Solved XP Antivirus 2012 fixed? Now I do not have NetBT in my registry & c/n get to Internet

J

jhdroge

Posts: 31   +0
Got the XP Antivirus 2012 rogue (I find out) on my computer and I thought I got rid of it with Revo Uninstaler. Now I c/n get to the internet and I am writing from work. Very similar to another, poster 952SF, but he said he d/n have netbt.sys after the same virus and says he fixed that but not how he did it he did not say he lost NetBT from his registry (is mine gone or I just d/n see it??)
I have winows XP Home Media Sp3 on a dell - it's at home and I think it's an Inspiron 5325?
I have run AVG free (about a week since updated) found virues and quarantined then ran MalwareAntibytes (but about 1 month old) found viruses and deleted and TDSSKiller (about 6 months old) found nothing.
I thought it was a problem from my ISP so I called them and did trouble shooting with them and found the same Error 1075 and did more trouble shooting with them and ultimaely they wanted me to do a change to NetBT in the reistry but when I ran regdeit it was not there to do a change. Ultimate answer from them was format the drive and reinstal windows.
I hope there is a different answer.
Thanks in advance for your help
John
 
Welcome aboard
yahooo.gif


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

======================================================

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
 
Hello Broni - Thanks for coming to my Aid
My mistake about my pc - it is a Dell Demension E520

Here is the log of the scan
bar Service Scanner
Ran by Jade Xing (administrator) on 20-12-2011 at 18:08:35
Microsoft Windows XP Professional Service Pack 3 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.


File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

**** End of log ****

I am not a pro but it looks like either the virus or an overly aggressive Revo Uninstal deleted my NetBt from the registry
I do have the Dell Discs
"OPERATING SYSTEM"
"Reinstallation DVD"
"Microsoft Windows XP Media Center V Version 2005 with Upate Rollup 2"
and
"DRIVERS AND UTILITIES"
"Dell Dimension ResouceCD"
if they might be useful in just putting the key back.
Or do I need to do a full reinstall?
Thanks
John
 
Yes, it looks like one registry key is missing.
Very common issue with the latest type of infections.

Let's see....

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users:: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box and paste it into the main textfield:
    Code: 
    :reg
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\netbt /s
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Hello Broni
Thanks for the reply. I am communicating from work as I have no internet at home so I post one day- get your reply the next day - download or whatever to my flash drive - do the steps at home that night and save to the flash - reply the next day at work - and get your reply the yet next day. So this is dragged out. There is a 3 day gap coming up during the weekend and holiday. If we are leading to a reload of my OS please let me know so I could do that during the long weekend. I hope there is some way to add just the missing NetBTkey.
Thanks
John
 
Hi Broni
here's the result of the SystemLook scan

SystemLook 30.07.11 by jpshortstuff
Log created at 20:31 on 22/12/2011 by Jade Xing
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\netbt]
(Unable to open key - key not found)

-= EOF =-

I did not really understand your response. Is there a possible way to replace this missing Reg Key? You did not say if there was in your response.
I'd rather do that then reinstall the OS.

I have an old P3 clone computer with Windows XP Pro on it in the closet that I will try and use to get to the internet tonight or tomorrow afternoon. I had forgotten I had kept it buried for possible spare parts but never took anything out of it. Maybe it will be able to get me to yahoo mail and the net over the weekend.
John
 
Following steps involve registry editing. Please create new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/

Download XP.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip the file.
You'll find six files inside.
Right click on netbt.reg file, click "Merge".
Allow registry merge.
Restart computer and see if internet works.
 
Thanks Broni I will save this to the flash and do it. I will do the restore point but part of my trying to fix things before I posted here was to do the system restore and it failed from every restore point that was availible - maybe that function in Windows is corrupted.
John
 
You're not paying attention.
I don't want you to USE any restore points.
I want you to CREATE new restore point.
 
