgjan@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg HKLM\SYSTEM\CurrentControlSet\Services\kgavbgjan@ObjectName LocalSystem
    Reg HKLM\SYSTEM\CurrentControlSet\Services\kgavbgjan@Description Enables starting processes under alternate credentials
    Reg HKLM\SYSTEM\CurrentControlSet\Services\kgavbgjan\Parameters
    Reg HKLM\SYSTEM\CurrentControlSet\Services\kgavbgjan\Parameters@ServiceDll C:\WINNT\system32\bjmnq.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\ugsau@DisplayName Microsoft Boot
    Reg HKLM\SYSTEM\CurrentControlSet\Services\ugsau@Type 32
    Reg HKLM\SYSTEM\CurrentControlSet\Services\ugsau@Start 2
    Reg HKLM\SYSTEM\CurrentControlSet\Services\ugsau@ErrorControl 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\ugsau@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg HKLM\SYSTEM\CurrentControlSet\Services\ugsau@ObjectName LocalSystem
    Reg HKLM\SYSTEM\CurrentControlSet\Services\ugsau@Description Provides RPC support and file, print, and named pipe sharing.
    Reg HKLM\SYSTEM\CurrentControlSet\Services\ugsau\Parameters
    Reg HKLM\SYSTEM\CurrentControlSet\Services\ugsau\Parameters@ServiceDll C:\WINNT\system32\bjmnq.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\jqzhcxpgv@DisplayName Driver Center
    Reg HKLM\SYSTEM\ControlSet002\Services\jqzhcxpgv@Type 32
    Reg HKLM\SYSTEM\ControlSet002\Services\jqzhcxpgv@Start 2
    Reg HKLM\SYSTEM\ControlSet002\Services\jqzhcxpgv@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet002\Services\jqzhcxpgv@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg HKLM\SYSTEM\ControlSet002\Services\jqzhcxpgv@ObjectName LocalSystem
    Reg HKLM\SYSTEM\ControlSet002\Services\jqzhcxpgv@Description Enables starting processes under alternate credentials
    Reg HKLM\SYSTEM\ControlSet002\Services\jqzhcxpgv\Parameters (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\jqzhcxpgv\Parameters@ServiceDll C:\WINNT\system32\bjmnq.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\kgavbgjan@DisplayName Microsoft Driver
    Reg HKLM\SYSTEM\ControlSet002\Services\kgavbgjan@Type 32
    Reg HKLM\SYSTEM\ControlSet002\Services\kgavbgjan@Start 2
    Reg HKLM\SYSTEM\ControlSet002\Services\kgavbgjan@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet002\Services\kgavbgjan@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg HKLM\SYSTEM\ControlSet002\Services\kgavbgjan@ObjectName LocalSystem
    Reg HKLM\SYSTEM\ControlSet002\Services\kgavbgjan@Description Enables starting processes under alternate credentials
    Reg HKLM\SYSTEM\ControlSet002\Services\kgavbgjan\Parameters (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\kgavbgjan\Parameters@ServiceDll C:\WINNT\system32\bjmnq.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\ugsau@DisplayName Microsoft Boot
    Reg HKLM\SYSTEM\ControlSet002\Services\ugsau@Type 32
    Reg HKLM\SYSTEM\ControlSet002\Services\ugsau@Start 2
    Reg HKLM\SYSTEM\ControlSet002\Services\ugsau@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet002\Services\ugsau@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg HKLM\SYSTEM\ControlSet002\Services\ugsau@ObjectName LocalSystem
    Reg HKLM\SYSTEM\ControlSet002\Services\ugsau@Description Provides RPC support and file, print, and named pipe sharing.
    Reg HKLM\SYSTEM\ControlSet002\Services\ugsau\Parameters (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\ugsau\Parameters@ServiceDll C:\WINNT\system32\bjmnq.dll

    ---- EOF - GMER 1.0.15 ----
     
  8. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 5099

    Windows 5.0.2195 Service Pack 4
    Internet Explorer 5.00.3700.1000

    11/12/2010 5:27:14 PM
    mbam-log-2010-11-12 (17-27-14).txt

    Scan type: Full scan (C:\|D:\|E:\|)
    Objects scanned: 114769
    Time elapsed: 3 hour(s), 47 minute(s), 37 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  9. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    Here are all the files from the first set of instruction. The computer apers to be running normally with one exceptions. Immediately after booting the system is very slow to respond it takes 2-3 minutes for a program to start that normally takes 30 seconds.

    Al
     
  10. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    You're infected with a rootkit, so far...

