Solved Can't access antivirus site, 5 step reports

TheRealTimWells

Hello
I'm having problems accessing any antivirus site and Microsoft. I am trying to follow your 5 steps; here are my logs. If I've made a mistake or there are any other problems, please let me know; otherwise any help fixing the problem would be much appreciated.
Thanks
Tim



Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.10.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Ali :: CHANGEME1 [administrator]

Protection: Enabled

3/11/2012 12:28:09 AM
mbam-log-2012-03-11 (00-28-09).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 161070
Time elapsed: 5 minute(s), 26 second(s)

Memory Processes Detected: 2
C:\WINDOWS\system32\A58227\E54A4C.EXE (Worm.AutoRun) -> 348 -> Delete on reboot.
C:\WINDOWS\system32\216C96\V9ED2F9F.EXE (Trojan.Agent) -> 3420 -> Delete on reboot.

Memory Modules Detected: 3
C:\WINDOWS\system32\216C96\krnln.fnr (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\216C96\eAPI.fne (Worm.Autorun) -> Delete on reboot.
C:\WINDOWS\system32\216C96\dp1.fne (Worm.Autorun) -> Delete on reboot.

Registry Keys Detected: 19
HKCR\CLSID\{7952f465-ac46-4a82-b383-870f3784d1cd} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{5D79F641-C168-40DF-A32F-BACEA7509E75} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5D79F641-C168-40DF-A32F-BACEA7509E75} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{A0154E07-2B48-475C-A82A-80EFD84EA33E} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A0154E07-2B48-475C-A82A-80EFD84EA33E} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{AB56DFDE-0C14-45B3-9DF6-7B0EBA617870} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{AB56DFDE-0C14-45B3-9DF6-7B0EBA617870} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{C98D5B61-B0EA-4D48-9839-1079D352D880} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C98D5B61-B0EA-4D48-9839-1079D352D880} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{CB41FC95-F1B3-4797-8BB6-1012FF62ABBA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CB41FC95-F1B3-4797-8BB6-1012FF62ABBA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{DF22384F-CF68-4D19-969F-10423715528B} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF22384F-CF68-4D19-969F-10423715528B} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{04D2B915-19FF-41E9-994D-95DC898BEA43} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0696F815-A3A9-490A-BB14-9EC3350B1276} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8A7D2060-824D-4B17-B00A-759B1B5F30D9} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F02C0832-C85C-4B93-8C6F-9DF20121A10D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d09094b3-b426-4f16-a6d9-e211fe222127} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7895609d-c8b4-4cf5-a2c7-28223d0c3d92} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|E54A4C (Worm.AutoRun) -> Data: C:\WINDOWS\system32\A58227\E54A4C.EXE -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL|CheckedValue (PUM.Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 1
C:\Documents and Settings\Ali\Local Settings\Temp\E_N4 (Worm.Autorun) -> Delete on reboot.

Files Detected: 22
C:\WINDOWS\system32\A58227\E54A4C.EXE (Worm.AutoRun) -> Delete on reboot.
C:\Documents and Settings\Ali\Local Settings\Temp\E_N4\krnln.fnr (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Ali\Local Settings\Temp\E_N4\HtmlView.fne (HackTool.Patcher) -> Delete on reboot.
C:\Documents and Settings\Ali\Local Settings\Temp\E_N4\shell.fne (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Ali\Local Settings\Temp\E_N4\dp1.fne (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\Ali\Local Settings\Temp\E_N4\eAPI.fne (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\Ali\Local Settings\Temp\E_N4\internet.fne (HackTool.Patcher) -> Delete on reboot.
C:\WINDOWS\system32\216C96\V9ED2F9F.EXE (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\216C96\krnln.fnr (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\216C96\eAPI.fne (Worm.Autorun) -> Delete on reboot.
C:\WINDOWS\system32\216C96\dp1.fne (Worm.Autorun) -> Delete on reboot.
C:\Program Files\14res.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\14Uninstall TotalRecipeSearch.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\2bres.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\2bUninstall BetterCareerSearch.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\64res.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\64Uninstall TelevisionFanatic.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ali\Local Settings\Temp\E_N4\cnvpe.fne (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Program Files\14res.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\2bres.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\64res.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ali\Local Settings\Temp\E_N4\spec.fne (Worm.Autorun) -> Delete on reboot.

(end)


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-03-11 01:07:10
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1600BEVT-24A23T0 rev.01.01A02
Running: wnn3s7c3.exe; Driver: C:\DOCUME~1\Ali\LOCALS~1\Temp\fwdcapog.sys


---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] apxqn <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] blzjtmx <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] wofflzn <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Ali at 1:17:09 on 2012-03-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.516 [GMT 13:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Ali\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ali\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\ali\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\ali\startm~1\programs\startup\e54a4c.lnk - c:\windows\system32\a58227\E54A4C.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\lenovo\bluetooth software\BTTray.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\lenovo\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\lenovo\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\lenovo\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.caminova.net/en/downloads/getmodule.aspx?lang=en
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-3-11 652360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-3-11 20464]
S2 apxqn;Time Shell;c:\windows\system32\svchost.exe -k netsvcs [2008-4-15 14336]
S2 blzjtmx;Config System;c:\windows\system32\svchost.exe -k netsvcs [2008-4-15 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-26 136176]
S2 wofflzn;Task Universal;c:\windows\system32\svchost.exe -k netsvcs [2008-4-15 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-3-20 1691480]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-26 136176]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\rtsustor.sys --> c:\windows\system32\drivers\RtsUStor.sys [?]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
.
=============== Created Last 30 ================
.
2012-03-10 11:25:35 -------- d-----w- c:\documents and settings\ali\application data\Malwarebytes
2012-03-10 11:25:29 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-03-10 11:25:28 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-10 11:25:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-26 20:52:46 -------- d--h--w- c:\windows\system32\CF6B60
2012-02-26 20:52:46 -------- d--h--w- c:\windows\system32\A58227
2012-02-26 20:52:46 -------- d--h--w- c:\windows\system32\216C96
2012-02-26 20:52:46 -------- d--h--w- c:\windows\system32\18CB3B
2012-02-25 02:39:25 -------- d-----w- c:\program files\CCleaner
2012-02-25 02:25:46 -------- d-----w- c:\documents and settings\ali\local settings\application data\WMTools Downloaded Files
2012-02-19 20:53:03 -------- d-----w- c:\documents and settings\ali\application data\Foxit Software
2012-02-09 21:21:13 -------- d-----w- c:\program files\Foxit Software
2012-02-09 21:13:46 -------- d-----w- c:\program files\Installs
.
==================== Find3M ====================
.
.
============= FINISH: 1:23:30.93 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/21/2011 8:11:58 AM
System Uptime: 3/11/2012 12:53:40 AM (1 hours ago)
.
Motherboard: LENOVO | | Mariana2
Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | CPU | 798/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 127.989 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) WiFi Link 5100 AGN
Device ID: PCI\VEN_8086&DEV_4237&SUBSYS_12118086&REV_00\4&20975680&0&00E1
Manufacturer: Intel Corporation
Name: Intel(R) WiFi Link 5100 AGN
PNP Device ID: PCI\VEN_8086&DEV_4237&SUBSYS_12118086&REV_00\4&20975680&0&00E1
Service: NETw5x32
.
Class GUID:
Description:
Device ID: ACPI\VPC2004\0
Manufacturer:
Name:
PNP Device ID: ACPI\VPC2004\0
Service:
.
==== System Restore Points ===================
.
RP53: 12/13/2011 3:28:58 PM - System Checkpoint
RP54: 12/15/2011 12:23:05 PM - System Checkpoint
RP55: 12/22/2011 11:50:35 AM - System Checkpoint
RP56: 2/1/2012 2:52:21 PM - System Checkpoint
RP57: 2/3/2012 11:08:40 AM - System Checkpoint
RP58: 2/7/2012 9:49:14 AM - System Checkpoint
RP59: 2/9/2012 10:55:54 AM - System Checkpoint
RP60: 2/10/2012 2:40:54 PM - System Checkpoint
RP61: 2/14/2012 11:01:03 AM - System Checkpoint
RP62: 2/16/2012 9:26:04 AM - System Checkpoint
RP63: 2/20/2012 11:27:07 AM - System Checkpoint
RP64: 2/20/2012 3:09:20 PM - Unsigned driver install
RP65: 2/20/2012 3:11:50 PM - Unsigned driver install
RP66: 2/20/2012 3:35:17 PM - Unsigned driver install
RP67: 2/22/2012 2:52:25 PM - System Checkpoint
RP68: 2/24/2012 11:18:38 AM - System Checkpoint
RP69: 2/26/2012 6:03:04 PM - System Checkpoint
RP70: 3/2/2012 6:46:15 PM - System Checkpoint
RP71: 3/6/2012 10:31:34 AM - System Checkpoint
RP72: 3/9/2012 9:57:28 AM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
CCleaner
Document Express DjVu Plug-in (autoinstall)
Foxit Reader 5.1
GIMP 2.6.11
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Intel(R) Graphics Media Accelerator Driver
Java Auto Updater
Java(TM) 6 Update 24
Lenovo Bluetooth with Enhanced Data Rate Software
Malwarebytes Anti-Malware version 1.60.1.1000
MSN
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB941569)
Sereby's Updatepack - IE8 Addon Version 1.0.7
USB2.0 Card Reader Software
VLC media player 1.1.9
WebFldrs XP
Windows Driver Package - Intel (NETw5x32) net (11/17/2008 12.2.0.11)
Windows Driver Package - Intel (w29n51) net (12/19/2007 9.0.4.39)
.
==== Event Viewer Messages From Past Week ========
.
3/8/2012 9:05:12 AM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.7 with the system having network hardware address 78:A3:E4:C1:B6:57. Network operations on this system may be disrupted as a result.
3/6/2012 2:16:23 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
3/5/2012 9:32:51 AM, error: Service Control Manager [7023] - The Time Shell service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
3/5/2012 9:32:51 AM, error: Service Control Manager [7023] - The Task Universal service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
3/5/2012 9:32:51 AM, error: Service Control Manager [7023] - The Config System service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
3/5/2012 9:32:51 AM, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
3/11/2012 12:51:16 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
3/11/2012 12:50:07 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/11/2012 12:36:57 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
3/10/2012 11:55:19 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
.
==== End Of File ===========================
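As an added example (not part of any post in this thread, and not code from Malwarebytes, GMER, DDS or Kaspersky), here is a small Python script that pulls the three svchost-hosted services out of the logs above and shows why they stand out: DDS lists them as S2 (auto-start) services named apxqn, blzjtmx and wofflzn with generic display names, GMER could only see them by going around the Service Control Manager API (hence "hidden"), TDSSKiller reports them as NoAccess, and the event log shows services with exactly those display names failing DLL initialization. The script cross-references those four sources by service name and display name. The sample input is copied from the log excerpts posted above (the TDSSKiller excerpt ends before it reaches wofflzn, so that one carries one less piece of evidence); the function and label names are my own.

```python
"""Correlate service findings across the DDS, GMER, TDSSKiller and event-log excerpts above."""
import re
from collections import defaultdict

# Constructed sample input: lines copied from the logs posted in this thread.
DDS_SERVICES = r"""
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-3-11 652360]
S2 apxqn;Time Shell;c:\windows\system32\svchost.exe -k netsvcs [2008-4-15 14336]
S2 blzjtmx;Config System;c:\windows\system32\svchost.exe -k netsvcs [2008-4-15 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-26 136176]
S2 wofflzn;Task Universal;c:\windows\system32\svchost.exe -k netsvcs [2008-4-15 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-3-20 1691480]
"""
GMER_SERVICES = r"""
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] apxqn <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] blzjtmx <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] wofflzn <-- ROOTKIT !!!
"""
TDSS_LOG = r"""
13:55:11.0796 1564 amsint - ok
13:55:11.0828 1564 Suspicious service (NoAccess): apxqn
13:55:12.0203 1564 Beep - ok
13:55:12.0218 1564 Suspicious service (NoAccess): blzjtmx
"""
SCM_EVENTS = r"""
3/5/2012 9:32:51 AM, error: Service Control Manager [7023] - The Time Shell service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
3/5/2012 9:32:51 AM, error: Service Control Manager [7023] - The Task Universal service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
3/5/2012 9:32:51 AM, error: Service Control Manager [7023] - The Config System service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
3/5/2012 9:32:51 AM, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
"""

# DDS line layout: "<start> <name>;<display name>;<image path> [<date> <size>]"
DDS_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[")
GMER_RE = re.compile(r"\]\s+(\S+)\s+<-- ROOTKIT")
TDSS_RE = re.compile(r"Suspicious service \(NoAccess\):\s+(\S+)")
SCM_RE = re.compile(r"The (.+?) service terminated with the following error: "
                    r"A dynamic link library \(DLL\) initialization routine failed")


def parse_dds_services(text):
    """DDS 'SERVICES / DRIVERS' lines -> {service name: {start, display, image}}."""
    services = {}
    for line in text.splitlines():
        m = DDS_RE.match(line.strip())
        if m:
            start, name, display, image = m.groups()
            services[name] = {"start": start, "display": display, "image": image}
    return services


def parse_gmer_hidden_services(text):
    """Service names GMER marked '*** hidden ***' (not visible through the normal SCM API)."""
    hidden = set()
    for line in text.splitlines():
        m = GMER_RE.search(line)
        if m and "*** hidden ***" in line:
            hidden.add(m.group(1))
    return hidden


def parse_tdss_noaccess(text):
    """Service names TDSSKiller could not open (reported as 'Suspicious service (NoAccess)')."""
    return {m.group(1) for m in map(TDSS_RE.search, text.splitlines()) if m}


def parse_scm_dll_init_failures(text):
    """Display names of services the event log shows failing DLL initialization (event 7023)."""
    return {m.group(1) for m in map(SCM_RE.search, text.splitlines()) if m}


def correlate(dds_text, gmer_text, tdss_text, scm_text):
    """Return {service name: {display, start, svchost_hosted, evidence}} for every service
    that at least one source flags. The event log only names the display name, so it is
    mapped back to the service name through the DDS listing."""
    services = parse_dds_services(dds_text)
    by_display = {v["display"]: k for k, v in services.items()}
    evidence = defaultdict(set)
    for name in parse_gmer_hidden_services(gmer_text):
        evidence[name].add("gmer:hidden")
    for name in parse_tdss_noaccess(tdss_text):
        evidence[name].add("tdss:noaccess")
    for display in parse_scm_dll_init_failures(scm_text):
        if display in by_display:
            evidence[by_display[display]].add("scm:dll-init-failed")
    report = {}
    for name, ev in evidence.items():
        info = services.get(name, {"start": "?", "display": "?", "image": "?"})
        report[name] = {
            "display": info["display"],
            "start": info["start"],
            # A service hosted by "svchost.exe -k <group>" has no image of its own; its code is
            # a DLL named in the registry, which none of the posted logs shows.
            "svchost_hosted": "svchost.exe -k" in info["image"].lower(),
            "evidence": sorted(ev),
        }
    return report


if __name__ == "__main__":
    for name, r in sorted(correlate(DDS_SERVICES, GMER_SERVICES, TDSS_LOG, SCM_EVENTS).items()):
        host = "svchost-hosted" if r["svchost_hosted"] else "own image"
        print(f"{name:10} {r['start']} '{r['display']}' ({host}): {', '.join(r['evidence'])}")
```

None of the posted logs shows which DLL actually backs a svchost-hosted service; that is recorded under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll, which is the next thing to pull for apxqn, blzjtmx and wofflzn.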
 
Welcome aboard


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

===================================================================

Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
 
TDSS Report

Completed in safe mode, is that ok?

13:54:36.0281 1540 TDSS rootkit removing tool 2.7.19.0 Mar 5 2012 11:23:39
13:54:37.0218 1540 ============================================================
13:54:37.0218 1540 Current date / time: 2012/03/11 13:54:37.0218
13:54:37.0218 1540 SystemInfo:
13:54:37.0218 1540
13:54:37.0218 1540 OS Version: 5.1.2600 ServicePack: 3.0
13:54:37.0218 1540 Product type: Workstation
13:54:37.0218 1540 ComputerName: CHANGEME1
13:54:37.0218 1540 UserName: Ali
13:54:37.0218 1540 Windows directory: C:\WINDOWS
13:54:37.0218 1540 System windows directory: C:\WINDOWS
13:54:37.0218 1540 Processor architecture: Intel x86
13:54:37.0218 1540 Number of processors: 2
13:54:37.0218 1540 Page size: 0x1000
13:54:37.0218 1540 Boot type: Safe boot with network
13:54:37.0218 1540 ============================================================
13:54:41.0609 1540 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
13:54:41.0609 1540 \Device\Harddisk0\DR0:
13:54:41.0609 1540 MBR used
13:54:41.0609 1540 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x12A14BC1
13:54:41.0703 1540 Initialize success
13:54:41.0703 1540 ============================================================
13:55:09.0921 1564 ============================================================
13:55:09.0921 1564 Scan started
13:55:09.0921 1564 Mode: Manual;
13:55:09.0921 1564 ============================================================
13:55:11.0093 1564 Abiosdsk - ok
13:55:11.0140 1564 abp480n5 - ok
13:55:11.0234 1564 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
13:55:11.0250 1564 ACPI - ok
13:55:11.0328 1564 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
13:55:11.0328 1564 ACPIEC - ok
13:55:11.0343 1564 adpu160m - ok
13:55:11.0406 1564 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
13:55:11.0421 1564 aec - ok
13:55:11.0437 1564 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
13:55:11.0437 1564 AFD - ok
13:55:11.0453 1564 Aha154x - ok
13:55:11.0484 1564 aic78u2 - ok
13:55:11.0515 1564 aic78xx - ok
13:55:11.0562 1564 AliIde - ok
13:55:11.0687 1564 Ambfilt (267fc636801edc5ab28e14036349e3be) C:\WINDOWS\system32\drivers\Ambfilt.sys
13:55:11.0765 1564 Ambfilt - ok
13:55:11.0796 1564 amsint - ok
13:55:11.0828 1564 Suspicious service (NoAccess): apxqn
13:55:11.0875 1564 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
13:55:11.0875 1564 Arp1394 - ok
13:55:11.0890 1564 asc - ok
13:55:11.0921 1564 asc3350p - ok
13:55:11.0953 1564 asc3550 - ok
13:55:11.0968 1564 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
13:55:11.0968 1564 AsyncMac - ok
13:55:12.0031 1564 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
13:55:12.0046 1564 atapi - ok
13:55:12.0062 1564 Atdisk - ok
13:55:12.0078 1564 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
13:55:12.0093 1564 Atmarpc - ok
13:55:12.0140 1564 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
13:55:12.0140 1564 audstub - ok
13:55:12.0203 1564 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
13:55:12.0203 1564 Beep - ok
13:55:12.0218 1564 Suspicious service (NoAccess): blzjtmx
13:55:12.0296 1564 btaudio (4b43dfe1c1fbb305a1dc5504ef9bb34e) C:\WINDOWS\system32\drivers\btaudio.sys
13:55:12.0312 1564 btaudio - ok
13:55:12.0390 1564 BTDriver (2f9f111d31aa3fbbe5781d829a4524e6) C:\WINDOWS\system32\DRIVERS\btport.sys
13:55:12.0390 1564 BTDriver - ok
13:55:12.0468 1564 BTKRNL (cf47c53d294abcb5159b02b68b37ba89) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
13:55:12.0500 1564 BTKRNL - ok
13:55:12.0609 1564 BTWDNDIS (485020a1e1fc5c51a800ca69c618d881) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
13:55:12.0609 1564 BTWDNDIS - ok
13:55:12.0640 1564 BTWUSB (6b622612fe21b59faee2ca4385959778) C:\WINDOWS\system32\Drivers\btwusb.sys
13:55:12.0640 1564 BTWUSB - ok
13:55:12.0687 1564 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
13:55:12.0687 1564 cbidf2k - ok
13:55:12.0703 1564 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
13:55:12.0703 1564 CCDECODE - ok
13:55:12.0734 1564 cd20xrnt - ok
13:55:12.0765 1564 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
13:55:12.0781 1564 Cdaudio - ok
13:55:12.0828 1564 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
13:55:12.0843 1564 Cdfs - ok
13:55:12.0859 1564 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
13:55:12.0859 1564 Cdrom - ok
13:55:12.0875 1564 Changer - ok
13:55:12.0968 1564 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
13:55:12.0968 1564 CmBatt - ok
13:55:12.0984 1564 CmdIde - ok
13:55:13.0031 1564 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
13:55:13.0046 1564 Compbatt - ok
13:55:13.0093 1564 Cpqarray - ok
13:55:13.0125 1564 dac2w2k - ok
13:55:13.0156 1564 dac960nt - ok
13:55:13.0250 1564 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
13:55:13.0250 1564 Disk - ok
13:55:13.0343 1564 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
13:55:13.0359 1564 dmboot - ok
13:55:13.0375 1564 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
13:55:13.0390 1564 dmio - ok
13:55:13.0421 1564 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
13:55:13.0421 1564 dmload - ok
13:55:13.0484 1564 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
13:55:13.0484 1564 DMusic - ok
13:55:13.0531 1564 dpti2o - ok
13:55:13.0562 1564 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
13:55:13.0562 1564 drmkaud - ok
13:55:13.0640 1564 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
13:55:13.0640 1564 Fastfat - ok
13:55:13.0687 1564 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
13:55:13.0687 1564 Fdc - ok
13:55:13.0734 1564 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
13:55:13.0734 1564 Fips - ok
13:55:13.0765 1564 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
13:55:13.0765 1564 Flpydisk - ok
13:55:13.0796 1564 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
13:55:13.0796 1564 FltMgr - ok
13:55:13.0843 1564 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
13:55:13.0843 1564 Fs_Rec - ok
13:55:13.0859 1564 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
13:55:13.0875 1564 Ftdisk - ok
13:55:13.0890 1564 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
13:55:13.0906 1564 Gpc - ok
13:55:14.0031 1564 hamachi (833051c6c6c42117191935f734cfbd97) C:\WINDOWS\system32\DRIVERS\hamachi.sys
13:55:14.0031 1564 hamachi - ok
13:55:14.0078 1564 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
13:55:14.0078 1564 HDAudBus - ok
13:55:14.0156 1564 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
13:55:14.0156 1564 hidusb - ok
13:55:14.0187 1564 hpn - ok
13:55:14.0234 1564 HTTP (937031c085718c1c04a9c0864625ec6b) C:\WINDOWS\system32\Drivers\HTTP.sys
13:55:14.0234 1564 HTTP - ok
13:55:14.0265 1564 i2omgmt - ok
13:55:14.0296 1564 i2omp - ok
13:55:14.0359 1564 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
13:55:14.0359 1564 i8042prt - ok
13:55:14.0625 1564 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
13:55:14.0843 1564 ialm - ok
13:55:14.0875 1564 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
13:55:14.0875 1564 Imapi - ok
13:55:14.0921 1564 ini910u - ok
13:55:15.0203 1564 IntcAzAudAddService (f1f02e3a61342d7159c7efd22564ee93) C:\WINDOWS\system32\drivers\RtkHDAud.sys
13:55:15.0421 1564 IntcAzAudAddService - ok
13:55:15.0437 1564 IntelIde - ok
13:55:15.0484 1564 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
13:55:15.0484 1564 intelppm - ok
13:55:15.0531 1564 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
13:55:15.0531 1564 Ip6Fw - ok
13:55:15.0562 1564 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
13:55:15.0562 1564 IpFilterDriver - ok
13:55:15.0578 1564 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
13:55:15.0578 1564 IpInIp - ok
13:55:15.0625 1564 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
13:55:15.0625 1564 IpNat - ok
13:55:15.0656 1564 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
13:55:15.0656 1564 IPSec - ok
13:55:15.0718 1564 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
13:55:15.0718 1564 IRENUM - ok
13:55:15.0750 1564 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
13:55:15.0750 1564 isapnp - ok
13:55:15.0812 1564 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
13:55:15.0812 1564 Kbdclass - ok
13:55:15.0875 1564 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
13:55:15.0875 1564 kmixer - ok
13:55:15.0921 1564 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
13:55:15.0921 1564 KSecDD - ok
13:55:15.0968 1564 lbrtfdc - ok
13:55:16.0078 1564 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
13:55:16.0093 1564 MBAMProtector - ok
13:55:16.0187 1564 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
13:55:16.0187 1564 mnmdd - ok
13:55:16.0250 1564 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
13:55:16.0250 1564 Modem - ok
13:55:16.0343 1564 Monfilt (c7d9f9717916b34c1b00dd4834af485c) C:\WINDOWS\system32\drivers\Monfilt.sys
13:55:16.0390 1564 Monfilt - ok
13:55:16.0453 1564 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
13:55:16.0453 1564 Mouclass - ok
13:55:16.0484 1564 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
13:55:16.0484 1564 mouhid - ok
13:55:16.0515 1564 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
13:55:16.0515 1564 MountMgr - ok
13:55:16.0531 1564 mraid35x - ok
13:55:16.0562 1564 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
13:55:16.0562 1564 MRxDAV - ok
13:55:16.0625 1564 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
13:55:16.0640 1564 MRxSmb - ok
13:55:16.0671 1564 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
13:55:16.0687 1564 Msfs - ok
13:55:16.0734 1564 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
13:55:16.0750 1564 MSKSSRV - ok
13:55:16.0765 1564 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
13:55:16.0765 1564 MSPCLOCK - ok
13:55:16.0812 1564 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
13:55:16.0812 1564 MSPQM - ok
13:55:16.0859 1564 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
13:55:16.0859 1564 mssmbios - ok
13:55:16.0906 1564 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
13:55:16.0906 1564 MSTEE - ok
13:55:16.0953 1564 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
13:55:16.0953 1564 Mup - ok
13:55:17.0000 1564 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
13:55:17.0000 1564 NABTSFEC - ok
13:55:17.0046 1564 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
13:55:17.0046 1564 NDIS - ok
13:55:17.0109 1564 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
13:55:17.0109 1564 NdisIP - ok
13:55:17.0140 1564 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
13:55:17.0140 1564 NdisTapi - ok
13:55:17.0171 1564 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
13:55:17.0187 1564 Ndisuio - ok
13:55:17.0203 1564 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
13:55:17.0203 1564 NdisWan - ok
13:55:17.0218 1564 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
13:55:17.0234 1564 NDProxy - ok
13:55:17.0265 1564 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
13:55:17.0265 1564 NetBIOS - ok
13:55:17.0296 1564 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
13:55:17.0296 1564 NetBT - ok
13:55:17.0531 1564 NETw5x32 (05743fffc2bc88cc8e426321bc6a762e) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
13:55:17.0671 1564 NETw5x32 - ok
13:55:17.0703 1564 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
13:55:17.0718 1564 NIC1394 - ok
13:55:17.0765 1564 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
13:55:17.0765 1564 Npfs - ok
13:55:17.0828 1564 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
13:55:17.0859 1564 Ntfs - ok
13:55:17.0906 1564 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
13:55:17.0906 1564 Null - ok
13:55:17.0953 1564 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
13:55:17.0953 1564 NwlnkFlt - ok
13:55:17.0968 1564 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
13:55:17.0968 1564 NwlnkFwd - ok
13:55:18.0015 1564 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
13:55:18.0015 1564 ohci1394 - ok
13:55:18.0078 1564 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
13:55:18.0093 1564 Parport - ok
13:55:18.0109 1564 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
13:55:18.0109 1564 PartMgr - ok
13:55:18.0171 1564 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
13:55:18.0187 1564 ParVdm - ok
13:55:18.0234 1564 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
13:55:18.0234 1564 PCI - ok
13:55:18.0250 1564 PCIDump - ok
13:55:18.0312 1564 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
13:55:18.0312 1564 PCIIde - ok
13:55:18.0359 1564 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
13:55:18.0359 1564 Pcmcia - ok
13:55:18.0375 1564 PDCOMP - ok
13:55:18.0406 1564 PDFRAME - ok
13:55:18.0437 1564 PDRELI - ok
13:55:18.0453 1564 PDRFRAME - ok
13:55:18.0484 1564 perc2 - ok
13:55:18.0515 1564 perc2hib - ok
13:55:18.0640 1564 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
13:55:18.0640 1564 PptpMiniport - ok
13:55:18.0656 1564 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
13:55:18.0656 1564 Processor - ok
13:55:18.0703 1564 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
13:55:18.0703 1564 PSched - ok
13:55:18.0750 1564 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
13:55:18.0750 1564 Ptilink - ok
13:55:18.0765 1564 ql1080 - ok
13:55:18.0796 1564 Ql10wnt - ok
13:55:18.0828 1564 ql12160 - ok
13:55:18.0843 1564 ql1240 - ok
13:55:18.0875 1564 ql1280 - ok
13:55:18.0906 1564 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
13:55:18.0921 1564 RasAcd - ok
13:55:18.0984 1564 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
13:55:18.0984 1564 Rasl2tp - ok
13:55:19.0015 1564 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
13:55:19.0015 1564 RasPppoe - ok
13:55:19.0078 1564 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
13:55:19.0078 1564 Raspti - ok
13:55:19.0109 1564 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
13:55:19.0109 1564 Rdbss - ok
13:55:19.0125 1564 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
13:55:19.0125 1564 RDPCDD - ok
13:55:19.0203 1564 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
13:55:19.0218 1564 rdpdr - ok
13:55:19.0265 1564 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
13:55:19.0265 1564 RDPWD - ok
13:55:19.0328 1564 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
13:55:19.0328 1564 redbook - ok
13:55:19.0421 1564 RSUSBSTOR - ok
13:55:19.0500 1564 RTLE8023xp (832f27e6962a14ebf3b09af0e65fd7b4) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
13:55:19.0500 1564 RTLE8023xp - ok
13:55:19.0515 1564 RtsUIR - ok
13:55:19.0593 1564 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
13:55:19.0593 1564 Secdrv - ok
13:55:19.0640 1564 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
13:55:19.0640 1564 serenum - ok
13:55:19.0703 1564 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
13:55:19.0703 1564 Serial - ok
13:55:19.0765 1564 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
13:55:19.0765 1564 Sfloppy - ok
13:55:19.0796 1564 Simbad - ok
13:55:19.0875 1564 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
13:55:19.0890 1564 SLIP - ok
13:55:19.0890 1564 Sparrow - ok
13:55:19.0953 1564 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
13:55:19.0953 1564 splitter - ok
13:55:20.0015 1564 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
13:55:20.0031 1564 sr - ok
13:55:20.0078 1564 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys
13:55:20.0093 1564 Srv - ok
13:55:20.0140 1564 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
13:55:20.0140 1564 streamip - ok
13:55:20.0156 1564 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
13:55:20.0156 1564 swenum - ok
13:55:20.0203 1564 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
13:55:20.0203 1564 swmidi - ok
13:55:20.0234 1564 symc810 - ok
13:55:20.0265 1564 symc8xx - ok
13:55:20.0281 1564 sym_hi - ok
13:55:20.0312 1564 sym_u3 - ok
13:55:20.0343 1564 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
13:55:20.0343 1564 sysaudio - ok
13:55:20.0437 1564 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
13:55:20.0437 1564 Tcpip - ok
13:55:20.0515 1564 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
13:55:20.0515 1564 TDPIPE - ok
13:55:20.0546 1564 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
13:55:20.0546 1564 TDTCP - ok
13:55:20.0593 1564 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
13:55:20.0593 1564 TermDD - ok
13:55:20.0656 1564 TosIde - ok
13:55:20.0718 1564 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
13:55:20.0718 1564 Udfs - ok
13:55:20.0734 1564 ultra - ok
13:55:20.0812 1564 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
13:55:20.0812 1564 Update - ok
13:55:20.0906 1564 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
13:55:20.0906 1564 usbccgp - ok
13:55:20.0921 1564 USBCCID - ok
13:55:20.0984 1564 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
13:55:20.0984 1564 usbehci - ok
13:55:21.0015 1564 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
13:55:21.0031 1564 usbhub - ok
13:55:21.0062 1564 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
13:55:21.0062 1564 usbohci - ok
13:55:21.0140 1564 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
13:55:21.0140 1564 usbscan - ok
13:55:21.0187 1564 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
13:55:21.0187 1564 USBSTOR - ok
13:55:21.0234 1564 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
13:55:21.0234 1564 usbuhci - ok
13:55:21.0296 1564 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
13:55:21.0312 1564 usbvideo - ok
13:55:21.0343 1564 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
13:55:21.0359 1564 VgaSave - ok
13:55:21.0359 1564 ViaIde - ok
13:55:21.0437 1564 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
13:55:21.0453 1564 VolSnap - ok
13:55:21.0500 1564 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
13:55:21.0500 1564 Wanarp - ok
13:55:21.0531 1564 WDICA - ok
13:55:21.0593 1564 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
13:55:21.0593 1564 wdmaud - ok
13:55:21.0734 1564 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
13:55:21.0734 1564 WmiAcpi - ok
13:55:21.0781 1564 Suspicious service (NoAccess): wofflzn
13:55:21.0859 1564 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
13:55:21.0859 1564 WSTCODEC - ok
13:55:21.0921 1564 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
13:55:21.0937 1564 WudfPf - ok
13:55:21.0953 1564 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
13:55:21.0953 1564 WudfRd - ok
13:55:22.0078 1564 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
13:55:22.0281 1564 \Device\Harddisk0\DR0 - ok
13:55:22.0296 1564 Boot (0x1200) (1e442660cef99b8c28f9cbfd3969c8bc) \Device\Harddisk0\DR0\Partition0
13:55:22.0296 1564 \Device\Harddisk0\DR0\Partition0 - ok
13:55:22.0312 1564 ============================================================
13:55:22.0312 1564 Scan finished
13:55:22.0312 1564 ============================================================
13:55:22.0343 1556 Detected object count: 0
13:55:22.0343 1556 Actual detected object count: 0
 
Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

================================================================

Download Bootkit Remover to your desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
Run date: 2012-03-11 14:59:03
-----------------------------
14:59:03.718 OS Version: Windows 5.1.2600 Service Pack 3
14:59:03.718 Number of processors: 2 586 0x1C02
14:59:03.718 ComputerName: CHANGEME1 UserName: Ali
14:59:04.328 Initialize success
14:59:12.015 AVAST engine download error: 0
14:59:49.093 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
14:59:49.109 Disk 0 Vendor: WDC_WD1600BEVT-24A23T0 01.01A02 Size: 152627MB BusType: 3
14:59:49.125 Disk 0 MBR read successfully
14:59:49.140 Disk 0 MBR scan
14:59:49.140 Disk 0 Windows XP default MBR code
14:59:49.140 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152617 MB offset 63
14:59:49.140 Disk 0 scanning sectors +312560640
14:59:49.234 Disk 0 scanning C:\WINDOWS\system32\drivers
14:59:55.890 Service scanning
15:00:10.218 Modules scanning
15:00:17.468 Disk 0 trace - called modules:
15:00:17.515 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
15:00:17.515 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d36ab8]
15:00:17.515 3 CLASSPNP.SYS[f750efd7] -> nt!IofCallDriver -> \Device\00000065[0x86dcab10]
15:00:17.531 5 ACPI.sys[f7385620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86d34940]
15:00:17.531 Scan finished successfully
15:00:55.656 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ali\Desktop\MBR.dat"
15:00:55.687 The log file has been saved successfully to "C:\Documents and Settings\Ali\Desktop\aswMBR.txt"


Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...
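
TDSSKiller hashed the MBR code and the partition boot sector, aswMBR compared the MBR code with the Windows XP default and listed the partition table, and Bootkit Remover hashed the volume boot sector at offset 0x7e00. As an added example (not code from the thread or from any of those tools), the Python below parses a raw 512-byte MBR such as the MBR.dat copy aswMBR saves to the desktop, assuming that file begins with the raw sector, and runs the checks a practitioner would want to repeat offline: the 0x55AA boot signature, exactly one active partition, no overlapping table entries, and the boot-code hash compared against a reference recorded from a known-good read. The sample sector, its stub boot bytes, disk signature and reference hash are constructed here; only the partition geometry mirrors what aswMBR reported above.

```python
"""Parse and sanity-check a raw 512-byte MBR (e.g. the MBR.dat copy aswMBR saves,
assumed to start with the raw sector). Added example, not from the thread's tools."""
import hashlib
import struct

PART_TYPES = {0x05: "Extended", 0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
              0x0F: "Extended LBA", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}
# boot flag, CHS start, type, CHS end, LBA start, sector count
ENTRY = struct.Struct("<B3sB3sII")


def with_partition(mbr, index, active, ptype, lba_start, sectors):
    """Return a copy of mbr with partition table entry `index` (0-3) rewritten.
    CHS fields get placeholder bytes; only the LBA fields are meaningful here."""
    out = bytearray(mbr)
    off = 446 + 16 * index
    out[off:off + 16] = ENTRY.pack(0x80 if active else 0x00, b"\xfe\xff\xff",
                                   ptype, b"\xfe\xff\xff", lba_start, sectors)
    return bytes(out)


def build_sample_mbr():
    """Constructed sector: stub boot bytes, a made-up disk signature and one active
    NTFS partition at LBA 63 of 312559616 sectors (152617 MB), as aswMBR listed above."""
    mbr = bytearray(512)
    mbr[0:8] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"   # stand-in bytes, not real XP boot code
    mbr[440:444] = b"\x12\x34\x56\x78"                # NT disk signature (constructed)
    mbr[510:512] = b"\x55\xaa"
    return with_partition(bytes(mbr), 0, True, 0x07, 63, 312559616)


def parse_mbr(mbr):
    """Decode signature, hashes and the four partition entries of the first 512 bytes."""
    mbr = bytes(mbr[:512])
    if len(mbr) != 512:
        raise ValueError("need at least 512 bytes")
    parts = []
    for i in range(4):
        boot, _, ptype, _, lba, sectors = ENTRY.unpack_from(mbr, 446 + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i + 1, "active": boot == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, "unknown"),
                      "lba_start": lba, "sectors": sectors, "size_mb": sectors // 2048})
    return {
        "signature_ok": mbr[510:512] == b"\x55\xaa",
        # Bytes 0..0x1B7 hold the boot code; the disk signature and table follow it,
        # so hash the code region separately: it should not change between reads.
        "code_md5": hashlib.md5(mbr[:0x1B8]).hexdigest(),
        "sector_md5": hashlib.md5(mbr).hexdigest(),
        "disk_signature": mbr[440:444].hex(),
        "partitions": parts,
    }


def findings(mbr, reference_code_md5=None):
    """Human-readable problems; an empty list means nothing looked wrong."""
    info = parse_mbr(mbr)
    out = []
    if not info["signature_ok"]:
        out.append("missing 0x55AA boot signature")
    active = [p["index"] for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        out.append("%d active partitions, expected exactly 1" % len(active))
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    if any(s2 < e1 for (_, e1), (s2, _) in zip(spans, spans[1:])):
        out.append("partition entries overlap")
    if reference_code_md5 and info["code_md5"] != reference_code_md5:
        out.append("boot code differs from reference MD5 %s" % reference_code_md5)
    return out


if __name__ == "__main__":
    clean = build_sample_mbr()
    ref = parse_mbr(clean)["code_md5"]       # record this from a known-good read
    print(parse_mbr(clean)["partitions"], findings(clean, ref))
    tampered = bytes([clean[0] ^ 0xFF]) + clean[1:]   # one byte of boot code changed
    print(findings(tampered, ref))
```

To check a real file, read MBR.dat in binary mode and pass the bytes to `findings()` with the code hash you recorded when the machine was known clean; MD5 is used only because that is what the tools in this thread print, so their values can be compared directly.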
 
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
  • NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe
  • Double-click on the Rkill icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
ComboFix 12-03-10.02 - Ali 03/11/2012 15:52:42.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.488 [GMT 13:00]
Running from: c:\documents and settings\Ali\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\BetterCareerSearch_2bEI
c:\program files\TelevisionFanaticEI
c:\program files\TotalRecipeSearch_14EI
.
.
((((((((((((((((((((((((( Files Created from 2012-02-11 to 2012-03-11 )))))))))))))))))))))))))))))))
.
.
2012-03-10 11:49 . 2012-03-10 11:49 -------- d-----w- c:\documents and settings\Administrator
2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\documents and settings\Ali\Application Data\Malwarebytes
2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-10 11:25 . 2011-12-10 02:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-26 20:52 . 2012-03-10 11:36 -------- d--h--w- c:\windows\system32\A58227
2012-02-26 20:52 . 2012-03-10 11:36 -------- d--h--w- c:\windows\system32\216C96
2012-02-26 20:52 . 2012-02-29 00:51 -------- d--h--w- c:\windows\system32\18CB3B
2012-02-26 20:52 . 2012-02-26 20:52 -------- d--h--w- c:\windows\system32\CF6B60
2012-02-25 02:39 . 2012-02-25 02:39 -------- d-----w- c:\program files\CCleaner
2012-02-25 02:25 . 2012-02-25 02:25 -------- d-----w- c:\documents and settings\Ali\Local Settings\Application Data\WMTools Downloaded Files
2012-02-25 01:40 . 2012-02-25 01:40 -------- d-----w- c:\windows\Sun
2012-02-19 20:53 . 2012-02-19 20:53 -------- d-----w- c:\documents and settings\Ali\Application Data\Foxit Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-11-05 . 600D58665D16BFBB776EFEFB0E80532D . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-25 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2010-06-02 19527272]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"IE8"="advpack.dll" [2009-11-05 128512]
.
c:\documents and settings\Ali\Start Menu\Programs\Startup\
E54A4C.lnk - c:\windows\system32\A58227\E54A4C.EXE [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\Lenovo\Bluetooth Software\BTTray.exe [2009-1-17 604776]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1992:TCP"= 1992:TCP:mgkavm
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/11/2012 12:25 AM 652360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/11/2012 12:25 AM 20464]
S2 apxqn;Time Shell;c:\windows\system32\svchost.exe -k netsvcs [4/15/2008 14336]
S2 blzjtmx;Config System;c:\windows\system32\svchost.exe -k netsvcs [4/15/2008 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2011 8:31 AM 136176]
S2 wofflzn;Task Universal;c:\windows\system32\svchost.exe -k netsvcs [4/15/2008 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [3/20/2011 9:38 PM 1691480]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2011 8:31 AM 136176]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys --> c:\windows\system32\Drivers\RtsUStor.sys [?]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*Deregistered* - aswMBR
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
apxqn
blzjtmx
wofflzn
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-25 19:31]
.
2012-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-25 19:31]
.
2012-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1708537768-2146881839-1003Core.job
- c:\documents and settings\Ali\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-10 23:03]
.
2012-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1708537768-2146881839-1003UA.job
- c:\documents and settings\Ali\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-10 23:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\Lenovo\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-TelevisionFanatic Browser Plugin Loader - c:\progra~1\TELEVI~2\bar\1.bin\64brmon.exe
MSConfigStartUp-TotalRecipeSearch_14 Browser Plugin Loader - c:\progra~1\TOTALR~2\bar\1.bin\14brmon.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-11 15:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\apxqn]
"ServiceDll"="c:\windows\system32\teqbzgu.dll"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\blzjtmx]
"ServiceDll"="c:\windows\system32\teqbzgu.dll"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wofflzn]
"ServiceDll"="c:\windows\system32\teqbzgu.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2932)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2012-03-11 16:00:36
ComboFix-quarantined-files.txt 2012-03-11 03:00
.
Pre-Run: 137,309,818,880 bytes free
Post-Run: 137,277,984,768 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 4BE099375C335E7E76386BAC414D9E3A
 
1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\documents and settings\Ali\Start Menu\Programs\Startup\E54A4C.lnk
c:\windows\system32\A58227\E54A4C.EXE
c:\windows\system32\teqbzgu.dll

Folder::
c:\windows\system32\A58227
c:\windows\system32\216C96
c:\windows\system32\18CB3B
c:\windows\system32\CF6B60

Driver::
apxqn
blzjtmx
wofflzn

NetSvc::
apxqn
blzjtmx
wofflzn

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\apxqn]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\blzjtmx]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wofflzn]

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
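
The ComboFix log above shows the service-based persistence: three randomly named services (apxqn, blzjtmx, wofflzn) run inside svchost.exe -k netsvcs, are listed in the NetSvcs group, and all point their ServiceDll at the same c:\windows\system32\teqbzgu.dll, which is why the CFScript removes exactly those three services and that DLL. As an added example (not code from the thread, the helper, or ComboFix), this Python script automates that correlation over lines in the format ComboFix prints: it pairs each svchost-hosted service with its ServiceDll, flags any DLL outside an allowlist of known Windows service DLLs, reports a DLL shared by several services, and drafts the matching CFScript sections. The sample log lines are constructed from the entries above, with a wuauserv pair added as a known-good control; the allowlist is partial and is an assumption to be extended from a clean machine of the same build.

```python
"""Correlate svchost-hosted services with their ServiceDll in ComboFix log text.
Added example, not part of the thread or of ComboFix itself."""
import re
from collections import defaultdict

# Constructed sample in the formats ComboFix printed above. The wuauserv pair is
# added as a known-good control; ComboFix hides default services in real logs.
SAMPLE_LOG = r"""
S2 apxqn;Time Shell;c:\windows\system32\svchost.exe -k netsvcs [4/15/2008 14336]
S2 blzjtmx;Config System;c:\windows\system32\svchost.exe -k netsvcs [4/15/2008 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2011 8:31 AM 136176]
S2 wofflzn;Task Universal;c:\windows\system32\svchost.exe -k netsvcs [4/15/2008 14336]
S2 wuauserv;Automatic Updates;c:\windows\system32\svchost.exe -k netsvcs [4/15/2008 14336]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
apxqn
blzjtmx
wofflzn
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\apxqn]
"ServiceDll"="c:\windows\system32\teqbzgu.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\blzjtmx]
"ServiceDll"="c:\windows\system32\teqbzgu.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wofflzn]
"ServiceDll"="c:\windows\system32\teqbzgu.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv]
"ServiceDll"="c:\windows\system32\wuauserv.dll"
"""

# Partial allowlist of DLLs that netsvcs-group services on Windows XP legitimately
# load (an assumption; extend it from a known-clean machine of the same build).
KNOWN_SERVICE_DLLS = {
    "wuauserv.dll", "qmgr.dll", "schedsvc.dll", "srvsvc.dll", "wkssvc.dll",
    "browser.dll", "seclogon.dll", "shsvcs.dll", "rasauto.dll", "rasmans.dll",
    "trkwks.dll", "ipnathlp.dll", "cryptsvc.dll", "srsvc.dll", "wscsvc.dll",
}
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[")   # "S2 name;display;image [..]"
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.I)
KEY_RE = re.compile(r"^\[(HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+))\]$", re.I)
DLL_RE = re.compile(r'^"ServiceDll"="(.+)"$', re.I)


def parse_combofix(text):
    """Return (services by lowercase name, NetSvcs group members, ServiceDll by lowercase name)."""
    services, netsvcs, dlls = {}, [], {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        m = SERVICE_RE.match(line)
        if m:
            name, image = m.group(1), m.group(2)
            g = SVCHOST_RE.search(image)
            services[name.lower()] = {"name": name, "image": image,
                                      "group": g.group(1).lower() if g else None}
        elif line.endswith("Svchost - NetSvcs"):
            i += 1   # the names up to the "." separator are the group members
            while i < len(lines) and lines[i].strip() not in (".", ""):
                netsvcs.append(lines[i].strip())
                i += 1
            continue
        else:
            k = KEY_RE.match(line)
            if k and i + 1 < len(lines):
                d = DLL_RE.match(lines[i + 1].strip())
                if d:
                    dlls[k.group(2).lower()] = {"key": k.group(1), "dll": d.group(1)}
        i += 1
    return services, netsvcs, dlls


def find_suspicious(services, dlls, known=KNOWN_SERVICE_DLLS):
    """svchost-hosted services with an unknown ServiceDll, and DLLs shared by several services."""
    hits, by_dll = [], defaultdict(list)
    for key, svc in services.items():
        if svc["group"] is None:
            continue   # a normal executable, not a DLL hosted by svchost
        info = dlls.get(key)
        dll = info["dll"] if info else None
        if dll:
            by_dll[dll.lower()].append(svc["name"])
        base = dll.rsplit("\\", 1)[-1].lower() if dll else None
        if base is None:
            reason = "svchost-hosted but no ServiceDll recorded"
        elif base not in known:
            reason = "ServiceDll %s is not an allowlisted Windows DLL" % base
        else:
            continue
        hits.append({"name": svc["name"], "dll": dll,
                     "key": info["key"] if info else None, "reason": reason})
    shared = {d: names for d, names in by_dll.items() if len(names) > 1}
    return hits, shared


def build_cfscript(hits, netsvcs):
    """Draft File::/Driver::/NetSvc::/Registry:: sections in the CFScript layout used above."""
    names = [h["name"] for h in hits]
    in_group = {n.lower() for n in netsvcs}
    out = ["File::"] + sorted({h["dll"] for h in hits if h["dll"]}) + [""]
    out += ["Driver::"] + names + [""]
    out += ["NetSvc::"] + [n for n in names if n.lower() in in_group] + [""]
    out += ["Registry::"] + ["[-%s]" % h["key"] for h in hits if h["key"]]
    return "\n".join(out)


if __name__ == "__main__":
    svcs, group, dll_map = parse_combofix(SAMPLE_LOG)
    found, shared = find_suspicious(svcs, dll_map)
    for h in found:
        print("%-10s %s" % (h["name"], h["reason"]))
    for dll, owners in shared.items():
        print("shared ServiceDll %s: %s" % (dll, ", ".join(owners)))
    print(build_cfscript(found, group))
```

Run it against a saved ComboFix.txt by reading the file and passing its text to `parse_combofix()`; the drafted script is a starting point to review by hand, not something to feed to ComboFix unread, since the allowlist decides what gets flagged.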
 
This is the log that has popped up after it rebooted



ComboFix 12-03-10.02 - Ali 03/11/2012 16:19:11.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.507 [GMT 13:00]
Running from: c:\documents and settings\Ali\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ali\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\Ali\Start Menu\Programs\Startup\E54A4C.lnk"
"c:\windows\system32\A58227\E54A4C.EXE"
"c:\windows\system32\teqbzgu.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\18CB3B
c:\windows\system32\18CB3B\405806.txt
c:\windows\system32\18CB3B\d02bd6.txt
c:\windows\system32\216C96
c:\windows\system32\216C96\cnvpe.fne
c:\windows\system32\216C96\HtmlView.fne
c:\windows\system32\216C96\internet.fne
c:\windows\system32\216C96\RegEx.fnr
c:\windows\system32\216C96\shell.fne
c:\windows\system32\216C96\spec.fne
c:\windows\system32\216C96\ZW7N.EXE
c:\windows\system32\A58227
c:\windows\system32\CF6B60
c:\windows\system32\CF6B60\9ab99d31.txt
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_APXQN
-------\Legacy_BLZJTMX
-------\Legacy_WOFFLZN
-------\Service_apxqn
-------\Service_blzjtmx
-------\Service_wofflzn
.
.
((((((((((((((((((((((((( Files Created from 2012-02-11 to 2012-03-11 )))))))))))))))))))))))))))))))
.
.
2012-03-10 11:49 . 2012-03-10 11:49 -------- d-----w- c:\documents and settings\Administrator
2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\documents and settings\Ali\Application Data\Malwarebytes
2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-10 11:25 . 2011-12-10 02:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-25 02:39 . 2012-02-25 02:39 -------- d-----w- c:\program files\CCleaner
2012-02-25 02:25 . 2012-02-25 02:25 -------- d-----w- c:\documents and settings\Ali\Local Settings\Application Data\WMTools Downloaded Files
2012-02-25 01:40 . 2012-02-25 01:40 -------- d-----w- c:\windows\Sun
2012-02-19 20:53 . 2012-02-19 20:53 -------- d-----w- c:\documents and settings\Ali\Application Data\Foxit Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-11-05 . 600D58665D16BFBB776EFEFB0E80532D . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-03-11_02.58.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-11 03:26 . 2012-03-11 03:26 16384 c:\windows\Temp\Perflib_Perfdata_248.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-25 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2010-06-02 19527272]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"IE8"="advpack.dll" [2009-11-05 128512]
.
c:\documents and settings\Ali\Start Menu\Programs\Startup\
E54A4C.lnk - c:\windows\system32\A58227\E54A4C.EXE [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\Lenovo\Bluetooth Software\BTTray.exe [2009-1-17 604776]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1992:TCP"= 1992:TCP:mgkavm
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/11/2012 12:25 AM 652360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/11/2012 12:25 AM 20464]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2011 8:31 AM 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [3/20/2011 9:38 PM 1691480]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2011 8:31 AM 136176]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys --> c:\windows\system32\Drivers\RtsUStor.sys [?]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-25 19:31]
.
2012-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-25 19:31]
.
2012-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1708537768-2146881839-1003Core.job
- c:\documents and settings\Ali\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-10 23:03]
.
2012-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1708537768-2146881839-1003UA.job
- c:\documents and settings\Ali\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-10 23:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\Lenovo\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-11 16:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1876)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\progra~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
c:\program files\Lenovo\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-03-11 16:29:17 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-11 03:29
ComboFix2.txt 2012-03-11 03:00
.
Pre-Run: 137,294,725,120 bytes free
Post-Run: 137,214,205,952 bytes free
.
- - End Of File - - B0446CE1F6AAAD5E33221F98DEFB041B
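A triage pass over the log above, as an added example (not part of this thread and not ComboFix's own code): it reads the Reg Loading Points and firewall-policy lines and flags the items the helper went on to act on: an autostart shortcut pointing into a hex-named folder under system32 whose target ComboFix could not stat ([N/A]), the Windows Firewall switched off, and a globally open port. The rule names and the hex-folder heuristic are my own assumptions, not ComboFix conventions; the sample lines are excerpted from the log in this post.

```python
"""Flag the risky Reg Loading Points in a ComboFix log (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines excerpted from the ComboFix log posted above,
# trimmed to the Run keys, Startup folders and firewall policy.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\documents and settings\Ali\Start Menu\Programs\Startup\
E54A4C.lnk - c:\windows\system32\A58227\E54A4C.EXE [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\Lenovo\Bluetooth Software\BTTray.exe [2009-1-17 604776]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1992:TCP"= 1992:TCP:mgkavm
"""

# One autostart entry, either a Run value ("Name"="path" [date size])
# or a Startup-folder shortcut (Foo.lnk - path [date size]).
ENTRY = re.compile(
    r'^(?:"(?P<name>[^"]+)"=|(?P<lnk>\S+\.lnk) - )'
    r'"?(?P<path>[a-z]:\\.*?)"?\s*\[(?P<meta>[^\]]*)\]\s*$',
    re.IGNORECASE,
)
# Heuristic (my assumption, not a ComboFix rule): a folder directly under
# system32 whose name is 6+ hex digits is typical of dropper-created dirs
# such as A58227 and 216C96 in this thread, not of Windows components.
HEX_DIR = re.compile(r"\\system32\\[0-9a-f]{6,}\\", re.IGNORECASE)
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
OPEN_PORT = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')


@dataclass(frozen=True)
class Finding:
    rule: str   # short rule name (my naming, assumed)
    line: str   # the log line that triggered it


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per rule hit, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if FIREWALL_OFF.match(line):
            findings.append(Finding("firewall-disabled", line))
            continue
        port = OPEN_PORT.match(line)
        if port:
            findings.append(Finding(f"globally-open-port {port['port']}/{port['proto']}", line))
            continue
        entry = ENTRY.match(line)
        if not entry:
            continue
        path, meta = entry["path"], entry["meta"].strip()
        if HEX_DIR.search(path):
            findings.append(Finding("autostart-from-hex-dir-in-system32", line))
        # [N/A] means ComboFix could not read the target's date and size:
        # the file is hidden, locked or already gone, all worth a look.
        if meta.upper() == "N/A":
            findings.append(Finding("autostart-target-unverifiable", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:40} {f.line}")
```

Run it against the whole Reg Loading Points section of any ComboFix log; the signed, dated vendor entries (igfxtray, mbamgui, BTTray) produce nothing, and only the E54A4C shortcut, the disabled firewall and the 1992/TCP exception come out, which is exactly the set the CFScript later in this thread targets plus the two firewall settings worth restoring once the machine is clean.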
 
Good news :)

At this point your computer should be fairly clean so you can allow updates to run.

When done.....

Install ONE of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- free Microsoft Security Essentials: http://windows.microsoft.com/en-GB/windows/products/security-essentials
- free Comodo Antivirus: http://www.comodo.com/home/internet-security/antivirus.php
Update, run a full scan, and report on any findings.

Next...

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\tasks\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Avast moved 32 win32:Malware-gen threats to chest, but...

C:\WINDOWS\system32\teqbzgu.dll Threat: Win32:Rootkin-gen [Rtk] Error: Access denied

Should I proceed with OTL?
Should I stop Avast and Malwarebytes while scanning with OTL?
 
1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\documents and settings\Ali\Start Menu\Programs\Startup\E54A4C.lnk
c:\windows\system32\A58227\E54A4C.EXE
C:\WINDOWS\system32\teqbzgu.dll

Folder::
c:\windows\system32\A58227

Rootkit::
C:\WINDOWS\system32\teqbzgu.dll

Registry::

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
What do you mean by stopped everything?

With Avast you should have selected "Disable permanently" so it doesn't kick in after restart.

If needed, re-run the ComboFix fix.
 
Thank you for your patience,


ComboFix 12-03-10.02 - Ali 03/12/2012 11:18:06.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.542 [GMT 13:00]
Running from: c:\documents and settings\Ali\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ali\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\documents and settings\Ali\Start Menu\Programs\Startup\E54A4C.lnk"
"c:\windows\system32\A58227\E54A4C.EXE"
"c:\windows\system32\teqbzgu.dll"
.
.
((((((((((((((((((((((((( Files Created from 2012-02-11 to 2012-03-11 )))))))))))))))))))))))))))))))
.
.
2012-03-11 04:46 . 2012-03-07 00:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-11 04:46 . 2012-03-07 00:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-11 04:46 . 2012-03-07 00:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-03-11 04:46 . 2012-03-07 00:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-11 04:46 . 2012-03-07 00:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-11 04:46 . 2012-03-07 00:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-03-11 04:46 . 2012-03-07 00:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-03-11 04:46 . 2012-03-06 23:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-03-11 04:45 . 2012-03-07 00:15 41184 ----a-w- c:\windows\avastSS.scr
2012-03-11 04:45 . 2012-03-07 00:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-11 04:45 . 2012-03-11 04:45 -------- d-----w- c:\program files\AVAST Software
2012-03-11 04:45 . 2012-03-11 04:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-03-11 04:33 . 2008-04-14 11:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2012-03-11 04:33 . 2011-08-12 00:51 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2012-03-11 04:24 . 2012-03-11 04:24 -------- d-----w- c:\windows\ie8updates
2012-03-11 04:23 . 2012-03-11 04:37 -------- d--h--w- c:\windows\$hf_mig$
2012-03-11 03:34 . 2009-11-27 17:11 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
2012-03-11 03:33 . 2009-11-27 16:07 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
2012-03-11 03:33 . 2009-11-27 16:07 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
2012-03-11 03:33 . 2011-07-15 13:29 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-03-11 03:32 . 2011-10-25 13:37 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2012-03-11 03:32 . 2011-10-25 13:33 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2012-03-11 03:32 . 2011-10-25 12:52 2069376 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2012-03-11 03:32 . 2011-10-25 12:52 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2012-03-11 03:32 . 2011-12-17 19:45 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2012-03-11 03:32 . 2011-12-17 19:45 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-03-11 03:32 . 2011-12-17 19:45 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-03-11 03:32 . 2011-12-17 19:45 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-03-11 03:32 . 2011-12-17 19:45 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-03-11 03:32 . 2011-12-17 19:45 2001408 -c----w- c:\windows\system32\dllcache\iertutil.dll
2012-03-11 03:32 . 2011-12-17 19:45 11085312 -c----w- c:\windows\system32\dllcache\ieframe.dll
2012-03-11 03:31 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-03-11 03:31 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-11 03:27 . 2009-08-06 06:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2012-03-10 11:49 . 2012-03-10 11:49 -------- d-----w- c:\documents and settings\Administrator
2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\documents and settings\Ali\Application Data\Malwarebytes
2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-10 11:25 . 2011-12-10 02:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-25 02:39 . 2012-02-25 02:39 -------- d-----w- c:\program files\CCleaner
2012-02-25 02:25 . 2012-02-25 02:25 -------- d-----w- c:\documents and settings\Ali\Local Settings\Application Data\WMTools Downloaded Files
2012-02-25 01:40 . 2012-02-25 01:40 -------- d-----w- c:\windows\Sun
2012-02-19 20:53 . 2012-02-19 20:53 -------- d-----w- c:\documents and settings\Ali\Application Data\Foxit Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 16:54 . 2009-11-10 16:54 1869056 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:45 . 2009-12-08 17:07 919552 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:45 . 2009-12-08 17:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-17 19:45 . 2009-11-05 12:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-16 12:32 . 2009-11-05 12:53 385024 ----a-w- c:\windows\system32\html.iec
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-11-05 . 600D58665D16BFBB776EFEFB0E80532D . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-03-11_02.58.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 11:02 . 2009-07-11 11:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-11 11:02 . 2009-07-11 11:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-11 11:02 . 2009-07-11 11:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-11 11:02 . 2009-07-11 11:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-11 11:02 . 2009-07-11 11:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-11 11:02 . 2009-07-11 11:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-11 11:02 . 2009-07-11 11:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-11 11:02 . 2009-07-11 11:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-11 11:02 . 2009-07-11 11:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-11 11:02 . 2009-07-11 11:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-11 11:02 . 2009-07-11 11:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-11 11:02 . 2009-07-11 11:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-11 11:05 . 2009-07-11 11:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-11 11:05 . 2009-07-11 11:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2012-03-11 22:34 . 2012-03-11 22:34 16384 c:\windows\Temp\Perflib_Perfdata_80.dat
+ 2008-11-09 20:20 . 2009-08-06 06:24 44768 c:\windows\system32\wups2.dll
+ 2011-03-20 19:07 . 2009-08-06 06:24 35552 c:\windows\system32\wups.dll
+ 2011-03-20 19:07 . 2009-08-06 06:24 53472 c:\windows\system32\wuauclt.exe
+ 2009-10-28 14:07 . 2011-11-08 13:46 46080 c:\windows\system32\tzchange.exe
- 2009-10-28 14:07 . 2009-10-28 14:07 46080 c:\windows\system32\tzchange.exe
+ 2008-04-14 11:00 . 2010-08-27 05:57 99840 c:\windows\system32\srvsvc.dll
+ 2008-04-14 11:00 . 2010-08-17 13:17 58880 c:\windows\system32\spoolsv.exe
- 2011-03-20 19:09 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2011-03-20 19:09 . 2010-02-22 14:23 17272 c:\windows\system32\spmsg.dll
+ 2012-03-11 03:27 . 2009-08-06 06:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2012-03-11 03:27 . 2009-08-06 06:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2008-04-14 11:00 . 2011-11-18 12:35 60416 c:\windows\system32\packager.exe
+ 2008-04-14 11:00 . 2011-09-25 22:41 20480 c:\windows\system32\oleaccrc.dll
+ 2008-04-14 04:42 . 2009-11-27 17:11 17920 c:\windows\system32\msyuv.dll
+ 2008-04-14 11:00 . 2009-11-27 16:07 28672 c:\windows\system32\msvidc32.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 11264 c:\windows\system32\msrle32.dll
+ 2008-04-14 11:00 . 2009-11-27 16:07 11264 c:\windows\system32\msrle32.dll
+ 2009-11-05 12:54 . 2011-12-17 19:45 66560 c:\windows\system32\mshtmled.dll
- 2009-11-05 12:54 . 2009-11-05 12:54 66560 c:\windows\system32\mshtmled.dll
- 2009-12-08 17:06 . 2009-12-08 17:06 55296 c:\windows\system32\msfeedsbs.dll
+ 2009-12-08 17:06 . 2011-12-17 19:45 55296 c:\windows\system32\msfeedsbs.dll
+ 2008-04-14 11:00 . 2011-10-14 14:47 23040 c:\windows\system32\mciseq.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 23040 c:\windows\system32\mciseq.dll
- 2009-12-08 17:06 . 2009-12-08 17:06 25600 c:\windows\system32\jsproxy.dll
+ 2009-12-08 17:06 . 2011-12-17 19:45 25600 c:\windows\system32\jsproxy.dll
+ 2008-04-14 04:41 . 2009-11-27 16:07 48128 c:\windows\system32\iyuv_32.dll
- 2011-03-20 19:06 . 2008-04-14 11:00 81920 c:\windows\system32\isign32.dll
+ 2011-03-20 19:06 . 2010-11-18 18:12 81920 c:\windows\system32\isign32.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 80384 c:\windows\system32\iccvid.dll
+ 2008-04-14 11:00 . 2010-06-17 14:03 80384 c:\windows\system32\iccvid.dll
+ 2009-11-05 12:53 . 2009-10-15 16:28 81920 c:\windows\system32\fontsub.dll
- 2009-11-05 12:53 . 2009-11-05 12:53 81920 c:\windows\system32\fontsub.dll
+ 2011-03-20 19:56 . 2012-03-11 04:38 95072 c:\windows\system32\FNTCACHE.DAT
- 2011-03-20 19:56 . 2011-03-22 07:19 95072 c:\windows\system32\FNTCACHE.DAT
+ 2008-04-14 11:00 . 2010-11-02 15:17 40960 c:\windows\system32\drivers\ndproxy.sys
+ 2008-04-14 11:00 . 2011-07-08 14:02 10496 c:\windows\system32\drivers\ndistapi.sys
+ 2008-04-14 11:00 . 2009-04-20 17:17 45568 c:\windows\system32\dnsrslvr.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 45568 c:\windows\system32\dnsrslvr.dll
+ 2011-03-20 19:07 . 2009-08-06 06:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2011-03-20 19:07 . 2009-08-06 06:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2011-03-20 19:06 . 2010-10-11 14:59 45568 c:\windows\system32\dllcache\wab.exe
+ 2008-04-14 11:00 . 2010-08-27 05:57 99840 c:\windows\system32\dllcache\srvsvc.dll
+ 2008-04-14 11:00 . 2010-08-17 13:17 58880 c:\windows\system32\dllcache\spoolsv.exe
+ 2008-04-14 11:00 . 2011-11-18 12:35 60416 c:\windows\system32\dllcache\packager.exe
+ 2008-04-14 11:00 . 2011-09-25 22:41 20480 c:\windows\system32\dllcache\oleaccrc.dll
+ 2008-04-14 11:00 . 2010-11-02 15:17 40960 c:\windows\system32\dllcache\ndproxy.sys
+ 2008-04-14 11:00 . 2011-07-08 14:02 10496 c:\windows\system32\dllcache\ndistapi.sys
+ 2008-04-14 11:00 . 2009-11-27 16:07 28672 c:\windows\system32\dllcache\msvidc32.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 11264 c:\windows\system32\dllcache\msrle32.dll
+ 2008-04-14 11:00 . 2009-11-27 16:07 11264 c:\windows\system32\dllcache\msrle32.dll
- 2009-11-05 12:54 . 2009-11-05 12:54 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2009-11-05 12:54 . 2011-12-17 19:45 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2008-04-14 11:00 . 2011-10-14 14:47 23040 c:\windows\system32\dllcache\mciseq.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 23040 c:\windows\system32\dllcache\mciseq.dll
+ 2009-11-05 12:53 . 2011-12-17 19:45 43520 c:\windows\system32\dllcache\licmgr10.dll
+ 2009-12-08 17:06 . 2011-12-17 19:45 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2009-12-08 17:06 . 2009-12-08 17:06 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2011-03-20 19:06 . 2008-04-14 11:00 81920 c:\windows\system32\dllcache\isign32.dll
+ 2011-03-20 19:06 . 2010-11-18 18:12 81920 c:\windows\system32\dllcache\isign32.dll
- 2009-11-05 12:53 . 2009-11-05 12:53 81920 c:\windows\system32\dllcache\fontsub.dll
+ 2009-11-05 12:53 . 2009-10-15 16:28 81920 c:\windows\system32\dllcache\fontsub.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 45568 c:\windows\system32\dllcache\dnsrslvr.dll
+ 2008-04-14 11:00 . 2009-04-20 17:17 45568 c:\windows\system32\dllcache\dnsrslvr.dll
+ 2008-04-14 11:00 . 2011-10-28 05:31 33280 c:\windows\system32\dllcache\csrsrv.dll
+ 2008-11-09 20:20 . 2009-08-06 06:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2008-04-14 11:00 . 2010-01-13 14:01 86016 c:\windows\system32\dllcache\cabview.dll
+ 2009-11-05 12:52 . 2009-11-27 16:07 84992 c:\windows\system32\dllcache\avifil32.dll
- 2009-11-05 12:52 . 2009-11-05 12:52 84992 c:\windows\system32\dllcache\avifil32.dll
+ 2008-04-14 11:00 . 2010-03-05 14:37 65536 c:\windows\system32\dllcache\asycfilt.dll
+ 2008-04-14 11:00 . 2011-10-28 05:31 33280 c:\windows\system32\csrsrv.dll
+ 2008-11-09 20:20 . 2009-08-06 06:24 96480 c:\windows\system32\cdm.dll
+ 2008-04-14 11:00 . 2010-01-13 14:01 86016 c:\windows\system32\cabview.dll
- 2009-11-05 12:52 . 2009-11-05 12:52 84992 c:\windows\system32\avifil32.dll
+ 2009-11-05 12:52 . 2009-11-27 16:07 84992 c:\windows\system32\avifil32.dll
+ 2008-04-14 11:00 . 2010-03-05 14:37 65536 c:\windows\system32\asycfilt.dll
+ 2012-03-11 04:29 . 2009-12-08 17:07 12800 c:\windows\ie8updates\KB2647516-IE8\xpshims.dll
+ 2012-03-11 04:29 . 2009-11-05 12:54 66560 c:\windows\ie8updates\KB2647516-IE8\mshtmled.dll
+ 2012-03-11 04:29 . 2009-12-08 17:06 55296 c:\windows\ie8updates\KB2647516-IE8\msfeedsbs.dll
+ 2012-03-11 04:29 . 2009-11-05 12:53 43008 c:\windows\ie8updates\KB2647516-IE8\licmgr10.dll
+ 2012-03-11 04:29 . 2009-12-08 17:06 25600 c:\windows\ie8updates\KB2647516-IE8\jsproxy.dll
+ 2012-03-11 03:34 . 2009-11-27 17:11 17920 c:\windows\Driver Cache\i386\msyuv.dll
+ 2012-03-11 03:33 . 2009-11-27 16:07 48128 c:\windows\Driver Cache\i386\iyuv_32.dll
+ 2009-11-05 12:53 . 2011-02-17 12:32 5120 c:\windows\system32\xpsp4res.dll
+ 2001-08-17 21:36 . 2009-11-27 16:07 8704 c:\windows\system32\tsbyuv.dll
+ 2012-03-11 03:33 . 2009-11-27 16:07 8704 c:\windows\Driver Cache\i386\tsbyuv.dll
+ 2009-07-11 11:02 . 2009-07-11 11:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-11 11:02 . 2009-07-11 11:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-11 11:05 . 2009-07-11 11:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-11 11:02 . 2009-07-11 11:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2011-03-20 19:07 . 2009-08-06 06:24 209632 c:\windows\system32\wuweb.dll
+ 2011-03-20 19:07 . 2009-08-06 06:24 327896 c:\windows\system32\wucltui.dll
+ 2011-03-20 19:07 . 2009-08-06 06:23 575704 c:\windows\system32\wuapi.dll
+ 2008-04-14 11:00 . 2009-12-24 06:59 177664 c:\windows\system32\wintrust.dll
+ 2008-04-14 11:00 . 2011-11-25 21:57 293376 c:\windows\system32\winsrv.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 293376 c:\windows\system32\winsrv.dll
+ 2008-04-14 11:00 . 2011-10-14 14:47 176128 c:\windows\system32\winmm.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 176128 c:\windows\system32\winmm.dll
+ 2009-12-08 17:11 . 2011-11-16 14:20 354816 c:\windows\system32\winhttp.dll
- 2009-12-08 17:11 . 2009-12-08 17:11 354816 c:\windows\system32\winhttp.dll
+ 2009-11-05 12:54 . 2011-03-04 06:35 420864 c:\windows\system32\vbscript.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 406016 c:\windows\system32\usp10.dll
+ 2008-04-14 11:00 . 2010-04-16 15:36 406016 c:\windows\system32\usp10.dll
- 2009-11-05 12:54 . 2009-11-05 12:54 105984 c:\windows\system32\url.dll
+ 2009-11-05 12:54 . 2011-12-17 19:45 105984 c:\windows\system32\url.dll
+ 2011-09-25 22:41 . 2011-09-25 22:41 611328 c:\windows\system32\uiautomationcore.dll
- 2009-11-05 12:53 . 2009-11-05 12:53 119808 c:\windows\system32\t2embed.dll
+ 2009-11-05 12:53 . 2010-08-27 08:02 119808 c:\windows\system32\t2embed.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 135168 c:\windows\system32\shsvcs.dll
+ 2008-04-14 11:00 . 2009-07-27 23:17 135168 c:\windows\system32\shsvcs.dll
+ 2008-04-14 11:00 . 2009-12-08 09:23 474112 c:\windows\system32\shlwapi.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 474112 c:\windows\system32\shlwapi.dll
+ 2008-04-14 11:00 . 2011-01-21 14:44 439296 c:\windows\system32\shimgvw.dll
+ 2009-11-05 12:53 . 2011-11-16 14:20 152064 c:\windows\system32\schannel.dll
+ 2008-04-14 11:00 . 2011-02-09 13:53 270848 c:\windows\system32\sbe.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 270848 c:\windows\system32\sbe.dll
+ 2009-11-05 12:53 . 2010-08-16 08:45 590848 c:\windows\system32\rpcrt4.dll
+ 2008-04-14 11:00 . 2011-11-03 15:28 386048 c:\windows\system32\qdvd.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 386048 c:\windows\system32\qdvd.dll
+ 2008-04-14 11:00 . 2010-12-20 17:32 551936 c:\windows\system32\oleaut32.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 551936 c:\windows\system32\oleaut32.dll
+ 2008-04-14 11:00 . 2011-09-25 22:41 220160 c:\windows\system32\oleacc.dll
+ 2008-04-14 11:00 . 2010-11-09 14:52 249856 c:\windows\system32\odbc32.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 249856 c:\windows\system32\odbc32.dll
- 2009-12-08 17:07 . 2009-12-08 17:07 206848 c:\windows\system32\occache.dll
+ 2009-12-08 17:07 . 2011-12-17 19:45 206848 c:\windows\system32\occache.dll
+ 2009-02-09 11:10 . 2010-12-09 15:15 718336 c:\windows\system32\ntdll.dll
+ 2008-12-06 12:14 . 2009-08-06 06:23 215920 c:\windows\system32\muweb.dll
- 2009-11-05 12:53 . 2009-11-05 12:53 245248 c:\windows\system32\mswsock.dll
+ 2009-11-05 12:53 . 2008-06-20 16:02 245248 c:\windows\system32\mswsock.dll
+ 2011-03-20 19:04 . 2011-01-27 11:57 677888 c:\windows\system32\mstsc.exe
- 2011-03-20 19:04 . 2008-04-14 11:00 677888 c:\windows\system32\mstsc.exe
- 2009-11-05 12:54 . 2009-11-05 12:54 611840 c:\windows\system32\mstime.dll
+ 2009-11-05 12:54 . 2011-12-17 19:45 611840 c:\windows\system32\mstime.dll
+ 2011-03-20 19:04 . 2009-12-16 18:43 343040 c:\windows\system32\mspaint.exe
- 2011-03-20 19:04 . 2008-04-14 11:00 343040 c:\windows\system32\mspaint.exe
+ 2009-12-08 17:06 . 2011-12-17 19:45 602112 c:\windows\system32\msfeeds.dll
- 2009-11-05 13:34 . 2009-11-05 13:34 317440 c:\windows\system32\mp4sdecd.dll
+ 2009-11-05 13:34 . 2010-03-29 23:24 317440 c:\windows\system32\mp4sdecd.dll
+ 2008-04-14 11:00 . 2011-02-08 06:03 974848 c:\windows\system32\mfc42u.dll
+ 2008-04-14 11:00 . 2011-02-08 13:33 978944 c:\windows\system32\mfc42.dll
+ 2008-04-14 11:00 . 2010-09-18 06:53 953856 c:\windows\system32\mfc40u.dll
+ 2008-04-14 11:00 . 2010-09-18 06:53 954368 c:\windows\system32\mfc40.dll
+ 2009-11-05 12:53 . 2010-12-20 17:26 730112 c:\windows\system32\lsasrv.dll
- 2009-11-05 12:53 . 2009-11-05 12:53 730112 c:\windows\system32\lsasrv.dll
+ 2009-11-05 12:53 . 2010-12-22 12:34 301568 c:\windows\system32\kerberos.dll
- 2009-11-05 12:53 . 2009-11-05 12:53 301568 c:\windows\system32\kerberos.dll
- 2009-11-05 12:54 . 2009-11-05 12:54 726528 c:\windows\system32\jscript.dll
+ 2009-11-05 12:54 . 2011-03-04 06:35 726528 c:\windows\system32\jscript.dll
+ 2011-03-20 19:06 . 2011-10-10 14:22 692736 c:\windows\system32\inetcomm.dll
- 2009-12-08 17:06 . 2009-12-08 17:06 184320 c:\windows\system32\iepeers.dll
+ 2009-12-08 17:06 . 2011-12-17 19:45 184320 c:\windows\system32\iepeers.dll
+ 2009-12-08 17:05 . 2011-12-17 19:45 387584 c:\windows\system32\iedkcs32.dll
- 2009-12-08 17:05 . 2009-12-08 17:05 387584 c:\windows\system32\iedkcs32.dll
+ 2009-12-08 17:05 . 2011-12-16 12:33 174080 c:\windows\system32\ie4uinit.exe
+ 2008-04-14 11:00 . 2011-10-18 11:13 186880 c:\windows\system32\encdec.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 186880 c:\windows\system32\encdec.dll
+ 2009-11-05 12:53 . 2010-02-11 12:02 226880 c:\windows\system32\drivers\tcpip6.sys
+ 2009-11-05 12:53 . 2011-02-17 13:18 357888 c:\windows\system32\drivers\srv.sys
+ 2011-03-20 19:04 . 2011-06-24 14:10 139656 c:\windows\system32\drivers\rdpwd.sys
- 2011-03-20 19:04 . 2008-04-14 11:00 139656 c:\windows\system32\drivers\rdpwd.sys
+ 2008-04-14 11:00 . 2011-04-21 13:37 105472 c:\windows\system32\drivers\mup.sys
+ 2009-11-05 12:53 . 2011-07-15 13:29 456320 c:\windows\system32\drivers\mrxsmb.sys
+ 2009-11-05 12:52 . 2011-08-17 13:49 138496 c:\windows\system32\drivers\afd.sys
- 2009-11-05 12:52 . 2009-11-05 12:52 138496 c:\windows\system32\drivers\afd.sys
+ 2009-11-05 12:53 . 2011-03-03 06:55 149504 c:\windows\system32\dnsapi.dll
+ 2011-03-20 19:07 . 2009-08-06 06:24 209632 c:\windows\system32\dllcache\wuweb.dll
+ 2011-03-20 19:07 . 2009-08-06 06:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2011-03-20 19:07 . 2009-08-06 06:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2011-03-20 19:04 . 2010-07-12 12:55 218112 c:\windows\system32\dllcache\wordpad.exe
+ 2008-04-14 11:00 . 2009-12-24 06:59 177664 c:\windows\system32\dllcache\wintrust.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2008-04-14 11:00 . 2011-11-25 21:57 293376 c:\windows\system32\dllcache\winsrv.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 176128 c:\windows\system32\dllcache\winmm.dll
+ 2008-04-14 11:00 . 2011-10-14 14:47 176128 c:\windows\system32\dllcache\winmm.dll
+ 2009-12-08 17:07 . 2011-12-17 19:45 919552 c:\windows\system32\dllcache\wininet.dll
- 2009-12-08 17:11 . 2009-12-08 17:11 354816 c:\windows\system32\dllcache\winhttp.dll
+ 2009-12-08 17:11 . 2011-11-16 14:20 354816 c:\windows\system32\dllcache\winhttp.dll
+ 2011-03-20 19:07 . 2011-04-30 03:01 758784 c:\windows\system32\dllcache\vgx.dll
+ 2009-11-05 12:54 . 2011-03-04 06:35 420864 c:\windows\system32\dllcache\vbscript.dll
+ 2008-04-14 11:00 . 2010-04-16 15:36 406016 c:\windows\system32\dllcache\usp10.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 406016 c:\windows\system32\dllcache\usp10.dll
+ 2009-11-05 12:54 . 2011-12-17 19:45 105984 c:\windows\system32\dllcache\url.dll
- 2009-11-05 12:54 . 2009-11-05 12:54 105984 c:\windows\system32\dllcache\url.dll
+ 2009-11-05 12:53 . 2010-02-11 12:02 226880 c:\windows\system32\dllcache\tcpip6.sys
+ 2009-11-05 12:53 . 2010-08-27 08:02 119808 c:\windows\system32\dllcache\t2embed.dll
- 2009-11-05 12:53 . 2009-11-05 12:53 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2009-11-05 12:53 . 2011-02-17 13:18 357888 c:\windows\system32\dllcache\srv.sys
- 2008-04-14 11:00 . 2008-04-14 11:00 135168 c:\windows\system32\dllcache\shsvcs.dll
+ 2008-04-14 11:00 . 2009-07-27 23:17 135168 c:\windows\system32\dllcache\shsvcs.dll
+ 2008-04-14 11:00 . 2009-12-08 09:23 474112 c:\windows\system32\dllcache\shlwapi.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2008-04-14 11:00 . 2011-01-21 14:44 439296 c:\windows\system32\dllcache\shimgvw.dll
+ 2009-11-05 12:53 . 2011-11-16 14:20 152064 c:\windows\system32\dllcache\schannel.dll
+ 2008-04-14 11:00 . 2011-02-09 13:53 270848 c:\windows\system32\dllcache\sbe.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 270848 c:\windows\system32\dllcache\sbe.dll
+ 2009-11-05 12:53 . 2010-08-16 08:45 590848 c:\windows\system32\dllcache\rpcrt4.dll
- 2011-03-20 19:04 . 2008-04-14 11:00 139656 c:\windows\system32\dllcache\rdpwd.sys
+ 2011-03-20 19:04 . 2011-06-24 14:10 139656 c:\windows\system32\dllcache\rdpwd.sys
+ 2008-04-14 11:00 . 2011-11-03 15:28 386048 c:\windows\system32\dllcache\qdvd.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 386048 c:\windows\system32\dllcache\qdvd.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 551936 c:\windows\system32\dllcache\oleaut32.dll
+ 2008-04-14 11:00 . 2010-12-20 17:32 551936 c:\windows\system32\dllcache\oleaut32.dll
+ 2008-04-14 11:00 . 2011-09-25 22:41 220160 c:\windows\system32\dllcache\oleacc.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 249856 c:\windows\system32\dllcache\odbc32.dll
+ 2008-04-14 11:00 . 2010-11-09 14:52 249856 c:\windows\system32\dllcache\odbc32.dll
- 2009-12-08 17:07 . 2009-12-08 17:07 206848 c:\windows\system32\dllcache\occache.dll
+ 2009-12-08 17:07 . 2011-12-17 19:45 206848 c:\windows\system32\dllcache\occache.dll
+ 2009-02-09 11:10 . 2010-12-09 15:15 718336 c:\windows\system32\dllcache\ntdll.dll
+ 2008-04-14 11:00 . 2011-04-21 13:37 105472 c:\windows\system32\dllcache\mup.sys
- 2009-11-05 12:53 . 2009-11-05 12:53 245248 c:\windows\system32\dllcache\mswsock.dll
+ 2009-11-05 12:53 . 2008-06-20 16:02 245248 c:\windows\system32\dllcache\mswsock.dll
+ 2009-11-05 12:54 . 2011-12-17 19:45 611840 c:\windows\system32\dllcache\mstime.dll
- 2009-11-05 12:54 . 2009-11-05 12:54 611840 c:\windows\system32\dllcache\mstime.dll
- 2011-03-20 19:04 . 2008-04-14 11:00 343040 c:\windows\system32\dllcache\mspaint.exe
+ 2011-03-20 19:04 . 2009-12-16 18:43 343040 c:\windows\system32\dllcache\mspaint.exe
- 2011-03-20 19:06 . 2008-04-14 11:00 102400 c:\windows\system32\dllcache\msjro.dll
+ 2011-03-20 19:06 . 2010-11-09 14:52 102400 c:\windows\system32\dllcache\msjro.dll
+ 2011-03-20 19:06 . 2010-11-09 14:52 200704 c:\windows\system32\dllcache\msadox.dll
- 2011-03-20 19:06 . 2008-04-14 11:00 200704 c:\windows\system32\dllcache\msadox.dll
- 2011-03-20 19:06 . 2008-04-14 11:00 180224 c:\windows\system32\dllcache\msadomd.dll
+ 2011-03-20 19:06 . 2010-11-09 14:52 180224 c:\windows\system32\dllcache\msadomd.dll
- 2011-03-20 19:06 . 2008-04-14 11:00 536576 c:\windows\system32\dllcache\msado15.dll
+ 2011-03-20 19:06 . 2010-11-09 14:52 536576 c:\windows\system32\dllcache\msado15.dll
+ 2011-03-20 19:06 . 2010-11-09 14:52 143360 c:\windows\system32\dllcache\msadco.dll
- 2011-03-20 19:06 . 2008-04-14 11:00 143360 c:\windows\system32\dllcache\msadco.dll
+ 2010-03-29 23:24 . 2010-03-29 23:24 317440 c:\windows\system32\dllcache\mp4sdecd.dll
+ 2008-04-14 11:00 . 2011-02-08 06:03 974848 c:\windows\system32\dllcache\mfc42u.dll
+ 2008-04-14 11:00 . 2011-02-08 13:33 978944 c:\windows\system32\dllcache\mfc42.dll
+ 2008-04-14 11:00 . 2010-09-18 06:53 953856 c:\windows\system32\dllcache\mfc40u.dll
+ 2008-04-14 11:00 . 2010-09-18 06:53 954368 c:\windows\system32\dllcache\mfc40.dll
+ 2009-11-05 12:53 . 2010-12-20 17:26 730112 c:\windows\system32\dllcache\lsasrv.dll
- 2009-11-05 12:53 . 2009-11-05 12:53 730112 c:\windows\system32\dllcache\lsasrv.dll
+ 2011-03-20 19:04 . 2011-01-27 11:57 677888 c:\windows\system32\dllcache\lhmstsc.exe
- 2011-03-20 19:04 . 2008-04-14 11:00 677888 c:\windows\system32\dllcache\lhmstsc.exe
+ 2009-11-05 12:53 . 2010-12-22 12:34 301568 c:\windows\system32\dllcache\kerberos.dll
- 2009-11-05 12:53 . 2009-11-05 12:53 301568 c:\windows\system32\dllcache\kerberos.dll
+ 2009-11-05 12:54 . 2011-03-04 06:35 726528 c:\windows\system32\dllcache\jscript.dll
- 2009-11-05 12:54 . 2009-11-05 12:54 726528 c:\windows\system32\dllcache\jscript.dll
+ 2011-03-20 19:06 . 2011-10-10 14:22 692736 c:\windows\system32\dllcache\inetcomm.dll
- 2009-12-08 17:06 . 2009-12-08 17:06 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2009-12-08 17:06 . 2011-12-17 19:45 184320 c:\windows\system32\dllcache\iepeers.dll
- 2009-12-08 17:05 . 2009-12-08 17:05 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2009-12-08 17:05 . 2011-12-17 19:45 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2009-12-08 17:05 . 2011-12-16 12:33 174080 c:\windows\system32\dllcache\ie4uinit.exe
+ 2011-03-20 19:06 . 2010-06-14 14:31 744448 c:\windows\system32\dllcache\helpsvc.exe
- 2011-03-20 19:06 . 2008-04-14 11:00 744448 c:\windows\system32\dllcache\helpsvc.exe
- 2008-04-14 11:00 . 2008-04-14 11:00 186880 c:\windows\system32\dllcache\encdec.dll
+ 2008-04-14 11:00 . 2011-10-18 11:13 186880 c:\windows\system32\dllcache\encdec.dll
+ 2009-11-05 12:53 . 2011-03-03 06:55 149504 c:\windows\system32\dllcache\dnsapi.dll
+ 2008-04-14 11:00 . 2011-09-28 07:06 599040 c:\windows\system32\dllcache\crypt32.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 599040 c:\windows\system32\dllcache\crypt32.dll
+ 2008-04-14 11:00 . 2010-08-23 16:12 617472 c:\windows\system32\dllcache\comctl32.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 617472 c:\windows\system32\dllcache\comctl32.dll
+ 2008-04-14 11:00 . 2011-02-15 12:56 290432 c:\windows\system32\dllcache\atmfd.dll
- 2009-11-05 12:52 . 2009-11-05 12:52 138496 c:\windows\system32\dllcache\afd.sys
+ 2009-11-05 12:52 . 2011-08-17 13:49 138496 c:\windows\system32\dllcache\afd.sys
+ 2008-04-14 11:00 . 2010-02-12 04:33 100864 c:\windows\system32\dllcache\6to4svc.dll
+ 2008-04-14 11:00 . 2011-09-28 07:06 599040 c:\windows\system32\crypt32.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 599040 c:\windows\system32\crypt32.dll
- 2008-04-14 11:00 . 2008-04-14 11:00 617472 c:\windows\system32\comctl32.dll
+ 2008-04-14 11:00 . 2010-08-23 16:12 617472 c:\windows\system32\comctl32.dll
+ 2008-04-14 11:00 . 2011-02-15 12:56 290432 c:\windows\system32\atmfd.dll
+ 2008-04-14 11:00 . 2010-02-12 04:33 100864 c:\windows\system32\6to4svc.dll
- 2011-03-20 19:06 . 2008-04-14 11:00 744448 c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
+ 2011-03-20 19:06 . 2010-06-14 14:31 744448 c:\windows\pchealth\helpctr\binaries\helpsvc.exe
+ 2012-03-11 04:46 . 2012-03-11 04:46 219648 c:\windows\Installer\71b2b.msi
+ 2012-03-11 04:29 . 2009-12-08 17:07 916480 c:\windows\ie8updates\KB2647516-IE8\wininet.dll
+ 2012-03-11 04:29 . 2009-11-05 12:54 105984 c:\windows\ie8updates\KB2647516-IE8\url.dll
+ 2012-03-11 04:29 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2647516-IE8\spuninst\updspapi.dll
+ 2012-03-11 04:29 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2647516-IE8\spuninst\spuninst.exe
+ 2012-03-11 04:29 . 2009-12-08 17:07 206848 c:\windows\ie8updates\KB2647516-IE8\occache.dll
+ 2012-03-11 04:29 . 2009-11-05 12:54 611840 c:\windows\ie8updates\KB2647516-IE8\mstime.dll
+ 2012-03-11 04:29 . 2009-12-08 17:06 594432 c:\windows\ie8updates\KB2647516-IE8\msfeeds.dll
+ 2012-03-11 04:29 . 2009-12-08 17:06 246272 c:\windows\ie8updates\KB2647516-IE8\ieproxy.dll
+ 2012-03-11 04:29 . 2009-12-08 17:06 184320 c:\windows\ie8updates\KB2647516-IE8\iepeers.dll
+ 2012-03-11 04:29 . 2009-03-08 03:35 742912 c:\windows\ie8updates\KB2647516-IE8\iedvtool.dll
+ 2012-03-11 04:29 . 2009-12-08 17:05 387584 c:\windows\ie8updates\KB2647516-IE8\iedkcs32.dll
+ 2012-03-11 04:29 . 2009-12-08 17:05 173056 c:\windows\ie8updates\KB2647516-IE8\ie4uinit.exe
+ 2012-03-11 04:24 . 2009-11-05 12:54 759296 c:\windows\ie8updates\KB2544521-IE8\vgx.dll
+ 2012-03-11 04:24 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2544521-IE8\spuninst\updspapi.dll
+ 2012-03-11 04:24 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2544521-IE8\spuninst\spuninst.exe
+ 2012-03-11 04:25 . 2009-11-05 12:54 420352 c:\windows\ie8updates\KB2510531-IE8\vbscript.dll
+ 2012-03-11 04:25 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2510531-IE8\spuninst\updspapi.dll
+ 2012-03-11 04:25 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2510531-IE8\spuninst\spuninst.exe
+ 2012-03-11 04:25 . 2009-11-05 12:54 726528 c:\windows\ie8updates\KB2510531-IE8\jscript.dll
+ 2012-03-11 03:33 . 2011-07-15 13:29 456320 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2012-03-11 03:32 . 2010-10-23 00:51 1748992 c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.22509_x-ww_c7dad023\GdiPlus.dll
+ 2012-03-11 03:33 . 2010-08-23 16:12 1054208 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
+ 2009-07-11 11:02 . 2009-07-11 11:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-11 11:02 . 2009-07-11 11:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
+ 2011-03-20 19:07 . 2009-08-06 06:23 1929952 c:\windows\system32\wuaueng.dll
+ 2009-11-05 13:35 . 2010-04-05 15:52 2462720 c:\windows\system32\WMVCore.dll
+ 2009-12-08 17:07 . 2011-12-17 19:45 1214464 c:\windows\system32\urlmon.dll
+ 2009-11-05 12:53 . 2011-01-21 14:44 8462336 c:\windows\system32\shell32.dll
+ 2009-11-05 12:53 . 2011-11-03 15:28 1292288 c:\windows\system32\quartz.dll
+ 2008-04-14 11:00 . 2011-11-01 16:07 1288704 c:\windows\system32\ole32.dll
+ 2009-11-05 12:53 . 2011-10-25 13:37 2148864 c:\windows\system32\ntoskrnl.exe
+ 2009-08-04 14:20 . 2011-10-25 12:52 2027008 c:\windows\system32\ntkrnlpa.exe
- 2009-12-08 16:32 . 2009-12-08 16:32 1172480 c:\windows\system32\msxml3.dll
+ 2009-12-08 16:32 . 2010-06-14 07:39 1172480 c:\windows\system32\msxml3.dll
+ 2011-03-20 19:04 . 2011-02-02 07:58 2067456 c:\windows\system32\mstscax.dll
+ 2009-12-08 17:07 . 2011-12-17 19:45 5980160 c:\windows\system32\mshtml.dll
+ 2009-12-08 17:06 . 2011-12-17 19:45 2001408 c:\windows\system32\iertutil.dll
+ 2011-03-20 19:07 . 2009-08-06 06:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
+ 2009-11-05 13:35 . 2010-04-05 15:52 2462720 c:\windows\system32\dllcache\WMVCore.dll
+ 2009-11-10 16:54 . 2012-01-12 16:54 1869056 c:\windows\system32\dllcache\win32k.sys
+ 2009-12-08 17:07 . 2011-12-17 19:45 1214464 c:\windows\system32\dllcache\urlmon.dll
+ 2009-11-05 12:53 . 2011-01-21 14:44 8462336 c:\windows\system32\dllcache\shell32.dll
+ 2009-11-05 12:53 . 2011-11-03 15:28 1292288 c:\windows\system32\dllcache\quartz.dll
+ 2008-04-14 11:00 . 2011-11-01 16:07 1288704 c:\windows\system32\dllcache\ole32.dll
+ 2009-12-08 16:32 . 2010-06-14 07:39 1172480 c:\windows\system32\dllcache\msxml3.dll
- 2009-12-08 16:32 . 2009-12-08 16:32 1172480 c:\windows\system32\dllcache\msxml3.dll
- 2011-03-20 19:06 . 2009-11-05 12:53 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2011-03-20 19:06 . 2010-01-29 07:31 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2009-12-08 17:07 . 2011-12-17 19:45 5980160 c:\windows\system32\dllcache\mshtml.dll
+ 2011-03-20 19:07 . 2010-06-18 13:36 3558912 c:\windows\system32\dllcache\moviemk.exe
- 2011-03-20 19:07 . 2008-04-14 11:00 3558912 c:\windows\system32\dllcache\moviemk.exe
+ 2011-03-20 19:04 . 2011-02-02 07:58 2067456 c:\windows\system32\dllcache\lhmstscx.dll
+ 2012-03-11 04:29 . 2009-12-08 17:07 1209344 c:\windows\ie8updates\KB2647516-IE8\urlmon.dll
+ 2012-03-11 04:29 . 2009-12-08 17:07 5944320 c:\windows\ie8updates\KB2647516-IE8\mshtml.dll
+ 2012-03-11 04:29 . 2009-12-08 17:06 1986048 c:\windows\ie8updates\KB2647516-IE8\iertutil.dll
+ 2012-03-11 03:32 . 2011-10-25 13:33 2192768 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2012-03-11 03:32 . 2011-10-25 12:52 2027008 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2012-03-11 03:32 . 2011-10-25 12:52 2069376 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2012-03-11 03:32 . 2011-10-25 13:37 2148864 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2009-11-05 13:34 . 2010-08-25 10:36 10841088 c:\windows\system32\wmp.dll
- 2009-11-05 13:34 . 2009-11-05 13:34 10841088 c:\windows\system32\wmp.dll
+ 2011-03-20 19:09 . 2012-01-26 10:20 52550552 c:\windows\system32\MRT.exe
+ 2009-12-08 17:06 . 2011-12-17 19:45 11085312 c:\windows\system32\ieframe.dll
- 2009-11-05 13:34 . 2009-11-05 13:34 10841088 c:\windows\system32\dllcache\wmp.dll
+ 2009-11-05 13:34 . 2010-08-25 10:36 10841088 c:\windows\system32\dllcache\wmp.dll
+ 2012-03-11 04:29 . 2009-12-08 17:06 11070464 c:\windows\ie8updates\KB2647516-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-07 00:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-25 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2010-06-02 19527272]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"IE8"="advpack.dll" [2009-11-05 128512]
.
c:\documents and settings\Ali\Start Menu\Programs\Startup\
E54A4C.lnk - c:\windows\system32\A58227\E54A4C.EXE [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\Lenovo\Bluetooth Software\BTTray.exe [2009-1-17 604776]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1992:TCP"= 1992:TCP:mgkavm
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/11/2012 5:46 PM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/11/2012 5:46 PM 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/11/2012 5:46 PM 20696]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/11/2012 12:25 AM 652360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/11/2012 12:25 AM 20464]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2011 8:31 AM 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [3/20/2011 9:38 PM 1691480]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2011 8:31 AM 136176]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys --> c:\windows\system32\Drivers\RtsUStor.sys [?]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-25 19:31]
.
2012-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-25 19:31]
.
2012-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1708537768-2146881839-1003Core.job
- c:\documents and settings\Ali\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-10 23:03]
.
2012-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1708537768-2146881839-1003UA.job
- c:\documents and settings\Ali\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-10 23:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\Lenovo\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-12 11:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3988)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Lenovo\Bluetooth Software\bin\btwdins.exe
c:\progra~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-03-12 11:40:23 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-11 22:40
ComboFix2.txt 2012-03-11 03:29
ComboFix3.txt 2012-03-11 03:00
.
Pre-Run: 135,429,967,872 bytes free
Post-Run: 135,380,049,920 bytes free
.
- - End Of File - - FEC1F31B0C23274634A6F66CB8711A3B
 
For x86 bit systems please download GrantPerms.zip and save it to your desktop.
For x64 bit systems please download GrantPerms64.zip and save it to your desktop.
Unzip the file and, depending on the system, run GrantPerms.exe or GrantPerms64.exe.
Copy and paste the following in the edit box:

Code:
c:\windows\system32\teqbzgu.dll
c:\windows\system32\a58227\E54A4C.EXE
c:\docume~1\ali\startm~1\programs\startup\e54a4c.lnk

Click Unlock. When it is done click "OK".
Click List Permissions and post the result of Perms.txt file that pops up.
A copy of Perms.txt will be saved in the same directory the tool is run.

======================================================================

1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\documents and settings\Ali\Start Menu\Programs\Startup\E54A4C.lnk
c:\windows\system32\A58227\E54A4C.EXE
C:\WINDOWS\system32\teqbzgu.dll

Folder::
c:\windows\system32\A58227

Rootkit::
C:\WINDOWS\system32\teqbzgu.dll
ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: CFScript.gif]



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
I'm running XP Pro V. 2002 SP3. I believe that means I'm 32-bit, so which GrantPerms do I use?

In the post you've got
For x86 bit systems please download GrantPerms.zip and save it to your desktop.
For x64 bit systems please download GrantPerms64.zip and save it to your desktop.

Any chance that was meant to be x32 bit, or is there another version?
 
GrantPerms by Farbar
Ran by Ali (administrator) at 2012-03-13 18:19:58

===============================================
ERROR: Parsing the SD of <\\?\c:\windows\system32\teqbzgu.dll> failed with: The system cannot find the file specified.


Operating system error message: The system cannot find the file specified.
ERROR: Parsing the SD of <\\?\c:\windows\system32\a58227\E54A4C.EXE> failed with: The system cannot find the path specified.


Operating system error message: The system cannot find the path specified.
\\?\c:\docume~1\ali\startm~1\programs\startup\e54a4c.lnk

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
CHANGEME1\Ali FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)
 
ComboFix 12-03-10.02 - Ali 03/13/2012 18:27:46.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.520 [GMT 13:00]
Running from: c:\documents and settings\Ali\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ali\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\documents and settings\Ali\Start Menu\Programs\Startup\E54A4C.lnk"
"c:\windows\system32\A58227\E54A4C.EXE"
"c:\windows\system32\teqbzgu.dll"
.
.
((((((((((((((((((((((((( Files Created from 2012-02-13 to 2012-03-13 )))))))))))))))))))))))))))))))
.
.
2012-03-11 04:46 . 2012-03-07 00:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-11 04:46 . 2012-03-07 00:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-11 04:46 . 2012-03-07 00:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-03-11 04:46 . 2012-03-07 00:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-11 04:46 . 2012-03-07 00:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-11 04:46 . 2012-03-07 00:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-03-11 04:46 . 2012-03-07 00:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-03-11 04:46 . 2012-03-06 23:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-03-11 04:45 . 2012-03-07 00:15 41184 ----a-w- c:\windows\avastSS.scr
2012-03-11 04:45 . 2012-03-07 00:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-11 04:45 . 2012-03-11 04:45 -------- d-----w- c:\program files\AVAST Software
2012-03-11 04:45 . 2012-03-11 04:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-03-11 04:33 . 2008-04-14 11:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2012-03-11 04:33 . 2011-08-12 00:51 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2012-03-11 04:24 . 2012-03-11 04:24 -------- d-----w- c:\windows\ie8updates
2012-03-11 04:23 . 2012-03-11 04:37 -------- d--h--w- c:\windows\$hf_mig$
2012-03-11 03:34 . 2009-11-27 17:11 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
2012-03-11 03:33 . 2009-11-27 16:07 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
2012-03-11 03:33 . 2009-11-27 16:07 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
2012-03-11 03:33 . 2011-07-15 13:29 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-03-11 03:32 . 2011-10-25 13:37 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2012-03-11 03:32 . 2011-10-25 13:33 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2012-03-11 03:32 . 2011-10-25 12:52 2069376 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2012-03-11 03:32 . 2011-10-25 12:52 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2012-03-11 03:32 . 2011-12-17 19:45 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2012-03-11 03:32 . 2011-12-17 19:45 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-03-11 03:32 . 2011-12-17 19:45 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-03-11 03:32 . 2011-12-17 19:45 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-03-11 03:32 . 2011-12-17 19:45 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-03-11 03:32 . 2011-12-17 19:45 2001408 -c----w- c:\windows\system32\dllcache\iertutil.dll
2012-03-11 03:32 . 2011-12-17 19:45 11085312 -c----w- c:\windows\system32\dllcache\ieframe.dll
2012-03-11 03:31 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-03-11 03:31 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-11 03:27 . 2009-08-06 06:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2012-03-10 11:49 . 2012-03-10 11:49 -------- d-----w- c:\documents and settings\Administrator
2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\documents and settings\Ali\Application Data\Malwarebytes
2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-10 11:25 . 2011-12-10 02:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-10 11:25 . 2012-03-10 11:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-25 02:39 . 2012-02-25 02:39 -------- d-----w- c:\program files\CCleaner
2012-02-25 02:25 . 2012-02-25 02:25 -------- d-----w- c:\documents and settings\Ali\Local Settings\Application Data\WMTools Downloaded Files
2012-02-25 01:40 . 2012-02-25 01:40 -------- d-----w- c:\windows\Sun
2012-02-19 20:53 . 2012-02-19 20:53 -------- d-----w- c:\documents and settings\Ali\Application Data\Foxit Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 16:54 . 2009-11-10 16:54 1869056 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:45 . 2009-12-08 17:07 919552 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:45 . 2009-12-08 17:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-17 19:45 . 2009-11-05 12:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-16 12:32 . 2009-11-05 12:53 385024 ----a-w- c:\windows\system32\html.iec
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-11-05 . 600D58665D16BFBB776EFEFB0E80532D . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot_2012-03-11_22.34.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-18 09:51 . 2011-04-18 09:51 51024 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_4ddc769f\vcomp90.dll
+ 2011-04-18 09:51 . 2011-04-18 09:51 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90rus.dll
+ 2011-04-18 09:51 . 2011-04-18 09:51 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90kor.dll
+ 2011-04-18 09:51 . 2011-04-18 09:51 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90jpn.dll
+ 2011-04-18 09:51 . 2011-04-18 09:51 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90ita.dll
+ 2011-04-18 09:51 . 2011-04-18 09:51 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90fra.dll
+ 2011-04-18 09:51 . 2011-04-18 09:51 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90esp.dll
+ 2011-04-18 09:51 . 2011-04-18 09:51 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90esn.dll
+ 2011-04-18 09:51 . 2011-04-18 09:51 53584 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90enu.dll
+ 2011-04-18 09:51 . 2011-04-18 09:51 63312 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90deu.dll
+ 2011-04-18 09:51 . 2011-04-18 09:51 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90cht.dll
+ 2011-04-18 09:51 . 2011-04-18 09:51 35664 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90chs.dll
+ 2011-04-18 09:51 . 2011-04-18 09:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfcm90u.dll
+ 2011-04-18 09:51 . 2011-04-18 09:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfcm90.dll
+ 2012-03-13 05:43 . 2012-03-13 05:43 16384 c:\windows\Temp\Perflib_Perfdata_7fc.dat
+ 2011-04-18 09:51 . 2011-04-18 09:51 653136 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcr90.dll
+ 2011-04-18 09:51 . 2011-04-18 09:51 569680 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcp90.dll
+ 2011-04-18 09:51 . 2011-04-18 09:51 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcm90.dll
+ 2011-04-18 09:51 . 2011-04-18 09:51 159048 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_92453bb7\atl90.dll
+ 2012-03-12 07:49 . 2012-03-12 07:49 223744 c:\windows\Installer\153df2.msi
+ 2011-04-18 09:51 . 2011-04-18 09:51 3781960 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfc90u.dll
+ 2011-04-18 09:51 . 2011-04-18 09:51 3766600 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-07 00:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-25 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2010-06-02 19527272]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"IE8"="advpack.dll" [2009-11-05 128512]
.
c:\documents and settings\Ali\Start Menu\Programs\Startup\
E54A4C.lnk - c:\windows\system32\A58227\E54A4C.EXE [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\Lenovo\Bluetooth Software\BTTray.exe [2009-1-17 604776]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1992:TCP"= 1992:TCP:mgkavm
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/11/2012 5:46 PM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/11/2012 5:46 PM 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/11/2012 5:46 PM 20696]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/11/2012 12:25 AM 652360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/11/2012 12:25 AM 20464]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2011 8:31 AM 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [3/20/2011 9:38 PM 1691480]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2011 8:31 AM 136176]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys --> c:\windows\system32\Drivers\RtsUStor.sys [?]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-25 19:31]
.
2012-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-25 19:31]
.
2012-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1708537768-2146881839-1003Core.job
- c:\documents and settings\Ali\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-10 23:03]
.
2012-03-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1708537768-2146881839-1003UA.job
- c:\documents and settings\Ali\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-10 23:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\Lenovo\Bluetooth Software\btsendto_ie.htm
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-13 18:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2720)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\progra~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
c:\program files\Lenovo\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-03-13 18:50:01 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-13 05:49
ComboFix2.txt 2012-03-11 22:40
ComboFix3.txt 2012-03-11 03:29
ComboFix4.txt 2012-03-11 03:00
.
Pre-Run: 135,119,998,976 bytes free
Post-Run: 135,096,565,760 bytes free
.
- - End Of File - - 37E925A801EF6E3AA04633C5388E8C6D
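As an added example (not from this thread, and not ComboFix's own code), here is a small Python triage script for the "Reg Loading Points" part of a ComboFix log. It pulls out the Run-key values and Startup-folder shortcuts and flags the pattern visible in the log above: a target in a hex-named folder under system32, a hex-named executable, and no size/date reported for the file. The sample log is constructed from the log's own lines plus one benign entry, and the heuristics are mine, not ComboFix's.

```python
import re

# Added example (not from the thread or ComboFix): sample autostart lines
# constructed from the log above plus one benign entry.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512]
.
c:\documents and settings\Ali\Start Menu\Programs\Startup\
E54A4C.lnk - c:\windows\system32\A58227\E54A4C.EXE [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\Lenovo\Bluetooth Software\BTTray.exe [2009-1-17 604776]
"""

RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<info>[^\]]*)\]')
LNK_LINE = re.compile(r'^(?P<name>\S+\.lnk) - (?P<path>.+?) \[(?P<info>[^\]]*)\]$')
HEX_DIR = re.compile(r'\\system32\\[0-9a-f]{4,}\\', re.I)  # e.g. system32\A58227\
HEX_EXE = re.compile(r'^[0-9a-f]{6,}\.exe$', re.I)         # e.g. E54A4C.EXE

def parse_autostarts(text):
    """Return Run-key values and Startup-folder shortcuts as dicts."""
    entries = []
    for line in text.splitlines():
        m = RUN_VALUE.match(line) or LNK_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def reasons(entry):
    """Heuristic indicators (my own, not ComboFix's) for one entry."""
    out = []
    if HEX_DIR.search(entry["path"]):
        out.append("hex-named folder under system32")
    if HEX_EXE.match(entry["path"].rsplit("\\", 1)[-1]):
        out.append("hex-named executable")
    if entry["info"].strip().upper() == "N/A":  # no size/date reported for the target
        out.append("no file details (N/A)")
    return out

def triage(text):
    """(name, reasons) for every autostart entry with at least one indicator."""
    flagged = []
    for entry in parse_autostarts(text):
        why = reasons(entry)
        if why:
            flagged.append((entry["name"], why))
    return flagged
```

Run `triage(SAMPLE_LOG)` and only the E54A4C.lnk entry comes back, with all three indicators; the vendor-signed Run-key entries and the Bluetooth shortcut are left alone.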
 
How is the computer doing?

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\tasks\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 