win32:sirefef-sm[trj] & win32:rootkit-gen[rtk] [Closed]


  • This topic is locked
134 replies to this topic

#91 portboy123

    Authentic Member
  • 124 posts

Posted 15 May 2012 - 07:20 PM

Jeff, forgot to tell you: after ComboFix I hooked my computer up and I had to copy and paste the netbt file into C:\Windows\System32\drivers; it was gone again. Then went to Control Panel / Services and had to start the DHCP. The OTL scan is running now.

#92 jeffce

    Malware Guy
  • Authentic Member
  • 8,693 posts

Posted 15 May 2012 - 07:39 PM

Hi. OK, thanks for letting me know. You are doing a great job.

#93 portboy123

    Authentic Member
  • 124 posts

Posted 15 May 2012 - 07:43 PM

Hi Jeff, ran the OTL but I don't see an Extras.txt.

OTL logfile created on: 5/15/2012 9:09:54 PM - Run 3
OTL by OldTimer - Version 3.2.42.3 Folder = G:\
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.46 Mb Total Physical Memory | 203.04 Mb Available Physical Memory | 39.70% Memory free
1.22 Gb Paging File | 0.96 Gb Available in Paging File | 78.75% Paging File free
Paging file location(s): c:\pagefile.sys 768 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 14.04 Gb Free Space | 18.84% Space Free | Partition Type: NTFS
Drive G: | 1.87 Gb Total Space | 1.78 Gb Free Space | 95.17% Space Free | Partition Type: FAT

Computer Name: FRANK-SONY | User Name: Frank | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - G:\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
PRC - C:\Program Files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe (Logitech Inc.)
PRC - C:\Program Files\SUPERAntiSpyware\SASCore.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Alwil Software\Avast5\defs\12051501\algo.dll ()
MOD - C:\Program Files\Unlocker\UnlockerCOM.dll ()
MOD - C:\Program Files\WinRAR\RarExt.dll ()


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- %SystemRoot%\System32\hidserv.dll File not found
SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
SRV - (UMVPFSrv) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe (Logitech Inc.)
SRV - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCore.exe (SUPERAntiSpyware.com)
SRV - (LVPrcSrv) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (WDC_SAM) -- system32\DRIVERS\wdcsam.sys File not found
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- system32\DRIVERS\RTL8139.SYS File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (pctplsg) -- C:\WINDOWS\system32\drivers\pctplsg.sys File not found
DRV - (PCIDump) -- File not found
DRV - (MFE_RR) -- C:\DOCUME~1\Frank\LOCALS~1\Temp\mfe_rr.sys File not found
DRV - (lbrtfdc) -- File not found
DRV - (ivusb) -- system32\DRIVERS\ivusb.sys File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\franks\catchme.sys File not found
DRV - (CA500AV) -- system32\DRIVERS\CA500AV.SYS File not found
DRV - (CA500AI) -- System32\Drivers\BULKUSB.sys File not found
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (aswSnx) -- C:\WINDOWS\System32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswSP) -- C:\WINDOWS\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswRdr) -- C:\WINDOWS\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswTdi) -- C:\WINDOWS\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswMon2) -- C:\WINDOWS\System32\drivers\aswmon2.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (Aavmker4) -- C:\WINDOWS\System32\drivers\aavmker4.sys (AVAST Software)
DRV - (LVUVC) Logitech Webcam 200(UVC) -- C:\WINDOWS\system32\drivers\lvuvc.sys (Logitech Inc.)
DRV - (LVRS) -- C:\WINDOWS\system32\drivers\lvrs.sys (Logitech Inc.)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (FilterService) -- C:\WINDOWS\system32\drivers\lvuvcflt.sys (Logitech Inc.)
DRV - (lvpopflt) -- C:\WINDOWS\system32\drivers\lvpopflt.sys (Logitech Inc.)
DRV - (LVPr2Mon) -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys ()
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (IPN2120) -- C:\WINDOWS\system32\drivers\LSIPNDS.sys (The Linksys Group, Inc.)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (Jukebox3) -- C:\WINDOWS\system32\drivers\ctpdusb.sys (Creative Technology Ltd.)
DRV - (ltmodem5) -- C:\WINDOWS\system32\drivers\ltmdmnt.sys (LT)
DRV - (ms_mpu401) -- C:\WINDOWS\system32\drivers\msmpu401.sys (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL =
IE - HKLM\..\SearchScopes,DefaultScope =


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 30 C7 3E 01 0C 3D 7A 48 8C 83 89 32 12 DA 00 17 [binary data]
IE - HKU\.DEFAULT\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 30 C7 3E 01 0C 3D 7A 48 8C 83 89 32 12 DA 00 17 [binary data]
IE - HKU\S-1-5-18\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 30 C7 3E 01 0C 3D 7A 48 8C 83 89 32 12 DA 00 17 [binary data]
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = {2381E4B7-5C04-459E-9D46-2F9AC1608B66}
IE - HKU\S-1-5-19\..\SearchScopes\{2381E4B7-5C04-459E-9D46-2F9AC1608B66}: "URL" = http://search.yahoo....e...tf-8&fr=ysp

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 30 C7 3E 01 0C 3D 7A 48 8C 83 89 32 12 DA 00 17 [binary data]
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = {2381E4B7-5C04-459E-9D46-2F9AC1608B66}
IE - HKU\S-1-5-20\..\SearchScopes\{2381E4B7-5C04-459E-9D46-2F9AC1608B66}: "URL" = http://search.yahoo....e...tf-8&fr=ysp

IE - HKU\S-1-5-21-1844237615-1563985344-854245398-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-1844237615-1563985344-854245398-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-1844237615-1563985344-854245398-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo....e...-8&fr=b1ie7
IE - HKU\S-1-5-21-1844237615-1563985344-854245398-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1844237615-1563985344-854245398-1004\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKU\S-1-5-21-1844237615-1563985344-854245398-1004\..\SearchScopes,DefaultScope = {889CB885-E6C0-470E-88CD-594D14DCCFF3}
IE - HKU\S-1-5-21-1844237615-1563985344-854245398-1004\..\SearchScopes\{889CB885-E6C0-470E-88CD-594D14DCCFF3}: "URL" = http://search.yahoo....e...-8&fr=b2ie7
IE - HKU\S-1-5-21-1844237615-1563985344-854245398-1004\..\SearchScopes\{C5D07EE2-8911-480D-9EEE-8E17C0767F73}: "URL" = http://search.yahoo....amp;fr=veri-ie8
IE - HKU\S-1-5-21-1844237615-1563985344-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)


[2009/09/04 08:25:45 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Frank\Application Data\Mozilla\Extensions
[2009/09/04 08:25:45 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Frank\Application Data\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: ([2012/05/15 19:15:12 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Yahooo Search Protection) - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (EpsonToolBandKicker Class) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-1844237615-1563985344-854245398-1004\..\Toolbar\WebBrowser: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O3 - HKU\S-1-5-21-1844237615-1563985344-854245398-1004\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKU\.DEFAULT..\Run: [NvMediaCenter] C:\WINDOWS\System32\NVMCTRAY.DLL (NVIDIA Corporation)
O4 - HKU\S-1-5-18..\Run: [NvMediaCenter] C:\WINDOWS\System32\NVMCTRAY.DLL (NVIDIA Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Frank\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1844237615-1563985344-854245398-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1844237615-1563985344-854245398-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1844237615-1563985344-854245398-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKU\S-1-5-21-1844237615-1563985344-854245398-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 0
O7 - HKU\S-1-5-21-1844237615-1563985344-854245398-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1844237615-1563985344-854245398-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...n/ieawsdc32.cab (Reg Error: Key error.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft....k/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://dcode.suppor...veX/MSDcode.cab (Reg Error: Key error.)
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} http://support.asus....ek_sys_ctrl.cab (Reg Error: Key error.)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://pcpitstop.com...t/PCPitStop.CAB (Reg Error: Key error.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase8942.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate...b?1319572156188 (WUWebControl Class)
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} http://ccfiles.creat...101/CTSUEng.cab (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1194880429139 (MUWebControl Class)
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} http://picture.vzw.c...loadControl.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} https://www36.verizo...l/VCAVMUtil.CAB (Reg Error: Key error.)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} http://www.crucial.c.../cpcScanner.cab (Reg Error: Key error.)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.micros...ntent/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} http://www.cvsphoto....veX_Control.cab (Reg Error: Key error.)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creat...15112/CTPID.cab (Reg Error: Key error.)
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcp.../pcpitstop2.dll (Reg Error: Key error.)
O16 - DPF: PackageCab http://ak.imgag.com/...tall/AxCtp2.cab (Reg Error: Key error.)
O16 - DPF: vzTCPConfig http://www2.verizon....vzTCPConfig.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6A7294FE-46F4-4D39-BB22-2F43897138D5}: DhcpNameServer = 192.168.1.1 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/10/14 17:38:50 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (cleanMFT32 -c C:\Program)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Unable to start System Restore Service. Error code 1056

========== Files/Folders - Created Within 30 Days ==========

[2012/05/15 19:32:07 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/05/15 13:43:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Desktop\RK_Quarantine
[2012/05/15 11:00:57 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Frank\Recent
[2012/05/14 11:21:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/05/11 22:06:33 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/05/08 22:40:33 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/05/08 22:40:33 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/05/08 22:40:33 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/05/08 22:40:33 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/05/08 22:40:01 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/05/08 20:42:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2012/05/08 20:42:45 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/05/07 22:06:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Application Data\DriverCure
[2012/05/07 00:10:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun

========== Files - Modified Within 30 Days ==========

[2012/05/15 20:59:26 | 000,000,262 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\Shortcut to OTL.lnk
[2012/05/15 19:36:03 | 000,000,312 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2012/05/15 19:35:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/05/15 19:35:18 | 536,379,392 | -HS- | M] () -- C:\hiberfil.sys
[2012/05/15 19:35:16 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2012/05/15 19:15:12 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/05/15 13:42:31 | 001,420,288 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\RogueKiller.exe
[2012/05/15 09:04:39 | 000,000,275 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\Shortcut to franks.lnk
[2012/05/14 22:45:24 | 000,000,319 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\Adobe - Flash Player Settings.url
[2012/05/14 14:12:27 | 000,000,699 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\XPSP3_netsvcs.zip
[2012/05/14 05:21:25 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\SystemLook.exe
[2012/05/13 11:50:44 | 002,055,783 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\tdsskiller.zip
[2012/05/12 21:48:50 | 000,000,246 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\Shortcut to Security Center.lnk
[2012/05/11 22:30:07 | 000,276,560 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/05/11 22:08:30 | 000,717,448 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/05/11 22:08:30 | 000,159,912 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/05/11 22:06:47 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/05/11 10:03:28 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2012/05/11 10:03:26 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/05/10 14:05:43 | 000,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/05/08 20:42:56 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Frank\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/05/08 20:42:47 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\ERUNT.lnk
[2012/05/07 12:42:51 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/05/06 23:19:59 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

========== Files Created - No Company Name ==========

[2012/05/15 20:59:26 | 000,000,262 | ---- | C] () -- C:\Documents and Settings\Frank\Desktop\Shortcut to OTL.lnk
[2012/05/15 13:42:31 | 001,420,288 | ---- | C] () -- C:\Documents and Settings\Frank\Desktop\RogueKiller.exe
[2012/05/15 13:24:42 | 536,379,392 | -HS- | C] () -- C:\hiberfil.sys
[2012/05/15 09:04:39 | 000,000,275 | ---- | C] () -- C:\Documents and Settings\Frank\Desktop\Shortcut to franks.lnk
[2012/05/14 14:13:08 | 000,000,699 | ---- | C] () -- C:\Documents and Settings\Frank\Desktop\XPSP3_netsvcs.zip
[2012/05/14 05:21:25 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\Frank\Desktop\SystemLook.exe
[2012/05/13 11:50:44 | 002,055,783 | ---- | C] () -- C:\Documents and Settings\Frank\Desktop\tdsskiller.zip
[2012/05/12 21:48:50 | 000,000,246 | ---- | C] () -- C:\Documents and Settings\Frank\Desktop\Shortcut to Security Center.lnk
[2012/05/11 22:06:47 | 000,000,210 | ---- | C] () -- C:\Boot.bak
[2012/05/11 10:03:28 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2012/05/08 22:40:33 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/05/08 22:40:33 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/05/08 22:40:33 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/05/08 22:40:33 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/05/08 22:40:33 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/05/08 20:42:56 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Frank\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/05/08 20:42:47 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Frank\Desktop\ERUNT.lnk
[2012/02/15 23:29:55 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/12/11 21:02:36 | 000,074,703 | ---- | C] () -- C:\WINDOWS\System32\mfc45.dll
[2011/10/22 15:08:59 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2011/10/14 17:47:57 | 000,000,021 | ---- | C] () -- C:\WINDOWS\FH_setup.ini
[2011/08/19 10:26:20 | 010,898,456 | ---- | C] () -- C:\WINDOWS\System32\LogiDPP.dll
[2011/08/19 10:26:20 | 000,336,408 | ---- | C] () -- C:\WINDOWS\System32\DevManagerCore.dll
[2011/08/19 10:26:20 | 000,104,472 | ---- | C] () -- C:\WINDOWS\System32\LogiDPPApp.exe
[2010/09/09 15:56:01 | 000,000,145 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
[2010/09/05 16:27:24 | 000,203,776 | -HS- | C] () -- C:\WINDOWS\System32\unrar.exe
[2010/09/05 14:36:10 | 000,815,104 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/09/05 14:36:09 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/07/10 13:33:05 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

========== LOP Check ==========

[2011/01/08 13:29:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/10/12 08:58:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/03/09 00:21:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\dGbFjJl15406
[2010/02/24 23:20:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverScanner
[2010/10/19 15:11:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2012/03/13 11:12:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileCenter
[2010/08/27 10:05:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileCure
[2010/10/12 08:40:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/04/14 22:16:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\nKi06511jOnOj06511
[2008/04/18 08:41:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2011/09/03 19:34:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pI15401DiFhP15401
[2011/02/01 09:38:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pNpAoGa06511
[2011/03/16 15:25:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pOdIkEo06511
[2007/09/22 10:17:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT
[2010/08/23 13:01:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2010/09/09 20:38:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Western Digital
[2009/11/23 22:42:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2011/10/27 19:44:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
[2011/12/07 20:34:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\.oit
[2011/11/17 21:34:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Catalina Marketing Corp
[2008/09/08 08:00:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2008/09/14 14:59:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\com.directv.supercast.AA1ECC8BBAFE4E1BBF2D418DC006AF207FACE6CA.1
[2011/12/07 14:58:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\deskUNPDF
[2012/05/07 22:06:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\DriverCure
[2012/03/30 10:09:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\ElevatedDiagnostics
[2008/03/09 20:19:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\EPSON
[2008/08/01 09:19:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\GlarySoft
[2011/12/11 21:21:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\iolo
[2007/08/31 10:17:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Leadertech
[2010/09/25 11:25:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\LimeWire
[2010/05/05 08:34:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\OfficeUpdate12
[2010/10/19 15:22:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Opera
[2011/10/26 15:42:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Orbit
[2010/12/20 15:03:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Panda Security
[2011/12/05 13:35:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Privacy Guardian
[2011/12/05 13:32:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Product_FR
[2011/10/26 14:39:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\ProgSense
[2010/04/19 21:25:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\TweakNow RegCleaner
[2010/09/09 20:38:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Western Digital
[2010/09/09 15:56:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Western DigitalTemp
[2009/04/15 10:33:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Windows Desktop Search
[2009/04/15 10:34:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Windows Search
[2011/12/11 21:11:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\iolo
[2012/05/15 19:36:03 | 000,000,312 | ---- | M] () -- C:\WINDOWS\Tasks\GlaryInitialize.job
[2012/05/15 19:34:31 | 000,032,636 | ---- | M] () -- C:\WINDOWS\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========

< %systemroot%\*. /rp /s >

< %SYSTEMDRIVE%\*.exe >

< MD5 for: EXPLORER.EXE >
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\system32\dllcache\explorer.exe
[2007/06/13 07:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2006/02/28 08:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2006/02/28 08:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
[2008/12/03 05:24:40 | 000,286,720 | ---- | M] () MD5=DC3E9DF567567080CFDA56347C63A983 -- C:\Documents and Settings\Frank\My Documents\GPS PACKS\SUPERPACK\SuperPack 3.5\MioAutoRun\System\CE5\explorer.exe
[2006/11/18 21:50:04 | 000,280,064 | ---- | M] () MD5=FAC2688D868B71355E125B9332864956 -- C:\Documents and Settings\Frank\My Documents\GPS PACKS\SUPERPACK\SuperPack 3.5\MioAutoRun\System\CE4\explorer.exe

< MD5 for: SVCHOST.EXE >
[2012/04/04 15:56:38 | 000,199,240 | ---- | M] () MD5=097D0E812D7A9A3101CE46CB2BE0474D -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ERDNT\cache\svchost.exe
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\dllcache\svchost.exe
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2006/02/28 08:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

< MD5 for: USERINIT.EXE >
[2006/02/28 08:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\dllcache\userinit.exe
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2006/02/28 08:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2012/04/04 15:56:38 | 000,199,240 | ---- | M] () MD5=097D0E812D7A9A3101CE46CB2BE0474D -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790 -> Junction
[C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e -> Junction

< End of report >
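The "< MD5 for: ... >" blocks in the OTL report above list every copy of a core system binary (explorer.exe, svchost.exe, userinit.exe, winlogon.exe) with its size, signer name and MD5, so the helper can compare the copy that actually runs (C:\WINDOWS\explorer.exe, C:\WINDOWS\system32\svchost.exe and so on) against the reference copies Windows keeps in system32\dllcache and ServicePackFiles\i386. The following script is an added example, not part of this thread or of OTL itself: it parses that block format and flags a live copy whose MD5 differs from every reference copy, or which carries no company name at all. The sample input is constructed from the log's line format; the SERVICES.EXE section and its hashes of repeated letters are invented for the test and are not from this machine.

```python
import re
from collections import defaultdict

# One OTL MD5 line, e.g.
# [2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6... -- C:\WINDOWS\system32\svchost.exe
LINE_RE = re.compile(
    r"^\[(?P<stamp>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)\s*$"
)
# Section header, e.g. "< MD5 for: SVCHOST.EXE >"
HEADER_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>\S+)\s*>$")

# Constructed sample in OTL's format. The SVCHOST.EXE block mirrors the thread's
# log; the SERVICES.EXE block (and its placeholder hashes) is invented so that
# the checker has one mismatch to report.
SAMPLE_OTL = r"""
< MD5 for: SVCHOST.EXE >
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\dllcache\svchost.exe
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2012/04/04 15:56:38 | 000,199,240 | ---- | M] () MD5=097D0E812D7A9A3101CE46CB2BE0474D -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe

< MD5 for: SERVICES.EXE >
[2008/04/14 05:42:38 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -- C:\WINDOWS\system32\dllcache\services.exe
[2012/05/01 10:00:00 | 000,110,592 | ---- | M] () MD5=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB -- C:\WINDOWS\system32\services.exe
"""


def parse_md5_sections(text):
    """Return {filename: [entry, ...]} built from the '< MD5 for: NAME >' blocks."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").lower()
            continue
        m = LINE_RE.match(line)
        if m and current:
            sections[current].append({
                "size": int(m.group("size").replace(",", "")),
                "company": m.group("company").strip(),
                "md5": m.group("md5").upper(),
                "path": m.group("path"),
            })
    return dict(sections)


def is_live_copy(path, name):
    """The copy that is loaded at boot: %windir%\\NAME or %windir%\\system32\\NAME."""
    p = path.lower()
    return p.endswith("\\windows\\system32\\" + name) or p.endswith("\\windows\\" + name)


def is_reference_copy(path):
    """Copies Windows File Protection keeps as known-good originals."""
    p = path.lower()
    return "\\system32\\dllcache\\" in p or "\\servicepackfiles\\i386\\" in p


def check_sections(sections):
    """Return (filename, path, reason) for each live copy that fails the comparison.

    Copies elsewhere (backup caches, third-party tools that ship renamed binaries,
    unrelated files that happen to share the name) are ignored on purpose.
    """
    findings = []
    for name, entries in sections.items():
        reference_hashes = {e["md5"] for e in entries if is_reference_copy(e["path"])}
        for e in entries:
            if not is_live_copy(e["path"], name):
                continue
            if not e["company"]:
                findings.append((name, e["path"], "live copy carries no company/version info"))
            elif reference_hashes and e["md5"] not in reference_hashes:
                findings.append((name, e["path"], "live copy MD5 differs from dllcache/ServicePackFiles copies"))
    return findings


if __name__ == "__main__":
    for name, path, reason in check_sections(parse_md5_sections(SAMPLE_OTL)):
        print(f"{name}: {path} -- {reason}")
```

Only the live copy is judged, which is why the Malwarebytes Chameleon svchost.exe in the sample (and in the thread's real log) produces no finding: it is a renamed tool binary outside the Windows directories, not the one the system boots. A hash that is merely different is a lead, not a verdict; the next step is to check the flagged file against a known-good copy from install media or the dllcache entry.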

#94 portboy123

Posted 15 May 2012 - 07:53 PM

I couldn't run it as administrator as I don't remember my password. I am rerunning it now to see if I get the Extras file. I'm running it connected to the net with the firewall on and Avast on.

#95 jeffce

Posted 15 May 2012 - 07:57 PM

No, don't worry about getting an Extras.txt log. It is only created on the first run. :) I will return shortly.

#96 jeffce

Posted 15 May 2012 - 08:26 PM

Hi,

Please delete the current version of Combofix.exe from your desktop and download a new version from here to your desktop.

Disable your AntiVirus and AntiSpyware applications.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    Folder::
    C:\WINDOWS\$NtUninstallKB58311$
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    (Screenshot: CFScript.txt being dragged onto ComboFix.exe)
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

#97 portboy123

Posted 15 May 2012 - 09:49 PM

Hi Jeff, I got the same message again about rootkit ZeroAccess, then the other one, and it restarted and ran again. I also tried deleting that file inside the Avast scan but it won't let me. Well, here is the ComboFix log, and by the way the computer is much more responsive now, but I did have to put the netbt file into system32\drivers\ then start the DHCP service again.

ComboFix 12-05-15.04 - Frank 05/15/2012 23:05:07.12.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.272 [GMT -4:00]
Running from: c:\documents and settings\Frank\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Frank\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB58311$
c:\windows\$NtUninstallKB58311$\3377185364
.
.
((((((((((((((((((((((((( Files Created from 2012-04-16 to 2012-05-16 )))))))))))))))))))))))))))))))
.
.
2012-05-15 23:39 . 2008-04-13 19:21 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2012-05-09 00:42 . 2012-05-09 00:42 -------- d-----w- c:\program files\ERUNT
2012-05-08 02:06 . 2012-05-08 02:06 -------- d-----w- c:\documents and settings\Frank\Application Data\DriverCure
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-11 13:12 . 2006-02-28 12:00 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 13:10 . 2006-02-28 12:00 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 12:35 . 2004-08-03 22:59 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 19:56 . 2010-04-09 00:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-24 15:17 . 2011-05-16 16:37 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-06 23:15 . 2011-01-08 17:30 41184 ----a-w- c:\windows\avastSS.scr
2012-03-06 23:15 . 2011-01-08 17:30 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-06 23:03 . 2011-04-16 04:20 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-06 23:03 . 2011-01-08 17:30 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-06 23:02 . 2011-01-08 17:30 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-03-06 23:01 . 2011-01-08 17:30 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-06 23:01 . 2011-01-08 17:30 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-03-06 23:01 . 2011-01-08 17:30 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-03-06 23:01 . 2011-01-08 17:30 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-06 22:58 . 2011-01-08 17:30 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-03-01 11:01 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2006-02-28 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2006-02-28 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-09-05 20:27 203776 --sha-w- c:\windows\system32\unrar.exe
.
.
((((((((((((((((((((((((((((( SnapShot_2012-05-12_03.20.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-16 03:24 . 2012-05-16 03:24 16384 c:\windows\temp\usgthrsvc\Perflib_Perfdata_688.dat
+ 2012-05-12 13:22 . 2012-05-12 13:22 34632 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2012-05-12 01:53 . 2012-05-12 01:53 34632 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2012-05-12 13:24 . 2012-05-12 13:24 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\316e223f2ab8c69cd6a5a06de21650ec\System.Windows.Presentation.ni.dll
+ 2012-05-16 03:23 . 2009-10-07 06:47 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
+ 2012-04-06 03:13 . 2012-04-06 03:13 299080 c:\windows\system32\XPSViewer\XPSViewer.exe
+ 2011-12-22 20:50 . 2011-12-22 20:50 256000 c:\windows\Installer\219a5bc.msp
+ 2012-05-15 12:38 . 2012-05-15 12:38 180224 c:\windows\ERDNT\AutoBackup\5-15-2012\Users\00000002\UsrClass.dat
+ 2012-05-15 12:38 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\5-15-2012\ERDNT.EXE
+ 2012-05-14 10:49 . 2012-05-14 10:49 180224 c:\windows\ERDNT\AutoBackup\5-14-2012\Users\00000002\UsrClass.dat
+ 2012-05-14 10:49 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\5-14-2012\ERDNT.EXE
+ 2012-05-13 14:16 . 2012-05-13 14:16 180224 c:\windows\ERDNT\AutoBackup\5-13-2012\Users\00000002\UsrClass.dat
+ 2012-05-13 14:16 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\5-13-2012\ERDNT.EXE
+ 2012-05-12 13:30 . 2012-05-12 13:30 180224 c:\windows\ERDNT\AutoBackup\5-12-2012\Users\00000002\UsrClass.dat
+ 2012-05-12 13:30 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\5-12-2012\ERDNT.EXE
+ 2012-05-12 13:23 . 2012-05-12 13:23 634368 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\931a2bece4668863db4f852401c828cf\System.AddIn.ni.dll
+ 2012-05-12 13:17 . 2012-05-12 13:17 163840 c:\windows\assembly\GAC_MSIL\System.AddIn\3.5.0.0__b77a5c561934e089\System.AddIn.dll
- 2009-04-15 13:48 . 2009-04-15 13:48 163840 c:\windows\assembly\GAC_MSIL\System.AddIn\3.5.0.0__b77a5c561934e089\System.AddIn.dll
+ 2012-05-11 19:57 . 2012-02-09 15:43 1748992 c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.22791_x-ww_c8dff154\GdiPlus.dll
+ 2012-04-05 02:38 . 2012-04-05 02:38 2831360 c:\windows\Installer\219a5cb.msp
+ 2011-08-17 13:49 . 2011-08-17 13:49 4683624 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6612\WRD12CNV.DLL
+ 2012-05-15 12:38 . 2012-05-15 12:38 8491008 c:\windows\ERDNT\AutoBackup\5-15-2012\Users\00000001\ntuser.dat
+ 2012-05-14 10:49 . 2012-05-14 10:49 8355840 c:\windows\ERDNT\AutoBackup\5-14-2012\Users\00000001\ntuser.dat
+ 2012-05-13 14:16 . 2012-05-13 14:16 8318976 c:\windows\ERDNT\AutoBackup\5-13-2012\Users\00000001\ntuser.dat
+ 2012-05-12 13:30 . 2012-05-12 13:30 8318976 c:\windows\ERDNT\AutoBackup\5-12-2012\Users\00000001\ntuser.dat
+ 2007-08-29 17:57 . 2012-05-12 13:12 55656824 c:\windows\system32\MRT.exe
+ 2012-04-06 06:12 . 2012-04-06 06:12 15709696 c:\windows\Installer\219a5c3.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2012-03-06 4241512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-07-28 49152]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-02-28 44544]
.
c:\documents and settings\Frank\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0cleanMFT32 -c C:\Program
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Frank^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Frank^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 15:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-02 23:23 102400 ----a-w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX6000 Series]
2006-02-13 09:00 131072 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIBIA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iIWiper]
2005-09-11 17:24 258048 ----a-w- c:\program files\iISystem Wiper\SystemWiper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 18:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-04-04 19:56 462408 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sha-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-07-28 18:19 4841472 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-07-28 18:19 323584 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-29 03:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-03-31 22:38 3905920 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YMailAdvisor]
2009-05-08 10:53 174424 ----a-w- c:\program files\Yahoo!\Common\YMailAdvisor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2010-04-01 03:34 243000 ----a-w- c:\program files\Yahoo!\Search Protection\YspService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ioloSystemService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/16/2011 12:20 AM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/8/2011 1:30 PM 337880]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/8/2011 1:30 PM 20696]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/8/2010 8:40 PM 654408]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [8/19/2011 10:26 AM 450848]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/8/2010 8:40 PM 22344]
S3 CA500AI;SPCA500A Still Image Capture, Sunplus Version 1.00;c:\windows\system32\Drivers\BULKUSB.sys --> c:\windows\system32\Drivers\BULKUSB.sys [?]
S3 CA500AV;CaptureView VGA;c:\windows\system32\DRIVERS\CA500AV.SYS --> c:\windows\system32\DRIVERS\CA500AV.SYS [?]
S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [7/10/2003 11:09 AM 96256]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys --> c:\windows\system32\DRIVERS\ivusb.sys [?]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\Frank\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\Frank\LOCALS~1\Temp\mfe_rr.sys [?]
S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2/28/2006 8:00 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-16 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-01-23 01:06]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
mStart Page =
uSearchAssistant =
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} - hxxps://www36.verizon.com/CallAssistant/MyAccount/UnProtected/Voice%20Mail/VCAVMUtil.CAB
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-ITBar7Position - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-15 23:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(512)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(276)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-05-15 23:34:24 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-16 03:34
ComboFix2.txt 2012-05-14 22:09
ComboFix3.txt 2012-05-14 19:18
ComboFix4.txt 2012-05-14 15:21
ComboFix5.txt 2012-05-15 13:05
.
Pre-Run: 15,022,002,176 bytes free
Post-Run: 15,032,438,784 bytes free
.
- - End Of File - - 0C70240AA2481123ABB08DA843BA3C96

#98 jeffce

Posted 16 May 2012 - 12:28 PM

Hi, could you run ComboFix once again? Post the new log created and let me know if the ZeroAccess warning is still being reported. :)

#99 portboy123

Posted 16 May 2012 - 08:55 PM

Hi Jeff, NO ZERO ACCESS WARNING, but I still have to copy and paste netbt into C:\Windows\system32\drivers, then I have to go to Control Panel > Administrative Tools > Services and start it. Here is the log from ComboFix.

ComboFix 12-05-15.04 - Frank 05/16/2012 22:07:52.13.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.181 [GMT -4:00]
Running from: c:\documents and settings\Frank\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((( Files Created from 2012-04-17 to 2012-05-17 )))))))))))))))))))))))))))))))
.
.
2012-05-17 01:52 . 2008-04-13 19:21 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2012-05-17 01:52 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-05-09 00:42 . 2012-05-09 00:42 -------- d-----w- c:\program files\ERUNT
2012-05-08 02:06 . 2012-05-16 04:12 -------- d-----w- c:\documents and settings\Frank\Application Data\DriverCure
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-11 13:12 . 2006-02-28 12:00 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 13:10 . 2006-02-28 12:00 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 12:35 . 2004-08-03 22:59 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 19:56 . 2010-04-09 00:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-24 15:17 . 2011-05-16 16:37 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-06 23:15 . 2011-01-08 17:30 41184 ----a-w- c:\windows\avastSS.scr
2012-03-06 23:15 . 2011-01-08 17:30 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-06 23:03 . 2011-04-16 04:20 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-06 23:03 . 2011-01-08 17:30 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-06 23:02 . 2011-01-08 17:30 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-03-06 23:01 . 2011-01-08 17:30 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-06 23:01 . 2011-01-08 17:30 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-03-06 23:01 . 2011-01-08 17:30 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-03-06 23:01 . 2011-01-08 17:30 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-06 22:58 . 2011-01-08 17:30 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-03-01 11:01 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2006-02-28 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2006-02-28 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-09-05 20:27 203776 --sha-w- c:\windows\system32\unrar.exe
.
.
((((((((((((((((((((((((((((( SnapShot_2012-05-12_03.20.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-17 01:51 . 2012-05-17 01:51 16384 c:\windows\temp\usgthrsvc\Perflib_Perfdata_3d0.dat
- 2012-05-12 01:53 . 2012-05-12 01:53 34632 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2012-05-12 13:22 . 2012-05-12 13:22 34632 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2012-05-12 13:24 . 2012-05-12 13:24 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\316e223f2ab8c69cd6a5a06de21650ec\System.Windows.Presentation.ni.dll
+ 2012-04-06 03:13 . 2012-04-06 03:13 299080 c:\windows\system32\XPSViewer\XPSViewer.exe
+ 2011-12-22 20:50 . 2011-12-22 20:50 256000 c:\windows\Installer\219a5bc.msp
+ 2012-05-16 15:44 . 2012-05-16 15:44 180224 c:\windows\ERDNT\AutoBackup\5-16-2012\Users\00000002\UsrClass.dat
+ 2012-05-16 15:44 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\5-16-2012\ERDNT.EXE
+ 2012-05-15 12:38 . 2012-05-15 12:38 180224 c:\windows\ERDNT\AutoBackup\5-15-2012\Users\00000002\UsrClass.dat
+ 2012-05-15 12:38 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\5-15-2012\ERDNT.EXE
+ 2012-05-14 10:49 . 2012-05-14 10:49 180224 c:\windows\ERDNT\AutoBackup\5-14-2012\Users\00000002\UsrClass.dat
+ 2012-05-14 10:49 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\5-14-2012\ERDNT.EXE
+ 2012-05-13 14:16 . 2012-05-13 14:16 180224 c:\windows\ERDNT\AutoBackup\5-13-2012\Users\00000002\UsrClass.dat
+ 2012-05-13 14:16 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\5-13-2012\ERDNT.EXE
+ 2012-05-12 13:30 . 2012-05-12 13:30 180224 c:\windows\ERDNT\AutoBackup\5-12-2012\Users\00000002\UsrClass.dat
+ 2012-05-12 13:30 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\5-12-2012\ERDNT.EXE
+ 2012-05-12 13:23 . 2012-05-12 13:23 634368 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\931a2bece4668863db4f852401c828cf\System.AddIn.ni.dll
+ 2012-05-12 13:17 . 2012-05-12 13:17 163840 c:\windows\assembly\GAC_MSIL\System.AddIn\3.5.0.0__b77a5c561934e089\System.AddIn.dll
- 2009-04-15 13:48 . 2009-04-15 13:48 163840 c:\windows\assembly\GAC_MSIL\System.AddIn\3.5.0.0__b77a5c561934e089\System.AddIn.dll
+ 2012-05-11 19:57 . 2012-02-09 15:43 1748992 c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.22791_x-ww_c8dff154\GdiPlus.dll
+ 2012-04-05 02:38 . 2012-04-05 02:38 2831360 c:\windows\Installer\219a5cb.msp
+ 2011-08-17 13:49 . 2011-08-17 13:49 4683624 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6612\WRD12CNV.DLL
+ 2012-05-16 15:44 . 2012-05-16 15:44 8564736 c:\windows\ERDNT\AutoBackup\5-16-2012\Users\00000001\ntuser.dat
+ 2012-05-15 12:38 . 2012-05-15 12:38 8491008 c:\windows\ERDNT\AutoBackup\5-15-2012\Users\00000001\ntuser.dat
+ 2012-05-14 10:49 . 2012-05-14 10:49 8355840 c:\windows\ERDNT\AutoBackup\5-14-2012\Users\00000001\ntuser.dat
+ 2012-05-13 14:16 . 2012-05-13 14:16 8318976 c:\windows\ERDNT\AutoBackup\5-13-2012\Users\00000001\ntuser.dat
+ 2012-05-12 13:30 . 2012-05-12 13:30 8318976 c:\windows\ERDNT\AutoBackup\5-12-2012\Users\00000001\ntuser.dat
+ 2007-08-29 17:57 . 2012-05-12 13:12 55656824 c:\windows\system32\MRT.exe
+ 2012-04-06 06:12 . 2012-04-06 06:12 15709696 c:\windows\Installer\219a5c3.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2012-03-06 4241512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-07-28 49152]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-02-28 44544]
.
c:\documents and settings\Frank\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0cleanMFT32 -c C:\Program
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Frank^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Frank^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 15:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-02 23:23 102400 ----a-w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX6000 Series]
2006-02-13 09:00 131072 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIBIA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 18:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-04-04 19:56 462408 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sha-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-07-28 18:19 4841472 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-07-28 18:19 323584 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-29 03:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-03-31 22:38 3905920 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YMailAdvisor]
2009-05-08 10:53 174424 ----a-w- c:\program files\Yahoo!\Common\YMailAdvisor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2010-04-01 03:34 243000 ----a-w- c:\program files\Yahoo!\Search Protection\YspService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ioloSystemService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/16/2011 12:20 AM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/8/2011 1:30 PM 337880]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/8/2011 1:30 PM 20696]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/8/2010 8:40 PM 654408]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [8/19/2011 10:26 AM 450848]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/8/2010 8:40 PM 22344]
S3 CA500AI;SPCA500A Still Image Capture, Sunplus Version 1.00;c:\windows\system32\Drivers\BULKUSB.sys --> c:\windows\system32\Drivers\BULKUSB.sys [?]
S3 CA500AV;CaptureView VGA;c:\windows\system32\DRIVERS\CA500AV.SYS --> c:\windows\system32\DRIVERS\CA500AV.SYS [?]
S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [7/10/2003 11:09 AM 96256]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys --> c:\windows\system32\DRIVERS\ivusb.sys [?]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\Frank\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\Frank\LOCALS~1\Temp\mfe_rr.sys [?]
S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2/28/2006 8:00 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-17 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-01-23 01:06]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
mStart Page =
uSearchAssistant =
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} - hxxps://www36.verizon.com/CallAssistant/MyAccount/UnProtected/Voice%20Mail/VCAVMUtil.CAB
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-ITBar7Position - (no file)
MSConfigStartUp-iIWiper - c:\program files\iISystem Wiper\SystemWiper.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-16 22:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(516)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3668)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-05-16 22:30:25
ComboFix-quarantined-files.txt 2012-05-17 02:30
ComboFix2.txt 2012-05-16 03:34
ComboFix3.txt 2012-05-14 22:09
ComboFix4.txt 2012-05-14 19:18
ComboFix5.txt 2012-05-17 02:00
.
Pre-Run: 14,709,399,552 bytes free
Post-Run: 14,702,514,176 bytes free
.
- - End Of File - - F1EFC4E5DAE1AFEBE8554F9CCDED5948

#100 portboy123

Posted 16 May 2012 - 08:58 PM

I think I might be missing c:\windows\system32\svchost.exe -k netsvcs. Just looking around, I didn't see it anywhere.

#101 jeffce

Posted 17 May 2012 - 07:52 AM

Hi,

Please run Farbar Service Scanner on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.

#102 portboy123

Posted 17 May 2012 - 08:00 PM

Hi Jeff, sorry, I was out all day working. I ran this after I added netbt to C:\windows\system32\drivers, then went to Control Panel > Administrative Tools > Services and started it. Here is the log:

Farbar Service Scanner Version: 17-05-2012
Ran by Frank (administrator) on 17-05-2012 at 21:55:38
Running from "C:\Documents and Settings\Frank\desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Attempt to access Yahoo IP returned error: Yahoo IP is offline

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(9) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) 0x0A0000000500000001000000020000000300000004000000090000000800000006000000070000000A000000
IpSec Tag value is correct.

**** End of log ****

Edited by portboy123, 17 May 2012 - 08:08 PM.


#103 portboy123

Posted 17 May 2012 - 08:02 PM

Hi Jeff, I am going to restart and run it while it is acquiring a network address. I'll post that log once I have set up the settings.

#104 portboy123

Posted 17 May 2012 - 08:17 PM

Hi Jeff, I no longer have to copy and paste netbt into C:\WINDOWS\system32\drivers, but I do have to start the service in Control Panel > Administrative Tools > Services. Here is that log:

Farbar Service Scanner Version: 17-05-2012
Ran by Frank (administrator) on 17-05-2012 at 22:08:33
Running from "C:\Documents and Settings\Frank\desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.
The ImagePath of NetBt service is OK.

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returned error: Yahoo IP is unreachable

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(9) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) 0x0A0000000500000001000000020000000300000004000000090000000800000006000000070000000A000000
IpSec Tag value is correct.

**** End of log ****
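The two FSS logs posted above share one format, and when several of them arrive in a thread like this it helps to triage them mechanically rather than by eye. The Python script below is an added example, not part of this thread and not code from Farbar Service Scanner itself. It reads an FSS.txt and lists the services reported as not running, the service configuration checks that came back as anything other than OK, the connectivity probes that failed, and every File Check entry whose verdict is not "MD5 is legit" (so it does not depend on FSS's exact wording for failures). It also decodes the GroupOrderList blob printed in the Extra List and confirms that each listed driver's tag really appears in the load order. The embedded SAMPLE_LOG is constructed from the shape of the logs above (user name replaced, file list abridged). The blob layout it assumes, a count DWORD followed by that many little-endian tag DWORDs, is how the PNP_TDI GroupOrderList registry value is stored; the section headers and line wordings it matches are the ones visible in those logs, and any other line is ignored.

```python
"""Triage a Farbar Service Scanner (FSS.txt) log.

Added example for this thread; not part of FSS or of any post above. It only
understands the line formats visible in the logs posted here. The GroupOrderList
decoding assumes the REG_BINARY layout of the PNP_TDI GroupOrderList value:
a count DWORD followed by that many little-endian tag DWORDs (an assumption).
"""
from __future__ import annotations

import re
import struct

# Constructed sample in the shape of the logs posted above (abridged, user name
# replaced). The hex blob keeps a stray space exactly where a forum line wrap
# would leave one, so the decoder has to tolerate it.
SAMPLE_LOG = r"""Farbar Service Scanner Version: 17-05-2012
Ran by User (administrator) on 17-05-2012 at 22:08:33
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.
The ImagePath of NetBt service is OK.

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returned error: Yahoo IP is unreachable

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

Extra List:
=======
aswTdi(9) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) 0x0A0000000500000001000000020000000300000004000000090000000800000006000000070000 000A000000
IpSec Tag value is correct.

**** End of log ****
"""

NOT_RUNNING = re.compile(r"^(\w+) Service is not running\.")
CONFIG = re.compile(r"^The (start type|ImagePath|ServiceDll) of (\w+) service is (.+)\.$")
PROBE = re.compile(r"^Attempt to access (.+?) returned error:")
FILE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+) => (?P<verdict>.+)$")
TAG = re.compile(r"(\w+)\((\d+)\)")            # e.g. "IPSec(5)" -> ("IPSec", "5")
SECTION = re.compile(r"^([A-Za-z ]+):$")        # e.g. "Extra List:"


def decode_group_order(hex_blob: str) -> list[int]:
    """Decode a GroupOrderList value as FSS prints it (without the 0x prefix):
    a count DWORD, then that many tag DWORDs, all little-endian. Whitespace
    inserted by line wrapping is discarded first."""
    raw = bytes.fromhex(re.sub(r"\s+", "", hex_blob))
    (count,) = struct.unpack_from("<I", raw, 0)
    return list(struct.unpack_from(f"<{count}I", raw, 4))


def analyze(log_text: str) -> dict:
    """Return the findings a responder would act on, grouped by kind."""
    report = {
        "not_running": [],      # services FSS found stopped
        "config_problems": [],  # start type / ImagePath / ServiceDll not OK
        "unreachable": [],      # connectivity probes that failed
        "file_problems": [],    # File Check lines other than "MD5 is legit"
        "missing_tags": [],     # drivers whose tag is absent from the load order
    }
    section, tags, order = None, {}, []
    for line in log_text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            section = m.group(1)
        elif m := NOT_RUNNING.match(line):
            report["not_running"].append(m.group(1))
        elif m := CONFIG.match(line):
            if m.group(3) != "OK":
                report["config_problems"].append(f"{m.group(2)}: {m.group(1)}")
        elif m := PROBE.match(line):
            report["unreachable"].append(m.group(1))
        elif m := FILE.match(line):
            if m.group("verdict") != "MD5 is legit":
                report["file_problems"].append(f"{m.group('path')}: {m.group('verdict')}")
        elif section == "Extra List":
            tags.update({name: int(tag) for name, tag in TAG.findall(line)})
            if "0x" in line:
                order = decode_group_order(line.split("0x", 1)[1])
    # A driver whose tag is not in the GroupOrderList does not get loaded in its
    # group's order, which leaves networking broken even when every file hashes clean.
    report["missing_tags"] = [name for name, tag in tags.items() if tag not in order]
    return report


def needs_attention(report: dict) -> bool:
    """True when any finding category is non-empty."""
    return any(report[key] for key in report)


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for kind, items in findings.items():
        if items:
            print(f"{kind}: {', '.join(items)}")
    print("needs attention" if needs_attention(findings) else "clean")
```

Run it as-is to see the constructed sample triaged, or pass the text of a real FSS.txt to analyze(). A clean log yields an empty list under every key; the sample reports Dhcp and NetBt as not running and both Internet probes as unreachable, which is the state post #104 describes, while the file hashes and the IPSec tag check out.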

#105 jeffce

Posted 18 May 2012 - 05:28 AM

Is that service set to Automatic? Is that what you are setting it to? :)