Broni - I printed out the How to set a system restore point and I will do that when I get home.
I downloaded the zip to my flash and it has the netbt.reg file in it. At work here when I right click that file (in my flash) I get
Open
cut
copy
delete
and properties
but no Merge option
I would not run or do the merge or any more then just right clicking the file at work of course but I was checking if I had gotten it downloaded successfully and if it gave me a merge option
Do I need to save it to my desktop at home before I unzip it?
Save it to my desktop at home after I unzip it?
Do I need to copy the netbt.reg to my desktop at home before I right click it?
Thanks
John
 
Hello Broni I am online now from my home pc
Thanks so much! I am sure there is more cleaning to do from this point.
John
 
Hi Broni
I hit the wrong key and may or may not have sent the reply I was working on. I case I lost it it was short and I'll repeat it

Here's the new FSS Log

Farbar Service Scanner
Ran by Jade Xing (administrator) on 24-12-2011 at 11:21:41
Microsoft Windows XP Professional Service Pack 3 (X86)
********************************************************

Service Check:
==============

File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error: Google IP is offline
Yahoo IP is accessible.

**** End of log ****

I started the clean up procedure but only got as far as updating and running my exisitng Malware Antibytes but I negelected to copy the log to post it now. I'll do that when I get home and continue the clean up sequence. Christmas and home chores got in the way.
Hope you had a good holiday and thanks for your help.
John
 
AVAST not Working and Logs

Hi Broni
AVAST Free is not working well. Sometimes it loads but most of the time it will not load and i get the message from it that I am not protected and it's icon has a red bar through it. If I try to manually start it I get the control window that says it is not working and a button that says "fix now" but nothing happens when I click that.
Should I uninstal and redownload?

Here are the logs

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 911122404
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
12/24/2011 12:14:17 PM
mbam-log-2011-12-24 (12-14-17).txt
Scan type: Quick scan
Objects scanned: 224017
Time elapsed: 28 minute(s), 24 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\jade xing\local settings\temp\kna0.17721967154110485.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-12-28 21:06:47
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2 HDS72808 rev.PF2O
Running: v2vijehe.exe; Driver: C:\DOCUME~1\JADEXI~1\LOCALS~1\Temp\pxdyrpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA3520BDA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA3520A45]

