System Recovery Virus

View previous topic View next topic Go down

System Recovery Virus

Post by carols on Mon Sep 05, 2011 11:40 pm

Hi,

I have followed instructions. Files were too long so OTL.txt is attached.

I am currently logged in in "safe mode with networking"

Regards,
Carol

Extras.txt
OTL Extras logfile created on: 06/09/2011 00:08:37 - Run 1
OTL by OldTimer - Version 3.2.27.0 Folder = C:\Documents and Settings\All Users\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1013.82 Mb Total Physical Memory | 295.22 Mb Available Physical Memory | 29.12% Memory free
2.38 Gb Paging File | 1.85 Gb Available in Paging File | 77.43% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 107.09 Gb Total Space | 28.49 Gb Free Space | 26.61% Space Free | Partition Type: NTFS
Drive D: | 37.23 Gb Total Space | 21.66 Gb Free Space | 58.19% Space Free | Partition Type: NTFS
Drive H: | 298.09 Gb Total Space | 79.90 Gb Free Space | 26.80% Space Free | Partition Type: NTFS

Computer Name: HOME | User Name: Carol | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10421:UDP" = 10421:UDP:*:Enabled:SingleClick Discovery Protocol
"10426:UDP" = 10426:UDP:*:Enabled:SingleClick ICC

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\games\RedFaction\rf.exe" = C:\games\RedFaction\rf.exe:*:Disabled:Red Faction
"C:\tibco\rv\bin\rvd.exe" = C:\tibco\rv\bin\rvd.exe:*:Disabled:TIB/Rendezvous Daemon
"C:\Program Files\AOL 9.0\waol.exe" = C:\Program Files\AOL 9.0\waol.exe:*:Enabled:AOL 9.0 -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL Connectivity Service Dialler -- (AOL LLC)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL Connectivity Services -- (AOL LLC)
"C:\Program Files\Common Files\AOL\1170957951\ee\aolsoftware.exe" = C:\Program Files\Common Files\AOL\1170957951\ee\aolsoftware.exe:*:Enabled:AOL Shared Components -- (America Online, Inc.)
"C:\Program Files\Kontiki\KService.exe" = C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service -- (Kontiki Inc.)
"C:\Program Files\Dell Network Assistant\ezi_hnm2.exe" = C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:*:Enabled:Dell Network Assistant -- (SingleClick Systems)
"C:\WINDOWS\system32\[You must be registered and logged in to see this link.] = C:\WINDOWS\system32\[You must be registered and logged in to see this link.] Transfer Program -- (Microsoft Corporation)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent
"C:\Program Files\Spotify\spotify.exe" = C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify Ltd)
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0240BDFB-2995-4A3F-8C96-18D41282B716}" = Dell Network Assistant
"{07035AB3-5C70-3315-35A9-CFFECA140880}" = BBC iPlayer Desktop
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{089DD780-DB3F-4CDB-A0C2-111360247298}" = PC Connectivity Solution
"{0A0873E1-D9BA-4994-B85D-A0A331EF1F0C}" = Intel(R) PRO Network Connections
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{1373559F-6DC6-44EA-9079-6ABDCCE8CDAD}" = OviMPlatform
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1B9B5B3B-28E7-4E59-A80D-D670AA984514}" = Nokia Connectivity Cable Driver
"{1BD07DF4-FB06-41BA-B896-B2DA59000C96}" = Windows Live Toolbar
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE
"{225DB4AA-3CFF-47E8-B3C8-6DAD713E986E}" = Nokia PC Suite
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{2D10FC46-1D96-44C4-8855-85F21B9B011E}" = Ovi Desktop Sync Engine
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant
"{41979C2F-34B8-4F92-8111-B13C5864682D}" = MediaFACE 4.01
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{49FA793C-785E-47E9-93DF-BD442B0B45D1}" = McAfee Virtual Technician
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{6A3F9D74-BB80-4451-8CA1-4B3A857F1359}" = Apple Application Support
"{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{70B31335-50EE-4834-8431-27412CDE62BD}" = Nokia_Multimedia_Common_Components_2_5
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7745B7A9-F323-4BB9-9811-01BF57A028DA}" = Map Button (Windows Live Toolbar)
"{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites for Windows Live Toolbar
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7B01FD07-1790-4EE9-B5E0-149527D70C7D}" = Nokia Ovi Suite
"{82AF77BC-423D-42DA-BE5B-FFCA04752181}" = MediaFACE 4.01 Image Library
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8B7443F5-E141-42A0-AB61-ED2331AAD606}" = 4oD
"{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel(R) Matrix Storage Manager
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A0D65C73-F2C5-432F-8788-90F8A2E99B98}" = Nokia Ovi Suite Software Updater
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}" = Highlight Viewer (Windows Live Toolbar)
"{A67BB21E-D419-45BB-AB86-7D87D14BBCE2}" = Safari
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.5
"{AEDDF5A3-29CE-11D5-A8C2-000102246AAE}" = ubi.com
"{AF111648-99A1-453E-81DD-80DBBF6DAD0D}" = MSVC90_x86
"{B10914FD-8812-47A4-85A1-50FCDE7F1F33}" = Windows Live Sync
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B3FED300-806C-11E0-A0D0-B8AC6F97B88E}" = Google Earth
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
"{C73CA646-73B3-4AEF-A136-C37505745174}" = iTunes
"{C9E14402-3631-4182-B377-6B0DFB1C0339}" = QuickTime
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEE2252C-4035-4B27-8EC6-0B085DD3A413}" = Dell Support 3.2.1
"{D03482C5-9AD8-496D-B388-692AE04C93AF}" = Bonjour
"{D1696920-9794-4BBC-8A30-7A88763DE5A2}" = ABBYY FineReader 5.0 Sprint
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{D92FF8EB-BD77-40AE-B68B-A6BFC6F8661D}" = Windows Live Family Safety
"{E1C7EF5E-3A7B-4ED4-A48B-F70F1B36EAB4}" = Corel Paint Shop Pro Photo XI
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{EBD5129F-9656-4E28-890A-4D1D40906AC5}" = VideoWave 7 Professional
"{EE39FFBD-544E-49E4-A999-6819828EAE91}" = Windows Live Photo Gallery
"{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar)
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F45298E5-0083-426F-A668-1A2C5F04B8A0}" = FaxTools
"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
"0C5EDC3653FED5B121F464339EAC12534D253B25" = Windows Driver Package - Nokia Modem (02/15/2007 3.1)
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"34EA302E7F4CBD17A19E33BBCB72363234956D7E" = Windows Driver Package - Nokia Modem (06/09/2010 4.5)
"4oD" = 4oD
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Advanced Video FX Utility" = Advanced Video FX Utility
"America Online uk" = AOL UK (Choose which version to remove)
"AOL Pictures" = AOL Pictures Tools (version 10.6.0.4)
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"AOL YGP Screensaver" = AOL You've Got Pictures Screensaver
"AOLCoach uk" = AOL Coach Version 1.0(Build:20040229.1 uk)
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"B726756F5B5A5AA9D798B399386FC6205A45F19E" = Windows Driver Package - Nokia Modem (02/15/2007 3.1)
"BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1" = BBC iPlayer Desktop
"Board Games" = Board Games
"Card Games" = Card Games
"CD8424B9400BFF7D34AA18F816C71322AC4BDAA7" = Windows Driver Package - Nokia Modem (05/24/2007 6.84.0.1)
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Coupon Printer2.0" = Coupon Printer
"Creative Photo Manager" = Creative Photo Manager
"Creative WebCam Instant User's Guide English" = Creative WebCam Instant User's Guide (English)
"EEEE705096F837B7907659F100C9FE6DA001970F" = Windows Driver Package - Nokia Modem (06/09/2010 7.01.0.7)
"EmeraldQFE2" = Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
"ESPNMotion" = ESPNMotion
"ExpressBurn" = Express Burn Disc Burning Software
"ExpressRip" = Express Rip
"Get Yahoo! Messenger" = Get Yahoo! Messenger
"Google Chrome" = Google Chrome
"Google Updater" = Google Updater
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{41979C2F-34B8-4F92-8111-B13C5864682D}" = MediaFACE 4.01
"InstallShield_{82AF77BC-423D-42DA-BE5B-FFCA04752181}" = MediaFACE 4.01 Image Library
"king.com" = king.com (remove only)
"Kogi" = Kogi
"Lexmark 3100 Series" = Lexmark 3100 Series
"LiveUpdate" = LiveUpdate 2.6 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MixPad" = MixPad Audio Mixer
"Mozilla Firefox 6.0 (x86 en-GB)" = Mozilla Firefox 6.0 (x86 en-GB)
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Nokia Ovi Suite" = Nokia Ovi Suite
"Nokia PC Suite" = Nokia PC Suite
"Puzzler" = Puzzler
"Rapport_msi" = Rapport
"RealPlayer 6.0" = RealPlayer
"SearchAssist" = SearchAssist
"Spotify" = Spotify
"StreetPlugin" = Learn2 Player (Uninstall Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"WavePad" = WavePad Sound Editor
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01005" = Microsoft User-Mode Driver Framework Feature Pack 1.5

