Inactive Generic Host Process for Win32 Service problem with HijackThis log attachment


zenoperegrinus

Hi folks,

I searched for ways to overcome this GHS problem and was directed to run HijackThis. I attach the log file here.

Some background. I think I have malware on my system as I am often redirected by IE. The GHS problem has started since I downloaded itunes yesterday. I was directed to use Firefox last week but was unable to run it so reverted back to IE. I started to check MSCONFIG but felt a little out of my depth.

Any help is greatly appreciated.

Zeno
 

Attachment: hijackthis zeno1.txt (9.5 KB)
Hi and welcome to TechSpot forums :).

====

Please read the directions given here and when done, post the requested logs.
Please do not attach the logs unless requested, or unless they are too large to paste.
 
log reports for 8-step Viruses/Spyware/Malware Preliminary Removal

Hi crunchie,

Thank you for your response and direction.

Please find the logs pasted below.

One question: should I re-enable script blocking protection?

Regards

Zeno

----------------------------------------------
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4811

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

13/10/2010 17:48:46
mbam-log-2010-10-13 (17-48-46).txt

Scan type: Quick scan
Objects scanned: 135505
Time elapsed: 18 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\desktoplayer.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\sys32 (Trojan.Malagent) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Microsoft\desktoplayer.exe (Trojan.Agent) -> Delete on reboot.
----------------------------------------------

GMER 1.0.15.15315 - http://www.gmer.net
Rootkit quick scan 2010-10-13 18:31:56
Windows 5.1.2600 Service Pack 3
Running: 2myf696x.exe; Driver: C:\DOCUME~1\ZENOPE~1\LOCALS~1\Temp\kxrirpow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x9976AB9C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x9976A9C0]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x9976AAFA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 85535EC5

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----



DDS (Ver_10-10-10.03) - NTFSx86
Run by zenoperegrinus at 10:03:34.90 on 14/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.316 [GMT 1:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\ASUS\Eee Docking\Eee Docking.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\zenoperegrinus\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Eee Docking] c:\program files\asus\eee docking\Eee Docking.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Sbofiqohuwudehi] rundll32.exe "c:\windows\kbdr40.dll",Startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynAsusAcpi] c:\program files\synaptics\syntp\SynAsusAcpi.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Dgoxaquza] rundll32.exe "c:\windows\axoxebuxeyaki.dll",Startup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {67084B91-FE65-4032-8A1B-9CEE301A6A95} - hxxp://upload.travelpod.com/includes/ImageUploader6.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2010-10-3 59240]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-19 165456]
R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\19917\RapportCerberus_19917.sys [2010-10-3 34792]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-10-3 169320]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-19 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-19 40384]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-5-5 54752]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-10-3 767208]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-4-28 38912]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [2009-3-16 39040]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-5-5 1684736]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-19 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-19 40384]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-5-5 232872]

=============== Created Last 30 ================

2010-10-12 22:18:10 -------- d-----w- c:\docume~1\zenope~1\applic~1\Trusteer
2010-10-12 22:16:57 -------- d-----w- c:\program files\Trusteer
2010-10-12 22:14:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Trusteer
2010-10-12 08:06:09 -------- d-----w- C:\HijackThis
2010-10-11 18:38:21 -------- d-----w- c:\docume~1\zenope~1\applic~1\Foxit Software
2010-10-11 18:38:17 -------- d-----w- c:\docume~1\zenope~1\applic~1\Foxit
2010-10-11 18:37:54 -------- d-----w- c:\program files\Foxit Software
2010-10-11 15:21:36 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-10-11 15:21:36 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-10-10 11:39:29 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-10-10 11:39:29 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-03 22:43:44 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2010-09-30 21:48:33 -------- d-----w- c:\program files\iPod
2010-09-30 21:48:19 -------- d-----w- c:\program files\iTunes
2010-09-30 21:48:19 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-30 21:46:13 -------- d-----w- c:\docume~1\zenope~1\locals~1\applic~1\Apple
2010-09-30 21:44:59 -------- d-----w- c:\program files\Bonjour
2010-09-30 21:43:48 -------- d-----w- c:\docume~1\zenope~1\locals~1\applic~1\Apple Computer
2010-09-30 16:25:31 -------- d-----w- c:\docume~1\zenope~1\applic~1\Malwarebytes
2010-09-30 16:24:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-30 16:24:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-30 16:24:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-30 16:24:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-21 22:05:42 -------- d-----w- c:\docume~1\zenope~1\locals~1\applic~1\{D99998DA-A89F-48C9-A08D-35A184BBF262}
2010-09-21 06:58:56 -------- d-----w- c:\program files\riv7
2010-09-17 16:27:56 -------- d-----w- c:\windows\system32\Registry Patrol
2010-09-17 16:27:44 86016 ----a-w- c:\windows\unvise32.exe
2010-09-17 16:27:18 -------- d-----w- c:\program files\Registry Patrol