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  11. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    2010/11/13 10:55:29.0218 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:22
    2010/11/13 10:55:29.0218 ================================================================================
    2010/11/13 10:55:29.0218 SystemInfo:
    2010/11/13 10:55:29.0218
    2010/11/13 10:55:29.0218 OS Version: 5.0.2195 ServicePack: 4.0
    2010/11/13 10:55:29.0218 Product type: Workstation
    2010/11/13 10:55:29.0218 ComputerName: RTM-II
    2010/11/13 10:55:29.0218 UserName: Administrator
    2010/11/13 10:55:29.0218 Windows directory: C:\WINNT
    2010/11/13 10:55:29.0218 System windows directory: C:\WINNT
    2010/11/13 10:55:29.0218 Processor architecture: Intel x86
    2010/11/13 10:55:29.0218 Number of processors: 1
    2010/11/13 10:55:29.0218 Page size: 0x1000
    2010/11/13 10:55:29.0218 Boot type: Normal boot
    2010/11/13 10:55:29.0218 ================================================================================
    2010/11/13 10:55:29.0328 Initialize success
    2010/11/13 10:55:33.0046 ================================================================================
    2010/11/13 10:55:33.0046 Scan started
    2010/11/13 10:55:33.0046 Mode: Manual;
    2010/11/13 10:55:33.0046 ================================================================================
    2010/11/13 10:55:34.0062 Aavmker4 (2073f856019a2bb1f774f73b34dc2944) C:\WINNT\system32\drivers\Aavmker4.sys
    2010/11/13 10:55:34.0140 ACPI (083049d5dc3f32d17c2edfb732c78a09) C:\WINNT\system32\DRIVERS\ACPI.sys
    2010/11/13 10:55:34.0171 ACPIEC (4b10b4db777ee2ef8e755e7f3d7c4fe8) C:\WINNT\system32\drivers\ACPIEC.sys
    2010/11/13 10:55:34.0203 adpu160m (31b7c8770fda8a3a44bca9dcfe2d1e8b) C:\WINNT\system32\DRIVERS\adpu160m.sys
    2010/11/13 10:55:34.0281 AFD (320cac00366bb4d5684b46928cee5adf) C:\WINNT\System32\drivers\afd.sys
    2010/11/13 10:55:34.0703 aswMon (6addf942d7099629c7467d6a81ea7912) C:\WINNT\system32\drivers\aswMon.sys
    2010/11/13 10:55:34.0718 aswRdr (52e2059219aadf5c896ff2364b88b4bd) C:\WINNT\system32\drivers\aswRdr.sys
    2010/11/13 10:55:34.0750 aswSP (96b9eaca31846be3b780b19024dcebcf) C:\WINNT\system32\drivers\aswSP.sys
    2010/11/13 10:55:34.0781 aswTdi (37edfcce12c2b46e11c9f98f36564981) C:\WINNT\system32\drivers\aswTdi.sys
    2010/11/13 10:55:34.0796 AsyncMac (5d3d77c9eb3a8e6a14cc8e1252b6cc5c) C:\WINNT\system32\DRIVERS\asyncmac.sys
    2010/11/13 10:55:34.0828 atapi (8c718aa8c77041b3285d55a0ce980867) C:\WINNT\system32\DRIVERS\atapi.sys
    2010/11/13 10:55:34.0875 Atmarpc (3e348b3313ea633d45caf59da0d631ba) C:\WINNT\system32\DRIVERS\atmarpc.sys
    2010/11/13 10:55:34.0906 audstub (39d57104a45270f0d376e9ddb484ebbd) C:\WINNT\system32\DRIVERS\audstub.sys
    2010/11/13 10:55:34.0937 Beep (df012c2853281ce2bf536e8de871c8c1) C:\WINNT\system32\drivers\Beep.sys
    2010/11/13 10:55:35.0000 Cdaudio (b101e013d810d6125e17125e324fcd2c) C:\WINNT\system32\drivers\Cdaudio.sys
    2010/11/13 10:55:35.0031 Cdfs (378bbf444d7232e74c74dfae04d4ded0) C:\WINNT\system32\drivers\Cdfs.sys
    2010/11/13 10:55:35.0062 Cdrom (4b86a90a7f0095d514d22a9083826488) C:\WINNT\system32\DRIVERS\cdrom.sys
    2010/11/13 10:55:35.0250 Disk (322b9a3774dbf119f6635a476b0eb058) C:\WINNT\system32\DRIVERS\disk.sys
    2010/11/13 10:55:35.0281 Diskperf (fd94497dd145b3920f5c393eab50ee3a) C:\WINNT\system32\drivers\Diskperf.sys
    2010/11/13 10:55:35.0312 dmboot (0b91c63540682bc3c826fc6d8b3ecb7b) C:\WINNT\system32\drivers\dmboot.sys
    2010/11/13 10:55:35.0359 dmio (6b35bfdbdbc247113852f18bf0f10e3c) C:\WINNT\system32\drivers\dmio.sys
    2010/11/13 10:55:35.0390 dmload (3f1701ffa97ab012685abc8a2d6fce22) C:\WINNT\system32\drivers\dmload.sys
    2010/11/13 10:55:35.0437 DriverX (5418c3432fa9c4ebc477cd4dddccd704) C:\WINNT\System32\Drivers\driverx.sys
    2010/11/13 10:55:35.0453 dtl5933w (e7cd797400d82c5a9fc42506fc65e8be) C:\WINNT\system32\drivers\dtl5933w.sys
    2010/11/13 10:55:35.0484 E1000 (ade967991cda5b5fbe02fae2f5fd62bb) C:\WINNT\system32\DRIVERS\e10002ke.sys
    2010/11/13 10:55:35.0515 E100E (be041649cafaf1119ac23929bf90a230) C:\WINNT\system32\DRIVERS\e100ent.sys
    2010/11/13 10:55:35.0531 EFS (b2916926428c0410fc1a26da0b650e41) C:\WINNT\system32\drivers\EFS.sys
    2010/11/13 10:55:35.0578 Fastfat (556a224f0bd4b0221fa08feca793cd05) C:\WINNT\system32\drivers\Fastfat.sys
    2010/11/13 10:55:35.0625 Fdc (233e2c4dae9c84cef241f0ea30619629) C:\WINNT\system32\DRIVERS\fdc.sys
    2010/11/13 10:55:35.0640 Fips (b27a36d4725a362a13d0c52ad6c7175b) C:\WINNT\system32\drivers\Fips.sys
    2010/11/13 10:55:35.0718 Flpydisk (6ca845333da54f27a8657be7ee0b600d) C:\WINNT\system32\DRIVERS\flpydisk.sys
    2010/11/13 10:55:35.0734 Fs_Rec (405f231ad65c03dac70992a2aba759a5) C:\WINNT\system32\drivers\Fs_Rec.sys
    2010/11/13 10:55:35.0765 Ftdisk (9b73c6887c9e7aecaaca2a71363548e9) C:\WINNT\system32\DRIVERS\ftdisk.sys
    2010/11/13 10:55:35.0796 Gpc (6667d07854a3ae7715d22b82761cf0e7) C:\WINNT\system32\DRIVERS\msgpc.sys
    2010/11/13 10:55:35.0828 hidusb (ff2ca3c8d0193800e4fa510ffde0960e) C:\WINNT\system32\DRIVERS\hidusb.sys
    2010/11/13 10:55:35.0843 i8042prt (3b538e8a6b5e078406159edfe09a5e53) C:\WINNT\system32\DRIVERS\i8042prt.sys
    2010/11/13 10:55:35.0906 ialm (d4405bd2b6e95efdc8e674ed4032874f) C:\WINNT\system32\DRIVERS\ialmnt5.sys
    2010/11/13 10:55:36.0015 IpFilterDriver (09a604211e2b2334fc023a41337e3165) C:\WINNT\system32\DRIVERS\ipfltdrv.sys
    2010/11/13 10:55:36.0046 IpInIp (dbc1437b56eea1af02cd39c011904491) C:\WINNT\system32\DRIVERS\ipinip.sys
    2010/11/13 10:55:36.0062 IpNat (3509e9c33281f4343d2da5650039f59d) C:\WINNT\system32\DRIVERS\ipnat.sys
    2010/11/13 10:55:36.0093 IPSEC (6bf394c7987fbc91b047eb0a8efb2aa5) C:\WINNT\system32\DRIVERS\ipsec.sys
    2010/11/13 10:55:36.0140 IRENUM (7f5315e32be0632f680b30e03a2ca809) C:\WINNT\system32\DRIVERS\irenum.sys
    2010/11/13 10:55:36.0171 isapnp (b630369ca276fd208c1b5146920b5f2e) C:\WINNT\system32\DRIVERS\isapnp.sys
    2010/11/13 10:55:36.0187 Suspicious service (NoAccess): jqzhcxpgv
    2010/11/13 10:55:36.0203 Kbdclass (399055f5c4a98f39b47d26888a72145d) C:\WINNT\system32\DRIVERS\kbdclass.sys
    2010/11/13 10:55:36.0234 kbdhid (5afd9413400ffb2b57e9be900a12b160) C:\WINNT\system32\DRIVERS\kbdhid.sys
    2010/11/13 10:55:36.0234 Suspicious service (NoAccess): kgavbgjan
    2010/11/13 10:55:36.0265 KSecDD (74937a7d0c4354c025ba182aca00e41a) C:\WINNT\system32\drivers\KSecDD.sys
    2010/11/13 10:55:36.0343 mnmdd (f9a1ccc84d1c8b392d67bf2e661ed334) C:\WINNT\system32\drivers\mnmdd.sys
    2010/11/13 10:55:36.0375 Modem (37478d40030b15ca3860509d4f5d39d8) C:\WINNT\system32\drivers\Modem.sys
    2010/11/13 10:55:36.0406 Mouclass (8d038dde3f19b88427968e99a6216766) C:\WINNT\system32\DRIVERS\mouclass.sys
    2010/11/13 10:55:36.0421 mouhid (80d48f52414f7798432a4764beccbcec) C:\WINNT\system32\DRIVERS\mouhid.sys
    2010/11/13 10:55:36.0453 MountMgr (5fe612cea2236543ed416de8554c3047) C:\WINNT\system32\drivers\MountMgr.sys
    2010/11/13 10:55:36.0515 MRxSmb (e0836182d738ebe0e958ee641fdfa597) C:\WINNT\system32\DRIVERS\mrxsmb.sys
    2010/11/13 10:55:36.0562 Msfs (8840bc3953d2c0bbb104932cab848a27) C:\WINNT\system32\drivers\Msfs.sys
    2010/11/13 10:55:36.0578 MSKSSRV (883385dc3eca3cf7c2d7efcf644ca5ae) C:\WINNT\system32\drivers\MSKSSRV.sys
    2010/11/13 10:55:36.0609 MSPCLOCK (4d0e25cb6bfd5bedd546501faf69b3f7) C:\WINNT\system32\drivers\MSPCLOCK.sys
    2010/11/13 10:55:36.0640 MSPQM (bb041315c9930063e5eab0bee90acff6) C:\WINNT\system32\drivers\MSPQM.sys
    2010/11/13 10:55:36.0656 Mup (73aec5477e873efc74d0dfc37c695b6f) C:\WINNT\system32\drivers\Mup.sys
    2010/11/13 10:55:36.0718 NDIS (fb4f2d0595bd3546a4dd915e4a9b4809) C:\WINNT\system32\drivers\NDIS.sys
    2010/11/13 10:55:36.0750 NdisTapi (e6f675c75c53887c58b98d6db356b153) C:\WINNT\system32\DRIVERS\ndistapi.sys
    2010/11/13 10:55:36.0781 Ndisuio (69ecae880bdac3c288f0508df9cdeef0) C:\WINNT\system32\DRIVERS\ndisuio.sys
    2010/11/13 10:55:36.0796 NdisWan (b86a37aa73868343a9eee148fdfce1e0) C:\WINNT\system32\DRIVERS\ndiswan.sys
    2010/11/13 10:55:36.0828 NDProxy (1f426863d87bdf75aec76584223cd0c7) C:\WINNT\system32\drivers\NDProxy.sys
    2010/11/13 10:55:36.0859 NetBIOS (5151e6020a26bf7bc21c18fd612506bd) C:\WINNT\system32\DRIVERS\netbios.sys
    2010/11/13 10:55:36.0890 NetBT (e854473d50e5f7917767a7c10e08e5f8) C:\WINNT\system32\DRIVERS\netbt.sys
    2010/11/13 10:55:36.0921 NetDetect (9b2a6147a22f7e696cc7538283de6346) C:\WINNT\system32\drivers\netdtect.sys
    2010/11/13 10:55:36.0953 Npfs (e85a77dfcb8f1088f85120ca123ce191) C:\WINNT\system32\drivers\Npfs.sys
    2010/11/13 10:55:37.0000 Ntfs (f6ab0e765d5b80443b93c52c42f2602a) C:\WINNT\system32\drivers\Ntfs.sys
    2010/11/13 10:55:37.0062 Null (280209cde798720a24d232bf9cfda8e9) C:\WINNT\system32\drivers\Null.sys
    2010/11/13 10:55:37.0093 NwlnkFlt (9b0d6fb5c5d6a7571aedb0c1a7a9c1b6) C:\WINNT\system32\DRIVERS\nwlnkflt.sys
    2010/11/13 10:55:37.0109 NwlnkFwd (09fa39e4812fdd042834650df09675a0) C:\WINNT\system32\DRIVERS\nwlnkfwd.sys
    2010/11/13 10:55:37.0140 Parallel (ea27799907eabdb66d2d56af68cd4f06) C:\WINNT\system32\DRIVERS\parallel.sys
    2010/11/13 10:55:37.0171 Parport (69b713583d6e063ac487e2da30c04289) C:\WINNT\system32\DRIVERS\parport.sys
    2010/11/13 10:55:37.0187 PartMgr (f9e922dbe9f3719ce8376cc7ed18cb8d) C:\WINNT\system32\drivers\PartMgr.sys
    2010/11/13 10:55:37.0218 ParVdm (888f6a6ad5810f5828de594e17fe8f3b) C:\WINNT\system32\drivers\ParVdm.sys
    2010/11/13 10:55:37.0250 PCI (f0791b1f424f8d84a81d9ae6cfadf089) C:\WINNT\system32\DRIVERS\pci.sys
    2010/11/13 10:55:37.0296 PCIIde (7d0bcb325d29d15024d6a572044e410b) C:\WINNT\system32\DRIVERS\pciide.sys
    2010/11/13 10:55:37.0328 Pcmcia (b737c89d439b771d92d7c5e8b8d3917c) C:\WINNT\system32\drivers\Pcmcia.sys
    2010/11/13 10:55:37.0375 PptpMiniport (0e0212bbbf15800f1536cbfa157dddd6) C:\WINNT\system32\DRIVERS\raspptp.sys
    2010/11/13 10:55:37.0406 Ptilink (b78775f217255f786c2e8dbe4334e413) C:\WINNT\system32\DRIVERS\ptilink.sys
    2010/11/13 10:55:37.0515 Ramdisk (df45ad8ee9b2f33c1cfa52ba0a687307) C:\WINNT\system32\DRIVERS\ramdisk.sys
    2010/11/13 10:55:37.0546 RasAcd (63051b814e005dc62c7a0971668c52b4) C:\WINNT\system32\DRIVERS\rasacd.sys
    2010/11/13 10:55:37.0578 Rasl2tp (ec6037c594f20adedea65f0d809493d2) C:\WINNT\system32\DRIVERS\rasl2tp.sys
    2010/11/13 10:55:37.0609 Raspti (cb09a98e97e52c389ab17b1e003c9566) C:\WINNT\system32\DRIVERS\raspti.sys
    2010/11/13 10:55:37.0625 RCA (afce1f733a6aa3a90ac60794dfb26104) C:\WINNT\system32\drivers\RCA.sys
    2010/11/13 10:55:37.0656 Rdbss (d3cb7a695a43a287979c03db94227d05) C:\WINNT\system32\DRIVERS\rdbss.sys
    2010/11/13 10:55:37.0687 redbook (b5120cb5081865b0c7d93c305c7da939) C:\WINNT\system32\DRIVERS\redbook.sys
    2010/11/13 10:55:37.0750 serenum (6db5fdf67486679da3149ef212374861) C:\WINNT\system32\DRIVERS\serenum.sys
    2010/11/13 10:55:37.0781 Serial (80f28698f48e298d278057f23206133b) C:\WINNT\system32\DRIVERS\serial.sys
    2010/11/13 10:55:37.0812 Sfloppy (96b8aae4f799e81a23aeda935e14f768) C:\WINNT\system32\drivers\Sfloppy.sys
    2010/11/13 10:55:37.0875 snapman (5052dbafc8f4e4507e6ad0d467dd3529) C:\WINNT\system32\DRIVERS\snapman.sys
    2010/11/13 10:55:37.0937 Srv (42306c014d9e4d285eb5f49fe1178373) C:\WINNT\system32\DRIVERS\srv.sys
    2010/11/13 10:55:37.0968 swenum (a151f2d55ebf635550709c48fce564aa) C:\WINNT\system32\DRIVERS\swenum.sys
    2010/11/13 10:55:38.0078 Tcpip (0f62ffcd1c136103d7ea57e5b2b30994) C:\WINNT\system32\DRIVERS\tcpip.sys
    2010/11/13 10:55:38.0125 tifsfilter (304e188496ec723c369e3b27da82f992) C:\WINNT\system32\DRIVERS\tifsfilt.sys
    2010/11/13 10:55:38.0171 timounter (ac0a6126138403b5913a6d819343034b) C:\WINNT\system32\DRIVERS\timntr.sys
    2010/11/13 10:55:38.0218 Udfs (248a63ca8075bdf40bb56ce34cdaf332) C:\WINNT\system32\drivers\Udfs.sys
    2010/11/13 10:55:38.0218 Suspicious service (NoAccess): ugsau
    2010/11/13 10:55:38.0250 uhcd (376fb5e14b9d375db3536ba563eae97a) C:\WINNT\system32\DRIVERS\uhcd.sys
    2010/11/13 10:55:38.0296 Update (7a77f319935328cf30945fe0f3c69c9a) C:\WINNT\system32\DRIVERS\update.sys
    2010/11/13 10:55:38.0328 usbehci (86c71ce544358d3227206a894ae04443) C:\WINNT\system32\DRIVERS\usbehci.sys
    2010/11/13 10:55:38.0359 usbhub (5c202078f5d500786a1f3279fac3aa64) C:\WINNT\system32\DRIVERS\usbhub.sys
    2010/11/13 10:55:38.0390 usbhub20 (b0205d19ba25ca654810d0aed04496a8) C:\WINNT\system32\DRIVERS\usbhub20.sys
    2010/11/13 10:55:38.0406 USBSTOR (13eba8a2da3447fe7f217e34210ac554) C:\WINNT\system32\DRIVERS\USBSTOR.SYS
    2010/11/13 10:55:38.0437 VgaSave (1b0040415ba34497a8d76a553aee88aa) C:\WINNT\System32\drivers\vga.sys
    2010/11/13 10:55:38.0468 Wanarp (aa8c76dfc4afa72f09fdbc6621b7d38d) C:\WINNT\system32\DRIVERS\wanarp.sys
    2010/11/13 10:55:38.0515 WinDriver6 (d7352795d80e3bbc19aeb8d3361f4135) C:\WINNT\system32\drivers\windrvr6.sys
    2010/11/13 10:55:38.0593 yukonw2k (bf6c24ba6cea8c3e4a77cd964f93d207) C:\WINNT\system32\DRIVERS\yk50x86.sys
    2010/11/13 10:55:38.0687 ================================================================================
    2010/11/13 10:55:38.0687 Scan finished
    2010/11/13 10:55:38.0687 ================================================================================

