Tasker exe Trojan virus issue
Hello,
Tasker exe Trojan virus that was not removed by Anti-malware
I still have a tasker exe Trojan virus. Anti-Malware did not remove.
Any help would greatly be appreciated
Thank you
Luebs
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by John Luebbers at 13:48:38 on 2011-10-03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1305 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\JOHNLU~1\LOCALS~1\Temp\acd\tasker.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1292535005390
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{44C4E563-24F1-41FA-A1A3-B9EC8A50ECD2} : DhcpNameServer = 209.18.47.61 209.18.47.62
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-17 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-17 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-17 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-17 66616]
S3 DSB650TX;D-Link DSB-650TX USB 10/100 Ethernet Adapter;c:\windows\system32\drivers\DSB650TX.sys [2010-12-16 26958]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2007-7-27 14336]
.
=============== Created Last 30 ================
.
2011-10-01 21:14:40 452418 ----a-w- c:\documents and settings\john luebbers\application data\4.exe
2011-10-01 21:02:45 452418 ----a-w- c:\documents and settings\john luebbers\application data\1.exe
2011-10-01 20:56:43 452418 ----a-w- c:\documents and settings\john luebbers\application data\2.exe
2011-10-01 17:55:05 245760 ----a-w- c:\documents and settings\john luebbers\application data\C.tmp
2011-10-01 17:55:02 452418 ----a-w- c:\documents and settings\john luebbers\application data\B.exe
2011-10-01 17:07:36 -------- d-----w- c:\windows\system32\Win64
2011-09-26 22:48:49 -------- d-----w- c:\program files\iPod
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 15:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20:54 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-05 22:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 22:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-07-05 20:05:36 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
.
============= FINISH: 13:50:02.51 ===============
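The DDS log above is the kind of report a forum helper reads by eye. The following is an added example (my code, not part of this thread or of the DDS tool) that parses the "Running Processes" and "Created Last 30" sections and applies the triage heuristics a reviewer applies to such a log: process images running from Temp or Application Data, throwaway names like 4.exe or C.tmp, several new executables of identical size (a sign of one dropper written repeatedly), and new directories under system32. The sample log is a constructed excerpt of the lines quoted in this thread.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt of the DDS log posted above (not a complete log).
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\DOCUME~1\JOHNLU~1\LOCALS~1\Temp\acd\tasker.exe
C:\WINDOWS\system32\wscntfy.exe
.
=============== Created Last 30 ================
.
2011-10-01 21:14:40 452418 ----a-w- c:\documents and settings\john luebbers\application data\4.exe
2011-10-01 21:02:45 452418 ----a-w- c:\documents and settings\john luebbers\application data\1.exe
2011-10-01 17:55:05 245760 ----a-w- c:\documents and settings\john luebbers\application data\C.tmp
2011-10-01 17:55:02 452418 ----a-w- c:\documents and settings\john luebbers\application data\B.exe
2011-10-01 17:07:36 -------- d-----w- c:\windows\system32\Win64
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
.
==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.*)$")
# Directories an unprivileged process (or a browser exploit) can write to.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\", "\\appdata\\")
# Droppers frequently use throwaway names such as 1.exe, B.exe, C.tmp.
THROWAWAY_NAME = re.compile(r"^[0-9a-z]{1,2}\.(exe|tmp|dll)$", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".tmp", ".sys", ".scr")


@dataclass(frozen=True)
class Finding:
    section: str
    path: str
    reason: str


def parse_dds(text):
    """Split a DDS log into {section name: [non-empty lines]}; '.' spacer lines are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line and line != ".":
            sections[current].append(line)
    return sections


def _in_user_writable(path):
    p = path.lower()
    return any(tag in p for tag in USER_WRITABLE)


def triage_dds(text):
    """Return Findings for the entries in a DDS log that deserve a closer look."""
    findings = []
    sections = parse_dds(text)

    # 1. Running processes whose image lives in a temp or profile directory.
    for line in sections.get("Running Processes", []):
        exe = line.split(" -k ")[0].strip()  # drop svchost service-group arguments
        if _in_user_writable(exe):
            findings.append(Finding("Running Processes", exe,
                                    "process image in user-writable temp/profile directory"))

    # 2. Recently created files: parse "timestamp size attrs path" rows.
    created = [m.groups() for m in map(CREATED_RE.match,
                                       sections.get("Created Last 30", [])) if m]
    exe_sizes = Counter(size for _, size, _, path in created if path.lower().endswith(".exe"))
    for _, size, attrs, path in created:
        name = path.rstrip("\\").rsplit("\\", 1)[-1]
        lower = path.lower()
        is_dir = attrs.startswith("d")
        reasons = []
        if not is_dir and lower.endswith(EXEC_EXT) and _in_user_writable(path):
            reasons.append("new executable in user-writable profile directory")
        if THROWAWAY_NAME.match(name):
            reasons.append("throwaway numeric/one-letter filename")
        if not is_dir and lower.endswith(".exe") and exe_sizes[size] > 1:
            reasons.append(f"same size ({size} bytes) as {exe_sizes[size] - 1} other new .exe")
        if is_dir and "\\windows\\system32\\" in lower:
            reasons.append("new directory created under system32")
        findings.extend(Finding("Created Last 30", path, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.section}] {f.path}\n    -> {f.reason}")
```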
Dakeyras
2011-10-05, 16:14
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.
If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.
Hi and welcome back to Safer Networking. :)
I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:
I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine!
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Refrain from running self fixes as this will hinder the malware removal process.
It may prove beneficial if you print off the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Before we start:
Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
Because of this, I advise you to backup any personal files and folders before you start.
Next:
Out of date Adobe and Java installations pose a security risk. They can be used by malware as a means to infect a computer and or re-infect. We will update both in due course.
Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):
Adobe Reader X
Java(TM) 6 Update 23
To do so, click once on each of the above in turn to highlight and then click on the Remove button.
Reset SP3 Firewall:
Click on Start >> Run... and cut/paste in the following and click on OK
firewall.cpl
Click on the Advanced tab >> Restore Defaults >> At the prompt click on Yes >> OK
Now click on the General tab >> select On(recommended) >> OK.
Scan With RKUnHooker:
Please Download Rootkit Unhooker (http://www.kernelmode.info/ARKs/RKUnhookerLE.EXE) Save it to your desktop.
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest. then Click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.
Note: You may get this warning it is ok, just ignore it:
"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"
When completed the above, please post back the following in the order asked for:
How is your computer performing now, any further symptoms and or problems encountered?
RKUnHooker Log.
A new DDS Log.
Hi Dakeyras,
Thank you so much for taking the time to assist me with my issues.
When I try to paste or try to attach the Rootkit it says it is too big. Any thoughts? I have the DDS log below
Let me know what you think.
Thanks again!
Luebs
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by John Luebbers at 17:11:27 on 2011-10-05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1306 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1292535005390
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{44C4E563-24F1-41FA-A1A3-B9EC8A50ECD2} : DhcpNameServer = 209.18.47.61 209.18.47.62
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-17 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-17 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-17 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-17 66616]
S3 DSB650TX;D-Link DSB-650TX USB 10/100 Ethernet Adapter;c:\windows\system32\drivers\DSB650TX.sys [2010-12-16 26958]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2007-7-27 14336]
.
=============== Created Last 30 ================
.
2011-10-05 20:39:49 249856 ----a-w- c:\documents and settings\john luebbers\application data\1.tmp
2011-10-03 19:39:33 253952 ----a-w- c:\documents and settings\john luebbers\application data\D.tmp
2011-10-01 21:14:40 452418 ----a-w- c:\documents and settings\john luebbers\application data\4.exe
2011-10-01 21:02:45 452418 ----a-w- c:\documents and settings\john luebbers\application data\1.exe
2011-10-01 20:56:43 452428 ----a-w- c:\documents and settings\john luebbers\application data\2.exe
2011-10-01 17:55:05 245760 ----a-w- c:\documents and settings\john luebbers\application data\C.tmp
2011-10-01 17:55:02 452418 ----a-w- c:\documents and settings\john luebbers\application data\B.exe
2011-10-01 17:07:36 -------- d-----w- c:\windows\system32\Win64
2011-09-26 22:48:49 -------- d-----w- c:\program files\iPod
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 15:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20:54 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
============= FINISH: 17:12:44.79 ===============
Dakeyras,
My computer is working much much slower now.
I also keep getting the attached message
Thanks
Luebs
Dakeyras
2011-10-06, 09:39
Hi. :)
Thank you so much for taking the time to assist me with my issues.
You're welcome!
When I try to paste or try to attach the Rootkit it says it is too big.
Have you tried sending the log to a Zipfile? If not please do so and then check if it is small enough to attach, thank you.
My computer is working much much slower now.
I also keep getting the attached message
OK and thanks for the update.
Scan with RogueKiller:
Please download RogueKiller (http://www.sur-la-toile.com/RogueKiller/) to your desktop
Alternate download is here (http://www.geekstogo.com/forum/files/file/413-roguekiller/).
Quit all running programs
Double-click on RogueKiller.exe to start the application.
When prompted, type 1 and then Enter.
The RKreport.txt shall be generated next to the executable.
If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next reply.
Greetings Dakeyras,
I did try to zip and the file was still too big. :sad:
Any thoughts?
Here are the RogueKiller results.
Thanks again. Hope you are having a good day!
Luebs
RogueKiller V6.1.1 [09/28/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: John Luebbers [Admin rights]
Mode: Scan -- Date : 10/06/2011 14:35:54
Bad processes: 0
Registry Entries: 1
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
Particular Files / Folders:
Driver: [LOADED]
S_SSDT[552] : Unknown -> HOOKED (Unknown @ 0xBA7AA2A5)
S_SSDT[549] : Unknown -> HOOKED (Unknown @ 0xBA7AA2A0)
HOSTS File:
Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt
Dakeyras
2011-10-07, 00:34
Hi. :)
I did try to zip and the file was still too big. :sad:
Any thoughts?
Maybe you did not quite run the scan as I outlined by genuine mistake and or just one of them things and the log is just very large (it happens upon occasion). OK as it stands not a problem as I have enough information from the RogueKiller scan.
Thanks again. Hope you are having a good day!
You're welcome and indeed I am thank you!
Download/Run ComboFix:
Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs (http://www.bleepingcomputer.com/forums/topic114351.html) <-- Click on this link.
Please include the C:\ComboFix.txt in your next reply for further review.
Note: If ComboFix detects Rootkit activity and asks to reboot the system, please allow this to be done... If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart (reboot) the computer immediately.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix Should Not be used unless requested by a forum helper
When completed the above, please post back the following in the order asked for:
How is your computer performing now, any other symptoms and or problems encountered?
ComboFix Log.
A new DDS Log.
Hello Dakeyras
Hope you are having a good weekend!
The computer is working faster but I am getting an error when I start up. I attached one error attachment along with a message when I ran Combofix
Combofix log is attached along with new DDS.
Thanks again for all your help
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by John Luebbers at 19:23:38 on 2011-10-08
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1336 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1292535005390
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{44C4E563-24F1-41FA-A1A3-B9EC8A50ECD2} : DhcpNameServer = 209.18.47.61 209.18.47.62
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-17 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-17 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-17 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-17 66616]
S3 DSB650TX;D-Link DSB-650TX USB 10/100 Ethernet Adapter;c:\windows\system32\drivers\DSB650TX.sys [2010-12-16 26958]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 TrueSight;TrueSight;c:\documents and settings\john luebbers\desktop\TrueSight.sys [2011-10-6 111104]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2007-7-27 14336]
.
=============== Created Last 30 ================
.
2011-10-08 23:09:36 17639 ----a-w- c:\documents and settings\john luebbers\application data\13.exe
2011-09-26 22:48:49 -------- d-----w- c:\program files\iPod
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 15:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20:54 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
.
============= FINISH: 19:24:48.73 ===============
Dakeyras
2011-10-09, 15:38
Hi. :)
Hope you are having a good weekend!
Fine thank you and likewise!
I am getting an error when I start up. I attached an error attachment along with a message when I ran ComboFix
OK, we should be able to deal with the first error, but unfortunately I am unable to fully view the second. So what we will do is scan your machine with a different application so I can better ascertain what is going on before anything further, as follows...
Scan with OTL:
Please download OTL (http://oldtimer.geekstogo.com/OTL.exe) and save it to your Desktop.
Alternate downloads are here (http://oldtimer.geekstogo.com/OTL.com) and here (http://oldtimer.geekstogo.com/OTL.scr).
Double-click on OTL.exe to start OTL.
Under Output, ensure that Minimal Output is selected.
Under Extra Registry section, select Use SafeList.
Click the Scan All Users checkbox.
Click on Run Scan at the top left hand corner.
When done, two Notepad files will open.
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized
Please post the contents of these 2 Notepad files in your next reply.
When completed the above, please post back the following in the order asked for:
How is your computer performing now, any further symptoms and or problems encountered?
Both OTL logs. <-- Post them individually please, i.e. one log per post/reply.
Hello Dakeyras
I have not used this computer since our last communication until now running OTL. I will check it out after my posts
Here is OTL
Thank You!
Luebs
Dakeyras
Here is the extra attachment. Thanks again for all your support!
Dakeyras
2011-10-12, 11:32
Hi. :)
Thanks again for all your support!
You're welcome! In future no need to attach any logs I request unless I specify otherwise. Just post them please, thank you.
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.
Click on Start >> Run... (or the Windows key and R together) to bring up the Run box and copy and paste in:
"C:\Program Files\ERUNT\ERUNT.EXE" %SystemRoot%\ERDNT\OTL-backup
and click on OK.
Custom OTL Script:
Double-click OTL.exe to start the program.
Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:OTL
IE - HKU\S-1-5-21-1993962763-1715567821-839522115-1003\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\John Luebbers\Start Menu\Programs\Startup\wt4.exe ()
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
[2 C:\Documents and Settings\John Luebbers\Application Data\*.tmp files -> C:\Documents and Settings\John Luebbers\Application Data\*.tmp -> ]
[2011/10/10 15:23:14 | 000,448,171 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Application Data\2.exe
[2011/10/09 16:14:58 | 000,448,171 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Application Data\4.exe
[2011/10/08 21:16:43 | 000,448,171 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Application Data\22.exe
[2011/10/08 21:13:42 | 000,017,639 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Application Data\1F.exe
[2011/10/08 19:09:36 | 000,017,639 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Application Data\13.exe
[2011/10/06 14:38:31 | 000,111,104 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Desktop\TrueSight.sys
[2011/10/05 17:47:10 | 000,058,665 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Desktop\Maleware.zip
[2011/10/05 17:45:23 | 000,599,867 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Desktop\Maleware.rtf
[2011/10/05 17:42:47 | 000,050,688 | ---- | M] () -- C:\Documents and Settings\John Luebbers\My Documents\Maleware.wps
:Files
ipconfig /flushdns /c
%systemroot%\prefetch\*.*
C:\Documents and Settings\John Luebbers\Local Settings\temp\acd
:Commands
[Purity]
[ResetHosts]
[EmptyTemp]
[CreateRestorePoint]
[Reboot]
Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
Then click the red Run Fix button.
Let the program run unhindered.
If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
Note: The logfile can also be located at C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.
Malwarebytes Anti-Malware:
Launch the application, Check for Updates >> Perform quick scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
When completed the above, please post back the following in the order asked for:
How is your computer performing now, any further symptoms and or problems encountered?
OTL Log from the Custom Script.
Malwarebytes Anti-Malware Log.
Dakeyras
Computer seems to be working better
All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-1993962763-1715567821-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\\{472734EA-242A-422b-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422b-ADF8-83D1E48CC825}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk moved successfully.
C:\Program Files\ERUNT\AUTOBACK.EXE moved successfully.
C:\Documents and Settings\John Luebbers\Start Menu\Programs\Startup\wt4.exe moved successfully.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
C:\Documents and Settings\John Luebbers\Application Data\1.tmp deleted successfully.
C:\Documents and Settings\John Luebbers\Application Data\17.tmp deleted successfully.
C:\Documents and Settings\John Luebbers\Application Data\3.tmp deleted successfully.
C:\Documents and Settings\John Luebbers\Application Data\33.tmp deleted successfully.
C:\Documents and Settings\John Luebbers\Application Data\7.tmp deleted successfully.
C:\Documents and Settings\John Luebbers\Application Data\2.exe moved successfully.
C:\Documents and Settings\John Luebbers\Application Data\4.exe moved successfully.
C:\Documents and Settings\John Luebbers\Application Data\22.exe moved successfully.
C:\Documents and Settings\John Luebbers\Application Data\1F.exe moved successfully.
C:\Documents and Settings\John Luebbers\Application Data\13.exe moved successfully.
C:\Documents and Settings\John Luebbers\Desktop\TrueSight.sys moved successfully.
C:\Documents and Settings\John Luebbers\Desktop\Maleware.zip moved successfully.
C:\Documents and Settings\John Luebbers\Desktop\Maleware.rtf moved successfully.
C:\Documents and Settings\John Luebbers\My Documents\Maleware.wps moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\John Luebbers\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\John Luebbers\Desktop\cmd.txt deleted successfully.
C:\WINDOWS\prefetch\2.EXE-02345D5E.pf moved successfully.
C:\WINDOWS\prefetch\3.EXE-04039925.pf moved successfully.
C:\WINDOWS\prefetch\4.EXE-35C7F51B.pf moved successfully.
C:\WINDOWS\prefetch\5.EXE-1936E897.pf moved successfully.
C:\WINDOWS\prefetch\A5053DA8.EXE-32474650.pf moved successfully.
C:\WINDOWS\prefetch\ALG.EXE-0F138680.pf moved successfully.
C:\WINDOWS\prefetch\ATTRIB.3XE-09E9D153.pf moved successfully.
C:\WINDOWS\prefetch\ATTRIB.3XE-10E166FB.pf moved successfully.
C:\WINDOWS\prefetch\ATTRIB.EXE-39EAFB02.pf moved successfully.
C:\WINDOWS\prefetch\AUTOBACK.EXE-14D36A86.pf moved successfully.
C:\WINDOWS\prefetch\AVNOTIFY.EXE-05ED5FD8.pf moved successfully.
C:\WINDOWS\prefetch\AVSCAN.EXE-07FC469C.pf moved successfully.
C:\WINDOWS\prefetch\AVWSC.EXE-0283F9DD.pf moved successfully.
C:\WINDOWS\prefetch\CCLEANER.EXE-0BCE437C.pf moved successfully.
C:\WINDOWS\prefetch\CF30874.3XE-08A56C19.pf moved successfully.
C:\WINDOWS\prefetch\CHCP.COM-18156052.pf moved successfully.
C:\WINDOWS\prefetch\CMD.3XE-32EEC145.pf moved successfully.
C:\WINDOWS\prefetch\CMD.EXE-087B4001.pf moved successfully.
C:\WINDOWS\prefetch\COMBOFIX-DOWNLOAD.3XE-28648E1C.pf moved successfully.
C:\WINDOWS\prefetch\COMBOFIX.EXE-039C43A3.pf moved successfully.
C:\WINDOWS\prefetch\CSCRIPT.3XE-1AD11928.pf moved successfully.
C:\WINDOWS\prefetch\CSCRIPT.EXE-1C26180C.pf moved successfully.
C:\WINDOWS\prefetch\DDS[1].SCR-07CCB91D.pf moved successfully.
C:\WINDOWS\prefetch\DDS[1].SCR-3A2C7FD2.pf moved successfully.
C:\WINDOWS\prefetch\DEFRAG.EXE-273F131E.pf moved successfully.
C:\WINDOWS\prefetch\DFRGNTFS.EXE-269967DF.pf moved successfully.
C:\WINDOWS\prefetch\DUMPREP.EXE-1B46F901.pf moved successfully.
C:\WINDOWS\prefetch\DWWIN.EXE-30875ADC.pf moved successfully.
C:\WINDOWS\prefetch\E26AFD46.EXE-26BB194F.pf moved successfully.
C:\WINDOWS\prefetch\EMHOHS.EXE-2C1D521A.pf moved successfully.
C:\WINDOWS\prefetch\ERUNT-SETUP.EXE-1D13226E.pf moved successfully.
C:\WINDOWS\prefetch\ERUNT.EXE-10F447C7.pf moved successfully.
C:\WINDOWS\prefetch\FIND.EXE-0EC32F1E.pf moved successfully.
C:\WINDOWS\prefetch\FINDSTR.EXE-0CA6274B.pf moved successfully.
C:\WINDOWS\prefetch\FLASHUTIL10R_ACTIVEX.EXE-1A2E5C1D.pf moved successfully.
C:\WINDOWS\prefetch\FXSSVC.EXE-3B8F7819.pf moved successfully.
C:\WINDOWS\prefetch\GREP.3XE-0FD7DFD4.pf moved successfully.
C:\WINDOWS\prefetch\GREP.3XE-254D6273.pf moved successfully.
C:\WINDOWS\prefetch\GSAR.3XE-1971B17C.pf moved successfully.
C:\WINDOWS\prefetch\GUARDGUI.EXE-00ECD849.pf moved successfully.
C:\WINDOWS\prefetch\HANDLE.3XE-10DA2EFC.pf moved successfully.
C:\WINDOWS\prefetch\HELPSVC.EXE-2878DDA2.pf moved successfully.
C:\WINDOWS\prefetch\HIDEC.3XE-111262DC.pf moved successfully.
C:\WINDOWS\prefetch\HIDEC.3XE-2D8618DD.pf moved successfully.
C:\WINDOWS\prefetch\HSBCA.EXE-19EC324E.pf moved successfully.
C:\WINDOWS\prefetch\ICRDCLL.EXE-23A46A26.pf moved successfully.
C:\WINDOWS\prefetch\IEXPLORE.EXE-0A31FE70.pf moved successfully.
C:\WINDOWS\prefetch\IEXPLORE.EXE-12915967.pf moved successfully.
C:\WINDOWS\prefetch\IEXPLORE.EXE-12BBAE74.pf moved successfully.
C:\WINDOWS\prefetch\IEXPLORE.EXE-27122324.pf moved successfully.
C:\WINDOWS\prefetch\IFRMEWRK.EXE-32B41199.pf moved successfully.
C:\WINDOWS\prefetch\IMAPI.EXE-0BF740A4.pf moved successfully.
C:\WINDOWS\prefetch\IPODSERVICE.EXE-3192DE38.pf moved successfully.
C:\WINDOWS\prefetch\IS-7G466.TMP-396AE5E3.pf moved successfully.
C:\WINDOWS\prefetch\IWRAP.EXE-082C3803.pf moved successfully.
C:\WINDOWS\prefetch\JAUREG.EXE-009F59AE.pf moved successfully.
C:\WINDOWS\prefetch\JAVAW.EXE-2DC32ABC.pf moved successfully.
C:\WINDOWS\prefetch\JQS.EXE-1D781F77.pf moved successfully.
C:\WINDOWS\prefetch\Layout.ini moved successfully.
C:\WINDOWS\prefetch\LOGONUI.EXE-0AF22957.pf moved successfully.
C:\WINDOWS\prefetch\MBAM.EXE-0BEE0439.pf moved successfully.
C:\WINDOWS\prefetch\MBR.DAT-037D4AC1.pf moved successfully.
C:\WINDOWS\prefetch\MBR.DAT-35800A8F.pf moved successfully.
C:\WINDOWS\prefetch\MSI21.TMP-2C01F87B.pf moved successfully.
C:\WINDOWS\prefetch\MSIEXEC.EXE-2F8A8CAE.pf moved successfully.
C:\WINDOWS\prefetch\MSIMN.EXE-38BA891D.pf moved successfully.
C:\WINDOWS\prefetch\MSOHELP.EXE-1D219C01.pf moved successfully.
C:\WINDOWS\prefetch\NIRCMD.3XE-0A841DB5.pf moved successfully.
C:\WINDOWS\prefetch\NIRCMD.3XE-117BB35D.pf moved successfully.
C:\WINDOWS\prefetch\NIRCMDB.EXE-137B12EA.pf moved successfully.
C:\WINDOWS\prefetch\NIRCMDC.3XE-03B38F81.pf moved successfully.
C:\WINDOWS\prefetch\NOTEPAD.EXE-336351A9.pf moved successfully.
C:\WINDOWS\prefetch\NS9.TMP-2A89F400.pf moved successfully.
C:\WINDOWS\prefetch\NTOSBOOT-B00DFAAD.pf moved successfully.
C:\WINDOWS\prefetch\PEV.3XE-21FD478C.pf moved successfully.
C:\WINDOWS\prefetch\PEV.3XE-358EBDB6.pf moved successfully.
C:\WINDOWS\prefetch\PEV.DAT-1E96AF6F.pf moved successfully.
C:\WINDOWS\prefetch\PEV.DAT-3830FCB5.pf moved successfully.
C:\WINDOWS\prefetch\PEV.EXE-0806C34B.pf moved successfully.
C:\WINDOWS\prefetch\PEV.EXE-0CE2BF4A.pf moved successfully.
C:\WINDOWS\prefetch\PING.3XE-3020DEAF.pf moved successfully.
C:\WINDOWS\prefetch\PING.EXE-31216D26.pf moved successfully.
C:\WINDOWS\prefetch\POWERPNT.EXE-2F940E7E.pf moved successfully.
C:\WINDOWS\prefetch\PV.3XE-1C242CC7.pf moved successfully.
C:\WINDOWS\prefetch\QTTASK.EXE-342507FB.pf moved successfully.
C:\WINDOWS\prefetch\REGSVR32.EXE-25EEFE2F.pf moved successfully.
C:\WINDOWS\prefetch\RKUNHOOKERLE.EXE-0BD47249.pf moved successfully.
C:\WINDOWS\prefetch\RMBR.3XE-3AAE61A2.pf moved successfully.
C:\WINDOWS\prefetch\ROGUEKILLER.EXE-118CA665.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-1857459C.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-27538162.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-298E60C3.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-2CD85FD3.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-2EC34910.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-31610E45.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-483E13BB.pf moved successfully.
C:\WINDOWS\prefetch\SEARCHFILTERHOST.EXE-148579FB.pf moved successfully.
C:\WINDOWS\prefetch\SEARCHPROTOCOLHOST.EXE-34E0253A.pf moved successfully.
C:\WINDOWS\prefetch\SED.3XE-35CB81F4.pf moved successfully.
C:\WINDOWS\prefetch\SED.3XE-370DAEC3.pf moved successfully.
C:\WINDOWS\prefetch\SED.DAT-126AF303.pf moved successfully.
C:\WINDOWS\prefetch\SED.DAT-1F97CCCB.pf moved successfully.
C:\WINDOWS\prefetch\SKYPE.EXE-30AE1A60.pf moved successfully.
C:\WINDOWS\prefetch\SORT.EXE-194AE83C.pf moved successfully.
C:\WINDOWS\prefetch\SVCHOST.EXE-3530F672.pf moved successfully.
C:\WINDOWS\prefetch\SWREG.3XE-20CC4D60.pf moved successfully.
C:\WINDOWS\prefetch\SWREG.3XE-2965A2D9.pf moved successfully.
C:\WINDOWS\prefetch\SWREG.DAT-138F6A32.pf moved successfully.
C:\WINDOWS\prefetch\SWREG.DAT-1DFF5C49.pf moved successfully.
C:\WINDOWS\prefetch\SWSC.3XE-3AE13307.pf moved successfully.
C:\WINDOWS\prefetch\SWXCACLS.3XE-2D6ED659.pf moved successfully.
C:\WINDOWS\prefetch\SWXCACLS.3XE-392ED218.pf moved successfully.
C:\WINDOWS\prefetch\TASKED.EXE-325235E6.pf moved successfully.
C:\WINDOWS\prefetch\TASKKILL.EXE-0A8306E3.pf moved successfully.
C:\WINDOWS\prefetch\UNSECAPP.EXE-1A95A33B.pf moved successfully.
C:\WINDOWS\prefetch\UPDATE.EXE-2577D203.pf moved successfully.
C:\WINDOWS\prefetch\VERCLSID.EXE-3667BD89.pf moved successfully.
C:\WINDOWS\prefetch\WINWORD.EXE-37F6AE09.pf moved successfully.
C:\WINDOWS\prefetch\WKCALREM.EXE-23DFAF4B.pf moved successfully.
C:\WINDOWS\prefetch\WKDSTORE.EXE-397D96EA.pf moved successfully.
C:\WINDOWS\prefetch\WKGDCACH.EXE-09BEAA63.pf moved successfully.
C:\WINDOWS\prefetch\WKSCAL.EXE-10AB18FB.pf moved successfully.
C:\WINDOWS\prefetch\WKSWP.EXE-25E36596.pf moved successfully.
C:\WINDOWS\prefetch\WMIPRVSE.EXE-28F301A9.pf moved successfully.
C:\WINDOWS\prefetch\WMPLAYER.EXE-18DDEFA3.pf moved successfully.
C:\WINDOWS\prefetch\WORDPAD.EXE-24533991.pf moved successfully.
C:\WINDOWS\prefetch\WSCNTFY.EXE-1B24F5EB.pf moved successfully.
C:\WINDOWS\prefetch\WT4.EXE-0823C0E4.pf moved successfully.
C:\WINDOWS\prefetch\WUAUCLT.EXE-399A8E72.pf moved successfully.
C:\WINDOWS\prefetch\WUT3.EXE-2089B8A0.pf moved successfully.
C:\Documents and Settings\John Luebbers\Local Settings\temp\acd folder moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes
User: John Luebbers
->Temp folder emptied: 778703 bytes
->Temporary Internet Files folder emptied: 5500462 bytes
->Java cache emptied: 12846 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 503 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 0 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 6.00 mb
Restore point Set: OTL Restore Point (0)
OTL by OldTimer - Version 3.2.29.1 log created on 10122011_164440
Files\Folders moved on Reboot...
C:\Documents and Settings\John Luebbers\Local Settings\Temporary Internet Files\Content.IE5\8RU3S2P0\showthread[2].htm moved successfully.
C:\Documents and Settings\John Luebbers\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
Registry entries deleted on Reboot...
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 7905
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
10/12/2011 5:00:09 PM
mbam-log-2011-10-12 (17-00-09).txt
Scan type: Quick scan
Objects scanned: 176761
Time elapsed: 2 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\john luebbers\application data\16.exe (Trojan.Banker) -> Quarantined and deleted successfully.
c:\documents and settings\john luebbers\application data\18.exe (Trojan.Banker) -> Quarantined and deleted successfully.
c:\documents and settings\john luebbers\application data\34.exe (Trojan.Banker) -> Quarantined and deleted successfully.
c:\documents and settings\john luebbers\application data\1.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\john luebbers\application data\5.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\john luebbers\application data\6.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\john luebbers\application data\8.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\john luebbers\application data\9.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
Dakeyras
2011-10-13, 10:48
Hi. :)
Computer seems to be working better
Good...
ESET Online Scanner:
Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here (http://www.bleepingcomputer.com/forums/topic114351.html).
Please go here (http://www.eset.co.uk/Antivirus-Utilities/Online-Scanner) to run the scan...Click on: Scan Now
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox. Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
Dakeyras
I keep getting "Internet Explorer cannot display the webpage" when I click on "Please go here to run the scan...Click on: Scan Now".
Tried Googling ESET Online Scanner: got the same thing from other sites. :( Got another Avira AntiVir pop-up of a virus again too.
Thanks
Luebs
Dakeyras
2011-10-17, 14:09
Hi. :)
"Internet Explorer cannot display the webpage" when I click on
OK we will check this out shortly...
Got another Avira Antivir pop up of virus again too
Could you inform me exactly what is being detected, please?
Scan with aswMBR:
Please download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop.
Double-click the aswMBR.exe to run it
When prompted with The application can use the Avast! Free Antivirus for scanning >> select No
Now click on the Scan button to start scan
On completion of the scan click Save Log, save it to your desktop and post the contents in your next reply
Note: There will also be a file on your desktop named MBR.dat (or similar); do not delete this for now, it is an actual backup of the MBR (master boot record).
Dakeyras
OK, now this is too weird. I get the same "Internet Explorer cannot display the webpage" when I click on the aswMBR link.
If I Google it and then try the link I get the same message. I can link and Google links to other sites. Never seen anything like this.
Thoughts
Here is what the Avira says
A virus or unwanted program 'TRDrop.Softomat.AN' was found in file 'C:\System Volume Information\...\A0183915.exe'. Access to file was denied.
Dakeyras
2011-10-18, 01:53
Hi. :)
Here is what the Avira says
A virus or unwanted program 'TRDrop.Softomat.AN' was found in file 'C:\System Volume Information\...\A0183915.exe'. Access to file was denied.
Not a cause for concern, that merely denotes an infected System Restore point... which, though actually infected, can in theory still be used. Anyway, once we have your machine malware free we will be flushing all old System Restore points and creating a new clean one etc...
OK, now this is too weird. I get the same "Internet Explorer cannot display the webpage" when I click on the aswMBR link.
If I Google it and then try the link I get the same message. I can link and Google links to other sites. Never seen anything like this.
Thoughts
Indeed it is, as there is no apparent reason why, but I am wondering whether the fact that we have flushed your machine's DNS (domain name server) cache may account for it...
Though possibly malware is still the culprit, and/or a knock-on effect of prior infections. So please carry out the following, then try the ESET online scan again, thank you.
Reset IE8:
Please download this Microsoft FixIt (http://download.microsoft.com/download/3/1/7/317254BC-6C9D-4532-827A-827041404428/MicrosoftFixit50195.msi) and save it to the desktop.
Double click on MicrosoftFixit50195.exe select I Agree and click on Next.
Follow the on-screen prompts.
You may delete MicrosoftFixit50195.exe when finished and or keep it if any problems in the future with IE8.
Next time IE8 is launched you will be prompted to reapply settings again, this is normal.
Note: Any add-ons will require to be reapplied after the above reset.
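When only anti-malware vendor sites fail to load while everything else works, one of the first things a practitioner checks is the hosts file, since a dropper can pin vendor domains to loopback or to an attacker-controlled address. The following is an added example for this thread, not part of the original posts and not code from OTL, ESET or any other tool named here; the hosts content and the vendor domain list are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample hosts file for this example (not the contents of the
# machine in the thread). The Windows default is the two localhost lines;
# the entries after them model the kind of mapping that makes vendor sites
# unreachable.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1  www.eset.com eset.co.uk   # several names on one line
0.0.0.0    public.avast.com
208.73.210.6 www.malwarebytes.org
"""

# Assumed list for the example; a real check would use a maintained blocklist.
VENDOR_DOMAINS = {
    "eset.com", "eset.co.uk", "avast.com", "malwarebytes.org",
    "bleepingcomputer.com", "avira.com", "microsoft.com",
}

_ENTRY_RE = re.compile(r"^([0-9a-fA-F:.]+)\s+(.+)$")


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_number) for every mapping in a hosts file.

    Handles comments, blank lines and several hostnames per line. A leading
    byte-order mark is stripped first (assumption: some cleanup tools rewrite
    the file with one, which would otherwise hide the first entry).
    """
    entries = []
    text = text.lstrip("\ufeff")
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        ip, names = m.group(1), m.group(2).split()
        for name in names:
            entries.append((ip, name.lower(), lineno))
    return entries


def _vendor_domain(hostname: str) -> str:
    # Plain suffix match; good enough here, not a public-suffix-list lookup.
    for dom in VENDOR_DOMAINS:
        if hostname == dom or hostname.endswith("." + dom):
            return dom
    return ""


def suspicious_entries(text: str) -> List[Dict[str, object]]:
    """Flag any hosts mapping of a vendor domain.

    Loopback or 0.0.0.0 blackholes the site, which shows up in the browser as
    "cannot display the webpage"; a routable address is worse because it can
    serve a look-alike page instead.
    """
    findings = []
    for ip, name, lineno in parse_hosts(text):
        if name == "localhost":
            continue
        dom = _vendor_domain(name)
        if not dom:
            continue
        kind = "blackhole" if ip in ("127.0.0.1", "0.0.0.0", "::1") else "redirect"
        findings.append({"line": lineno, "ip": ip, "host": name,
                         "domain": dom, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

On XP the file to feed in is C:\WINDOWS\system32\drivers\etc\hosts. A clean hosts file is not proof of a clean resolver path: a poisoned DNS cache, a rogue DNS server handed out by a compromised router, or a proxy setting can produce the same symptom, which is why the helper's steps here flush DNS, reset hosts and reset IE rather than checking only one of them.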
Dakeyras
Ran Microsoft fixit then clicked on ESET
I get the same "Internet Explorer cannot display the webpage" when I click on it"
Sorry, this has become more difficult.
New thoughts?
Thanks
Luebs
Dakeyras
2011-10-19, 11:33
Hi. :)
Ran Microsoft fixit then clicked on ESET
I get the same "Internet Explorer cannot display the webpage" when I click on it"
OK.
Are you using a Router at all? Plus do you have a XP Installation CD-ROM?
Sorry this is become more difficult.
New thoughts?
Not a problem, I assure you. OK, what we will do is scan your machine with a different application to see if I can work out exactly what the current issue is, as follows... If problems arise with downloading, we will merely take a different approach again.
Also we will run a quick scan with MBAM, and if anything is removed that will also give me a better idea what is happening overall.
Malwarebytes Anti-Malware:
Note: If MBAM will neither update nor scan, merely inform me in your next reply, as that in itself will be a further indication for me.
Launch the application, Check for Updates >> Perform quick scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Scan with RSIT:
Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop. Make sure that RSIT.exe is on your Desktop before running the application!
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
log.txt will be opened maximized.
info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.
Note: Both logs can also be found in the folder rsit at the root of your hard drive, e.g. C:\rsit
When completed the above, please post back the following in the order asked for:
How is your computer performing now, any further symptoms and or problems encountered?
Answers to my questions.
Malwarebytes Anti-Malware Log.
Both RSIT logs. <-- Post them individually please, i.e. one log per post/reply.
Dakeyras
Hello, Computer working about the same.
I have been using a wireless router to connect but will be able to use a hard-wired connection when at home. I think I have an XP Installation CD-ROM at work but will not be back there until Tuesday. Heading off on a little vacation so I will not be able to communicate back with you until Tues. I am not taking this computer with me. Hope this is not an issue.
Here is
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 7985
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
10/19/2011 8:51:05 PM
mbam-log-2011-10-19 (20-51-05).txt
Scan type: Quick scan
Objects scanned: 173297
Time elapsed: 6 minute(s), 28 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\john luebbers\application data\3.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\john luebbers\application data\6.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\john luebbers\start menu\Programs\Startup\wt4.exe (Trojan.BitMiner) -> Quarantined and deleted successfully.
c:\documents and settings\john luebbers\start menu\Programs\Startup\dat.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
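The autoruns in this thread follow a recognisable pattern: short numbered or random executables under the user's Application Data, bare .exe files dropped straight into the Startup folder (wt4.exe, dat.exe), and a per-user Run key pointing at a randomly named binary in the profile. The script below, added here as an example and not code from the thread, from OTL, HijackThis or MBAM, parses O4 lines in the HijackThis/OTL style and scores each entry on those heuristics; the sample lines are constructed after the thread's entries, and the heuristics are assumptions, not a vendor signature.

```python
import re
from typing import Dict, List

# Constructed O4 lines modelled on the entries in this thread (HijackThis
# "HKxx\..\Run" form and OTL "Startup:" form); not a copy of any posted log.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized',
    r'O4 - HKCU\..\Run: [Emhohs] C:\Documents and Settings\John Luebbers\Application Data\Emhohs.exe',
    r'O4 - Startup: C:\Documents and Settings\John Luebbers\Start Menu\Programs\Startup\wt4.exe ()',
    r'O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()',
]

_RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_STARTUP_RE = re.compile(r"^O4 - Startup: (?P<path>.+?)(?: = (?P<target>.+?))? \(\)$")
# Assumed heuristics (see lead-in): 1-3 character basenames like 13.exe, 1F.exe,
# wt4.exe, dat.exe; payloads living in the roaming/local profile; bare .exe in Startup.
_JUNK_NAME_RE = re.compile(r"^[0-9a-z]{1,3}\.exe$", re.I)
_PROFILE_RE = re.compile(r"\\documents and settings\\[^\\]+\\(application data|local settings)\\", re.I)
_STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)


def executable_path(cmd: str) -> str:
    """Extract the executable from a Run value: "quoted path" args, rundll32 DLL, or bare path args."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(?i)rundll32(?:\.exe)?\s+(\S+?)(?:,|\s|$)", cmd)
    if m:  # rundll32 only hosts the DLL; the DLL is what matters
        return m.group(1)
    m = re.match(r"^(.+?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Score each O4 autorun, highest first; 'reasons' lets an analyst see why."""
    results = []
    for line in lines:
        m = _RUN_RE.match(line)
        if m:
            name, path = m.group("name"), executable_path(m.group("cmd"))
            source = m.group(1) + "\\Run"
        else:
            m = _STARTUP_RE.match(line)
            if not m:
                continue
            source = "Startup folder"
            name = m.group("path").rsplit("\\", 1)[-1]
            path = m.group("target") or m.group("path")  # .lnk: score its target
        base = path.rsplit("\\", 1)[-1]
        reasons = []
        if _PROFILE_RE.search(path):
            reasons.append("runs from the user profile (Application Data / Local Settings)")
        if _STARTUP_DIR_RE.search(path) and base.lower().endswith(".exe"):
            reasons.append("bare executable dropped in a Startup folder")
        if _JUNK_NAME_RE.match(base):
            reasons.append("very short / numeric basename")
        if source.startswith("HKCU") and not path.lower().startswith("c:\\program files"):
            reasons.append("per-user Run key outside Program Files")
        results.append({"name": name, "source": source, "path": path,
                        "score": len(reasons), "reasons": reasons})
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in triage(SAMPLE_O4_LINES):
        print(f"[{r['score']}] {r['source']:<14} {r['name']:<22} {r['path']}")
        for why in r["reasons"]:
            print("      -", why)
```

A score of zero is not a clean bill of health (legitimate software in Program Files is simply outside these rules), and a hit is a lead to verify, not a verdict; the point is to pull the Emhohs.exe and wt4.exe style entries to the top of a log with dozens of O4 lines so they get looked at first.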
Dakeyras
Logfile of random's system information tool 1.09 (written by random/random)
Run by John Luebbers at 2011-10-19 20:58:41
Microsoft Windows XP Professional Service Pack 3
System drive C: has 95 GB (62%) free of 153 GB
Total RAM: 2046 MB (70% free)
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:59:48 PM, on 10/19/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\John Luebbers\Desktop\RSIT.exe
C:\Program Files\trend micro\John Luebbers.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ˙ž127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Emhohs] C:\Documents and Settings\John Luebbers\Application Data\Emhohs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1292535005390
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} (DellSystemLite.Scanner) - http://support.dell.com/systemprofiler/DellSystemLite.CAB
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
--
End of file - 5626 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
======Registry dump======
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"=bthprops.cpl,,BluetoothAuthenticationAgent []
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-06-09 13537280]
"nwiz"=nwiz.exe /installquiet []
"NVHotkey"=nvHotkey.dll,Start []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-06-09 86016]
"IntelZeroConfig"=C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe [2009-11-03 1372160]
"IntelWireless"=C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [2009-11-03 1202448]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2011-01-03 281768]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [2011-04-20 58656]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2011-07-05 421888]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2011-08-19 421736]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2011-06-15 15141768]
"Emhohs"=C:\Documents and Settings\John Luebbers\Application Data\Emhohs.exe []
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2009-05-24 304128]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"=midimap.dll
"msacm.imaadpcm"=imaadp32.acm
"msacm.msadpcm"=msadp32.acm
"msacm.msg711"=msg711.acm
"msacm.msgsm610"=msgsm32.acm
"msacm.trspch"=tssoft32.acm
"vidc.cvid"=iccvid.dll
"VIDC.I420"=msh263.drv
"vidc.iv31"=ir32_32.dll
"vidc.iv32"=ir32_32.dll
"vidc.iv41"=ir41_32.ax
"VIDC.IYUV"=iyuv_32.dll
"vidc.mrle"=msrle32.dll
"vidc.msvc"=msvidc32.dll
"VIDC.UYVY"=msyuv.dll
"VIDC.YUY2"=msyuv.dll
"VIDC.YVU9"=tsbyuv.dll
"VIDC.YVYU"=msyuv.dll
"wavemapper"=msacm32.drv
"msacm.msg723"=msg723.acm
"vidc.M263"=msh263.drv
"vidc.M261"=msh261.drv
"msacm.msaudio1"=msaud32.acm
"msacm.sl_anet"=sl_anet.acm
"msacm.iac2"=C:\WINDOWS\system32\iac25_32.ax
"vidc.iv50"=ir50_32.dll
"msacm.l3acm"=C:\WINDOWS\system32\l3codeca.acm
"wave"=wdmaud.drv
"midi"=wdmaud.drv
"mixer"=wdmaud.drv
"MSVideo8"=VfWWDM32.dll
"wave1"=wdmaud.drv
"midi1"=wdmaud.drv
"mixer1"=wdmaud.drv
"aux"=wdmaud.drv
"wave2"=wdmaud.drv
"midi2"=wdmaud.drv
"mixer2"=wdmaud.drv
"aux1"=wdmaud.drv
"wave3"=wdmaud.drv
"midi3"=wdmaud.drv
"mixer3"=wdmaud.drv
"aux2"=wdmaud.drv
"wave4"=wdmaud.drv
"midi4"=wdmaud.drv
"mixer4"=wdmaud.drv
"aux3"=wdmaud.drv
======List of files/folders created in the last 1 month======
2011-10-19 20:58:41 ----D---- C:\rsit
2011-10-19 20:58:41 ----D---- C:\Program Files\trend micro
2011-10-17 11:29:25 ----A---- C:\Documents and Settings\John Luebbers\Application Data\1.tmp
2011-10-16 17:01:56 ----A---- C:\Documents and Settings\John Luebbers\Application Data\4.exe
2011-10-15 14:15:49 ----HDC---- C:\WINDOWS\$NtUninstallKB2564958$
2011-10-15 14:11:31 ----HDC---- C:\WINDOWS\$NtUninstallKB2567053$
2011-10-15 14:11:25 ----HDC---- C:\WINDOWS\$NtUninstallKB2592799$
2011-10-08 19:14:11 ----SHD---- C:\RECYCLER
2011-10-08 19:09:27 ----D---- C:\WINDOWS\temp
2011-10-08 19:09:24 ----A---- C:\ComboFix.txt
2011-10-05 17:42:11 ----D---- C:\Documents and Settings\John Luebbers\Application Data\Template
2011-10-05 17:42:10 ----A---- C:\Documents and Settings\John Luebbers\Application Data\wklnhst.dat
2011-10-03 13:46:05 ----D---- C:\Program Files\ERUNT
2011-10-01 15:52:48 ----A---- C:\TDSSKiller.2.5.3.0_01.10.2011_15.52.48_log.txt
2011-10-01 14:57:59 ----A---- C:\TDSSKiller.2.5.3.0_01.10.2011_14.57.59_log.txt
2011-10-01 13:16:56 ----A---- C:\TDSSKiller.2.6.2.0_01.10.2011_13.16.56_log.txt
2011-10-01 13:14:49 ----A---- C:\TDSSKiller.2.5.3.0_01.10.2011_13.14.49_log.txt
2011-09-26 18:48:49 ----D---- C:\Program Files\iPod
2011-09-26 18:41:50 ----D---- C:\Program Files\QuickTime
======List of files/folders modified in the last 1 month======
2011-10-19 20:59:21 ----D---- C:\WINDOWS\Prefetch
2011-10-19 20:58:41 ----RD---- C:\Program Files
2011-10-19 20:55:44 ----D---- C:\WINDOWS\system32\CatRoot2
2011-10-19 20:55:31 ----A---- C:\WINDOWS\ModemLog_Conexant HDA D110 MDC V.92 Modem.txt
2011-10-19 20:54:53 ----D---- C:\WINDOWS\system32\drivers
2011-10-19 20:54:53 ----D---- C:\WINDOWS\security
2011-10-19 20:54:32 ----A---- C:\WINDOWS\SchedLgU.Txt
2011-10-19 20:51:28 ----D---- C:\WINDOWS\system32\NtmsData
2011-10-19 20:49:43 ----SHD---- C:\System Volume Information
2011-10-19 20:43:35 ----D---- C:\WINDOWS\Registration
2011-10-19 20:41:47 ----D---- C:\WINDOWS
2011-10-19 20:29:22 ----HD---- C:\WINDOWS\inf
2011-10-19 20:29:21 ----D---- C:\WINDOWS\system32\CatRoot
2011-10-18 18:14:36 ----SHD---- C:\WINDOWS\Installer
2011-10-17 13:56:03 ----D---- C:\WINDOWS\Debug
2011-10-17 11:29:03 ----D---- C:\Documents and Settings\John Luebbers\Application Data\Skype
2011-10-15 16:29:02 ----RSD---- C:\WINDOWS\assembly
2011-10-15 16:18:19 ----D---- C:\WINDOWS\Microsoft.NET
2011-10-15 15:42:32 ----D---- C:\Program Files\Microsoft Silverlight
2011-10-15 15:42:28 ----RSHDC---- C:\WINDOWS\system32\dllcache
2011-10-15 15:42:28 ----D---- C:\WINDOWS\system32
2011-10-15 14:15:32 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2011-10-15 14:15:04 ----D---- C:\WINDOWS\WinSxS
2011-10-15 14:11:37 ----A---- C:\WINDOWS\system32\MRT.exe
2011-10-15 14:11:24 ----HD---- C:\WINDOWS\$hf_mig$
2011-10-15 14:11:14 ----D---- C:\Program Files\Internet Explorer
2011-10-15 14:11:04 ----D---- C:\WINDOWS\ie8updates
2011-10-12 17:02:36 ----HDC---- C:\WINDOWS\$NtUninstallKB2491683$
2011-10-12 16:44:53 ----D---- C:\WINDOWS\system32\drivers\etc
2011-10-12 16:42:42 ----D---- C:\WINDOWS\ERDNT
2011-10-09 16:24:57 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2011-10-08 19:09:29 ----D---- C:\Qoobox
2011-10-08 19:06:51 ----N---- C:\WINDOWS\system.ini
2011-10-08 19:04:05 ----D---- C:\WINDOWS\AppPatch
2011-10-08 19:04:02 ----D---- C:\Program Files\Common Files
2011-10-06 21:41:52 ----D---- C:\WINDOWS\Help
2011-10-05 17:43:46 ----D---- C:\WINDOWS\system32\FxsTmp
2011-10-05 16:43:38 ----D---- C:\Program Files\Adobe
2011-10-05 16:43:36 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2011-10-03 04:35:11 ----A---- C:\WINDOWS\system32\mshtml.dll
2011-10-01 15:44:11 ----D---- C:\WINDOWS\twain_32
2011-10-01 14:55:43 ----SD---- C:\Documents and Settings\John Luebbers\Application Data\Microsoft
2011-10-01 14:55:43 ----HDC---- C:\WINDOWS\$NtUninstallKB2536276$
2011-10-01 13:13:21 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2011-09-26 18:49:34 ----D---- C:\Program Files\iTunes
2011-09-26 18:48:48 ----D---- C:\Program Files\Common Files\Apple
2011-09-26 11:41:20 ----A---- C:\WINDOWS\system32\uiautomationcore.dll
2011-09-26 11:41:20 ----A---- C:\WINDOWS\system32\oleacc.dll
2011-09-26 11:41:14 ----A---- C:\WINDOWS\system32\oleaccrc.dll
2011-09-21 18:16:16 ----HD---- C:\Program Files\InstallShield Installation Information
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R0 drvmcdb;drvmcdb; C:\WINDOWS\system32\drivers\drvmcdb.sys [2004-08-04 87136]
R0 PxHelp20;PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [2004-08-02 20576]
R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2011-07-05 138192]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2004-07-14 5627]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2004-07-14 23545]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-14 8832]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2011-07-05 66616]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2004-08-13 40544]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2008-08-13 11904]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2004-08-13 25723]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2004-08-13 34843]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2004-08-13 4123]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2004-08-13 2239]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2004-08-13 86202]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2004-08-13 14715]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2004-08-13 6363]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2004-08-13 98714]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2004-08-13 100603]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2005-10-26 142720]
R3 BthEnum;Bluetooth Enumerator Service; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2008-04-14 17024]
R3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2008-04-14 101120]
R3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-14 18944]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2005-07-22 1035008]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2005-07-22 201600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NETw5x32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit; C:\WINDOWS\system32\DRIVERS\NETw5x32.sys [2009-10-26 4221952]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-06-09 6584160]
R3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-14 59136]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2007-05-10 1222840]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 USBCCID;USB Smart Card reader; C:\WINDOWS\system32\DRIVERS\usbccid.sys [2006-06-14 29184]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-07-22 717952]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-13 272128]
S3 catchme;catchme; \??\C:\DOCUME~1\JOHNLU~1\LOCALS~1\Temp\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 DSB650TX;D-Link DSB-650TX USB 10/100 Ethernet Adapter; C:\WINDOWS\system32\DRIVERS\DSB650TX.sys [2001-09-25 26958]
S3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 TrueSight;TrueSight; \??\C:\Documents and Settings\John Luebbers\Desktop\TrueSight.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2011-05-10 42496]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-14 121984]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2007-07-27 12032]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2011-04-28 136360]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2011-07-05 269480]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2011-02-18 37664]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2011-07-12 387944]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 EvtEng;Intel(R) PROSet/Wireless Event Log; C:\Program Files\Intel\WiFi\bin\EvtEng.exe [2009-11-03 874768]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-06-09 159812]
R2 RegSrvc;Intel(R) PROSet/Wireless Registry Service; C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe [2009-11-03 473360]
R2 S24EventMonitor;Intel(R) PROSet/Wireless WiFi Service; C:\Program Files\Intel\WiFi\bin\S24EvMon.exe [2009-11-03 909312]
R2 WLANKEEPER;Intel(R) PROSet/Wireless SSO Service; C:\Program Files\Intel\WiFi\bin\WLKeeper.exe [2009-11-03 348160]
R2 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2008-05-26 439808]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2011-08-19 821096]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-14 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WinRM;Windows Remote Management (WS-Management); C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
-----------------EOF-----------------
Dakeyras
info.txt logfile of random's system information tool 1.09 2011-10-19 20:59:50
======Uninstall list======
-->C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil10r_ActiveX.exe -maintain activex
Adobe Shockwave Player 11.5-->"C:\WINDOWS\system32\Adobe\Shockwave 11\uninstaller.exe"
Apple Application Support-->MsiExec.exe /I{6A3F9D74-BB80-4451-8CA1-4B3A857F1359}
Apple Mobile Device Support-->MsiExec.exe /I{C23CD6DA-1958-43A5-ADD0-59396572E02E}
Apple Software Update-->MsiExec.exe /I{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}
Auslogics Disk Defrag-->"C:\Program Files\Auslogics\Auslogics Disk Defrag\unins000.exe"
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
Bonjour-->MsiExec.exe /X{D03482C5-9AD8-496D-B388-692AE04C93AF}
Broadcom Gigabit Integrated Controller-->MsiExec.exe /X{B7F54262-AB66-44B3-88BF-9FC69941B643}
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Conexant HDA D110 MDC V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028k.inf
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
ESET Online Scanner v3-->C:\Program Files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB2570791)-->"C:\WINDOWS\$NtUninstallKB2570791$\spuninst\spuninst.exe"
Intel PROSet Wireless-->Intel PROSet Wireless
iTunes-->MsiExec.exe /I{69995C7A-062A-4A90-A4DF-8C22895DF522}
Malwarebytes' Anti-Malware version 1.51.2.1300-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Security Update (KB2572067)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M2572067\M2572067Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Bootvis-->MsiExec.exe /I{0F9196C6-58B4-445B-B56E-B1200FECC151}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Standard Edition 2003-->MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570-->MsiExec.exe /X{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148-->MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161-->MsiExec.exe /X{9BE518E6-ECC6-35A9-88E4-87755C07200F}
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
PCFriendly-->C:\Program Files\PCFriendly\inuninst.exe
PowerDVD 5.1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{C9E14402-3631-4182-B377-6B0DFB1C0339}
Safari-->MsiExec.exe /I{C73F2967-062E-48F2-A462-D335B8950183}
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A8894F19-59C8-38D2-8A75-36C0CCE56A5B} /qb+ REBOOTPROMPT=""
Security Update for Microsoft Windows (KB2564958)-->"C:\WINDOWS\$NtUninstallKB2564958$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB2360131)-->"C:\WINDOWS\ie8updates\KB2360131-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB2416400)-->"C:\WINDOWS\ie8updates\KB2416400-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB2482017)-->"C:\WINDOWS\ie8updates\KB2482017-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB2497640)-->"C:\WINDOWS\ie8updates\KB2497640-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB2510531)-->"C:\WINDOWS\ie8updates\KB2510531-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB2530548)-->"C:\WINDOWS\ie8updates\KB2530548-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB2544521)-->"C:\WINDOWS\ie8updates\KB2544521-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB2559049)-->"C:\WINDOWS\ie8updates\KB2559049-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB2586448)-->"C:\WINDOWS\ie8updates\KB2586448-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB981332)-->"C:\WINDOWS\ie8updates\KB981332-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB982381)-->"C:\WINDOWS\ie8updates\KB982381-IE8\spuninst\spuninst.exe"
Security Update for Windows XP (KB2412687)-->"C:\WINDOWS\$NtUninstallKB2412687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2476490)-->"C:\WINDOWS\$NtUninstallKB2476490$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2485663)-->"C:\WINDOWS\$NtUninstallKB2485663$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2491683)-->"C:\WINDOWS\$NtUninstallKB2491683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2503658)-->"C:\WINDOWS\$NtUninstallKB2503658$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2503665)-->"C:\WINDOWS\$NtUninstallKB2503665$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2506212)-->"C:\WINDOWS\$NtUninstallKB2506212$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2506223)-->"C:\WINDOWS\$NtUninstallKB2506223$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2507618)-->"C:\WINDOWS\$NtUninstallKB2507618$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2507938)-->"C:\WINDOWS\$NtUninstallKB2507938$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2508272)-->"C:\WINDOWS\$NtUninstallKB2508272$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2508429)-->"C:\WINDOWS\$NtUninstallKB2508429$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2509553)-->"C:\WINDOWS\$NtUninstallKB2509553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2511455)-->"C:\WINDOWS\$NtUninstallKB2511455$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2535512)-->"C:\WINDOWS\$NtUninstallKB2535512$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2536276)-->"C:\WINDOWS\$NtUninstallKB2536276$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2536276-v2)-->"C:\WINDOWS\$NtUninstallKB2536276-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2544893)-->"C:\WINDOWS\$NtUninstallKB2544893$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2555917)-->"C:\WINDOWS\$NtUninstallKB2555917$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2562937)-->"C:\WINDOWS\$NtUninstallKB2562937$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2566454)-->"C:\WINDOWS\$NtUninstallKB2566454$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2567053)-->"C:\WINDOWS\$NtUninstallKB2567053$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2567680)-->"C:\WINDOWS\$NtUninstallKB2567680$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2570222)-->"C:\WINDOWS\$NtUninstallKB2570222$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2570947)-->"C:\WINDOWS\$NtUninstallKB2570947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2592799)-->"C:\WINDOWS\$NtUninstallKB2592799$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
SigmaTel Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Skype™ 5.3-->MsiExec.exe /X{D6F879CC-59D6-4D4B-AE9B-D761E48D25ED}
Sonic DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic MyDVD-->MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow!-->MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager-->MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 8 (KB2447568)-->"C:\WINDOWS\ie8updates\KB2447568-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976662)-->"C:\WINDOWS\ie8updates\KB976662-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB2541763)-->"C:\WINDOWS\$NtUninstallKB2541763$\spuninst\spuninst.exe"
Update for Windows XP (KB2607712)-->"C:\WINDOWS\$NtUninstallKB2607712$\spuninst\spuninst.exe"
Update for Windows XP (KB2616676)-->"C:\WINDOWS\$NtUninstallKB2616676$\spuninst\spuninst.exe"
VoiceOver Kit-->MsiExec.exe /I{7C5B4583-7CBF-4289-B195-03B553959DEA}
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Management Framework Core-->"C:\WINDOWS\$968930Uinstall_KB968930$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Search 4.0-->"C:\WINDOWS\$NtUninstallKB940157$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
======Hosts File======
::1 localhost
======Security center information======
AV: AntiVir Desktop
======System event log======
Computer Name: JOHN-B87196AA5E
Event Code: 10016
Message: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{A4199E55-EBB9-49E5-AF1A-7A5408B2E206}
to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
Record Number: 47225
Source Name: DCOM
Time Written: 20111013090911.000000-240
Event Type: error
User: NT AUTHORITY\NETWORK SERVICE
Computer Name: JOHN-B87196AA5E
Event Code: 10016
Message: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{A4199E55-EBB9-49E5-AF1A-7A5408B2E206}
to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
Record Number: 47224
Source Name: DCOM
Time Written: 20111013090911.000000-240
Event Type: error
User: NT AUTHORITY\NETWORK SERVICE
Computer Name: JOHN-B87196AA5E
Event Code: 10016
Message: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{A4199E55-EBB9-49E5-AF1A-7A5408B2E206}
to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
Record Number: 47223
Source Name: DCOM
Time Written: 20111013090910.000000-240
Event Type: error
User: NT AUTHORITY\NETWORK SERVICE
Computer Name: JOHN-B87196AA5E
Event Code: 18
Message: Windows cannot store Bluetooth link keys on the local transceiver because it cannot determine whether proper security is enabled for the device.
Record Number: 47212
Source Name: BTHUSB
Time Written: 20111013090856.000000-240
Event Type: warning
User:
Computer Name: JOHN-B87196AA5E
Event Code: 4
Message: Broadcom NetXtreme 57xx Gigabit Controller: The network link is down. Check to make sure the network cable is properly connected.
Record Number: 47211
Source Name: b57w2k
Time Written: 20111013090856.000000-240
Event Type: warning
User:
=====Application event log=====
Computer Name: JOHN-B87196AA5E
Event Code: 3013
Message: The entry <C:\DOCUMENTS AND SETTINGS\JOHN LUEBBERS\RECENT\DESKTOP.INI> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)
Record Number: 2117
Source Name: Windows Search Service
Time Written: 20110614203912.000000-240
Event Type: error
User:
Computer Name: JOHN-B87196AA5E
Event Code: 3013
Message: The entry <C:\DOCUMENTS AND SETTINGS\JOHN LUEBBERS\RECENT\DESKTOP.INI> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)
Record Number: 2099
Source Name: Windows Search Service
Time Written: 20110614202927.000000-240
Event Type: error
User:
Computer Name: JOHN-B87196AA5E
Event Code: 3013
Message: The entry <C:\DOCUMENTS AND SETTINGS\JOHN LUEBBERS\RECENT\DESKTOP.INI> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)
Record Number: 2098
Source Name: Windows Search Service
Time Written: 20110614202927.000000-240
Event Type: error
User:
Computer Name: JOHN-B87196AA5E
Event Code: 3013
Message: The entry <C:\DOCUMENTS AND SETTINGS\JOHN LUEBBERS\RECENT\DESKTOP.INI> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)
Record Number: 2097
Source Name: Windows Search Service
Time Written: 20110614202927.000000-240
Event Type: error
User:
Computer Name: JOHN-B87196AA5E
Event Code: 1002
Message: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Record Number: 2058
Source Name: Application Hang
Time Written: 20110614190050.000000-240
Event Type: error
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\WINDOWS\system32\WindowsPowerShell\v1.0;C:\Program Files\Intel\WiFi\bin;C:\PROGRA~1\COMMON~1\SONICS~1;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 14 Stepping 8, GenuineIntel
"PROCESSOR_REVISION"=0e08
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"PSModulePath"=C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\
"asl.log"=Destination=file
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip
-----------------EOF-----------------
Thanks again for all your help.
Will reach out to you Tuesday when I return from Vacation :)
Luebs
Dakeyras
2011-10-20, 16:07
Hi. :)
I have been using a wireless router to connect but will be able to use hard wire connect when at home. I think I have XP Installation CD-ROM at work but will not be back there until Tuesday. Heading off on a little vacation so I will not be able to communicate back with you until Tues. I am not taking this computer with me. Hope this is not an issue.
OK, not a problem. However I would be remiss at this stage if I did not inform your good self about the following... One or more of the identified infections is a Backdoor Trojan.
Since we are dealing with the aforementioned infection(s) I would be providing your good self with a disservice if I did not make you aware of the ramifications below:
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Although an attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat. Therefore, your best and safest course of action is a reformat and reinstallation of the Windows Operating System, and that is the course we strongly recommend.
Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)
I can attempt to clean this machine but I can't guarantee that it will be at all secure afterwards.
Should you have any questions, please feel free to ask.
Please let myself know what you have decided to do in your next post.
Thank you for all your help. I think my best option is to reformat and reinstall the Windows Operating System.
Dakeyras
2011-10-26, 11:58
Hi. :)
Thank you for all your help. I think my best option is to reformat and reinstall the Windows Operating System.
Fair play and you're most welcome!
For future reference this forum topic would be worth reading:
So how did I get infected in the first place? (http://forums.spybot.info/showthread.php?t=279)