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"f031ef6ac137efc5" = Dell Driver Download Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 05/09/2011 16:49:57 | Computer Name = HOME | Source = OviSuite | ID = 1
Description =

Error - 05/09/2011 16:50:00 | Computer Name = HOME | Source = OviSuite | ID = 1
Description =

Error - 05/09/2011 16:50:03 | Computer Name = HOME | Source = OviSuite | ID = 1
Description =

Error - 05/09/2011 16:50:06 | Computer Name = HOME | Source = OviSuite | ID = 1
Description =

Error - 05/09/2011 16:50:06 | Computer Name = HOME | Source = OviSuite | ID = 1
Description =

Error - 05/09/2011 16:50:06 | Computer Name = HOME | Source = OviSuite | ID = 1
Description =

Error - 05/09/2011 17:06:23 | Computer Name = HOME | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 05/09/2011 17:55:55 | Computer Name = HOME | Source = Application Hang | ID = 1002
Description = Hanging application P1kAlMiG2Kb7Fz.exe, version 4.1.3.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 05/09/2011 17:55:55 | Computer Name = HOME | Source = Application Hang | ID = 1002
Description = Hanging application P1kAlMiG2Kb7Fz.exe, version 4.1.3.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 05/09/2011 17:55:57 | Computer Name = HOME | Source = Application Hang | ID = 1002
Description = Hanging application P1kAlMiG2Kb7Fz.exe, version 4.1.3.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 05/09/2011 18:03:22 | Computer Name = HOME | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNaiAnn with
arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

Error - 05/09/2011 18:03:22 | Computer Name = HOME | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNaiAnn with
arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

Error - 05/09/2011 18:03:22 | Computer Name = HOME | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNaiAnn with
arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

Error - 05/09/2011 18:03:22 | Computer Name = HOME | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNaiAnn with
arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

Error - 05/09/2011 18:03:22 | Computer Name = HOME | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNaiAnn with
arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

Error - 05/09/2011 18:03:22 | Computer Name = HOME | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNaiAnn with
arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

Error - 05/09/2011 18:43:01 | Computer Name = HOME | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 05/09/2011 18:47:44 | Computer Name = HOME | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 05/09/2011 18:52:00 | Computer Name = HOME | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 05/09/2011 19:08:02 | Computer Name = HOME | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}


< End of report >

aswMBR.txt
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-06 00:29:23
-----------------------------
00:29:23.578 OS Version: Windows 5.1.2600 Service Pack 3
00:29:23.578 Number of processors: 2 586 0xF06
00:29:23.578 ComputerName: HOME UserName:
00:29:26.390 Initialize success
00:31:37.609 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
00:31:37.625 Disk 0 Vendor: ST316081 3.AD Size: 152587MB BusType: 3
00:31:37.656 Disk 0 MBR read successfully
00:31:37.656 Disk 0 MBR scan
00:31:37.671 Disk 0 TDL4@MBR code has been found
00:31:37.687 Disk 0 MBR hidden
00:31:37.703 Disk 0 MBR [TDL4] **ROOTKIT**
00:31:37.703 Disk 0 trace - called modules:
00:31:37.734 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86a3af16]<<
00:31:37.734 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8735b468]
00:31:37.750 3 CLASSPNP.SYS[f775ffd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x87377030]
00:31:37.765 \Driver\iaStor[0x87344798] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x86a3af16
00:31:37.781 Scan finished successfully
00:31:59.562 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Carol\Desktop\MBR.dat"
00:31:59.578 The log file has been saved successfully to "C:\Documents and Settings\Carol\Desktop\aswMBR.txt"

carols
Novice
Novice

Status :
Online
Offline

Posts Posts : 16
Joined Joined : 2011-09-05
OS : Windows XP

View user profile

Back to top Go down

Re: System Recovery Virus

Post by carols on Tue Sep 06, 2011 5:53 pm

Hi,
I tried to log in normally without success, so still in safe mode.

I also ran spybot seach and destroy, then ran the fix although it's made little difference.

Regards,
Carol

carols
Novice
Novice

Status :
Online
Offline

Posts Posts : 16
Joined Joined : 2011-09-05
OS : Windows XP

View user profile

Back to top Go down

Re: System Recovery Virus

Post by Belahzur on Wed Sep 07, 2011 11:32 pm

Hello.

Please download TDSSKiller from [You must be registered and logged in to see this link.] and save it to your Desktop.