    I'd like to start work on another computer. Would you like me to start another thread ?
     
  12. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    You surely can :)

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.
     
  13. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows 2000 Professional
    Windows Information: Service Pack 4 (build 2195)
    Logical Drives Mask: 0x0200003c

    Kernel Drivers (total 101):
    0x80400000 \WINNT\System32\ntoskrnl.exe
    0x80062000 \WINNT\System32\hal.dll
    0xF6810000 \WINNT\System32\BOOTVID.DLL
    0xBFFD8000 ACPI.sys
    0xF69C8000 \WINNT\System32\DRIVERS\WMILIB.SYS
    0xF6400000 pci.sys
    0xF6410000 isapnp.sys
    0xF69C9000 pciide.sys
    0xF6680000 \WINNT\System32\DRIVERS\PCIIDEX.SYS
    0xF6688000 MountMgr.sys
    0xBFFBB000 ftdisk.sys
    0xF6900000 Diskperf.sys
    0xF6902000 dmload.sys
    0xBFF99000 dmio.sys
    0xF6814000 PartMgr.sys
    0xBFF83000 atapi.sys
    0xF6420000 adpu160m.sys
    0xBFF70000 \WINNT\System32\DRIVERS\SCSIPORT.SYS
    0xF6690000 disk.sys
    0xF6430000 \WINNT\System32\DRIVERS\CLASSPNP.SYS
    0xBFF5E000 KSecDD.sys
    0xBFEDB000 Ntfs.sys
    0xBFEB1000 NDIS.sys
    0xBFE52000 timntr.sys
    0xBFE39000 snapman.sys
    0xF6904000 ramdisk.sys
    0xBFE23000 Mup.sys
    0xF6460000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
    0xBFC95000 \SystemRoot\System32\DRIVERS\ialmnt5.sys
    0xF66B0000 \SystemRoot\system32\drivers\dtl5933w.sys
    0xF66D0000 \SystemRoot\System32\DRIVERS\USBD.SYS
    0xF66B8000 \SystemRoot\System32\DRIVERS\uhcd.sys
    0xBFC73000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xF66E0000 \SystemRoot\System32\DRIVERS\usbehci.sys
    0xF66F0000 \SystemRoot\system32\DRIVERS\e100ent.sys
    0xF6700000 \SystemRoot\System32\DRIVERS\parport.sys
    0xF6470000 \SystemRoot\System32\DRIVERS\serial.sys
    0xBFDE3000 \SystemRoot\System32\DRIVERS\serenum.sys
    0xF6718000 \SystemRoot\System32\DRIVERS\fdc.sys
    0xF6728000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xF69D8000 \SystemRoot\System32\DRIVERS\audstub.sys
    0xF6490000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xBFDC6000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xBFC5C000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xBFDB6000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xF64A0000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xF6748000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xF6758000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xF64B0000 \SystemRoot\System32\DRIVERS\parallel.sys
    0xBFC40000 \SystemRoot\System32\DRIVERS\ks.sys
    0xF69D9000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xBFC15000 \SystemRoot\System32\DRIVERS\update.sys
    0xBFBE9000 \SystemRoot\system32\drivers\windrvr6.sys
    0xF64D0000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xF64E0000 \SystemRoot\System32\DRIVERS\usbhub20.sys
    0xF6500000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF6780000 \SystemRoot\System32\Drivers\EFS.SYS
    0xF6912000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF69DE000 \SystemRoot\System32\Drivers\Null.SYS
    0xF69DF000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF6510000 \SystemRoot\System32\DRIVERS\i8042prt.sys
    0xF66A8000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
    0xF66C8000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xBFD7E000 \SystemRoot\System32\drivers\vga.sys
    0xF69E0000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF66E8000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF6520000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF691A000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xB79D8000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xF6530000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xF6720000 \SystemRoot\System32\DRIVERS\wanarp.sys
    0xF6540000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xB79AE000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xF6550000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xB7983000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xB790A000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xB78F3000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xF6750000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xF6768000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
    0xBFD56000 \SystemRoot\System32\DRIVERS\hidusb.sys
    0xBFDB2000 \SystemRoot\System32\DRIVERS\mouhid.sys
    0xBFDAE000 \SystemRoot\System32\DRIVERS\kbdhid.sys
    0xF69E1000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xB78B5000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xA0000000 \??\C:\WINNT\system32\win32k.sys
    0xB786E000 \SystemRoot\System32\ialmdnt5.dll
    0xF6590000 \SystemRoot\System32\ialmrnt5.dll
    0xB7845000 \SystemRoot\System32\ialmdev5.DLL
    0xB7777000 \SystemRoot\System32\ialmdd5.DLL
    0xF6770000 \SystemRoot\system32\DRIVERS\tifsfilt.sys
    0xB7641000 \SystemRoot\System32\drivers\afd.sys
    0xF6972000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xB753C000 \SystemRoot\System32\Drivers\aswMon.SYS
    0xB7757000 \SystemRoot\System32\Drivers\driverx.sys
    0xB7737000 \SystemRoot\System32\Drivers\Fips.SYS
    0xB7410000 \SystemRoot\System32\DRIVERS\srv.sys
    0xB6FF8000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xB7100000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0xF6710000 \SystemRoot\System32\DRIVERS\USBSTOR.SYS
    0xB6E11000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0x77F80000 \WINNT\system32\NTDLL.DLL