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Run by Jade Xing at 21:19:22 on 2011-12-28
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.635 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Sygate Personal Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Jade Xing\Local Settings\Application Data\Google\Update\1.3.21.79\GoogleCrashHandler.exe
svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\jade xing\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Xvid] c:\program files\xvid\CheckUpdate.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: ??UUSee?? - c:\program files\uusee\geturltodown.htm
IE: ??UUSee???? - c:\program files\uusee\geturltoplay.htm
IE: {998A88A0-A355-809B-831C-B83A80000991} - http://www.henkuai.com/?from=iebannel
IE: {998A88A0-A355-809B-831C-B83A80000992} - c:\program files\uusee\UUSeePlayer.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1218927117921
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: btwdlns - btwdiw32.dll
Notify: igfxcui - igfxdev.dll
Notify: SMPv - btwdiw32.dll
Notify: âBs$U - btwdiw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jade xing\application data\mozilla\firefox\profiles\srzwt60x.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://www.search.yahoo.com/?fr=w3i&type=W3i_SP,205,0_0,StartPage,20111041,16900,0,21,0
FF - prefs.js: keyword.URL - hxxp://www.gobrs.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=jiMdHzFj&q=
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\jade xing\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\jade xing\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\jade xing\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
---- FIREFOX POLICIES ----
.
FF - user.js: browser.search.selectedEngine - Search
FF - user.js: keyword.URL - hxxp://www.gobrs.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=jiMdHzFj&q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, 1871b5a3-3fa7-43a3-b407-9b19347fdae8
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,BuzzdockTease,DropDownDeals,DropDownDeals,
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-16 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-4-16 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-4-16 20568]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 MpKsl1851ec07;MpKsl1851ec07;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4b048e08-2bf8-42c5-96c1-bc0615091621}\mpksl1851ec07.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4b048e08-2bf8-42c5-96c1-bc0615091621}\MpKsl1851ec07.sys [?]
S1 MpKsl258b9192;MpKsl258b9192;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{be88f695-85d2-4abc-8613-fed4030d807a}\mpksl258b9192.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{be88f695-85d2-4abc-8613-fed4030d807a}\MpKsl258b9192.sys [?]
S1 MpKsl6e85e19b;MpKsl6e85e19b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eb3031cb-9727-4f1c-b33b-376103f3afac}\mpksl6e85e19b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eb3031cb-9727-4f1c-b33b-376103f3afac}\MpKsl6e85e19b.sys [?]
S1 MpKslb353b479;MpKslb353b479;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ef93d587-b646-4b6a-938d-79a4ccd10cf6}\mpkslb353b479.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ef93d587-b646-4b6a-938d-79a4ccd10cf6}\MpKslb353b479.sys [?]
S1 MpKslc1bf2223;MpKslc1bf2223;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{704102c9-4ab2-436f-9021-a13d5757f48c}\mpkslc1bf2223.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{704102c9-4ab2-436f-9021-a13d5757f48c}\MpKslc1bf2223.sys [?]
S2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-10-3 44768]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\2.tmp [2011-6-30 6144]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2005-8-16 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 vsdatant;vsdatant; [x]
.
=============== File Associations ===============
.
chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1
.
=============== Created Last 30 ================
.
2011-12-24 18:25:33 -------- d-----w- C:\TechSpot Scans
2011-12-16 04:07:59 -------- d-----w- c:\documents and settings\jade xing\.bitrock
2011-12-16 04:02:47 645632 ----a-w- c:\windows\system32\xvidcore.dll
2011-12-16 04:02:47 240640 ----a-w- c:\windows\system32\xvidvfw.dll
2011-12-16 04:02:47 153088 ----a-w- c:\windows\system32\xvid.ax
2011-12-16 04:02:44 -------- d-----w- c:\program files\Xvid
2011-12-16 03:59:12 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll
2011-12-16 03:58:36 -------- d-----w- c:\program files\common files\xing shared
2011-12-16 03:58:16 150696 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2011-12-16 03:58:10 108544 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
2011-12-03 02:09:38 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-12-03 02:09:38 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-12-16 03:57:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-12-16 03:57:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-11-28 18:01:25 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 17:53:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-26 03:25:36 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-20 01:18:24 21073936 ----a-w- c:\program files\vlc-1.1.11-win32.exe
2011-10-15 00:38:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-07-01 02:23:16 1376832 ----a-w- c:\program files\sar_15_sfx.exe
2011-06-29 04:17:30 744853 ----a-w- c:\program files\PAVARK.exe
2011-06-24 00:06:39 13683064 ----a-w- c:\program files\Firefox Setup 5.0.exe
.
============= FINISH: 21:21:13.40 ===============
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 3/25/2007 6:16:32 PM
System Uptime: 12/28/2011 9:12:17 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0WG864
Processor: Intel(R) Pentium(R) 4 CPU 3.06GHz | Microprocessor | 3059/533mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 70 GiB total, 33.782 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1796: 11/12/2011 12:25:10 PM - System Checkpoint
