Please help me clean out trojan horse crypt aqlw

By daps
Apr 3, 2012
Topic Status: Not open for further replies.
  1. AVG keeps popping up... I have been running SuperAntiSpyware, Malwarebytes, Spybot,
  2. Bobbye (Helper on the Fringe)

    If you would like us to check the system for malware, please follow these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    ===================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else.
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs, except those I give you.
    Threads are closed after 5 days if there is no reply.
  3. daps (Newcomer, Topic Starter)

    Thank you... here it is:

    Malwarebytes Anti-Malware (Trial) 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.04.03.11

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    COREY [administrator]

    Protection: Enabled

    4/3/2012 3:06:47 PM
    mbam-log-2012-04-03 (15-06-47).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 208345
    Time elapsed: 37 minute(s), 53 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-04-03 16:51:24
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1600JB-75GVC0 rev.08.02D08
    Running: 53qi0z0g.exe; Driver: C:\DOCUME~1\COREYS~1\LOCALS~1\Temp\fxtdqpow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- Processes - GMER 1.0.15 ----

    Process C:\WINDOWS\system32\ping.exe (*** hidden *** ) 2224
    Process C:\WINDOWS\system32\ping.exe (*** hidden *** ) 3044

    ---- EOF - GMER 1.0.15 ----

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
    Run by Corey at 16:03:24 on 2012-04-03
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Verizon\McciTrayApp.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Freecorder\FLVSrvc.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\AVG\AVG2012\avgnsx.exe
    C:\Program Files\AVG\AVG2012\avgemcx.exe
    C:\Nexon\Mabinogi\npkcmsvc.exe
    C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\notepad.exe
    C:\Program Files\AVG\AVG2012\avgui.exe
    C:\WINDOWS\system32\notepad.exe
    \\.\globalroot\SystemRoot\system32\svchost.exe
    \??\C:\Program Files\AVG\AVG2012\avgrsx.exe
    \??\C:\Program Files\AVG\AVG2012\avgcsrvx.exe
    C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    C:\Documents and Settings\corey sousa\My Documents\Downloads\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    uDefault_Page_URL = hxxp://www.dell4me.com/myway
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    mURLSearchHooks: H - No File
    BHO: 1 (0x1): {02478d38-c3f9-4efb-9b51-7695eca05670} - Yahoo! Toolbar Helper
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.2.0.3\AVG Secure Search_toolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.2.0.3\AVG Secure Search_toolbar.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    {e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
    TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
    mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
    IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
    IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
    IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    LSP: mswsock.dll
    Trusted Zone: pearsoned.com\myitlab
    DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
    DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148952974625
    DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - hxxp://launch.gamespyarcade.com/software/launch/alaunch.cab
    DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v46/wof/wof.cab
    DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://pay.smartbuslive.com/cab/OCXChecker_8000.cab
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} - hxxp://www.systemrequirementslab.com/sysreqlab.cab
    DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.18.39/ttinst.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://www.arcadetown.com/swf/feedingfrenzy/SproutLauncher.cab
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/heavyweapon/popcaploader_v6.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
    DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5253/mcfscan.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\10.2.0\ViProtocol.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\corey sousa\application data\mozilla\firefox\profiles\v58hfcua.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=386496&p=
    FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
    FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\common files\motive\npMotive.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    ============= SERVICES / DRIVERS ===============
    .
    R? AVG Security Toolbar Service;AVG Security Toolbar Service
    R? CCCP106;CIF USB Camera (2110A)
    R? KLIF;Kaspersky Lab Driver
    R? Lbd;Lbd
    R? MAC607;MAC607 Filter
    R? MR97310_VGA_DUAL_CAMERA;VGA Dual Camera
    R? NAVENG;NAVENG
    R? NAVEX15;NAVEX15
    R? NielGfx;Nielsen USB GFX
    R? nielprt;Nielsen Patch Service
    R? RAPIProtocol;Imonitor
    R? samhid;samhid
    R? SAVRT;SAVRT
    R? SAVRTPEL;SAVRTPEL
    R? SCREAMINGBDRIVER;Screaming Bee Audio
    S? AVGIDSAgent;AVGIDSAgent
    S? AVGIDSDriver;AVGIDSDriver
    S? AVGIDSEH;AVGIDSEH
    S? AVGIDSFilter;AVGIDSFilter
    S? AVGIDSShim;AVGIDSShim
    S? Avgldx86;AVG AVI Loader Driver
    S? Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield
    S? Avgrkx86;AVG Anti-Rootkit Driver
    S? Avgtdix;AVG TDI Driver
    S? avgwd;AVG WatchDog
    S? kl1;kl1
    S? MBAMProtector;MBAMProtector
    S? MBAMService;MBAMService
    S? vToolbarUpdater10.2.0;vToolbarUpdater10.2.0
    .
    =============== Created Last 30 ================
    .
    2012-04-03 19:03:59 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-03 19:03:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-04-03 03:26:29 -------- d-----w- c:\documents and settings\corey\application data\Malwarebytes
    2012-04-03 03:26:20 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-04-02 19:12:32 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
    2012-04-01 06:48:31 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
    2012-03-31 21:43:48 -------- d-----w- c:\documents and settings\corey\local settings\application data\MSRebar
    2012-03-24 17:49:36 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
    2012-03-24 17:49:36 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
    2012-03-13 16:51:31 -------- d-----w- c:\documents and settings\all users\application data\FreeRIP
    .
    ==================== Find3M ====================
    .
    2012-04-03 18:39:04 256 ----a-w- c:\windows\system32\MSIevent.bat
    2012-04-03 18:39:03 260 ----a-w- c:\windows\system32\cmdVBS.vbs
    2012-03-21 17:07:41 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2012-03-21 17:07:41 104 --sh--r- c:\windows\system32\D60E6D8FB6.sys
    2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    ============= FINISH: 16:07:22.67 ===============
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 11/22/2005 6:29:09 PM
    System Uptime: 4/3/2012 2:55:03 PM (2 hours ago)
    .
    Motherboard: Dell Computer Corp. | | 0TC666
    Processor: Intel(R) Celeron(R) CPU 2.53GHz | Microprocessor | 2527/533mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 146 GiB total, 79.332 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP556: 1/4/2012 4:25:24 PM - System Checkpoint
    RP557: 1/5/2012 4:41:18 PM - System Checkpoint
    RP558: 1/6/2012 7:14:18 PM - System Checkpoint
    RP559: 1/7/2012 8:36:20 PM - System Checkpoint
    RP560: 1/9/2012 9:56:06 PM - System Checkpoint
    RP561: 1/10/2012 10:14:02 PM - Software Distribution Service 3.0
    RP562: 1/13/2012 5:01:26 PM - System Checkpoint
    RP563: 1/15/2012 9:50:20 PM - System Checkpoint
    RP564: 1/19/2012 8:49:14 PM - Software Distribution Service 3.0
    RP565: 1/20/2012 9:12:53 PM - System Checkpoint
    RP566: 1/22/2012 6:06:12 PM - System Checkpoint
    RP567: 1/23/2012 9:02:10 PM - System Checkpoint
    RP568: 1/24/2012 12:49:17 AM - Software Distribution Service 3.0
    RP569: 1/27/2012 4:02:30 PM - System Checkpoint
    RP570: 1/28/2012 6:51:08 PM - System Checkpoint
    RP571: 2/1/2012 2:04:07 PM - System Checkpoint
    RP572: 2/3/2012 1:08:27 PM - System Checkpoint
    RP573: 2/6/2012 5:27:44 PM - System Checkpoint
    RP574: 2/8/2012 3:00:32 PM - System Checkpoint
    RP575: 2/10/2012 3:36:32 PM - System Checkpoint
    RP576: 2/12/2012 2:54:02 PM - System Checkpoint
    RP577: 2/15/2012 12:42:26 AM - System Checkpoint
    RP578: 2/16/2012 3:00:22 PM - Software Distribution Service 3.0
    RP579: 2/18/2012 7:12:50 PM - System Checkpoint
    RP580: 2/19/2012 7:43:42 PM - System Checkpoint
    RP581: 2/20/2012 9:10:42 PM - System Checkpoint
    RP582: 2/22/2012 2:10:50 PM - System Checkpoint
    RP583: 2/24/2012 9:32:45 PM - System Checkpoint
    RP584: 2/26/2012 9:04:29 PM - System Checkpoint
    RP585: 2/28/2012 5:39:27 PM - System Checkpoint
    RP586: 3/1/2012 4:39:39 PM - System Checkpoint
    RP587: 3/2/2012 9:24:49 PM - System Checkpoint
    RP588: 3/4/2012 7:26:49 PM - System Checkpoint
    RP589: 3/5/2012 9:44:23 PM - System Checkpoint
    RP590: 3/7/2012 12:35:05 AM - System Checkpoint
    RP591: 3/9/2012 3:47:02 PM - System Checkpoint
    RP592: 3/10/2012 4:43:37 PM - System Checkpoint
    RP593: 3/10/2012 6:55:41 PM - Removed AOLIcon
    RP594: 3/12/2012 7:34:51 PM - System Checkpoint
    RP595: 3/14/2012 12:37:17 PM - Software Distribution Service 3.0
    RP596: 3/16/2012 9:47:18 AM - System Checkpoint
    RP597: 3/17/2012 1:28:33 PM - System Checkpoint
    RP598: 3/18/2012 6:43:54 PM - System Checkpoint
    RP599: 3/20/2012 3:18:51 PM - System Checkpoint
    RP600: 3/21/2012 10:19:07 PM - System Checkpoint
    RP601: 3/23/2012 6:01:51 PM - System Checkpoint
    RP602: 3/25/2012 12:22:07 PM - System Checkpoint
    RP603: 3/27/2012 12:07:36 AM - System Checkpoint
    RP604: 3/28/2012 9:13:01 AM - System Checkpoint
    RP605: 3/29/2012 10:17:31 PM - System Checkpoint
    RP606: 3/31/2012 11:23:01 AM - System Checkpoint
    RP607: 4/2/2012 1:43:00 AM - System Checkpoint
    RP608: 4/3/2012 1:47:07 AM - System Checkpoint
    RP609: 4/3/2012 2:34:24 PM - Removed FreeRIP Toolbar v5.1.
    RP610: 4/3/2012 2:40:52 PM - Removed IHA_MessageCenter
    .
    ==== Installed Programs ======================
    .
    $APPNAME> 2.31
    µTorrent
    32 Bit HP CIO Components Installer
    Acrobat.com
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 9.5.0
    Adobe Shockwave Player 11.5
    AIM 7
    Aimersoft DVD Copy(Build 2.5.0.3)
    Any Video Converter 3.2.2
    AOL Uninstaller (Choose which Products to Remove)
    Apple Application Support
    Apple Software Update
    ArcSoft PhotoImpression
    ArcSoft Print Creations
    ArcSoft Print Creations - Album Page
    ArcSoft Print Creations - Funhouse
    ArcSoft Print Creations - Greeting Card
    ArcSoft Print Creations - Photo Book
    ArcSoft Print Creations - Photo Calendar
    ArcSoft Print Creations - Scrapbook
    ArcSoft Print Creations - Slimline Card
    ArcSoft VideoImpression 1.6
    AVG 2012
    AviSynth 2.5
    Bonjour
    BufferChm
    CCScore
    CDBurnerXP
    Conexant D850 56K V.9x DFVc Modem
    Convert MP4 to MP3 1.5
    Copy
    Dell Digital Jukebox Driver
    DellSupport
    Destinations
    DeviceDiscovery
    Digital Content Portal
    Digital Line Detect
    DJ_AIO_05_F4400_Software_Min
    EasyRECORD EasyRECORDPlay 1.67.00.00
    ESSBrwr
    ESSCDBK
    ESScore
    ESSgui
    ESSini
    ESSPCD
    ESSPDock
    ESSTOOLS
    essvatgt
    F4400
    fflink
    FL Studio 9
    Freecorder 5
    GameRanger
    GGE909 PC Recoil Pad
    Glary Utilities 2.39.0.1310
    Hotfix for Microsoft .NET Framework 3.0 (KB932471)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB2633952)
    HP Imaging Device Functions 13.0
    HP Smart Web Printing 4.60
    HP Update
    HP USB Disk Storage Format Tool
    hpPrintProjects
    hpWLPGInstaller
    IL Download Manager
    ImgBurn
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet for Wired Connections
    Internet Explorer Default Page
    iPod for Windows 2006-01-10
    iPod for Windows 2006-06-28
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 24
    Java(TM) SE Runtime Environment 6 Update 1
    K-Lite Mega Codec Pack 6.9.0
    kgcbaby
    kgchday
    kgchlwn
    kgcinvt
    kgckids
    kgcmove
    kgcvday
    Kodak EasyShare software
    LockHunter version 1.0 beta 3, 32 bit edition
    Malwarebytes Anti-Malware version 1.60.1.1000
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft ActiveSync
    Microsoft Age of Empires II
    Microsoft Age of Empires II: The Conquerors Expansion
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft National Language Support Downlevel APIs
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Morpheus Photo Morpher v3.00
    Mozilla Firefox 11.0 (x86 en-US)
    MRU-Blaster v1.5 (Database 3/28/2004)
    MSXML 4.0 SP2 (KB925672)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    netbrdg
    OfficeSharedAddInSetup
    OfotoXMI
    OpenOffice.org 2.3
    PeerBlock 1.1 (r518)
    PoiZone
    PokerStars
    PowerDVD 5.5
    QuickTime
    Replay Media Catcher
    Ringtonesia HTC Touch Pro2 Maker 3
    Sakura
    Sawer
    Scan
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2660465)
    SFR
    SHASTA
    skin0001
    SKINXSDK
    Smart PDF Converter 6.3.0.467
    SmartWebPrinting
    SnctionedMed
    SpywareBlaster 4.5
    staticcr
    Status
    Toolbox
    TrayApp
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2641690)
    VC 9.0 Runtime
    VC80CRTRedist - 8.0.50727.4053
    Verizon Help and Support Tool
    VGA Dual Camera
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VPRINTOL
    Vz In Home Agent
    WebFldrs XP
    WebReg
    Windows Defender Signatures
    Windows Genuine Advantage v1.3.0254.0
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows Media Player 11
    Windows Presentation Foundation
    Windows XP Service Pack 3
    WinRAR archiver
    WIRELESS
    WordPerfect Office 12
    XML Paper Specification Shared Components Pack 1.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    4/3/2012 4:01:31 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
    4/3/2012 3:39:22 PM, error: Service Control Manager [7023] - The SrvcEKIOMngr service terminated with the following error: Access is denied.
    4/3/2012 3:24:11 PM, error: Service Control Manager [7023] - The Btwaudio service terminated with the following error: Access is denied.
    4/3/2012 3:09:11 PM, error: Service Control Manager [7023] - The MxlW2k service terminated with the following error: Access is denied.
    4/3/2012 3:08:18 PM, error: Service Control Manager [7023] - The Imonitor service terminated with the following error: Access is denied.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde KLIF Lbd SYMTDI szkg
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The ZuneWlanCfgSvc service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The Wmconnectcds service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The Vpcnfltr service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The Vaiomediaplatform-musicserver-appserver service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The TcUsb service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The SRS_SSCFilter service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The S3psddr service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The Rslinxng service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The Rollbackclientservice service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The Pivotmou service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The Pdlnctdl service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The Oraclexeclragent service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The NWSNS service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The Mnsframework service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The Iksyssec service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The Help and Support service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The Gameenum service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The Fingrd32 service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The Commserver service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The Clisvc service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The Amsmpu4p service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The Aexnsclienttransport service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7023] - The Acprfmgrsvc service terminated with the following error: The specified module could not be found.
    4/3/2012 2:57:13 PM, error: Service Control Manager [7000] - The SAVRTPEL service failed to start due to the following error: The system cannot find the file specified.
    4/3/2012 2:39:32 PM, error: Service Control Manager [7023] - The Gameenum service terminated with the following error: Access is denied.
    4/3/2012 2:36:53 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    4/3/2012 2:25:35 PM, error: Service Control Manager [7023] - The Vpcnfltr service terminated with the following error: Access is denied.
    4/3/2012 11:50:48 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    4/3/2012 11:13:32 AM, error: Service Control Manager [7023] - The Iksyssec service terminated with the following error: Access is denied.
    4/3/2012 10:58:24 AM, error: Service Control Manager [7023] - The Pdlnctdl service terminated with the following error: Access is denied.
    4/3/2012 10:43:27 AM, error: Service Control Manager [7023] - The Pivotmou service terminated with the following error: Access is denied.
    .
    ==== End Of File ===========================
  4. daps

    daps Newcomer, in training Topic Starter

    I also uninstalled everything mentioned up top before doing the removal process.
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    What did you uninstall "up top"?

    This malware is one of the newer variants of ZeroAccess. Please follow the scans below in the order I've given them:
    -------------------
    Download aswMBR to your desktop.
    • Double click the aswMBR.exe to run it.
    • Click the "Scan" button to start scan:
    • On completion of the scan click "Save log", save it to your desktop
    • Post in your next reply:
    NOTE: aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
    ========================================
    Bootkit Remover:

    Download Bootkit Remover.zip and save to your desktop.
    1. Extract (unzip) the file
    2. Double-click on the boot cleaner.exe file to run the program.
      (Vista/7 users, right click on remover.exe and click Run As Administrator.)
    3. You will see a black screen with data
    4. Right click on the screen and click Select All.
    5. Press CTRL+C
    6. Open a Notepad and press CTRL+V
    7. Paste the output in your next reply.
    =================================================
    I'd like you to run Combofix- but it won't run with AVG. You will need to temporarily uninstall AVG as follows:

    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Microsoft Security Essentials
    Comodo AV
    Avast! Free Antivirus
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated- it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =======================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ============================================
    Please read all of the directions carefully. If you have any problem, STOP and tell me about it. DO NOT do a System Restore if you can't make something work!!
  6. daps

    daps Newcomer, in training Topic Starter

    SuperAntiSpyware, Malwarebytes and Spybot were the programs I uninstalled before beginning the cleaning process. I have one question: after the "aswMBR" scan, am I clicking Fix after scan completion?
  7. daps

    daps Newcomer, in training Topic Starter

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-04-04 11:56:16
    -----------------------------
    11:56:16.046 OS Version: Windows 5.1.2600 Service Pack 3
    11:56:16.046 Number of processors: 1 586 0x401
    11:56:16.046 ComputerName: COREY UserName:
    11:56:16.593 Initialize success
    11:57:37.437 AVAST engine defs: 12040400
    11:57:50.984 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    11:57:51.000 Disk 0 Vendor: WDC_WD1600JB-75GVC0 08.02D08 Size: 152587MB BusType: 3
    11:57:51.046 Disk 0 MBR read successfully
    11:57:51.062 Disk 0 MBR scan
    11:57:51.109 Disk 0 unknown MBR code
    11:57:51.125 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
    11:57:51.156 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 149134 MB offset 80325
    11:57:51.203 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 3412 MB offset 305508105
    11:57:51.218 Disk 0 scanning sectors +312496380
    11:57:51.312 Disk 0 scanning C:\WINDOWS\system32\drivers
    11:58:05.781 File: C:\WINDOWS\system32\drivers\netbt.sys **INFECTED** Win32:Rootkit-gen [Rtk]
    11:58:13.734 Disk 0 trace - called modules:
    11:58:13.796 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86d55fd0]<<
    11:58:13.843 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f99ab8]
    11:58:13.890 3 CLASSPNP.SYS[f7666fd7] -> nt!IofCallDriver -> [0x86f73f08]
    11:58:13.921 \Driver\00000593[0x86df9788] -> IRP_MJ_CREATE -> 0x86d55fd0
    11:58:14.500 AVAST engine scan C:\WINDOWS
    11:58:24.640 AVAST engine scan C:\WINDOWS\system32
    11:58:26.859 File: C:\WINDOWS\system32\adminserver.dll **INFECTED** Win32:Sirefef-SM [Trj]
    11:58:28.656 File: C:\WINDOWS\system32\asyncmac.dll **INFECTED** Win32:Sirefef-SM [Trj]
    11:58:39.328 File: C:\WINDOWS\system32\cmuda3.dll **INFECTED** Win32:Sirefef-SM [Trj]
    11:58:42.203 File: C:\WINDOWS\system32\coste.dll **INFECTED** Win32:Sirefef-SM [Trj]
    11:58:43.984 File: C:\WINDOWS\system32\cwafreportscheduler.dll **INFECTED** Win32:Sirefef-SM [Trj]
    11:59:09.546 File: C:\WINDOWS\system32\dvpapi.dll **INFECTED** Win32:Sirefef-SM [Trj]
    11:59:12.062 File: C:\WINDOWS\system32\elosystemservice.dll **INFECTED** Win32:Sirefef-SM [Trj]
    11:59:37.406 File: C:\WINDOWS\system32\issvc.dll **INFECTED** Win32:Sirefef-SM [Trj]
    11:59:37.890 File: C:\WINDOWS\system32\iwebcal.dll **INFECTED** Win32:Sirefef-SM [Trj]
    11:59:46.687 File: C:\WINDOWS\system32\LHidUsbK.dll **INFECTED** Win32:Sirefef-SM [Trj]
    11:59:50.437 File: C:\WINDOWS\system32\lvmvdrv.dll **INFECTED** Win32:Sirefef-SM [Trj]
    11:59:57.609 File: C:\WINDOWS\system32\mouclass.dll **INFECTED** Win32:Sirefef-SM [Trj]
    12:00:11.531 File: C:\WINDOWS\system32\mssql$microsoftbcm.dll **INFECTED** Win32:Sirefef-SM [Trj]
    12:00:23.343 File: C:\WINDOWS\system32\nmwcd.dll **INFECTED** Win32:Sirefef-SM [Trj]
    12:00:27.500 File: C:\WINDOWS\system32\nwrdr.dll **INFECTED** Win32:Sirefef-SM [Trj]
    12:00:32.281 File: C:\WINDOWS\system32\pdlnemsg.dll **INFECTED** Win32:Sirefef-SM [Trj]
    12:00:46.046 File: C:\WINDOWS\system32\rspndr.dll **INFECTED** Win32:Sirefef-SM [Trj]
    12:00:52.312 File: C:\WINDOWS\system32\shellhwdetection.dll **INFECTED** Win32:Sirefef-SM [Trj]
    12:01:07.031 File: C:\WINDOWS\system32\usbaudio.dll **INFECTED** Win32:Sirefef-SM [Trj]
    12:01:09.187 File: C:\WINDOWS\system32\v2imount.dll **INFECTED** Win32:Sirefef-SM [Trj]
    12:01:11.125 File: C:\WINDOWS\system32\viairda.dll **INFECTED** Win32:Sirefef-SM [Trj]
    12:01:11.515 File: C:\WINDOWS\system32\vmnetdhcp.dll **INFECTED** Win32:Sirefef-SM [Trj]
    12:01:20.250 File: C:\WINDOWS\system32\wmiaprpl.dll **INFECTED** Win32:Sirefef-SM [Trj]
    12:01:35.515 File: C:\WINDOWS\system32\zntport.dll **INFECTED** Win32:Sirefef-SM [Trj]
    12:03:01.296 AVAST engine scan C:\WINDOWS\system32\drivers
    12:03:17.265 File: C:\WINDOWS\system32\drivers\netbt.sys **INFECTED** Win32:Rootkit-gen [Rtk]
    12:03:38.796 AVAST engine scan C:\Documents and Settings\corey
    12:29:07.437 AVAST engine scan C:\Documents and Settings\All Users
    12:38:57.921 Scan finished successfully
    12:53:15.062 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\corey\Desktop\MBR.dat"
    12:53:15.093 The log file has been saved successfully to "C:\Documents and Settings\corey\Desktop\aswMBR.txt"



    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02738a00
    Boot sector MD5 is: e7e6f498a5aad54bc8d066e2192a8456

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
  8. daps

    daps Newcomer, in training Topic Starter

    ComboFix 12-04-04.02 - corey sousa 04/04/2012 15:41:08.1.1 - x86
    Running from: c:\documents and settings\corey\My Documents\Downloads\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\Microsoft\corecon\1.0\1033\NonSDKAddonLangVer.dll
    c:\documents and settings\All Users\Application Data\Microsoft\corecon\1.0\addons\NonSDKAddonVer.dll
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\corey\Application Data\PriceGong
    c:\documents and settings\corey\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\corey\Application Data\PriceGong\Data\z.xml
    c:\documents and settings\corey\WINDOWS
    c:\program files\Common
    c:\windows\$NtUninstallKB14989$
    c:\windows\$NtUninstallKB14989$\1495557033\@
    c:\windows\$NtUninstallKB14989$\1495557033\cfg.ini
    c:\windows\$NtUninstallKB14989$\1495557033\Desktop.ini
    c:\windows\$NtUninstallKB14989$\1495557033\L\odetmngk
    c:\windows\$NtUninstallKB14989$\1495557033\oemid
    c:\windows\$NtUninstallKB14989$\1495557033\U\00000001.@
    c:\windows\$NtUninstallKB14989$\1495557033\U\00000002.@
    c:\windows\$NtUninstallKB14989$\1495557033\U\00000004.@
    c:\windows\$NtUninstallKB14989$\1495557033\U\80000000.@
    c:\windows\$NtUninstallKB14989$\1495557033\U\80000004.@
    c:\windows\$NtUninstallKB14989$\1495557033\U\80000032.@
    c:\windows\$NtUninstallKB14989$\1495557033\version
    c:\windows\$NtUninstallKB14989$\2439194020
    c:\windows\desktop
    c:\windows\Fonts\acrsec.fon
    c:\windows\system32\bcftdi.dll
    c:\windows\system32\Cache
    c:\windows\system32\Cache\272512937d9e61a4.fb
    c:\windows\system32\Cache\287204568329e189.fb
    c:\windows\system32\Cache\28bc8f716fd76a47.fb
    c:\windows\system32\Cache\2c53092c95605355.fb
    c:\windows\system32\Cache\3917078cb68ec657.fb
    c:\windows\system32\Cache\590ba23ce359fd0c.fb
    c:\windows\system32\Cache\610289e025a3ee9a.fb
    c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
    c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
    c:\windows\system32\Cache\6dd70b72bd506f5a.fb
    c:\windows\system32\Cache\a8556537add6dfc5.fb
    c:\windows\system32\Cache\ad10a52aff5e038d.fb
    c:\windows\system32\Cache\aea1533be4eeba5c.fb
    c:\windows\system32\Cache\c4d28dca2e7648be.fb
    c:\windows\system32\Cache\d201ef9910cd39de.fb
    c:\windows\system32\Cache\d2e94710a5708128.fb
    c:\windows\system32\Cache\d79b9dfe81484ec4.fb
    c:\windows\system32\Cache\e0de16f883bea794.fb
    c:\windows\system32\Cache\f87fe2a78c3a640c.fb
    c:\windows\system32\cache329
    c:\windows\system32\cache329\B_329_0_0_106800.htm
    c:\windows\system32\cache329\B_329_0_0_107400.htm
    c:\windows\system32\cache329\B_329_1_0_449200.htm
    c:\windows\system32\cache329\B_329_1_0_449600.htm
    c:\windows\system32\cache329\B_329_1_0_454300.htm
    c:\windows\system32\cache329\B_329_2_0_105300.htm
    c:\windows\system32\cache329\B_329_2_0_106800.htm
    c:\windows\system32\cache329\B_329_2_0_107400.htm
    c:\windows\system32\cache329\B_329_3_0_106800.htm
    c:\windows\system32\cache329\B_329_3_0_107400.htm
    c:\windows\system32\cache329\B_329_4_0_111600.htm
    c:\windows\system32\cache329\B_329_4_0_155300.htm
    c:\windows\system32\cache329\t_B_329_0_0_106800.htm
    c:\windows\system32\cache329\t_B_329_0_0_107400.htm
    c:\windows\system32\cache329\t_B_329_1_0_449200.htm
    c:\windows\system32\cache329\t_B_329_1_0_449600.htm
    c:\windows\system32\cache329\t_B_329_1_0_454300.htm
    c:\windows\system32\cache329\t_B_329_2_0_105300.htm
    c:\windows\system32\cache329\t_B_329_2_0_106800.htm
    c:\windows\system32\cache329\t_B_329_2_0_107400.htm
    c:\windows\system32\cache329\t_B_329_3_0_106800.htm
    c:\windows\system32\cache329\t_B_329_3_0_107400.htm
    c:\windows\system32\cache329\t_B_329_4_0_111600.htm
    c:\windows\system32\cache329\t_B_329_4_0_155300.htm
    c:\windows\system32\cpqalert.dll
    c:\windows\system32\dds_trash_log.cmd
    c:\windows\system32\FVNETusb.dll
    c:\windows\system32\mysql.dll
    c:\windows\system32\se58unic.dll
    c:\windows\system32\termdd.dll
    c:\windows\system32\tunmp.dll
    c:\windows\system32\vcsw.dll
    .
    Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
    Restored copy from - The cat found it :)
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_NETWORKLOG
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-04 to 2012-04-04 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-04 19:35 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
    2012-04-04 19:35 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\dllcache\netbt.sys
    2012-04-04 18:17 . 2012-03-06 23:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-04-04 18:17 . 2012-03-06 23:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-04-04 18:16 . 2012-03-06 23:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-04-04 18:16 . 2012-03-06 23:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-04-04 18:16 . 2012-03-06 23:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-04-04 18:16 . 2012-03-06 23:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2012-04-04 18:16 . 2012-03-06 23:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2012-04-04 18:16 . 2012-03-06 22:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2012-04-04 18:15 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
    2012-04-04 18:15 . 2012-03-06 23:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
    2012-04-04 18:14 . 2012-04-04 18:14 -------- d-----w- c:\program files\AVAST Software
    2012-04-04 18:14 . 2012-04-04 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2012-04-03 19:03 . 2012-04-03 19:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-04-03 19:03 . 2011-12-10 19:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-03 03:26 . 2012-04-03 03:26 -------- d-----w- c:\documents and settings\corey sousa\Application Data\Malwarebytes
    2012-04-03 03:26 . 2012-04-03 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-04-02 19:12 . 2012-04-02 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2012-04-01 09:26 . 2012-04-01 09:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
    2012-03-31 21:43 . 2012-03-31 21:43 -------- d-----w- c:\documents and settings\corey sousa\Local Settings\Application Data\MSRebar
    2012-03-24 17:49 . 2012-03-24 17:49 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
    2012-03-24 17:49 . 2012-03-24 17:49 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
    2012-03-13 16:51 . 2012-03-13 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeRIP
    2012-03-13 16:51 . 2012-03-13 16:51 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-03 18:39 . 2011-11-30 18:54 256 ----a-w- c:\windows\system32\MSIevent.bat
    2012-04-03 18:39 . 2011-11-30 18:54 260 ----a-w- c:\windows\system32\cmdVBS.vbs
    2012-02-03 09:22 . 2004-08-10 18:51 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-09 16:20 . 2004-08-10 19:01 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-03-24 17:49 . 2011-04-07 02:26 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2012-03-13 16:42 1869152 ----a-w- c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll" [2012-03-13 1869152]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
    "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-07-10 195072]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
    "Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2011-03-24 167936]
    "ROC_roc_dec12"="c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-24 928096]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe"
    "matrsd"=rundll32.exe "c:\docume~1\COREYS~1\LOCALS~1\Temp\matrsd.dll",CreateTextureFromFileInMemoryEx
    "vProt"="c:\program files\AVG Secure Search\vprot.exe"
    "igfxhkcmd"=c:\windows\system32\hkcmd.exe
    "igfxpers"=c:\windows\system32\igfxpers.exe
    "igfxtray"=c:\windows\system32\igfxtray.exe
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\America Online 9.0\\waol.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\AIM7\\aim.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Documents and Settings\\corey sousa\\Application Data\\GameRanger\\GameRanger\\GameRanger.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/4/2012 2:16 PM 612184]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/4/2012 2:17 PM 337880]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/4/2012 2:17 PM 20696]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/3/2012 3:03 PM 20464]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
    S0 nielprt;Nielsen Patch Service;c:\windows\system32\DRIVERS\nielprt.sys --> c:\windows\system32\DRIVERS\nielprt.sys [?]
    S3 CCCP106;CIF USB Camera (2110A);c:\windows\system32\DRIVERS\cccp106.sys --> c:\windows\system32\DRIVERS\cccp106.sys [?]
    S3 MAC607;MAC607 Filter; [x]
    S3 MR97310_VGA_DUAL_CAMERA;VGA Dual Camera;c:\windows\system32\drivers\mr97310v.sys [6/14/2005 11:11 AM 116247]
    S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - PBFILTER
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    NETSVCS REQUIRES REPAIRS - current entries shown
    6to4
    AppMgmt
    AudioSrv
    Browser
    CryptSvc
    DMServer
    DHCP
    ERSvc
    EventSystem
    FastUserSwitchingCompatibility
    HidServ
    Ias
    Iprip
    Irmon
    LanmanServer
    LanmanWorkstation
    Messenger
    Netman
    Nla
    Ntmssvc
    NWCWorkstation
    Nwsapagent
    Rasauto
    MSFWHLPR
    servicelayer
    epsonbidirectionalagent
    atimtag
    Jukebox
    array_utility_service4,0,1,3
    ELmon
    ATKGFNEXSrv
    EMSCR
    SbieDrv
    LoopBeMidi1
    acdservice
    egathdrv
    toshidpt
    avgems
    symwsc
    XilinxPC4Driver
    olcamsrv
    Mtlstrm
    SQLWriter
    omniusb
    ofcservice
    logmein
    snpstd2
    enxpsvr
    Airgo
    s716unic
    quickhealfirewall
    SE26mdfl
    dtsrvc
    actser
    VMAUDIO
    dnsexit
    rslinxng
    sony_ssm.sys
    cpuidlep
    CX23880
    xnacc
    bantext
    ZTEusbmdm6k
    bltrust
    cccredmgr
    ESDCR
    W700mdfl
    WinFl32
    NEOFLTR_600_13319
    pgfilter
    oracleformsserver-forms60server-oraform
    sandradatasrv
    ps2
    rimusb
    lirsgt
    aswmon2
    trackcam4
    {834170a7-af3b-4d34-a757-e05eb29ee96d}
    isamsmt
    NetTcpActivator
    smartwiservice
    mgabg
    w29n51
    ARCSOFTVIRTUALCAPTURE
    BCMWLNPF
    ssoftservice
    addfiltr
    d-link_st3402
    nvax
    w300mdfl
    eabusb
    basic2
    NxSysMon
    RAPIProtocol
    pctavsvc
    TMMEmu
    BLKWGU(Belkin)
    websenserealtimeanalyzer
    aiclient
    nscservice
    smstsmgr
    nsengine
    snapman380
    UpdateCenterService
    dlaudf_m
    SE2Cbus
    omci
    wlankeeper
    HBtnKey
    sdhelper
    websensecamserver
    Packet
    mxnic
    vwd
    centennialclientagent
    DumaNT
    tphdexlgsvc
    tifm21
    w810mdfl
    L8042mou
    lxrjd31d
    gtndis5
    Rasman
    Remoteaccess
    Schedule
    Seclogon
    SENS
    Sharedaccess
    SRService
    Tapisrv
    Themes
    TrkWks
    W32Time
    WZCSVC
    Wmi
    WmdmPmSp
    winmgmt
    wscsvc
    xmlprov
    BITS
    wuauserv
    ShellHWDetection
    helpsvc
    WmdmPmSN
    napagent
    hkmsvc
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    2012-03-24 c:\windows\Tasks\Disk Cleanup.job
    - c:\windows\system32\cleanmgr.exe [2004-08-10 00:12]
    .
    2012-04-04 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2011-09-23 18:08]
    .
    2012-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-04-04 18:17]
    .
    2012-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-04-04 18:17]
    .
    2009-12-09 c:\windows\Tasks\NSSstub.job
    - c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-12-08 18:10]
    .
    2012-04-04 c:\windows\Tasks\User_Feed_Synchronization-{96756161-EF71-44D0-ACCD-74F90450BE23}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
    Trusted Zone: pearsoned.com\myitlab
    TCP: DhcpNameServer = 192.168.1.1
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll
    FF - ProfilePath - c:\documents and settings\corey sousa\Application Data\Mozilla\Firefox\Profiles\v58hfcua.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=386496&p=
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
    SafeBoot-Wdf01000.sys
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-04 16:06
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3876)
    c:\windows\system32\WININET.dll
    c:\documents and settings\corey sousa\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\windows\system32\brsvc01a.exe
    c:\windows\system32\brss01a.exe
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\nexon\Mabinogi\npkcmsvc.exe
    c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
    c:\windows\system32\rundll32.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\progra~1\MI3AA1~1\rapimgr.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2012-04-04 16:25:29 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-04 20:25
    .
    Pre-Run: 84,701,974,528 bytes free
    Post-Run: 84,810,153,984 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 2D629B783F92D811D9659D6E9A01E6C6
  9. daps

    daps Newcomer, in training Topic Starter

    scan results

    C:\Documents and Settings\corey\Local Settings\Application Data\MSRebar\SysVer\SysVer.exe a variant of MSIL/Adware.SanctionedMedia.A application
    C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe Win32/RegistryBooster application
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    NO
    =============================
    Please uninstall the Uniblue Registry Booster. Not only is it infected, but we do not recommend that anyone use a registry cleaner. After it's uninstalled, use Windows Explorer to access Computer> Local Drive(C)> Programs> find the program folder and do a right click> Delete.
    ================================
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes
      C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe

      :Files
      C:\Documents and Settings\corey\Local Settings\Application Data\MSRebar\SysVer\SysVer.exe
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ======================================
    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:

    Code:

    @ECHO OFF
    REM Runs the boot-sector cleaning tool the post refers to against the first physical disk.
    REM START treats a first quoted argument as the window title, so an empty "" is passed
    REM first; the program name is quoted because it contains a space. The tool is expected
    REM in the same folder as fix.bat.
    START "" "boot cleaner.exe" fix \\.\PhysicalDrive0
    EXIT

    • Go to FILE > SAVE AS and in the drop-down box set SAVE AS TYPE to ALL FILES
    • In the FILE NAME box type fix.bat.
    • Save fix.bat to your Desktop.
    • Double click on fix.bat to run.
      You may see a black box appear; this is normal.
    • When done, run bootkit.exe again and post its output.
    ====================================================
    You may have noticed this warning in ComboFix: NETSVCS REQUIRES REPAIRS - current entries shown. Please download and run MS Fix-it to resolve this.
    =================================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::

    Folder::
    c:\documents and settings\corey sousa\Local Settings\Application Data\MSRebar
    Extra::
    File::
    c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    Firefox::
    Firefox-: - Profile - c:\documents and settings\corey sousa\application data\mozilla\firefox\profiles\v58hfcua.default\
    Firefox-: prefs.js - Search.DefaultURL
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "SearchSettings"=-
    "matrsd"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-

    Clearjavacache::

    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    Please update and rerun the Eset scan.
  12. daps

    daps Newcomer, in training Topic Starter

    When running OTMoveIt by Old Timer, it freezes.
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Uninstall the OTM you now have.

    Update and rescan with Eset. Let me see the log.
  14. daps

    daps Newcomer, in training Topic Starter

    C:\Documents and Settings\corey sousa\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000089 a variant of Win32/InstallCore.D application
    C:\Documents and Settings\corey sousa\Local Settings\temp\ICReinstall\cnet2_CheetahDVDBurner_exe.exe a variant of Win32/InstallCore.D application
    C:\Documents and Settings\corey sousa\Local Settings\temp\ICReinstall\cnet2_dvdmaker_zip (1).exe a variant of Win32/InstallCore.D application
    C:\Documents and Settings\corey sousa\Local Settings\temp\ICReinstall\cnet2_dvdmaker_zip.exe a variant of Win32/InstallCore.D application
    C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe Win32/RegistryBooster application
    C:\Qoobox\Quarantine\C\Documents and Settings\corey sousa\Local Settings\Application Data\MSRebar\SysVer\SysVer.exe.vir a variant of MSIL/Adware.SanctionedMedia.A application
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP601\A0086013.dll a variant of Win32/Adware.Toolbar.Dealio application
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP607\A0094143.exe a variant of Win32/Adware.Toolbar.Dealio application
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP609\A0097237.rbf a variant of Win32/Adware.Toolbar.Dealio application
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP616\A0105034.exe a variant of MSIL/Adware.SanctionedMedia.A application
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Let's try it again:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files
      C:\Documents and Settings\corey sousa\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000089
      C:\Documents and Settings\corey sousa\Local Settings\temp\ICReinstall\cnet2_CheetahDVDBurner_exe.exe
      C:\Documents and Settings\corey sousa\Local Settings\temp\ICReinstall\cnet2_dvdmaker_zip (1).exe
      C:\Documents and Settings\corey sousa\Local Settings\temp\ICReinstall\cnet2_dvdmaker_zip.exe
      C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe

      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ===========================================
    Again, I recommend that you uninstall the Uniblue RegistryBooster.

    The remaining entries from the Eset scan are for the ActiveX object that is required when you download from CNet. You may want to consider downloading from the software home site.
    The System Volume processes are restore points. They are no longer active in the system and will be removed when we finish.

    The Qoobox is where Combofix sends the quarantined files. They are no longer active in the system and will be removed when Combofix is uninstalled.
    ==============================================
    Did you run the script in Combofix? Log?
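The triage the helper describes above (browser cache and temp downloads, restore points and the Qoobox quarantine versus files that are still live), as an added example that is not part of this thread: a small Python parser for the ESET result lines, run over sample lines constructed from the ones posted. The category rules and the regular expression for the detection prefix are assumptions made for this example.

```python
"""Triage ESET scan log lines by where each flagged file lives.

Added example, not part of the thread. It understands the ESET line layout
posted above (full path, then the detection name) and applies the rule the
helper states: files under System Volume Information restore points or
ComboFix's Qoobox quarantine are no longer active. The category rules and
the regular expression are assumptions made for this example.
"""
import re
from collections import Counter

# Constructed sample input, modelled on the ESET results posted in the thread.
SAMPLE_ESET_LOG = r"""
C:\Documents and Settings\corey sousa\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000089 a variant of Win32/InstallCore.D application
C:\Documents and Settings\corey sousa\Local Settings\temp\ICReinstall\cnet2_dvdmaker_zip (1).exe a variant of Win32/InstallCore.D application
C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe Win32/RegistryBooster application
C:\Qoobox\Quarantine\C\Documents and Settings\corey sousa\Local Settings\Application Data\MSRebar\SysVer\SysVer.exe.vir a variant of MSIL/Adware.SanctionedMedia.A application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP601\A0086013.dll a variant of Win32/Adware.Toolbar.Dealio application
scan completed
"""

# The detection text starts with an optional "probably "/"a variant of " and an
# ESET family prefix such as Win32/ or MSIL/. Windows paths use backslashes,
# so the first "<family>/" token reliably marks where the path ends.
_LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<detection>(?:probably )?(?:a variant of )?"
    r"(?:Win32|Win64|MSIL|JS|VBS|HTML|PDF|Java)/\S.*)$"
)

# Checked in order; first match wins. Substrings are compared case-insensitively.
CATEGORIES = (
    ("\\system volume information\\_restore", "restore_point"),
    ("\\qoobox\\quarantine\\", "combofix_quarantine"),
    ("\\local settings\\temp\\", "temp_download"),
    ("\\user data\\default\\cache\\", "browser_cache"),
)


def parse_line(line):
    """Split one ESET result line into (path, detection); None if it is not a result."""
    match = _LINE_RE.match(line.strip())
    if match is None:
        return None
    return match.group("path"), match.group("detection")


def classify(path):
    """Return the location category for a flagged file ("live" if none applies)."""
    lowered = path.lower()
    for needle, label in CATEGORIES:
        if needle in lowered:
            return label
    return "live"


def triage(log_text):
    """Parse a whole log into rows of path/detection/category, skipping non-result lines."""
    rows = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, detection = parsed
        rows.append({"path": path, "detection": detection, "category": classify(path)})
    return rows


def summarize(rows):
    """Count flagged files per category."""
    return dict(Counter(row["category"] for row in rows))


def live_paths(rows):
    """Paths that still need action: not in a restore point, quarantine, cache or temp."""
    return [row["path"] for row in rows if row["category"] == "live"]


if __name__ == "__main__":
    result = triage(SAMPLE_ESET_LOG)
    for row in result:
        print(f"{row['category']:<20} {row['detection']:<48} {row['path']}")
    print("per category:", summarize(result))
    print("still live:", live_paths(result))
```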
  16. daps

    daps Newcomer, in training Topic Starter

    Sorry, here is the ComboFix:

    ComboFix 12-04-16.02 - corey sousa 04/16/2012 23:28:57.5.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.499 [GMT -4:00]
    Running from: c:\documents and settings\corey sousa\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\corey sousa\Desktop\cfscript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    FILE ::
    "c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll"
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-17 to 2012-04-17 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-07 18:19 . 2012-04-07 20:08 -------- d-----w- c:\documents and settings\corey sousa\Local Settings\Application Data\Nero
    2012-04-07 17:53 . 2010-05-26 15:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
    2012-04-07 17:53 . 2010-05-26 15:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
    2012-04-07 17:53 . 2010-05-26 15:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
    2012-04-07 17:53 . 2010-05-26 15:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
    2012-04-07 17:53 . 2010-05-26 15:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
    2012-04-07 17:53 . 2009-09-04 21:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
    2012-04-07 17:52 . 2009-09-04 21:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
    2012-04-07 02:39 . 2008-06-09 02:58 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
    2012-04-07 02:39 . 2012-04-07 02:39 -------- d-----w- c:\program files\ffdshow
    2012-04-07 02:14 . 2012-04-07 02:14 -------- d-----w- c:\documents and settings\corey sousa\Local Settings\Application Data\Xilisoft
    2012-04-07 02:14 . 2012-04-07 02:14 -------- d-----w- c:\documents and settings\corey sousa\Application Data\Xilisoft
    2012-04-07 00:53 . 1998-06-18 05:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
    2012-04-07 00:53 . 2012-04-07 00:53 -------- d-----w- c:\program files\VirtualDJ
    2012-04-07 00:52 . 2012-04-07 00:52 -------- d-----w- c:\program files\Cheetah Burner
    2012-04-06 19:25 . 2012-04-06 19:25 -------- d-----w- c:\documents and settings\corey sousa\Application Data\ElevatedDiagnostics
    2012-04-06 17:36 . 2012-04-06 17:36 -------- d-----w- C:\_OTM
    2012-04-05 21:11 . 2012-04-05 21:11 -------- d-----w- c:\documents and settings\corey sousa\Application Data\AVG2012
    2012-04-05 21:07 . 2012-04-07 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
    2012-04-05 21:06 . 2012-04-05 21:06 -------- d-----w- c:\program files\AVG
    2012-04-04 20:31 . 2012-04-04 20:31 -------- d-----w- c:\program files\ESET
    2012-04-04 19:35 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
    2012-04-04 19:35 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\dllcache\netbt.sys
    2012-04-04 18:17 . 2012-03-06 23:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-04-04 18:17 . 2012-03-06 23:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-04-04 18:16 . 2012-03-06 23:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-04-04 18:16 . 2012-03-06 23:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-04-04 18:16 . 2012-03-06 23:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-04-04 18:16 . 2012-03-06 23:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2012-04-04 18:16 . 2012-03-06 23:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2012-04-04 18:16 . 2012-03-06 22:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2012-04-04 18:15 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
    2012-04-04 18:15 . 2012-03-06 23:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
    2012-04-04 18:14 . 2012-04-04 18:14 -------- d-----w- c:\program files\AVAST Software
    2012-04-04 18:14 . 2012-04-04 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2012-04-03 19:03 . 2012-04-03 19:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-04-03 19:03 . 2011-12-10 19:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-03 03:26 . 2012-04-03 03:26 -------- d-----w- c:\documents and settings\corey sousa\Application Data\Malwarebytes
    2012-04-03 03:26 . 2012-04-03 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-04-02 19:12 . 2012-04-02 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2012-04-01 09:26 . 2012-04-01 09:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
    2012-03-24 17:49 . 2012-03-24 17:49 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
    2012-03-24 17:49 . 2012-03-24 17:49 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-07 18:08 . 2011-05-19 01:19 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-04-05 20:21 . 2011-11-30 18:54 256 ----a-w- c:\windows\system32\MSIevent.bat
    2012-04-05 20:21 . 2011-11-30 18:54 260 ----a-w- c:\windows\system32\cmdVBS.vbs
    2012-04-05 05:35 . 2010-05-08 23:24 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-04-05 05:35 . 2007-05-04 02:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-03-01 11:01 . 2004-08-10 18:51 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-03-01 11:01 . 2004-08-10 18:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-03-01 11:01 . 2004-08-10 18:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-02-29 14:10 . 2004-08-10 18:51 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 14:10 . 2004-08-10 18:51 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 12:17 . 2004-08-10 18:51 385024 ----a-w- c:\windows\system32\html.iec
    2012-02-03 09:22 . 2004-08-10 18:51 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-03-24 17:49 . 2011-04-07 02:26 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2012-03-13 16:42 1869152 ----a-w- c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll" [2012-03-13 1869152]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
    "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
    "Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2011-03-24 167936]
    "ROC_roc_dec12"="c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-24 928096]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ \0
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "vProt"="c:\program files\AVG Secure Search\vprot.exe"
    "igfxhkcmd"=c:\windows\system32\hkcmd.exe
    "igfxpers"=c:\windows\system32\igfxpers.exe
    "igfxtray"=c:\windows\system32\igfxtray.exe
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\America Online 9.0\\waol.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\AIM7\\aim.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Documents and Settings\\corey sousa\\Application Data\\GameRanger\\GameRanger\\GameRanger.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "50000:UDP"= 50000:UDP:IHA_MessageCenter
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/4/2012 2:16 PM 612184]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/4/2012 2:17 PM 337880]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/4/2012 2:17 PM 20696]
    R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [12/12/2011 11:03 AM 290832]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/3/2012 3:04 PM 652360]
    R2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe [3/13/2012 12:42 PM 918880]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/3/2012 3:03 PM 20464]
    R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2/25/2011 11:28 PM 19056]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
    S0 nielprt;Nielsen Patch Service;c:\windows\system32\DRIVERS\nielprt.sys --> c:\windows\system32\DRIVERS\nielprt.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/4/2012 2:17 PM 136176]
    S3 CCCP106;CIF USB Camera (2110A);c:\windows\system32\DRIVERS\cccp106.sys --> c:\windows\system32\DRIVERS\cccp106.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/4/2012 2:17 PM 136176]
    S3 MAC607;MAC607 Filter; [x]
    S3 MR97310_VGA_DUAL_CAMERA;VGA Dual Camera;c:\windows\system32\drivers\mr97310v.sys [6/14/2005 11:11 AM 116247]
    S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]
    S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [7/18/2009 12:50 PM 7548]
    S3 SCREAMINGBDRIVER;Screaming Bee Audio; [x]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - PBFILTER
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    NETSVCS REQUIRES REPAIRS - current entries shown
    6to4
    AppMgmt
    AudioSrv
    Browser
    CryptSvc
    DMServer
    DHCP
    ERSvc
    EventSystem
    FastUserSwitchingCompatibility
    HidServ
    Ias
    Iprip
    Irmon
    LanmanServer
    LanmanWorkstation
    Messenger
    Netman
    Nla
    Ntmssvc
    NWCWorkstation
    Nwsapagent
    Rasauto
    MSFWHLPR
    servicelayer
    epsonbidirectionalagent
    atimtag
    Jukebox
    array_utility_service4,0,1,3
    ELmon
    ATKGFNEXSrv
    EMSCR
    SbieDrv
    LoopBeMidi1
    acdservice
    egathdrv
    toshidpt
    avgems
    symwsc
    XilinxPC4Driver
    olcamsrv
    Mtlstrm
    SQLWriter
    omniusb
    ofcservice
    logmein
    snpstd2
    enxpsvr
    Airgo
    s716unic
    quickhealfirewall
    SE26mdfl
    dtsrvc
    actser
    VMAUDIO
    dnsexit
    rslinxng
    sony_ssm.sys
    cpuidlep
    CX23880
    xnacc
    bantext
    ZTEusbmdm6k
    bltrust
    cccredmgr
    ESDCR
    W700mdfl
    WinFl32
    NEOFLTR_600_13319
    pgfilter
    oracleformsserver-forms60server-oraform
    sandradatasrv
    ps2
    rimusb
    lirsgt
    aswmon2
    trackcam4
    {834170a7-af3b-4d34-a757-e05eb29ee96d}
    isamsmt
    NetTcpActivator
    smartwiservice
    mgabg
    w29n51
    ARCSOFTVIRTUALCAPTURE
    BCMWLNPF
    ssoftservice
    addfiltr
    d-link_st3402
    nvax
    w300mdfl
    eabusb
    basic2
    NxSysMon
    RAPIProtocol
    pctavsvc
    TMMEmu
    BLKWGU(Belkin)
    websenserealtimeanalyzer
    aiclient
    nscservice
    smstsmgr
    nsengine
    snapman380
    UpdateCenterService
    dlaudf_m
    SE2Cbus
    omci
    wlankeeper
    HBtnKey
    sdhelper
    websensecamserver
    Packet
    mxnic
    vwd
    centennialclientagent
    DumaNT
    tphdexlgsvc
    tifm21
    w810mdfl
    L8042mou
    lxrjd31d
    gtndis5
    Rasman
    Remoteaccess
    Schedule
    Seclogon
    SENS
    Sharedaccess
    SRService
    Tapisrv
    Themes
    TrkWks
    W32Time
    WZCSVC
    Wmi
    WmdmPmSp
    winmgmt
    wscsvc
    xmlprov
    BITS
    wuauserv
    ShellHWDetection
    helpsvc
    WmdmPmSN
    napagent
    hkmsvc
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-12 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    2012-04-14 c:\windows\Tasks\Disk Cleanup.job
    - c:\windows\system32\cleanmgr.exe [2004-08-10 00:12]
    .
    2012-04-13 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2011-09-23 18:08]
    .
    2012-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-04-04 18:17]
    .
    2012-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-04-04 18:17]
    .
    2012-04-17 c:\windows\Tasks\User_Feed_Synchronization-{96756161-EF71-44D0-ACCD-74F90450BE23}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
    Trusted Zone: pearsoned.com\myitlab
    TCP: DhcpNameServer = 192.168.1.1
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll
    FF - ProfilePath - c:\documents and settings\corey sousa\Application Data\Mozilla\Firefox\Profiles\v58hfcua.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=386496&p=
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-16 23:47
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(660)
    c:\windows\system32\igfxdev.dll
    .
    - - - - - - - > 'explorer.exe'(1296)
    c:\windows\system32\WININET.dll
    c:\documents and settings\corey sousa\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2012-04-16 23:53:13
    ComboFix-quarantined-files.txt 2012-04-17 03:53
    ComboFix2.txt 2012-04-17 03:23
    ComboFix3.txt 2012-04-06 20:05
    ComboFix4.txt 2012-04-05 15:16
    ComboFix5.txt 2012-04-17 03:26
    .
    Pre-Run: 73,043,238,912 bytes free
    Post-Run: 73,028,001,792 bytes free
    .
    - - End Of File - - DE69134FF6CEC75F3B4466B2DA324908
  17. daps

    daps Newcomer, in training Topic Starter

    Unable to find Uniblue on my computer to uninstall, and OTM did it again. I left my computer on while I slept at 12 a.m. overnight to see if it would work; I woke up today and the computer clock still said 12 a.m. (froze, computer inaccessible) and the OTM results were empty.
  18. daps

    daps Newcomer, in training Topic Starter

    if you are unable to help me just let me know....
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Please accept my apology for lack of reply. I've been checking threads and have found several that stopped sending feedback after the site upgrade.

    If you are still having the problems, I'd like to get some current information. We need to handle this first:

    The current Combofix logs shows: NETSVCS REQUIRES REPAIRS.


    1. You will need to Uninstall ComboFix and all Backups of the files it deleted

    [o] Click START> then RUN
    [o] Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    2. Please download and extract the following file: XPSP3 netsvcs
    Then double click on it to merge it into the Registry.

    3. Download and run Combofix again. The NETSVCS should be repaired and I can review the log for new entries. Please use the link and follow the previous directions I gave for the initial scan.

    4. Let's get an online AV scan:
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

    Please leave the two new logs in your next reply, along with any new information.
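    One way to triage the NETSVCS block that ComboFix flagged in the log above: pull the listed names out of the log and report any that are not in the Windows XP SP3 default netsvcs list. This is an added Python example, not code from the thread, from ComboFix or from TechSpot; the baseline set is my assumption of the XP SP3 defaults and the sample excerpt is constructed.

```python
# Added example, not from the thread, ComboFix or TechSpot: pull the netsvcs
# entries out of a ComboFix log and flag any that are not in the Windows XP SP3
# default list. The baseline is my assumption of the XP SP3 defaults; check it
# against the "XPSP3 netsvcs" fix file the helper links before relying on it.
import re

XP_SP3_NETSVCS = {
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP",
    "ERSvc", "EventSystem", "FastUserSwitchingCompatibility", "HidServ", "Ias",
    "Iprip", "Irmon", "LanmanServer", "LanmanWorkstation", "Messenger", "Netman",
    "Nla", "Ntmssvc", "NWCWorkstation", "Nwsapagent", "Rasauto", "Rasman",
    "Remoteaccess", "Schedule", "Seclogon", "SENS", "Sharedaccess", "SRService",
    "Tapisrv", "Themes", "TrkWks", "W32Time", "WZCSVC", "Wmi", "WmdmPmSp",
    "winmgmt", "wscsvc", "xmlprov", "BITS", "wuauserv", "ShellHWDetection",
    "helpsvc", "WmdmPmSN", "napagent", "hkmsvc",
}
_BASELINE = {n.lower() for n in XP_SP3_NETSVCS}  # registry names are case-insensitive

def extract_netsvcs(log_text):
    """Netsvcs names from a ComboFix log, in either the one-line
    'netsvcs REG_MULTI_SZ a b c' form or the multi-line 'NETSVCS REQUIRES
    REPAIRS' form, where names follow one per line up to the '.' separator."""
    names, collecting = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if collecting:
            if line in (".", ""):
                break
            names.append(line)
        elif re.match(r"netsvcs\s+REG_MULTI_SZ\s", line, re.IGNORECASE):
            names.extend(line.split(None, 2)[2].split())
            break
        elif line.upper().startswith("NETSVCS"):
            collecting = True  # names start on the next line
    return names

def unexpected_netsvcs(log_text):
    """Names in the log's netsvcs list that are absent from the baseline."""
    return [n for n in extract_netsvcs(log_text) if n.lower() not in _BASELINE]

# Constructed excerpt in the layout of the log posted above (not a real log).
SAMPLE_LOG = """\
NETSVCS REQUIRES REPAIRS - current entries shown
6to4
Rasauto
MSFWHLPR
servicelayer
Rasman
.
"""
```

Anything the script reports is a candidate for review against the rerun log, not proof of infection: legitimate software can register its own entries.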
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I explained the delay to you. Do you plan to continue?