  • Doubleclick TDSSKiller.exe to run the tool
  • Click the Start Scan button
  • After the scan has finished, click the Close button
  • Click the Report button and copy/paste the contents of it into your next reply
Note:It will also create a log in the C:\ directory.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: System Recovery Virus

Post by carols on Thu Sep 08, 2011 5:57 pm

Hi,

Thank you. Here is the report:
2011/09/08 18:55:20.0703 2620 TDSS rootkit removing tool 2.5.20.0 Sep 7 2011 16:44:34
2011/09/08 18:55:21.0296 2620 ================================================================================
2011/09/08 18:55:21.0296 2620 SystemInfo:
2011/09/08 18:55:21.0296 2620
2011/09/08 18:55:21.0296 2620 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/08 18:55:21.0296 2620 Product type: Workstation
2011/09/08 18:55:21.0296 2620 ComputerName: HOME
2011/09/08 18:55:21.0296 2620 UserName: Carol
2011/09/08 18:55:21.0296 2620 Windows directory: C:\WINDOWS
2011/09/08 18:55:21.0296 2620 System windows directory: C:\WINDOWS
2011/09/08 18:55:21.0296 2620 Processor architecture: Intel x86
2011/09/08 18:55:21.0296 2620 Number of processors: 2
2011/09/08 18:55:21.0296 2620 Page size: 0x1000
2011/09/08 18:55:21.0296 2620 Boot type: Safe boot with network
2011/09/08 18:55:21.0296 2620 ================================================================================
2011/09/08 18:55:22.0515 2620 Initialize success
2011/09/08 18:55:29.0750 2844 ================================================================================
2011/09/08 18:55:29.0750 2844 Scan started
2011/09/08 18:55:29.0750 2844 Mode: Manual;
2011/09/08 18:55:29.0750 2844 ================================================================================
2011/09/08 18:55:31.0281 2844 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/09/08 18:55:31.0484 2844 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/08 18:55:31.0953 2844 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/09/08 18:55:32.0203 2844 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/09/08 18:55:32.0359 2844 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/09/08 18:55:32.0453 2844 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/09/08 18:55:32.0500 2844 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/09/08 18:55:32.0546 2844 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/09/08 18:55:32.0640 2844 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/09/08 18:55:32.0687 2844 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/09/08 18:55:32.0781 2844 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/09/08 18:55:32.0875 2844 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/09/08 18:55:32.0953 2844 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/09/08 18:55:33.0015 2844 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/09/08 18:55:33.0093 2844 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/09/08 18:55:33.0187 2844 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/09/08 18:55:33.0234 2844 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/09/08 18:55:33.0281 2844 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/09/08 18:55:33.0343 2844 Aspi32 (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\system32\drivers\aspi32.sys
2011/09/08 18:55:33.0390 2844 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/08 18:55:33.0453 2844 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/08 18:55:33.0515 2844 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/08 18:55:33.0562 2844 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/08 18:55:33.0593 2844 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/08 18:55:33.0656 2844 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/09/08 18:55:33.0687 2844 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/08 18:55:33.0734 2844 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/09/08 18:55:33.0765 2844 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/09/08 18:55:33.0796 2844 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/08 18:55:33.0843 2844 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/08 18:55:33.0890 2844 Cdr4_xp (02412fa244e623652898fba5961b33e9) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
2011/09/08 18:55:33.0921 2844 Cdralw2k (d6c804a16fbe0992360a93eef2c4e1e0) C:\WINDOWS\system32\drivers\Cdralw2k.sys
2011/09/08 18:55:33.0953 2844 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/08 18:55:34.0015 2844 cfwids (ecaf4a51580244fef1aa32cb984f13bf) C:\WINDOWS\system32\drivers\cfwids.sys
2011/09/08 18:55:34.0171 2844 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/09/08 18:55:34.0250 2844 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/09/08 18:55:34.0328 2844 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/09/08 18:55:34.0375 2844 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/09/08 18:55:34.0468 2844 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/08 18:55:34.0546 2844 DLABOIOM (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
2011/09/08 18:55:34.0578 2844 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2011/09/08 18:55:34.0609 2844 DLADResN (83545593e297f50a8e2524b4c071a153) C:\WINDOWS\system32\DLA\DLADResN.SYS
2011/09/08 18:55:34.0625 2844 DLAIFS_M (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
2011/09/08 18:55:34.0671 2844 DLAOPIOM (0a60a39cc5e767980a31ca5d7238dfa9) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
2011/09/08 18:55:34.0718 2844 DLAPoolM (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
2011/09/08 18:55:34.0765 2844 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
2011/09/08 18:55:34.0812 2844 DLAUDFAM (f08e1dafac457893399e03430a6a1397) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
2011/09/08 18:55:34.0828 2844 DLAUDF_M (e7d105ed1e694449d444a9933df8e060) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
2011/09/08 18:55:34.0937 2844 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/08 18:55:35.0031 2844 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/08 18:55:35.0078 2844 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/08 18:55:35.0109 2844 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/08 18:55:35.0234 2844 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/09/08 18:55:35.0312 2844 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/08 18:55:35.0437 2844 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2011/09/08 18:55:35.0484 2844 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2011/09/08 18:55:35.0593 2844 DSproct (2ac2372ffad9adc85672cc8e8ae14be9) C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys
2011/09/08 18:55:35.0703 2844 DVDVRRdr_xp (b930b8d83996fadecc3b24f4f91207fe) C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
2011/09/08 18:55:35.0765 2844 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/09/08 18:55:35.0812 2844 e1express (00192f0c612591d585594e9467e6ca8b) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2011/09/08 18:55:36.0046 2844 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/08 18:55:36.0140 2844 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/09/08 18:55:36.0203 2844 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/08 18:55:36.0250 2844 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/09/08 18:55:36.0312 2844 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/09/08 18:55:36.0390 2844 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
2011/09/08 18:55:36.0437 2844 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/08 18:55:36.0484 2844 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/08 18:55:36.0578 2844 GearAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/09/08 18:55:36.0656 2844 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/08 18:55:36.0734 2844 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/09/08 18:55:36.0812 2844 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/08 18:55:36.0859 2844 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/09/08 18:55:36.0921 2844 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/08 18:55:36.0968 2844 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/09/08 18:55:36.0984 2844 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/09/08 18:55:37.0046 2844 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/08 18:55:37.0125 2844 ialm (0674ce8ae167d830b871a99c677c5c59) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/09/08 18:55:37.0203 2844 iaStor (019cf5f31c67030841233c545a0e217a) C:\WINDOWS\system32\drivers\iaStor.sys
2011/09/08 18:55:37.0250 2844 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/08 18:55:37.0312 2844 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/09/08 18:55:37.0359 2844 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/09/08 18:55:37.0406 2844 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/09/08 18:55:37.0468 2844 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/09/08 18:55:37.0546 2844 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/08 18:55:37.0625 2844 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/08 18:55:37.0656 2844 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/08 18:55:37.0718 2844 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/08 18:55:37.0750 2844 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/08 18:55:37.0796 2844 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/08 18:55:37.0843 2844 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/08 18:55:37.0875 2844 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/09/08 18:55:37.0921 2844 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/08 18:55:37.0968 2844 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/08 18:55:38.0140 2844 MBAMProtector (eca00eed9ab95489007b0ef84c7149de) C:\WINDOWS\system32\drivers\mbam.sys
2011/09/08 18:55:38.0328 2844 mfeapfk (688b626fca708ee9eb161cad1f7363a9) C:\WINDOWS\system32\drivers\mfeapfk.sys
2011/09/08 18:55:38.0359 2844 mfeavfk (693a8d924b640223974e0a88f2baf0f4) C:\WINDOWS\system32\drivers\mfeavfk.sys
2011/09/08 18:55:38.0390 2844 mfebopk (52c40d19873528bd15823c969d3ad227) C:\WINDOWS\system32\drivers\mfebopk.sys
2011/09/08 18:55:38.0453 2844 mfefirek (e37b98d49df546f4059483d49e349a53) C:\WINDOWS\system32\drivers\mfefirek.sys
2011/09/08 18:55:38.0562 2844 mfehidk (44184f32392fa2e94d08d056ce750d56) C:\WINDOWS\system32\drivers\mfehidk.sys
2011/09/08 18:55:38.0640 2844 mfendisk (8c434d77c7a8cd97f8f4c2b0be19d541) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
2011/09/08 18:55:38.0671 2844 mfendiskmp (8c434d77c7a8cd97f8f4c2b0be19d541) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
2011/09/08 18:55:38.0750 2844 mferkdet (5f5313bfd1e73233885a26ab77488f6f) C:\WINDOWS\system32\drivers\mferkdet.sys
2011/09/08 18:55:38.0781 2844 mfetdi2k (8d1a44e1f46bcf4acfe9c701edd340e3) C:\WINDOWS\system32\drivers\mfetdi2k.sys