    Processes (total 28):
    0 System Idle Process
    8 System
    248 \SystemRoot\System32\smss.exe
    272 CSRSS.EXE
    292 \??\C:\WINNT\system32\winlogon.exe
    320 C:\WINNT\system32\services.exe
    332 C:\WINNT\system32\lsass.exe
    508 C:\WINNT\system32\svchost.exe
    532 C:\WINNT\system32\spoolsv.exe
    560 C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    604 C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    620 C:\Program Files\Alwil Software\Avast4\ashServ.exe
    648 C:\WINNT\System32\svchost.exe
    664 C:\WINNT\system32\hidserv.exe
    724 C:\WINNT\system32\regsvc.exe
    744 C:\WINNT\system32\MSTask.exe
    960 C:\WINNT\System32\WBEM\WinMgmt.exe
    972 C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    1072 C:\WINNT\Explorer.EXE
    1140 C:\WINNT\system32\igfxtray.exe
    1144 C:\WINNT\system32\hkcmd.exe
    1160 C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    1176 C:\Program Files\Acronis\TrueImage\TimounterMonitor.exe
    1184 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    1192 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    1208 C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    1332 C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    872 C:\Documents and Settings\Administrator\Desktop\virus_et_al\MBRCheck.exe

    WARNING: Unsupported Windows version! Results may not be accurate!
    \\.\C: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive1 at offset 0x00000003`8420d600 (NTFS)
    \\.\E: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive1 Model Number: MTRONMSP-SATA7525, Rev: 0.20R1H1
    PhysicalDrive0 Model Number: INTELSSDSA2M080G2GC, Rev: 2CV102HD

    Size Device Name MBR Status
    --------------------------------------------
    14 GB \\.\PhysicalDrive1 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
     
  14. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Looks good :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.pif
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  15. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    I haven't taken the latest action yet.

    Overnight I realized i may have done somethng stupid. All along this computer has been directly connected to another computer that has also tested positive, via MalwareBytes, for the conficker virus. How would you like to proceed ?
     
  16. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Just make sure, you don't exchange any files between both computers and you'll be fine.
    Go ahead with Combofix.
     
  17. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    ComboFix 10-11-14.02 - Administrator 11/15/2010 12:12:58.1.1 - x86
    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.2039.1701 [GMT 0:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    .
    /wow section - STAGE 10


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Thumbs.db
    c:\winnt\Web\default.htt

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-15 to 2010-11-15 )))))))))))))))))))))))))))))))
    .

    2010-11-12 12:45 . 2008-05-15 23:15 23152 ----a-w- c:\winnt\system32\drivers\aswRdr.sys
    2010-11-12 12:45 . 2008-05-15 23:14 42912 ----a-w- c:\winnt\system32\drivers\aswTdi.sys
    2010-11-12 12:45 . 2008-05-15 23:13 26944 ----a-w- c:\winnt\system32\drivers\aavmker4.sys
    2010-11-12 12:45 . 2008-05-15 23:20 78416 ----a-w- c:\winnt\system32\drivers\aswSP.sys
    2010-11-12 12:45 . 2008-05-15 23:18 94416 ----a-w- c:\winnt\system32\drivers\aswmon2.sys
    2010-11-12 12:45 . 2008-05-15 23:12 95608 ----a-w- c:\winnt\system32\AvastSS.scr
    2010-11-12 12:45 . 2008-01-17 17:34 93264 ----a-w- c:\winnt\system32\drivers\aswmon.sys
    2010-11-12 12:45 . 2008-05-15 23:24 1152888 ----a-w- c:\winnt\system32\aswBoot.exe
    2010-11-12 12:45 . 2004-01-09 10:13 380928 ----a-w- c:\winnt\system32\actskin4.ocx
    2010-11-11 16:08 . 2010-11-11 16:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-11-11 16:08 . 2010-04-29 15:39 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
    2010-11-11 16:08 . 2010-11-11 16:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-11 16:08 . 2010-11-11 16:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-11-11 16:08 . 2010-04-29 15:39 19288 ----a-w- c:\winnt\system32\drivers\mbam.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
    "IgfxTray"="c:\winnt\system32\igfxtray.exe" [2004-11-02 155648]
    "HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2004-11-02 126976]
    "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2006-06-01 1106562]
    "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImage\TimounterMonitor.exe" [2006-06-01 1827640]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-06-01 126976]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 79224]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Shortcut to begininstr.bat.lnk - c:\documents and settings\Administrator\Desktop\begininstr.bat [2006-4-7 84]
    Shortcut to tftpd32.exe.lnk - c:\program files\Argon ST\tftpd32.exe [2010-2-12 57344]

    R?2 jqzhcxpgv;Driver Center;c:\winnt\system32\svchost.exe -k netsvcs [5/8/2001 12:00 PM 7952]
    R?2 kgavbgjan;Microsoft Driver;c:\winnt\system32\svchost.exe -k netsvcs [5/8/2001 12:00 PM 7952]
    R?2 ugsau;Microsoft Boot;c:\winnt\system32\svchost.exe -k netsvcs [5/8/2001 12:00 PM 7952]
    R0 Ramdisk;Ramdisk Driver;c:\winnt\system32\drivers\ramdisk.sys [5/15/2006 1:06 PM 6995]
    R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [11/12/2010 12:45 PM 78416]
    R2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswmon.sys [11/12/2010 12:45 PM 93264]
    R2 DriverX;DriverX;c:\winnt\system32\drivers\driverx.sys [5/15/2006 12:09 PM 52512]
    R3 dtl5933w;dtl5933w;c:\winnt\system32\drivers\dtl5933w.sys [4/6/2006 6:33 PM 18176]
    R3 E100E;E100E;c:\winnt\system32\drivers\E100ENT.sys [5/27/1999 4:13 PM 25360]
    R3 usbhub20;USB Hub Support;c:\winnt\system32\drivers\usbhub20.sys [6/5/2006 1:24 PM 49776]
    S3 yukonw2k;NDIS5 Miniport Driver for Marvell Yukon Ethernet Controller;c:\winnt\system32\drivers\yk50x86.sys [5/16/2006 8:53 AM 243840]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - IPNAT
    *NewlyCreated* - SHAREDACCESS

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    ugsau
    jqzhcxpgv
    kgavbgjan
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    LSP: %SystemRoot%\system32\msafd.dll
    DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
    .
    .
    ------- File Associations -------
    .
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-AtiExtEvent - (no file)
    AddRemove-WinZip - f:\winzip\WINZIP32.EXE



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-15 12:21
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jqzhcxpgv]
    "ServiceDll"="c:\winnt\system32\bjmnq.dll"
    --

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kgavbgjan]
    "ServiceDll"="c:\winnt\system32\bjmnq.dll"
    --