==================== Find3M ====================

2010-09-23 23:28:35 0 ----a-w- c:\windows\Xtetovisidubadi.bin
2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-07-27 17:44:10 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 17:44:10 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-07-27 17:44:10 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-27 17:44:10 107808 ----a-w- c:\windows\system32\dns-sd.exe

============= FINISH: 10:06:12.07 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-10.03)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 26/08/2009 15:19:18
System Uptime: 14/10/2010 09:54:31 (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | 1005HA
Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | PBGA 437 | 1599/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 144 GiB total, 68.038 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP121: 10/10/2010 11:42:37 - Restore Operation
RP122: 11/10/2010 13:38:06 - System Checkpoint
RP123: 11/10/2010 16:20:25 - Installed iTunes
RP124: 12/10/2010 23:16:48 - Installed Rapport

==== Installed Programs ======================

32 Bit HP BiDi Channel Components Installer
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.4
Altitude
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Asus ACPI Driver
ASUSUpdate for Eee PC
Atheros Client Installation Program
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
avast! Free Antivirus
Azurewave Wireless LAN Card
Bonjour
CM 03-04 Demo
Compatibility Pack for the 2007 Office system
Data Sync
EasyZip
Eee Docking 1.3.1.0
EeePC_1005HA Screen Saver
EeeSplendid
EzMessenger
FontResizer
Football Manager 2010
Foxit Reader
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP LaserJet P4010_P4510 Series
Intel(R) Graphics Media Accelerator Driver
iTunes
Java Auto Updater
Java(TM) 6 Update 18
Junk Mail filter update
LimeWire 5.5.9
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (Spanish) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Excel MUI (Spanish) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007 Trial
Microsoft Office InfoPath MUI (Spanish) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (Spanish) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint MUI (Spanish) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional Plus 2007
Microsoft Office Proof (Basque) 2007
Microsoft Office Proof (Catalan) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Galician) 2007
Microsoft Office Proof (Portuguese (Brazil)) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing (Spanish) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (Spanish) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (Spanish) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Office Word MUI (Spanish) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Software Update for Web Folders (Spanish) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
MSVCRT
QuickTime
Rapport
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.0
Registry Patrol
Security Update for 2007 Microsoft Office System (KB2277947)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB980376)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2251419)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Segoe UI
Skype™ 4.2
Steam
Super Hybrid Engine
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb2279264)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB2.0 UVC Camera Device
WebFldrs XP
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11

==== Event Viewer Messages From Past Week ========

14/10/2010 09:56:24, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 f743ae7d, parameter3 a9ebe9b0, parameter4 00000000.
14/10/2010 09:56:15, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 f743ae7d, parameter3 f28d79b0, parameter4 00000000.
13/10/2010 20:12:46, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.
13/10/2010 19:39:00, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the PolicyAgent service.
13/10/2010 19:38:50, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the JavaQuickStarterService service.
13/10/2010 16:37:26, error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
13/10/2010 16:37:26, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
13/10/2010 16:37:26, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
13/10/2010 16:37:26, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
13/10/2010 16:37:26, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/10/2010 08:40:51, error: System Error [1003] - Error code 1000000a, parameter1 00000023, parameter2 00000002, parameter3 00000000, parameter4 8050c653.
11/10/2010 01:00:43, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
10/10/2010 12:56:21, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.
10/10/2010 12:56:16, error: Service Control Manager [7022] - The avast! Antivirus service hung on starting.
10/10/2010 11:30:53, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Spooler service.
10/10/2010 11:28:06, error: Dhcp [1002] - The IP address lease 192.168.0.3 for the Network Card with network address 0025D3459755 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
09/10/2010 13:15:00, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.

