CPU@100%;Onecare won't open;ho-ho-ho!



reedj66
2009-12-17, 06:59
Greetings all. My PC has been hit with something that has resulted in the following:
CPU spinning constantly at or near 100%
Onecare seems to be running but it won't open
Tried to boot into safe mode - it crashed and gave a "0x0000007e" error msg
Routine programs show as "running" in the task manager, but they just ramp up the CPU more and won't open.

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:40 PM, on 12/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Orb Networks\Orb\bin\OrbMediaService.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Microsoft Windows OneCare Live\WinSSIntro.exe
C:\Program Files\Microsoft Windows OneCare Live\WinSSUI.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.79.19.224:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (file missing)
O1 - Hosts: ::1 localhost
O1 - Hosts: ??????????????? browser-security.microsoft.com
O1 - Hosts: ??????????????? spywareprotector-2009.com
O1 - Hosts: ??????????????? www.spywareprotector-2009.com
O1 - Hosts: ??????????????? secure.spywareprotector-2009.com
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (file missing)
O2 - BHO: CacherBHO - {9B4DF450-DCC7-4B07-935D-0CD757A64583} - C:\Program Files\Moyea\YouTube FLV Downloader\MoyeaCatcher.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbLauncher.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.playhub.com/racing-games/116/Motocross-Urban-Fever.html"
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.modthesims2.com
O15 - Trusted Zone: *.thesimsresource.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.8.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135834653062
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {CAFECAFE-0013-0001-0026-ABCDEFABCDEF} (JInitiator 1.3.1.26) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5125/mcfscan.cab
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: OrbMediaService - Orb Networks - C:\Program Files\Orb Networks\Orb\bin\OrbMediaService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WMDM PMSP Service WMDMNetDDE (WMDMNetDDE) - Unknown owner - C:\WINDOWS\system32\algs.exe (file missing)

--
End of file - 13681 bytes
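One way to automate a first pass over a log like this, as an added example that is not part of the thread and not a HijackThis feature: the line formats are HijackThis 2.0.2's as the post shows them, the sample lines are copied from the log above (with constructed placeholder addresses on the O1 lines, since the log shows them garbled), and the three triage rules are my own assumptions about what deserves a second look rather than a verdict on any entry.

```python
"""First-pass triage of a HijackThis 2.0.2 log.

Added example, not from the thread. Line formats are as the log above shows
them; the triage rules are my own and only mark entries worth a second look.
"""
import re

# Matches the 'O23 - ...' / 'R1 - ...' lead that every HJT finding line has.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Constructed sample: lines copied from the log in the post. The log shows the
# hosts-file addresses garbled, so 192.0.2.1 below is a placeholder, not the
# real value.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.79.19.224:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O1 - Hosts: 192.0.2.1 browser-security.microsoft.com
O1 - Hosts: 192.0.2.1 spywareprotector-2009.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: WMDM PMSP Service WMDMNetDDE (WMDMNetDDE) - Unknown owner - C:\WINDOWS\system32\algs.exe (file missing)
"""


def parse_hjt(text):
    """Yield (code, body) for each finding line; headers and process lists are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body")


def triage(text):
    """Return a list of (code, rule, detail) tuples for entries worth a second look."""
    findings = []
    for code, body in parse_hjt(text):
        # Rule 1: a per-user proxy pointed somewhere other than the local host
        # silently routes every IE request through that address.
        if code in ("R0", "R1") and ",ProxyServer = " in body:
            value = body.split(",ProxyServer = ", 1)[1].strip()
            if value and not value.startswith(("127.", "localhost")):
                findings.append((code, "user proxy set", value))
        # Rule 2: hosts-file entries for anything but localhost are overrides
        # that can keep security sites from resolving to their real servers.
        elif code == "O1" and body.startswith("Hosts: "):
            parts = body[len("Hosts: "):].split()
            if len(parts) >= 2 and parts[1].lower() != "localhost":
                findings.append((code, "hosts override", " ".join(parts[:2])))
        # Rule 3: a registered service, hook or BHO whose binary is gone is
        # either leftover cruft or something a cleaner already removed.
        if body.endswith("(file missing)") or body.endswith("(no file)"):
            findings.append((code, "binary missing", body))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_LOG
    for code, rule, detail in triage(text):
        print("%-4s %-16s %s" % (code, rule, detail))
```

Run it with a saved hijackthis.log as the only argument, or with no argument to see the six findings the sample above produces. The rules deliberately stop at "worth a look": the ProxyServer value is the one entry in this log that sends traffic somewhere, the hosts lines explain why security sites would fail to load, and the missing-file entries are the ones a cleanup tool would normally be asked to remove.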

Blade81
2009-12-21, 21:16
Hi,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double-click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.


Download GMER (http://www.gmer.net) here by clicking the "download exe" button and then saving it to your desktop:
Double-click the .exe that you downloaded.
Click the rootkit tab and then Scan.
Don't check the "Show All" box while scanning is in progress!
When scanning is ready, click Copy.
This copies the log to the clipboard.
Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply.

reedj66
2009-12-22, 01:58
Thanks for your reply. I actually anticipated this request and have these stored on the PC.

Unfortunately, after the Malware scan I selected to repair the "errors" found and am now unable to reboot but instead see a pretty blue screen.

I am unable to boot into safe mode.

The BSOD shows an "0x0000007b" error message. I am able to access the XP recovery console - can I access the txt files from there? I haven't attempted any fixes using the Recovery Console commands. Please advise on how to proceed.

Thanks!

Blade81
2009-12-22, 09:40
Hi,

We may be able to get the system back alive but need some information first. What is the model of infected computer?

reedj66
2009-12-23, 00:01
Thanks for your help. I have a Dell Dimension E510.

Blade81
2009-12-23, 16:28
Hi,

Reboot to the recovery console and run the following commands. Note down the results for each of the two dir commands below:
set AllowAllPaths = true
c:
cd\
dir /s/a iastor.sys
dir /s/a atapi.sys

reedj66
2009-12-24, 19:32
Blade81,

I entered:

set AllowAllPaths = true

I received:

The SET command is currently disabled. The SET command is an optional Recovery Console Command than can only be enabled by using the Security Configuration and Analysis snap-in.


I stopped there because I am way out of my range of knowledge and don't want to make anything worse.

Thanks again for your help. I'll be travelling to my in-laws today and won't return until tomorrow night. Have a Merry Christmas. I can't thank you enough for helping me.

reedj66
2009-12-24, 21:53
I forgot to add that I am a bit confused as to exactly what I am supposed to enter.

For instance, when I boot into the recovery console I am in the C:\windows directory. Am I trying to switch to the C:\ directory with this string -
c:
cd\

Am I trying to find the two .sys files here?

dir /s/a iastor.sys
dir /s/a atapi.sys

Blade81
2009-12-25, 10:25
Merry Christmas to you too :)

Let's skip over that set command.


For instance, when I boot into the recovery console I am in the C:\windows directory. Am I trying to switch to the C:\ directory with this string -
c:
cd\
Yes.


Am I trying to find the two .sys files here?

dir /s/a iastor.sys
dir /s/a atapi.sys
Correct. We need to find all available instances for those files.

reedj66
2009-12-27, 01:19
I don't know the syntax to use the commands you suggested.

I can't find the "iastor.sys" file, but I've only searched in the c:\windows\system32\drivers directory.

I have the following instances of the "atapi.sys" file in the "c:\windows\system32\drivers" location:

DATE TIME ATTRIBUTE NAME
12/17/09 08:56p -a------ atapi.sys
12/17/09 06:05p --------- atapi.sys02FC62AC
12/17/09 06:05p --------- atapi.sys16F2AA30
12/17/09 06:09p --------- atapi.sys1EE5C01E
12/17/09 07:18p --------- atapi.sys2504212F
12/17/09 06:04p --------- atapi.sys68FB2559
12/17/09 11:09a -a------- atapi.sys801A9441
12/17/09 06:55p --------- atapi.sysD0169EBC
12/17/09 06:32p --------- atapi.sysD598D5B0

Blade81
2009-12-27, 11:52
I don't know the syntax to use the commands you suggested.
Did these commands (inputted one after another) throw out any errors:
cd\
dir /s/a iastor.sys
dir /s/a atapi.sys


I can't find the "iastor.sys" file, but I've only searched int the c:windows\system32\drivers directory.
How about iastorv.sys? Is it present there?

reedj66
2009-12-30, 21:54
Did these commands (inputted one after another) throw out any errors:
cd\
dir /s/a iastor.sys
dir /s/a atapi.sys

The pc boots into the c:\windows directory. When I enter

cd\

the message returned is

The command is not recognized. Type HELP for a list of supported commands.

When I enter

dir /s/a iastor.sys

the message returned is

The parameter is not valid. Try /? for help.

When I enter

dir /s/a atapi.sys

the message returned is

The parameter is not valid. Try /? for help.

I cannot find any instances of the iastor.sys file.

Blade81
2009-12-30, 22:17
Hi,

Do you have your Windows XP installation media available (which edition does the infected system have, Home or Professional)?

reedj66
2009-12-31, 05:31
Yes, I do have the installation media. The system uses XP Media Center edition.

Blade81
2009-12-31, 10:13
Good. Let's try to create a boot cd. Instructions can be found here (http://www.ubcd4win.com/howto.htm).

If you use Dell cd then refer here (http://www.ubcd4win.com/faq.htm#dell) if issues arise.

reedj66
2010-01-02, 00:06
Well, I'm having trouble creating the boot disc.
Here is my post on the UBCD4Win forum:

http://ubcd4win.com/forum/index.php?showtopic=14236

Blade81
2010-01-02, 16:10
Do you have non-Dell XP media handy, or could you borrow some? I had a similar case some time ago and the user decided to use non-Dell media.

reedj66
2010-01-02, 17:08
I'll ask my friends and coworkers. I don't have one here. Is there any site that I can download the necessary files from?

I bought a SATA/IDE to USB adapter yesterday. This would allow me to backup the data from the hard drive and reinstall the OS. Do you think I should go this route?

Blade81
2010-01-02, 19:34
So you're able to access the drive contents by plugging it into a USB port of the other system? If so, that means we won't need to create a boot cd.

reedj66
2010-01-02, 20:08
I haven't tried yet. It worked on my daughter's laptop SATA drive. I'm recovering her music files before I send the laptop to Toshiba. It's under warranty so they'll just replace the drive.

I'll take the drive out of the desktop and let you know what I am able to access.

reedj66
2010-01-03, 17:39
It looks like I can access everything on the drive. I'm backing up data now, so if the only resolution is to reinstall and lose everything, that will be fine too. I just want to be sure that whatever caused the infection is lost as well.

Blade81
2010-01-03, 19:10
Ok. Let's see if we can fix the issue.

Go to the command prompt (click Start -> Run, type cmd.exe and hit Enter). Note: In the two commands below, replace X: with the drive letter that the plugged-in drive uses.
dir /s/a x:\iastor.sys >>"%userprofile%\desktop\locations.txt"
dir /s/a x:\atapi.sys>>"%userprofile%\desktop\locations.txt"

After those two commands there should be locations.txt file on your desktop. Post back the contents of it.

reedj66
2010-01-04, 05:18
iastor.sys locations.txt:

File Not Found

atapi.sys locations.txt:



Volume in drive F has no label.
Volume Serial Number is D860-6B13
Volume in drive F has no label.
Volume Serial Number is D860-6B13

Directory of f:\i386

08/03/2004 10:59 PM 95,360 atapi.sys
1 File(s) 95,360 bytes

Directory of f:\WINDOWS\ServicePackFiles\i386

04/13/2008 12:40 PM 96,512 atapi.sys
1 File(s) 96,512 bytes

Directory of f:\WINDOWS\system32\drivers

12/17/2009 07:56 PM 96,512 atapi.sys
1 File(s) 96,512 bytes

Directory of f:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386

08/03/2004 10:59 PM 95,360 atapi.sys
1 File(s) 95,360 bytes

Directory of f:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\i386

08/03/2004 10:59 PM 95,360 atapi.sys
1 File(s) 95,360 bytes

Total Files Listed:
5 File(s) 479,104 bytes
0 Dir(s) 15,817,609,216 bytes free

Blade81
2010-01-04, 08:06
Hi,

Please upload f:\WINDOWS\system32\drivers\atapi.sys file to http://www.virustotal.com and post back the results.

reedj66
2010-01-04, 23:35
I tried to, but it said I didn't have permission to access the file and then my laptop antivirus said it detected the same Alureon.F infection!! What do I do now?

Blade81
2010-01-04, 23:47
Hi,

Type these two commands in command prompt:

copy /y f:\WINDOWS\system32\drivers\atapi.sys f:\WINDOWS\system32\drivers\atapi.sys.vir
copy /y f:\WINDOWS\ServicePackFiles\i386\atapi.sys f:\WINDOWS\system32\drivers\atapi.sys

If that went without problems, plug the hard drive into the other system and see if you're able to reboot.
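The replacement above works because the Service Pack cache still holds an untouched copy of the driver. The telling detail earlier in the thread is that the copy in system32\drivers had exactly the same size (96,512 bytes) as that clean copy but a fresh timestamp, which is what a system driver patched in place looks like; the older 95,360-byte copies under i386 and ReinstallBackups are simply a different build. The script below, an added example that is neither Blade81's procedure nor any tool from the thread, does that comparison by SHA-256 over a disk mounted offline on a trusted machine, as the drive was here. It assumes the WINDOWS\ServicePackFiles\i386 copy is the clean reference (the same assumption the thread made), and its demo builds a constructed sample tree with made-up file contents.

```python
"""Find every copy of a Windows driver on an offline (USB-mounted) disk and
compare each one by SHA-256 against a reference copy.

Added example (not from the thread). Assumption: on an XP disk the copy under
WINDOWS\\ServicePackFiles\\i386 is the clean reference, as the thread used it.
Usage: python check_driver_copies.py F:\\ atapi.sys   (no arguments: run the demo)
"""
import hashlib
import os
import shutil
import sys
import tempfile

REFERENCE_SUBPATH = os.path.join("WINDOWS", "ServicePackFiles", "i386")  # assumption


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so a large driver need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, filename):
    """All paths under root named filename (case-insensitive): what
    'dir /s/a filename' gave the thread, but walked from a trusted host OS."""
    wanted = filename.lower()
    return sorted(
        os.path.join(dirpath, f)
        for dirpath, _dirs, files in os.walk(root)
        for f in files
        if f.lower() == wanted
    )


def classify_copies(root, filename, reference_subpath=REFERENCE_SUBPATH):
    """Map each copy to 'reference', 'clean', 'different-version',
    'same-size-different-hash' (the in-place patch signature) or 'unreadable'."""
    ref_dir = os.path.normcase(os.path.normpath(os.path.join(root, reference_subpath)))
    copies = find_copies(root, filename)
    refs = [p for p in copies
            if os.path.normcase(os.path.normpath(os.path.dirname(p))) == ref_dir]
    if not refs:
        raise FileNotFoundError("no reference copy under %s" % reference_subpath)
    ref_path = refs[0]
    ref_size, ref_hash = os.path.getsize(ref_path), sha256_of(ref_path)
    verdicts = {}
    for p in copies:
        if p == ref_path:
            verdicts[p] = "reference"
            continue
        try:
            digest = sha256_of(p)
        except OSError as exc:
            # The host's own AV may block the read, as happened in the thread.
            verdicts[p] = "unreadable (%s)" % exc.__class__.__name__
            continue
        if digest == ref_hash:
            verdicts[p] = "clean"
        elif os.path.getsize(p) == ref_size:
            verdicts[p] = "same-size-different-hash"
        else:
            verdicts[p] = "different-version"
    return verdicts


def run_constructed_demo():
    """Build a constructed mini disk tree in a temp directory, classify it and
    return {relative path with '/' separators: verdict}. Bytes are made up; only
    the size/hash relationships between the copies matter."""
    base = tempfile.mkdtemp(prefix="offline-disk-")
    try:
        clean = b"MZ" + b"\x00" * 998                   # 1000-byte stand-in driver
        patched = clean[:-8] + b"\xde\xad\xbe\xef" * 2  # same size, last 8 bytes changed
        older = clean[:900]                             # a shorter, different build
        samples = {
            "WINDOWS/ServicePackFiles/i386/atapi.sys": clean,
            "WINDOWS/system32/drivers/atapi.sys": patched,
            "i386/atapi.sys": older,
            "WINDOWS/system32/ReinstallBackups/0004/DriverFiles/i386/atapi.sys": older,
        }
        for rel, data in samples.items():
            path = os.path.join(base, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        verdicts = classify_copies(base, "atapi.sys")
        return {os.path.relpath(p, base).replace(os.sep, "/"): v
                for p, v in verdicts.items()}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    results = (classify_copies(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3
               else run_constructed_demo())
    for path, verdict in results.items():
        print("%-26s %s" % (verdict, path))
```

A copy that hashes like the reference is fine wherever it sits; a copy of a different size is usually an older build and is worth a version check rather than alarm; a copy of identical size with a different hash is the case to treat as suspect and submit for a second opinion, which is what the VirusTotal step above did. Reading the drive from another machine matters because a kernel-mode rootkit on the infected system can hide or fake the file when it is running.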

reedj66
2010-01-05, 03:20
I don't know if these are connected, but when I entered the first command I received an "Access is denied." message in the command prompt window and, I guess since the file is infected, my antivirus software popped up an infected file warning.

I entered the second command and received a "1 file<s> copied." message in return. I'm waiting for your reply before putting the drive back into the other system and trying to reboot.

reedj66
2010-01-05, 05:53
I went ahead and gave it a try...success!!!!!


Thanks a lot for your help. Windows Live Onecare did find three instances of the alureon.f infection. Is there anything else I should do to remove this root kit?

Blade81
2010-01-05, 10:51
Good :)

Let's return to those instructions in post #2 (http://forums.spybot.info/showpost.php?p=352451&postcount=2).

reedj66
2010-01-06, 05:33
The GMER program keeps locking up the system. I'll try again tomorrow when I have more time.

Here are the DDS logs:

DDS.txt

DDS (Ver_09-09-29.01) - NTFSx86
Run by Debbie at 21:26:59.32 on Tue 01/05/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.365 [GMT -6:00]

AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Orb Networks\Orb\bin\OrbMediaService.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Windows OneCare Live\WinSSNotify.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\ehome\EHTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Debbie\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 202.79.19.224:8080
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 3.0\aoltb.dll
uURLSearchHooks: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
mURLSearchHooks: H - No File
BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: CatcherBHO Class: {9b4df450-dcc7-4b07-935d-0cd757a64583} - c:\program files\moyea\youtube flv downloader\MoyeaCatcher.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 3.0\aoltb.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0983.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.playhub.com/racing-games/116/Motocross-Urban-Fever.html"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10c.exe
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Orb] "c:\program files\orb networks\orb\bin\OrbLauncher.exe" /background
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\debbie\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 3.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: modthesims2.com
Trusted Zone: thesimsresource.com
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} - hxxp://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.8.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135834653062
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {CAFECAFE-0013-0001-0026-ABCDEFABCDEF}
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5125/mcfscan.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R2 ochealthmon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2009-7-9 26104]
S1 7b6ace4b;7b6ace4b;c:\windows\system32\drivers\7b6ace4b.sys [2009-2-1 0]
S1 goxrupcz;goxrupcz;c:\windows\system32\drivers\goxrupcz.sys [2010-1-4 30784]
S1 kxmzgwcj;kxmzgwcj;c:\windows\system32\drivers\kxmzgwcj.sys [2010-1-4 30784]
S1 lzjzceqs;lzjzceqs;c:\windows\system32\drivers\lzjzceqs.sys [2010-1-5 30784]
S1 pijybqsv;pijybqsv;c:\windows\system32\drivers\pijybqsv.sys [2010-1-4 30784]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
S2 WMDMNetDDE;WMDM PMSP Service WMDMNetDDE;c:\windows\system32\algs.exe srv --> c:\windows\system32\algs.exe srv [?]
S3 crtaud;Conexant Riptide WDM Audio Driver;c:\windows\system32\drivers\crtaud.sys [2006-2-7 42112]
S3 PsSdk30;PsSdk30;\??\c:\windows\system32\drivers\pssdk30.drv --> c:\windows\system32\drivers\PsSdk30.drv [?]
S3 rpfun;Conexant Riptide Dummy Driver;c:\windows\system32\drivers\rpfun.sys [2006-2-7 3840]
S3 rthwcls;Conexant Riptide Bus / Firmware Downloader;c:\windows\system32\drivers\rthwcls.sys [2006-2-7 30720]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S3 w600bus;Sony Ericsson W600 driver (WDM);c:\windows\system32\drivers\w600bus.sys [2005-8-15 60928]
S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;c:\windows\system32\drivers\w600mdfl.sys [2005-8-15 8336]
S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;c:\windows\system32\drivers\w600mdm.sys [2005-8-15 96672]
S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;c:\windows\system32\drivers\w600mgmt.sys [2005-8-15 88080]
S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\w600obex.sys [2005-8-15 85952]
S4 WinDefend;Windows Defender Service;c:\program files\windows defender\MsMpEng.exe [2006-4-3 14032]

=============== Created Last 30 ================

2010-01-05 13:39 30,784 a------- c:\windows\system32\drivers\lzjzceqs.sys
2010-01-05 13:39 96,512 -------- c:\windows\system32\drivers\OLDCF.tmp86FDD9CA
2010-01-05 13:39 96,512 -------- c:\windows\system32\drivers\OLDCB.tmp49AA6F7F
2010-01-05 13:39 96,512 -------- c:\windows\system32\drivers\OLDD5.tmp8A23669B
2010-01-04 23:26 30,784 a------- c:\windows\system32\drivers\goxrupcz.sys
2010-01-04 23:26 96,512 -------- c:\windows\system32\drivers\OLDD5.tmp01965FF8
2010-01-04 23:26 96,512 -------- c:\windows\system32\drivers\OLDCF.tmp1DFCADCA
2010-01-04 23:26 96,512 -------- c:\windows\system32\drivers\OLDCB.tmpBB6D007A
2010-01-04 22:52 30,784 a------- c:\windows\system32\drivers\pijybqsv.sys
2010-01-04 22:52 96,512 -------- c:\windows\system32\drivers\OLDD5.tmp375908E6
2010-01-04 22:52 96,512 -------- c:\windows\system32\drivers\OLDCF.tmp0D9E4B78
2010-01-04 22:52 96,512 -------- c:\windows\system32\drivers\OLDCB.tmpAF8BBD9E
2010-01-04 21:11 30,784 a------- c:\windows\system32\drivers\kxmzgwcj.sys
2010-01-04 21:11 96,512 -------- c:\windows\system32\drivers\OLDD5.tmp6124E347
2010-01-04 21:11 96,512 -------- c:\windows\system32\drivers\OLDCF.tmpDA0C4A10
2010-01-04 21:11 96,512 -------- c:\windows\system32\drivers\OLDCB.tmp2A5C00A4
2010-01-03 09:53 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-12-17 19:55 54,016 a------- c:\windows\system32\drivers\gijakd.sys
2009-12-17 18:18 30,784 a------- c:\windows\system32\drivers\lkizrmrl.sys
2009-12-17 18:18 96,512 -------- c:\windows\system32\drivers\atapi.sys2504212F
2009-12-17 17:55 30,784 a------- c:\windows\system32\drivers\vfmqshmq.sys
2009-12-17 17:55 96,512 -------- c:\windows\system32\drivers\atapi.sysD0169EBC
2009-12-17 17:32 30,784 a------- c:\windows\system32\drivers\qjrmyofx.sys
2009-12-17 17:32 96,512 -------- c:\windows\system32\drivers\atapi.sysD598D5B0
2009-12-17 17:10 30,784 a------- c:\windows\system32\drivers\lhzctitx.sys
2009-12-17 17:09 30,784 a------- c:\windows\system32\drivers\mzkmlxpt.sys
2009-12-17 17:09 96,512 -------- c:\windows\system32\drivers\atapi.sys1EE5C01E
2009-12-17 17:07 195,456 -------- c:\windows\system32\MpSigStub.exe
2009-12-17 17:05 30,784 a------- c:\windows\system32\drivers\mnjlxcfc.sys
2009-12-17 17:05 96,512 -------- c:\windows\system32\drivers\atapi.sys16F2AA30
2009-12-17 17:05 30,784 a------- c:\windows\system32\drivers\ymgefrrq.sys
2009-12-17 17:05 96,512 -------- c:\windows\system32\drivers\atapi.sys02FC62AC
2009-12-17 17:04 30,784 a------- c:\windows\system32\drivers\hyjtlcss.sys
2009-12-17 17:04 96,512 -------- c:\windows\system32\drivers\atapi.sys68FB2559
2009-12-17 10:09 96,512 a------- c:\windows\system32\drivers\OLDD5.tmp56A07E91
2009-12-17 10:09 96,512 a------- c:\windows\system32\drivers\OLDCF.tmp24B47EE8
2009-12-17 10:09 96,512 a------- c:\windows\system32\drivers\OLDCB.tmp1EB8E9B0
2009-12-17 10:09 96,512 a------- c:\windows\system32\drivers\atapi.sys801A9441
2009-12-17 10:09 30,784 a------- c:\windows\system32\drivers\qrtbknlf.sys
2009-12-17 00:17 96,512 -------- c:\windows\system32\drivers\OLDD5.tmp
2009-12-17 00:17 96,512 -------- c:\windows\system32\drivers\OLDCF.tmp
2009-12-17 00:17 96,512 -------- c:\windows\system32\drivers\OLDCB.tmp
2009-12-16 22:17 <DIR> --d----- c:\program files\Trend Micro
2009-12-16 00:09 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-12-16 00:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2009-12-03 16:14 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-28 08:40 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-20 23:38 75,776 a------- c:\windows\system32\strmfilt.dll
2009-10-20 23:38 25,088 a------- c:\windows\system32\httpapi.dll
2009-10-20 23:38 75,776 -------- c:\windows\system32\dllcache\strmfilt.dll
2009-10-20 23:38 25,088 -------- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 10:20 265,728 -------- c:\windows\system32\dllcache\http.sys
2009-10-13 04:30 270,336 a------- c:\windows\system32\oakley.dll
2009-10-13 04:30 270,336 -------- c:\windows\system32\dllcache\oakley.dll
2009-10-12 07:38 149,504 a------- c:\windows\system32\rastls.dll
2009-10-12 07:38 149,504 -------- c:\windows\system32\dllcache\rastls.dll
2009-10-12 07:38 79,872 a------- c:\windows\system32\raschap.dll
2009-10-12 07:38 79,872 -------- c:\windows\system32\dllcache\raschap.dll
2009-10-11 04:17 411,368 a------- c:\windows\system32\deploytk.dll
2007-04-23 20:37 251 a------- c:\program files\wt3d.ini
2005-11-29 05:55 4,068 a--sh--- c:\windows\rreg64.dll
2005-11-29 05:55 5,295 a--sh--- c:\windows\utapi64.dll
2009-07-08 16:59 16,384 a--sh--- c:\windows\system32\1033c.dll
2009-08-13 21:14 56 ---shr-- c:\windows\system32\A6517EDF5F.sys
2008-03-19 21:27 88 ---shr-- c:\windows\system32\C40CC714AE.sys
2009-08-13 21:14 6,060 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 21:27:56.80 ===============

Attach.txt


DDS (Ver_09-09-29.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/28/2005 6:07:26 PM
System Uptime: 1/5/2010 3:08:21 AM (18 hours ago)

Motherboard: Dell Inc. | | 0KF623
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 144 GiB total, 13.963 GiB free.
D: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0001
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0001
Service: CVirtA

==== System Restore Points ===================

RP1815: 10/8/2009 8:30:35 AM - System Checkpoint
RP1816: 10/9/2009 8:34:28 AM - System Checkpoint
RP1817: 10/10/2009 8:39:58 AM - System Checkpoint
RP1818: 10/11/2009 2:56:18 PM - System Checkpoint
RP1819: 10/12/2009 4:08:01 PM - System Checkpoint
RP1820: 10/13/2009 4:30:08 PM - System Checkpoint
RP1821: 10/15/2009 3:00:52 AM - Software Distribution Service 3.0
RP1822: 10/26/2009 10:39:46 AM - System Checkpoint
RP1823: 10/27/2009 10:48:03 AM - System Checkpoint
RP1824: 10/28/2009 10:53:23 AM - System Checkpoint
RP1825: 10/29/2009 12:10:07 PM - System Checkpoint
RP1826: 10/31/2009 9:59:31 AM - System Checkpoint
RP1827: 11/1/2009 10:49:28 AM - System Checkpoint
RP1828: 11/2/2009 12:13:35 PM - System Checkpoint
RP1829: 11/2/2009 5:28:28 PM - Installed Java(TM) 6 Update 15
RP1830: 11/4/2009 9:02:15 AM - System Checkpoint
RP1831: 11/5/2009 7:50:41 AM - Software Distribution Service 3.0
RP1832: 11/6/2009 8:36:08 AM - System Checkpoint
RP1833: 11/7/2009 8:39:37 AM - System Checkpoint
RP1834: 11/8/2009 8:30:52 AM - System Checkpoint
RP1835: 11/9/2009 9:21:10 AM - System Checkpoint
RP1836: 11/10/2009 9:25:07 AM - System Checkpoint
RP1837: 11/10/2009 10:59:20 PM - Software Distribution Service 3.0
RP1838: 11/11/2009 5:32:36 PM - Installed Java(TM) 6 Update 17
RP1839: 11/12/2009 6:42:45 PM - System Checkpoint
RP1840: 11/15/2009 4:04:56 PM - System Checkpoint
RP1841: 11/17/2009 8:18:25 AM - System Checkpoint
RP1842: 11/18/2009 9:34:40 AM - System Checkpoint
RP1843: 11/19/2009 9:53:28 AM - System Checkpoint
RP1844: 11/20/2009 9:53:53 AM - System Checkpoint
RP1845: 11/21/2009 4:38:32 PM - System Checkpoint
RP1846: 11/22/2009 5:40:22 PM - System Checkpoint
RP1847: 11/23/2009 6:31:37 PM - System Checkpoint
RP1848: 11/24/2009 6:35:16 PM - System Checkpoint
RP1849: 11/25/2009 7:28:27 PM - System Checkpoint
RP1850: 11/26/2009 8:21:29 AM - Software Distribution Service 3.0
RP1851: 11/27/2009 4:40:44 PM - System Checkpoint
RP1852: 11/28/2009 5:35:05 PM - System Checkpoint
RP1853: 11/29/2009 5:47:11 PM - System Checkpoint
RP1854: 11/30/2009 7:43:27 PM - System Checkpoint
RP1855: 12/1/2009 8:03:01 PM - System Checkpoint
RP1856: 12/2/2009 8:48:58 PM - System Checkpoint
RP1857: 12/3/2009 9:23:44 PM - System Checkpoint
RP1858: 12/4/2009 10:17:13 PM - System Checkpoint
RP1859: 12/5/2009 11:00:11 PM - System Checkpoint
RP1860: 12/7/2009 6:04:10 PM - System Checkpoint
RP1861: 12/8/2009 8:59:35 PM - System Checkpoint
RP1862: 12/9/2009 9:26:51 PM - System Checkpoint
RP1863: 12/10/2009 6:36:27 AM - Software Distribution Service 3.0
RP1864: 12/11/2009 8:51:25 AM - System Checkpoint
RP1865: 12/13/2009 8:54:57 AM - System Checkpoint
RP1866: 12/14/2009 5:38:26 PM - System Checkpoint
RP1867: 12/15/2009 6:34:01 PM - Microsoft OneCare Protection Checkpoint
RP1868: 12/16/2009 6:39:09 PM - System Checkpoint
RP1869: 12/17/2009 10:09:47 AM - Microsoft OneCare Protection Checkpoint
RP1870: 1/4/2010 8:42:36 PM - Printer driver 'Canon MP210 series Printer' installed by OneCare.
RP1871: 1/4/2010 9:11:03 PM - Microsoft OneCare Protection Checkpoint
RP1872: 1/4/2010 10:46:43 PM - Software Distribution Service 3.0

==== Installed Programs ======================

ABC (remove only)
Ad-Aware SE Personal
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Reader 7.0.9
Adobe Shockwave Player 11
Aimersoft DVD to iPhone Converter(Build 1.1.0)
Aimersoft iPhone Converter Suite(Build 1.0.19)
Aimersoft iPhone Video Converter(Build 1.1.0)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Toolbar 2.0
AOL Uninstaller (Choose which Products to Remove)
AOLIcon
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
ATI Parental Control
AutoUpdate
AviSynth 2.5
BitZipper 5.1
Blasterball 2
Bonjour
Buccaneers Flag Screen Saver
Canon MP Navigator EX 1.0
Canon MP210 series
Canon MP210 series User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
CardRd81
CCleaner (remove only)
CCScore
Cisco Systems VPN Client 4.8.01.0300
Compatibility Pack for the 2007 Office system
Corel Paint Shop Pro Photo XI
Corel Photo Album 6
Coupon Printer for Windows
CR2
Creative MediaSource
Critical Update for Windows Media Player 11 (KB959772)
CutePDF Writer 2.6
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Game Console
Dell Photo Printer 720
Dell Photo Printer 720 Logger
Dell Support Center (Support Software)
Dell System Restore
DellSupport
Digital Content Portal
DivX
DivX Player
Dr. DivX 2.0 OSS
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDx
EarthLink setup files
EducateU
EPSON EPIC
EPSON Printer Software
ERUNT 1.1j
ESPNMotion
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
ESSTUTOR
ESSvpaht
ESSvpot
FREE Hi-Q Recorder 1.92
Free Video to iPhone Converter version 2.1
FrostWire 4.13.5
GnuWin32: Grep-2.5.4
Google Earth
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
GTOneCare
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
HLPIndex
HLPPDOCK
HLPRFO
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
ImgBurn (Remove Only)
Inspiration 8
Intel(R) 537EP V9x DF PCI Modem
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
iPhone Configuration Utility
iPod for Windows 2005-09-23
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Jasc Animation Shop 3
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 17
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Kodak EasyShare software
KSU
Learn2 Player (Uninstall Only)
LEGO Island 2
LEGO Racers
LEGO Racers 2
Macromedia Flash Player
Malwarebytes' Anti-Malware
McDougal Littell EasyPlanner
MCU
Media Center Extender
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Basic Edition 2003
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Protection Service
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Live OneCare Resources v2.5.2900.28
Microsoft Windows OneCare Live AntiSpyware and AntiVirus
Microsoft Windows OneCare Live v2.5.2900.20 Idcrl Install
Microsoft Windows OneCare Live v2.5.2900.28
MobileMe Control Panel
Move Networks Media Player for Internet Explorer
Moyea YouTube FLV Downloader version: 3.1.2.0
MSN
MSN Toolbar
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Musicmatch for Windows Media Player
Netflix Movie Viewer
Network Magic
NetZeroInstallers
Notifier
OpenOffice.org Installer 1.0
Oracle JInitiator 1.3.1.26
Orb
Orb Runtime libraries
OTtBP
OTtBPSDK
Otto
Palm Desktop by ACCESS
Photo Story 3 for Windows
Polar Bowler
Poster Forge 1.01
PowerDVD 5.5
Pure Networks Platform
PX Engine
QuickBooks Simple Start Special Edition
QuickTime
RealPlayer Basic
RipIt4Me
Safari
ScanSoft OmniPage SE 4
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SFR
SHASTA
Shrek 2 Ogre Bowler
Sim File Maid 2 1.0.2
SimPE 0.64 (alpha)
SKIN0001
SKINXSDK
Sonic DLA
Sonic Encoders
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sony Ericsson PC Suite 1.10.21
Sothink FLV Player
Sound Blaster Live! 24-bit
Spybot - Search & Destroy
The Sims 2
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 Pets
The Sims 2 University
The Sims™ 2 Bon Voyage
The Sims™ 2 FreeTime
The Sims™ 2 Seasons
ThinkWave Educator 2.6.1X
TimeLiner 5.0
Uninstall 1.0.0.1
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
VPRINTOL
WebCyberCoach 3.2 Dell
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare
Windows Live OneCare safety scanner
Windows Media Connect
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Vista Upgrade Advisor
Windows XP Media Center Edition 2005 KB905589
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
Wine Label - Classic Studio Templates (R4)
Wine Label 3.0 (r6)
WinRAR archiver
WinX DVD Ripper 4.1.2
WinZip 11.1
WinZip Self-Extractor
WIRELESS
XLink Kai Evolution 7
Xvid 1.1.3 final uninstall
XviD MPEG4 Video Codec (remove only)

==== Event Viewer Messages From Past Week ========

1/5/2010 1:39:04 PM, error: OneCareMP [1008] - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Alureon.F&threatid=2147629654 Scan ID: {11F0C863-E08B-4769-9B9E-E62DC296D357} Scan Type: AntiMalware User: NT AUTHORITY\SYSTEM Name: Virus:Win32/Alureon.F ID: 2147629654 Severity: Severe Category: Virus Path: Action: Clean Error Code: 0x80508025 Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
1/5/2010 1:39:04 PM, error: OneCareMP [1008] - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Alureon.F&threatid=2147629654 Scan ID: {11F0C863-E08B-4769-9B9E-E62DC296D357} Scan Type: AntiMalware User: NT AUTHORITY\SYSTEM Name: Virus:Win32/Alureon.F ID: 2147629654 Severity: Severe Category: Virus Path: Action: Clean Error Code: 0x80508025 Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
1/5/2010 1:39:04 PM, error: OneCareMP [1008] - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Alureon.F&threatid=2147629654 Scan ID: {11F0C863-E08B-4769-9B9E-E62DC296D357} Scan Type: AntiMalware User: NT AUTHORITY\SYSTEM Name: Virus:Win32/Alureon.F ID: 2147629654 Severity: Severe Category: Virus Path: Action: Clean Error Code: 0x80508025 Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
1/4/2010 9:11:03 PM, error: OneCareMP [1008] - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Alureon.F&threatid=2147629654 Scan ID: {522C578D-3F61-4FE1-839F-5BE7B0D6E6EA} Scan Type: AntiMalware User: FAMILY\Debbie Name: Virus:Win32/Alureon.F ID: 2147629654 Severity: Severe Category: Virus Path: Action: Clean Error Code: 0x80508025 Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
1/4/2010 9:11:03 PM, error: OneCareMP [1008] - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Alureon.F&threatid=2147629654 Scan ID: {522C578D-3F61-4FE1-839F-5BE7B0D6E6EA} Scan Type: AntiMalware User: FAMILY\Debbie Name: Virus:Win32/Alureon.F ID: 2147629654 Severity: Severe Category: Virus Path: Action: Clean Error Code: 0x80508025 Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
1/4/2010 9:11:03 PM, error: OneCareMP [1008] - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Alureon.F&threatid=2147629654 Scan ID: {522C578D-3F61-4FE1-839F-5BE7B0D6E6EA} Scan Type: AntiMalware User: FAMILY\Debbie Name: Virus:Win32/Alureon.F ID: 2147629654 Severity: Severe Category: Virus Path: Action: Clean Error Code: 0x80508025 Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
1/4/2010 8:43:22 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Software Updater service to connect.
1/4/2010 8:42:02 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service gusvc with arguments "" in order to run the server: {89DAE4CD-9F17-4980-902A-99BA84A8F5C8}
1/4/2010 8:37:49 PM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The system cannot find the file specified.
1/4/2010 8:36:18 PM, error: ati2mtag [45062] - CRT invalid display type
1/4/2010 11:26:04 PM, error: OneCareMP [1008] - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Alureon.F&threatid=2147629654 Scan ID: {EDC5DCF6-B032-46A1-900E-31712B9C93C4} Scan Type: AntiMalware User: NT AUTHORITY\SYSTEM Name: Virus:Win32/Alureon.F ID: 2147629654 Severity: Severe Category: Virus Path: Action: Clean Error Code: 0x80508025 Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
1/4/2010 11:26:04 PM, error: OneCareMP [1008] - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Alureon.F&threatid=2147629654 Scan ID: {EDC5DCF6-B032-46A1-900E-31712B9C93C4} Scan Type: AntiMalware User: NT AUTHORITY\SYSTEM Name: Virus:Win32/Alureon.F ID: 2147629654 Severity: Severe Category: Virus Path: Action: Clean Error Code: 0x80508025 Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
1/4/2010 11:26:04 PM, error: OneCareMP [1008] - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Alureon.F&threatid=2147629654 Scan ID: {EDC5DCF6-B032-46A1-900E-31712B9C93C4} Scan Type: AntiMalware User: NT AUTHORITY\SYSTEM Name: Virus:Win32/Alureon.F ID: 2147629654 Severity: Severe Category: Virus Path: Action: Clean Error Code: 0x80508025 Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
1/4/2010 10:52:47 PM, error: OneCareMP [1008] - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Alureon.F&threatid=2147629654 Scan ID: {0F8ACF9E-A787-421D-AD50-2E4696B02391} Scan Type: AntiMalware User: NT AUTHORITY\SYSTEM Name: Virus:Win32/Alureon.F ID: 2147629654 Severity: Severe Category: Virus Path: Action: Clean Error Code: 0x80508025 Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
1/4/2010 10:52:47 PM, error: OneCareMP [1008] - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Alureon.F&threatid=2147629654 Scan ID: {0F8ACF9E-A787-421D-AD50-2E4696B02391} Scan Type: AntiMalware User: NT AUTHORITY\SYSTEM Name: Virus:Win32/Alureon.F ID: 2147629654 Severity: Severe Category: Virus Path: Action: Clean Error Code: 0x80508025 Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
1/4/2010 10:52:47 PM, error: OneCareMP [1008] - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Alureon.F&threatid=2147629654 Scan ID: {0F8ACF9E-A787-421D-AD50-2E4696B02391} Scan Type: AntiMalware User: NT AUTHORITY\SYSTEM Name: Virus:Win32/Alureon.F ID: 2147629654 Severity: Severe Category: Virus Path: Action: Clean Error Code: 0x80508025 Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
1/4/2010 10:46:05 PM, error: OneCareMP [3006] - Windows OneCare Live Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Alureon.F&threatid=2147629654 Scan ID: {4C586835-60F4-436A-B98B-235C17C4E38A} User: FAMILY\Debbie Name: Virus:Win32/Alureon.F ID: 2147629654 Severity: Severe Category: Virus Path: Alert Type: Action: Clean Error Code: 0x80508025 Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.

==== End Of File ===========================

Blade81
2010-01-06, 10:38
Hi,

Start MBAM, update its definitions on update tab and then run a quick scan (let it remove its findings). Post back the report.

Unselect these in GMER options before trying the scan: sections & devices. Also, make sure protection software is disabled.

Blade81
2010-01-12, 17:48
Hi,

Are you still there?

Blade81
2010-01-19, 21:43
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.