RP1797: 11/13/2011 2:46:30 PM - System Checkpoint
RP1798: 11/14/2011 8:33:08 PM - System Checkpoint
RP1799: 11/15/2011 9:42:12 PM - System Checkpoint
RP1800: 11/17/2011 8:40:58 PM - System Checkpoint
RP1801: 11/18/2011 12:24:56 AM - Revo Uninstaller's restore point - Windows Internet Explorer 8
RP1802: 11/18/2011 12:42:41 AM - Installed Windows Internet Explorer 8.
RP1803: 11/18/2011 12:43:40 AM - Software Distribution Service 3.0
RP1804: 11/18/2011 2:28:18 AM - Software Distribution Service 3.0
RP1805: 11/19/2011 1:21:18 PM - Revo Uninstaller's restore point - Windows Internet Explorer 8
RP1806: 11/19/2011 1:30:25 PM - Revo Uninstaller's restore point - Microsoft .NET Framework 1.1
RP1807: 11/19/2011 1:31:02 PM - Removed Microsoft .NET Framework 1.1
RP1808: 11/20/2011 12:54:21 AM - Software Distribution Service 3.0
RP1809: 11/20/2011 10:55:55 AM - Software Distribution Service 3.0
RP1810: 11/21/2011 12:07:22 AM - Software Distribution Service 3.0
RP1811: 11/22/2011 12:10:54 AM - Software Distribution Service 3.0
RP1812: 11/24/2011 4:13:59 PM - System Checkpoint
RP1813: 11/26/2011 1:06:55 AM - System Checkpoint
RP1814: 11/27/2011 12:54:36 PM - System Checkpoint
RP1815: 11/28/2011 8:44:30 PM - System Checkpoint
RP1816: 11/30/2011 7:08:25 PM - System Checkpoint
RP1817: 12/1/2011 9:38:55 PM - System Checkpoint
RP1818: 12/2/2011 7:08:18 PM - Restore Operation
RP1819: 12/3/2011 9:27:52 PM - System Checkpoint
RP1820: 12/4/2011 10:12:42 PM - System Checkpoint
RP1821: 12/5/2011 10:23:29 PM - System Checkpoint
RP1822: 12/7/2011 6:31:46 PM - System Checkpoint
RP1823: 12/8/2011 8:27:36 PM - System Checkpoint
RP1824: 12/10/2011 9:05:51 AM - System Checkpoint
RP1825: 12/11/2011 9:41:38 AM - System Checkpoint
RP1826: 12/12/2011 7:02:59 PM - System Checkpoint
RP1827: 12/13/2011 7:24:16 PM - System Checkpoint
RP1828: 12/13/2011 11:38:34 PM - Software Distribution Service 3.0
RP1829: 12/15/2011 8:04:30 PM - System Checkpoint
RP1830: 12/17/2011 9:54:16 AM - System Checkpoint
RP1831: 12/18/2011 9:31:42 AM - Revo Uninstaller's restore point - avast! Free Antivirus
RP1832: 12/18/2011 10:02:19 PM - Restore Operation
RP1833: 12/18/2011 10:07:40 PM - Restore Operation
RP1834: 12/18/2011 10:12:50 PM - Restore Operation
RP1835: 12/18/2011 10:17:38 PM - Restore Operation
RP1836: 12/18/2011 10:25:41 PM - Restore Operation
RP1837: 12/18/2011 10:29:52 PM - Restore Operation
RP1838: 12/18/2011 10:35:24 PM - Restore Operation
RP1839: 12/19/2011 7:48:14 PM - Restore Operation
RP1840: 12/19/2011 9:05:20 PM - Restore Operation
RP1841: 12/19/2011 9:18:11 PM - Restore Operation
RP1842: 12/22/2011 9:37:20 PM - System Checkpoint
RP1843: 12/23/2011 5:48:56 PM - Before Merge NetBT Key
RP1844: 12/24/2011 7:24:21 PM - System Checkpoint
RP1845: 12/25/2011 10:31:22 PM - System Checkpoint
RP1846: 12/27/2011 6:29:04 PM - System Checkpoint
.
==== Installed Programs ======================
.
?????
Acrobat.com
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Reader 9.4.7
Adobe Shockwave Player 11
Apple Software Update
avast! Free Antivirus
CamGrab-2LE
CamGrab-2Plus
CCTVBox
CNTV ???????1.0.2.0
Comcast Desktop Software (v1.2.0.9)
Critical Update for Windows Media Player 11 (KB959772)
File Type Assistant
FinalTorrent 2011
Google Chrome
Google Talk Plugin
Google Toolbar for Internet Explorer
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
ImgBurn
Java Auto Updater
Java(TM) 6 Update 16
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.0 Hotfix (KB2572066)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - CHS
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - CHS
Microsoft .NET Framework 3.5 Language Pack SP1 - chs
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 ??? - ????
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Office File Validation Add-In
Microsoft Office Outlook Connector
Microsoft Office Small Business Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Move Networks Media Player for Internet Explorer
Mozilla Firefox 7.0.1 (x86 en-US)
MSVCRT
MSXML 4.0 SP2 (KB973688)
OpenOffice.org 3.2
PPSÓÎÏ· V1.0.1.298
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Revo Uninstaller 1.88
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB2586448)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Shop To Win
Sophos Anti-Rootkit 1.5.4
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.1.11
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Management Framework Core
Windows Search 4.0
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB2619340
Windows XP Media Center Edition 2005 KB973768
XML Paper Specification Shared Components Language Pack 1.0
Xvid Video Codec
Yahoo! Messenger
Yahoo! Software Update
Yontoo Layers Runtime 1.10.01
.
==== Event Viewer Messages From Past Week ========
.
12/28/2011 9:04:03 PM, error: Service Control Manager [7034] - The Yahoo! Updater service terminated unexpectedly. It has done this 1 time(s).
12/28/2011 9:03:23 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
12/25/2011 8:56:09 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 bf2cf595, parameter3 a25a6ba4, parameter4 00000000.
12/23/2011 5:27:00 PM, error: Service Control Manager [7034] - The Sygate Personal Firewall service terminated unexpectedly. It has done this 1 time(s).
12/23/2011 5:24:47 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd
12/23/2011 5:24:47 PM, error: Service Control Manager [7023] - The Network Security service terminated with the following error: The specified module could not be found.
12/23/2011 5:24:47 PM, error: Service Control Manager [7003] - The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT
12/23/2011 5:24:47 PM, error: Service Control Manager [7003] - The DHCP Client service depends on the following nonexistent service: NetBT
12/23/2011 5:24:47 PM, error: Service Control Manager [7000] - The Process Monitor service failed to start due to the following error: Access is denied.
.
==== End Of File ===========================
 