==== End Of File ===========================
 
Keep the script blocking disabled for now please.

==

Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!
 
Hi crunchie,

I have a problem.

I followed the instructions, disconnecting from the internet and stopping all monitoring software. I started ComboFix. It started well. Then it instructed me to reconnect to the internet so it could download some Windows software to allow the system to create restore points. ComboFix then said it had found rootkit activity and needed to restart the system. I gave the OK. ComboFix restarted when the system restarted, but I think it crashed when other programmes automatically reopened. I was never asked to save and can't find an automatically saved log, so I don't think it completed. What should I do?

Regards

Zeno
 
Hi crunchie,

2nd run went smoothly. Please find the log pasted below.


ComboFix 10-10-12.03 - zenoperegrinus 14/10/2010 18:00:29.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.489 [GMT 1:00]
Running from: c:\documents and settings\zenoperegrinus\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\zenoperegrinus\Local Settings\Application Data\{D99998DA-A89F-48C9-A08D-35A184BBF262}
c:\documents and settings\zenoperegrinus\Local Settings\Application Data\{D99998DA-A89F-48C9-A08D-35A184BBF262}\chrome.manifest
c:\documents and settings\zenoperegrinus\Local Settings\Application Data\{D99998DA-A89F-48C9-A08D-35A184BBF262}\chrome\content\_cfg.js
c:\documents and settings\zenoperegrinus\Local Settings\Application Data\{D99998DA-A89F-48C9-A08D-35A184BBF262}\chrome\content\overlay.xul
c:\documents and settings\zenoperegrinus\Local Settings\Application Data\{D99998DA-A89F-48C9-A08D-35A184BBF262}\install.rdf
c:\program files\Internet Explorer\complete.dat
c:\program files\Internet Explorer\dmlconf.dat
c:\windows\system32\dmlconf.dat
c:\windows\system32\Thumbs.db

Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-09-14 to 2010-10-14 )))))))))))))))))))))))))))))))
.

2010-10-14 12:08 . 2010-10-14 12:08 -------- d-----w- c:\windows\LastGood
2010-10-12 22:18 . 2010-10-12 22:18 -------- d-----w- c:\documents and settings\zenoperegrinus\Application Data\Trusteer
2010-10-12 22:16 . 2010-10-12 22:16 -------- d-----w- c:\program files\Trusteer
2010-10-12 22:14 . 2010-10-12 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2010-10-12 08:06 . 2010-10-12 09:39 -------- d-----w- C:\HijackThis
2010-10-11 18:38 . 2010-10-11 18:38 -------- d-----w- c:\documents and settings\zenoperegrinus\Application Data\Foxit Software
2010-10-11 18:38 . 2010-10-11 18:38 -------- d-----w- c:\documents and settings\zenoperegrinus\Application Data\Foxit
2010-10-11 18:37 . 2010-10-11 18:37 -------- d-----w- c:\program files\Foxit Software
2010-10-11 15:21 . 2009-05-18 12:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-10-11 15:21 . 2008-04-17 11:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-10-10 11:39 . 2010-10-10 11:39 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-10 10:56 . 2010-10-10 11:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2010-09-30 21:50 . 2010-10-11 15:25 -------- d-----w- c:\documents and settings\zenoperegrinus\Application Data\Apple Computer
2010-09-30 21:48 . 2010-10-11 15:21 -------- d-----w- c:\program files\iPod
2010-09-30 21:48 . 2010-10-11 15:21 -------- d-----w- c:\program files\iTunes
2010-09-30 21:48 . 2010-09-30 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-30 21:46 . 2010-10-14 09:17 -------- d-----w- c:\program files\QuickTime
2010-09-30 21:46 . 2010-09-30 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-09-30 21:46 . 2010-09-30 21:46 -------- d-----w- c:\documents and settings\zenoperegrinus\Local Settings\Application Data\Apple
2010-09-30 21:45 . 2010-09-30 21:46 -------- d-----w- c:\program files\Apple Software Update
2010-09-30 21:44 . 2010-09-30 21:45 -------- d-----w- c:\program files\Bonjour
2010-09-30 21:44 . 2010-09-30 21:48 -------- d-----w- c:\program files\Common Files\Apple
2010-09-30 21:44 . 2010-09-30 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-09-30 21:43 . 2010-09-30 21:50 -------- d-----w- c:\documents and settings\zenoperegrinus\Local Settings\Application Data\Apple Computer
2010-09-30 16:25 . 2010-09-30 16:25 -------- d-----w- c:\documents and settings\zenoperegrinus\Application Data\Malwarebytes
2010-09-30 16:24 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-30 16:24 . 2010-09-30 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-30 16:24 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-30 16:24 . 2010-09-30 16:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-21 06:58 . 2010-09-30 16:45 -------- d-----w- c:\program files\riv7
2010-09-17 16:27 . 2010-09-17 16:27 -------- d-----w- c:\windows\system32\Registry Patrol
2010-09-17 16:27 . 1999-12-17 09:13 86016 ----a-w- c:\windows\unvise32.exe
2010-09-17 16:27 . 2010-09-17 16:44 -------- d-----w- c:\program files\Registry Patrol