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ugsau]
    "ServiceDll"="c:\winnt\system32\bjmnq.dll"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(292)
    c:\winnt\system32\wzcdlg.dll
    c:\winnt\system32\WZCSAPI.DLL

    - - - - - - - > 'explorer.exe'(1156)
    c:\winnt\AppPatch\AcLayers.DLL
    c:\winnt\system32\msi.dll
    c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\winnt\system32\hidserv.exe
    c:\winnt\system32\regsvc.exe
    c:\winnt\system32\MSTask.exe
    c:\winnt\System32\WBEM\WinMgmt.exe
    c:\program files\RealVNC\VNC4\WinVNC4.exe
    c:\program files\Alwil Software\Avast4\ashMaiSv.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    c:\winnt\system32\NOTEPAD.EXE
    .
    **************************************************************************
    .
    Completion time: 2010-11-15 12:23:35 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-11-15 12:23

    Pre-Run: 11,729,080,320 bytes free
    Post-Run: 11,678,371,840 bytes free

    - - End Of File - - 793079199734CD4DB17DBD46FFCC04A4



    Note that on restart a program that is normally started by 'startup' ran while combofix was generating its report
     
  18. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Driver::
    jqzhcxpgv
    kgavbgjan
    ugsau
    
    NetSvc::
    ugsau
    jqzhcxpgv
    kgavbgjan
    
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ugsau]
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kgavbgjan]
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jqzhcxpgv]
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  19. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    ComboFix 10-11-14.02 - Administrator 11/16/2010 8:46.2.1 - x86
    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.2039.1788 [GMT 0:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\cfscript.txt
    .
    /wow section - STAGE 10


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_JQZHCXPGV
    -------\Legacy_KGAVBGJAN
    -------\Legacy_UGSAU
    -------\Service_jqzhcxpgv
    -------\Service_kgavbgjan
    -------\Service_ugsau


    ((((((((((((((((((((((((( Files Created from 2010-10-16 to 2010-11-16 )))))))))))))))))))))))))))))))
    .

    2010-11-12 12:45 . 2008-05-15 23:15 23152 ----a-w- c:\winnt\system32\drivers\aswRdr.sys
    2010-11-12 12:45 . 2008-05-15 23:14 42912 ----a-w- c:\winnt\system32\drivers\aswTdi.sys
    2010-11-12 12:45 . 2008-05-15 23:13 26944 ----a-w- c:\winnt\system32\drivers\aavmker4.sys
    2010-11-12 12:45 . 2008-05-15 23:20 78416 ----a-w- c:\winnt\system32\drivers\aswSP.sys
    2010-11-12 12:45 . 2008-05-15 23:18 94416 ----a-w- c:\winnt\system32\drivers\aswmon2.sys
    2010-11-12 12:45 . 2008-05-15 23:12 95608 ----a-w- c:\winnt\system32\AvastSS.scr
    2010-11-12 12:45 . 2008-01-17 17:34 93264 ----a-w- c:\winnt\system32\drivers\aswmon.sys
    2010-11-12 12:45 . 2008-05-15 23:24 1152888 ----a-w- c:\winnt\system32\aswBoot.exe
    2010-11-12 12:45 . 2004-01-09 10:13 380928 ----a-w- c:\winnt\system32\actskin4.ocx
    2010-11-11 16:08 . 2010-11-11 16:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-11-11 16:08 . 2010-04-29 15:39 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
    2010-11-11 16:08 . 2010-11-11 16:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-11 16:08 . 2010-11-11 16:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-11-11 16:08 . 2010-04-29 15:39 19288 ----a-w- c:\winnt\system32\drivers\mbam.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-11-15_12.20.08 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-11-16 08:53 . 2010-11-16 08:53 16384 c:\winnt\system32\Perflib_Perfdata_268.dat
    - 2010-11-15 12:19 . 2010-11-15 12:19 16384 c:\winnt\system32\Perflib_Perfdata_268.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
    "IgfxTray"="c:\winnt\system32\igfxtray.exe" [2004-11-02 155648]
    "HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2004-11-02 126976]
    "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2006-06-01 1106562]
    "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImage\TimounterMonitor.exe" [2006-06-01 1827640]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-06-01 126976]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 79224]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

    R0 Ramdisk;Ramdisk Driver;c:\winnt\system32\drivers\ramdisk.sys [5/15/2006 1:06 PM 6995]
    R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [11/12/2010 12:45 PM 78416]
    R2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswmon.sys [11/12/2010 12:45 PM 93264]
    R2 DriverX;DriverX;c:\winnt\system32\drivers\driverx.sys [5/15/2006 12:09 PM 52512]
    R3 dtl5933w;dtl5933w;c:\winnt\system32\drivers\dtl5933w.sys [4/6/2006 6:33 PM 18176]
    R3 E100E;E100E;c:\winnt\system32\drivers\E100ENT.sys [5/27/1999 4:13 PM 25360]
    R3 usbhub20;USB Hub Support;c:\winnt\system32\drivers\usbhub20.sys [6/5/2006 1:24 PM 49776]
    S3 yukonw2k;NDIS5 Miniport Driver for Marvell Yukon Ethernet Controller;c:\winnt\system32\drivers\yk50x86.sys [5/16/2006 8:53 AM 243840]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    LSP: %SystemRoot%\system32\msafd.dll
    DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-16 08:53
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(292)
    c:\winnt\system32\wzcdlg.dll
    c:\winnt\system32\WZCSAPI.DLL

    - - - - - - - > 'explorer.exe'(1136)
    c:\winnt\AppPatch\AcLayers.DLL
    c:\winnt\system32\msi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\winnt\system32\hidserv.exe
    c:\winnt\system32\regsvc.exe
    c:\winnt\system32\MSTask.exe
    c:\winnt\System32\WBEM\WinMgmt.exe
    c:\program files\RealVNC\VNC4\WinVNC4.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    c:\program files\Alwil Software\Avast4\ashMaiSv.exe
    .
    **************************************************************************
    .
    Completion time: 2010-11-16 08:55:40 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-11-16 08:55

    Pre-Run: 11,685,998,592 bytes free
    Post-Run: 11,678,023,680 bytes free

    - - End Of File - - CDE83B91F406CF526E1EC3350A98A231
     
  20. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    This computer seems to be back to normal with the exception of a Tcp/Ip issue
     
  21. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Very good :)

    You didn't mention anything earlier, so you have to explain.

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  22. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    OTL logfile created on: 11/17/2010 2:56:39 PM - Run 1
    OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Administrator\Desktop\virus_et_al
    Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
    Internet Explorer (Version = 5.00.3700.1000)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 87.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 93.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
    Drive C: | 14.06 Gb Total Space | 10.89 Gb Free Space | 77.46% Space Free | Partition Type: NTFS
    Drive D: | 854.99 Mb Total Space | 483.45 Mb Free Space | 56.54% Space Free | Partition Type: NTFS
    Drive E: | 74.53 Gb Total Space | 73.12 Gb Free Space | 98.11% Space Free | Partition Type: NTFS
    Drive F: | 1.86 Gb Total Space | 1.50 Gb Free Space | 80.77% Space Free | Partition Type: FAT32
    Drive Z: | 30.92 Mb Total Space | 30.92 Mb Free Space | 100.00% Space Free | Partition Type: FAT

