uiuci


uiuci

Post by demoncurrie on Thu Jun 17, 2010 10:41 pm

Hi,
My pc seems to have slowed down. I have started to investigate by checking what is activated on startup, by running MSCONFIG and looking at the Startup tab. Something called UIUCI.exe is called from C:\document~1\...TEMP. (But I can't find it when I look for it).

I have searched the web and it seems to be a driver from Conexant. But some sites suggest it could be a virus.

What should I do?

thanks

demoncurrie
Intermediate

Posts : 123
Joined : 2010-05-14
OS : Windows XP Home
Points : 25787
# Likes : 0



Re: uiuci

Post by Belahzur on Fri Jun 18, 2010 12:04 am

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245059
# Likes : 1



OTL output

Post by demoncurrie on Sat Jun 19, 2010 3:13 pm

Here's OTL.txt
[2010/06/17 09:51:30 | 000,067,448 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/17 09:00:00 | 000,000,400 | ---- | M] () -- C:\WINDOWS\tasks\0000055958[2].job
[2010/06/16 07:33:13 | 000,081,496 | ---- | M] () -- C:\Documents and Settings\Yule family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/06/16 03:16:58 | 000,282,928 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/16 00:26:03 | 000,039,424 | ---- | M] () -- C:\Documents and Settings\Yule family\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/15 00:08:24 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Yule family\ntuser.ini
[2010/06/13 19:08:18 | 000,000,000 | ---- | M] () -- C:\WINDOWS\PhEdit.INI
[2010/06/12 19:23:28 | 000,001,913 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\PHOTOfunSTUDIO 4.0 HD Edition.lnk
[2010/06/12 18:24:29 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/12 18:21:58 | 000,000,774 | ---- | M] () -- C:\Documents and Settings\Yule family\Desktop\FZ38 Operating Instructions.lnk
[2010/06/06 16:23:31 | 000,003,350 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2010/06/06 13:29:00 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/06/03 00:38:41 | 000,002,471 | ---- | M] () -- C:\Documents and Settings\Yule family\Desktop\Microsoft Excel.lnk
[2010/05/30 16:22:33 | 000,008,212 | ---- | M] () -- C:\WINDOWS\mfebcdata
[2010/05/30 15:10:01 | 007,470,248 | -H-- | M] () -- C:\Documents and Settings\Yule family\Local Settings\Application Data\IconCache.db
[2010/05/29 15:49:59 | 000,003,925 | ---- | M] () -- C:\Documents and Settings\Yule family\DslTest.html
[2010/05/29 15:49:55 | 000,000,524 | ---- | M] () -- C:\Documents and Settings\Yule family\dsltest.cfg
[2010/05/27 00:42:31 | 000,022,451 | ---- | M] () -- C:\Documents and Settings\Yule family\DModem_Trace.trc
[2010/05/21 00:12:37 | 000,000,689 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/21 00:12:37 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/21 00:12:37 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/19 11:41:22 | 000,001,595 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\McAfee Security Center.lnk
[2010/06/14 22:38:26 | 000,000,400 | ---- | C] () -- C:\WINDOWS\tasks\0000055958[2].job
[2010/06/13 19:08:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PhEdit.INI
[2010/06/12 19:23:27 | 000,001,913 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\PHOTOfunSTUDIO 4.0 HD Edition.lnk
[2010/06/12 19:05:36 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2010/06/12 19:05:35 | 000,111,932 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2010/06/12 19:05:35 | 000,001,136 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2010/06/12 19:05:35 | 000,001,120 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_IT.dat
[2010/06/12 19:05:35 | 000,001,107 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_GE.dat
[2010/06/12 19:05:35 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2010/06/12 19:05:34 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2010/06/12 19:05:34 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2010/06/12 19:05:34 | 000,026,154 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2010/06/12 19:05:34 | 000,024,903 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2010/06/12 19:05:34 | 000,021,390 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2010/06/12 19:05:34 | 000,020,148 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2010/06/12 19:05:34 | 000,011,811 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2010/06/12 19:05:34 | 000,005,817 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_KO.cfg
[2010/06/12 19:05:34 | 000,005,436 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_SC.cfg
[2010/06/12 19:05:34 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2010/06/12 19:05:34 | 000,002,889 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_RU.cfg
[2010/06/12 19:05:34 | 000,002,426 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_TC.cfg
[2010/06/12 19:05:34 | 000,001,146 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_DU.dat
[2010/06/12 19:05:34 | 000,001,139 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2010/06/12 19:05:34 | 000,001,139 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2010/06/12 19:05:34 | 000,001,129 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2010/06/12 19:05:34 | 000,001,129 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2010/06/12 19:05:33 | 000,013,732 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_EN.cfg
[2010/06/12 19:05:33 | 000,006,442 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_IT.cfg
[2010/06/12 19:05:33 | 000,006,347 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_PT.cfg
[2010/06/12 19:05:33 | 000,006,347 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_BP.cfg
[2010/06/12 19:05:33 | 000,006,335 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_GE.cfg
[2010/06/12 19:05:33 | 000,006,195 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_FR.cfg
[2010/06/12 19:05:33 | 000,006,195 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_CF.cfg
[2010/06/12 19:05:33 | 000,006,122 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_DU.cfg
[2010/06/12 19:05:33 | 000,006,103 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_ES.cfg
[2010/06/12 18:21:58 | 000,000,774 | ---- | C] () -- C:\Documents and Settings\Yule family\Desktop\FZ38 Operating Instructions.lnk
[2010/05/30 16:22:33 | 000,008,212 | ---- | C] () -- C:\WINDOWS\mfebcdata
[2010/05/15 23:44:19 | 000,000,174 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/04/09 22:49:06 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/04/09 22:49:06 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2010/02/18 14:25:09 | 000,000,008 | RHS- | C] () -- C:\WINDOWS\System32\57E1DD82AC.sys
[2010/02/18 11:57:16 | 000,003,350 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2010/01/19 21:14:07 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\CoInst.dll
[2010/01/19 21:14:04 | 000,016,938 | ---- | C] () -- C:\WINDOWS\wwdslcfg.ini
[2010/01/17 17:48:48 | 000,000,036 | ---- | C] () -- C:\WINDOWS\Tiny_Run.ini
[2010/01/17 14:14:23 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/01/17 10:58:51 | 000,000,175 | ---- | C] () -- C:\WINDOWS\qwimp.ini
[2010/01/17 10:57:53 | 000,000,037 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2010/01/17 10:57:52 | 000,001,534 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2010/01/16 19:57:03 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2001/07/07 04:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1999/01/22 19:46:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/12 09:00:00 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL
< End of report >

And here's Extra.txt:
OTL Extras logfile created on: 19/06/2010 15:59:46 - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Yule family\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

446.00 Mb Total Physical Memory | 100.00 Mb Available Physical Memory | 22.00% Memory free
1.00 Gb Paging File | 0.00 Gb Available in Paging File | 35.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 108.59 Gb Total Space | 64.09 Gb Free Space | 59.02% Space Free | Partition Type: NTFS
Drive D: | 37.24 Gb Total Space | 37.17 Gb Free Space | 99.83% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YULES
Current User Name: Yule family
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3029:TCP" = 3029:TCP:*:Enabled:Services
"4558:TCP" = 4558:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"80:TCP" = 80:TCP:*:Enabled:Services
"443:TCP" = 443:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3029:TCP" = 3029:TCP:*:Enabled:Services
"4558:TCP" = 4558:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- File not found
"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Professional
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Disc 2
"{05C56753-F144-44BC-BA67-83CC5DBF395C}" = F300
"{12665B01-3F3A-4433-B179-9D8E352D7547}" = Try Corel Snapfire muvee autoProducer add on
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 19
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{366CC735-543D-42CB-9C03-D7512314DE52}" = Quicken 2004
"{381D847E-7E56-4E82-B261-F799E0F40EB4}" = PHOTOfunSTUDIO 4.0 HD Edition
"{3CB41017-F5CA-4C56-934C-ED02156251E6}" = iTunes
"{402ED4A1-8F5B-387A-8688-997ABF58B8F2}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{4571CC76-42C4-7D67-E024-0AEB166E1C6F}" = Acrobat.com
"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm
"{49FA793C-785E-47E9-93DF-BD442B0B45D1}" = McAfee Virtual Technician
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant
"{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{68763C27-235D-4165-A961-FDEA228CE504}" = AiOSoftwareNPI
"{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox
"{6994491D-D491-48F1-AE1F-E179C1FFFC2F}" = HP Photosmart Essential
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{736C803C-DD3B-4015-BC51-AFB9E67B9076}" = Readme
"{78B50D1D-642C-4B89-BCC7-352EAE3614D7}" = iPod for Windows 2005-02-07
"{7E7B7865-6C80-4373-8BC1-C2EB9431F9DE}" = ProductContextNPI
"{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{996512CF-F35B-48DE-9291-557FA5316967}" = ScannerCopy
"{9C9D0F85-5658-4A5E-95A9-65F7DB2916EE}" = Broadcom 440x 10/100 Integrated Controller
"{A062A15F-9CAC-4B88-98DF-87628A0BD721}" = Corel MediaOne
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}" = HP Software Update
"{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}" = HP Photosmart, Officejet and Deskjet 7.0.A
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = Athlon 64 Processor Driver
"{C252EB7B-7AE0-46DE-9BEE-DF681B885F13}" = Modem Diagnostic Tool
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter
"{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA
"{CC2C40CE-62A8-4BC2-9FB1-FD8794DE3C1A}" = ClickArt Fonts 3
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp
"{E1B80DEE-A795-4258-8445-074C06AE3AB8}" = MarketResearch
"{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}" = Microsoft SQL Server Compact 3.5 SP1 English
"{E5966E4C-0A93-4F59-A981-BD3173D4799F}" = F300_Help
"{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC
"{F3760724-B29D-465B-BC53-E5D72095BCC4}" = Scan
"{F6076EF9-08E1-442F-B6A2-BFB61B295A14}" = Fax_CDA
"{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations
"{FB64BF25-3593-4E4E-AA85-84AEF1D1475F}" = Broadcom Management Programs
"{FBB980B0-63F8-4B48-8D65-90F1D9F81D9F}" = NewCopy_CDA
"{FCD9CD52-7222-4672-94A0-A722BA702FD0}" = Dell Resource CD
"{FE4270D7-A642-49C1-9A40-854DA3F13FB2}_is1" = Moyea FLV Player version: 2.0.2.96
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"BT Voyager 105 ADSL Modem" = BT Voyager 105 ADSL Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"HP Imaging Device Functions" = HP Imaging Device Functions 7.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0
"HPExtendedCapabilities" = HP Customer Participation Program 7.0
"ie8" = Windows Internet Explorer 8
"InstallShield_{3CB41017-F5CA-4C56-934C-ED02156251E6}" = iTunes
"InstallShield_{78B50D1D-642C-4B89-BCC7-352EAE3614D7}" = iPod for Windows 2005-02-07
"KLiteCodecPack_is1" = K-Lite Codec Pack 3.2.5 Standard
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MP4 Player" = MP4 Player
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"QuickTime" = QuickTime
"Rapport_msi" = Rapport
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 17/06/2010 03:39:33 | Computer Name = YULES | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 17/06/2010 03:39:33 | Computer Name = YULES | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 17/06/2010 03:39:33 | Computer Name = YULES | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 19/06/2010 05:10:07 | Computer Name = YULES | Source = Google Update | ID = 20
Description =

Error - 19/06/2010 06:47:20 | Computer Name = YULES | Source = Application Hang | ID = 1002
Description = Hanging application qw.exe, version 13.1.2.73, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 19/06/2010 06:48:24 | Computer Name = YULES | Source = Application Hang | ID = 1001
Description = Fault bucket 166010596.

Error - 19/06/2010 10:25:35 | Computer Name = YULES | Source = Application Error | ID = 1000
Description = Faulting application hp_ize.exe, version 1.12.0.46, faulting module
hp_ize.exe, version 1.12.0.46, fault address 0x00037265.

Error - 19/06/2010 10:25:48 | Computer Name = YULES | Source = Application Error | ID = 1001
Description = Fault bucket 309826107.

Error - 19/06/2010 10:30:20 | Computer Name = YULES | Source = Application Error | ID = 1000
Description = Faulting application hp_ize.exe, version 1.12.0.46, faulting module
hp_ize.exe, version 1.12.0.46, fault address 0x00037265.

Error - 19/06/2010 10:30:28 | Computer Name = YULES | Source = Application Error | ID = 1001
Description = Fault bucket 309826107.

[ System Events ]
Error - 17/06/2010 03:38:20 | Computer Name = YULES | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cercsr6

Error - 17/06/2010 03:40:05 | Computer Name = YULES | Source = DCOM | ID = 10010
Description = The server {209500FC-6B45-4693-8871-6296C4843751} did not register
with DCOM within the required timeout.

Error - 17/06/2010 03:40:50 | Computer Name = YULES | Source = DCOM | ID = 10010
Description = The server {209500FC-6B45-4693-8871-6296C4843751} did not register
with DCOM within the required timeout.

Error - 17/06/2010 13:58:53 | Computer Name = YULES | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cercsr6

Error - 17/06/2010 14:00:38 | Computer Name = YULES | Source = DCOM | ID = 10010
Description = The server {209500FC-6B45-4693-8871-6296C4843751} did not register
with DCOM within the required timeout.

Error - 19/06/2010 05:11:03 | Computer Name = YULES | Source = System Error | ID = 1003
Description = Error code 000000c2, parameter1 00000007, parameter2 00000cd4, parameter3
00000000, parameter4 84c8a810.

Error - 19/06/2010 05:11:31 | Computer Name = YULES | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cercsr6

Error - 19/06/2010 06:33:54 | Computer Name = YULES | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cercsr6

Error - 19/06/2010 06:36:45 | Computer Name = YULES | Source = DCOM | ID = 10010
Description = The server {209500FC-6B45-4693-8871-6296C4843751} did not register
with DCOM within the required timeout.

Error - 19/06/2010 06:41:57 | Computer Name = YULES | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cercsr6


< End of report >


thanks

demoncurrie
Intermediate


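The Extras.txt above is where a helper usually looks first: Security Center monitoring switched off, a firewall profile with EnableFirewall = 0, and GloballyOpenPorts entries enabled for any remote address (scope *). As an added example, not code from the thread or from OTL's author, here is a Python triage script that parses that section of an OTL Extras.txt and flags those settings; the embedded sample is a constructed, cut-down copy of the lines posted above, with the rest of the log omitted.

```python
"""Triage the Security Center / firewall section of an OTL Extras.txt log."""
import re
from dataclasses import dataclass

# Constructed sample: a cut-down copy of the Extras.txt section posted above,
# with the remaining keys omitted. A real log is read with open(path).read().
SAMPLE_EXTRAS = r"""
========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"65533:TCP" = 65533:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop

========== Authorized Applications List ==========
"""

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')       # [HKEY_...\Sub\Key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')   # "Name" = data
DYNAMIC_PORT_START = 49152                         # IANA dynamic/private port range


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    message: str


def parse_registry_dump(text):
    """Return {registry_key: {value_name: data}} from OTL's [key] / "name" = data layout."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2)
    return entries


def triage_firewall_settings(text):
    """Flag Security Center and Windows Firewall settings worth a second look."""
    findings = []
    for key, values in parse_registry_dump(text).items():
        parts = key.split('\\')
        # Security Center\Monitoring\<Product>: DisableMonitoring = 1 means the
        # Security Center no longer watches that AV or firewall product.
        if len(parts) >= 2 and parts[-2] == 'Monitoring' and values.get('DisableMonitoring') == '1':
            findings.append(Finding('high', f'Security Center monitoring disabled for {parts[-1]}'))
        # FirewallPolicy\<Profile>: EnableFirewall = 0 turns the built-in firewall off.
        if len(parts) >= 2 and parts[-2] == 'FirewallPolicy' and values.get('EnableFirewall') == '0':
            findings.append(Finding('high', f'Windows Firewall disabled in {parts[-1]}'))
        # GloballyOpenPorts\List data is laid out as port:proto:scope:state:label.
        if parts[-2:] == ['GloballyOpenPorts', 'List']:
            profile = parts[-3] if len(parts) >= 3 else '?'
            for data in values.values():
                fields = data.split(':', 4)
                if len(fields) != 5:
                    continue
                port, proto, scope, state, label = fields
                if state != 'Enabled' or scope != '*':
                    continue      # disabled, or limited to the local subnet
                where = f'{port}/{proto} ({label}) open to any address in {profile}'
                if port == '3389':
                    findings.append(Finding('high', f'Remote Desktop {where}'))
                elif port.isdigit() and int(port) >= DYNAMIC_PORT_START:
                    findings.append(Finding('medium', f'Dynamic-range port {where}'))
                else:
                    findings.append(Finding('medium', f'Port {where}'))
    return findings


if __name__ == '__main__':
    for f in triage_firewall_settings(SAMPLE_EXTRAS):
        print(f'[{f.severity.upper():6}] {f.message}')
```

Each finding is a prompt for review, not a verdict: a third-party firewall such as the McAfee product in this log legitimately sets EnableFirewall = 0, so the analyst still has to confirm what replaced it.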

Re: uiuci

Post by Belahzur on Sat Jun 19, 2010 4:52 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.




Belahzur
Administrator



Combofix text

Post by demoncurrie on Sun Jun 20, 2010 12:14 am

ComboFix 10-06-18.03 - Yule family 20/06/2010 0:38.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.446.32 [GMT 1:00]
Running from: c:\documents and settings\Yule family\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\pswi_preloaded.exe
c:\program files\alot
c:\program files\alot\alotUninst.exe
c:\program files\alot\bin\alot.dll
c:\program files\alot\bin\BHO\alotBHO.dll
C:\s
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.3.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PRAGMAuspprpfdiv
-------\Service_PRAGMAuspprpfdiv


((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))
.

2010-06-15 23:37 . 2010-06-15 23:37 -------- d-----w- c:\windows\system32\XPSViewer
2010-06-15 23:37 . 2010-06-15 23:37 -------- d-----w- c:\program files\MSBuild
2010-06-15 23:36 . 2010-06-15 23:36 -------- d-----w- c:\program files\Reference Assemblies
2010-06-15 23:36 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-06-15 23:35 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-06-15 23:35 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-06-15 23:35 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-06-15 23:35 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-06-15 23:35 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-06-15 23:35 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-06-15 23:35 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-06-15 23:35 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-06-15 23:35 . 2010-06-15 23:36 -------- d-----w- C:\49a5d9991f799650a764
2010-06-13 09:30 . 2010-06-13 09:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Panasonic
2010-06-13 09:30 . 2010-06-13 09:30 -------- d-----w- c:\documents and settings\Yule family\Local Settings\Application Data\Panasonic
2010-06-12 17:55 . 2006-02-20 18:17 33408 ----a-w- c:\windows\system32\drivers\cdrbsdrv.sys
2010-06-12 17:54 . 2007-06-15 11:57 59488 ----a-w- c:\windows\system32\GenSvcInst.exe
2010-06-12 17:54 . 2007-06-15 11:57 145504 ----a-w- c:\windows\system32\bgsvcgen.exe
2010-06-12 17:53 . 2010-06-12 17:53 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-06-12 17:53 . 2010-06-12 17:53 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-06-12 17:21 . 2010-06-12 17:48 -------- d-----w- c:\program files\Panasonic
2010-06-12 11:11 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-06 19:16 . 2010-06-06 19:16 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Trusteer
2010-06-06 18:16 . 2010-06-06 18:16 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NVIDIA Corporation
2010-06-06 18:16 . 2010-06-06 18:17 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-30 15:16 . 2010-04-27 16:16 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-05-30 15:15 . 2010-04-27 16:16 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-05-30 15:15 . 2010-04-27 16:16 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-05-30 15:15 . 2010-04-27 16:16 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-05-30 15:15 . 2010-04-27 16:16 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-05-30 15:15 . 2010-04-27 16:16 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-05-26 23:59 . 2010-05-26 23:59 -------- d-sh--w- c:\documents and settings\test\PrivacIE
2010-05-26 23:58 . 2010-05-26 23:58 80704 ----a-w- c:\documents and settings\test\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-26 23:58 . 2010-05-26 23:58 -------- d-----w- c:\documents and settings\test\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 14:29 . 2010-02-21 11:24 -------- d-----w- c:\documents and settings\Yule family\Application Data\Image Zone Express
2010-06-19 10:48 . 2007-04-05 13:51 -------- d-----w- c:\program files\Quicken
2010-06-17 17:57 . 2010-01-20 22:38 -------- d-----w- c:\program files\McAfee
2010-06-16 06:33 . 2010-01-16 19:05 81496 ----a-w- c:\documents and settings\Yule family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 01:58 . 2010-02-12 08:16 -------- d-----w- c:\documents and settings\Yule family\Application Data\Skype
2010-06-13 23:08 . 2010-02-12 08:19 -------- d-----w- c:\documents and settings\Yule family\Application Data\skypePM
2010-06-12 17:53 . 2007-04-05 13:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-07 17:07 . 2010-06-07 17:07 434176 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
2010-06-06 15:23 . 2010-02-18 10:57 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-06 12:29 . 2010-01-29 22:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-30 15:21 . 2010-01-20 22:26 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee
2010-05-30 15:17 . 2010-01-20 22:38 -------- d-----w- c:\program files\Common Files\McAfee
2010-05-19 22:25 . 2010-05-15 09:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-19 22:01 . 2008-09-27 10:09 -------- d-----w- c:\program files\QuickTime
2010-05-18 22:14 . 2010-01-16 19:02 -------- d-----w- c:\documents and settings\Yule family\Application Data\HP
2010-05-17 21:00 . 2010-01-16 17:25 -------- d-----w- c:\program files\Modem Diagnostic Tool
2010-05-16 20:43 . 2010-05-16 20:43 4224 ----a-w- c:\windows\system32\drivers\RDPCDD.SYS
2010-05-15 09:09 . 2010-05-15 09:09 -------- d-----w- c:\documents and settings\Yule family\Application Data\Malwarebytes
2010-05-15 09:09 . 2010-05-15 09:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-05-06 10:41 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-04 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 16:16 . 2010-04-14 11:50 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 16:16 . 2010-01-20 22:39 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-27 16:16 . 2010-01-20 22:39 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-27 16:16 . 2009-11-04 16:54 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-21 07:36 . 2010-04-21 07:36 -------- d-----w- c:\documents and settings\test\Application Data\Trusteer
2010-04-20 22:06 . 2010-04-20 22:06 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-20 05:30 . 2004-08-04 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-03 21:55 . 2010-04-03 21:55 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-04-03 21:55 . 2010-04-03 21:55 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-03 21:55 . 2010-04-03 21:55 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-03 21:55 . 2010-04-03 21:55 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-03 21:55 . 2010-04-03 21:55 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-03 21:55 . 2010-04-03 21:55 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-04-03 21:55 . 2010-04-03 21:55 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-03 21:55 . 2010-04-03 21:55 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-04-03 21:55 . 2010-04-03 21:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-04-03 21:55 . 2010-04-03 21:55 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-04-03 21:55 . 2010-01-20 22:26 10232128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-04-03 21:55 . 2008-04-14 00:12 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-04-03 18:23 . 2010-04-03 18:23 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-03 18:23 . 2010-04-03 18:23 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-03 18:23 . 2010-04-03 18:23 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-03 18:23 . 2010-04-03 18:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 18:23 . 2010-04-03 18:23 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 18:22 . 2010-04-03 18:22 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-04-01 22:19 . 2010-04-01 22:19 503808 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7323ad55-n\msvcp71.dll
2010-04-01 22:19 . 2010-04-01 22:19 499712 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7323ad55-n\jmc.dll
2010-04-01 22:19 . 2010-04-01 22:19 348160 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7323ad55-n\msvcr71.dll
2010-04-01 22:19 . 2010-04-01 22:19 61440 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1f5ffcee-n\decora-sse.dll
2010-04-01 22:19 . 2010-04-01 22:19 12800 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1f5ffcee-n\decora-d3d.dll
2010-02-18 13:25 . 2010-02-18 13:25 8 --sh--r- c:\windows\system32\57E1DD82AC.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2007-01-25 1658965]
"DSLAGENTEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe" [2007-01-25 16384]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-01 1180976]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
PHOTOfunSTUDIO 4.0 HD Edition.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO 4.0 HD\AutoStartupService.exe [2010-6-12 146264]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2007-4-7 57344]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor]
2007-12-01 17:38 38400 ----a-r- c:\program files\Corel\Corel MediaOne\CorelIOMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP4 Player]
2008-11-06 17:23 772096 ----a-w- c:\program files\MP4 Player\Mp4Player.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-01-17 23:12 98304 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3029:TCP"= 3029:TCP:Services
"4558:TCP"= 4558:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [30/05/2010 16:15 82952]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [07/06/2010 18:07 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [07/06/2010 18:07 166632]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [20/01/2010 23:42 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [30/05/2010 16:15 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [30/05/2010 16:15 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [30/05/2010 16:16 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [30/05/2010 16:15 141792]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [07/06/2010 18:07 840936]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [30/05/2010 16:15 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [30/05/2010 16:15 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [30/05/2010 16:15 88480]
S1 MpKsl56ce2b3f;MpKsl56ce2b3f;\??\c:\windows\system32\MpEngineStore\MpKsl56ce2b3f.sys --> c:\windows\system32\MpEngineStore\MpKsl56ce2b3f.sys [?]
S1 MpKsl8b16be60;MpKsl8b16be60;\??\c:\windows\system32\MpEngineStore\MpKsl8b16be60.sys --> c:\windows\system32\MpEngineStore\MpKsl8b16be60.sys [?]
S1 MpKslfb1eeb2a;MpKslfb1eeb2a;\??\c:\windows\system32\MpEngineStore\MpKslfb1eeb2a.sys --> c:\windows\system32\MpEngineStore\MpKslfb1eeb2a.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/09/2009 18:28 133104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [30/05/2010 16:15 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [30/05/2010 16:15 83496]
S3 se46bus;Sony Ericsson Device 070 driver (WDM);c:\windows\system32\drivers\se46bus.sys [22/02/2010 12:55 61536]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 17:28]

2010-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 17:28]

2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-20 12:22]

2010-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-20 12:22]

2010-06-20 c:\windows\Tasks\User_Feed_Synchronization-{DF8E2BEC-7A9C-4D85-9DC0-FDC10DEDCB66}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
.
.
------- File Associations -------
.
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-nwiz - nwiz.exe
MSConfigStartUp-Corel Photo Downloader - c:\program files\Corel\Corel MediaOne\Corel PhotoDownloader.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-06-20 00:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x834FF78A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
\Driver\atapi -> ntkrnlpa.exe @ 0x8057c2df
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf71bfbb0
PacketIndicateHandler -> NDIS.sys @ 0xf71aea0d
SendHandler -> NDIS.sys @ 0xf71c2b40
copy of MBR has been found in sector 0x012A050FC
malicious code @ sector 0x012A050FF !
PE file found in sector at 0x012A05115 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(7068)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-06-20 01:05:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-20 00:05

Pre-Run: 71,455,305,728 bytes free
Post-Run: 84,733,542,400 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - BDDB3A2FD035670987CC57B1FADD967A


Re: uiuci

Post by demoncurrie on Sun Jun 20, 2010 9:24 am

This seems to have cleared off uiuci. But my PC is still slow. However, I'll look into that separately. Thanks very much.


Re: uiuci

Post by Belahzur on Sun Jun 20, 2010 7:02 pm

Hello.

  • Download [You must be registered and logged in to see this link.] and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R), then copy and paste the following into the text field (make sure you include the quote marks) and press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.


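As an added example (not code from this thread, from Gmer or from Kaspersky), here is a small Python triage script that parses the two log formats that appear in this thread, the mbr.exe report in the ComboFix log above and TDSSKiller's timestamped "time PID message" lines, and correlates the driver objects mbr.exe reports as hooked with the on-disk MD5 TDSSKiller recorded for the same driver, so a helper can compare those hashes against a known-good copy. The sample lines are constructed from values in this thread's logs; the "Hidden service detected" line is a hypothetical placeholder for the message the instructions above refer to.

```python
import re

# Constructed sample in the format of the Gmer mbr.exe report posted in this thread
# (values copied from that post; this is not the tool's own output file).
MBR_SAMPLE = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x834FF78A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\\Driver\\atapi -> ntkrnlpa.exe @ 0x8057c2df
copy of MBR has been found in sector 0x012A050FC
malicious code @ sector 0x012A050FF !
PE file found in sector at 0x012A05115 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

# Constructed sample in TDSSKiller's log format (time, PID, message). The driver lines are
# copied from the thread; the last line is a hypothetical placeholder for the
# "Hidden service detected" message the helper's instructions mention.
TDSS_SAMPLE = """\
21:32:25:968 2884 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
21:32:25:968 2884 OS Version: 5.1.2600 ServicePack: 3.0
21:32:27:859 2884
21:32:28:406 2884 Scanning Drivers ...
21:32:29:890 2884 ACPI (8fd99680a539792a30e97944fdaecf17) C:\\WINDOWS\\system32\\DRIVERS\\ACPI.sys
21:32:30:328 2884 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys
21:32:32:046 2884 Disk (044452051f3e02e7963599fc8f4f3e25) C:\\WINDOWS\\system32\\DRIVERS\\disk.sys
21:32:40:000 2884 Hidden service detected: hypothetical_hidden_svc
"""

HOOK_RE = re.compile(r"^(\\[^ ]+) -> (\S+) @ (0x[0-9A-Fa-f]+)$")        # \Driver\X -> module @ addr
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")             # unresolved module in call chain
SECTOR_RE = re.compile(r"^(copy of MBR has been found|malicious code|PE file found)"
                       r" .*?sector (?:at )?(0x[0-9A-Fa-f]+)")
TDSS_LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d:\d{3}) (\d+)(?: (.*))?$")   # time PID [message]
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")                 # name (md5) path


def parse_mbr_report(text):
    """Pull hooks, unresolved modules, suspicious sectors and the verdict out of an mbr.exe report."""
    report = {"hooks": [], "unknown_modules": [], "sectors": [], "infected": False}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HOOK_RE.match(line)):
            report["hooks"].append({"object": m.group(1), "module": m.group(2), "address": m.group(3)})
        elif (m := UNKNOWN_RE.search(line)):
            report["unknown_modules"].append(m.group(1))
        elif (m := SECTOR_RE.match(line)):
            report["sectors"].append({"kind": m.group(1), "sector": m.group(2)})
        elif line.startswith("MBR rootkit infection detected"):
            report["infected"] = True
    return report


def parse_tdsskiller_log(text):
    """Split TDSSKiller lines into OS version, driver inventory (name, md5, path) and alert messages."""
    log = {"os_version": None, "drivers": [], "alerts": []}
    for raw in text.splitlines():
        m = TDSS_LINE_RE.match(raw.strip())
        if not m:
            continue                      # not a TDSSKiller line (e.g. pasted banner text)
        msg = m.group(3) or ""
        if msg.startswith("OS Version:"):
            log["os_version"] = msg.split(":", 1)[1].strip()
        elif (d := DRIVER_RE.match(msg)):
            log["drivers"].append({"name": d.group(1), "md5": d.group(2), "path": d.group(3)})
        elif "Hidden service detected" in msg:
            log["alerts"].append(msg)
    return log


def hashes_for_hooked_drivers(mbr_report, tdss_log):
    """For each \\Driver\\X object mbr.exe reports as hooked, return the on-disk MD5 TDSSKiller
    logged for driver X, so it can be compared against a known-good hash from a clean system."""
    by_name = {d["name"].lower(): d["md5"] for d in tdss_log["drivers"]}
    result = {}
    for hook in mbr_report["hooks"]:
        name = hook["object"].rsplit("\\", 1)[-1].lower()   # "\Driver\atapi" -> "atapi"
        if name in by_name:
            result[name] = by_name[name]
    return result


def triage(mbr_report, tdss_log):
    """Turn both parsed logs into a flat list of findings a helper would act on."""
    findings = []
    if mbr_report["infected"]:
        findings.append("mbr.exe: MBR rootkit infection detected")
    for s in mbr_report["sectors"]:
        if s["kind"] != "copy of MBR has been found":     # the saved original MBR is expected once infected
            findings.append(f"mbr.exe: {s['kind']} at sector {s['sector']}")
    for addr in mbr_report["unknown_modules"]:
        findings.append(f"mbr.exe: unresolved module in disk I/O chain at {addr}")
    for h in mbr_report["hooks"]:
        findings.append(f"mbr.exe: {h['object']} hooked by {h['module']} @ {h['address']}")
    findings.extend(f"TDSSKiller: {a}" for a in tdss_log["alerts"])
    return findings


if __name__ == "__main__":
    mbr = parse_mbr_report(MBR_SAMPLE)
    tdss = parse_tdsskiller_log(TDSS_SAMPLE)
    print("OS:", tdss["os_version"])
    for finding in triage(mbr, tdss):
        print(" -", finding)
    print("hashes of hooked drivers:", hashes_for_hooked_drivers(mbr, tdss))
```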

TDSSKiller

Post by demoncurrie on Sun Jun 20, 2010 8:36 pm

Here is the result of TDSSKiller:
21:32:25:968 2884 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
21:32:25:968 2884 ================================================================================
21:32:25:968 2884 SystemInfo:

21:32:25:968 2884 OS Version: 5.1.2600 ServicePack: 3.0
21:32:25:968 2884 Product type: Workstation
21:32:25:968 2884 ComputerName: YULES
21:32:25:968 2884 UserName: Yule family
21:32:25:968 2884 Windows directory: C:\WINDOWS
21:32:25:968 2884 Processor architecture: Intel x86
21:32:25:968 2884 Number of processors: 1
21:32:25:968 2884 Page size: 0x1000
21:32:26:000 2884 Boot type: Normal boot
21:32:26:000 2884 ================================================================================
21:32:27:859 2884 Initialize success
21:32:27:859 2884
21:32:27:859 2884 Scanning Services ...
21:32:28:375 2884 Raw services enum returned 366 services
21:32:28:406 2884
21:32:28:406 2884 Scanning Drivers ...
21:32:38:390 2884 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
21:32:38:453 2884 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
21:32:38:640 2884 STHDA (8990440e4b2a7ca5a56a1833b03741fd) C:\WINDOWS\system32\drivers\sthda.sys
21:32:38:765 2884 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
21:32:38:812 2884 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
21:32:38:843 2884 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
21:32:38:968 2884 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
21:32:39:015 2884 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:32:39:078 2884 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
21:32:39:140 2884 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
21:32:39:171 2884 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
21:32:39:234 2884 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
21:32:39:343 2884 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
21:32:39:390 2884 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
21:32:39:437 2884 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:32:39:468 2884 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:32:39:500 2884 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
21:32:39:515 2884 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
21:32:39:562 2884 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
21:32:39:593 2884 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
21:32:39:625 2884 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:32:39:671 2884 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
21:32:39:734 2884 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
21:32:39:796 2884 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
21:32:39:828 2884 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:32:39:875 2884 wanusb (17f885a2af5951a21c968a746358cdfc) C:\WINDOWS\system32\DRIVERS\gwausb.sys
21:32:39:937 2884 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
21:32:39:968 2884 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
21:32:40:000 2884 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
21:32:40:062 2884 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
21:32:40:093 2884 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
21:32:40:093 2884
21:32:40:093 2884 Completed
21:32:40:093 2884
21:32:40:093 2884 Results:
21:32:40:093 2884 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
21:32:40:093 2884 File objects infected / cured / cured on reboot: 0 / 0 / 0
21:32:40:093 2884
21:32:40:093 2884 KLMD(ARK) unloaded successfully

That's it!


Re: uiuci

Post by Belahzur on Sun Jun 20, 2010 9:39 pm

Please download Stealth MBR Rootkit Detector by GMER from [You must be registered and logged in to see this link.], and save to your Desktop.

  • Double-click mbr.exe to start the program.
  • When done scanning, it will save a log on the Desktop called mbr.log.
  • Please post the contents of that log in your next reply.



Re: uiuci

Post by demoncurrie on Mon Jun 21, 2010 9:42 pm

MBR log is:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x012A050FC
malicious code @ sector 0x012A050FF !
PE file found in sector at 0x012A05115 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

end of log.
What is the "malicious" code?
thx


Re: uiuci

Post by Belahzur on Tue Jun 22, 2010 12:16 am

Hello.
Please make sure mbr.exe is on your Desktop.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

cmd

Enter the following into the command prompt, pressing Enter after each line:

Code:
cd desktop

mbr.exe -f

exit

Please post the resulting log.



Re: uiuci

Post by demoncurrie on Tue Jun 22, 2010 10:16 pm

I ran the instructions as stated. But the log is identical to that posted previously. NB I know that a new log has been created since "Properties" shows it to have been modified at the current time. The log is:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A050FC
malicious code @ sector 0x012A050FF !
PE file found in sector at 0x012A05115 !

NB McAfee was in the middle of a scheduled scan. So far it has found and resolved 7 tracking cookies.

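The two mbr.log captures posted above (one from before "mbr.exe -f" was run, one from after) look alike but are not identical, and the difference is exactly what matters for triage. The following script is an added example, not part of the thread and not GMER's code: it parses both captures (copied from the posts, with the tool's URL line shortened), extracts the sector numbers, returns a verdict for each log, and lists the lines that actually changed. The 512-byte sector size and the verdict labels are this example's own assumptions.

```python
"""Triage GMER mbr.exe logs (added example; not part of the thread or of GMER).

The two captures below are copied from the posts above: the first from before
"mbr.exe -f" was run, the second from after. The helpers extract the sector
numbers, decide what each log says about the boot sector, and show which lines
actually changed between the two runs.
"""
import re

SECTOR_BYTES = 512  # assumption: 512-byte sectors, as on an XP-era disk

# Captured output as posted in the thread (the GMER URL line is shortened).
LOG_BEFORE_FIX = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x012A050FC
malicious code @ sector 0x012A050FF !
PE file found in sector at 0x012A05115 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

LOG_AFTER_FIX = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A050FC
malicious code @ sector 0x012A050FF !
PE file found in sector at 0x012A05115 !
"""

SECTOR_RE = re.compile(r"sector(?: at)? (0x[0-9A-Fa-f]+)")


def parse_mbr_log(text):
    """Pull the status lines and sector numbers out of an mbr.log."""
    f = {
        "user_mbr_read": False,
        "kernel_mbr_read": False,
        "user_kernel_mbr_ok": False,   # user-mode and kernel-mode reads agree
        "mbr_copy_sector": None,       # where the original MBR was stashed
        "malicious_code_sector": None,
        "pe_file_sector": None,
        "tool_says_infected": False,
    }
    for line in text.splitlines():
        line = line.strip()
        m = SECTOR_RE.search(line)
        sector = int(m.group(1), 16) if m else None
        if line == "user: MBR read successfully":
            f["user_mbr_read"] = True
        elif line == "kernel: MBR read successfully":
            f["kernel_mbr_read"] = True
        elif line == "user & kernel MBR OK":
            f["user_kernel_mbr_ok"] = True
        elif line.startswith("copy of MBR has been found"):
            f["mbr_copy_sector"] = sector
        elif line.startswith("malicious code @"):
            f["malicious_code_sector"] = sector
        elif line.startswith("PE file found"):
            f["pe_file_sector"] = sector
        elif line.startswith("MBR rootkit infection detected"):
            f["tool_says_infected"] = True
    return f


def assess(f):
    """Turn parsed findings into a triage verdict (labels are this example's own)."""
    residue = f["malicious_code_sector"] is not None or f["pe_file_sector"] is not None
    if f["tool_says_infected"]:
        return "MBR_INFECTED"                  # boot sector still points at the payload
    if f["user_kernel_mbr_ok"] and residue:
        return "MBR_RESTORED_RESIDUE_PRESENT"  # MBR clean, payload bytes still on disk
    if f["user_kernel_mbr_ok"]:
        return "CLEAN"
    return "INCONCLUSIVE"


def byte_offset(sector):
    """Byte offset of a sector on the disk, for a later hex dump or carve."""
    return sector * SECTOR_BYTES


def changed_lines(before, after):
    """Lines present in only one of two logs, to answer 'is it identical?'."""
    b, a = set(before.splitlines()), set(after.splitlines())
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE_FIX), ("after", LOG_AFTER_FIX)):
        f = parse_mbr_log(log)
        print(f"{label}: {assess(f)}; MBR copy at sector {f['mbr_copy_sector']:#x} "
              f"(byte {byte_offset(f['mbr_copy_sector'])})")
    print(changed_lines(LOG_BEFORE_FIX, LOG_AFTER_FIX))
```

Run stand-alone it reports the first log as MBR_INFECTED and the second as MBR_RESTORED_RESIDUE_PRESENT: the fix rewrote the boot sector (hence the new "user & kernel MBR OK" line and the missing "infection detected" line), but the saved MBR copy and the code three sectors past it are still on disk and need separate cleanup, which is why the thread continues.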

Re: uiuci

Post by Belahzur on Tue Jun 22, 2010 11:50 pm

Hello.
Not exactly the same; we've fixed the MBR now.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"=-
    "52344:TCP"=-
    "3029:TCP"=-
    "4558:TCP"=-
    "3389:TCP"=-

    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.



Re: uiuci

Post by demoncurrie on Wed Jun 23, 2010 10:32 pm

Hi again; thx for the ongoing attention.
After copying the notepad file into ComboFix, I was prompted to take a newer version of ComboFix, which I took. I wasn't, however, given any chance to copy over the notepad file. Will it still have been retained and used?
The log though is:
ComboFix 10-06-23.01 - Yule family 23/06/2010 22:57:04.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.446.36 [GMT 1:00]
Running from: c:\documents and settings\Yule family\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Yule family\Desktop\CFscript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-05-23 to 2010-06-23 )))))))))))))))))))))))))))))))
.

2010-06-20 21:31 . 2010-06-21 22:24 -------- d-----w- c:\windows\ttemp
2010-06-15 23:37 . 2010-06-15 23:37 -------- d-----w- c:\windows\system32\XPSViewer
2010-06-15 23:37 . 2010-06-15 23:37 -------- d-----w- c:\program files\MSBuild
2010-06-15 23:36 . 2010-06-15 23:36 -------- d-----w- c:\program files\Reference Assemblies
2010-06-15 23:36 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-06-15 23:35 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-06-15 23:35 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-06-15 23:35 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-06-15 23:35 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-06-15 23:35 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-06-15 23:35 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-06-15 23:35 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-06-15 23:35 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-06-15 23:35 . 2010-06-15 23:36 -------- d-----w- C:\49a5d9991f799650a764
2010-06-13 09:30 . 2010-06-13 09:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Panasonic
2010-06-13 09:30 . 2010-06-13 09:30 -------- d-----w- c:\documents and settings\Yule family\Local Settings\Application Data\Panasonic
2010-06-12 17:55 . 2006-02-20 18:17 33408 ----a-w- c:\windows\system32\drivers\cdrbsdrv.sys
2010-06-12 17:54 . 2007-06-15 11:57 59488 ----a-w- c:\windows\system32\GenSvcInst.exe
2010-06-12 17:54 . 2007-06-15 11:57 145504 ----a-w- c:\windows\system32\bgsvcgen.exe
2010-06-12 17:53 . 2010-06-12 17:53 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-06-12 17:53 . 2010-06-12 17:53 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-06-12 17:21 . 2010-06-12 17:48 -------- d-----w- c:\program files\Panasonic
2010-06-12 11:11 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-06 19:16 . 2010-06-06 19:16 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Trusteer
2010-06-06 18:16 . 2010-06-06 18:16 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NVIDIA Corporation
2010-06-06 18:16 . 2010-06-06 18:17 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-30 15:16 . 2010-04-27 16:16 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-05-30 15:15 . 2010-04-27 16:16 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-05-30 15:15 . 2010-04-27 16:16 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-05-30 15:15 . 2010-04-27 16:16 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-05-30 15:15 . 2010-04-27 16:16 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-05-30 15:15 . 2010-04-27 16:16 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-05-26 23:59 . 2010-05-26 23:59 -------- d-sh--w- c:\documents and settings\test\PrivacIE
2010-05-26 23:58 . 2010-05-26 23:58 80704 ----a-w- c:\documents and settings\test\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-26 23:58 . 2010-05-26 23:58 -------- d-----w- c:\documents and settings\test\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-23 21:54 . 2010-01-20 22:38 -------- d-----w- c:\program files\McAfee
2010-06-19 14:29 . 2010-02-21 11:24 -------- d-----w- c:\documents and settings\Yule family\Application Data\Image Zone Express
2010-06-19 10:48 . 2007-04-05 13:51 -------- d-----w- c:\program files\Quicken
2010-06-16 06:33 . 2010-01-16 19:05 81496 ----a-w- c:\documents and settings\Yule family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 01:58 . 2010-02-12 08:16 -------- d-----w- c:\documents and settings\Yule family\Application Data\Skype
2010-06-13 23:08 . 2010-02-12 08:19 -------- d-----w- c:\documents and settings\Yule family\Application Data\skypePM
2010-06-12 17:53 . 2007-04-05 13:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-07 17:07 . 2010-06-07 17:07 434176 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
2010-06-06 15:23 . 2010-02-18 10:57 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-06 12:29 . 2010-01-29 22:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-30 15:21 . 2010-01-20 22:26 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee
2010-05-30 15:17 . 2010-01-20 22:38 -------- d-----w- c:\program files\Common Files\McAfee
2010-05-19 22:25 . 2010-05-15 09:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-19 22:01 . 2008-09-27 10:09 -------- d-----w- c:\program files\QuickTime
2010-05-18 22:14 . 2010-01-16 19:02 -------- d-----w- c:\documents and settings\Yule family\Application Data\HP
2010-05-17 21:00 . 2010-01-16 17:25 -------- d-----w- c:\program files\Modem Diagnostic Tool
2010-05-16 20:43 . 2010-05-16 20:43 4224 ----a-w- c:\windows\system32\drivers\RDPCDD.SYS
2010-05-15 09:09 . 2010-05-15 09:09 -------- d-----w- c:\documents and settings\Yule family\Application Data\Malwarebytes
2010-05-15 09:09 . 2010-05-15 09:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-05-06 10:41 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-04 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 16:16 . 2010-04-14 11:50 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 16:16 . 2010-01-20 22:39 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-27 16:16 . 2010-01-20 22:39 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-27 16:16 . 2009-11-04 16:54 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-20 22:06 . 2010-04-20 22:06 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-20 05:30 . 2004-08-04 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-03 21:55 . 2010-04-03 21:55 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-04-03 21:55 . 2010-04-03 21:55 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-03 21:55 . 2010-04-03 21:55 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-03 21:55 . 2010-04-03 21:55 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-03 21:55 . 2010-04-03 21:55 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-03 21:55 . 2010-04-03 21:55 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-04-03 21:55 . 2010-04-03 21:55 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-03 21:55 . 2010-04-03 21:55 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-04-03 21:55 . 2010-04-03 21:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-04-03 21:55 . 2010-04-03 21:55 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-04-03 21:55 . 2010-01-20 22:26 10232128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-04-03 21:55 . 2008-04-14 00:12 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-04-03 18:23 . 2010-04-03 18:23 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-03 18:23 . 2010-04-03 18:23 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-03 18:23 . 2010-04-03 18:23 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-03 18:23 . 2010-04-03 18:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 18:23 . 2010-04-03 18:23 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 18:22 . 2010-04-03 18:22 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-04-01 22:19 . 2010-04-01 22:19 503808 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7323ad55-n\msvcp71.dll
2010-04-01 22:19 . 2010-04-01 22:19 499712 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7323ad55-n\jmc.dll
2010-04-01 22:19 . 2010-04-01 22:19 348160 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7323ad55-n\msvcr71.dll
2010-04-01 22:19 . 2010-04-01 22:19 61440 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1f5ffcee-n\decora-sse.dll
2010-04-01 22:19 . 2010-04-01 22:19 12800 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1f5ffcee-n\decora-d3d.dll
2010-02-18 13:25 . 2010-02-18 13:25 8 --sh--r- c:\windows\system32\57E1DD82AC.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2007-01-25 1658965]
"DSLAGENTEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe" [2007-01-25 16384]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-01 1180976]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-01-17 98304]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2007-4-7 57344]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^PHOTOfunSTUDIO 4.0 HD Edition.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\PHOTOfunSTUDIO 4.0 HD Edition.lnk
backup=c:\windows\pss\PHOTOfunSTUDIO 4.0 HD Edition.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor]
2007-12-01 17:38 38400 ----a-r- c:\program files\Corel\Corel MediaOne\CorelIOMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP4 Player]
2008-11-06 17:23 772096 ----a-w- c:\program files\MP4 Player\Mp4Player.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-01-17 23:12 98304 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1725:TCP"= 1725:TCP:Services
"1950:TCP"= 1950:TCP:Services

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [30/05/2010 16:15 82952]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [07/06/2010 18:07 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [07/06/2010 18:07 166632]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [20/01/2010 23:42 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [30/05/2010 16:15 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [30/05/2010 16:15 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [30/05/2010 16:16 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [30/05/2010 16:15 141792]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [07/06/2010 18:07 840936]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [30/05/2010 16:15 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [30/05/2010 16:15 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [30/05/2010 16:15 88480]
S1 MpKsl56ce2b3f;MpKsl56ce2b3f;\??\c:\windows\system32\MpEngineStore\MpKsl56ce2b3f.sys --> c:\windows\system32\MpEngineStore\MpKsl56ce2b3f.sys [?]
S1 MpKsl8b16be60;MpKsl8b16be60;\??\c:\windows\system32\MpEngineStore\MpKsl8b16be60.sys --> c:\windows\system32\MpEngineStore\MpKsl8b16be60.sys [?]
S1 MpKslfb1eeb2a;MpKslfb1eeb2a;\??\c:\windows\system32\MpEngineStore\MpKslfb1eeb2a.sys --> c:\windows\system32\MpEngineStore\MpKslfb1eeb2a.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/09/2009 18:28 133104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [30/05/2010 16:15 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [30/05/2010 16:15 83496]
S3 se46bus;Sony Ericsson Device 070 driver (WDM);c:\windows\system32\drivers\se46bus.sys [22/02/2010 12:55 61536]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 17:28]

2010-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 17:28]

2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-20 12:22]

2010-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-20 12:22]

2010-06-23 c:\windows\Tasks\User_Feed_Synchronization-{DF8E2BEC-7A9C-4D85-9DC0-FDC10DEDCB66}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-06-23 23:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3372)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-06-23 23:21:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-23 22:21

Pre-Run: 84,609,482,752 bytes free
Post-Run: 84,652,077,056 bytes free

- - End Of File - - 830DBB33754DC4AC9B7B6AE6BDFE7DE4

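The "Reg Loading Points" section of the ComboFix log above is where a responder checks whether the machine's own defences have been switched off: the Security Center monitoring keys, the firewall's standard profile, and the globally open port list that the CFScript earlier in the thread pruned. The script below is an added example, not ComboFix's code and not part of the thread. It parses the REGEDIT4-style dump ComboFix prints and flags those settings. The sample input is constructed: its keys are copied from the log above, and the two last port entries (3389 and 65533) are taken from the CFScript that deleted them, re-added here to show what the audit would flag. The expected-port allowlist and the severity thresholds are this example's own choices.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix log (added example).

This is not ComboFix code. It parses the REGEDIT4-style dump that ComboFix
prints and flags settings a responder would want to look at: Security Center
monitoring switched off, the Windows Firewall standard profile disabled, and
ports that are globally open but not on an expected list.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
PORT_RE = re.compile(r"^(\d{1,5}):(TCP|UDP)$", re.IGNORECASE)

# Constructed sample: keys copied from the ComboFix log in the thread; the
# 3389 and 65533 entries come from the CFScript that deleted them and are
# re-added here so the audit has something to flag.
SAMPLE_DUMP = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1725:TCP"= 1725:TCP:Services
"1950:TCP"= 1950:TCP:Services
"3389:TCP"= 3389:TCP:Services
"65533:TCP"= 65533:TCP:Services
"""


def parse_regedit_dump(text):
    """Return {key: {value_name: raw_value}} from a REGEDIT4-style dump."""
    keys = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return dict(keys)


def is_nonzero(raw):
    """Accept 'dword:00000001' as well as ComboFix's ' 0 (0x0)' rendering."""
    raw = raw.strip().lower()
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16) != 0
    m = re.match(r"(\d+)", raw)
    return m is not None and int(m.group(1)) != 0


def audit_loading_points(dump, expected_open_ports=frozenset()):
    """Return (severity, message) findings for weakened-defence settings."""
    findings = []
    for key, values in dump.items():
        k = key.lower()
        if "\\security center\\monitoring\\" in k:
            if is_nonzero(values.get("DisableMonitoring", "0")):
                product = key.rsplit("\\", 1)[-1]
                # Third-party AV suites set this for themselves, so it is only
                # informational: confirm the product is actually running.
                findings.append(("info", f"Security Center monitoring suppressed for {product}"))
        elif k.endswith("\\firewallpolicy\\standardprofile"):
            if "EnableFirewall" in values and not is_nonzero(values["EnableFirewall"]):
                findings.append(("high", "Windows Firewall is disabled for the standard profile"))
        elif k.endswith("\\globallyopenports\\list"):
            for name in values:
                m = PORT_RE.match(name)
                if not m:
                    continue
                port, proto = int(m.group(1)), m.group(2).upper()
                if port in expected_open_ports:
                    continue
                # 3389 is RDP; ports >= 49152 are the dynamic range, an odd place
                # for a published service. Any other unexpected port is medium.
                sev = "high" if port == 3389 or port >= 49152 else "medium"
                findings.append((sev, f"Globally open port {port}/{proto} not in the expected set"))
    return findings


def severity_counts(findings):
    """Tally findings by severity so a run can be summarised in one line."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for sev, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    dump = parse_regedit_dump(SAMPLE_DUMP)
    for sev, msg in audit_loading_points(dump, expected_open_ports={1725, 1950}):
        print(f"[{sev:6}] {msg}")
```

With the two HP/service ports on the allowlist, the sample yields two informational findings (McAfee registers itself with Security Center, which is normal for a third-party suite), one high finding for the disabled firewall profile, and two high findings for the RDP and dynamic-range ports, matching the entries the thread's CFScript removed.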

Re: uiuci

Post by Belahzur on Wed Jun 23, 2010 11:48 pm

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.



Re: uiuci

Post by demoncurrie on Thu Jun 24, 2010 7:12 pm

Two things:
First, when I selected the threats, I ticked the two requested. But I also made sure that the other options were unticked. Was this right?
Second, here is the log:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=79a5b4059a3f1a4197661145fb80a500
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2010-06-24 07:08:12
# local_time=2010-06-24 08:08:12 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16776549 100 75 2170640 9196311 0 0
# compatibility_mode=8192 67108863 100 0 406 406 0 0
# scanned=113509
# found=0
# cleaned=0
# scan_time=2824

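The log above is the header block of an ESET Online Scanner report. As an added example (not from the thread and not ESET's own code), here is a small parser that pulls out the `# key=value` fields and summarises whether the scan finished, what it found and cleaned, and which coverage options were left unticked; the sample log is constructed to mirror the one posted.

```python
# Constructed sample modelled on the ESET log posted above (header fields only).
SAMPLE_LOG = """ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# scanned=113509
# found=0
# cleaned=0
# scan_time=2824
"""

# Options that widen coverage; 'false' here is a blind spot, not an infection.
COVERAGE_OPTIONS = ("archives_checked", "unsafe_checked", "antistealth_checked")


def parse_eset_log(text):
    """Return the '# key=value' header fields as a dict of strings.
    Lines without the '# ' prefix (installer chatter) are ignored."""
    fields = {}
    for line in text.splitlines():
        if not line.startswith("# ") or "=" not in line:
            continue
        key, _, value = line[2:].partition("=")
        fields[key.strip()] = value.strip()
    return fields


def summarize(fields):
    """Facts a helper checks before deciding the scan was clean and complete."""
    return {
        "finished": fields.get("end") == "finished",
        "found": int(fields.get("found", "0")),
        "cleaned": int(fields.get("cleaned", "0")),
        "removal_enabled": fields.get("remove_checked") == "true",
        "unwanted_apps_enabled": fields.get("unwanted_checked") == "true",
        "disabled_coverage": [k for k in COVERAGE_OPTIONS if fields.get(k) != "true"],
    }


if __name__ == "__main__":
    print(summarize(parse_eset_log(SAMPLE_LOG)))
```

A `found=0` with three coverage options disabled is a clean result for what was scanned, not proof that archives or rootkit-style hiding were checked.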

Re: uiuci

Post by Belahzur on Thu Jun 24, 2010 9:15 pm

Hello.

How is the machine running now?



uiuci

Post by demoncurrie on Thu Jun 24, 2010 11:23 pm

I will run the PC over a couple of days, and then answer your question.
One theory: I have 471k of "physical" memory, with 76k free. Is this enough, or will it be slowing performance down?

demoncurrie
Intermediate
Intermediate

Posts Posts : 123
Joined Joined : 2010-05-14
OS OS : Windows XP Home
Points Points : 25787
# Likes # Likes : 0

View user profile

Back to top Go down

Re: uiuci

Post by Belahzur on Fri Jun 25, 2010 7:44 pm

Not enough; that means you have just under 500mb of RAM, when really, for today's software, you should be using at least 1gb if not 2gb.



Re: uiuci

Post by demoncurrie on Sat Jun 26, 2010 9:43 am

Thanks for that advice. And thanks very much for the ongoing help. The PC seems to be acceptable. I have had a couple of programme hangs, but I can't be precise. So I am happy to close this problem.

Your assistance has been a great help and I'll certainly be passing on your service.

Do I have to do anything to mark this as closed?


Re: uiuci

Post by Belahzur on Sat Jun 26, 2010 5:13 pm

No, only mods can do that.