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-10 1233288]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-06-10 22:28 1233288 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-10 1233288]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-10 1233288]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Eee Docking"="c:\program files\ASUS\Eee Docking\Eee Docking.exe" [2009-05-08 395776]
"Steam"="c:\program files\steam\steam.exe" [2010-08-24 1242448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-16 630784]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-04-16 118784]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-03-06 79144]
"RTHDCPL"="RTHDCPL.EXE" [2009-04-27 17881088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-24 202256]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-5-5 376832]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:416082759509

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-04-16 21:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\football manager 2010\\fm.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 23:43 59240]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [19/08/2010 18:37 165456]
R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 23:54 34792]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 23:43 169320]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [19/08/2010 18:37 17744]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 23:43 767208]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [28/04/2009 02:59 38912]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [16/03/2009 22:27 39040]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [05/05/2009 17:00 1684736]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [05/05/2009 18:16 232872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2010-10-14 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1042050900-1176399639-2793042620-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-10-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1042050900-1176399639-2793042620-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-10-14 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-06-10 22:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {67084B91-FE65-4032-8A1B-9CEE301A6A95} - hxxp://upload.travelpod.com/includes/ImageUploader6.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sbofiqohuwudehi - c:\windows\kbdr40.dll
HKLM-Run-Dgoxaquza - c:\windows\axoxebuxeyaki.dll
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
AddRemove-{19F5658D-92E8-4A08-8657-D38ABB1574B2} - c:\program files\InstallShield Installation Information\{19F5658D-92E8-4A08-8657-D38ABB1574B2}\setup.exe
AddRemove-{3108C217-BE83-42E4-AE9E-A56A2A92E549} - c:\program files\InstallShield Installation Information\{3108C217-BE83-42E4-AE9E-A56A2A92E549}\setup.exe
AddRemove-{6333FC29-BFE5-4024-AC78-958A1A7555D1} - c:\program files\InstallShield Installation Information\{6333FC29-BFE5-4024-AC78-958A1A7555D1}\setup.exe
AddRemove-{88F08F98-12BC-4613-81A2-8F9B88CFC73E} - c:\program files\InstallShield Installation Information\{88F08F98-12BC-4613-81A2-8F9B88CFC73E}\setup.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1042050900-1176399639-2793042620-1006\Software\G*e*n*i*e*"!\FM Genie Scout 10]
"GameDir"="c:\\Documents and Settings\\zenoperegrinus\\My Documents\\Sports Interactive\\Football Manager 2010\\games"
"ShortlistDir"="c:\\Documents and Settings\\zenoperegrinus\\My Documents\\Sports Interactive\\Football Manager 2010\\shortlists"
"ScreenshotsDir"="c:\\Documents and Settings\\zenoperegrinus\\My Documents\\Sports Interactive\\Football Manager 2010"
"SaveDir"="c:\\Documents and Settings\\zenoperegrinus\\My Documents\\Sports Interactive\\Football Manager 2010\\"
"HistoryDir"="c:\\Documents and Settings\\zenoperegrinus\\Desktop\\FM Genie Scout 10\\History Points"
"LangDB"="c:\\program files\\steam\\steamapps\\common\\football manager 2010\\data\\db\\1000\\lang_db.dat"
"LastSaveGame"=""
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"GraphStep"=dword:00000000
"SkinName"="Steklo Black"
"LastUpdateCheck"=dword:00009d36
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000072
"UniqueID"="F5-8ADF-C7BF"
"Currency"=dword:00000056
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-10-14 18:12:25
ComboFix-quarantined-files.txt 2010-10-14 17:12