    Computer Name: RTM-II | User Name: Administrator | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2010/11/17 09:51:18 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\virus_et_al\OTL.exe
    PRC - [2008/05/15 23:19:31 | 000,079,224 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    PRC - [2008/05/15 23:19:24 | 000,144,760 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
    PRC - [2008/05/15 23:19:00 | 000,247,160 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    PRC - [2008/05/15 23:16:59 | 000,349,560 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    PRC - [2008/05/15 23:06:57 | 000,017,272 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    PRC - [2006/06/01 11:14:16 | 001,827,640 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImage\TimounterMonitor.exe
    PRC - [2006/06/01 11:08:28 | 000,126,976 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    PRC - [2006/06/01 11:08:26 | 000,204,800 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    PRC - [2006/06/01 11:06:42 | 001,106,562 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    PRC - [2006/05/12 15:04:08 | 000,439,248 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\winvnc4.exe
    PRC - [2003/06/19 16:05:04 | 000,243,472 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe
    PRC - [2003/06/19 16:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wbem\WinMgmt.exe
    PRC - [2003/06/19 16:05:04 | 000,119,568 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\mstask.exe
    PRC - [2003/06/19 16:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\regsvc.exe
    PRC - [2003/06/19 16:05:04 | 000,019,728 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\hidserv.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/11/17 09:51:18 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\virus_et_al\OTL.exe
    MOD - [2003/06/19 16:05:04 | 000,021,776 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wsock32.dll
    MOD - [2003/06/19 16:05:04 | 000,010,000 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\lz32.dll
    MOD - [2001/05/08 12:00:00 | 000,011,536 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\netrap.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2008/05/15 23:19:24 | 000,144,760 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
    SRV - [2008/05/15 23:19:00 | 000,247,160 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
    SRV - [2008/05/15 23:16:59 | 000,349,560 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
    SRV - [2008/05/15 23:06:57 | 000,017,272 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
    SRV - [2006/06/01 11:08:26 | 000,204,800 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
    SRV - [2006/05/12 15:04:08 | 000,439,248 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)
    SRV - [2003/06/19 16:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\wbem\WinMgmt.exe -- (WinMgmt)
    SRV - [2003/06/19 16:05:04 | 000,147,728 | ---- | M] (VERITAS Software Corp.) [On_Demand | Stopped] -- C:\WINNT\System32\dmadmin.exe -- (dmadmin)
    SRV - [2003/06/19 16:05:04 | 000,119,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\mstask.exe -- (Schedule)
    SRV - [2003/06/19 16:05:04 | 000,094,992 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\FAXSVC.EXE -- (Fax)
    SRV - [2003/06/19 16:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\regsvc.exe -- (RemoteRegistry)
    SRV - [2003/06/19 16:05:04 | 000,022,800 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\utilman.exe -- (UtilMan)
    SRV - [2003/06/19 16:05:04 | 000,019,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\hidserv.exe -- (HidServ)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINNT\System32\drivers\DMusic.sys -- (DMusic)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
    DRV - [2008/05/15 23:20:32 | 000,078,416 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINNT\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2008/05/15 23:15:29 | 000,023,152 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINNT\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2008/05/15 23:14:11 | 000,042,912 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINNT\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2008/05/15 23:13:26 | 000,026,944 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINNT\System32\drivers\aavmker4.sys -- (Aavmker4)
    DRV - [2008/01/17 17:34:01 | 000,093,264 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINNT\System32\drivers\aswmon.sys -- (aswMon)
    DRV - [2007/08/06 19:38:11 | 000,387,520 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\timntr.sys -- (timounter)
    DRV - [2007/08/06 19:38:11 | 000,032,224 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINNT\system32\drivers\tifsfilt.sys -- (tifsfilter)
    DRV - [2007/08/06 19:38:08 | 000,099,776 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\snapman.sys -- (snapman)
    DRV - [2006/05/16 08:53:00 | 000,243,840 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\yk50x86.sys -- (yukonw2k)
    DRV - [2005/02/09 14:11:14 | 000,316,040 | ---- | M] (Jungo) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\windrvr6.sys -- (WinDriver6)
    DRV - [2003/09/18 16:50:02 | 000,129,904 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\e10002ke.sys -- (E1000) Intel(R)
    DRV - [2003/09/12 13:41:20 | 000,018,176 | R--- | M] (Datel, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\dtl5933w.sys -- (dtl5933w)
    DRV - [2003/06/19 16:05:04 | 000,369,104 | ---- | M] (VERITAS Software Corp.) [Kernel | Disabled | Stopped] -- C:\WINNT\system32\drivers\dmboot.sys -- (dmboot)
    DRV - [2003/06/19 16:05:04 | 000,137,936 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\dmio.sys -- (dmio)
    DRV - [2003/06/19 16:05:04 | 000,060,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\parallel.sys -- (Parallel)
    DRV - [2003/06/19 16:05:04 | 000,049,776 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\usbhub20.sys -- (usbhub20)
    DRV - [2003/06/19 16:05:04 | 000,032,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\uhcd.sys -- (uhcd)
    DRV - [2003/06/19 16:05:04 | 000,027,440 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINNT\System32\drivers\efs.sys -- (EFS)
    DRV - [2003/06/19 16:05:04 | 000,007,728 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\diskperf.sys -- (Diskperf)
    DRV - [2003/06/19 16:05:04 | 000,007,312 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\dmload.sys -- (dmload)
    DRV - [2001/06/12 02:01:10 | 000,052,512 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINNT\System32\Drivers\driverx.sys -- (DriverX)
    DRV - [2001/05/08 12:00:00 | 000,021,712 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\rca.sys -- (RCA)
    DRV - [2001/05/08 12:00:00 | 000,009,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\netdtect.sys -- (NetDetect)
    DRV - [2000/04/20 03:00:02 | 000,006,995 | ---- | M] () [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\ramdisk.sys -- (Ramdisk)
    DRV - [1999/05/27 16:13:40 | 000,025,360 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\E100ENT.sys -- (E100E)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    O1 HOSTS File: ([2010/11/16 08:53:33 | 000,000,027 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O3 - HKLM\..\Toolbar: (@msdxmLC.dll,-1@1033,&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx ()
    O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
    O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImage\TimounterMonitor.exe (Acronis)
    O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
    O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe (Acronis)
    O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Shortcut to begininstr.bat.lnk = C:\Documents and Settings\Administrator\Desktop\begininstr.bat ()
    O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Shortcut to scanner.exe.lnk = D:\ahs\GUI_AMS_03\debug\scanner.exe ()
    O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Shortcut to tftpd32.exe.lnk = C:\Program Files\Argon ST\tftpd32.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\related.htm ()
    O9 - Extra 'Tools' menuitem : @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\related.htm ()
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINNT\system32\RNR20.DLL (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
    O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
    O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
    O18 - Protocol\Filter\Class Install Handler - No CLSID value found
    O18 - Protocol\Filter\deflate - No CLSID value found
    O18 - Protocol\Filter\gzip - No CLSID value found
    O18 - Protocol\Filter\lzdhtml - No CLSID value found
    O18 - Protocol\Filter\text/webviewhtml - No CLSID value found
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINNT\System32\igfxsrvc.dll (Intel Corporation)
    O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINNT\System32\wzcdlg.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/04/06 17:41:49 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Nwsapagent - File not found

    Drivers32: aux - C:\WINNT\System32\mmdrv.dll (Microsoft Corporation)
    Drivers32: aux1 - File not found
    Drivers32: aux2 - File not found
    Drivers32: aux3 - File not found
    Drivers32: aux4 - File not found
    Drivers32: aux5 - File not found
    Drivers32: aux6 - File not found
    Drivers32: aux7 - File not found
    Drivers32: aux8 - File not found
    Drivers32: aux9 - File not found
    Drivers32: midi1 - File not found
    Drivers32: midi2 - File not found
    Drivers32: midi3 - File not found
    Drivers32: midi4 - File not found
    Drivers32: midi5 - File not found
    Drivers32: midi6 - File not found
    Drivers32: midi7 - File not found
    Drivers32: midi8 - File not found
    Drivers32: midi9 - File not found
    Drivers32: mixer1 - File not found
    Drivers32: mixer2 - File not found
    Drivers32: mixer3 - File not found
    Drivers32: mixer4 - File not found
    Drivers32: mixer5 - File not found
    Drivers32: mixer6 - File not found
    Drivers32: mixer7 - File not found
    Drivers32: mixer8 - File not found
    Drivers32: mixer9 - File not found
    Drivers32: msacm.iac2 - C:\WINNT\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.lhacm - C:\WINNT\System32\lhacm.acm (Microsoft Corporation)
    Drivers32: msacm.trspch - C:\WINNT\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: vidc.cvid - C:\WINNT\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - C:\WINNT\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINNT\System32\ir32_32.dll ()
    Drivers32: vidc.iv50 - C:\WINNT\System32\ir50_32.dll (Intel Corporation)
    Drivers32: VIDC.UYVY - msyuv.dll File not found
    Drivers32: wave1 - File not found
    Drivers32: wave2 - File not found
    Drivers32: wave3 - File not found
    Drivers32: wave4 - File not found
    Drivers32: wave5 - File not found
    Drivers32: wave6 - File not found
    Drivers32: wave7 - File not found
    Drivers32: wave8 - File not found
    Drivers32: wave9 - File not found
    Drivers32: wdmaud.drv - wdmaud.drv File not found
    SystemRestore not available.

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/11/16 09:01:33 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2010/11/16 08:51:58 | 000,000,000 | ---D | C] -- C:\WINNT\temp
    [2010/11/15 12:12:34 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINNT\SWXCACLS.exe
    [2010/11/15 12:12:34 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINNT\SWREG.exe
    [2010/11/15 12:12:34 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINNT\SWSC.exe
    [2010/11/15 12:12:34 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINNT\NIRCMD.exe
    [2010/11/15 12:12:30 | 000,000,000 | ---D | C] -- C:\WINNT\ERDNT
    [2010/11/15 12:12:12 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/11/12 12:45:30 | 000,023,152 | ---- | C] (ALWIL Software) -- C:\WINNT\System32\drivers\aswRdr.sys
    [2010/11/12 12:45:29 | 000,042,912 | ---- | C] (ALWIL Software) -- C:\WINNT\System32\drivers\aswTdi.sys
    [2010/11/12 12:45:28 | 000,026,944 | ---- | C] (ALWIL Software) -- C:\WINNT\System32\drivers\aavmker4.sys
    [2010/11/12 12:45:25 | 000,095,608 | ---- | C] (ALWIL Software) -- C:\WINNT\System32\AvastSS.scr
    [2010/11/12 12:45:25 | 000,094,416 | ---- | C] (ALWIL Software) -- C:\WINNT\System32\drivers\aswmon2.sys
    [2010/11/12 12:45:25 | 000,093,264 | ---- | C] (ALWIL Software) -- C:\WINNT\System32\drivers\aswmon.sys
    [2010/11/12 12:45:25 | 000,078,416 | ---- | C] (ALWIL Software) -- C:\WINNT\System32\drivers\aswSP.sys
    [2010/11/12 12:45:12 | 001,152,888 | ---- | C] (ALWIL Software) -- C:\WINNT\System32\aswBoot.exe
    [2010/11/12 12:41:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\AvastInstall
    [2010/11/12 12:32:07 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Desktop\virus_et_al
    [2010/11/11 16:08:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    [2010/11/11 16:08:08 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
    [2010/11/11 16:08:07 | 000,019,288 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
    [2010/11/11 16:08:07 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/11/11 16:08:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