2011/09/08 18:55:38.0843 2844 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2011/09/08 18:55:38.0875 2844 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/08 18:55:38.0953 2844 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/08 18:55:39.0000 2844 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/08 18:55:39.0046 2844 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/09/08 18:55:39.0093 2844 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/08 18:55:39.0140 2844 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/09/08 18:55:39.0156 2844 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/08 18:55:39.0234 2844 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/08 18:55:39.0296 2844 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/08 18:55:39.0359 2844 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/08 18:55:39.0437 2844 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/08 18:55:39.0531 2844 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/08 18:55:39.0593 2844 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/08 18:55:39.0656 2844 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/09/08 18:55:39.0718 2844 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/08 18:55:39.0765 2844 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/09/08 18:55:39.0828 2844 NAL (1e59aaed42a5e3a5ed86ec403f9c0776) C:\WINDOWS\system32\Drivers\iqvw32.sys
2011/09/08 18:55:39.0875 2844 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/08 18:55:39.0921 2844 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/09/08 18:55:39.0953 2844 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/08 18:55:40.0000 2844 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/08 18:55:40.0031 2844 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/08 18:55:40.0093 2844 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/08 18:55:40.0140 2844 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/08 18:55:40.0171 2844 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/08 18:55:40.0250 2844 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/08 18:55:40.0328 2844 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/08 18:55:40.0375 2844 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/08 18:55:40.0468 2844 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/09/08 18:55:40.0546 2844 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/08 18:55:40.0593 2844 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/08 18:55:40.0687 2844 Packet (8f856dae19383bd69db444004d5d4f50) C:\WINDOWS\system32\DRIVERS\packet.sys
2011/09/08 18:55:40.0734 2844 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/09/08 18:55:40.0765 2844 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/08 18:55:40.0796 2844 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/08 18:55:40.0875 2844 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys
2011/09/08 18:55:40.0921 2844 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/08 18:55:40.0984 2844 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/09/08 18:55:41.0046 2844 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/09/08 18:55:41.0109 2844 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
2011/09/08 18:55:41.0281 2844 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/09/08 18:55:41.0343 2844 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/09/08 18:55:41.0453 2844 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/08 18:55:41.0500 2844 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/08 18:55:41.0531 2844 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/08 18:55:41.0578 2844 PxHelp20 (7c81ae3c9b82ba2da437ed4d31bc56cf) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/09/08 18:55:41.0625 2844 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/09/08 18:55:41.0687 2844 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/09/08 18:55:41.0750 2844 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/09/08 18:55:41.0812 2844 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/09/08 18:55:41.0890 2844 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/09/08 18:55:41.0968 2844 QV2KUX (0087f01d35a65b32393cc8bba46ee4a6) C:\WINDOWS\system32\DRIVERS\qv2kux.sys
2011/09/08 18:55:42.0109 2844 RapportCerberus_29574 (dda98cc4f34977914c731b8155e1cbd5) C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\29574\RapportCerberus32_29574.sys
2011/09/08 18:55:42.0218 2844 RapportEI (9dd8f690701f6c591d71c5169d8e26b5) C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
2011/09/08 18:55:42.0359 2844 RapportKELL (96cb50f2774a2bc3224e06f71882fe3c) C:\WINDOWS\system32\Drivers\RapportKELL.sys
2011/09/08 18:55:42.0437 2844 RapportPG (df35d6916fa4355e5f5f56b0d47babfb) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
2011/09/08 18:55:42.0515 2844 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/08 18:55:42.0593 2844 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/08 18:55:42.0640 2844 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/08 18:55:42.0671 2844 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/08 18:55:42.0734 2844 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/08 18:55:42.0750 2844 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/08 18:55:42.0796 2844 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/08 18:55:42.0859 2844 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/08 18:55:42.0906 2844 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/08 18:55:43.0078 2844 Sahara (cb745e315ecd23d3b4379508e8128f21) C:\WINDOWS\system32\drivers\Sahara.sys
2011/09/08 18:55:43.0140 2844 Salvador (9927c857c40db3d8442ea3a0b191a27b) C:\WINDOWS\system32\drivers\Salvador.sys
2011/09/08 18:55:43.0218 2844 Scarlet (8dd7f1b7b7a161482a5e9414e5471bf3) C:\WINDOWS\system32\drivers\Scarlet.sys
2011/09/08 18:55:43.0312 2844 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/08 18:55:43.0359 2844 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/08 18:55:43.0390 2844 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/08 18:55:43.0484 2844 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/09/08 18:55:43.0546 2844 Sidney (ad7bbdfe2f7bf8cb22c2fb746bc2f37a) C:\WINDOWS\system32\drivers\Sidney.sys
2011/09/08 18:55:43.0625 2844 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/09/08 18:55:43.0703 2844 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/09/08 18:55:43.0765 2844 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/09/08 18:55:43.0843 2844 Spfd (8f2ef8e05bdc098ea92dc1137720cc2c) C:\WINDOWS\system32\drivers\Spfd.sys
2011/09/08 18:55:43.0921 2844 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/08 18:55:43.0968 2844 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/08 18:55:44.0000 2844 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/08 18:55:44.0093 2844 STHDA (797fcc1d859b203958e915bb82528da9) C:\WINDOWS\system32\drivers\sthda.sys
2011/09/08 18:55:44.0203 2844 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/09/08 18:55:44.0250 2844 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/08 18:55:44.0312 2844 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/08 18:55:44.0390 2844 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/09/08 18:55:44.0453 2844 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/09/08 18:55:44.0515 2844 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/09/08 18:55:44.0562 2844 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/09/08 18:55:44.0640 2844 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/08 18:55:44.0750 2844 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/08 18:55:44.0812 2844 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/08 18:55:44.0875 2844 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/08 18:55:44.0921 2844 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/08 18:55:44.0984 2844 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/09/08 18:55:45.0046 2844 UDFReadr (14826dbde814e4c4ebd2a0e826596f54) C:\WINDOWS\system32\drivers\UDFReadr.sys
2011/09/08 18:55:45.0125 2844 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/08 18:55:45.0156 2844 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/09/08 18:55:45.0218 2844 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/08 18:55:45.0343 2844 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/08 18:55:45.0406 2844 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/08 18:55:45.0484 2844 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/09/08 18:55:45.0578 2844 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/09/08 18:55:45.0656 2844 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/08 18:55:45.0687 2844 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/08 18:55:45.0703 2844 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/09/08 18:55:45.0765 2844 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/09/08 18:55:45.0812 2844 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/09/08 18:55:45.0875 2844 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/08 18:55:45.0968 2844 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/08 18:55:46.0046 2844 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2011/09/08 18:55:46.0125 2844 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/09/08 18:55:46.0218 2844 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/08 18:55:46.0406 2844 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/09/08 18:55:46.0500 2844 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/09/08 18:55:46.0593 2844 WudfPf (50eb9e21963b4f06fd010d007d54351b) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/09/08 18:55:46.0640 2844 WudfRd (6e209664bdea8a15b5e8e480d6c607c2) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/09/08 18:55:46.0718 2844 MBR (0x1B8) (6f9a1d528242bc09104b85e0becf5554) \Device\Harddisk0\DR0
2011/09/08 18:55:46.0734 2844 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.a (0)
2011/09/08 18:55:47.0046 2844 MBR (0x1B8) (739b36f7a373fc81121d831231b6d311) \Device\Harddisk1\DR5
2011/09/08 18:55:47.0343 2844 Boot (0x1200) (cd212e7d192a427c2d737995de30ea35) \Device\Harddisk0\DR0\Partition0
2011/09/08 18:55:47.0390 2844 Boot (0x1200) (c06361b4149c0f13caf97efd8207d0a8) \Device\Harddisk0\DR0\Partition1
2011/09/08 18:55:47.0406 2844 Boot (0x1200) (3bed3aa4b772a2edc307cb606077c9f9) \Device\Harddisk1\DR5\Partition0
2011/09/08 18:55:47.0421 2844 ================================================================================
2011/09/08 18:55:47.0421 2844 Scan finished
2011/09/08 18:55:47.0421 2844 ================================================================================
2011/09/08 18:55:47.0453 2836 Detected object count: 1
2011/09/08 18:55:47.0453 2836 Actual detected object count: 1
2011/09/08 18:55:57.0375 2836 \Device\Harddisk0\DR0 (Rootkit.Boot.SST.a) - will be cured after reboot
2011/09/08 18:55:57.0375 2836 \Device\Harddisk0\DR0 - ok
2011/09/08 18:55:57.0375 2836 Rootkit.Boot.SST.a(\Device\Harddisk0\DR0) - User select action: Cure