Pre-Run: 72,790,745,088 bytes free
Post-Run: 72,842,473,472 bytes free

- - End Of File - - 0B91BC773D6ECC8E50267592C4907D99
 
Crunchie,

Here are the results from both.

The PC seems fine now. I didn't even see the dll warnings on startup. Thank you so very much for your help. Can I make a donation to this site or something to show my gratitude?

Jotti's malware scan

This file has been scanned before. The results for this previous scan are listed below.
--------------------------------------------------------------------------------
Filename: unvise32.exe
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Thu 29 Jul 2010 05:24:43 (CET)

Additional info
File size: 86016 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 84b4f61f59a421bd85d97b35d194b42b
SHA1: d3f2bac1a72f82c42d551c066c8ec841f46adb60
----

VirusTotal

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: unvise32.exe
Submission date: 2010-09-14 18:26:33 (UTC)
Current status: finished
Result: 0 /41 (0.0%)
VT Community

not reviewed
Safety score: -
Antivirus / Version / Last Update / Result
AhnLab-V3 2010.09.13.00 2010.09.13 -
AntiVir 8.2.4.52 2010.09.14 -
Antiy-AVL 2.0.3.7 2010.09.14 -
Authentium 5.2.0.5 2010.09.14 -
Avast 4.8.1351.0 2010.09.14 -
Avast5 5.0.594.0 2010.09.14 -
BitDefender 7.2 2010.09.14 -
CAT-QuickHeal 11.00 2010.09.14 -
ClamAV 0.96.2.0-git 2010.09.14 -
Comodo 6076 2010.09.14 -
Emsisoft 5.0.0.37 2010.09.14 -
eSafe 7.0.17.0 2010.09.14 -
eTrust-Vet 36.1.7854 2010.09.14 -
F-Prot 4.6.1.107 2010.09.14 -
F-Secure 9.0.15370.0 2010.09.14 -
Fortinet 4.1.143.0 2010.09.13 -
GData 21 2010.09.14 -
Ikarus T3.1.1.88.0 2010.09.14 -
Jiangmin 13.0.900 2010.09.14 -
K7AntiVirus 9.63.2512 2010.09.14 -
Kaspersky 7.0.0.125 2010.09.14 -
McAfee 5.400.0.1158 2010.09.14 -
McAfee-GW-Edition 2010.1B 2010.09.14 -
Microsoft 1.6103 2010.09.14 -
NOD32 5451 2010.09.14 -
Norman 6.06.06 2010.09.14 -
nProtect 2010-09-14.01 2010.09.14 -
Panda 10.0.2.7 2010.09.14 -
PCTools 7.0.3.5 2010.09.14 -
Prevx 3.0 2010.09.14 -
Rising 22.65.01.04 2010.09.14 -
Sophos 4.57.0 2010.09.14 -
Sunbelt 6875 2010.09.14 -
SUPERAntiSpyware 4.40.0.1006 2010.09.14 -
Symantec 20101.1.1.7 2010.09.14 -
TheHacker 6.7.0.0.017 2010.09.14 -
TrendMicro 9.120.0.1004 2010.09.14 -
TrendMicro-HouseCall 9.120.0.1004 2010.09.14 -
VBA32 3.12.14.0 2010.09.14 -
ViRobot 2010.8.25.4006 2010.09.14 -
VirusBuster 12.65.6.0 2010.09.14 -
Additional information
MD5 : 84b4f61f59a421bd85d97b35d194b42b
SHA1 : d3f2bac1a72f82c42d551c066c8ec841f46adb60
SHA256: f241f37d423dd5c192b22ca1d4655dbf9e9b861487a6ac0f958b190e975934dc
------
 
As far as I am aware, there is no facility for making a donation to the site, but thank you for the offer anyway :).

Looks like you are good to go :).

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.
 