TechSpot

XP supposedly infected with System Check

By evtoma
Jan 21, 2012
  1. Malwarebytes Anti-Malware (Trial) 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.21.01

    Windows XP Service Pack 2 x86 NTFS
    Internet Explorer 7.0.5730.13
    maman :: HOME-9390AD840C [administrator]

    Protection: Enabled

    21.01.2012 10:42:39
    mbam-log-2012-01-21 (10-42-39).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 257401
    Time elapsed: 36 minute(s), 39 second(s)

    Memory Processes Detected: 1
    C:\Documents and Settings\All Users\Application Data\FpNsnrTURn.exe (Rogue.FakeHDD) -> 3840 -> Will be deleted on reboot.

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 7
    HKCR\AppID\{D3A39EAC-36F5-4FB6-BDD4-9908F6C4CFFF} (Adware.K.GoodJoy) -> Quarantined and deleted successfully.
    HKCR\CLSID\{D7BE8ED1-B138-48FD-BB22-9779A39130B1} (Redir.GSearch) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{A1A1E70D-58C5-4349-83B6-BE9682B9874D} (Redir.GSearch) -> Quarantined and deleted successfully.
    HKCR\Interface\{4BF423F5-1689-4003-8A05-829048C7D869} (Redir.GSearch) -> Quarantined and deleted successfully.
    HKCR\SearchBHO.CSearchBHO.1 (Redir.GSearch) -> Quarantined and deleted successfully.
    HKCR\SearchBHO.CSearchBHO (Redir.GSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7BE8ED1-B138-48FD-BB22-9779A39130B1} (Redir.GSearch) -> Quarantined and deleted successfully.

    Registry Values Detected: 3
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|FpNsnrTURn.exe (Rogue.FakeHDD) -> Data: C:\Documents and Settings\All Users\Application Data\FpNsnrTURn.exe -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{D7BE8ED1-B138-48FD-BB22-9779A39130B1} (Redir.GSearch) -> Data: -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{D7BE8ED1-B138-48FD-BB22-9779A39130B1} (Redir.GSearch) -> Data: -> Quarantined and deleted successfully.

    Registry Data Items Detected: 7
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 3
    C:\Documents and Settings\All Users\Application Data\FpNsnrTURn.exe (Rogue.FakeHDD) -> Will be deleted on reboot.
    C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\w1jqubi7.default\extensions\SearchHelper\SearchBHO.dll (Redir.GSearch) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\GpqRwrYgl5BpWB.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.

    (end)
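The log above is worth reading closely rather than skimming for "removed successfully": the Rogue.FakeHDD process was still alive (PID 3840) when the scan ran, the same binary in All Users\Application Data is only scheduled for deletion on reboot, the HKLM Run value that relaunches it at every logon points at that same file, and the PUM entries are the registry values a "System Check" style rogue flips to hide the desktop (NoDesktop = 1) and strip the Start menu (Start_Show* = 0) so the victim sees nothing but the fake disk-repair UI. The following parser is an added example written for this page, not part of the thread or of Malwarebytes; it works over a constructed subset of the log above, in the English wording of the translated log, and pulls out exactly those facts: what is still pending a reboot, which autorun pointed at which file, and which UI policies were tampered with. The action and section strings it matches are assumed to follow the shapes visible in the log.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the Malwarebytes log above (English wording).
# Line shapes relied on: "<section> Detected: <n>" and
# "<object> (<family>) -> [<extra> -> ...] <action>".
SAMPLE_LOG = r"""
Memory Processes Detected: 1
C:\Documents and Settings\All Users\Application Data\FpNsnrTURn.exe (Rogue.FakeHDD) -> 3840 -> Will be deleted on reboot.

Registry Keys Detected: 2
HKCR\AppID\{D3A39EAC-36F5-4FB6-BDD4-9908F6C4CFFF} (Adware.K.GoodJoy) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7BE8ED1-B138-48FD-BB22-9779A39130B1} (Redir.GSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|FpNsnrTURn.exe (Rogue.FakeHDD) -> Data: C:\Documents and Settings\All Users\Application Data\FpNsnrTURn.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{D7BE8ED1-B138-48FD-BB22-9779A39130B1} (Redir.GSearch) -> Data: -> Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Files Detected: 2
C:\Documents and Settings\All Users\Application Data\FpNsnrTURn.exe (Rogue.FakeHDD) -> Will be deleted on reboot.
C:\Documents and Settings\All Users\Application Data\GpqRwrYgl5BpWB.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.

(end)
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Detected): (?P<count>\d+)$")
DETECTION_RE = re.compile(r"^(?P<object>.+?) \((?P<family>[A-Za-z0-9_.]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"^Bad: \((\d+)\) Good: \((\d+)\)$")


@dataclass
class Detection:
    section: str            # e.g. "Registry Values Detected"
    obj: str                # path, registry key, or key|value
    family: str             # e.g. Rogue.FakeHDD
    action: str             # what MBAM did (or could not yet do)
    pid: Optional[int] = None    # only for running processes
    data: Optional[str] = None   # registry value data (None when empty)
    bad: Optional[int] = None    # tampered value found (registry data items)
    good: Optional[int] = None   # value MBAM restored

    @property
    def pending_reboot(self) -> bool:
        # "Will be deleted on reboot" means the object was still present when the log was written.
        return "reboot" in self.action.lower()


def parse_log(text: str) -> List[Detection]:
    """Parse the detection sections of an MBAM log into Detection records."""
    detections: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m["section"]
            continue
        m = DETECTION_RE.match(line)
        if not m or section is None:
            continue
        parts = [p.strip() for p in m["rest"].split(" -> ")]
        det = Detection(section, m["object"], m["family"], action=parts[-1])
        for extra in parts[:-1]:           # everything between object and action
            if extra.isdigit():
                det.pid = int(extra)
            elif extra.startswith("Data:"):
                det.data = extra[len("Data:"):].strip() or None
            elif bg := BAD_GOOD_RE.match(extra):
                det.bad, det.good = int(bg[1]), int(bg[2])
        detections.append(det)
    return detections


def summarize(detections: List[Detection]) -> Dict[str, object]:
    """Facts a responder needs before declaring the box clean."""
    return {
        "total": len(detections),
        "by_family": Counter(d.family for d in detections),
        # Objects still on disk / in memory: the machine is not clean until rebooted and rescanned.
        "pending_reboot": sorted({d.obj for d in detections if d.pending_reboot}),
        # Logon autoruns, with the binary they launched (Data).
        "autoruns": [d for d in detections if "\\CurrentVersion\\Run|" in d.obj],
        # Explorer policy values the rogue flipped to hide the desktop / Start menu.
        "policy_tampering": [d for d in detections if d.bad is not None],
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    print("families:", dict(report["by_family"]))
    print("pending reboot:", report["pending_reboot"])
    for d in report["autoruns"]:
        print("autorun", d.obj, "->", d.data)
    for d in report["policy_tampering"]:
        print("tampered", d.obj.rsplit("|", 1)[1], "bad", d.bad, "good", d.good)
```

The non-empty `pending_reboot` list is the practical answer to "is it clean yet": the quarantine entries for the registry are final, but the rogue's executable was still present and running, so the result has to be re-checked after the reboot MBAM asks for.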
     
  2. evtoma


    GMER

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-01-21 13:42:33
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Scsi\nvgts1Port2Path1Target1Lun0 Hitachi_ rev.ST2O
    Running: orowvxjp.exe; Driver: C:\DOCUME~1\maman\LOCALS~1\Temp\pgxyqkoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xAF67AF74]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xAF67B00C]

    Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
    Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
    AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
    AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
    AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)

    ---- EOF - GMER 1.0.15 ----
     
  3. evtoma


    DDS report

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_29
    Run by maman at 13:46:03 on 2012-01-21
    Microsoft Windows XP Professional 5.1.2600.2.1250.40.1033.18.1791.1019 [GMT 2:00]
    .
    AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Internet Security *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\TeamViewer\Version4\TeamViewer.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
    C:\Program Files\FreePDF_XP\fpassist.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\VM_STI.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\CNAB4RPK.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Secunia\PSI\PSIA.exe
    C:\Program Files\Secunia\PSI\PSI_TRAY.exe
    C:\Program Files\Secunia\PSI\psi.exe
    C:\Program Files\Secunia\PSI\sua.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\maman\My Documents\Descărcări\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    mStart Page = hxxp://start.allgameshome.com/
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
    BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2011\ievkbd.dll
    BHO: Softonic English Toolbar: {930f1200-f5f1-4870-bac6-e233ec8e7023} - c:\program files\softonic_english\tbSof1.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar.dll
    BHO: MyPlayCity Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: {EEE6C35C-6118-11DC-9C72-001320C79847} - No File
    BHO: TBSB00808 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\allgameshome toolbar\tbcore3.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    BHO: BS Player Toolbar: {fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5} - c:\program files\bs_player\prxtbBS_0.dll
    TB: Softonic English Toolbar: {930f1200-f5f1-4870-bac6-e233ec8e7023} - c:\program files\softonic_english\tbSof1.dll
    TB: Subtitles.com.br FileBulldog Toolbar: {338b4dfe-2e2c-4338-9e41-e176d497299e} - c:\program files\subtitles.com.br filebulldog toolbar\tbcore3.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar.dll
    TB: MyPlayCity Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: AllGamesHome Toolbar: {5fc86fb3-a8b1-400b-8be7-0eaf0d857f5d} - c:\program files\allgameshome toolbar\tbcore3.dll
    TB: BS Player Toolbar: {fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5} - c:\program files\bs_player\prxtbBS_0.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
    mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe"
    mRun: [FreePDF Assistant] c:\program files\freepdf_xp\fpassist.exe
    mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1
    mRun: [BigDogPath] c:\windows\VM_STI.EXE Philips SPC210NC Webcam
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [EasyDownloads] "d:\copia-program files\easy downloads\easydownloads.exe" -tray
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
    IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2011\ie_banner_deny.htm
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
    IE: {5FC86FB3-A8B1-400B-8BE7-0EAF0D857F5D} - {5FC86FB3-A8B1-400B-8BE7-0EAF0D857F5D} - c:\program files\allgameshome toolbar\tbcore3.dll
    IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    TCP: DhcpNameServer = 95.77.94.88 78.96.7.88
    TCP: Interfaces\{4E786DC3-5AF6-4721-9E2D-96B963882B6B} : DhcpNameServer = 95.77.94.88 78.96.7.88
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: klogon - c:\windows\system32\klogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\maman\application data\mozilla\firefox\profiles\5o0ar2p0.default\
    FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: d:\depozit\pachete\picasa3\npPicasa3.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]
    R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]
    R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-3-20 475736]
    R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe [2010-11-2 365336]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-21 652872]
    R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-10-14 994360]
    R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-10-14 399416]
    R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-8-24 185640]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-21 20464]
    R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-10-25 1617408]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-5 136176]
    S3 AMBFilt;AMBFilt;c:\windows\system32\drivers\Ambfilt.sys [2009-9-26 1656960]
    S3 AsrCDDrv;AsrCDDrv;\??\c:\windows\system32\drivers\asrcddrv.sys --> c:\windows\system32\drivers\AsrCDDrv.sys [?]
    S3 cpuz135;cpuz135;\??\c:\docume~1\test\locals~1\temp\cpuz135\cpuz135_x32.sys --> c:\docume~1\test\locals~1\temp\cpuz135\cpuz135_x32.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-5 136176]
    S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\mcafee security scan\2.0.181\mcchsvc.exe" --> c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [?]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-2-6 136704]
    S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-2-6 8320]
    S4 Joulemeter Service;Joulemeter Service;"d:\copia-program files\joulemeterservice.exe" --> d:\copia-program files\JoulemeterService.exe [?]
    .
    =============== Created Last 30 ================
    .
    2012-01-21 11:40:09 -------- d-----w- c:\windows\IrfanView
    2012-01-21 11:34:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-01-21 11:34:51 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2012-01-21 11:34:51 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-01-21 11:29:01 -------- d-----w- c:\documents and settings\maman\local settings\application data\Secunia PSI
    2012-01-21 11:28:38 -------- d-----w- c:\program files\Secunia
    2012-01-21 08:39:33 -------- d-----w- c:\documents and settings\maman\application data\Malwarebytes
    2012-01-21 08:39:00 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-01-21 08:38:59 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-21 08:38:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-21 07:50:20 -------- d-----w- c:\documents and settings\maman\local settings\application data\Mozilla
    2012-01-20 21:13:42 -------- d-----w- c:\documents and settings\maman\local settings\application data\Microsoft
    2012-01-12 11:45:03 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
    2012-01-12 11:45:03 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
    2012-01-12 11:45:03 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
    2012-01-12 11:45:03 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
    2011-12-24 22:20:22 -------- d-----w- C:\spoolerlogs
    .
    ==================== Find3M ====================
    .
    2012-01-21 11:42:14 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-29 21:35:09 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
    .
    ============= FINISH: 13:46:42,31 ===============
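The Pseudo HJT section of the DDS report above is the inventory a helper actually triages: six third-party toolbars, several of them registered both as a BHO and as a TB, one BHO whose DLL no longer exists ("No File"), the same tbcore3.dll file name behind differently branded toolbars, and an IE start page pointing at the domain of one of those toolbars. The following triage script is an added example for this page, not part of the thread or of the DDS tool; it parses constructed sample lines taken from the report above plus one invented mRun line that reproduces the FpNsnrTURn.exe autorun from the Malwarebytes log (the DDS run happened after that value had already been removed, so the real report does not contain it). The four rules are heuristics of my own, not DDS output.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: BHO/TB/Run/start-page lines copied from the DDS Pseudo HJT report above.
# The last mRun line is invented for illustration from the Run value in the Malwarebytes log.
SAMPLE_HJT = r"""
mStart Page = hxxp://start.allgameshome.com/
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Softonic English Toolbar: {930f1200-f5f1-4870-bac6-e233ec8e7023} - c:\program files\softonic_english\tbSof1.dll
BHO: MyPlayCity Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: {EEE6C35C-6118-11DC-9C72-001320C79847} - No File
BHO: TBSB00808 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\allgameshome toolbar\tbcore3.dll
TB: Softonic English Toolbar: {930f1200-f5f1-4870-bac6-e233ec8e7023} - c:\program files\softonic_english\tbSof1.dll
TB: Subtitles.com.br FileBulldog Toolbar: {338b4dfe-2e2c-4338-9e41-e176d497299e} - c:\program files\subtitles.com.br filebulldog toolbar\tbcore3.dll
TB: AllGamesHome Toolbar: {5fc86fb3-a8b1-400b-8be7-0eaf0d857f5d} - c:\program files\allgameshome toolbar\tbcore3.dll
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe"
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [FpNsnrTURn.exe] C:\Documents and Settings\All Users\Application Data\FpNsnrTURn.exe
"""

BHO_TB_RE = re.compile(r"^(?P<kind>BHO|TB): (?:(?P<name>.*?): )?(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<kind>[umd]Run): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
START_RE = re.compile(r"^[um]Start Page = (?P<url>\S+)$")


@dataclass
class Entry:
    kind: str              # BHO, TB, mRun/uRun/dRun, or StartPage
    name: Optional[str]    # display name; None for unnamed BHO or start page
    target: str            # DLL path, autorun command line, or URL


def parse_hjt(text: str) -> List[Entry]:
    """Extract the add-on, autorun and start-page lines of a DDS/HJT-style report."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := BHO_TB_RE.match(line):
            entries.append(Entry(m["kind"], m["name"], m["path"]))
        elif m := RUN_RE.match(line):
            entries.append(Entry(m["kind"], m["name"], m["cmd"]))
        elif m := START_RE.match(line):
            entries.append(Entry("StartPage", None, m["url"]))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings; rules are this example's heuristics, not DDS output."""
    findings: List[Tuple[str, str]] = []
    addons = [e for e in entries if e.kind in ("BHO", "TB")]

    # 1. A BHO still registered although its DLL is gone: leftover of a removed or half-removed add-on.
    for e in addons:
        if e.target.lower() == "no file":
            findings.append(("orphaned-bho", f"{e.kind} {e.name or '(unnamed)'} -> No File"))

    # 2. One DLL file name behind several differently branded toolbars (bundled toolbar engines).
    names_by_dll: Dict[str, Set[str]] = defaultdict(set)
    for e in addons:
        if e.name and e.target.lower() != "no file":
            names_by_dll[e.target.rsplit("\\", 1)[-1].lower()].add(e.name)
    for dll, names in sorted(names_by_dll.items()):
        if len(names) > 1:
            findings.append(("shared-toolbar-core", f"{dll} serves {len(names)} toolbars: {', '.join(sorted(names))}"))

    # 3. Start page whose host matches the brand of an installed toolbar: a search/home-page takeover.
    brands = " ".join(re.sub(r"[^a-z0-9]", "", (e.name or "").lower()) for e in addons)
    for e in entries:
        if e.kind != "StartPage":
            continue
        host = re.sub(r"^hxxps?://|^https?://", "", e.target).split("/")[0]
        for label in host.lower().split("."):
            if len(label) >= 5 and label in brands:
                findings.append(("start-page-hijack", f"{e.target} matches toolbar brand '{label}'"))
                break

    # 4. Logon autorun launched from a user profile instead of Program Files / Windows (the FakeHDD pattern).
    for e in entries:
        if e.kind.endswith("Run") and "\\documents and settings\\" in e.target.lower():
            findings.append(("autorun-profile-path", f"{e.kind} [{e.name}] {e.target}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(parse_hjt(SAMPLE_HJT)):
        print(f"{rule:22} {detail}")
```

Rule 4 is the one that would have caught the rogue before any scanner signature did: a binary with a random name under All Users\Application Data, registered under HKLM\...\Run, is not how legitimate software installs itself on XP, whatever the file is called.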
     
  4. evtoma


    Attach file from DDS

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 25.10.2011 14:24:44
    System Uptime: 21.01.2012 11:34:08 (2 hours ago)
    .
    Motherboard: ASRock | | N68C-S UCC
    Processor: AMD Sempron(tm) Dual Core Processor 2100 | CPUSocket | 1808/200mhz
    Processor: AMD Sempron(tm) Dual Core Processor 2100 | CPUSocket | 1808/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 49 GiB total, 29,443 GiB free.
    D: is FIXED (NTFS) - 249 GiB total, 156,438 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Kaspersky Anti-Virus NDIS Miniport
    Device ID: ROOT\KL_KLIM5MP\0000
    Manufacturer: Kaspersky Lab
    Name: WAN Miniport (Network Monitor) - Kaspersky Anti-Virus NDIS Miniport
    PNP Device ID: ROOT\KL_KLIM5MP\0000
    Service: klim5
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Kaspersky Anti-Virus NDIS Miniport
    Device ID: ROOT\KL_KLIM5MP\0001
    Manufacturer: Kaspersky Lab
    Name: Hamachi Network Interface - Kaspersky Anti-Virus NDIS Miniport
    PNP Device ID: ROOT\KL_KLIM5MP\0001
    Service: klim5
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Kaspersky Anti-Virus NDIS Miniport
    Device ID: ROOT\KL_KLIM5MP\0002
    Manufacturer: Kaspersky Lab
    Name: NVIDIA nForce 10/100 Mbps Ethernet - Kaspersky Anti-Virus NDIS Miniport
    PNP Device ID: ROOT\KL_KLIM5MP\0002
    Service: klim5
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Kaspersky Anti-Virus NDIS Miniport
    Device ID: ROOT\KL_KLIM5MP\0003
    Manufacturer: Kaspersky Lab
    Name: WAN Miniport (IP) - Kaspersky Anti-Virus NDIS Miniport
    PNP Device ID: ROOT\KL_KLIM5MP\0003
    Service: klim5
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Hamachi Network Interface
    Device ID: ROOT\NET\0000
    Manufacturer: LogMeIn, Inc.
    Name: Hamachi Network Interface
    PNP Device ID: ROOT\NET\0000
    Service: hamachi
    .
    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: Nokia Windows Portable Device Driver
    Device ID: ROOT\WPD\0000
    Manufacturer: Nokia
    Name: Nokia 3110c
    PNP Device ID: ROOT\WPD\0000
    Service: WUDFRd
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    Adobe AIR
    Adobe Common File Installer
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Help Center 1.0
    Adobe Photoshop CS2
    Adobe Reader X (10.1.1)
    Adobe Stock Photos 1.0
    AllGamesHome Toolbar
    Ask Toolbar
    µTorrent
    Audacity 1.3.12 (Unicode)
    BS Player Toolbar
    BS.Player FREE
    Canon LBP2900
    ConvertHelper 2.2
    ebgcInfra
    ebgcRes
    ebgcSDK
    FreePDF XP (Remove only)
    Google Chrome
    Google Toolbar for Internet Explorer
    Google Update Helper
    GPL Ghostscript 8.71
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB960043)
    Hotfix for Windows XP (KB915865)
    Inca Ball Cave ScreenSaver
    IrfanView (remove only)
    Java Auto Updater
    Java(TM) 6 Update 29
    JavaScript Menu Builder Titanium Trial
    Kaspersky Internet Security 2011
    Kea Coloring Book 3.5.0
    Malwarebytes Anti-Malware version 1.60.0.1800
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft National Language Support Downlevel APIs
    Microsoft Primary Interoperability Assemblies 2005
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox 9.0.1 (x86 ro)
    MSVC80_x86
    MSVC80_x86_v2
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    Nero 7 Ultra Edition
    neroxml
    Nokia Connectivity Cable Driver
    Nokia PC Suite
    NVIDIA Drivers
    OpenOffice.org 3.3
    PC Connectivity Solution
    PeerGuardian 2.0
    Picasa 3
    Platform
    Realtek High Definition Audio Driver
    RedMon - Redirection Port Monitor
    Secunia PSI (2.0.0.4003)
    Skype™ 4.2
    Software Update for Web Folders
    TeamViewer 4
    TransferDesktop
    Treasure Pyramid
    Unlocker 1.9.0
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VIA Platform Device Manager
    Web Games Player Plugin
    WebFldrs XP
    Winamp
    Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.4)
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Player 11
    WinRAR archiver
    WinUtilities 9.67 Free Edition
    Yahoo! Messenger
    Yahoo! Software Update
    Yahoo! Toolbar
    YouSendIt Express
    .
    ==== Event Viewer Messages From Past Week ========
    .
    20.01.2012 23:06:20, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    20.01.2012 23:04:32, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips KLIF Processor
    20.01.2012 23:03:54, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    20.01.2012 14:53:53, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    18.01.2012 17:01:04, error: System Error [1003] - Error code 000000d1, parameter1 0000002c, parameter2 00000002, parameter3 00000000, parameter4 b6665b8f.
    15.01.2012 09:49:12, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    .
    ==== End Of File ===========================
     
  5. evtoma


    let me know...

    ... if that PC is officially clean.

    BTW, who/what is Big Blue from your random question, besides the movie?

    Thank you,

    Emil
     
  6. Broni


    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==============================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download the latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start the scan.
    On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

    NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ===========================================================

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a black screen with some data on it.
    • Right-click on the screen and click Select All.
    • Press CTRL+C
    • Open Notepad and press CTRL+V
    • Post the output back here.
     
  7. evtoma


    Hi,
    I downloaded the required software, but I didn't have enough time to finish the job, as the infected computer is 2000 km away and I understood everything is OK. Of course I have to do it, but it will take some more days.

    Thank you Broni,

    Emil
     
  8. Broni


    Keep me posted...
     