You're running two AV programs, Microsoft Security Essentials and Avast.
You must uninstall one of them.
If you want to keep Avast and it's not working right reinstall it.

Then...

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

=============================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.

**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Hi
Yeah I see in attacht.txt where it says Microsofte Antimalware is an installed program. It was not in my list of programs and Revo Uninstaller did not show it as a program either.
I did a search and found it and Microsoft Security Essentials in Documents under Microsoft Support. I tried to do Revo Uninstall on them but Revo gave me a message that there was no program associated with them so I deleted their folders. I uninstalled and reinstalled Avast and it works well now.
I will continuse with the clean up process,
 
combofix tells me that Microsoft Security Essentials is running when i try to use combo fix so i closed combo fix. I c/n find MSE on my computer in any programs list and a Search "microsoft security" on my c drive comes up blank. I d/n see mse on task magager. Where could it be coming from?? How do I get rid of the damn thing??
 
Well I did that against Combofixes warnings and it ran for over 1 1/2 hours rebooting and restatring itself several times but I think it was sucessful finally

aswrMBR log before Combofix

aswMBR version 0.9.9.1124 Copyright(c) 2011 AVAST Software
Run date: 2012-01-01 15:46:47
-----------------------------
15:46:47.248 OS Version: Windows 5.1.2600 Service Pack 3
15:46:47.248 Number of processors: 2 586 0x409
15:46:47.248 ComputerName: JADECOMPUTER UserName: Jade Xing
15:46:48.373 Initialize success
15:46:49.155 AVAST engine defs: 12010101
15:47:43.597 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2
15:47:43.597 Disk 0 Vendor: HDS72808 PF2O Size: 76293MB BusType: 3
15:47:43.612 Disk 0 MBR read successfully
15:47:43.628 Disk 0 MBR scan
15:47:43.628 Disk 0 unknown MBR code
15:47:43.628 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
15:47:43.643 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 71492 MB offset 80325
15:47:43.675 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 4753 MB offset 146496735
15:47:43.690 Disk 0 scanning sectors +156232125
15:47:43.753 Disk 0 scanning C:\WINDOWS\system32\drivers
15:47:57.441 Service scanning
15:47:57.926 Service .MpFilter \* **LOCKED** 123
15:47:57.942 Service .netbt \* **LOCKED** 123
15:47:58.973 Modules scanning
15:48:07.286 Module: C:\WINDOWS\System32\DLA\DLADResN.SYS **SUSPICIOUS**
15:48:08.614 Disk 0 trace - called modules:
15:48:08.646 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
15:48:08.646 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87371778]
15:48:08.661 3 CLASSPNP.SYS[f75b0fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-2[0x87372030]
15:48:08.958 AVAST engine scan C:\WINDOWS
15:48:33.241 AVAST engine scan C:\WINDOWS\system32
15:50:42.783 AVAST engine scan C:\WINDOWS\system32\drivers
15:50:56.316 AVAST engine scan C:\Documents and Settings\Jade Xing
15:55:19.992 File: C:\Documents and Settings\Jade Xing\Local Settings\Application Data\Google\Update\1.3.21.79\GoogleCrashHandler.exe **INFECTED** Win32:Malware-gen
16:03:38.852 AVAST engine scan C:\Documents and Settings\All Users
16:05:28.875 Scan finished successfully
16:05:58.252 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jade Xing\Desktop\MBR.dat"
16:05:58.267 The log file has been saved successfully to "C:\Documents and Settings\Jade Xing\Desktop\aswMBR.txt"