carols
Novice
Novice

Status :
Online
Offline

Posts Posts : 16
Joined Joined : 2011-09-05
OS : Windows XP

View user profile

Back to top Go down

Re: System Recovery Virus

Post by carols on Sat Sep 10, 2011 9:30 pm

Hi,

Not only has this virus hidden my desktop, items in start menu and quick launch bar I was also unable to connect to the internet. I therefore ran malwarebytes to see if it would help and it found and quarantined 9 items. Do you need the log?

Thanks,
Carol

carols
Novice
Novice

Status :
Online
Offline

Posts Posts : 16
Joined Joined : 2011-09-05
OS : Windows XP

View user profile

Back to top Go down

Re: System Recovery Virus

Post by Belahzur on Sun Sep 11, 2011 12:31 am

Hi,


Download Combofix from any of the links below, and save it to your desktop.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

When saving ComboFix rename it to PCHelpForum.exe to prevent it from being blocked by malware.


Refer to this image:

To prevent your anti-virus application interfering with ComboFix we need to disable it. See [You must be registered and logged in to see this link.] for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click PCHelpForum.exe to run it.

    You will see the following image:


Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: System Recovery Virus

Post by carols on Sun Sep 11, 2011 8:56 pm

Hi,

Here is the log:

ComboFix 11-09-11.05 - Carol 11/09/2011 20:47:37.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.553 [GMT 1:00]
Running from: c:\documents and settings\Carol\Desktop\PCHelpForum.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\EULALauncher.exe.3f62b452.ini.inuse
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.b623dd6.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\MSI2FA.tmp.4ac6fa25.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\RegAsm.exe.ca35bcc8.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL4F.tmp.b1f8031b.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SLF5.tmp.664d238.ini
c:\documents and settings\Carol\Application Data\inst.exe
c:\documents and settings\Carol\Application Data\Microsoft\Internet Explorer\Quick Launch\System Recovery.lnk
c:\documents and settings\Carol\Desktop\System Recovery.lnk
c:\documents and settings\Carol\GoToAssistDownloadHelper.exe
c:\documents and settings\Carol\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Carol\Local Settings\Application Data\ApplicationHistory\DMX.exe.d0259252.ini
c:\documents and settings\Carol\Local Settings\Application Data\ApplicationHistory\DMX.exe.d0259252.ini.inuse
c:\documents and settings\Carol\Local Settings\Application Data\ApplicationHistory\ehExtHost.exe.fa7bea74.ini
c:\documents and settings\Carol\Local Settings\Application Data\ApplicationHistory\ehshell.exe.a87fcbb.ini
c:\documents and settings\Carol\Local Settings\Application Data\ApplicationHistory\EULA.exe.e24c9112.ini
c:\documents and settings\Carol\Local Settings\Application Data\ApplicationHistory\EULALauncher.exe.3f62b452.ini
c:\documents and settings\Carol\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.b623dd6.ini
c:\documents and settings\Carol\Local Settings\Application Data\ApplicationHistory\MSI253D.tmp.559d14e.ini
c:\documents and settings\Carol\Local Settings\Application Data\ApplicationHistory\MSI2FA.tmp.4ac6fa25.ini
c:\documents and settings\Carol\Local Settings\Application Data\ApplicationHistory\MSI3C7.tmp.b9a52ebf.ini
c:\documents and settings\Carol\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Carol\Local Settings\Application Data\ApplicationHistory\ngen.exe.89f695a3.ini
c:\documents and settings\Carol\Local Settings\Application Data\ApplicationHistory\RegAsm.exe.ca35bcc8.ini
c:\documents and settings\Carol\Local Settings\Application Data\ApplicationHistory\SL4F.tmp.b1f8031b.ini
c:\documents and settings\Carol\Local Settings\Application Data\ApplicationHistory\SLDE.tmp.f927a584.ini
c:\documents and settings\Carol\Local Settings\Application Data\ApplicationHistory\SLF5.tmp.664d238.ini
c:\documents and settings\Carol\Local Settings\Application Data\ApplicationHistory\UIMain.exe.f56a6b1b.ini
c:\documents and settings\Carol\Start Menu\Programs\System Recovery
c:\documents and settings\Carol\Start Menu\Programs\System Recovery\System Recovery.lnk
c:\documents and settings\Carol\Start Menu\Programs\System Recovery\Uninstall System Recovery.lnk
c:\documents and settings\Carol\WINDOWS
c:\documents and settings\Guest\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Guest\Local Settings\Application Data\ApplicationHistory\EULALauncher.exe.3f62b452.ini.inuse
c:\documents and settings\Guest\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.b623dd6.ini
c:\documents and settings\Guest\Local Settings\Application Data\ApplicationHistory\MSI2FA.tmp.4ac6fa25.ini
c:\documents and settings\Guest\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Guest\Local Settings\Application Data\ApplicationHistory\RegAsm.exe.ca35bcc8.ini
c:\documents and settings\Guest\Local Settings\Application Data\ApplicationHistory\SL4F.tmp.b1f8031b.ini
c:\documents and settings\Guest\Local Settings\Application Data\ApplicationHistory\SLF5.tmp.664d238.ini
c:\windows\$NtUninstallKB62619$
c:\windows\$NtUninstallKB62619$\1409354178
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\iun6002.exe
c:\windows\kb913800.exe
c:\windows\system32\comct332.ocx
c:\windows\winhelp.ini
H:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MYWEBSEARCHSERVICE
.
.
((((((((((((((((((((((((( Files Created from 2011-08-11 to 2011-09-11 )))))))))))))))))))))))))))))))
.
.
2011-09-05 22:38 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-05 22:38 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-05 21:41 . 2011-09-05 21:38 1008092 ----a-w- C:\rkill.com
2011-08-24 19:28 . 2011-03-13 10:42 24376 ----a-w- c:\program files\Mozilla Firefox\distribution\bundles\{D19CA586-DD6C-4a0a-96F8-14644F340D60}\components\scriptff.dll
2011-08-17 17:59 . 2011-08-17 17:59 -------- d--h--w- c:\documents and settings\Carol\Local Settings\Application Data\Trusteer
2011-08-17 17:57 . 2011-08-17 17:57 -------- d--h--w- c:\documents and settings\Carol\Application Data\Trusteer
2011-08-17 17:57 . 2011-08-17 17:57 -------- d-----w- c:\program files\Trusteer
2011-08-17 17:56 . 2011-08-17 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2011-08-16 18:14 . 2011-08-16 18:14 -------- d-----w- c:\program files\iPod
2011-08-16 18:13 . 2011-08-16 18:15 -------- d-----w- c:\program files\iTunes
2011-08-16 18:08 . 2011-08-16 18:08 -------- d-----w- c:\program files\Bonjour