    ========== Files - Modified Within 30 Days ==========

    [2010/11/17 14:54:21 | 000,000,383 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to virus_et_al.lnk
    [2010/11/17 14:42:56 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_268.dat
    [2010/11/17 13:15:17 | 000,922,094 | -H-- | M] () -- C:\WINNT\ShellIconCache
    [2010/11/17 12:53:34 | 000,000,498 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Shortcut to scanner.exe.lnk
    [2010/11/17 12:52:12 | 000,000,477 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to acquire.exe.lnk
    [2010/11/16 18:52:33 | 000,000,539 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to weekly.lnk
    [2010/11/16 08:53:33 | 000,000,027 | ---- | M] () -- C:\WINNT\System32\drivers\etc\hosts
    [2010/11/15 06:39:50 | 003,910,027 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    [2010/11/13 13:58:02 | 000,000,615 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to Startup.lnk
    [2010/11/13 10:53:59 | 000,000,382 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WinZip.lnk
    [2010/11/12 12:45:30 | 000,001,584 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Antivirus.lnk
    [2010/11/12 12:45:28 | 000,002,626 | ---- | M] () -- C:\WINNT\System32\CONFIG.NT
    [2010/11/11 16:08:10 | 000,000,603 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/11/11 15:28:07 | 000,000,428 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to inst.exe.lnk
    [2010/11/11 15:26:02 | 000,000,439 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut (2) to acquire.dsw.lnk
    [2010/11/11 12:59:23 | 000,000,498 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to scanner.exe.lnk
    [2010/11/09 20:31:44 | 000,000,525 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Shortcut to begininstr.bat.lnk
    [2010/11/09 20:31:44 | 000,000,525 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to begininstr.bat.lnk
    [2010/11/09 15:25:03 | 000,000,459 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to scanner.dsw.lnk
    [2010/11/09 15:22:48 | 000,000,084 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\begininstr.bat
    [2010/11/09 15:19:59 | 000,000,339 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to ahs.lnk
    [2010/11/09 14:32:31 | 000,000,421 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to inst.dsw.lnk
    [2010/11/08 01:20:24 | 000,089,088 | ---- | M] () -- C:\WINNT\MBR.exe

    ========== Files Created - No Company Name ==========

    [2010/11/17 14:42:56 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_268.dat
    [2010/11/17 12:53:34 | 000,000,498 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Shortcut to scanner.exe.lnk
    [2010/11/16 09:23:40 | 000,000,607 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Shortcut to tftpd32.exe.lnk
    [2010/11/16 09:23:37 | 000,000,525 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Shortcut to begininstr.bat.lnk
    [2010/11/15 12:12:34 | 000,256,512 | ---- | C] () -- C:\WINNT\PEV.exe
    [2010/11/15 12:12:34 | 000,098,816 | ---- | C] () -- C:\WINNT\sed.exe
    [2010/11/15 12:12:34 | 000,089,088 | ---- | C] () -- C:\WINNT\MBR.exe
    [2010/11/15 12:12:34 | 000,080,412 | ---- | C] () -- C:\WINNT\grep.exe
    [2010/11/15 12:12:34 | 000,068,096 | ---- | C] () -- C:\WINNT\zip.exe
    [2010/11/15 11:54:41 | 003,910,027 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    [2010/11/13 13:58:02 | 000,000,615 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to Startup.lnk
    [2010/11/13 10:53:59 | 000,000,382 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinZip.lnk
    [2010/11/12 17:46:21 | 000,000,383 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to virus_et_al.lnk
    [2010/11/12 12:45:30 | 000,001,584 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Antivirus.lnk
    [2010/11/12 12:45:12 | 000,380,928 | ---- | C] () -- C:\WINNT\System32\actskin4.ocx
    [2010/11/11 16:08:10 | 000,000,603 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/11/11 15:26:02 | 000,000,439 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut (2) to acquire.dsw.lnk
    [2006/06/05 12:22:05 | 000,000,010 | ---- | C] () -- C:\WINNT\WININIT.INI
    [2006/05/15 13:06:52 | 000,006,995 | ---- | C] () -- C:\WINNT\System32\drivers\ramdisk.sys
    [2006/04/06 18:19:48 | 000,000,000 | ---- | C] () -- C:\WINNT\Devcon.INI
    [2006/04/06 18:01:02 | 000,053,248 | ---- | C] () -- C:\WINNT\System32\AISS44AO4 Driver C.dll
    [2006/04/06 18:01:01 | 000,057,344 | ---- | C] () -- C:\WINNT\System32\GSApi.dll
    [2006/04/06 17:40:44 | 000,021,952 | -H-- | C] () -- C:\Program Files\folder.htt
    [2006/04/06 13:26:54 | 000,004,073 | ---- | C] () -- C:\WINNT\ODBCINST.INI
    [2001/05/08 12:00:00 | 000,176,400 | ---- | C] () -- C:\WINNT\System32\qcut.dll
    [2001/05/08 12:00:00 | 000,033,552 | ---- | C] () -- C:\WINNT\System32\efsadu.dll
    [2001/05/08 12:00:00 | 000,007,265 | ---- | C] () -- C:\WINNT\System32\iasperf.ini
    [2001/05/08 12:00:00 | 000,001,505 | ---- | C] () -- C:\WINNT\System32\faxperf.ini
    [2001/05/08 12:00:00 | 000,000,023 | ---- | C] () -- C:\WINNT\welcome.ini
    [1999/09/25 10:36:24 | 000,088,816 | ---- | C] () -- C:\WINNT\System32\drivers\lvcam.sys
    [1999/09/25 10:36:22 | 000,017,424 | ---- | C] () -- C:\WINNT\System32\drivers\lvsound.sys
    [1997/07/11 04:00:00 | 000,031,232 | ---- | C] () -- C:\WINNT\System32\XLREC.DLL
    [1997/07/11 04:00:00 | 000,025,600 | ---- | C] () -- C:\WINNT\System32\RECNCL.DLL
    [1997/07/11 04:00:00 | 000,022,016 | ---- | C] () -- C:\WINNT\System32\DOCOBJ.DLL
    [1997/07/11 04:00:00 | 000,012,288 | ---- | C] () -- C:\WINNT\System32\HLINKPRX.DLL

    ========== LOP Check ==========

    [2006/09/07 01:26:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2009/05/06 12:11:00 | 000,581,814 | ---- | M] () -- C:\5_6_9_2nd.bmp
    [2003/06/19 16:05:04 | 000,150,528 | RHS- | M] () -- C:\arcldr.exe
    [2003/06/19 16:05:04 | 000,163,840 | RHS- | M] () -- C:\arcsetup.exe
    [2006/04/06 17:41:49 | 000,000,000 | -H-- | M] () -- C:\AUTOEXEC.BAT
    [2009/11/18 14:23:45 | 000,921,654 | ---- | M] () -- C:\bit.bmp
    [2006/04/06 13:36:58 | 000,000,192 | -HS- | M] () -- C:\boot.ini
    [2009/10/28 14:56:12 | 000,635,238 | ---- | M] () -- C:\cheat_dbr.bmp
    [2010/11/16 08:55:58 | 000,006,335 | ---- | M] () -- C:\ComboFix.txt
    [2006/04/06 17:41:49 | 000,000,000 | -H-- | M] () -- C:\CONFIG.SYS
    [2009/04/10 18:17:07 | 000,581,814 | ---- | M] () -- C:\ehternet_1.bmp
    [2009/04/10 18:17:43 | 000,581,814 | ---- | M] () -- C:\ehternet_2.bmp
    [2009/05/06 12:07:46 | 000,581,814 | ---- | M] () -- C:\enet_5_6_9.bmp
    [2010/08/17 12:02:24 | 001,825,086 | ---- | M] () -- C:\full.bmp
    [2009/11/18 14:25:21 | 000,921,654 | ---- | M] () -- C:\gui.bmp
    [2006/04/06 17:41:49 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2010/08/12 17:43:46 | 000,587,910 | ---- | M] () -- C:\ipconfig_8_12_10.bmp
    [2006/04/06 17:41:49 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2006/05/10 16:27:46 | 000,034,724 | RHS- | M] () -- C:\NTDETECT.COM
    [2006/05/10 16:27:46 | 000,214,432 | RHS- | M] () -- C:\ntldr
    [2010/11/17 14:42:45 | 1598,029,824 | -HS- | M] () -- C:\pagefile.sys
    [2007/11/27 20:11:00 | 000,000,420 | ---- | M] () -- C:\pipe.txt
    [2009/05/07 16:47:46 | 001,810,614 | ---- | M] () -- C:\railed_1.bmp
    [2010/11/13 10:57:28 | 000,027,638 | ---- | M] () -- C:\TDSSKiller.2.4.7.0_13.11.2010_10.55.29_log.txt
    [2008/10/07 13:44:46 | 000,714,544 | ---- | M] () -- C:\vnc-4_1_2-x86_win32.zip