Combofix log

ComboFix 12-01-01.06 - Jade Xing 01/01/2012 23:02:47.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.440 [GMT -7:00]
Running from: c:\documents and settings\Jade Xing\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Sygate Personal Firewall *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\documents and settings\All Users\Application Data\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\Setup.ico
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\AVG\avi7.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\crt_x64.msi
c:\documents and settings\All Users\Application Data\TEMP\AVG\files.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\incavi.avm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_cz.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_da.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_fr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ge.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_hu.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_id.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_in.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_it.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_jp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ko.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ms.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_nl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pb.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ru.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sc.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sk.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_tr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_us.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zh.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\microavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\miniavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.ini
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupcz.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupda.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupfr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupge.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuphu.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupid.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupin.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupit.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupjp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupko.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupms.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupnl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuppb.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuppl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuppt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupru.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupsc.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupsk.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupsp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuptr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupus.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupzh.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupzt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\trialkey.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\vcredis1.cab
c:\documents and settings\All Users\Application Data\TEMP\AVG\vcredist.msi
c:\documents and settings\Jade Xing\Local Settings\Application Data\{C19C410A-38DF-492F-A87C-4A38115D65E6}
c:\documents and settings\Jade Xing\Local Settings\Application Data\{C19C410A-38DF-492F-A87C-4A38115D65E6}\chrome\content\_cfg.js
c:\documents and settings\Jade Xing\Local Settings\Application Data\{C19C410A-38DF-492F-A87C-4A38115D65E6}\chrome\content\overlay.xul
c:\documents and settings\Jade Xing\Local Settings\Application Data\{C19C410A-38DF-492F-A87C-4A38115D65E6}\install.rdf
c:\documents and settings\Jade Xing\WINDOWS
c:\program files\Shop to Win
c:\program files\Shop to Win\InstallNotifier.exe
c:\program files\Shop to Win\ProcessDetector.exe
c:\program files\Shop to Win\unins000.dat
c:\program files\Shop to Win\unins000.exe
c:\program files\Shop to Win\UnInstallPlugin.exe
C:\Thumbs.db
c:\windows\$NtUninstallKB23454$
c:\windows\$NtUninstallKB23454$\1205514026
c:\windows\$NtUninstallKB42081$
c:\windows\$NtUninstallKB42081$\100532649
c:\windows\$NtUninstallKB42081$\4163609525\@
c:\windows\$NtUninstallKB42081$\4163609525\bckfg.tmp
c:\windows\$NtUninstallKB42081$\4163609525\cfg.ini
c:\windows\$NtUninstallKB42081$\4163609525\Desktop.ini
c:\windows\$NtUninstallKB42081$\4163609525\keywords
c:\windows\$NtUninstallKB42081$\4163609525\kwrd.dll
c:\windows\$NtUninstallKB42081$\4163609525\L\pdmzmplg
c:\windows\$NtUninstallKB42081$\4163609525\lsflt7.ver
c:\windows\$NtUninstallKB42081$\4163609525\U\00000001.@
c:\windows\$NtUninstallKB42081$\4163609525\U\00000002.@
c:\windows\$NtUninstallKB42081$\4163609525\U\80000000.@
c:\windows\$NtUninstallKB42081$\4163609525\U\80000032.@
c:\windows\explorer(2).exe
c:\windows\kb913800.exe
c:\windows\struct~.ini
c:\windows\system32\1.tmp
c:\windows\system32\2.tmp
c:\windows\system32\msnphoto.scr
