
Shortly after Thanksgiving, I was having issues with the Ping.exe running my CPU usage up to 100% and freezing my computer. I ran my Avira Antivirus and it said it had found a Trojan, and quarantined it. However, after this, I was still having issues with the Ping.exe issue.

I then tried to do a system restore to "undo" these issues, but it told me that it was unable to complete the restore, and left me still having issues. As I was looking for resolutions online, I found PhilliePhan's thread helping out another person with similar issues. He referred him back to a previous thread, and I followed those steps.
http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/390805

I previously ran the newest Malwarebytes' Anti-Malware version, and both it and Avira claimed to find 1 threat and quarantine it. I can get you a screenshot of the message if it would help. I was still not able to run my system restore function and have it complete successfully. I read another forum that suggested turning off System Restore > rebooting > re-activating System Restore. I did that already; however, I have not tried it out yet.

I have also lost connectivity on my wireless adapter (however, that might not be related). It is telling me that I am connected to my network and authenticated; however, it never assigns an address, and then tells me that I have limited or no connectivity. For this I have tried resetting the wireless adapter and the router, and even checked a few of the forums looking for other suggestions.

I am way over my head here, and getting frustrated. I just had my computer repaired back in April by a guy in my church.

I was hoping someone could take a look through the files that PhilliePhan requested and help me out with my issues.
Thanks in advance for any help!

Here are the requested files
GMER One:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-12-04 17:31:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3120023A rev.3.33
Running: 0d3kkovl.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\afacyfog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


GMER Two:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-04 18:42:26
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3120023A rev.3.33
Running: 0d3kkovl.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\afacyfog.sys


---- System - GMER 1.0.15 ----

SSDT F8B57A4C ZwClose
SSDT F8B57A06 ZwCreateKey
SSDT F8B57A56 ZwCreateSection
SSDT F8B579FC ZwCreateThread
SSDT F8B57A0B ZwDeleteKey
SSDT F8B57A15 ZwDeleteValueKey
SSDT F8B57A47 ZwDuplicateObject
SSDT F8B57A1A ZwLoadKey
SSDT F8B579E8 ZwOpenProcess
SSDT F8B579ED ZwOpenThread
SSDT F8B57A24 ZwReplaceKey
SSDT F8B57A1F ZwRestoreKey
SSDT F8B57A5B ZwSetContextThread
SSDT F8B57A10 ZwSetValueKey
SSDT F8B579F7 ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB25972$\2319490435 0 bytes
File C:\WINDOWS\$NtUninstallKB25972$\3449333996 0 bytes
File C:\WINDOWS\$NtUninstallKB25972$\3449333996\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB25972$\3449333996\bckfg.tmp 803 bytes
File C:\WINDOWS\$NtUninstallKB25972$\3449333996\cfg.ini 201 bytes
File C:\WINDOWS\$NtUninstallKB25972$\3449333996\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB25972$\3449333996\keywords 197 bytes
File C:\WINDOWS\$NtUninstallKB25972$\3449333996\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB25972$\3449333996\L 0 bytes
File C:\WINDOWS\$NtUninstallKB25972$\3449333996\L\okybosud 162816 bytes
File C:\WINDOWS\$NtUninstallKB25972$\3449333996\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB25972$\3449333996\U 0 bytes
File C:\WINDOWS\$NtUninstallKB25972$\3449333996\U\00000001.@ 1536 bytes
File C:\WINDOWS\$NtUninstallKB25972$\3449333996\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB25972$\3449333996\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB25972$\3449333996\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB25972$\3449333996\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB25972$\3449333996\U\80000032.$ 0 bytes
File C:\WINDOWS\$NtUninstallKB25972$\3449333996\U\80000032.@ 98304 bytes

---- EOF - GMER 1.0.15 ----


DDS:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_27
Run by Owner at 20:29:22 on 2011-12-04
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.95 [GMT -5:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Wireless\NT-USB150M Wireless N Client Utility\NWCU.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Owner\Desktop\windows-kb890830-v4.2.exe
c:\6aefb0d242c0c7ff2f3e22\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [NWCU] "c:\program files\wireless\nt-usb150m wireless n client utility\NWCU.exe" -nogui
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{058D4BD2-8779-4888-BA4A-BF309078DE48} : DhcpNameServer = 192.168.2.1 192.168.2.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\wvpwlq2l.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\owner\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R? NPF;WinPcap Packet Driver (NPF)
R? WMZuneComm;Zune Windows Mobile Connectivity Service
S? AntiVirSchedulerService;Avira AntiVir Scheduler
S? AntiVirService;Avira AntiVir Guard
S? AR9271;Wireless Network Adapter Service
S? avgio;avgio
S? avgntflt;avgntflt
S? MBAMProtector;MBAMProtector
S? MBAMService;MBAMService
.
=============== Created Last 30 ================
.
2011-12-05 01:28:58 -------- d-----w- C:\6aefb0d242c0c7ff2f3e22
2011-12-04 01:55:10 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes
2011-12-03 22:45:27 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-12-03 22:45:27 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-03 22:44:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-03 20:02:46 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-03 20:02:11 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-30 18:13:05 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2011-11-30 18:13:05 281104 ----a-w- c:\windows\system32\wpcap.dll
2011-11-30 18:13:05 100880 ----a-w- c:\windows\system32\Packet.dll
2011-11-09 05:08:42 -------- d-----w- c:\documents and settings\owner\local settings\application data\AOL
2011-11-09 05:04:25 -------- d-----w- c:\program files\common files\Software Update Utility
2011-11-09 05:04:24 -------- d-----w- c:\program files\common files\AOL
.
==================== Find3M ====================
.
2011-11-08 01:39:07 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 20:31:58.93 ===============

Attach:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/18/2011 6:59:13 PM
System Uptime: 12/4/2011 5:03:31 PM (3 hours ago)
.
Motherboard: Dell Computer Corp. | |
Processor: Intel(R) Pentium(R) 4 CPU 3.06GHz | Microprocessor | 3056/533mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 28.217 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Input Device
Device ID: PCI\VEN_1102&DEV_7004&SUBSYS_10031102&REV_00\4&3B1CAF2B&0&11F0
Manufacturer:
Name: PCI Input Device
PNP Device ID: PCI\VEN_1102&DEV_7004&SUBSYS_10031102&REV_00\4&3B1CAF2B&0&11F0
Service:
.
==== System Restore Points ===================
.
RP103: 9/6/2011 12:48:59 PM - System Checkpoint
RP104: 9/7/2011 8:17:20 PM - System Checkpoint
RP105: 9/9/2011 12:29:39 PM - System Checkpoint
RP106: 9/12/2011 3:24:34 PM - System Checkpoint
RP107: 9/14/2011 12:04:30 AM - System Checkpoint
RP108: 9/16/2011 11:59:19 AM - System Checkpoint
RP109: 9/19/2011 9:20:25 PM - System Checkpoint
RP110: 9/21/2011 12:49:20 AM - System Checkpoint
RP111: 9/22/2011 3:10:40 PM - System Checkpoint
RP112: 9/24/2011 2:48:14 PM - System Checkpoint
RP113: 9/27/2011 12:43:00 AM - System Checkpoint
RP114: 9/28/2011 5:15:18 PM - System Checkpoint
RP115: 9/30/2011 1:09:08 PM - System Checkpoint
RP116: 10/12/2011 2:49:03 PM - System Checkpoint
RP117: 10/14/2011 1:08:30 AM - System Checkpoint
RP118: 10/17/2011 3:20:57 PM - System Checkpoint
RP119: 10/19/2011 3:18:38 PM - System Checkpoint
RP120: 10/21/2011 4:48:53 PM - System Checkpoint
RP121: 10/24/2011 4:49:43 PM - System Checkpoint
RP122: 10/25/2011 6:41:31 PM - System Checkpoint
RP123: 10/28/2011 3:07:28 PM - System Checkpoint
RP124: 10/31/2011 1:35:34 PM - System Checkpoint
RP125: 11/1/2011 2:02:13 PM - System Checkpoint
RP126: 11/2/2011 4:23:52 PM - System Checkpoint
RP127: 11/3/2011 4:50:55 PM - System Checkpoint
RP128: 11/7/2011 8:37:54 AM - System Checkpoint
RP129: 11/9/2011 8:56:52 PM - System Checkpoint
RP130: 11/14/2011 12:48:26 PM - System Checkpoint
RP131: 11/15/2011 1:37:31 PM - System Checkpoint
RP132: 11/17/2011 7:58:43 PM - System Checkpoint
RP133: 11/18/2011 11:02:27 PM - System Checkpoint
RP134: 11/21/2011 2:11:05 PM - System Checkpoint
RP135: 11/22/2011 3:49:47 PM - System Checkpoint
RP136: 11/26/2011 9:28:51 PM - no audio !!!
RP137: 11/26/2011 9:29:45 PM - Restore Operation
RP138: 11/26/2011 10:59:59 PM - after problem resolved and scan done
RP139: 11/28/2011 3:15:48 PM - System Checkpoint
RP140: 11/29/2011 7:34:41 PM - System Checkpoint
RP141: 11/30/2011 2:44:52 AM - Restore Operation
RP142: 11/30/2011 2:56:15 AM - after fake antivirus scare
RP143: 11/30/2011 1:34:00 PM - repaired after scare - SRB
RP144: 11/30/2011 9:50:10 PM - Restore Operation
RP145: 11/30/2011 9:53:01 PM - back again i think - srb
RP146: 12/3/2011 3:52:50 PM - System Checkpoint
RP147: 12/3/2011 4:53:27 PM - Restore Operation
RP148: 12/3/2011 5:06:30 PM - Restore Operation
RP149: 12/3/2011 5:10:29 PM - Restore Operation
RP150: 12/3/2011 5:24:41 PM - minus two exe's
RP151: 12/3/2011 5:44:17 PM - Restore Operation
RP152: 12/3/2011 5:56:19 PM - Restore Operation
RP153: 12/3/2011 6:21:49 PM - Restore Operation
RP154: 12/3/2011 9:02:08 PM - Restore Operation
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Photoshop 7.0
Adobe Reader X (10.1.0)
Audacity 1.3.13 (Unicode)
Avira AntiVir Personal - Free Antivirus
BCM V.92 56K Modem
CleanUp!
ConvertHelper 2.2
Download Updater (AOL LLC)
Easy CD Creator 5 Basic
Facebook Video Calling 1.0.0.8953
Ghost Recon
Google Talk Plugin
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format 11 SDK (KB973442)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Intel(R) PRO Network Connections Drivers
Java Auto Updater
Java(TM) 6 Update 27
Logitech Vid
Logitech Webcam Software
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft WinUsb 1.0
Mozilla Firefox 8.0 (x86 en-US)
NT-USB150M Wireless N Client Utility
NVIDIA Display Driver
Project64 1.6
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2497640)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Spybot - Search & Destroy
Tom Clancy's Rainbow Six 3: Raven Shield
Tom Clancy's Splinter Cell
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
UpStage 1.0.2.0
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Mobile Device Updater Component
Windows Tetris 1.01
Windows XP Service Pack 3
Zune
Zune Language Pack (DEU)
Zune Language Pack (ESP)
Zune Language Pack (FRA)
Zune Language Pack (ITA)
Zune Language Pack (NLD)
Zune Language Pack (PTB)
Zune Language Pack (PTG)
.
==== Event Viewer Messages From Past Week ========
.
12/4/2011 5:40:39 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
12/4/2011 4:20:13 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
12/4/2011 4:20:02 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
12/3/2011 9:18:36 PM, error: Service Control Manager [7000] - The MBAMSwissArmy service failed to start due to the following error: The system cannot find the file specified.
12/3/2011 4:52:55 PM, error: Service Control Manager [7003] - The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT
12/3/2011 4:52:55 PM, error: Service Control Manager [7003] - The DHCP Client service depends on the following nonexistent service: NetBT
11/30/2011 9:15:50 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip
11/30/2011 9:15:50 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
11/30/2011 9:15:50 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/30/2011 9:15:50 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/30/2011 9:15:50 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/30/2011 9:15:32 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
11/30/2011 9:15:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/30/2011 2:51:32 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
.
==== End Of File ===========================

MBAM Log:
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7622

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/4/2011 8:26:50 PM
mbam-log-2011-12-04 (20-26-50).txt

Scan type: Full scan (C:\|)
Objects scanned: 239653
Time elapsed: 1 hour(s), 43 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
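Added example, not part of the thread: a small Python parser for the GMER scanlog format posted above. It splits the log on the "---- Section - GMER x.y.z ----" headers, pulls the SSDT entries and the Files section into plain structures, and runs two triage helpers over them (how tightly the hooked addresses cluster, and which listed entries are zero bytes). The embedded excerpt is constructed from a handful of lines of the log above and is not the complete log; the log itself does not name the module owning the hook addresses, so the code only reports what the scanner listed.

```python
import re
from collections import defaultdict

# Constructed excerpt in the GMER 1.0.15 scanlog format, built from a handful
# of lines of the scanlog posted above; it is NOT the complete log.
SAMPLE_LOG = r"""
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-04 18:42:26
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3120023A rev.3.33


---- System - GMER 1.0.15 ----

SSDT F8B57A4C ZwClose
SSDT F8B57A06 ZwCreateKey
SSDT F8B579E8 ZwOpenProcess
SSDT F8B579F7 ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB25972$\2319490435 0 bytes
File C:\WINDOWS\$NtUninstallKB25972$\3449333996\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB25972$\3449333996\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB25972$\3449333996\U\80000032.$ 0 bytes
File C:\WINDOWS\$NtUninstallKB25972$\3449333996\U\80000032.@ 98304 bytes

---- EOF - GMER 1.0.15 ----
"""

# "---- <Section> - GMER <version> ----" separates the log into sections.
SECTION_RE = re.compile(r"^---- (\w+) - GMER [\d.]+ ----$")
# "SSDT <hex address> <Zw* service>": a service table entry GMER reports as redirected.
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\w+)$")
# "File <path> <size> bytes": an entry the scanner lists in its Files section.
FILE_RE = re.compile(r"^File\s+(.+?)\s+(\d+) bytes$")


def parse_gmer_log(text):
    """Return {'ssdt': [(address, service)], 'files': [(path, size)]} from a GMER log."""
    found = {"ssdt": [], "files": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section == "System":
            m = SSDT_RE.match(line)
            if m:
                found["ssdt"].append((int(m.group(1), 16), m.group(2)))
        elif section == "Files":
            m = FILE_RE.match(line)
            if m:
                found["files"].append((m.group(1), int(m.group(2))))
    return found


def ssdt_hook_span(ssdt):
    """Lowest and highest hooked address and the distance between them.

    A tight cluster means one module holds every hook; the GMER log does not
    name that module, so this only says where to look, not what it is."""
    if not ssdt:
        return None
    addrs = sorted(addr for addr, _ in ssdt)
    return addrs[0], addrs[-1], addrs[-1] - addrs[0]


def files_by_directory(files):
    """Group File entries by parent directory: {directory: [(name, size), ...]}."""
    grouped = defaultdict(list)
    for path, size in files:
        directory, _, name = path.rpartition("\\")
        grouped[directory].append((name, size))
    return dict(grouped)


def zero_byte_entries(files):
    """Paths the scanner listed with a size of 0 bytes (subdirectories show up
    this way too); these are the entries to look at by hand first."""
    return [path for path, size in files if size == 0]


if __name__ == "__main__":
    parsed = parse_gmer_log(SAMPLE_LOG)
    lo, hi, span = ssdt_hook_span(parsed["ssdt"])
    print(f"{len(parsed['ssdt'])} SSDT hooks in {hex(lo)}..{hex(hi)} ({span} bytes apart)")
    for directory, entries in files_by_directory(parsed["files"]).items():
        print(directory)
        for name, size in entries:
            print(f"  {name:<12} {size:>8} bytes")
    print("zero-byte entries:", zero_byte_entries(parsed["files"]))
```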


You failed to update MBA-M before the scan. That is a must, since MBA-M releases updates multiple times daily; the absolute rule is to update before each and every scan, even multiple scans run the same day. An update may have been released while you were scanning. Your log shows Database version: 7622, and the current Database version is 8325. You need to update it and do the full scan again.
If you cannot get online using Wi-Fi, try plugging the internet cable directly into the computer and see if you can go online.

DO NOT use System Restore; this will not remove an infection and could possibly make it that much harder to remove, because System Restore could remove visible traces of the infection but not the infection itself.
Leave System Restore alone.

A screenshot of items removed by Avira and MBA-M is not what we need to see; what we need to see are the logs created by both programs at the time of removal. Both are readily available within each program. Please look for those logs and post them both.

I do have to stress that since MBA-M found something with an out-of-date database, there very likely is much more there; that program must be updated and run again.



Hi CCG,

In addition to what Judy has posted above, there are a couple of tools we need to run after the fresh MBAM scan.

If you have any trouble with the steps, just let us know and we'll talk you through it - no worries :)

When you run these tools, be sure ALL other windows are closed and you are not running any other tools or programs.

--- Please download aswMBR and run it as per the directions in the linky.
- Please save the scanlog as directed in the linky and just Copy & Paste it into your next reply. Do Not fix anything just yet.
- If it asks to download Avast!'s Anti-virus database, please go ahead and do that.


--- Then, please download OTL.exe to the Desktop.

Run OTL.

- Where it says Output, change it to Minimal Output.
- Change the Standard Registry Box to All.
- Check the boxes for the LOP Check and the Purity Check.

Then, hit the Run Scan button.

--- TWO scanlogs should open (and also be saved on the Desktop with OTL.exe) --- > OTL.Txt and Extras.Txt.

Please Copy & Paste these into your reply for us and we will go from there.
There are likely two more tools we'll need to run, but let's just start with the above for now.

Cheers :)
PP



I would have sworn I accepted the updated MBA-M when it gave me an option. I will try that now. I will also post copies of the other logs as soon as possible.

As for plugging in the network cable directly, it has no effect. I get the pop-up that tells me that the wireless connection has been de-activated because the cable is plugged in. Then it sits there with the same type of message: "connected, and looking for an address". It never connects.


Ok, please bear with me on this. How do you update the MBA-M on a computer that doesn't connect to the internet? I tried to save the updated database from their website to my jump drive, but my sister's A/V program told me I needed to enter a password for it. (I'm accessing the forum from her laptop, and don't want to risk anything happening to hers).


You will have to get her password from her, as it is her program asking for a password.

For now skip that part and do the other steps that PhilliePhan has given you.



Hey CCG,

These tools can be burned to a CD if that is easier for you. That way you can use the flash drive only to help post scanlogs.

I completely spaced on the connectivity issue, so it may save some time to download these tools in addition to the ones I mentioned before and put them on the disk as well:

combofix

tdsskiller

-- See if you are able to run the two scans from my previous post and we'll go from there. Judy may add some steps as I imagine she is more up to date on these baddies than I am these days.

PP:)


I just turned my computer on to run these scans and the Avira antivirus popped up saying it found the TR/Rootkit.gen2 and blocked it. I don't know how it keeps spreading, but it is. This is the same thing that it supposedly blocked before, when all these problems started.

Here are the logs you requested earlier.

OTL
OTL logfile created on: 12/7/2011 11:33:48 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 184.82 Mb Available Physical Memory | 36.17% Memory free
1.22 Gb Paging File | 0.91 Gb Available in Paging File | 74.33% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 30.80 Gb Free Space | 27.55% Space Free | Partition Type: NTFS
Drive G: | 1863.01 Gb Total Space | 1780.45 Gb Free Space | 95.57% Space Free | Partition Type: NTFS

Computer Name: OWNER-0FE07171A | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
PRC - C:\Program Files\Wireless\NT-USB150M Wireless N Client Utility\NWCU.exe ()
PRC - C:\WINDOWS\system32\acs.exe (Atheros)
PRC - C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe ()
PRC - C:\Program Files\Common Files\logishrd\LQCVFX\COCIManager.exe ()
PRC - C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll ()
MOD - C:\Program Files\Wireless\NT-USB150M Wireless N Client Utility\nwculoc.dll ()
MOD - C:\Program Files\Wireless\NT-USB150M Wireless N Client Utility\oemresloc.dll ()
MOD - C:\Program Files\Wireless\NT-USB150M Wireless N Client Utility\NWCU.exe ()
MOD - C:\WINDOWS\system32\wgapiloc.dll ()
MOD - C:\WINDOWS\system32\wgapi.dll ()
MOD - C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe ()
MOD - C:\Program Files\Common Files\logishrd\LQCVFX\COCIManager.exe ()


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (WMZuneComm) -- c:\Program Files\Zune\WMZuneComm.exe (Microsoft Corporation)
SRV - (ZuneWlanCfgSvc) -- c:\Program Files\Zune\ZuneWlanCfgSvc.exe (Microsoft Corporation)
SRV - (ZuneNetworkSvc) -- c:\Program Files\Zune\ZuneNss.exe (Microsoft Corporation)
SRV - (ZuneBusEnum) -- c:\Program Files\Zune\ZuneBusEnum.exe (Microsoft Corporation)
SRV - (ACS) -- C:\WINDOWS\system32\acs.exe (Atheros)
SRV - (LVPrcSrv) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)


========== Driver Services (SafeList) ==========

DRV - (NPF) WinPcap Packet Driver (NPF) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies, Inc.)
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (Cdr4_xp) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys (Roxio)
DRV - (Cdralw2k) -- C:\WINDOWS\System32\drivers\cdralw2k.sys (Roxio)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (AR9271) -- C:\WINDOWS\system32\drivers\athuw.sys (Atheros Communications, Inc.)
DRV - (WSIMD) -- C:\WINDOWS\system32\drivers\wsimd.sys (Atheros Communications, Inc.)
DRV - (LVPr2Mon) -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys ()
DRV - (PID_PEPI) Logitech QuickCam IM(PID_PEPI) -- C:\WINDOWS\system32\drivers\LV302V32.SYS (Logitech Inc.)
DRV - (WinUSB) -- C:\WINDOWS\system32\drivers\winusb.sys (Microsoft Corporation)
DRV - (P16X) Creative SB Live! Series (WDM) -- C:\WINDOWS\system32\drivers\P16X.sys (Creative Technology Ltd.)
DRV - (ctsfm2k) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys (Creative Technology Ltd)
DRV - (ossrv) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (BCMModem) -- C:\WINDOWS\system32\drivers\BCMSM.sys (Broadcom Corporation)
DRV - (dvd_2K) -- C:\WINDOWS\System32\drivers\Dvd_2k.sys (Roxio)
DRV - (mmc_2K) -- C:\WINDOWS\System32\drivers\Mmc_2k.sys (Roxio)
DRV - (pwd_2k) -- C:\WINDOWS\System32\drivers\pwd_2K.sys (Roxio)
DRV - (cdudf_xp) -- C:\WINDOWS\System32\drivers\cdudf_xp.sys (Roxio)
DRV - (UdfReadr_xp) -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys (Roxio)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Documents and Settings\Owner\Local Settings\Application Data\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2011/07/06 10:42:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2011/09/01 11:27:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/10 13:44:00 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/12/05 17:32:50 | 000,000,000 | ---D | M]

[2011/04/19 23:19:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2011/11/10 13:45:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wvpwlq2l.default\extensions
[2011/11/10 13:45:11 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wvpwlq2l.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/06/24 00:56:06 | 000,000,000 | ---D | M] (Search Toolbar) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wvpwlq2l.default\extensions\searchtoolbar@zugo.com
[2011/09/01 11:27:53 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/11/10 13:44:00 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2011/09/01 11:27:54 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
() (No name found) -- C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\WVPWLQ2L.DEFAULT\EXTENSIONS\{AE93811A-5C9A-4D34-8462-F7B864FC4696}.XPI
[2011/11/10 13:43:59 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/10/21 01:01:55 | 000,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2011/10/21 01:01:55 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/10/21 01:01:55 | 000,001,131 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2011/10/21 01:01:55 | 000,002,364 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2011/11/10 13:43:59 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
[2011/10/21 01:01:55 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2011/10/21 01:01:55 | 000,001,096 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2011/11/30 13:14:18 | 000,000,761 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BCMSMMSG] C:\WINDOWS\BCMSMMSG.exe (Broadcom Corporation)
O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe ()
O4 - HKLM..\Run: [NWCU] C:\Program Files\Wireless\NT-USB150M Wireless N Client Utility\NWCU.exe ()
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{058D4BD2-8779-4888-BA4A-BF309078DE48}: DhcpNameServer = 192.168.2.1 192.168.2.1
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) -C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) -C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") -C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - (crypt32.dll) - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - (cryptnet.dll) - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - (cscdll.dll) - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - (%SystemRoot%\System32\dimsntfy.dll) - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - (sclgntfy.dll) - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - (WlNotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - (WgaLogon.dll) - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) -C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) -C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) -C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) -C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) -C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) -C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) -C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) -C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) -C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/04/18 17:56:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/07/09 20:07:18 | 000,000,000 | RH-D | M] - G:\autorun -- [ NTFS ]
O32 - AutoRun File - [2002/10/16 07:56:50 | 000,000,036 | RH-- | M] () - G:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/07 14:23:24 | 004,589,838 | ---- | C] (Curio Lab) -- C:\Documents and Settings\Owner\Desktop\ExterminateItSetup.exe
[2011/12/07 14:23:07 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Owner\Desktop\aswMBR.exe
[2011/12/07 14:22:57 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/12/03 20:55:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2011/12/03 17:44:58 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/12/03 15:02:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/11/30 13:37:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/11/30 13:13:05 | 000,281,104 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\wpcap.dll
[2011/11/30 13:13:05 | 000,100,880 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\Packet.dll
[2011/11/30 13:13:05 | 000,050,704 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\drivers\npf.sys
[2011/11/30 02:40:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/11/30 02:39:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/11/09 00:08:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\AOL
[2011/11/09 00:04:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\AOL
[2002/04/10 23:41:00 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll

========== Files - Modified Within 30 Days ==========

[2011/12/07 23:32:53 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MBR.dat
[2011/12/07 17:54:38 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/07 17:54:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/07 17:54:11 | 535,896,064 | -HS- | M] () -- C:\hiberfil.sys
[2011/12/07 14:48:05 | 000,000,998 | ---- | M] () -- C:\WINDOWS\tasks\FacebookUpdateTaskUserS-1-5-21-117609710-1482476501-725345543-1003UA.job
[2011/12/07 14:43:22 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1482476501-725345543-1003UA.job
[2011/12/07 12:25:00 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/12/07 12:22:52 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Owner\Desktop\aswMBR.exe
[2011/12/05 17:37:47 | 000,432,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/12/05 17:37:47 | 000,067,312 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/12/05 13:43:02 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1482476501-725345543-1003Core.job
[2011/12/05 00:11:48 | 000,000,210 | -HS- | M] () -- C:\boot.ini
[2011/12/04 22:40:10 | 004,589,838 | ---- | M] (Curio Lab) -- C:\Documents and Settings\Owner\Desktop\ExterminateItSetup.exe
[2011/12/04 20:48:02 | 000,000,976 | ---- | M] () -- C:\WINDOWS\tasks\FacebookUpdateTaskUserS-1-5-21-117609710-1482476501-725345543-1003Core.job
[2011/12/03 14:45:10 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/11/30 13:14:18 | 000,000,761 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/11/30 13:13:05 | 000,281,104 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\wpcap.dll
[2011/11/30 13:13:05 | 000,100,880 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\Packet.dll
[2011/11/30 13:13:05 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\drivers\npf.sys
[2011/11/30 02:44:01 | 000,018,184 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\w0fo67c3wb8igb
[2011/11/30 02:44:01 | 000,018,184 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\w0fo67c3wb8igb
[2011/11/09 00:08:43 | 000,000,466 | -H-- | M] () -- C:\IPH.PH

========== Files Created - No Company Name ==========

[2011/12/07 23:32:52 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MBR.dat
[2011/12/04 23:01:35 | 535,896,064 | -HS- | C] () -- C:\hiberfil.sys
[2011/11/30 02:25:57 | 000,018,184 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\w0fo67c3wb8igb
[2011/11/30 02:25:57 | 000,018,184 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\w0fo67c3wb8igb
[2011/11/09 00:00:52 | 000,000,466 | -H-- | C] () -- C:\IPH.PH
[2011/11/04 14:08:05 | 000,000,483 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2011/08/16 15:16:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2011/08/12 14:50:39 | 000,069,632 | R--- | C] () -- C:\WINDOWS\System32\xmltok.dll
[2011/08/12 14:50:39 | 000,036,864 | R--- | C] () -- C:\WINDOWS\System32\xmlparse.dll
[2011/08/03 22:53:41 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/20 10:34:46 | 000,053,248 | ---- | C] () -- C:\WINDOWS\uneng.exe
[2011/04/20 10:28:55 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/04/19 23:19:39 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/04/19 23:18:55 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/19 23:10:15 | 000,262,216 | ---- | C] () -- C:\WINDOWS\System32\IPTests.dll
[2011/04/19 23:10:00 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\wgapiloc.dll
[2011/04/19 23:09:59 | 000,422,000 | ---- | C] () -- C:\WINDOWS\System32\wgapi.dll
[2011/04/18 17:59:18 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/04/18 17:52:32 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/04/18 13:42:37 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/04/18 13:41:27 | 000,399,880 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/10/07 00:46:36 | 000,025,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2009/10/07 00:23:08 | 000,013,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLFT2.dll
[2009/04/30 21:39:36 | 000,082,289 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2005/03/21 18:48:05 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/03/21 18:48:05 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 05:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 05:00:00 | 000,432,356 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 05:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 05:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 05:00:00 | 000,067,312 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 05:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 05:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 05:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 05:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 05:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/10/06 13:16:00 | 000,027,136 | ---- | C] () -- C:\WINDOWS\System32\nvcod.dll
[2003/07/08 12:41:48 | 000,047,616 | ---- | C] () -- C:\WINDOWS\System32\P16X.dll

========== LOP Check ==========

[2011/04/19 23:10:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iMicro
[2011/08/08 23:05:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Audacity
[2011/04/25 00:38:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\GetRightToGo
[2011/07/14 20:41:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Leadertech
[2011/12/04 20:48:02 | 000,000,976 | ---- | M] () -- C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-117609710-1482476501-725345543-1003Core.job
[2011/12/07 14:48:05 | 000,000,998 | ---- | M] () -- C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-117609710-1482476501-725345543-1003UA.job

========== Purity Check ==========

< End of report >

EXTRAS:
OTL Extras logfile created on: 12/7/2011 11:33:48 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 184.82 Mb Available Physical Memory | 36.17% Memory free
1.22 Gb Paging File | 0.91 Gb Available in Paging File | 74.33% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 30.80 Gb Free Space | 27.55% Space Free | Partition Type: NTFS
Drive G: | 1863.01 Gb Total Space | 1780.45 Gb Free Space | 95.57% Space Free | Partition Type: NTFS

Computer Name: OWNER-0FE07171A | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Red Storm Entertainment\Ghost Recon\GhostRecon.exe" = C:\Program Files\Red Storm Entertainment\Ghost Recon\GhostRecon.exe:*:Enabled:GhostRecon -- ()
"C:\Program Files\Logitech\Logitech Vid\Vid.exe" = C:\Program Files\Logitech\Logitech Vid\Vid.exe:*:Enabled:Logitech Vid -- (Logitech Inc.)
"G:\Games\RavenShield\system\ravenshield.exe" = G:\Games\RavenShield\system\ravenshield.exe:*:Enabled:ravenshield -- ()
"C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
"C:\SRB CUSTOMS\Switch\switch.exe" = C:\SRB CUSTOMS\Switch\switch.exe:*:Enabled:Switch -- (Tams11 Software)
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AIM
"C:\Documents and Settings\Owner\Local Settings\Application Data\Facebook\Video\Skype\FacebookVideoCalling.exe" = C:\Documents and Settings\Owner\Local Settings\Application Data\Facebook\Video\Skype\FacebookVideoCalling.exe:*:Enabled:Facebook Video Calling Plugin -- (Skype Limited)
"C:\Program Files\Wireless\NT-USB150M Wireless N Client Utility\NWCU.exe" = C:\Program Files\Wireless\NT-USB150M Wireless N Client Utility\NWCU.exe:*:Enabled:NT-USB150M Wireless N Client Utility -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002FB560-E9F9-45CD-B94B-9B264D038C74}" = Windows Tetris 1.01
"{07EEE598-5F21-4B57-B40B-46592625B3D9}" = Zune Language Pack (PTB)
"{1D7CE340-70C3-4848-BCCF-215950328A4C}" = Facebook Video Calling 1.0.0.8953
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216027FF}" = Java(TM) 6 Update 27
"{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1" = ConvertHelper 2.2
"{2C4E2E4E-A7C9-4CCB-BF03-FE6EBD5D4AB7}" = Windows Mobile Device Updater Component
"{31BB469B-4FC0-4E31-9FA4-A3BC3AD36CB0}" = NT-USB150M Wireless N Client Utility
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4FBCEA31-5D18-4212-9231-DE7CF1BE7DBB}" = Logitech Vid
"{5C93E291-A1CC-4E51-85C6-E194209FCDB4}" = Zune Language Pack (PTG)
"{5CF6EEE9-86B1-3DB6-A07C-8F6C079C39BA}" = Google Talk Plugin
"{609F7AC8-C510-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Basic
"{6740BCB0-5863-47F4-80F4-44F394DE4FE2}" = Zune Language Pack (NLD)
"{6B33492E-FBBC-4EC3-8738-09E16E395A10}" = Zune Language Pack (ESP)
"{7006ED29-58F2-40C3-AE87-039287AD20B6}" = Zune
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{90B3B219-E807-4EC2-B986-A9CE9AB6E0E8}" = NT-USB150M Wireless N Client Utility
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A174402A-2EE6-4B86-A930-7BC85A9933BD}" = Tom Clancy's Splinter Cell
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)
"{AF131494-F5D8-45C5-938C-D5F020CF1B0D}" = Tom Clancy's Rainbow Six 3: Raven Shield
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BE236D9A-52EC-4A17-82DA-84B5EAD31E3E}" = Zune Language Pack (DEU)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C27BC2A2-30DD-4014-B22E-63EB0DB572F9}" = Logitech Webcam Software
"{C5D37FFA-7483-410B-982B-91E93FD3B7DA}" = Zune Language Pack (ITA)
"{C68D33B1-0204-4EBE-BC45-A6E432B1D13A}" = Zune Language Pack (FRA)
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D89EF3B3-6F17-4665-B7A9-A4235A6DC787}" = Ghost Recon
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.13 (Unicode)
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"BCM V.92 56K Modem" = BCM V.92 56K Modem
"CleanUp!" = CleanUp!
"ie8" = Windows Internet Explorer 8
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 8.0 (x86 en-US)" = Mozilla Firefox 8.0 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Display Driver" = NVIDIA Display Driver
"PROSet" = Intel(R) PRO Network Connections Drivers
"Switch_is1" = UpStage 1.0.2.0
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01009" = Microsoft User-Mode Driver Framework Feature Pack 1.9
"Zune" = Zune

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/14/2011 5:50:38 PM | Computer Name = OWNER-0FE07171A | Source = Application Hang | ID = 1001
Description = Fault bucket -1612583200.

Error - 11/18/2011 5:21:36 PM | Computer Name = OWNER-0FE07171A | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 8.0.0.4325, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/26/2011 10:38:51 PM | Computer Name = OWNER-0FE07171A | Source = Avira AntiVir | ID = 4110
Description = An unknown error occurred during init of the engine! Returned error
code: 0x35

Error - 11/27/2011 10:16:47 PM | Computer Name = OWNER-0FE07171A | Source = Avira AntiVir | ID = 4110
Description = An unknown error occurred during init of the engine! Returned error
code: 0x35

Error - 11/28/2011 1:19:46 PM | Computer Name = OWNER-0FE07171A | Source = Avira AntiVir | ID = 4110
Description = An unknown error occurred during init of the engine! Returned error
code: 0x35

Error - 11/28/2011 7:16:39 PM | Computer Name = OWNER-0FE07171A | Source = ZuneDriver | ID = 80837
Description =

Error - 11/28/2011 7:17:09 PM | Computer Name = OWNER-0FE07171A | Source = WPDMTPDriver | ID = 80836
Description =

Error - 11/29/2011 12:12:49 AM | Computer Name = OWNER-0FE07171A | Source = Avira AntiVir | ID = 4110
Description = An unknown error occurred during init of the engine! Returned error
code: 0x35

Error - 11/29/2011 1:39:49 PM | Computer Name = OWNER-0FE07171A | Source = Avira AntiVir | ID = 4110
Description = An unknown error occurred during init of the engine! Returned error
code: 0x35

Error - 11/29/2011 1:44:59 PM | Computer Name = OWNER-0FE07171A | Source = Avira AntiVir | ID = 4110
Description = An unknown error occurred during init of the engine! Returned error
code: 0x35

[ System Events ]
Error - 12/7/2011 4:12:25 AM | Computer Name = OWNER-0FE07171A | Source = Service Control Manager | ID = 7003
Description = The DHCP Client service depends on the following nonexistent service:
NetBT

Error - 12/7/2011 4:12:25 AM | Computer Name = OWNER-0FE07171A | Source = Service Control Manager | ID = 7003
Description = The TCP/IP NetBIOS Helper service depends on the following nonexistent
service: NetBT

Error - 12/7/2011 4:16:20 AM | Computer Name = OWNER-0FE07171A | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 12/7/2011 4:34:25 AM | Computer Name = OWNER-0FE07171A | Source = Service Control Manager | ID = 7003
Description = The DHCP Client service depends on the following nonexistent service:
NetBT

Error - 12/7/2011 4:34:25 AM | Computer Name = OWNER-0FE07171A | Source = Service Control Manager | ID = 7003
Description = The TCP/IP NetBIOS Helper service depends on the following nonexistent
service: NetBT

Error - 12/7/2011 4:36:06 AM | Computer Name = OWNER-0FE07171A | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056

Error - 12/7/2011 3:11:05 PM | Computer Name = OWNER-0FE07171A | Source = Service Control Manager | ID = 7003
Description = The DHCP Client service depends on the following nonexistent service:
NetBT

Error - 12/7/2011 3:11:05 PM | Computer Name = OWNER-0FE07171A | Source = Service Control Manager | ID = 7003
Description = The TCP/IP NetBIOS Helper service depends on the following nonexistent
service: NetBT

Error - 12/7/2011 6:54:30 PM | Computer Name = OWNER-0FE07171A | Source = Service Control Manager | ID = 7003
Description = The DHCP Client service depends on the following nonexistent service:
NetBT

Error - 12/7/2011 6:54:30 PM | Computer Name = OWNER-0FE07171A | Source = Service Control Manager | ID = 7003
Description = The TCP/IP NetBIOS Helper service depends on the following nonexistent
service: NetBT


< End of report >

aswMBR Log:
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-07 23:31:28
-----------------------------
23:31:28.453 OS Version: Windows 5.1.2600 Service Pack 3
23:31:28.453 Number of processors: 2 586 0x207
23:31:28.453 ComputerName: OWNER-0FE07171A UserName: Owner
23:31:29.015 Initialize success
23:31:33.078 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
23:31:33.078 Disk 0 Vendor: ST3120023A 3.33 Size: 114473MB BusType: 3
23:31:35.093 Disk 0 MBR read successfully
23:31:35.093 Disk 0 MBR scan
23:31:35.093 Disk 0 Windows XP default MBR code
23:31:35.093 Disk 0 scanning sectors +234420480
23:31:35.156 Disk 0 scanning C:\WINDOWS\system32\drivers
23:31:49.296 Service scanning
23:31:50.562 Modules scanning
23:31:59.109 Disk 0 trace - called modules:
23:31:59.125 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
23:31:59.125 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8238dab8]
23:31:59.125 3 CLASSPNP.SYS[f8576fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82394b00]
23:31:59.125 Scan finished successfully
23:32:52.984 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
23:32:53.000 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR log 12_6_2011.txt"


I thought I could find the logs folder for the Avira antivirus, but so far I can't find it. I can view them through the interface, but I'm not sure how to put them into a Notepad document or anything.

0

I just turned my computer on to run these scans, and the Avira antivirus popped up saying it found TR/Rootkit.gen2 and blocked it. I don't know how it keeps spreading, but it is. This is the same thing that it supposedly blocked before, when all these problems started...

Hey CCG,

Did Avira remove or quarantine anything? You ought to be able to find that in the History via the GUI.
Chances are that the last thing it removed was an infected driver that was needed to connect to the Internet. If that is the case, we ought to be able to replace it and re-establish a connection.

-- Were you able to download Combofix and TDSSKiller?
Let us know. We are going to need them.

It's midnight EST and I've got to run - will look at the logs as soon as I can and get back to you. Judy may beat me to it.

Cheers :)
PP

EDIT:
Never mind that last bit about Avira - I just saw it in the logs:

Error - 12/7/2011 4:12:25 AM | Computer Name = OWNER-0FE07171A | Source = Service Control Manager | ID = 7003
Description = The DHCP Client service depends on the following nonexistent service:
NetBT

When I post back, we can repair NetBT and try to get the machine back online and hopefully make the cleaning process a bit easier....

Edited by PhilliePhan: n/a

0

ComboFix is running right now. It said it found a RootKit Virus, and sat there for a bit, then asked me to restart the computer. It is now restarted and ComboFix is running again. I took a quick screen shot of the actual message to get the name of the virus. (If it helps?)

It also said that I didn't have an active System Restore program running, however I had just created a restore point, shortly after I turned it on. Maybe the virus had infected that along with the wireless adapter I use.

The ComboFix auto scan is now telling me that it has "Completed Stage 4"


Will post the results after I run TDSSKiller.

0

Here is the ComboFix Log:

ComboFix 11-12-08.01 - Owner 12/08/2011 22:26:45.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.219 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\windows\$NtUninstallKB25972$
c:\windows\$NtUninstallKB25972$\2319490435
c:\windows\$NtUninstallKB25972$\3449333996\@
c:\windows\$NtUninstallKB25972$\3449333996\bckfg.tmp
c:\windows\$NtUninstallKB25972$\3449333996\cfg.ini
c:\windows\$NtUninstallKB25972$\3449333996\Desktop.ini
c:\windows\$NtUninstallKB25972$\3449333996\keywords
c:\windows\$NtUninstallKB25972$\3449333996\kwrd.dll
c:\windows\$NtUninstallKB25972$\3449333996\L\okybosud
c:\windows\$NtUninstallKB25972$\3449333996\lsflt7.ver
c:\windows\$NtUninstallKB25972$\3449333996\U\00000001.@
c:\windows\$NtUninstallKB25972$\3449333996\U\00000002.@
c:\windows\$NtUninstallKB25972$\3449333996\U\00000004.@
c:\windows\$NtUninstallKB25972$\3449333996\U\80000000.@
c:\windows\$NtUninstallKB25972$\3449333996\U\80000004.@
c:\windows\$NtUninstallKB25972$\3449333996\U\80000032.$
c:\windows\$NtUninstallKB25972$\3449333996\U\80000032.@
c:\windows\CSC\d6
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
G:\autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-11-09 to 2011-12-09 )))))))))))))))))))))))))))))))
.
.
2011-12-04 01:55 . 2011-12-04 01:55 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-12-03 22:45 . 2011-12-03 22:45 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-03 22:44 . 2011-12-07 08:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-03 20:02 . 2011-12-03 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-01 02:15 . 2011-12-05 03:44 -------- d-----w- c:\documents and settings\Administrator
2011-11-30 18:29 . 2011-12-04 21:57 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-11-30 18:13 . 2011-11-30 18:13 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2011-11-09 05:08 . 2011-11-09 05:08 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AOL
2011-11-09 05:04 . 2011-12-05 18:06 -------- d-----w- c:\program files\Common Files\AOL
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-08 01:39 . 2011-08-11 00:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-10 18:43 . 2011-10-21 06:02 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
"NWCU"="c:\program files\Wireless\NT-USB150M Wireless N Client Utility\NWCU.exe" [2009-11-18 557152]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-04-10 20:44 679936 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 16:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2011-08-19 00:43 137536 ----atw- c:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-07-15 02:06 136176 ----atw- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-01-26 19:31 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 17:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-11-11 17:55 159472 ----a-w- c:\program files\Zune\ZuneLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneWlanCfgSvc"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"ZuneBusEnum"=2 (0x2)
"WMZuneComm"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Red Storm Entertainment\\Ghost Recon\\GhostRecon.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
"g:\\Games\\RavenShield\\system\\ravenshield.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\SRB CUSTOMS\\Switch\\switch.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
"c:\\Program Files\\Wireless\\NT-USB150M Wireless N Client Utility\\NWCU.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/19/2011 11:55 AM 136360]
R3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [4/19/2011 10:55 PM 1668352]
S4 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [11/11/2010 12:57 PM 268528]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-05 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-117609710-1482476501-725345543-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-08-19 00:43]
.
2011-12-08 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-117609710-1482476501-725345543-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-08-19 00:43]
.
2011-12-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1482476501-725345543-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-15 02:06]
.
2011-12-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1482476501-725345543-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-15 02:06]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\wvpwlq2l.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-MozillaAgent - c:\windows\Temp\_ex-68.exe
AddRemove-{002FB560-E9F9-45CD-B94B-9B264D038C74} - c:\srb customs\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-08 22:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4336)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
c:\windows\BCMSMMSG.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2011-12-08 22:46:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-09 03:46
.
Pre-Run: 32,934,670,336 bytes free
Post-Run: 32,969,920,512 bytes free
.
- - End Of File - - 23F91997C5D34B2B43F9089D7AD0A66E

0

ComboFix is running right now. It said it found a RootKit Virus, and sat there for a bit, then asked me to restart the computer. It is now restarted and ComboFix is running again. I took a quick screen shot of the actual message to get the name of the virus. (If it helps?)

--- Yeah screenshot would be cool - what rootkit did it identify?

-- I imagine you are still offline? Let's try this:
Click START > CONTROL PANEL > PERFORMANCE & MAINTENANCE > ADMINISTRATIVE TOOLS > SERVICES
- RightClick DHCP Client and select STOP
- Navigate to C:\Windows\System32\Drivers and DELETE NetBT.sys (if it remains).
- Then go to C:\Windows\servicepackfiles\i386 and locate NetBT.sys.
Copy and Paste NetBT.sys from servicepackfiles\i386 into the C:\Windows\System32\Drivers Folder.
- Then, go back to Services and RightClick DHCP Client and select START

Reboot the computer for good measure and see if the connection is restored. If so, Update MBAM and run a full scan.

Let us know how you fare and we'll work from there.

Cheers :)
PP

Edited by PhilliePhan: clarification

0

It also said that I didn't have an active System Restore program running,

It isn't System Restore, it is the Recovery Console. Don't worry about it.
Plus, you are going to have to clean out System Restore once this is clean anyway.

Edited by jholland1964: n/a

0

--- Yeah screenshot would be cool - what rootkit did it identify?
PP

"Rootkit.ZeroAccess inserted itself into the tcp/ip stack"

0

OK, I am at the DHCP Client and it is already stopped. If I click on 'Start' it tells me that it cannot be started. Error 1075: The dependency service does not exist or has been marked for deletion.

Hopefully this means we're getting somewhere. Should I continue the steps you recommended and see what happens?

0

Ok, I walked thru the steps PP gave me, still no change.

So, you were able to copy and paste the driver with no problem?

-- OK, let's try this. You'll need to open a command prompt:
START > RUN > Type cmd ENTER

Then, type or copy & paste the following and hit Enter:
netsh int ip reset c:\resetlog.txt

Note:
It is netsh<space>int<space> ip<space> reset<space> c:\resetlog.txt
Make sure to type it accurately or you'll get an error.

REBOOT the ill computer and see if that does the trick.

I will try to check back tomorrow PM EST.

Cheers :)
PP

Edited by PhilliePhan: n/a

0

OK, I just tried the above steps and it seems to have completely deactivated the wireless adapter. The GUI is opening, however everything is grayed out (unselectable).

I am wondering if re-installing the wireless software would resolve this?

I looked thru the files that Avira had quarantined, and the rest all looked like they were restore points, compared to the netbt.sys that you were focusing on. Let me know and I can make a list of everything that Avira has set aside. I doubt I'll be on much this weekend, I have a few jobs lined up and helping the GF move too. Should be back Sunday night for sure.

Edited by CustomChevyGuy: n/a

0

I am wondering if re-installing the wireless software would resolve this?

Yeah - give that a try. Uninstall it and then reinstall it. Also check to make sure the DHCP Client is started - we may have to revisit that.

Resetting TCP/IP should correct the damage you noted from the malware.

-- Avira logs should be available to print or copy and paste.
I imagine you've got a number of infected restore points and, as Judy mentioned, we'll need to flush those after we complete the cleaning procedures.

I'll be around over the weekend - hopefully weather will be good and I can have another crack at those Camaro T-Tops....:)

PP

0


So my two jobs I had lined up cancelled on me. I figure I'd jump back on here and keep cracking on this.

I uninstalled and reinstalled the wireless program. It is still doing the same thing, saying I'm connected and have full strength connection, however it never gives me an address.

I went back and tried to start the DHCP, and got the same message as before. If I click on 'Start' it tells me that it cannot be started. Error 1075: The dependency service does not exist or has been marked for deletion.
If I double click on it it brings up a new window showing 4 tabs: General, Log On, Recovery, and Dependencies. Under the General tab it states that
The file it is pointed to is c:\WINDOWS\system32\svchost.exe<SPACE>-k<SPACE>netsvcs

0


I uninstalled and reinstalled the wireless program. It is still doing the same thing, saying I'm connected and have full strength connection, however it never gives me an address.

All right - let's throw the kitchen sink at it and see what happens:

Open a command prompt again and enter each of the following commands one by one:
sc start dhcp
sc start netbt
sc start ipsec
sc start tcpip
sc start afd
netsh int ip reset C:\resetlog.txt
netsh winsock reset
ipconfig /flushdns
ipconfig /all

REBOOT for good measure and see if that helps.

If not, please download and run Farbar Service Scanner
-- Check Include All Files and hit scan. It should produce a log. Please post the FSS.txt for me. That should show us what we are missing.

PP:)

Edited by PhilliePhan: Brain Cramp

0


Here are the results from the above steps:

sc start dhcp
[sc] StartService FAILED 1075:
The dependency service does not exist or has been marked for deletion.

sc start netbt
[sc] StartService: OpenService FAILED 1060:
The specified service does not exist as an installed service.

sc start ipsec
[sc] startservice FAILED 1056:
An instance of the service is already running.

sc start tcpip
[sc] StartService FAILED 1056:
An instance of the service is already running.

sc start afd
[sc] startservice FAILED 1056:
An instance of the service is already running.

netsh int ip reset c:\resetlog.txt
after pressing enter it jumped back to c:\

netsh winsock reset
Successfully reset the Winsock Catalog. You Must restart the machine in order to complete the rest.

ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.

ipconfig /all
(see Screenshot)

Attachments ip_config.JPG 40.3 KB
0

Ok, after I re-booted, it looks like my wireless adapter's software is not running. It has not popped up in the task bar, and when I opened the program manually everything is grayed out (unselectable).

I am going to run the Farbar Scanner now and see what happens.


Hey PP, your comment about the kitchen sink made me LOL. I spent all day Saturday helping my gf and her sister move! That was about the only thing I actually didn't have to touch all weekend. It was a longggg moving day to say the least.

Any progress on those t-tops?

Edited by CustomChevyGuy: n/a

0

FSS.txt

Farbar Service Scanner
Ran by Owner (administrator) on 11-12-2011 at 22:31:53
Microsoft Windows XP Professional Service Pack 3 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of NetBt. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of NetBt. The value does not exist.


File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

**** End of log ****

0
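The sc errors above and the FSS "value does not exist" lines are two views of the same damage: the NetBT service key is gone from the registry, so NetBT itself fails with 1060 and DHCP Client, which depends on it, fails with 1075. The following PowerShell script is an added example, not part of the thread or any tool it mentions; it walks the DHCP Client's dependency chain from the registry and reports each missing key, value or driver file. It assumes an elevated PowerShell on Windows XP SP3 or later, and the Resolve-ImagePath helper is my own best-effort normaliser.

```powershell
# Added example (not from the thread): audit the DHCP Client's service
# dependency chain. A deleted dependency key is what produces
# "sc start dhcp" -> 1075 and "sc start netbt" -> 1060 in this thread.
# Assumption: run in an elevated PowerShell on Windows XP SP3 or later.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ImagePath([string]$Raw) {
    # Best-effort normalisation of the forms XP uses: "system32\DRIVERS\netbt.sys",
    # "\SystemRoot\system32\...", "%SystemRoot%\system32\svchost.exe -k netsvcs"
    $s = [Environment]::ExpandEnvironmentVariables(($Raw -replace '"', ''))
    $s = ($s -split ' -k ')[0]                       # drop svchost's "-k group"
    $s = $s -replace '^\\\?\?\\', ''                  # strip the \??\ prefix
    $s = $s -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [IO.Path]::IsPathRooted($s)) { $s = Join-Path $env:SystemRoot $s }
    return $s
}

function Test-ServiceChain([string]$Name, [int]$Depth = 0) {
    $pad = '  ' * $Depth
    $key = Join-Path $svcRoot $Name
    if (-not (Test-Path $key)) {
        # The thread's case: NetBT key removed, so this service reports 1060
        # and every service that depends on it reports 1075.
        Write-Host "$pad$Name : registry key MISSING"
        return $false
    }
    $p = Get-ItemProperty -Path $key
    $healthy = $true
    foreach ($v in 'Start', 'ImagePath') {
        if ($null -eq $p.$v) { Write-Host "$pad$Name : value '$v' missing"; $healthy = $false }
    }
    if ($null -ne $p.ImagePath) {
        $file = Resolve-ImagePath $p.ImagePath
        if (Test-Path $file) { Write-Host "$pad$Name : Start=$($p.Start), image present ($file)" }
        else { Write-Host "$pad$Name : image file missing ($file)"; $healthy = $false }
    }
    # DependOnService is REG_MULTI_SZ; entries starting with '+' are group names
    foreach ($dep in @($p.DependOnService)) {
        if (-not $dep) { continue }
        if ($dep -like '+*') { Write-Host "$pad  group dependency $dep (not checked)"; continue }
        if (-not (Test-ServiceChain $dep ($Depth + 1))) { $healthy = $false }
    }
    return $healthy
}

if (Test-ServiceChain 'Dhcp') { 'Dhcp dependency chain is intact' }
else { 'Dhcp chain is broken: restore the missing keys from an ERUNT backup or a clean XP SP3 export' }
```

On the machine in this thread the output would flag NetBT as a missing registry key while Dhcp's own key, ImagePath and the driver files all check out, matching what FSS reported.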

Hey CCG,

Too cold for the T-tops. Was going to try a little silicone sealant, but will probably have to wait until spring. No worries, I suppose - after all, it is a 17 year old car.

-- As for the ill computer, let's try an oldie but goodie from Option^Explicit ---> Winsock XP Fix

Run that and hit fix - that ought to automatically repair the registry damage so we don't have to do it manually. If we have to do it manually then it becomes dicey.

Let me know how that shakes out.

PP:)

Edited by PhilliePhan: n/a

0


I keep forgetting that up north, winter is starting to set in.

I just ran the Winsock XP Fix and am rebooting it now. Keeping my fingers crossed, and prayers being said.

0

I have rebooted, and logged in. The wireless connection is still listed as Disabled under the Network Connections. I cannot select "Enable". I tried to click on the "Repair" option, and it sits there doing its diagnostics only to tell me that a connection cannot be established to the network.

I have connected a wire to see if it was the wireless connection, and it is still searching for an address as well.

0

Ok - let's try to repair the registry damage done by the malware. I thought winsock fix might do it for us, but I guess not.

Anyhoo - first I suggest backing up the registry with a tool such as ERUNT
It is simple and quick and good to have as a "fallback" in the event we need it.

Then, please download the attached FixNetBT.txt
You need to actually download the text file to the desktop.
-- RENAME it to FixNetBT.reg

On the ill machine, DoubleClick FixNetBT.reg and allow it to merge into the registry.
REBOOT and see if that fixes the connection.

--- If not, run Farbar Service Scanner again and post those results.

PP:)

Edited by PhilliePhan: It'd be nice if I actually attached the fix....

0


OK, I downloaded the file to my thumbnail, and then dropped it on my ill desktop. I must be missing something though. I right clicked and changed the name to .reg or do I need to do something else? It's still opening as a notepad file.