    < %systemroot%\Fonts\*.com >

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2006/04/06 17:41:11 | 000,000,067 | -HS- | M] () -- C:\WINNT\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2003/06/19 16:05:04 | 000,006,928 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\spool\prtprocs\w32x86\sfmpsprt.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2006/04/06 17:40:44 | 000,000,271 | -H-- | M] () -- C:\Program Files\desktop.ini
    [2006/04/06 17:40:44 | 000,021,952 | -H-- | M] () -- C:\Program Files\folder.htt

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2006/04/06 13:23:38 | 000,081,920 | ---- | M] () -- C:\WINNT\system32\config\default.sav
    [2006/04/06 13:23:38 | 000,540,672 | ---- | M] () -- C:\WINNT\system32\config\software.sav
    [2006/04/06 13:23:38 | 000,393,216 | ---- | M] () -- C:\WINNT\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2006/05/10 16:37:09 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2010/11/15 06:39:50 | 003,910,027 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    [2004/10/12 18:58:32 | 000,126,976 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\DrxPortIo.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2001/05/08 12:00:00 | 000,000,777 | ---- | M] () -- C:\WINNT\addins\faxext.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >
    [2001/05/08 12:00:00 | 000,000,654 | ---- | M] () -- C:\WINNT\Config\general.idf
    [2001/05/08 12:00:00 | 000,000,658 | ---- | M] () -- C:\WINNT\Config\hindered.idf
    [2001/05/08 12:00:00 | 000,000,302 | ---- | M] () -- C:\WINNT\Config\msadlib.idf

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2006/05/10 16:37:09 | 000,000,083 | -HS- | M] () -- C:\Documents and Settings\Administrator\Favorites\Desktop.ini
    [2006/04/06 19:15:39 | 000,000,571 | ---- | M] () -- C:\Documents and Settings\Administrator\Favorites\My Documents.lnk

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2006/05/10 16:36:56 | 000,002,370 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2010/11/17 14:57:29 | 000,032,768 | ---- | M] () -- C:\Documents and Settings\Administrator\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2003/06/19 16:05:04 | 000,221,184 | ---- | M] () -- C:\WINNT\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >


    < End of report >
     
  23. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    OTL Extras logfile created on: 11/17/2010 2:56:39 PM - Run 1
    OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Administrator\Desktop\virus_et_al
    Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
    Internet Explorer (Version = 5.00.3700.1000)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 87.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 93.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
    Drive C: | 14.06 Gb Total Space | 10.89 Gb Free Space | 77.46% Space Free | Partition Type: NTFS
    Drive D: | 854.99 Mb Total Space | 483.45 Mb Free Space | 56.54% Space Free | Partition Type: NTFS
    Drive E: | 74.53 Gb Total Space | 73.12 Gb Free Space | 98.11% Space Free | Partition Type: NTFS
    Drive F: | 1.86 Gb Total Space | 1.50 Gb Free Space | 80.77% Space Free | Partition Type: FAT32
    Drive Z: | 30.92 Mb Total Space | 30.92 Mb Free Space | 100.00% Space Free | Partition Type: FAT

    Computer Name: RTM-II | User Name: Administrator | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- %1
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{36BD0774-6CD6-4FF9-A148-83CA09AC123E}" = Intel(R) PROSafe for Wired Connections
    "{403EF592-953B-4794-BCEF-ECAB835C2095}" = Intel(R) PROSafe for Wired Connections
    "{6F716D8C-398F-11D3-85E1-005004838609}" = WebFldrs
    "{7F129516-73AD-4232-8FD0-C7BC2508B274}" = Acronis*True*Image
    "{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
    "{9E8D3DE4-63B4-4BFC-80DA-9426D7A9789A}" = PCI-417Wins
    "avast!" = avast! Antivirus
    "DiskSpeed32" = DiskSpeed32
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft Developer Network - Visual Studio 6.0a" = MSDN Library - Visual Studio 6.0a
    "Office8.0" = Microsoft Office 97, Professional Edition
    "RealVNC_is1" = VNC Free Edition 4.1.2
    "Visual C++ 6.0 Professional Edition" = Microsoft Visual C++ 6.0 Professional Edition

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 2/11/2010 7:33:39 AM | Computer Name = RTM-II | Source = rasctrs | ID = 2001
    Description =

    Error - 2/11/2010 7:45:37 AM | Computer Name = RTM-II | Source = Userenv | ID = 1000
    Description = Windows cannot unload your registry class file. If you have a roaming
    profile, your settings are not replicated. Contact your administrator. DETAIL
    Access is denied. , Build number ((2195)).

    Error - 2/11/2010 7:21:05 AM | Computer Name = RTM-II | Source = PerfDisk | ID = 1000
    Description = Unable to open the Disk performance object. Status code returned is
    data
    DWORD 0.

    Error - 2/11/2010 7:21:05 AM | Computer Name = RTM-II | Source = rasctrs | ID = 2001
    Description =

    Error - 2/11/2010 7:56:02 AM | Computer Name = RTM-II | Source = PerfDisk | ID = 1000
    Description = Unable to open the Disk performance object. Status code returned is
    data
    DWORD 0.

    Error - 2/11/2010 7:56:02 AM | Computer Name = RTM-II | Source = PerfNet | ID = 2004
    Description = Unable to open the Server service. Server performance data will not
    be returned. Error code returned is in data DWORD 0.

    Error - 2/11/2010 7:56:02 AM | Computer Name = RTM-II | Source = PerfNet | ID = 2002
    Description = Unable to open the Redirector service. Redirector performance data
    will not be returned. Error code returned is in data DWORD 0.

    Error - 2/11/2010 7:56:03 AM | Computer Name = RTM-II | Source = rasctrs | ID = 2001
    Description =

    Error - 8/12/2010 3:26:29 PM | Computer Name = RTM-II | Source = Userenv | ID = 1000
    Description = Windows cannot unload your registry file. If you have a roaming profile,
    your settings are not replicated. Contact your administrator. DETAIL - Access
    is denied. , Build number ((2195)).

    Error - 8/18/2010 3:35:54 PM | Computer Name = RTM-II | Source = Userenv | ID = 1000
    Description = Windows cannot unload your registry file. If you have a roaming profile,
    your settings are not replicated. Contact your administrator. DETAIL - Access
    is denied. , Build number ((2195)).

    [ System Events ]
    Error - 11/13/2010 10:01:41 AM | Computer Name = RTM-II | Source = Service Control Manager | ID = 7009
    Description = Timeout (30000 milliseconds) waiting for the avast! Mail Scanner service
    to connect.

    Error - 11/13/2010 10:01:41 AM | Computer Name = RTM-II | Source = Service Control Manager | ID = 7000
    Description = The avast! Mail Scanner service failed to start due to the following
    error: %%1053

    Error - 11/13/2010 10:01:41 AM | Computer Name = RTM-II | Source = Service Control Manager | ID = 7009
    Description = Timeout (30000 milliseconds) waiting for the avast! Web Scanner service
    to connect.

    Error - 11/13/2010 10:01:41 AM | Computer Name = RTM-II | Source = Service Control Manager | ID = 7000
    Description = The avast! Web Scanner service failed to start due to the following
    error: %%1053

    Error - 11/13/2010 10:01:42 AM | Computer Name = RTM-II | Source = Service Control Manager | ID = 7009
    Description = Timeout (30000 milliseconds) waiting for the avast! Mail Scanner service
    to connect.

    Error - 11/13/2010 10:01:42 AM | Computer Name = RTM-II | Source = Service Control Manager | ID = 7000
    Description = The avast! Mail Scanner service failed to start due to the following
    error: %%1053

    Error - 11/13/2010 10:01:42 AM | Computer Name = RTM-II | Source = Service Control Manager | ID = 7009
    Description = Timeout (30000 milliseconds) waiting for the avast! Web Scanner service
    to connect.

    Error - 11/13/2010 10:01:42 AM | Computer Name = RTM-II | Source = Service Control Manager | ID = 7000
    Description = The avast! Web Scanner service failed to start due to the following
    error: %%1053

    Error - 11/13/2010 10:01:43 AM | Computer Name = RTM-II | Source = Service Control Manager | ID = 7009
    Description = Timeout (30000 milliseconds) waiting for the avast! Web Scanner service
    to connect.

    Error - 11/13/2010 10:01:43 AM | Computer Name = RTM-II | Source = Service Control Manager | ID = 7000
    Description = The avast! Web Scanner service failed to start due to the following
    error: %%1053


    < End of report >
     
  24. al davis

    al davis TS Enthusiast Topic Starter Posts: 185

    The tcp/ip issue seems to have cleared itself. There is a TFTP (tiny ftp) program that loads a script file. Up until this morning it wasn't loading the script file. Suddenly it began working correctly and has been through several boot cycles.
     
  25. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Good news :)

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ===================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
      O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ===================================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...