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\XSxS
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Service_.netbt
-------\Service_6to4
-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2
.
.
((((((((((((((((((((((((( Files Created from 2011-12-02 to 2012-01-02 )))))))))))))))))))))))))))))))
.
.
2011-12-31 18:11 . 2011-11-28 17:53 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-12-31 18:11 . 2011-11-28 17:51 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-12-31 18:11 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-12-31 18:11 . 2011-11-28 17:52 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-12-31 18:11 . 2011-11-28 17:52 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-12-31 18:11 . 2011-11-28 17:52 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-12-31 18:11 . 2011-11-28 17:51 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-12-31 18:11 . 2011-11-28 17:48 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-12-31 18:11 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2011-12-31 18:11 . 2011-11-28 18:01 199816 ----a-w- c:\windows\system32\aswBoot.exe
2011-12-24 18:25 . 2012-01-01 23:06 -------- d-----w- C:\TechSpot Scans
2011-12-19 00:50 . 2011-12-19 00:50 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2011-12-16 04:07 . 2011-12-16 04:07 -------- d-----w- c:\documents and settings\Jade Xing\.bitrock
2011-12-16 04:02 . 2011-05-30 13:42 240640 ----a-w- c:\windows\system32\xvidvfw.dll
2011-12-16 04:02 . 2011-05-23 09:52 153088 ----a-w- c:\windows\system32\xvid.ax
2011-12-16 04:02 . 2011-05-23 07:46 645632 ----a-w- c:\windows\system32\xvidcore.dll
2011-12-16 04:02 . 2011-12-16 04:09 -------- d-----w- c:\program files\Xvid
2011-12-16 03:59 . 2011-12-16 03:59 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2011-12-16 03:58 . 2011-12-16 03:58 -------- d-----w- c:\program files\Common Files\xing shared
2011-12-16 03:58 . 2011-12-16 03:58 150696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2011-12-16 03:58 . 2011-12-16 03:58 108544 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2011-12-16 03:57 . 2011-12-16 03:58 -------- d-----w- c:\program files\Real
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-16 03:57 . 2003-03-19 02:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-12-16 03:57 . 2003-02-21 10:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-11-26 03:25 . 2011-05-16 21:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:25 . 2005-08-16 10:18 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2005-08-16 10:18 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2005-08-16 10:18 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2005-08-16 10:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2005-08-16 10:18 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2005-08-16 10:18 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2005-08-16 10:18 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2005-08-16 10:18 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 04:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-20 01:18 . 2011-10-20 01:17 21073936 ----a-w- c:\program files\vlc-1.1.11-win32.exe
2011-10-15 00:38 . 2005-08-16 10:18 456192 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2005-08-16 10:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-07-01 02:23 . 2011-07-01 02:23 1376832 ----a-w- c:\program files\sar_15_sfx.exe
2011-06-29 04:17 . 2011-06-29 04:03 744853 ----a-w- c:\program files\PAVARK.exe
2011-06-24 00:06 . 2011-06-24 00:05 13683064 ----a-w- c:\program files\Firefox Setup 5.0.exe
2011-11-09 03:55 . 2011-06-24 00:08 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-06-03 20:36 . 2011-03-21 08:38 13696 ----a-w- c:\program files\mozilla firefox\components\CntvSpeedup.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-08-19 16:45 790304 ----a-w- c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]
"Desktop Software"="c:\program files\Common Files\supportsoft\bin\bcont.exe" [2009-04-24 1025320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-22 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-22 81920]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-16 2577632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-06-28 421888]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-12-16 296056]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-14 24576]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uusee\\UUSeePlayer.exe"=
"c:\\Documents and Settings\\Jade Xing\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Jade Xing\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\PPSGame\\PPSGame.exe"=
"c:\\Program Files\\cntv\\Speedup\\CNTVSpeedupper.exe"=
"c:\\Program Files\\FinalTorrent\\FinalTorrent.EXE"=
"c:\\Program Files\\FinalTorrent\\FTCheckForUpdates.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"86:TCP"= 86:TCP:BroadCam Web Server
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/31/2011 11:11 AM 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/31/2011 11:11 AM 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/31/2011 11:11 AM 20568]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 MpKsl1851ec07;MpKsl1851ec07;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4B048E08-2BF8-42C5-96C1-BC0615091621}\MpKsl1851ec07.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4B048E08-2BF8-42C5-96C1-BC0615091621}\MpKsl1851ec07.sys [?]