2011-08-16 18:02 . 2011-08-16 18:02 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2011-08-16 18:02 . 2011-08-16 18:02 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2011-08-16 18:02 . 2011-08-16 18:02 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2011-08-16 18:02 . 2011-08-16 18:02 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2011-08-16 18:02 . 2011-08-16 18:02 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2011-08-16 18:02 . 2011-08-16 18:02 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2011-08-16 18:02 . 2011-08-16 18:02 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-23 19:37 . 2011-06-04 09:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2007-01-29 17:54 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 10:20 . 2011-07-12 10:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 10:20 . 2011-07-12 10:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-08 14:02 . 2005-08-16 04:18 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-05 17:37 . 2011-07-05 17:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 17:37 . 2011-07-05 17:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-06-24 14:10 . 2005-08-16 04:37 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2005-08-16 04:18 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2005-08-16 04:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2005-08-16 04:18 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2005-08-16 04:18 385024 ----a-w- c:\windows\system32\html.iec
2011-06-22 17:01 . 2011-06-22 17:01 56336 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-06-20 17:44 . 2005-08-16 04:18 293376 ----a-w- c:\windows\system32\winsrv.dll
2007-08-31 18:57 . 2007-08-31 18:57 411248 ----a-w- c:\program files\FLV PlayerRCSetup.exe
2007-01-31 18:03 . 2007-01-31 18:03 84961 ----a-w- c:\program files\iTunesSetup.exe
2011-08-12 06:12 . 2011-08-23 19:30 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2010-06-18 671608]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"HostManager"="c:\program files\Common Files\AOL\1170957951\ee\AOLSoftware.exe" [2006-11-17 50736]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe" [2003-08-18 53248]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-04 106496]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-07-13 1312384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\Carol\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - i:\bbc iplayer\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [N/A]
Seagate 2GHKV9G4 Product Registration.lnk - c:\documents and settings\Carol\Application Data\Leadertech\PowerRegister\Seagate 2GHKV9G4 Product Registration.exe [2010-5-1 1731736]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1170957951\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\[You must be registered and logged in to see this link.]
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [22/06/2011 18:01 56336]
R0 Sahara;Sahara;c:\windows\system32\drivers\Sahara.sys [28/02/2011 23:33 166912]
R0 Salvador;Salvador;c:\windows\system32\drivers\Salvador.sys [28/02/2011 23:33 52480]
R0 Scarlet;Scarlet;c:\windows\system32\drivers\Scarlet.sys [28/02/2011 23:33 33792]
R0 Sidney;Sidney;c:\windows\system32\drivers\Sidney.sys [28/02/2011 23:33 116480]
R0 Spfd;Spfd;c:\windows\system32\drivers\Spfd.sys [28/02/2011 23:33 29056]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [04/08/2010 10:37 89368]
R1 RapportCerberus_29574;RapportCerberus_29574;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\29574\RapportCerberus32_29574.sys [17/08/2011 18:58 216912]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [21/08/2011 10:00 70416]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [21/08/2011 10:00 161936]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [05/09/2011 23:38 366640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [03/03/2010 21:26 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [04/08/2010 10:37 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [04/08/2010 10:37 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [04/08/2010 10:37 159832]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [04/08/2010 10:37 148520]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [21/08/2011 10:00 919352]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [04/08/2010 10:37 57432]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [05/09/2011 23:38 22712]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [04/08/2010 10:37 337912]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [04/08/2010 10:37 83688]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S2 gupdate1c9c6a97f4244;Google Update Service (gupdate1c9c6a97f4244);c:\program files\Google\Update\GoogleUpdate.exe [26/04/2009 20:55 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [26/04/2009 20:55 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [05/09/2011 23:38 41272]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [04/08/2010 10:37 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [04/08/2010 10:37 85984]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ATWPKT2
*Deregistered* - ATWPKT2
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2011-07-21 c:\windows\Tasks\expressburnSevenDays.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2011-07-21 16:55]
.
2011-07-24 c:\windows\Tasks\expressburnShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2011-07-21 16:55]
.
2011-07-13 c:\windows\Tasks\expressripDowngrade.job
- c:\program files\NCH Swift Sound\ExpressRip\expressrip.exe [2011-07-21 16:55]
.
2011-07-21 c:\windows\Tasks\expressripSevenDays.job
- c:\program files\NCH Swift Sound\ExpressRip\expressrip.exe [2011-07-21 16:55]
.
2011-07-24 c:\windows\Tasks\expressripShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressRip\expressrip.exe [2011-07-21 16:55]
.
2011-09-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-28 19:53]
.
2011-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-26 19:55]
.
2011-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-26 19:55]
.
2011-07-21 c:\windows\Tasks\mixpadSevenDays.job
- c:\program files\NCH Software\MixPad\mixpad.exe [2011-07-21 17:07]
.
2011-07-24 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Software\MixPad\mixpad.exe [2011-07-21 17:07]
.
2011-07-21 c:\windows\Tasks\wavepadDowngrade.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-07-21 16:54]
.
2011-07-21 c:\windows\Tasks\wavepadSevenDays.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-07-21 16:54]
.
2011-07-24 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-07-21 16:54]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Carol\Application Data\Mozilla\Firefox\Profiles\vugv58cg.default\
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-utilman - c:\documents and settings\Carol\Application Data\utilman.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-09-11 21:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\.ipsec]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3084)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\dfshim.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PSIService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\stsystra.exe
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
c:\program files\Lexmark 3100 Series\lxbrbmon.exe
c:\windows\wanmpsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\common files\aol\1170957951\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\windows\system32\dllhost.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\rundll32.exe
c:\windows\eHome\ehmsas.exe
c:\program files\common files\aol\1170957951\ee\anotify.exe
.
**************************************************************************
.
Completion time: 2011-09-11 21:48:29 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-11 20:48
.
Pre-Run: 29,809,360,896 bytes free
Post-Run: 29,944,393,728 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - E2E1358AA0DEFA2B91190C822E75A7A3

