TechSpot

XP Antivirus 2012: 12/18/2011

By Hurriken
Dec 18, 2011
  1. I picked up a nasty Malware on my PC again. It won't let me do anything. I tried to run Malwarebytes and GMER in both normal and safe mode but no joy. Malwarebytes won't even open and GMER gets kicked to the curb by the virus. Please Help.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'll be glad to try and help you, but understand this:
    Telling me you tried to run a program but "no joy" tells me nothing.
    Telling me a program "got kicked to the curb" by a program tells me nothing.

    You need to tell me what happens when you try to run a scan so I can determine the best way to help you accomplish it.

    Please also give me a description of what this malware is causing on your system. You have named it, so something must have indicated this malware.
    ---------------------------------------------
    Description of this malware with the following sequence for XP Antivirus 2012:
    1. Pretends to be a security update for Windows installed via Automatic Updates. It will then install itself as a single executable that has a random consisting of three characters
    2. Clicking on any executable loads the malware
    3. Display fake security alerts on the infected computer.
    4. May not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer
    5. Changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program.

    To fix #5, you start here: Download a Registry file that will fix these changes.
    Please download FixNCR.reg and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.
    • Insert the removable device into the infected computer and open the folder for the drive letter associated with it. (Usually C)
    • Double click the FixNCR.reg file
    • You should now be able to run the .exe files.
    -------------------------------------
    To end the processes that belong to the rogue program:
    Please click on RKill
    • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
    • Double click on the iExplore.exe icon
    • Please be patient- it may take a bit.
    • The black Window will close when through and you can continue.
    Note: If you get a message that RKill is malware, ignore it; it's from the malware.
    =======================================
    Do not reboot your computer after running RKill as the malware programs will start again.
    ================================
    Malwarebytes' Anti-Malware
    • Please download Malwarebytes' Anti-Malware from HERE
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      [o] Update Malwarebytes' Anti-Malware
      [o] and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach this log with your reply.
      Note: on opening Notepad, click on Format> make sure Word Wrap is unchecked.
      [o] If you accidentally close it, the log file is saved here and will be named like this:
      [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    ==============================
    This should remove the major offender. Reboot the Computer into Normal Mode and run the following:
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ========================================
    • Download DDS by sUBs and save it to your desktop.

      After downloading the tool, disconnect from the internet and disable all antivirus protection.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
    • Notepad will open with the results, click no to the Optional_Scan
    • Follow the instructions that pop up for posting the results.
    • When done, DDS will open two (2) logs: Please paste both in your next reply.
      [o] DDS.txt
      [o] Attach.txt
    • Close the program window, and delete the program from your desktop.
    • Enable your Antivirus protection and reconnect to the internet.
    Please note: You may have to disable any script protection running if the scan fails to run.
    ======================================
    If you cannot run a program following each direction in the order I have given it, tell me what happens when you try.
     
  3. Hurriken

    Hurriken TS Booster Topic Starter Posts: 231

    Sorry, I'll answer below.


    Should I run the fix for #5 after this?
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Run the entire sequence- important that you run programs in order given.

    For the next time you have a problem and need help, although your frustrations may be great, what you need to tell us is similar to the lists of questions, which carry a description of the malware problems.

    Chuck the panic and the frustration under the kitchen sink. Cleaning is orderly and specific.

    I don't want you to try and 'trick it' into running a scan properly. Although what I am having you do running RKill could be considered 'tricking' the program into running, it is an organized and accepted way of doing it. So follow what I set up and come to me for suggestions if something doesn't work.
     
  5. Hurriken

    Hurriken TS Booster Topic Starter Posts: 231

    Ok, I will do exactly what you say. I have to go out of town tomorrow and I may or may not be back until Thursday night. This is on my home PC so of course I can't work on it while I'm gone. But I promise I will be back until this is 100% finished and cleaned.
     
  6. Hurriken

    Hurriken TS Booster Topic Starter Posts: 231

    Just to be clear, since I was able to start malwarebytes I let it run. When it is finished should I go back and run FixNCR.reg and Rkill?
     
  7. Hurriken

    Hurriken TS Booster Topic Starter Posts: 231

    I should be home Thursday.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No problem. Go ahead when you can.
     
  9. Hurriken

    Hurriken TS Booster Topic Starter Posts: 231

    Because I was struggling to get anything to work I ran malwarebytes first without updating it.

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8060

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 7.0.5730.13

    12/19/2011 5:29:47 AM
    mbam-log-2011-12-19 (05-29-47).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 409572
    Time elapsed: 3 hour(s), 20 minute(s), 34 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 6
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    c:\documents and settings\Ken\local settings\application data\qna.exe (Trojan.ExeShell.Gen) -> 1308 -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Ken\Local Settings\Application Data\qna.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Ken\Local Settings\Application Data\qna.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Ken\Local Settings\Application Data\qna.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\Ken\local settings\application data\qna.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
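    The log above shows the two changes Bobbye's description lists for this rogue: the .exe file association (HKCR\.exe\shell\open\command) and the browser StartMenuInternet entries are pointed at a random three-character executable under Local Settings\Application Data, and the Security Center notification values are flipped to 1. The following parser is an added example, not code from this thread or from Malwarebytes: it reads Malwarebytes 1.x log lines and pulls out exactly those indicators, so a helper can see at a glance which launcher the hijack wrapped and which notifications were suppressed. The sample log, the user name "User" and the rogue name "abc.exe" are constructed placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the Malwarebytes log posted in this thread.
# "User" and "abc.exe" are placeholders, not values from the original log.
SAMPLE_LOG = r"""
Memory Processes Infected:
c:\documents and settings\User\local settings\application data\abc.exe (Trojan.ExeShell.Gen) -> 1308 -> Unloaded process successfully.

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\User\Local Settings\Application Data\abc.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\User\local settings\application data\abc.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
"""

# Section headers look like "Registry Data Items Infected:" (no trailing count).
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# Every entry: <item> (<DetectionName>) -> <rest>
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[\w.]+)\) -> (?P<rest>.+)$")
# Registry data items carry the before/after values in the <rest> part.
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.+)$")
# The rogue's launcher per the description in this thread: a three-character
# name living in the user's Local Settings\Application Data folder.
ROGUE_LAUNCHER_RE = re.compile(
    r"\\local settings\\application data\\[a-z0-9]{3}\.exe$", re.IGNORECASE)


def parse_mbam_log(text: str) -> Dict[str, List[dict]]:
    """Group log entries by section; each entry is a dict with item/detection/action
    and, for registry data items, the bad and good values."""
    sections: Dict[str, List[dict]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group("name")
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entry = {"item": m.group("item"), "detection": m.group("detection"),
                 "action": m.group("rest")}
        bg = BAD_GOOD_RE.match(m.group("rest"))
        if bg:
            entry.update(bad=bg.group("bad"), good=bg.group("good"),
                         action=bg.group("action"))
        sections[current].append(entry)
    return sections


def launcher_of(command: str) -> str:
    """Return the executable a shell command line actually starts: the first
    quoted token, or else the first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def looks_like_rogue_launcher(path: str) -> bool:
    return bool(ROGUE_LAUNCHER_RE.search(path))


def summarize(text: str) -> dict:
    """Reduce a log to the indicators that matter for this rogue."""
    sections = parse_mbam_log(text)
    exe_hijacked = any(
        e["item"].lower().startswith("hkey_classes_root\\.exe\\shell\\open\\command")
        for e in sections.get("Registry Values Infected", []))
    suppressed: List[str] = []
    wrappers: Dict[str, str] = {}
    for e in sections.get("Registry Data Items Infected", []):
        key = e["item"]
        if "\\security center\\" in key.lower() and e.get("bad") == "1":
            suppressed.append(key.rsplit("\\", 1)[-1])
        elif "\\startmenuinternet\\" in key.lower() and "bad" in e:
            wrappers[key.split("\\")[4]] = launcher_of(e["bad"])  # index 4 = browser key
    candidates = {p.lower() for p in wrappers.values()}
    for name in ("Memory Processes Infected", "Files Infected"):
        candidates |= {e["item"].lower() for e in sections.get(name, [])}
    return {
        "exe_association_hijacked": exe_hijacked,
        "security_center_notifications_disabled": suppressed,
        "browser_launch_wrappers": wrappers,
        "rogue_launchers": sorted(p for p in candidates if looks_like_rogue_launcher(p)),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```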
     
  10. Hurriken

    Hurriken TS Booster Topic Starter Posts: 231

    I started completely over after that. I ran FixNCR and Rkill as per your instructions. Rkill gave me a log.

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 12/22/2011 at 0:40:48.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:

    C:\Documents and Settings\Ken\My Documents\My Pictures\PictureProject\NkbMonitor.exe


    Rkill completed on 12/22/2011 at 0:40:54.
     
  11. Hurriken

    Hurriken TS Booster Topic Starter Posts: 231

    After that I updated Malwarebytes and ran it again.

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 911122201

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    12/22/2011 8:11:39 AM
    mbam-log-2011-12-22 (08-11-39).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 414045
    Time elapsed: 1 hour(s), 39 minute(s), 17 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\Ken\application data\Sun\Java\deployment\cache\6.0\42\2935fea-4e79c2ae (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{cfcf99c9-62d4-4095-ba35-c03dcecbccc5}\RP254\A0075954.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
     
  12. Hurriken

    Hurriken TS Booster Topic Starter Posts: 231

    The Esetscan log is as follows:

    C:\Documents and Settings\Ken\Application Data\Sun\Java\Deployment\cache\6.0\39\2452a8e7-402863d3 multiple threats
    C:\Documents and Settings\Ken\Application Data\Sun\Java\Deployment\cache\6.0\55\51d1c3f7-14a1c623 a variant of Java/TrojanDownloader.OpenStream.NCE trojan
     
  13. Hurriken

    Hurriken TS Booster Topic Starter Posts: 231

    ...and here are both DDS logs. I will await your reply.

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_25
    Run by Ken at 11:17:36 on 2011-12-22
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3198.2340 [GMT -6:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
    C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Steam\steam.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\SupportSoft\bin\bcont.exe
    C:\Program Files\Content Manager\CmTray.exe
    C:\Documents and Settings\Ken\My Documents\My Pictures\PictureProject\NkbMonitor.exe
    C:\Program Files\Logitech\SetPoint II\SetpointII.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://my.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    uRun: [Steam] "c:\program files\steam\steam.exe" -silent
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden
    uRun: [CmTray] "c:\program files\content manager\launchCM.exe"
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [AlcWzrd] ALCWZRD.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    mRun: [CTxfiHlp] CTXFIHLP.EXE
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
    mRun: [<NO NAME>]
    mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
    mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
    mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
    mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [SonicWALLNetExtender] c:\program files\sonicwall\ssl-vpn\netextender\NEGui.exe -hideGUI -clearReboot
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    StartupFolder: c:\docume~1\ken\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-ba7e-000000000003}\_SC_Acrobat.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\documents and settings\ken\my documents\my pictures\pictureproject\NkbMonitor.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\setpoi~1.lnk - c:\program files\logitech\setpoint ii\SetpointII.exe
    IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    Trusted Zone: intuit.com\ttlc
    DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://sslvpn.demo.sonicwall.com/NELX.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
    DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15116/CTPID.cab
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\ken\application data\mozilla\firefox\profiles\jyan8p1f.default\
    FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/p/1.html
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-27 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-3-10 307928]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-3-10 19544]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-3-10 42184]
    R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2011-3-13 10384]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-6-29 2255464]
    R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 171032]
    R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1324056]
    R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 72728]
    R3 npusbio;npusbio;c:\windows\system32\drivers\npusbio.sys [2011-3-10 36384]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-3-10 119528]
    R3 NxDrv;SonicWALL NetExtender Adapter;c:\windows\system32\drivers\NxDrv.sys [2010-11-9 22600]
    S3 ALSysIO;ALSysIO;\??\c:\docume~1\ken\locals~1\temp\alsysio.sys --> c:\docume~1\ken\locals~1\temp\ALSysIO.sys [?]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2011-3-10 79360]
    S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 171032]
    S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1324056]
    S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 72728]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-25 22216]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
    S4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-25 366152]
    .
    =============== Created Last 30 ================
    .
    2011-12-22 14:21:04 -------- d-----w- c:\program files\ESET
    2011-12-18 17:42:42 -------- d-----w- c:\documents and settings\ken\application data\mm
    2011-12-14 17:28:05 -------- d-----w- c:\program files\iPod
    2011-12-14 17:28:02 -------- d-----w- c:\program files\iTunes
    2011-12-09 23:25:05 -------- d-----w- c:\program files\Content Manager
    2011-12-09 23:25:00 -------- d-----w- c:\documents and settings\ken\application data\ContentMgr_backup
    .
    ==================== Find3M ====================
    .
    2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-19 16:57:08 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-31 23:43:21 832512 ----a-w- c:\windows\system32\wininet.dll
    2011-10-31 23:43:21 78336 ----a-w- c:\windows\system32\ieencode.dll
    2011-10-31 23:43:21 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2011-10-31 23:43:20 17408 ----a-w- c:\windows\system32\corpol.dll
    2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-24 20:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 20:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    .
    ============= FINISH: 11:18:36.84 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/10/2011 8:45:45 AM
    System Uptime: 12/22/2011 8:13:14 AM (3 hours ago)
    .
    Motherboard: Gigabyte Technology Co., Ltd. | | GA-MA790X-DS4
    Processor: AMD Phenom(tm) II X4 955 Processor | Socket M2 | 3214/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 596 GiB total, 381.927 GiB free.
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
    Description: CD-ROM Drive
    Device ID: IDE\CDROMTSSTCORP_CD/DVDW_TS-H652L_______________0603____\5&B6F7694&0&0.0.0
    Manufacturer: (Standard CD-ROM drives)
    Name: TSSTcorp CD/DVDW TS-H652L
    PNP Device ID: IDE\CDROMTSSTCORP_CD/DVDW_TS-H652L_______________0603____\5&B6F7694&0&0.0.0
    Service: cdrom
    .
    ==== System Restore Points ===================
    .
    RP196: 9/24/2011 9:10:55 AM - System Checkpoint
    RP197: 9/24/2011 1:40:24 PM - Installed Comcast Desktop Software (v1.2.0.9)
    RP198: 9/25/2011 1:59:14 PM - System Checkpoint
    RP199: 9/26/2011 2:04:28 PM - System Checkpoint
    RP200: 9/27/2011 2:36:34 PM - System Checkpoint
    RP201: 9/28/2011 4:31:56 PM - System Checkpoint
    RP202: 9/29/2011 12:10:26 AM - Software Distribution Service 3.0
    RP203: 9/30/2011 8:53:44 AM - System Checkpoint
    RP204: 10/1/2011 8:26:55 PM - System Checkpoint
    RP205: 10/3/2011 7:25:27 AM - System Checkpoint
    RP206: 10/7/2011 8:14:31 PM - System Checkpoint
    RP207: 10/10/2011 1:44:51 AM - System Checkpoint
    RP208: 10/11/2011 2:29:02 AM - System Checkpoint
    RP209: 10/15/2011 1:19:22 AM - Software Distribution Service 3.0
    RP210: 10/16/2011 8:55:18 AM - System Checkpoint
    RP211: 10/17/2011 9:23:32 AM - System Checkpoint
    RP212: 10/21/2011 2:44:01 PM - System Checkpoint
    RP213: 10/22/2011 2:54:10 PM - System Checkpoint
    RP214: 10/23/2011 3:53:52 PM - System Checkpoint
    RP215: 10/24/2011 6:19:46 PM - System Checkpoint
    RP216: 10/25/2011 7:36:52 PM - System Checkpoint
    RP217: 10/28/2011 9:37:24 AM - System Checkpoint
    RP218: 10/29/2011 10:19:58 AM - System Checkpoint
    RP219: 10/30/2011 12:59:33 PM - System Checkpoint
    RP220: 10/31/2011 1:41:53 PM - System Checkpoint
    RP221: 11/1/2011 4:46:21 PM - System Checkpoint
    RP222: 11/6/2011 2:01:00 PM - System Checkpoint
    RP223: 11/7/2011 2:39:48 PM - System Checkpoint
    RP224: 11/10/2011 1:29:27 AM - Software Distribution Service 3.0
    RP225: 11/11/2011 12:03:56 AM - Software Distribution Service 3.0
    RP226: 11/12/2011 10:10:26 AM - System Checkpoint
    RP227: 11/13/2011 1:01:09 PM - System Checkpoint
    RP228: 11/14/2011 2:23:39 PM - System Checkpoint
    RP229: 11/15/2011 11:43:37 PM - System Checkpoint
    RP230: 11/17/2011 11:23:34 PM - System Checkpoint
    RP231: 11/19/2011 1:45:30 PM - System Checkpoint
    RP232: 11/20/2011 5:07:27 PM - System Checkpoint
    RP233: 11/21/2011 6:01:49 PM - System Checkpoint
    RP234: 11/22/2011 7:06:36 PM - System Checkpoint
    RP235: 11/24/2011 11:40:45 AM - System Checkpoint
    RP236: 11/25/2011 12:09:09 PM - System Checkpoint
    RP237: 11/26/2011 2:58:49 PM - System Checkpoint
    RP238: 11/27/2011 3:01:09 PM - System Checkpoint
    RP239: 11/28/2011 4:10:13 PM - System Checkpoint
    RP240: 11/29/2011 6:10:31 PM - System Checkpoint
    RP241: 12/2/2011 4:08:35 PM - System Checkpoint
    RP242: 12/3/2011 4:25:12 PM - System Checkpoint
    RP243: 12/4/2011 6:57:49 PM - System Checkpoint
    RP244: 12/7/2011 12:47:59 AM - System Checkpoint
    RP245: 12/9/2011 5:14:51 PM - System Checkpoint
    RP246: 12/9/2011 5:25:05 PM - Configured Content Manager
    RP247: 12/10/2011 6:58:49 PM - System Checkpoint
    RP248: 12/11/2011 9:52:25 PM - System Checkpoint
    RP249: 12/13/2011 9:22:44 PM - System Checkpoint
    RP250: 12/14/2011 3:00:21 AM - Software Distribution Service 3.0
    RP251: 12/15/2011 3:36:13 AM - System Checkpoint
    RP252: 12/16/2011 11:19:12 AM - System Checkpoint
    RP253: 12/17/2011 11:35:41 AM - System Checkpoint
    RP254: 12/18/2011 2:55:56 PM - System Checkpoint
    RP255: 12/22/2011 1:07:58 AM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    .
    µTorrent
    Adobe Acrobat 8 Standard
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 11 Plugin
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ARMA 2 Operation Arrowhead Uninstall
    ArmA 2 Uninstall
    ATI - Software Uninstall Utility
    avast! Free Antivirus
    BattlEye for OA Uninstall
    BattlEye Uninstall
    Bonjour
    Canon Easy-WebPrint EX
    Canon IJ Network Scan Utility
    Canon IJ Network Tool
    Canon Inkjet Printer/Scanner/Fax Extended Survey Program
    Canon MP Navigator EX 3.1
    Canon MX340 series MP Drivers
    Canon MX340 series User Registration
    Canon Speed Dial Utility
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities My Printer
    Canon Utilities Solution Menu
    Comcast Desktop Software (v1.2.0.9)
    Company of Heroes
    Company of Heroes Retail Beta
    Company of Heroes: Opposing Fronts
    Company of Heroes: Tales of Valor
    ContentManager
    Core Temp version 0.99.8
    Creative Audio Control Panel
    Creative Software AutoUpdate
    Darkest Hour: Europe '44-'45
    Day of Defeat: Source
    Draft Predictor 2011
    erLT
    FileMaker Pro 11
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB942288-v3)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    HyperLobby client
    IL-2 Sturmovik 1946
    Insurgency
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 25
    Killing Floor
    Logitech SetPoint 5.20
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Medieval II: Total War
    Memoir '44 Online
    Men of War
    Men of War: Red Tide
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Home and Student 2007
    Microsoft Office Live Meeting 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Mozilla Firefox 8.0 (x86 en-US)
    MSI Afterburner 1.5.1
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    Nikon Message Center
    NVIDIA Control Panel 280.26
    NVIDIA Graphics Driver 280.26
    NVIDIA HD Audio Driver 1.2.23.3
    NVIDIA Install Application
    NVIDIA nView 135.94
    NVIDIA nView Desktop Manager
    NVIDIA PhysX
    NVIDIA PhysX System Software 9.10.0514
    NVIDIA Update 1.4.28
    NVIDIA Update Components
    OpenAL
    PictureProject
    PictureProject In Touch Downloader 1.0
    QuickTime
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    Realtek High Definition Audio Driver
    Red Orchestra: Ostfront 41-45
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 7 (KB2482017)
    Security Update for Windows Internet Explorer 7 (KB2497640)
    Security Update for Windows Internet Explorer 7 (KB2530548)
    Security Update for Windows Internet Explorer 7 (KB2544521)
    Security Update for Windows Internet Explorer 7 (KB2559049)
    Security Update for Windows Internet Explorer 7 (KB2586448)
    Security Update for Windows Internet Explorer 7 (KB2618444)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2482017)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2510581)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Silent Hunter III
    Skype Click to Call
    Skype™ 5.5
    SonicWALL SSL-VPN NetExtender
    Steam
    Team Fortress 2
    TeamSpeak 3 Client
    Theatre of War
    Theatre of War 2: Africa 1943
    Theatre of War 2: Kursk 1943
    TrackIR4
    TurboTax 2010
    TurboTax 2010 wiliper
    TurboTax 2010 WinPerFedFormset
    TurboTax 2010 WinPerReleaseEngine
    TurboTax 2010 WinPerTaxSupport
    TurboTax 2010 wrapper
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    User's Guides
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR 4.01 (32-bit)
    WinZip 15.5
    World of Tanks closed Beta v.0.6.3.8
    Xfire (remove only)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/18/2011 7:58:25 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    12/18/2011 7:50:20 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    12/18/2011 7:50:10 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    12/18/2011 7:50:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswRdr aswSnx aswSP aswTdi Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss Tcpip
    12/18/2011 7:50:01 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    12/18/2011 7:50:01 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    12/18/2011 7:50:01 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    12/18/2011 7:50:01 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    12/18/2011 7:50:01 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    12/18/2011 7:50:01 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    .
    ==== End Of File ===========================
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Holiday Notice! I will not be working on the threads Sat. Dec. 24 or Sunday Dec. 25. I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that. Please do not send a PM during those days.
    ------------------------------------------------------
    Please update Java: Java Updates. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.

    The malware is in the Java cache so we need to clear it:
    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on the Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply > OK on the Temporary Files Settings window.
    Images courtesy java.com
    =====================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
      ***Please note: if you have downloaded Combofix to a flash drive, then run it on the infected machine> the Recovery Console will not install- just bypass and go on.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes to continue scanning for malware.
    • If Combofix asks you to update the program, allow it.
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    =======================================
    Let me know specifically what problems remain after you run Combofix.
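Added example, not part of the thread and not a tool either poster used: a small Python triage script that works offline over lines copied from the DDS log posted above (the Event Viewer block and the "Installed Programs" list) and does two things the thread otherwise leaves to eyeballing. It pulls the driver names out of the Service Control Manager 7026 event and groups them, so it is visible that the avast! kernel drivers (asw*, Aavmker4) and the XP network stack (AFD, Tcpip, NetBT, IPSec, MRxSmb, ...) all failed to load on the same boot; it pairs each 7001 event's service with the dependency that took it down (DNS Client, DHCP Client and Bonjour all trace back to the TCP/IP driver); and it parses the "Java(TM) 6 Update NN" entry the way Bobbye's post asks the user to check by hand. The driver groupings and the reference Java version are assumptions of this example, labelled as such in the code; the script reports what the log says and does not assert a cause.

```python
"""Offline triage of the DDS log excerpts quoted in this thread.

Added example, not a tool used by either poster. The sample input below is
copied from the log posted above; the driver groupings and the reference
Java version are assumptions of this example, not facts stated in the thread.
"""
import re
from collections import namedtuple

# Sample input: Event Viewer lines copied from the DDS log above.
SAMPLE_EVENTS = """\
12/18/2011 7:58:25 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
12/18/2011 7:50:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswRdr aswSnx aswSP aswTdi Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss Tcpip
12/18/2011 7:50:01 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/18/2011 7:50:01 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/18/2011 7:50:01 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/18/2011 7:50:01 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
"""

# Sample input: three entries copied from the "Installed Programs" list above.
SAMPLE_PROGRAMS = ["Java Auto Updater", "Java(TM) 6 Update 25", "Mozilla Firefox 8.0 (x86 en-US)"]

Event = namedtuple("Event", "when level source event_id message")
EVENT_RE = re.compile(
    r"^(?P<when>\S+ \S+ [AP]M), (?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)


def parse_events(text):
    """Turn DDS 'date, level: Source [id] - message' lines into Event records."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Event(m["when"], m["level"], m["source"], int(m["id"]), m["msg"]))
    return events


# Assumed groupings, used only to label output. asw*/Aavmker4 are avast! kernel
# drivers (the ComboFix log later in the thread lists aswSnx/aswSP under avast's
# path); the second set is the XP TCP/IP and SMB stack.
AV_PREFIXES = ("asw", "Aavmker")
NETWORK_STACK = {"AFD", "Tcpip", "NetBT", "NetBIOS", "IPSec", "MRxSmb", "Rdbss", "RasAcd"}


def failed_boot_drivers(events):
    """Driver names from SCM event 7026 (boot/system-start drivers that failed), by role."""
    groups = {"antivirus": [], "network_stack": [], "other": []}
    for ev in events:
        if ev.source == "Service Control Manager" and ev.event_id == 7026:
            _, _, names = ev.message.partition("failed to load:")
            for name in names.split():
                if name.startswith(AV_PREFIXES):
                    groups["antivirus"].append(name)
                elif name in NETWORK_STACK:
                    groups["network_stack"].append(name)
                else:
                    groups["other"].append(name)
    return groups


DEP_RE = re.compile(r"^The (?P<svc>.+?) service depends on the (?P<dep>.+?) service which failed to start")


def dependency_failures(events):
    """(service, dependency) pairs from SCM event 7001: services that died because a driver did."""
    pairs = []
    for ev in events:
        if ev.source == "Service Control Manager" and ev.event_id == 7001:
            m = DEP_RE.match(ev.message)
            if m:
                pairs.append((m["svc"], m["dep"]))
    return pairs


JAVA_RE = re.compile(r"^Java\(TM\) (\d+) Update (\d+)$")


def java_installs(programs, reference=(6, 29)):
    """JRE entries from an Installed Programs list. `reference` is an assumed
    'current' release to compare against, not a value taken from the thread."""
    found = []
    for entry in programs:
        m = JAVA_RE.match(entry)
        if m:
            found.append((int(m.group(1)), int(m.group(2))))
    return {"installed": found, "outdated": [v for v in found if v < reference]}


def triage(event_text=SAMPLE_EVENTS, programs=SAMPLE_PROGRAMS):
    """One report: failed drivers by role, cascaded service failures, JRE status."""
    events = parse_events(event_text)
    return {
        "drivers": failed_boot_drivers(events),
        "dependencies": dependency_failures(events),
        "java": java_installs(programs),
    }


if __name__ == "__main__":
    report = triage()
    for role, names in report["drivers"].items():
        print(f"{role:14s} {' '.join(names) or '-'}")
    for svc, dep in report["dependencies"]:
        print(f"{svc} -> failed dependency: {dep}")
    print("java:", report["java"])
```

Run it as-is to see the report for the lines above, or feed `triage()` the "Event Viewer Messages" block and "Installed Programs" block from a full DDS log. The point of the grouping is that a single 7026 event lists the AV's own drivers alongside the network stack; that co-occurrence, not any one name, is what a helper reading the log would want surfaced, and the 7001 pairs explain why DNS and DHCP were dead on that boot.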
     
  15. Hurriken

    Hurriken TS Booster Topic Starter Posts: 231

    ComboFix 11-12-23.01 - Ken 12/23/2011 14:33:06.1.4 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3198.2775 [GMT -6:00]
    Running from: c:\documents and settings\Ken\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
    c:\documents and settings\Ken\Application Data\mm
    C:\Install.exe
    c:\windows\$NtUninstallKB56583$
    c:\windows\$NtUninstallKB56583$\2552748841
    c:\windows\system32\oobe\isperror
    c:\windows\system32\oobe\isperror\ispcnerr.htm
    c:\windows\system32\oobe\isperror\ispdtone.htm
    c:\windows\system32\oobe\isperror\isphdshk.htm
    c:\windows\system32\oobe\isperror\ispins.htm
    c:\windows\system32\oobe\isperror\ispnoanw.htm
    c:\windows\system32\oobe\isperror\isppberr.htm
    c:\windows\system32\oobe\isperror\ispphbsy.htm
    c:\windows\system32\oobe\isperror\ispsbusy.htm
    c:\windows\system32\SET1C7.tmp
    c:\windows\system32\SET1CC.tmp
    c:\windows\system32\SET281.tmp
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_.redbook
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-23 to 2011-12-23 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-23 19:31 . 2011-12-23 19:31 -------- d-----w- c:\program files\Common Files\Java
    2011-12-23 19:31 . 2011-12-23 19:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-12-20 00:56 . 2011-12-20 00:56 -------- d-----w- c:\documents and settings\Sigrid\Application Data\Malwarebytes
    2011-12-14 17:28 . 2011-12-14 17:28 -------- d-----w- c:\program files\iPod
    2011-12-14 17:28 . 2011-12-14 17:28 -------- d-----w- c:\program files\iTunes
    2011-12-09 23:25 . 2011-12-10 03:41 -------- d-----w- c:\program files\Content Manager
    2011-12-09 23:25 . 2011-12-09 23:25 -------- d-----w- c:\documents and settings\Ken\Application Data\ContentMgr_backup
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-23 19:31 . 2011-05-09 01:58 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-11-23 13:25 . 2004-08-04 10:00 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-19 16:57 . 2011-05-19 13:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-01 16:07 . 2004-08-04 10:00 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-31 23:43 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
    2011-10-31 23:43 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2011-10-31 23:43 . 2004-08-04 10:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2011-10-31 23:43 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2011-10-28 05:31 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:37 . 2005-03-30 01:21 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52 . 2005-03-30 01:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-24 20:29 . 2011-10-24 20:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 20:29 . 2011-10-24 20:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-18 11:13 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-10-10 14:22 . 2011-03-10 14:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2004-08-04 10:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 16:41 . 2008-07-30 01:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 16:41 . 2004-08-04 10:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 16:41 . 2004-08-04 10:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-11-11 20:06 . 2011-03-10 17:11 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files\Steam\steam.exe" [2011-08-02 1242448]
    "Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
    "CmTray"="c:\program files\Content Manager\launchCM.exe" [2011-08-19 94208]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
    "SoundMan"="SOUNDMAN.EXE" [2008-06-19 77824]
    "AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
    "CTxfiHlp"="CTXFIHLP.EXE" [2009-06-04 25600]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2508104]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
    "IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-09-28 140640]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
    "SonicWALLNetExtender"="c:\program files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2010-11-10 1095552]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-08-03 13892200]
    "NvMediaCenter"="NvMCTray.dll" [2011-08-03 111208]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-07-05 1632360]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\documents and settings\Sigrid\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\documents and settings\Ken\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000003}\_SC_Acrobat.exe [2011-3-11 295606]
    Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
    SetPointII.lnk - c:\program files\Logitech\SetPoint II\SetpointII.exe [2009-7-21 323584]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Xfire\\Xfire.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\company of heroes\\RelicDownloader\\RelicDownloader.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bohemia Interactive\\ArmA 2\\arma2.exe"=
    "c:\\Program Files\\Bohemia Interactive\\ArmA 2\\arma2OA.exe"=
    "c:\\Program Files\\FileMaker\\FileMaker Pro 11\\FileMaker Pro.exe"=
    "c:\\Games\\World_of_Tanks_closed_Beta\\WOTLauncher.exe"=
    "c:\\Games\\World_of_Tanks_closed_Beta\\WorldOfTanks.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Ubisoft\\IL-2 Sturmovik 1946\\il2fb.exe"=
    "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
    "c:\\Program Files\\Steam\\steamapps\\hurriken42\\insurgency\\hl2.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\MissionEditor\\Editor.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\MissionEditor\\MissionGen.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\men of war red tide\\redtide.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\medieval ii total war\\Launcher.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\men of war\\mow.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\men of war\\mow_editor.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\silent hunter 3\\sh3.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\company of heroes\\RelicCOH.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\tow.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\towsetup.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\theatre of war 2 africa 1943\\Africa1943.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\theatre of war 2 africa 1943\\options.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\theatre of war ii kursk 1943\\Kursk1943.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\company of heroes beta\\RelicCOH.exe"=
    "c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\memoir '44 online\\Memoir'44 Online.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6/27/2011 7:19 PM 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/10/2011 10:33 AM 307928]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/10/2011 10:33 AM 19544]
    R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [3/13/2011 11:34 AM 10384]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [6/29/2011 6:52 PM 2255464]
    R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [6/4/2009 2:46 AM 171032]
    R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [6/4/2009 2:46 AM 1324056]
    R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [6/4/2009 2:46 AM 72728]
    R3 npusbio;npusbio;c:\windows\system32\drivers\npusbio.sys [3/10/2011 11:23 PM 36384]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [3/10/2011 9:48 PM 119528]
    R3 NxDrv;SonicWALL NetExtender Adapter;c:\windows\system32\drivers\NxDrv.sys [11/9/2010 6:51 PM 22600]
    S3 ALSysIO;ALSysIO;\??\c:\docume~1\Ken\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Ken\LOCALS~1\Temp\ALSysIO.sys [?]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [3/10/2011 10:27 PM 79360]
    S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [6/4/2009 2:46 AM 171032]
    S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [6/4/2009 2:46 AM 1324056]
    S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [6/4/2009 2:46 AM 72728]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/25/2011 3:58 PM 22216]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
    S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/25/2011 3:58 PM 366152]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://my.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: intuit.com\ttlc
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\documents and settings\Ken\Application Data\Mozilla\Firefox\Profiles\jyan8p1f.default\
    FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/p/1.html
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-BattlEye - c:\program files\Bohemia Interactive\ArmA 2BattlEye\UnInstallBE.exe
    AddRemove-BattlEye for A2 - c:\program files\Bohemia Interactive\ArmA 2BattlEye\UnInstallBE.exe
    AddRemove-BattlEye for OA - c:\program files\Bohemia Interactive\ArmA 2Expansion\BattlEye\UnInstallBE.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-23 15:06
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    CTxfiHlp = CTXFIHLP.EXE?
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1715567821-484061587-839522115-1003\Software\SecuROM\License information*]
    "datasecu"=hex:7c,03,ab,7d,bf,bc,e2,fd,12,ce,0a,a1,8d,0b,0a,bc,02,ca,3a,94,9c,
    b4,0e,b7,23,82,1a,53,d0,c1,70,62,a7,e0,99,a7,f7,95,2c,4b,38,cd,e4,a1,ff,5d,\
    "rkeysecu"=hex:48,c0,e1,8f,45,0d,6b,e4,b2,c8,72,63,af,a2,b4,6b
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3164)
    c:\windows\system32\WININET.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Creative\Shared Files\CTAudSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Canon\IJPLM\IJPLMSVC.EXE
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
    c:\windows\SOUNDMAN.EXE
    c:\windows\system32\RunDLL32.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Content Manager\CmTray.exe
    c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-23 15:13:47 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-23 21:13
    .
    Pre-Run: 409,901,191,168 bytes free
    Post-Run: 417,468,833,792 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - FE61336C10F6C0774F114C0F4411958C
     
  16. Hurriken

    Hurriken TS Booster Topic Starter Posts: 231

    So far everything seems to be fine.
     
  17. Hurriken

    Hurriken TS Booster Topic Starter Posts: 231

    By the way, Merry Christmas to you also, and thanks for all your help.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you. I had a very nice holiday. And you're welcome for the help.
    Please run the following 2 scans. Leave the logs in your next reply. We are almost finished, so be sure and let me know if any of the problems remain.

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    Folder::
    DDS::
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    RegNull::
    [HKEY_USERS\S-1-5-21-1715567821-484061587-839522115-1003\Software\SecuROM\License information*]
    Clearjavacache::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click the Start button
    7. Accept any security warnings from your browser.
      [IMG]
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
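    The CFScript above removes one firewall exception ("=-" deletes the uTorrent entry) and nulls the locked SecuROM key, and the posted ComboFix logs also show Security Center overrides and "EnableFirewall"= 0 in the Reg Loading Points section. Reading those sections by eye across a long log is error-prone, so here is an added triage helper (not part of ComboFix, and not code from this thread) that parses a ComboFix-style excerpt and flags the settings a helper would want to review: Security Center overrides, a disabled firewall profile, firewall exceptions pointing into a Temp folder, and services whose image lives in a Temp folder or could not be found at scan time. The sample log is constructed to mirror the format of the posted logs with a placeholder user name; the category names and the Temp-path rule are this example's own choices, and a flagged entry is a review item, not a verdict (a driver registered from a user's Temp folder is worth a look even when it turns out to be benign).

```python
"""Triage a ComboFix-style log excerpt for weakened host defences.

Hypothetical helper written for this thread; not part of ComboFix.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in ComboFix's format (placeholder user "User", not a real machine).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\User\\Local Settings\\Temp\\abc.exe"=
.
S3 ALSysIO;ALSysIO;\??\c:\docume~1\User\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\User\LOCALS~1\Temp\ALSysIO.sys [?]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/10/2011 10:33 AM 307928]
"""


@dataclass(frozen=True)
class Finding:
    category: str   # short tag chosen for this example
    detail: str     # the setting or path that triggered it


SECTION_RE = re.compile(r"^\[(.+)\]$")                       # [HKLM\...] header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')             # "name"=value
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$")  # R1 name;display;path [...]
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)             # any ...\Temp\... component


def _dword(value: str) -> Optional[int]:
    """Parse 'dword:00000001' or '0 (0x0)' style values; None if not numeric."""
    m = re.match(r"dword:([0-9a-f]+)", value, re.IGNORECASE)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None


def triage(log_text: str) -> list:
    """Return Finding objects for the review-worthy entries in log_text."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, path_part = m.group(2), m.group(4)
            # The image path ends at ' --> ' (resolved path) or ' [' (date/size or '[?]').
            path = re.split(r"\s-->\s|\s\[", path_part)[0]
            if TEMP_RE.search(path):
                findings.append(Finding("service_from_temp", f"{name}: {path}"))
            if path_part.endswith("[?]"):   # ComboFix could not stat the file
                findings.append(Finding("service_file_missing", f"{name}: {path}"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if section.endswith("security center"):
            if name.lower().endswith("override") and _dword(value) == 1:
                findings.append(Finding("security_center_override", name))
        elif section.endswith("firewallpolicy\\standardprofile"):
            if name.lower() == "enablefirewall" and _dword(value) == 0:
                findings.append(Finding("firewall_disabled", name))
            if name.lower() == "disablenotifications" and _dword(value) == 1:
                findings.append(Finding("firewall_notifications_off", name))
        elif section.endswith("authorizedapplications\\list"):
            path = name.replace("\\\\", "\\")   # the list stores escaped backslashes
            if TEMP_RE.search(path):
                findings.append(Finding("firewall_exception_in_temp", path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:28} {f.detail}")
```

    Paste the Reg Loading Points and service lines of a real ComboFix.txt into the string (or read the file) and the same rules apply; extend the section suffixes if you want the domain profile's firewall keys checked too.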
     
  19. Hurriken

    Hurriken TS Booster Topic Starter Posts: 231

    ComboFix 11-12-25.03 - Ken 12/26/2011 10:29:38.2.4 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3198.2527 [GMT -6:00]
    Running from: c:\documents and settings\Ken\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Ken\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-26 to 2011-12-26 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-24 15:21 . 2011-12-24 15:21 -------- d-----w- c:\program files\Content Manager
    2011-12-23 19:31 . 2011-12-23 19:31 -------- d-----w- c:\program files\Common Files\Java
    2011-12-23 19:31 . 2011-12-23 19:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-12-20 00:56 . 2011-12-20 00:56 -------- d-----w- c:\documents and settings\Sigrid\Application Data\Malwarebytes
    2011-12-14 17:28 . 2011-12-14 17:28 -------- d-----w- c:\program files\iPod
    2011-12-14 17:28 . 2011-12-14 17:28 -------- d-----w- c:\program files\iTunes
    2011-12-09 23:25 . 2011-12-09 23:25 -------- d-----w- c:\documents and settings\Ken\Application Data\ContentMgr_backup
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-23 19:31 . 2011-05-09 01:58 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-11-23 13:25 . 2004-08-04 10:00 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-19 16:57 . 2011-05-19 13:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-01 16:07 . 2004-08-04 10:00 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-31 23:43 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
    2011-10-31 23:43 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2011-10-31 23:43 . 2004-08-04 10:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2011-10-31 23:43 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2011-10-28 05:31 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:37 . 2005-03-30 01:21 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52 . 2005-03-30 01:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-24 20:29 . 2011-10-24 20:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 20:29 . 2011-10-24 20:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-18 11:13 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-10-10 14:22 . 2011-03-10 14:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2004-08-04 10:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-11-11 20:06 . 2011-03-10 17:11 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-12-23_21.07.12 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-12-26 15:52 . 2011-12-26 15:52 16384 c:\windows\Temp\Perflib_Perfdata_4c0.dat
    + 2004-08-04 10:00 . 2011-12-26 15:56 67740 c:\windows\system32\perfc009.dat
    - 2004-08-04 10:00 . 2011-12-23 21:10 67740 c:\windows\system32\perfc009.dat
    + 2004-08-04 10:00 . 2011-12-26 15:56 432784 c:\windows\system32\perfh009.dat
    - 2004-08-04 10:00 . 2011-12-23 21:10 432784 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files\Steam\steam.exe" [2011-08-02 1242448]
    "Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
    "CmTray"="c:\program files\Content Manager\launchCM.exe" [2011-08-19 94208]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
    "SoundMan"="SOUNDMAN.EXE" [2008-06-19 77824]
    "AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
    "CTxfiHlp"="CTXFIHLP.EXE" [2009-06-04 25600]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2508104]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
    "IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-09-28 140640]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
    "SonicWALLNetExtender"="c:\program files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2010-11-10 1095552]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-08-03 13892200]
    "NvMediaCenter"="NvMCTray.dll" [2011-08-03 111208]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-07-05 1632360]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\documents and settings\Sigrid\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\documents and settings\Ken\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000003}\_SC_Acrobat.exe [2011-3-11 295606]
    Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
    SetPointII.lnk - c:\program files\Logitech\SetPoint II\SetpointII.exe [2009-7-21 323584]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Xfire\\Xfire.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\company of heroes\\RelicDownloader\\RelicDownloader.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bohemia Interactive\\ArmA 2\\arma2.exe"=
    "c:\\Program Files\\Bohemia Interactive\\ArmA 2\\arma2OA.exe"=
    "c:\\Program Files\\FileMaker\\FileMaker Pro 11\\FileMaker Pro.exe"=
    "c:\\Games\\World_of_Tanks_closed_Beta\\WOTLauncher.exe"=
    "c:\\Games\\World_of_Tanks_closed_Beta\\WorldOfTanks.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Ubisoft\\IL-2 Sturmovik 1946\\il2fb.exe"=
    "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
    "c:\\Program Files\\Steam\\steamapps\\hurriken42\\insurgency\\hl2.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\MissionEditor\\Editor.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\MissionEditor\\MissionGen.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\men of war red tide\\redtide.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\medieval ii total war\\Launcher.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\men of war\\mow.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\men of war\\mow_editor.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\silent hunter 3\\sh3.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\company of heroes\\RelicCOH.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\tow.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\towsetup.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\theatre of war 2 africa 1943\\Africa1943.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\theatre of war 2 africa 1943\\options.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\theatre of war ii kursk 1943\\Kursk1943.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\company of heroes beta\\RelicCOH.exe"=
    "c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\memoir '44 online\\Memoir'44 Online.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6/27/2011 7:19 PM 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/10/2011 10:33 AM 307928]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/10/2011 10:33 AM 19544]
    R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [3/13/2011 11:34 AM 10384]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [6/29/2011 6:52 PM 2255464]
    R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [6/4/2009 2:46 AM 171032]
    R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [6/4/2009 2:46 AM 1324056]
    R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [6/4/2009 2:46 AM 72728]
    R3 npusbio;npusbio;c:\windows\system32\drivers\npusbio.sys [3/10/2011 11:23 PM 36384]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [3/10/2011 9:48 PM 119528]
    R3 NxDrv;SonicWALL NetExtender Adapter;c:\windows\system32\drivers\NxDrv.sys [11/9/2010 6:51 PM 22600]
    S3 ALSysIO;ALSysIO;\??\c:\docume~1\Ken\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Ken\LOCALS~1\Temp\ALSysIO.sys [?]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [3/10/2011 10:27 PM 79360]
    S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [6/4/2009 2:46 AM 171032]
    S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [6/4/2009 2:46 AM 1324056]
    S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [6/4/2009 2:46 AM 72728]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/25/2011 3:58 PM 22216]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
    S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/25/2011 3:58 PM 366152]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://my.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: intuit.com\ttlc
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\documents and settings\Ken\Application Data\Mozilla\Firefox\Profiles\jyan8p1f.default\
    FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/p/1.html
    FF - prefs.js: network.proxy.type - 0
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-26 10:41
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    CTxfiHlp = CTXFIHLP.EXE?
    .
    scanning hidden files ...
    .
    .
    c:\docume~1\Ken\LOCALS~1\Temp\catchme.dll 53248 bytes executable
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3168)
    c:\windows\system32\WININET.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-12-26 10:45:18
    ComboFix-quarantined-files.txt 2011-12-26 16:45
    ComboFix2.txt 2011-12-23 21:13
    .
    Pre-Run: 417,765,789,696 bytes free
    Post-Run: 417,774,223,360 bytes free
    .
    - - End Of File - - 916C8378D8537454C9FACF4D64C80EEF



    I ran Eset and it tried to reboot the computer. It got hung up during shut down...(I can see my background but everything else is gone)...I ended up hitting the power button after an hour. Not sure if Eset worked or not.
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm not clear on what happened with Eset. Since you have rebooted, please update Eset and try the scan again. Please be sure to make note of the different directions depending on which browser you're using.
     
  21. Hurriken

    Hurriken TS Booster Topic Starter Posts: 231

    I ran it again and it ran perfectly. No infected files found so no log produced. I think running it again was the right thing to do, better to be sure.

    What's next?
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, what problems remain?
     
  23. Hurriken

    Hurriken TS Booster Topic Starter Posts: 231

    I have not seen any problems since before Christmas. It seems to be running great.
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    That is very good to hear. Let's clean up the tools:

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U, it needs to be there.
      [IMG]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      • Choose Disc Cleanup
      • Click "OK" to select the partition or drive you want.
      • Click the "More Options" Tab.
      • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if you have any questions.
     
  25. Hurriken

    Hurriken TS Booster Topic Starter Posts: 231

    I ran all of the above with no issues.

    The only thing I see now that I'm unsure about is the Avast icon that is always in the start up near the clock is not there. However, if I access Avast through the start menu it seems to be running. I'm not sure if that is an issue.
     