S1 MpKsl258b9192;MpKsl258b9192;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE88F695-85D2-4ABC-8613-FED4030D807A}\MpKsl258b9192.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE88F695-85D2-4ABC-8613-FED4030D807A}\MpKsl258b9192.sys [?]
S1 MpKsl6e85e19b;MpKsl6e85e19b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EB3031CB-9727-4F1C-B33B-376103F3AFAC}\MpKsl6e85e19b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EB3031CB-9727-4F1C-B33B-376103F3AFAC}\MpKsl6e85e19b.sys [?]
S1 MpKslb353b479;MpKslb353b479;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EF93D587-B646-4B6A-938D-79A4CCD10CF6}\MpKslb353b479.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EF93D587-B646-4B6A-938D-79A4CCD10CF6}\MpKslb353b479.sys [?]
S1 MpKslc1bf2223;MpKslc1bf2223;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{704102C9-4AB2-436F-9021-A13D5757F48C}\MpKslc1bf2223.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{704102C9-4AB2-436F-9021-A13D5757F48C}\MpKslc1bf2223.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/16/2005 3:18 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
bthsvc REG_MULTI_SZ btwdlns
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2012-01-02 c:\windows\Tasks\FinalTorrent Update Checker.job
- c:\program files\FinalTorrent\FTCheckForUpdates.exe [2011-10-08 21:24]
.
2012-01-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2166645397-1413220193-206111531-1006Core.job
- c:\documents and settings\Jade Xing\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-31 02:45]
.
2012-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2166645397-1413220193-206111531-1006UA.job
- c:\documents and settings\Jade Xing\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-31 02:45]
.
2012-01-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2166645397-1413220193-206111531-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 23:02]
.
2012-01-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2166645397-1413220193-206111531-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 23:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: ??UUSee?? - c:\program files\uusee\geturltodown.htm
IE: ??UUSee???? - c:\program files\uusee\geturltoplay.htm
IE: {{998A88A0-A355-809B-831C-B83A80000991} - http://www.henkuai.com/?from=iebannel
Trusted Zone: intuit.com\ttlc
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\documents and settings\Jade Xing\Application Data\Mozilla\Firefox\Profiles\srzwt60x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.search.yahoo.com/?fr=w3i&type=W3i_SP,205,0_0,StartPage,20111041,16900,0,21,0
FF - prefs.js: keyword.URL - hxxp://www.gobrs.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=jiMdHzFj&q=
FF - user.js: keyword.URL - hxxp://www.gobrs.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=jiMdHzFj&q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, 1871b5a3-3fa7-43a3-b407-9b19347fdae8
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,BuzzdockTease,DropDownDeals,DropDownDeals,
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
URLSearchHooks-EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
URLSearchHooks-{EEE6C35D-6118-11DC-9C72-001320C79847} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
Notify-btwdlns - btwdiw32.dll
Notify-SMPv - btwdiw32.dll
Notify-âBs$U - btwdiw32.dll
SafeBoot-MsMpSvc
AddRemove-AddressBar - c:\program files\Baidu\AddressBar\ASBarBroker.exe
AddRemove-CCTVBox - c:\documents and settings\Jade Xing\Local Settings\Temporary Internet Files\Content.IE5\Q16JYRBV\CCTVRegOcx[1].exe
AddRemove-{50D9C7D1-86C4-4982-A47E-D490C70A1C7D}_is1 - c:\program files\Shop To Win\unins000.exe
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{889DF~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-02 00:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.MpFilter]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9e,5b,0f,31,36,0a,3a,46,b3,13,04,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9e,5b,0f,31,36,0a,3a,46,b3,13,04,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2620)
c:\windows\system32\WININET.dll
c:\windows\system32\SSSensor.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SPF\smc.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\eHome\ehmsas.exe
c:\windows\stsystra.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2012-01-02 00:19:18 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-02 07:19
.
Pre-Run: 29,994,795,008 bytes free
Post-Run: 33,880,727,552 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center" /NoExecute=Optin /fastdetect
.
- - End Of File - - AD3614AF087BA45F525DE271E8D5D7C7
 
You must log in or register to reply here.

Similar threads

R
  • Locked
Inactive [A] Fixed Xp Antivirus 2012 can't c/n to internet
Replies
23
Views
4K
Broni
Broni
T
Solved Have 'antivirus security pro' virus and copying logs for review
Replies
21
Views
5K
Broni
Broni
T
  • Locked
Solved XP Antivirus 2012 supposedly fixed, but now ping.exe and browser redirect issues
2
Replies
27
Views
10K
Bobbye
Bobbye

Latest posts

Back