Regards,
Carol

carols
Novice
Novice

Status :
Online
Offline

Posts Posts : 16
Joined Joined : 2011-09-05
OS : Windows XP

View user profile

Back to top Go down

Re: System Recovery Virus

Post by Belahzur on Sun Sep 11, 2011 11:35 pm

Hello.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: System Recovery Virus

Post by carols on Mon Sep 12, 2011 8:01 pm

Hi,

I have tried to run this a few times. In the initialisation window it says "Note: You are using ESET Online Scanner for the first time. Downloading the signature database may take some time, depending on your connection speed." It runs to 96% and then says "Can not get update. Is proxy configured?"

I'm not sure what to do now.

Regards
Carol

carols
Novice
Novice

Status :
Online
Offline

Posts Posts : 16
Joined Joined : 2011-09-05
OS : Windows XP

View user profile

Back to top Go down

Re: System Recovery Virus

Post by carols on Tue Sep 13, 2011 10:16 pm

Hello,

I've tried to run ESET Online Scanner again in safe mode.

This time it recognised it had already been run and only need to update the current version.

However, it ran to 100% with a message "Unexpected error 2002".

Regards,
Carol

carols
Novice
Novice

Status :
Online
Offline

Posts Posts : 16
Joined Joined : 2011-09-05
OS : Windows XP

View user profile

Back to top Go down

Re: System Recovery Virus

Post by Belahzur on Fri Sep 16, 2011 1:16 am

Okay leave ESET for now, how is the machine running overall?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: System Recovery Virus

Post by carols on Fri Sep 16, 2011 5:25 pm

Thank you for your help.

The virus pop ups have stopped and my icons have reappeared on the desktop, although not the wallpaper. All my program files are showing empty from the start menu and the icons are still missing from the quick launch bar. Does this mean they are still hidden due to the virus or could they have been wiped?

I am also still logging in via safe mode with networking as the internet crashes otherwise.

Regards,
Carol

carols
Novice
Novice

Status :
Online
Offline

Posts Posts : 16
Joined Joined : 2011-09-05
OS : Windows XP

View user profile

Back to top Go down

Re: System Recovery Virus

Post by carols on Sun Sep 25, 2011 3:39 pm

Hi,

Is there anything further I can do?

Regards,
Carol

carols
Novice
Novice

Status :
Online
Offline

Posts Posts : 16
Joined Joined : 2011-09-05
OS : Windows XP

View user profile

Back to top Go down

Re: System Recovery Virus

Post by Belahzur on Mon Sep 26, 2011 5:49 pm

Hmm, please re-run Combofix, I want to check something.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: System Recovery Virus

Post by carols on Tue Sep 27, 2011 7:39 pm

Hi Belahzur,

I have re-run Combofix. Here is the report.

Regards,
Carol

ComboFix 11-09-27.01 - Carol 27/09/2011 20:16:18.2.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.668 [GMT 1:00]
Running from: c:\documents and settings\Carol\Desktop\PCHelpForum.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\d3d9caps.dat
H:\Setup.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_.ipsec
.
.
((((((((((((((((((((((((( Files Created from 2011-08-27 to 2011-09-27 )))))))))))))))))))))))))))))))
.
.
2011-09-13 22:17 . 2011-09-13 22:17 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-09-13 22:17 . 2011-09-13 22:17 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-09-05 22:38 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-05 22:38 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-05 21:41 . 2011-09-05 21:38 1008092 ----a-w- C:\rkill.com
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-03 10:17 . 2005-08-16 04:18 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-23 19:37 . 2011-06-04 09:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2007-01-29 17:54 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 10:20 . 2011-07-12 10:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 10:20 . 2011-07-12 10:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-08 14:02 . 2005-08-16 04:18 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-05 17:37 . 2011-07-05 17:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 17:37 . 2011-07-05 17:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2007-08-31 18:57 . 2007-08-31 18:57 411248 ----a-w- c:\program files\FLV PlayerRCSetup.exe
2007-01-31 18:03 . 2007-01-31 18:03 84961 ----a-w- c:\program files\iTunesSetup.exe
2011-08-12 06:12 . 2011-08-23 19:30 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2010-06-18 671608]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"HostManager"="c:\program files\Common Files\AOL\1170957951\ee\AOLSoftware.exe" [2006-11-17 50736]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe" [2003-08-18 53248]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-04 106496]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-07-13 1312384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\Carol\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - i:\bbc iplayer\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [N/A]
Seagate 2GHKV9G4 Product Registration.lnk - c:\documents and settings\Carol\Application Data\Leadertech\PowerRegister\Seagate 2GHKV9G4 Product Registration.exe [2010-5-1 1731736]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1170957951\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\[You must be registered and logged in to see this link.]
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R0 Sahara;Sahara;c:\windows\system32\drivers\Sahara.sys [28/02/2011 23:33 166912]
R0 Salvador;Salvador;c:\windows\system32\drivers\Salvador.sys [28/02/2011 23:33 52480]
R0 Scarlet;Scarlet;c:\windows\system32\drivers\Scarlet.sys [28/02/2011 23:33 33792]
R0 Sidney;Sidney;c:\windows\system32\drivers\Sidney.sys [28/02/2011 23:33 116480]
R0 Spfd;Spfd;c:\windows\system32\drivers\Spfd.sys [28/02/2011 23:33 29056]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [04/08/2010 10:37 89368]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [04/08/2010 10:37 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [04/08/2010 10:37 159832]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [04/08/2010 10:37 148520]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [04/08/2010 10:37 337912]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [04/08/2010 10:37 83688]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [22/06/2011 18:01 56336]
S1 RapportCerberus_29574;RapportCerberus_29574;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\29574\RapportCerberus32_29574.sys [17/08/2011 18:58 216912]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [21/08/2011 10:00 70416]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [21/08/2011 10:00 161936]
S2 gupdate1c9c6a97f4244;Google Update Service (gupdate1c9c6a97f4244);c:\program files\Google\Update\GoogleUpdate.exe [26/04/2009 20:55 133104]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [05/09/2011 23:38 366640]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [03/03/2010 21:26 88176]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [04/08/2010 10:37 214904]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [21/08/2011 10:00 919352]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [04/08/2010 10:37 57432]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [26/04/2009 20:55 133104]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [05/09/2011 23:38 22712]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [05/09/2011 23:38 41272]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [04/08/2010 10:37 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [04/08/2010 10:37 85984]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [01/09/2007 21:17 47360]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2011-07-21 c:\windows\Tasks\expressburnSevenDays.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2011-07-21 16:55]
.
2011-07-24 c:\windows\Tasks\expressburnShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2011-07-21 16:55]
.
2011-07-13 c:\windows\Tasks\expressripDowngrade.job
- c:\program files\NCH Swift Sound\ExpressRip\expressrip.exe [2011-07-21 16:55]
.
2011-07-21 c:\windows\Tasks\expressripSevenDays.job
- c:\program files\NCH Swift Sound\ExpressRip\expressrip.exe [2011-07-21 16:55]
.
2011-07-24 c:\windows\Tasks\expressripShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressRip\expressrip.exe [2011-07-21 16:55]
.
2011-09-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-28 19:53]
.
2011-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-26 19:55]
.
2011-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-26 19:55]
.
2011-07-21 c:\windows\Tasks\mixpadSevenDays.job
- c:\program files\NCH Software\MixPad\mixpad.exe [2011-07-21 17:07]
.
2011-07-24 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Software\MixPad\mixpad.exe [2011-07-21 17:07]
.
2011-07-21 c:\windows\Tasks\wavepadDowngrade.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-07-21 16:54]
.
2011-07-21 c:\windows\Tasks\wavepadSevenDays.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-07-21 16:54]
.
2011-07-24 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-07-21 16:54]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Carol\Application Data\Mozilla\Firefox\Profiles\vugv58cg.default\
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-09-27 20:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(396)
c:\windows\system32\WININET.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mslbui.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\mcafee.com\agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2011-09-27 20:34:51 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-27 19:34
ComboFix2.txt 2011-09-11 20:48
.
Pre-Run: 30,919,385,088 bytes free
Post-Run: 30,961,352,704 bytes free
.
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 6E9A1152160280418C016C6407661BD1

carols
Novice
Novice

Status :
Online
Offline

Posts Posts : 16
Joined Joined : 2011-09-05
OS : Windows XP

View user profile

Back to top Go down

Re: System Recovery Virus

Post by Belahzur on Tue Sep 27, 2011 8:12 pm

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: System Recovery Virus

Post by carols on Thu Sep 29, 2011 8:24 pm

I tried to run this before without success. Now I am getting message "Unexpected error 2002"

carols
Novice
Novice

Status :
Online
Offline

Posts Posts : 16
Joined Joined : 2011-09-05
OS : Windows XP

View user profile

Back to top Go down

Re: System Recovery Virus

Post by Belahzur on Sat Oct 01, 2011 1:59 pm

Hello.

Make sure no proxy is enabled.

Remove the Proxy setting in Internet Explorer and/or in FireFox.

    In Internet Explorer
  1. Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

    In Firefox
  1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection > Choose "No Proxy"
  2. Click the apply button and restart that computer in normal mode.

Try again, see if you get the same error.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: System Recovery Virus

Post by carols on Mon Oct 03, 2011 8:15 pm

Ok, I tried a few things and eventually uninstalled Firefox as I don't use it, then managed to run ESET.

Here is the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=1
esets_scanner_update returned -1 esets_gle=1
esets_scanner_update returned -1 esets_gle=1
esets_scanner_update returned -1 esets_gle=0
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=c3d2259e6de8ed499e27f00bbdf014bc
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2011-10-03 06:37:53
# local_time=2011-10-03 07:37:53 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16777190 100 75 3630970 18154935 0 0
# compatibility_mode=8192 67108863 100 0 50113123 50113123 0 0
# scanned=0
# found=0
# cleaned=0
# scan_time=0
esets_scanner_update returned -1 esets_gle=0
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=c3d2259e6de8ed499e27f00bbdf014bc
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-10-03 06:53:00
# local_time=2011-10-03 07:53:00 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16777190 100 75 3631877 18155842 0 0
# compatibility_mode=8192 67108863 100 0 50114030 50114030 0 0
# scanned=0
# found=0
# cleaned=0
# scan_time=0

carols
Novice
Novice

Status :
Online
Offline

Posts Posts : 16
Joined Joined : 2011-09-05
OS : Windows XP

View user profile

Back to top Go down

Re: System Recovery Virus

Post by Belahzur on Tue Oct 04, 2011 10:45 am

Hello.
Just some old programs to update now.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Adobe Reader 9.4.5
    Java(TM) 6 Update 20
    Viewpoint Media Player

Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Click the "Download JRE" button to the right.
  • In the Window that opens, select your platform, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-7-windows-i586.exe that you downloaded to install the newest version.

Please download [You must be registered and logged in to see this link.] and install it. It will install over version 6.0 you currently have installed, so you won't lose any bookmarked websites.

Then download and install [You must be registered and logged in to see this link.]

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: System Recovery Virus

Post by carols on Tue Oct 04, 2011 9:22 pm

Hello,

I have removed the three programs but, trying to download java to my desktop has failed.

At around 2% the message:
"Internet Explorer cannot download jre-7-windows-i586.exe from download.oracle.com. The connection with the server was reset"

I haven't downloaded Adobe Reader X yet as I wasn't sure if the downloads needed to be done in a specific order.

Firefox... I don't use it so do I need to reinstall it?

Regards,
Carol

carols
Novice
Novice

Status :
Online
Offline

Posts Posts : 16
Joined Joined : 2011-09-05
OS : Windows XP

View user profile

Back to top Go down

Re: System Recovery Virus

Post by Belahzur on Fri Oct 07, 2011 2:12 pm

Hello.
Hmm, try downloading Java 7 again, could of been a server issue with oracle.

If you don't use Firefox, uninstall it.

You can install Adobe Reader X whenever, they don't need to be done in order.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: System Recovery Virus

Post by carols on Fri Oct 07, 2011 10:45 pm

Oh dear... I've tried to save Java to desktop again and download Adobe but both have failed.

I'm sorry this is proving so much of a problem... is there anything else I can do?

Carol

carols
Novice
Novice

Status :
Online
Offline

Posts Posts : 16
Joined Joined : 2011-09-05
OS : Windows XP

View user profile

Back to top Go down

Re: System Recovery Virus

Post by carols on Fri Oct 14, 2011 8:13 pm

Hi, I've just tried to log in in safe mode to download and install Java and Adobe but that didn't work either. Internet just hangs - it's not the connection, that's fine.

Do you have any further suggestions or do you think I'm looking at starting from scratch?

Regards,
Carol

carols
Novice
Novice

Status :
Online
Offline

Posts Posts : 16
Joined Joined : 2011-09-05
OS : Windows XP

View user profile

Back to top Go down

Re: System Recovery Virus

Post by carols on Mon Oct 17, 2011 3:11 pm

Hi,

I know you are busy and I'm sorry to press, but since this problem has been ongoing since 6th September, I'm wondering if it is looking likely that I will have to reinstall the operating system? Or do you have any other suggetions?

You have helped me once before and I will be more than happy to make a donation, but I struggling without the full use of my pc as I sometimes use it for work.

Many thanks,
Carol

carols
Novice
Novice

Status :
Online
Offline

Posts Posts : 16
Joined Joined : 2011-09-05
OS : Windows XP

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum