  1. #1 Member (Join Date: Mar 2011, Posts: 27, Points: 0)

    Trojan:Win32/Sirefef.p

    When my PC loads, I get a prompt from the Microsoft Essentials software that my system has been infected by a specific Trojan virus (printed above). I have attempted to remove it several times, but it just doesn't seem to go away. I restarted my PC (in both "Safe" and "Safe With Networking" mode) and used the "Malwarebytes" anti-malware application to perform a full scan. It found over 30 objectionable items and I removed them all. However, upon rebooting the PC the Trojan virus still seems to be lingering around. Any time I do a Google search for a website and then click on the found link, I get redirected to some weird sites. I have rebooted and run the Malwarebytes application several times without any success. I turn to you now for help. I installed the HijackThis application and scanned my PC using the application. The findings of the scan are as follows:

    *******
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:29:42 PM, on 14/02/2012
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\D-Link\DWA-125 revA\ANIWConnService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Secunia\PSI\PSIA.exe
    C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\ServicepointService.exe
    C:\Program Files\D-Link\DWA-125 revA\WZCSLDR2.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Secunia\PSI\sua.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    O1 - Hosts: ˙ţ127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O4 - HKLM\..\Run: [WZCSLDR2] C:\Program Files\D-Link\DWA-125 revA\WZCSLDR2.exe
    O4 - HKLM\..\Run: [NvCplDaemon] C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe
    O4 - HKCU\..\Run: [WinPatrol System Monitor] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {08496B45-6BB1-4F92-A8E6-B9E7978634CB} (Trustsite Control) - https://remote-gcc.rbc.com/nortel_ca.../TrustSite.cab
    O16 - DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} (Iewiper Control) - https://remote-gcc.rbc.com/nortel_cacheable/iewiper.cab
    O16 - DPF: {ACDB1787-986D-434D-9857-2172CDB2108D} (popupunblk Class) - https://remote-occ.rbc.com/nortel_ca...e/punblock.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
    O23 - Service: PSDFilter (contentfilter) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
    O23 - Service: D_Link_DWA-125 Service (D_Link_DWA-125) - Wireless Service - C:\Program Files\D-Link\DWA-125 revA\ANIWZCSdS.exe
    O23 - Service: D_Link_DWA-125_WPS Service (D_Link_DWA-125_WPS) - Unknown owner - C:\Program Files\D-Link\DWA-125 revA\ANIWConnService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files\Secunia\PSI\PSIA.exe
    O23 - Service: Secunia Update Agent - Secunia - C:\Program Files\Secunia\PSI\sua.exe
    O23 - Service: ServicepointService - Radialpoint Inc. - C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\ServicepointService.exe

    --
    End of file - 8846 bytes
    *************

    Any assistance to get rid of this virus will be greatly appreciated.

    Regards,

  2. #2 Member Spyware Fighter (Join Date: Jun 2010, Location: Bement, Ill USA, Posts: 1,340, Points: 146)

    Hello and welcome to Help2Go

    We apologize for the delay in responding to your request for help. Here at Help2Go we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

    Please take note:

    1. If you have since resolved the original problem you were having, we would appreciate you letting us know.
    2. If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
      • If you are unsure about any of these characteristics just post what you can and we will guide you.
    3. Please tell us if you have your original Windows CD/DVD available.
    4. If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
    5. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
    6. Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
    7. If you have already posted a DDS log, please do so again, as your situation may have changed.
    8. Use the 'Add Reply' and add the new log to this thread.


    We need to see some information about what is happening in your machine. Please perform the following scan again:

    • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
    • Notepad will open with the results.
    • Follow the instructions that pop up for posting the results.
    • Close the program window, and delete the program from your desktop.
    Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

    Information on A/V control HERE


    We also need a new log from the GMER anti-rootkit Scanner.

    Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step. Then proceed to run aswMbr.exe as noted below.

    Please first disable any CD emulation programs using the steps found in this topic:

    Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:


    Note:
    If you are unable to run a GMER scan due to the fact you are running a 64-bit machine, please run the following tool and post its log.

    Please download aswMBR ( 511KB ) to your desktop.
    • Double click the aswMBR.exe icon to run it
    • Click the Scan button to start the scan
    • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.




    Thanks and again sorry for the delay.
    " Extinguishing Malware from the world"

    The Spyware Help forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.
    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
    Thanks-




  3. #3 Member (Join Date: Mar 2011, Posts: 27, Points: 0)

    The original issue remains. I am forced to run the Microsoft Essentials to remove the threat at every boot.

    I do not have original Windows CD/DVD.

    The logs from the scans are below: (For DDS, there were two notepad files created. I am only sending one since there was a warning note printed in the other file: "UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT")

    ******************* DDS Log ********************
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
    Run by Amar Khan at 20:42:38 on 2012-02-15
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.505 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k Akamai
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\D-Link\DWA-125 revA\ANIWConnService.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Secunia\PSI\PSIA.exe
    C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\ServicepointService.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\D-Link\DWA-125 revA\WZCSLDR2.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Secunia\PSI\sua.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uWindow Title =
    mWindow Title =
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    uRun: [WinPatrol System Monitor] c:\program files\billp studios\winpatrol\WinPatrol.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [WZCSLDR2] c:\program files\d-link\dwa-125 reva\WZCSLDR2.exe
    mRun: [NvCplDaemon] c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [SunJavaUpdateSched] c:\program files\common files\java\java update\jusched.exe
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    LSP: mswsock.dll
    Trusted Zone: rbc.com\remote
    Trusted Zone: rbc.com\remote-gcc
    DPF: {08496B45-6BB1-4F92-A8E6-B9E7978634CB} - hxxps://remote-gcc.rbc.com/nortel_cacheable/TrustSite.cab
    DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} - hxxps://remote-gcc.rbc.com/nortel_cacheable/iewiper.cab
    DPF: {ACDB1787-986D-434D-9857-2172CDB2108D} - hxxps://remote-occ.rbc.com/nortel_cacheable/punblock.cab
    TCP: DhcpNameServer = 10.168.122.1
    TCP: Interfaces\{A4BA3216-835D-4575-B897-AC4E5EF7DDB9} : DhcpNameServer = 10.168.122.1
    TCP: Interfaces\{CAA9477C-DA78-40B1-A726-75A7CC333A8D} : DhcpNameServer = 10.168.122.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\amar khan\application data\mozilla\firefox\profiles\ept078k1.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
    FF - prefs.js: keyword.URL - hxxp://ca.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_ca&p=
    FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
    FF - plugin: c:\documents and settings\amar khan\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.68\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npOGPPlugin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\program files\rogers online protection\rogers servicepoint agent\nprpspa.dll
    FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\windows\system32\npOGPPlugin.dll
    FF - plugin: c:\windows\system32\npptools.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
    R1 MpKsle97b1496;MpKsle97b1496;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6b4c74d6-2004-48b9-9612-433b76a5d783}\MpKsle97b1496.sys [2012-2-15 29904]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-13 14336]
    R2 ANPD;ANPD Service;c:\windows\system32\ANPD.SYS [2011-4-1 29411]
    R2 D_Link_DWA-125_WPS;D_Link_DWA-125_WPS Service;c:\program files\d-link\dwa-125 reva\ANIWConnService.exe [2011-4-1 40960]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-3-6 652360]
    R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]
    R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-1-10 399416]
    R2 ServicepointService;ServicepointService;c:\program files\rogers online protection\rogers servicepoint agent\ServicepointService.exe [2011-1-22 689464]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-3-6 20464]
    R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
    S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
    S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
    S1 jgpcoaqj;jgpcoaqj;c:\windows\system32\drivers\jgpcoaqj.sys [2012-2-15 41680]
    S2 D_Link_DWA-125;D_Link_DWA-125 Service;c:\program files\d-link\dwa-125 reva\ANIWZCSdS.exe [2011-4-1 126976]
    S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 rt2870;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\Drt2870.sys [2011-4-1 779136]
    S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-13 14336]
    S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-27 136176]
    S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-27 136176]
    UnknownUnknown yrqyqtid;yrqyqtid; [x]
    .
    =============== Created Last 30 ================
    .
    2012-02-16 01:28:01 41680 ----a-w- c:\windows\system32\drivers\jgpcoaqj.sys
    2012-02-16 01:17:42 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6b4c74d6-2004-48b9-9612-433b76a5d783}\offreg.dll
    2012-02-16 01:17:42 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6b4c74d6-2004-48b9-9612-433b76a5d783}\MpKsle97b1496.sys
    2012-02-15 02:35:28 6557240 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6b4c74d6-2004-48b9-9612-433b76a5d783}\mpengine.dll
    2012-02-14 19:23:33 0 --sha-w- c:\windows\system32\dds_log_trash.cmd
    .
    ==================== Find3M ====================
    .
    2012-01-31 12:44:05 237072 -c----w- c:\windows\system32\MpSigStub.exe
    2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 20:43:07.56 ===============


    ******************* GMER Log ***************************

    GMER 1.0.15.15641 - GMER - Rootkit Detector and Remover
    Rootkit scan 2012-02-15 22:24:06
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\nvgts2Port1Path0Target0Lun0 Maxtor_6 rev.BANC
    Running: 98fx39sq.exe; Driver: C:\DOCUME~1\AMARKH~1\LOCALS~1\Temp\pwayifow.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF644E380, 0x3DF545, 0xE8000020]
    .text mrxsmb.sys F3E3B307 290 Bytes [00, 00, 00, 00, 00, 40, 00, ...]
    .text mrxsmb.sys F3E3B42A 116 Bytes [04, AF, E5, F3, 0F, 88, 7F, ...]
    .text mrxsmb.sys F3E3B49F 19 Bytes CALL F0293FF4
    .text mrxsmb.sys F3E3B4B3 9 Bytes [64, A3, 00, 00, 00, 00, C3, ...]
    .text mrxsmb.sys F3E3B4BD 191 Bytes [64, 89, 0D, 00, 00, 00, 00, ...]
    .text ...
    .INIT C:\WINDOWS\system32\DRIVERS\mrxsmb.sys entry point in ".INIT" section [0xF3E49422]
    ? C:\WINDOWS\system32\DRIVERS\mrxsmb.sys suspicious PE modification

    ---- Modules - GMER 1.0.15 ----

    Module (noname) (*** hidden *** ) F7677000-F7686000 (61440 bytes)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:568] 85ECF540

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\$NtUninstallKB19019$\1232927944 0 bytes
    File C:\WINDOWS\$NtUninstallKB19019$\1232927944\@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB19019$\1232927944\L 0 bytes
    File C:\WINDOWS\$NtUninstallKB19019$\1232927944\L\ndyoaaqj 456320 bytes
    File C:\WINDOWS\$NtUninstallKB19019$\1232927944\loader.tlb 2632 bytes
    File C:\WINDOWS\$NtUninstallKB19019$\1232927944\U 0 bytes
    File C:\WINDOWS\$NtUninstallKB19019$\1232927944\U\@00000001 45968 bytes
    File C:\WINDOWS\$NtUninstallKB19019$\1232927944\U\@000000c0 3072 bytes
    File C:\WINDOWS\$NtUninstallKB19019$\1232927944\U\@000000cb 3072 bytes
    File C:\WINDOWS\$NtUninstallKB19019$\1232927944\U\@000000cf 1536 bytes
    File C:\WINDOWS\$NtUninstallKB19019$\1232927944\U\@80000000 73216 bytes
    File C:\WINDOWS\$NtUninstallKB19019$\1232927944\U\@800000c0 41984 bytes
    File C:\WINDOWS\$NtUninstallKB19019$\1232927944\U\@800000cb 24576 bytes
    File C:\WINDOWS\$NtUninstallKB19019$\1232927944\U\@800000cf 31232 bytes
    File C:\WINDOWS\$NtUninstallKB19019$\1342089584 0 bytes

    ---- EOF - GMER 1.0.15 ----




    Looking forward to your response.

    Regards,
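    The two logs in the post above carry the indicators a malware helper triages first: a driver and a service with eight-letter machine-generated names (jgpcoaqj.sys created on the day of the scan, and yrqyqtid with no binary on disk), a service whose image path routes through \\.\globalroot and is reported missing (PSDFilter in the HijackThis log), and a tree of @, L and U files under a $NtUninstallKB19019$ folder in the GMER file list, which is the on-disk layout Sirefef/ZeroAccess is documented to use. The Python script below is an added example, not part of this thread and not code from DDS, HijackThis, GMER or any other tool named here. It encodes those heuristics and runs them over a constructed sample made of lines copied from the logs above, so the same checks can be run over any pasted log. The thresholds it uses (exactly eight lowercase letters, a file dated the same day as the scan) are my own assumptions, not rules from the tools.

```python
"""Triage helper for pasted DDS / HijackThis / GMER logs (added example).

It cleans nothing; it only flags the entries a helper would look at first
so they can be cross-checked against TDSSKiller, GMER or ComboFix output.
The name-length and same-day-date thresholds are assumptions.
"""
import datetime
import re
from dataclasses import dataclass, field

# DDS "SERVICES / DRIVERS" line:  S1 name;display;path [yyyy-m-d size]
DDS_SERVICE = re.compile(
    r"^(?P<state>[RS][0-4]|UnknownUnknown)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# HijackThis O23 line:  O23 - Service: display - owner - path
HJT_O23 = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# GMER "Files" section line:  File path size bytes
GMER_FILE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes$")
DDS_DATE = re.compile(r"\[(\d{4}-\d{1,2}-\d{1,2}) \d+\]")

RANDOM_NAME = re.compile(r"^[a-z]{8}$")            # assumption: jgpcoaqj-style names
FAKE_HOTFIX = re.compile(r"\$NtUninstallKB\d+\$", re.IGNORECASE)


@dataclass
class Finding:
    subject: str                  # service name or file path
    line: str
    reasons: list = field(default_factory=list)


def _date(s):
    y, m, d = (int(x) for x in s.split("-"))
    return datetime.date(y, m, d)


def triage(text, scan_date=None):
    """Return one Finding per suspicious line of a pasted log."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        subject, reasons = None, []
        if m := DDS_SERVICE.match(line):
            subject = m["name"]
            if RANDOM_NAME.match(m["name"]) and m["display"] in ("", m["name"]):
                reasons.append("eight-letter machine-generated name with no real display name")
            if m["rest"].strip() == "[x]":
                reasons.append("service registered but its binary is not on disk")
            if (d := DDS_DATE.search(m["rest"])) and scan_date and _date(d[1]) == scan_date:
                reasons.append("binary dated the same day as the scan")
        elif m := HJT_O23.match(line):
            subject = m["display"]
            if "globalroot" in m["path"].lower():
                reasons.append(r"image path routes through \\.\globalroot")
            if "(file missing)" in m["path"]:
                reasons.append("HijackThis reports the service binary missing")
        elif m := GMER_FILE.match(line):
            subject = m["path"]
            if FAKE_HOTFIX.search(m["path"]):
                reasons.append("file stored under a $NtUninstallKB...$ folder "
                               "(a genuine one holds only hotfix uninstall data)")
        if reasons:
            findings.append(Finding(subject, line, reasons))
    return findings


SCAN_DATE = datetime.date(2012, 2, 15)

# Constructed sample: lines copied from the DDS, HijackThis and GMER logs in this thread.
SAMPLE_LOG = r"""
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-3-6 652360]
S1 jgpcoaqj;jgpcoaqj;c:\windows\system32\drivers\jgpcoaqj.sys [2012-2-15 41680]
S3 rt2870;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\Drt2870.sys [2011-4-1 779136]
UnknownUnknown yrqyqtid;yrqyqtid; [x]
O23 - Service: PSDFilter (contentfilter) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
File C:\WINDOWS\$NtUninstallKB19019$\1232927944\U\@80000000 73216 bytes
File C:\WINDOWS\$NtUninstallKB19019$\1232927944\loader.tlb 2632 bytes
"""


def triage_sample():
    """Run the heuristics over the constructed sample above."""
    return triage(SAMPLE_LOG, SCAN_DATE)


if __name__ == "__main__":
    for f in triage_sample():
        print(f.subject)
        for r in f.reasons:
            print("   -", r)
```

    Run against the sample it reports jgpcoaqj, yrqyqtid, PSDFilter and the two $NtUninstallKB19019$ files and stays silent on MpFilter, MBAMService and the D-Link driver; to use it on a real post, pass the pasted text and the scan date from the DDS header to triage(). A flag is a prompt to look closer, not a verdict: the helper's TDSSKiller and ComboFix steps are still what establishes what is really on disk.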

  4. #4 Member Spyware Fighter (Join Date: Jun 2010, Location: Bement, Ill USA, Posts: 1,340, Points: 146)

    Hello Arkansas,
    • Welcome to Help2Go.
    • My name is fireman4it and I will be helping you with your Malware problem.

      Please take note of some guidelines for this fix:
    • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
    • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
    • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
    • Finally, please reply using the REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.



    1.
    Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • If TDSSKiller does not run, try renaming it.
    • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
    • Click the Start Scan button.
    • Do not use the computer during the scan
    • If the scan completes with nothing found, click Close to exit.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
      Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
    • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
    • Copy and paste the contents of that file in your next reply.



    2.
    Install Recovery Console and Run ComboFix

    This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

    Download Combofix from any of the links below, and save it to your desktop.

    Link 1
    Link 2
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
    • Close any open windows, including this one.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • If you did not have it installed, you will see the prompt below. Choose YES.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
    Leave your computer alone while ComboFix is running.
    ComboFix will restart your computer if malware is found; allow it to do so.


    Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.


    Things to include in your next reply:
    TdssKiller log
    Combofix.txt
    How is your machine running now?
    " Extinguishing Malware from the world"

    The Spyware Help forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.
    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
    Thanks-
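An added example, not part of this thread and not TDSSKiller's own code: a small Python script that pulls the lines that matter (forged files, infected drivers) out of the TDSSKiller log requested in step 1 and summarizes them. The sample lines are constructed for this example and modelled on the TDSSKiller log posted later in this thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log, modelled on the TDSSKiller 2.7.12.0 log posted later in
# this thread (service names, hashes and paths below are copied from it).
SAMPLE_LOG = r"""
22:47:51.0375 3976 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:47:51.0406 3976 ACPI - ok
22:47:56.0656 3976 ivnzxnbn - ok
22:47:57.0781 3976 MRxSmb (3de9c4252c94d5233f00a917327f9fe4) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
22:47:57.0781 3976 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\mrxsmb.sys. Real md5: 3de9c4252c94d5233f00a917327f9fe4, Fake md5: 7d304a5eb4344ebeeab53a2fe3ffb9f0
22:47:57.0796 3976 MRxSmb ( Virus.Win32.ZAccess.aml ) - infected
22:47:57.0796 3976 MRxSmb - detected Virus.Win32.ZAccess.aml (0)
22:47:57.0828 3976 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
22:47:57.0828 3976 Msfs - ok
"""

# Every scan line starts with "HH:MM:SS.mmmm <thread id> "; banner lines are ignored.
_PREFIX = r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+"
_HEX32 = r"[0-9a-fA-F]{32}"
FILE_RE = re.compile(_PREFIX + r"(?P<name>\S+)\s+\((?P<md5>" + _HEX32 + r")\)\s+(?P<path>.+)$")
OK_RE = re.compile(_PREFIX + r"(?P<name>\S+) - ok$")
FORGED_RE = re.compile(_PREFIX + r"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: "
                       r"(?P<real>" + _HEX32 + r"), Fake md5: (?P<fake>" + _HEX32 + r")$")
INFECTED_RE = re.compile(_PREFIX + r"(?P<name>\S+) \( (?P<verdict>[^)]+?) \) - infected$")
DETECTED_RE = re.compile(_PREFIX + r"(?P<name>\S+) - detected (?P<verdict>\S+)")


@dataclass
class Entry:
    """One driver/service as TDSSKiller reports it."""
    name: str
    md5: Optional[str] = None       # hash TDSSKiller computed for the file on disk
    path: Optional[str] = None      # None when the service has no file to scan
    status: str = "unknown"         # "ok" or "infected"
    verdict: Optional[str] = None   # e.g. Virus.Win32.ZAccess.aml
    forged: Optional[Dict[str, str]] = None  # {"real": md5, "fake": md5} when spoofed


def parse_tdsskiller(text: str) -> Dict[str, Entry]:
    """Fold the per-line log into one Entry per service name."""
    entries: Dict[str, Entry] = {}
    by_path: Dict[str, Entry] = {}

    def get(name: str) -> Entry:
        return entries.setdefault(name, Entry(name=name))

    for line in (l.strip() for l in text.splitlines()):
        if m := FORGED_RE.match(line):
            # Tie the forged notice back to the entry whose file line carried that path.
            entry = by_path.get(m["path"].lower()) or get(m["path"].rsplit("\\", 1)[-1])
            entry.forged = {"real": m["real"].lower(), "fake": m["fake"].lower()}
        elif m := FILE_RE.match(line):
            entry = get(m["name"])
            entry.md5, entry.path = m["md5"].lower(), m["path"]
            by_path[m["path"].lower()] = entry
        elif m := INFECTED_RE.match(line):
            entry = get(m["name"])
            entry.status, entry.verdict = "infected", m["verdict"]
        elif m := DETECTED_RE.match(line):
            entry = get(m["name"])
            entry.status, entry.verdict = "infected", entry.verdict or m["verdict"]
        elif m := OK_RE.match(line):
            entry = get(m["name"])
            if entry.status == "unknown":   # never let "- ok" overwrite an infection
                entry.status = "ok"
    return entries


def triage(entries: Dict[str, Entry]) -> List[dict]:
    """One finding per entry TDSSKiller flagged as infected or forged."""
    findings = []
    for e in entries.values():
        if e.status != "infected" and e.forged is None:
            continue
        findings.append({
            "name": e.name, "path": e.path, "verdict": e.verdict, "forged": e.forged,
            # In the thread's log the hash on the driver line equals the "Real md5"
            # of the forged notice; a mismatch would mean the two lines disagree.
            "hash_consistent": None if e.forged is None else e.md5 == e.forged["real"],
        })
    return findings


def summarize(entries: Dict[str, Entry]) -> Dict[str, int]:
    """Counts at a glance. "no_file" is informational only: stock XP entries such
    as Abiosdsk also have no driver file on disk and still report "- ok"."""
    vals = entries.values()
    return {
        "total": len(entries),
        "ok": sum(e.status == "ok" for e in vals),
        "infected": sum(e.status == "infected" for e in vals),
        "forged": sum(e.forged is not None for e in vals),
        "no_file": sum(e.path is None for e in vals),
    }


if __name__ == "__main__":
    parsed = parse_tdsskiller(SAMPLE_LOG)
    print(summarize(parsed))
    print(triage(parsed))
```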




  5. #5
    Member
    Join Date
    Mar 2011
    Posts
    27
    Points
    0


    Machine is running better now. I'm not getting redirected to weird sites anymore.

    The logs, as requested, are printed below: (While running the Combofix, however, I did receive a msg that machine was infected with Rootkit.ZeroAccess! and that it had inserted itself into the TCP/IP stack... a particularly difficult infection)


    ****************************** Combofix log ******************************

    ComboFix 12-02-15.01 - Amar Khan 15/02/2012 23:08:58.6.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.685 [GMT -5:00]
    Running from: c:\documents and settings\Amar Khan\Desktop\Computer cleanup\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\Amar Khan\System
    c:\documents and settings\Amar Khan\System\win_qs8.jqx
    c:\documents and settings\Kai\053.JPG
    c:\documents and settings\Rustam Khan\System
    c:\documents and settings\Rustam Khan\System\win_qs8.jqx
    c:\windows\$NtUninstallKB19019$
    c:\windows\$NtUninstallKB19019$\1232927944\@
    c:\windows\$NtUninstallKB19019$\1232927944\L\ndyoaaqj
    c:\windows\$NtUninstallKB19019$\1232927944\loader.tlb
    c:\windows\$NtUninstallKB19019$\1232927944\U\@00000001
    c:\windows\$NtUninstallKB19019$\1232927944\U\@000000c0
    c:\windows\$NtUninstallKB19019$\1232927944\U\@000000cb
    c:\windows\$NtUninstallKB19019$\1232927944\U\@000000cf
    c:\windows\$NtUninstallKB19019$\1232927944\U\@80000000
    c:\windows\$NtUninstallKB19019$\1232927944\U\@800000c0
    c:\windows\$NtUninstallKB19019$\1232927944\U\@800000cb
    c:\windows\$NtUninstallKB19019$\1232927944\U\@800000cf
    c:\windows\$NtUninstallKB19019$\1342089584
    c:\windows\system32\dds_log_trash.cmd
    c:\windows\system32\drivers\etc\hosts.ics
    c:\windows\system32\msssc.dll
    c:\windows\system32\ShellExt\CmdOpen.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-16 to 2012-02-16 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-16 03:48 . 2012-02-16 03:48 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-02-16 02:16 . 2012-02-16 02:16 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6B4C74D6-2004-48B9-9612-433B76A5D783}\MpKsl95b07c17.sys
    2012-02-16 01:17 . 2012-02-16 01:17 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6B4C74D6-2004-48B9-9612-433B76A5D783}\MpKsle97b1496.sys
    2012-02-15 02:35 . 2012-01-06 04:19 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6B4C74D6-2004-48B9-9612-433B76A5D783}\mpengine.dll
    2012-02-14 19:22 . 2012-02-15 03:29 -------- d-sh--w- c:\documents and settings\Rustam Khan\Local Settings\Application Data\497cfcc8
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-16 03:49 . 2009-04-26 23:41 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2012-01-31 12:44 . 2011-03-17 03:46 237072 -c----w- c:\windows\system32\MpSigStub.exe
    2012-01-06 04:19 . 2011-03-17 03:47 6557240 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-12-10 20:24 . 2011-03-06 22:58 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-25 21:57 . 2008-04-14 03:42 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:25 . 2009-04-26 23:41 1859584 ----a-w- c:\windows\system32\win32k.sys
    2008-08-16 22:42 . 2008-08-16 22:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2008-08-16 22:42 . 2008-08-16 22:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2008-08-16 22:42 . 2008-08-16 22:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2008-08-16 22:42 . 2008-08-16 22:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2008-08-16 22:43 . 2008-08-16 22:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2008-08-16 22:42 . 2008-08-16 22:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2008-08-16 22:42 . 2008-08-16 22:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2008-05-21 13:41 . 2008-05-21 13:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
    2008-05-21 13:41 . 2008-05-21 13:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
    2008-05-21 13:41 . 2008-05-21 13:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
    2008-06-05 18:58 . 2008-06-05 18:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2008-08-16 22:42 . 2008-08-16 22:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    2012-02-13 14:36 . 2011-11-12 23:10 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2009-04-26 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll
    [7] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\rpcss.dll
    .
    [-] 2009-04-26 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
    [7] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\services.exe
    .
    [-] 2009-04-26 23:41 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
    [7] 2008-04-14 09:41 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\ServicePackFiles\i386\es.dll
    .
    [-] 2009-04-26 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
    [7] 2008-04-14 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\kernel32.dll
    .
    [-] 2006-10-19 01:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinPatrol System Monitor"="c:\program files\BillP Studios\WinPatrol\WinPatrol.exe" [2011-03-16 325000]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WZCSLDR2"="c:\program files\D-Link\DWA-125 revA\WZCSLDR2.exe" [2009-10-19 122880]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2009-03-08 128512]
    .
    c:\documents and settings\Amara Khan\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
    "c:\\Program Files\\emesene\\emesene.exe"=
    "c:\\Program Files\\Rogers Online Protection\\Rogers Servicepoint Agent\\ServicepointService.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\Program Files\\yWorks\\yEd\\yEd.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Documents and Settings\\Amar Khan\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
    "c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
    "c:\\Program Files\\BillP Studios\\WinPatrol\\WinPatrol.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE"=
    "c:\\Program Files\\CCleaner\\CCleaner.exe"=
    "c:\\Program Files\\Common Files\\Java\\Java Update\\jaucheck.exe"=
    "c:\\Documents and Settings\\Amar Khan\\Desktop\\Computer cleanup\\tdsskiller.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "59027:TCP"= 59027:TCP:Pando Media Booster
    "59027:UDP"= 59027:UDP:Pando Media Booster
    "5985:TCP"= 5985:TCP:*isabled:Windows Remote Management
    .
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [13/04/2008 10:42 PM 14336]
    R2 ANPD;ANPD Service;c:\windows\system32\ANPD.SYS [01/04/2011 7:54 AM 29411]
    R2 D_Link_DWA-125_WPS;D_Link_DWA-125_WPS Service;c:\program files\D-Link\DWA-125 revA\ANIWConnService.exe [01/04/2011 7:54 AM 40960]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [06/03/2011 5:58 PM 652360]
    R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/01/2011 9:24 AM 993848]
    R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [10/01/2011 9:24 AM 399416]
    R2 ServicepointService;ServicepointService;c:\program files\Rogers Online Protection\Rogers Servicepoint Agent\ServicepointService.exe [22/01/2011 12:16 PM 689464]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [06/03/2011 5:58 PM 20464]
    S?2 D_Link_DWA-125;D_Link_DWA-125 Service;c:\program files\D-Link\DWA-125 revA\ANIWZCSdS.exe [01/04/2011 7:54 AM 126976]
    S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
    S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
    S1 ivnzxnbn;ivnzxnbn;\??\c:\windows\system32\drivers\ivnzxnbn.sys --> c:\windows\system32\drivers\ivnzxnbn.sys [?]
    S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [12/07/2010 4:33 AM 30432]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [12/07/2010 4:33 AM 30432]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [01/09/2010 3:30 AM 15544]
    S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [13/04/2008 10:42 PM 14336]
    S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [27/08/2011 1:31 PM 136176]
    S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [27/08/2011 1:31 PM 136176]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    Akamai REG_MULTI_SZ Akamai
    WINRM REG_MULTI_SZ WINRM
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    DCamUSBDXGTech
    PPPoEWin
    ESDCR
    prtg4service
    mdc8021x
    p2pimsvc
    lvckap
    sscdmdm
    tmxpflt
    pcandis5
    pnrouter
    admservice
    McciCMService
    elnkservice
    mssqlserverolapservice
    elbycdfl
    merakpop3
    ehsched
    REVOSENS
    dphost
    rnadirmultiplexor
    tm_cfw
    prismxl
    elagopro
    MSMQTriggers
    paamsrv
    olregcap
    mnsframework
    Epfwndis
    PSDNServ
    lanusb
    deckzpsx
    mnmsrvc
    SQTECH9080
    oracle_load_balancer_60_server-forms6i
    richvideo
    websenselogserver
    Pctspk
    UBHelper
    MREMP50
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-02-16 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mWindow Title =
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: rbc.com\remote
    Trusted Zone: rbc.com\remote-gcc
    TCP: DhcpNameServer = 10.168.122.1
    DPF: {08496B45-6BB1-4F92-A8E6-B9E7978634CB} - hxxps://remote-gcc.rbc.com/nortel_cacheable/TrustSite.cab
    DPF: {ACDB1787-986D-434D-9857-2172CDB2108D} - hxxps://remote-occ.rbc.com/nortel_cacheable/punblock.cab
    FF - ProfilePath - c:\documents and settings\Amar Khan\Application Data\Mozilla\Firefox\Profiles\ept078k1.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
    FF - prefs.js: keyword.URL - hxxp://ca.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_ca&p=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-99817428.sys
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2012-02-15 23:19
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
    "ServiceDll"="c:\program files\common files\akamai/netsession_win_7de0ed9.dll"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3900)
    c:\windows\system32\WININET.dll
    c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
    c:\program files\Citrix\ICA Client\ssonsvr.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\system32\imapi.exe
    .
    **************************************************************************
    .
    Completion time: 2012-02-15 23:20:57 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-02-16 04:20
    .
    Pre-Run: 209,143,521,280 bytes free
    Post-Run: 209,342,791,680 bytes free
    .
    - - End Of File - - BC989FD6E61D36AC1D85EF3FA720A711



    *********************** TdssKiller log *******************************

    22:47:44.0765 1868 TDSS rootkit removing tool 2.7.12.0 Feb 11 2012 16:58:52
    22:47:46.0765 1868 ============================================================
    22:47:46.0765 1868 Current date / time: 2012/02/15 22:47:46.0765
    22:47:46.0765 1868 SystemInfo:
    22:47:46.0765 1868
    22:47:46.0765 1868 OS Version: 5.1.2600 ServicePack: 3.0
    22:47:46.0765 1868 Product type: Workstation
    22:47:46.0765 1868 ComputerName: KHAN-B6140E7979
    22:47:46.0765 1868 UserName: Amar Khan
    22:47:46.0765 1868 Windows directory: C:\WINDOWS
    22:47:46.0765 1868 System windows directory: C:\WINDOWS
    22:47:46.0765 1868 Processor architecture: Intel x86
    22:47:46.0765 1868 Number of processors: 1
    22:47:46.0765 1868 Page size: 0x1000
    22:47:46.0765 1868 Boot type: Normal boot
    22:47:46.0765 1868 ============================================================
    22:47:48.0484 1868 Drive \Device\Harddisk0\DR0 - Size: 0x3A70C70000 (233.76 Gb), SectorSize: 0x200, Cylinders: 0x7733, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058
    22:47:48.0500 1868 \Device\Harddisk0\DR0:
    22:47:48.0500 1868 MBR used
    22:47:48.0500 1868 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1D37F873
    22:47:48.0500 1868 Initialize success
    22:47:48.0500 1868 ============================================================
    22:47:50.0890 3976 ============================================================
    22:47:50.0890 3976 Scan started
    22:47:50.0890 3976 Mode: Manual;
    22:47:50.0890 3976 ============================================================
    22:47:51.0296 3976 Abiosdsk - ok
    22:47:51.0328 3976 abp480n5 - ok
    22:47:51.0375 3976 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    22:47:51.0406 3976 ACPI - ok
    22:47:51.0437 3976 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    22:47:51.0437 3976 ACPIEC - ok
    22:47:51.0468 3976 adpu160m - ok
    22:47:51.0531 3976 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    22:47:51.0546 3976 aec - ok
    22:47:51.0593 3976 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
    22:47:51.0625 3976 AFD - ok
    22:47:51.0671 3976 Aha154x - ok
    22:47:51.0703 3976 aic78u2 - ok
    22:47:51.0734 3976 aic78xx - ok
    22:47:51.0890 3976 ALCXWDM (dd8520280304b6145a6be31008748c7c) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
    22:47:52.0062 3976 ALCXWDM - ok
    22:47:52.0156 3976 AliIde - ok
    22:47:52.0312 3976 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
    22:47:52.0343 3976 AmdK8 - ok
    22:47:52.0562 3976 amsint - ok
    22:47:52.0609 3976 ANPD (d33b28d9ed695ccf9520d70d825f9d85) C:\WINDOWS\system32\ANPD.sys
    22:47:52.0609 3976 ANPD - ok
    22:47:52.0671 3976 asc - ok
    22:47:52.0687 3976 asc3350p - ok
    22:47:52.0718 3976 asc3550 - ok
    22:47:52.0734 3976 AsIO (19a1dac5bc607c212e8a94c05886ed52) C:\WINDOWS\system32\drivers\AsIO.sys
    22:47:52.0750 3976 AsIO - ok
    22:47:52.0875 3976 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    22:47:52.0906 3976 AsyncMac - ok
    22:47:53.0062 3976 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys
    22:47:53.0093 3976 atapi - ok
    22:47:53.0171 3976 Atdisk - ok
    22:47:53.0218 3976 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    22:47:53.0218 3976 audstub - ok
    22:47:53.0265 3976 Avgfwdx (0c5941af0b6bf2fdf378937392865217) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
    22:47:53.0265 3976 Avgfwdx - ok
    22:47:53.0281 3976 Avgfwfd (0c5941af0b6bf2fdf378937392865217) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
    22:47:53.0281 3976 Avgfwfd - ok
    22:47:53.0312 3976 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    22:47:53.0312 3976 Beep - ok
    22:47:53.0359 3976 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    22:47:53.0359 3976 cbidf2k - ok
    22:47:53.0437 3976 cd20xrnt - ok
    22:47:53.0453 3976 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    22:47:53.0453 3976 Cdaudio - ok
    22:47:53.0515 3976 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    22:47:53.0515 3976 Cdfs - ok
    22:47:53.0562 3976 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    22:47:53.0593 3976 Cdrom - ok
    22:47:53.0609 3976 Changer - ok
    22:47:53.0640 3976 CmdIde - ok
    22:47:53.0671 3976 Cpqarray - ok
    22:47:53.0703 3976 dac2w2k - ok
    22:47:53.0734 3976 dac960nt - ok
    22:47:53.0781 3976 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    22:47:53.0781 3976 Disk - ok
    22:47:53.0812 3976 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    22:47:53.0843 3976 dmboot - ok
    22:47:53.0890 3976 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    22:47:53.0906 3976 dmio - ok
    22:47:53.0968 3976 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    22:47:53.0968 3976 dmload - ok
    22:47:54.0000 3976 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    22:47:54.0000 3976 DMusic - ok
    22:47:54.0031 3976 dpti2o - ok
    22:47:54.0062 3976 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    22:47:54.0062 3976 drmkaud - ok
    22:47:54.0109 3976 EagleNT - ok
    22:47:54.0187 3976 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    22:47:54.0203 3976 Fastfat - ok
    22:47:54.0234 3976 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    22:47:54.0234 3976 Fdc - ok
    22:47:54.0265 3976 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    22:47:54.0265 3976 Fips - ok
    22:47:54.0296 3976 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    22:47:54.0296 3976 Flpydisk - ok
    22:47:54.0343 3976 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    22:47:54.0375 3976 FltMgr - ok
    22:47:54.0421 3976 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    22:47:54.0421 3976 Fs_Rec - ok
    22:47:54.0453 3976 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    22:47:54.0468 3976 Ftdisk - ok
    22:47:54.0500 3976 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
    22:47:54.0500 3976 gameenum - ok
    22:47:54.0562 3976 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    22:47:54.0562 3976 GEARAspiWDM - ok
    22:47:54.0562 3976 GMSIPCI - ok
    22:47:54.0609 3976 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    22:47:54.0625 3976 Gpc - ok
    22:47:54.0671 3976 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    22:47:54.0687 3976 hidusb - ok
    22:47:54.0718 3976 hpn - ok
    22:47:54.0750 3976 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
    22:47:54.0750 3976 HPZid412 - ok
    22:47:54.0843 3976 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
    22:47:54.0843 3976 HPZipr12 - ok
    22:47:54.0875 3976 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
    22:47:54.0875 3976 HPZius12 - ok
    22:47:55.0703 3976 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    22:47:55.0718 3976 HTTP - ok
    22:47:56.0156 3976 i2omgmt - ok
    22:47:56.0187 3976 i2omp - ok
    22:47:56.0218 3976 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    22:47:56.0218 3976 i8042prt - ok
    22:47:56.0265 3976 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    22:47:56.0265 3976 Imapi - ok
    22:47:56.0296 3976 ini910u - ok
    22:47:56.0328 3976 IntelIde - ok
    22:47:56.0359 3976 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    22:47:56.0359 3976 Ip6Fw - ok
    22:47:56.0390 3976 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    22:47:56.0390 3976 IpFilterDriver - ok
    22:47:56.0421 3976 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    22:47:56.0421 3976 IpInIp - ok
    22:47:56.0453 3976 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    22:47:56.0468 3976 IpNat - ok
    22:47:56.0500 3976 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    22:47:56.0562 3976 IPSec - ok
    22:47:56.0593 3976 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    22:47:56.0593 3976 IRENUM - ok
    22:47:56.0625 3976 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    22:47:56.0625 3976 isapnp - ok
    22:47:56.0656 3976 ivnzxnbn - ok
    22:47:56.0687 3976 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    22:47:56.0687 3976 Kbdclass - ok
    22:47:56.0734 3976 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    22:47:56.0765 3976 kmixer - ok
    22:47:56.0812 3976 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    22:47:56.0812 3976 KSecDD - ok
    22:47:56.0843 3976 lbrtfdc - ok
    22:47:56.0906 3976 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
    22:47:56.0906 3976 MBAMProtector - ok
    22:47:57.0015 3976 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    22:47:57.0031 3976 Modem - ok
    22:47:57.0062 3976 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    22:47:57.0062 3976 Mouclass - ok
    22:47:57.0093 3976 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    22:47:57.0109 3976 mouhid - ok
    22:47:57.0140 3976 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    22:47:57.0140 3976 MountMgr - ok
    22:47:57.0187 3976 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
    22:47:57.0187 3976 MpFilter - ok
    22:47:57.0281 3976 MpKsl9566dd68 (a69630d039c38018689190234f866d77) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6B4C74D6-2004-48B9-9612-433B76A5D783}\MpKsl9566dd68.sys
    22:47:57.0281 3976 MpKsl9566dd68 - ok
    22:47:57.0390 3976 mraid35x - ok
    22:47:57.0640 3976 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    22:47:57.0640 3976 MRxDAV - ok
    22:47:57.0781 3976 MRxSmb (3de9c4252c94d5233f00a917327f9fe4) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    22:47:57.0781 3976 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\mrxsmb.sys. Real md5: 3de9c4252c94d5233f00a917327f9fe4, Fake md5: 7d304a5eb4344ebeeab53a2fe3ffb9f0
    22:47:57.0796 3976 MRxSmb ( Virus.Win32.ZAccess.aml ) - infected
    22:47:57.0796 3976 MRxSmb - detected Virus.Win32.ZAccess.aml (0)
    22:47:57.0828 3976 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    22:47:57.0828 3976 Msfs - ok
    22:47:57.0875 3976 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    22:47:57.0875 3976 MSKSSRV - ok
    22:47:57.0937 3976 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    22:47:57.0937 3976 MSPCLOCK - ok
    22:47:57.0968 3976 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    22:47:57.0968 3976 MSPQM - ok
    22:47:58.0000 3976 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    22:47:58.0000 3976 mssmbios - ok
    22:47:58.0031 3976 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys
    22:47:58.0031 3976 ms_mpu401 - ok
    22:47:58.0078 3976 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
    22:47:58.0093 3976 MTsensor - ok
    22:47:58.0156 3976 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
    22:47:58.0156 3976 Mup - ok
    22:47:58.0218 3976 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    22:47:58.0218 3976 NDIS - ok
    22:47:58.0265 3976 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    22:47:58.0265 3976 NdisTapi - ok
    22:47:58.0296 3976 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    22:47:58.0296 3976 Ndisuio - ok
    22:47:58.0343 3976 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    22:47:58.0359 3976 NdisWan - ok
    22:47:58.0390 3976 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    22:47:58.0390 3976 NDProxy - ok
    22:47:58.0437 3976 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    22:47:58.0437 3976 NetBIOS - ok
    22:47:58.0468 3976 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    22:47:58.0515 3976 NetBT - ok
    22:47:58.0625 3976 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    22:47:58.0625 3976 Npfs - ok
    22:47:58.0671 3976 npkcrypt - ok
    22:47:58.0718 3976 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    22:47:58.0750 3976 Ntfs - ok
    22:47:58.0796 3976 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    22:47:58.0796 3976 Null - ok
    22:47:59.0015 3976 nv (4f15e1e56703f59c0ac00022162e5308) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    22:47:59.0359 3976 nv - ok
    22:47:59.0390 3976 nvata (0344aa9113dc16eec379f4652020849d) C:\WINDOWS\system32\DRIVERS\nvata.sys
    22:47:59.0453 3976 nvata - ok
    22:47:59.0609 3976 nvatabus (e4f1f95a6bbbfbbff9a713c6063aa2cb) C:\WINDOWS\system32\DRIVERS\nvatabus.sys
    22:47:59.0609 3976 nvatabus - ok
    22:47:59.0640 3976 NVENETFD (7d275ecda4628318912f6c945d5cf963) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
    22:47:59.0671 3976 NVENETFD - ok
    22:47:59.0781 3976 nvgts (ea98bfe4931bd13d747d647c1859796e) C:\WINDOWS\system32\DRIVERS\nvgts.sys
    22:47:59.0796 3976 nvgts - ok
    22:47:59.0906 3976 nvnetbus (b64aacefad2be5bff5353fe681253c67) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
    22:47:59.0937 3976 nvnetbus - ok
    22:48:00.0093 3976 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    22:48:00.0109 3976 Parport - ok
    22:48:00.0281 3976 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    22:48:00.0281 3976 PartMgr - ok
    22:48:00.0328 3976 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    22:48:00.0328 3976 ParVdm - ok
    22:48:00.0359 3976 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    22:48:00.0390 3976 PCI - ok
    22:48:00.0421 3976 PCIDump - ok
    22:48:00.0453 3976 PCIIde - ok
    22:48:00.0468 3976 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    22:48:00.0468 3976 Pcmcia - ok
    22:48:00.0515 3976 PDCOMP - ok
    22:48:00.0546 3976 PDFRAME - ok
    22:48:00.0578 3976 PDRELI - ok
    22:48:00.0609 3976 PDRFRAME - ok
    22:48:00.0625 3976 perc2 - ok
    22:48:00.0656 3976 perc2hib - ok
    22:48:00.0718 3976 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    22:48:00.0718 3976 PptpMiniport - ok
    22:48:00.0750 3976 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    22:48:00.0750 3976 Processor - ok
    22:48:00.0796 3976 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    22:48:00.0812 3976 PSched - ok
    22:48:00.0859 3976 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
    22:48:00.0859 3976 PSI - ok
    22:48:00.0875 3976 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    22:48:00.0875 3976 Ptilink - ok
    22:48:00.0921 3976 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    22:48:00.0921 3976 PxHelp20 - ok
    22:48:00.0953 3976 ql1080 - ok
    22:48:00.0984 3976 Ql10wnt - ok
    22:48:01.0015 3976 ql12160 - ok
    22:48:01.0031 3976 ql1240 - ok
    22:48:01.0062 3976 ql1280 - ok
    22:48:01.0093 3976 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    22:48:01.0093 3976 RasAcd - ok
    22:48:01.0140 3976 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    22:48:01.0140 3976 Rasl2tp - ok
    22:48:01.0171 3976 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    22:48:01.0171 3976 RasPppoe - ok
    22:48:01.0203 3976 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    22:48:01.0203 3976 Raspti - ok
    22:48:01.0234 3976 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    22:48:01.0296 3976 Rdbss - ok
    22:48:01.0343 3976 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    22:48:01.0343 3976 RDPCDD - ok
    22:48:01.0390 3976 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    22:48:01.0421 3976 rdpdr - ok
    22:48:01.0468 3976 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
    22:48:01.0484 3976 RDPWD - ok
    22:48:01.0515 3976 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    22:48:01.0546 3976 redbook - ok
    22:48:01.0640 3976 rt2870 (ad0bad5d585afc1cb1cd5eafcae50ed4) C:\WINDOWS\system32\DRIVERS\Drt2870.sys
    22:48:01.0671 3976 rt2870 - ok
    22:48:01.0781 3976 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    22:48:01.0796 3976 Secdrv - ok
    22:48:01.0828 3976 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    22:48:01.0828 3976 serenum - ok
    22:48:01.0859 3976 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    22:48:01.0906 3976 Serial - ok
    22:48:01.0968 3976 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    22:48:01.0968 3976 Sfloppy - ok
    22:48:02.0000 3976 Simbad - ok
    22:48:02.0031 3976 Sparrow - ok
    22:48:02.0062 3976 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    22:48:02.0062 3976 splitter - ok
    22:48:02.0125 3976 Sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    22:48:02.0125 3976 Sr - ok
    22:48:02.0187 3976 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    22:48:02.0203 3976 Srv - ok
    22:48:02.0250 3976 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    22:48:02.0250 3976 swenum - ok
    22:48:02.0281 3976 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    22:48:02.0281 3976 swmidi - ok
    22:48:02.0312 3976 symc810 - ok
    22:48:02.0343 3976 symc8xx - ok
    22:48:02.0375 3976 sym_hi - ok
    22:48:02.0406 3976 sym_u3 - ok
    22:48:02.0437 3976 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    22:48:02.0437 3976 sysaudio - ok
    22:48:02.0484 3976 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    22:48:02.0515 3976 Tcpip - ok
    22:48:02.0562 3976 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    22:48:02.0562 3976 TDPIPE - ok
    22:48:02.0593 3976 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    22:48:02.0593 3976 TDTCP - ok
    22:48:02.0625 3976 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    22:48:02.0625 3976 TermDD - ok
    22:48:02.0656 3976 TfFsMon - ok
    22:48:02.0687 3976 TfNetMon - ok
    22:48:02.0718 3976 TfSysMon - ok
    22:48:02.0750 3976 TosIde - ok
    22:48:02.0781 3976 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    22:48:02.0781 3976 Udfs - ok
    22:48:02.0812 3976 ultra - ok
    22:48:02.0875 3976 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    22:48:02.0890 3976 Update - ok
    22:48:02.0937 3976 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    22:48:02.0937 3976 usbccgp - ok
    22:48:02.0968 3976 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    22:48:02.0968 3976 usbehci - ok
    22:48:03.0000 3976 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    22:48:03.0000 3976 usbhub - ok
    22:48:03.0031 3976 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
    22:48:03.0046 3976 usbohci - ok
    22:48:03.0078 3976 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    22:48:03.0078 3976 usbprint - ok
    22:48:03.0140 3976 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    22:48:03.0140 3976 usbscan - ok
    22:48:03.0187 3976 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    22:48:03.0187 3976 usbstor - ok
    22:48:03.0218 3976 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    22:48:03.0218 3976 VgaSave - ok
    22:48:03.0250 3976 ViaIde - ok
    22:48:03.0281 3976 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    22:48:03.0296 3976 VolSnap - ok
    22:48:03.0328 3976 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    22:48:03.0328 3976 Wanarp - ok
    22:48:03.0359 3976 WDICA - ok
    22:48:03.0421 3976 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    22:48:03.0437 3976 wdmaud - ok
    22:48:03.0578 3976 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
    22:48:03.0578 3976 WpdUsb - ok
    22:48:03.0625 3976 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    22:48:03.0625 3976 WS2IFSL - ok
    22:48:03.0671 3976 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    22:48:03.0671 3976 WudfPf - ok
    22:48:03.0703 3976 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    22:48:03.0703 3976 WudfRd - ok
    22:48:03.0718 3976 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    22:48:03.0828 3976 \Device\Harddisk0\DR0 - ok
    22:48:03.0828 3976 Boot (0x1200) (868853a8911ac245aa84a92632755693) \Device\Harddisk0\DR0\Partition0
    22:48:03.0828 3976 \Device\Harddisk0\DR0\Partition0 - ok
    22:48:03.0843 3976 ============================================================
    22:48:03.0843 3976 Scan finished
    22:48:03.0843 3976 ============================================================
    22:48:03.0843 3968 Detected object count: 1
    22:48:03.0843 3968 Actual detected object count: 1
    22:48:26.0734 3968 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys - copied to quarantine
    22:48:27.0078 3968 Backup copy found, using it..
    22:48:27.0156 3968 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys - will be cured on reboot
    22:48:29.0875 3968 MRxSmb ( Virus.Win32.ZAccess.aml ) - User select action: Cure
    22:48:52.0828 3552 Deinitialize success

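The entry in the TDSSKiller log above that matters for triage is the "Suspicious file (Forged)" line: the tool reports two different MD5s for mrxsmb.sys, one labelled Real and one labelled Fake, and then names the detection. As an added example (not part of the original post and not TDSSKiller's own code), here is a small Python parser that pulls the flagged services, the Real/Fake MD5 pair and the threat name out of a TDSSKiller log and cross-checks its own count against the tool's "Detected object count" line. The sample input is constructed from a few lines in the shape of the log posted above; the regexes are written against that shape and are an assumption about the format, not a published specification.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: a handful of lines in the shape of the TDSSKiller
# log posted in this thread (the mrxsmb.sys hashes and paths are the ones shown there).
SAMPLE_LOG = r"""22:47:57.0781 3976 MRxSmb (3de9c4252c94d5233f00a917327f9fe4) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
22:47:57.0781 3976 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\mrxsmb.sys. Real md5: 3de9c4252c94d5233f00a917327f9fe4, Fake md5: 7d304a5eb4344ebeeab53a2fe3ffb9f0
22:47:57.0796 3976 MRxSmb ( Virus.Win32.ZAccess.aml ) - infected
22:47:57.0796 3976 MRxSmb - detected Virus.Win32.ZAccess.aml (0)
22:47:57.0828 3976 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
22:47:57.0828 3976 Msfs - ok
22:48:03.0843 3968 Detected object count: 1
"""

# Every line starts with a timestamp and a thread id; the rest is the message body.
# These patterns are assumptions derived from the log shape above.
PREFIX_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ \d+ (?P<body>.*)$")
DRIVER_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})"
)
DETECT_RE = re.compile(r"^(?P<name>\S+) - detected (?P<threat>\S+) \(\d+\)$")
INFECT_RE = re.compile(r"^(?P<name>\S+) \( (?P<threat>\S+) \) - infected$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")


@dataclass
class Finding:
    service: str
    path: Optional[str] = None
    md5: Optional[str] = None        # hash printed on the service's own line
    real_md5: Optional[str] = None   # "Real md5" as labelled by the tool
    fake_md5: Optional[str] = None   # "Fake md5" as labelled by the tool
    threat: Optional[str] = None

    @property
    def forged(self) -> bool:
        """True when the tool saw two different hashes for the same file."""
        return self.real_md5 is not None and self.real_md5 != self.fake_md5


def parse_tdsskiller(text: str) -> List[Finding]:
    """Return the services TDSSKiller flagged (forged hash or named threat), in log order."""
    by_name: Dict[str, Finding] = {}
    by_path: Dict[str, Finding] = {}

    def get(name: str) -> Finding:
        return by_name.setdefault(name, Finding(service=name))

    for line in text.splitlines():
        pm = PREFIX_RE.match(line.strip())
        if not pm:
            continue
        body = pm.group("body")
        if m := DRIVER_RE.match(body):
            f = get(m["name"])
            f.md5, f.path = m["md5"], m["path"]
            by_path[m["path"].lower()] = f       # Windows paths: compare case-insensitively
        elif m := FORGED_RE.match(body):
            f = by_path.get(m["path"].lower()) or get(m["path"])
            f.real_md5, f.fake_md5 = m["real"], m["fake"]
        elif m := (DETECT_RE.match(body) or INFECT_RE.match(body)):
            get(m["name"]).threat = m["threat"]
    return [f for f in by_name.values() if f.threat or f.forged]


def detected_count(text: str) -> Optional[int]:
    """The tool's own 'Detected object count', used to cross-check the parse."""
    for line in text.splitlines():
        pm = PREFIX_RE.match(line.strip())
        if pm and (m := COUNT_RE.match(pm.group("body"))):
            return int(m["n"])
    return None


def report(text: str) -> str:
    """One line per flagged service, plus a warning if our count disagrees with the tool's."""
    findings = parse_tdsskiller(text)
    out = []
    for f in findings:
        tag = "FORGED" if f.forged else "      "
        out.append(f"{tag} {f.service:<12} {f.threat or '-':<28} {f.path or '-'}")
        if f.forged:
            out.append(f"       real md5 {f.real_md5}  fake md5 {f.fake_md5}")
    n = detected_count(text)
    if n is not None and n != len(findings):
        out.append(f"WARNING: parsed {len(findings)} finding(s) but the tool reported {n}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Point `report()` at the full text of a saved TDSSKiller log instead of `SAMPLE_LOG` to get the same summary for a real scan; a count mismatch means the log contains a detection shape the regexes above do not cover and is worth reading by hand.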
  6. #6
    Member Spyware Fighter
    Join Date
    Jun 2010
    Location
    Bement,Ill USA
    Posts
    1,340
    Points
    146


    Hello,

    It looks like Combofix did its job. Let's run a couple of other scanners to make sure there are no leftovers. Could you also please post the Attach.txt portion of the DDS log.



    1.
    Please download Malwarebytes Anti-Malware and save it to your desktop.
    • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.

    Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

    • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
      For instructions with screenshots, please refer to this Guide.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself. Press the OK button and continue.
    • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

    • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
    • Click on the Scan button.
    • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked and then click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab.
    • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
    • Exit Malwarebytes when done.

    Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.


    2.
    I'd like us to scan your machine with ESET OnlineScan
    1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check "YES, I accept the Terms of Use."
    5. Click the Start button.
    6. Accept any security warnings from your browser.
    7. Under scan settings, check "Scan Archives" and "Remove found threats"
    8. Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology
    9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    10. When the scan completes, click List Threats
    11. Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    12. Click the Back button.
    13. Click the Finish button.



    Things to include in your next reply:
    MBAm log
    Eset log
    Attach.txt
    How is your computer running now?
    " Extinguishing Malware from the world"

    The Spyware Help forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.
    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
    Thanks-




  7. #7
    Member
    Join Date
    Mar 2011
    Posts
    27
    Points
    0


    My system detected another virus: Exploit:Java/Blacole.DW etc. But upon running the Malware and Eset scan, the virus seems to have disappeared. The requested logs are printed below:

    ************************** MBAm log ****************************

    Malwarebytes Anti-Malware (Trial) 1.60.1.1000
    Malwarebytes : Free anti-malware, anti-virus and spyware removal download

    Database version: v2012.02.15.03

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Amar Khan :: KHAN-B6140E7979 [administrator]

    Protection: Disabled

    16/02/2012 8:23:45 AM
    mbam-log-2012-02-16 (08-23-45).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 242528
    Time elapsed: 5 minute(s), 5 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Documents and Settings\Kai\Local Settings\temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Quarantined and deleted successfully.

    (end)



    ************************** Eset log **************************

    C:\Documents and Settings\Rustam Khan\Application Data\Sun\Java\Deployment\cache\6.0\61\5591133d-33e5c4df a variant of Java/Agent.DU trojan deleted - quarantined
    C:\System Volume Information\_restore{A030B270-1E64-4A0F-8646-CF5911E73AA9}\RP304\A0025621.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A030B270-1E64-4A0F-8646-CF5911E73AA9}\RP304\A0025631.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A030B270-1E64-4A0F-8646-CF5911E73AA9}\RP304\A0025642.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A030B270-1E64-4A0F-8646-CF5911E73AA9}\RP304\A0025652.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A030B270-1E64-4A0F-8646-CF5911E73AA9}\RP305\A0025685.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A030B270-1E64-4A0F-8646-CF5911E73AA9}\RP305\A0025695.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A030B270-1E64-4A0F-8646-CF5911E73AA9}\RP305\A0025703.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A030B270-1E64-4A0F-8646-CF5911E73AA9}\RP305\A0025717.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A030B270-1E64-4A0F-8646-CF5911E73AA9}\RP305\A0025726.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A030B270-1E64-4A0F-8646-CF5911E73AA9}\RP305\A0026725.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A030B270-1E64-4A0F-8646-CF5911E73AA9}\RP305\A0026741.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A030B270-1E64-4A0F-8646-CF5911E73AA9}\RP305\A0026750.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A030B270-1E64-4A0F-8646-CF5911E73AA9}\RP305\A0026797.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A030B270-1E64-4A0F-8646-CF5911E73AA9}\RP305\A0026805.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A030B270-1E64-4A0F-8646-CF5911E73AA9}\RP305\A0026816.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A030B270-1E64-4A0F-8646-CF5911E73AA9}\RP305\A0026828.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A030B270-1E64-4A0F-8646-CF5911E73AA9}\RP305\A0027828.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A030B270-1E64-4A0F-8646-CF5911E73AA9}\RP305\A0028827.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A030B270-1E64-4A0F-8646-CF5911E73AA9}\RP305\A0029827.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A030B270-1E64-4A0F-8646-CF5911E73AA9}\RP305\A0029842.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{A030B270-1E64-4A0F-8646-CF5911E73AA9}\RP305\A0030841.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\15.02.2012_22.47.46\rtkt0000\svc0000\tsk0000.dta Win32/Sirefef.DA trojan cleaned by deleting - quarantined



    ********************** Attach.txt *********************************

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 26/08/2009 11:03:00 PM
    System Uptime: 15/02/2012 8:14:56 PM (0 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | A8N-SLI SE
    Processor: AMD Athlon(tm) 64 Processor 3200+ | Socket 939 | 2010/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 234 GiB total, 194.72 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP224: 18/11/2011 2:51:18 PM - Software Distribution Service 3.0
    RP225: 19/11/2011 3:58:07 PM - Software Distribution Service 3.0
    RP226: 20/11/2011 7:42:31 PM - Software Distribution Service 3.0
    RP227: 21/11/2011 7:51:44 PM - Software Distribution Service 3.0
    RP228: 22/11/2011 9:36:09 PM - Software Distribution Service 3.0
    RP229: 23/11/2011 10:01:35 PM - Software Distribution Service 3.0
    RP230: 25/11/2011 10:05:07 AM - Software Distribution Service 3.0
    RP231: 26/11/2011 10:21:01 AM - Software Distribution Service 3.0
    RP232: 27/11/2011 10:25:39 AM - Software Distribution Service 3.0
    RP233: 28/11/2011 10:34:41 AM - Software Distribution Service 3.0
    RP234: 29/11/2011 3:38:07 PM - Software Distribution Service 3.0
    RP235: 30/11/2011 7:50:17 PM - Software Distribution Service 3.0
    RP236: 02/12/2011 11:05:21 AM - Software Distribution Service 3.0
    RP237: 03/12/2011 12:36:49 PM - Software Distribution Service 3.0
    RP238: 04/12/2011 4:11:35 PM - Software Distribution Service 3.0
    RP239: 05/12/2011 7:04:52 PM - Software Distribution Service 3.0
    RP240: 07/12/2011 10:55:43 AM - Software Distribution Service 3.0
    RP241: 08/12/2011 11:37:42 AM - Software Distribution Service 3.0
    RP242: 09/12/2011 3:12:04 PM - Software Distribution Service 3.0
    RP243: 10/12/2011 5:57:42 PM - Software Distribution Service 3.0
    RP244: 11/12/2011 7:11:01 PM - Software Distribution Service 3.0
    RP245: 13/12/2011 10:02:44 AM - Software Distribution Service 3.0
    RP246: 14/12/2011 10:45:47 AM - Software Distribution Service 3.0
    RP247: 14/12/2011 11:20:48 PM - Software Distribution Service 3.0
    RP248: 15/12/2011 1:18:25 PM - Software Distribution Service 3.0
    RP249: 16/12/2011 1:55:53 PM - Software Distribution Service 3.0
    RP250: 18/12/2011 9:26:51 AM - Software Distribution Service 3.0
    RP251: 19/12/2011 10:04:55 AM - Software Distribution Service 3.0
    RP252: 20/12/2011 10:10:02 AM - Software Distribution Service 3.0
    RP253: 21/12/2011 12:41:20 PM - Software Distribution Service 3.0
    RP254: 22/12/2011 3:17:31 PM - Software Distribution Service 3.0
    RP255: 23/12/2011 4:19:53 PM - Software Distribution Service 3.0
    RP256: 25/12/2011 3:32:26 PM - Software Distribution Service 3.0
    RP257: 26/12/2011 6:07:35 PM - Software Distribution Service 3.0
    RP258: 27/12/2011 7:54:34 PM - System Checkpoint
    RP259: 28/12/2011 11:15:16 AM - Software Distribution Service 3.0
    RP260: 29/12/2011 11:57:32 AM - Software Distribution Service 3.0
    RP261: 30/12/2011 3:33:15 PM - Software Distribution Service 3.0
    RP262: 31/12/2011 5:35:22 PM - Software Distribution Service 3.0
    RP263: 01/01/2012 3:54:18 PM - Software Distribution Service 3.0
    RP264: 01/01/2012 6:07:45 PM - Software Distribution Service 3.0
    RP265: 02/01/2012 7:10:34 PM - Software Distribution Service 3.0
    RP266: 03/01/2012 7:44:24 PM - Software Distribution Service 3.0
    RP267: 05/01/2012 10:27:41 AM - Software Distribution Service 3.0
    RP268: 06/01/2012 11:00:38 AM - Software Distribution Service 3.0
    RP269: 07/01/2012 12:35:54 PM - Software Distribution Service 3.0
    RP270: 08/01/2012 12:42:58 PM - Software Distribution Service 3.0
    RP271: 09/01/2012 1:58:37 PM - Software Distribution Service 3.0
    RP272: 10/01/2012 4:17:38 PM - Software Distribution Service 3.0
    RP273: 11/01/2012 7:44:15 PM - Software Distribution Service 3.0
    RP274: 11/01/2012 10:30:16 PM - Software Distribution Service 3.0
    RP275: 12/01/2012 8:23:27 PM - Software Distribution Service 3.0
    RP276: 13/01/2012 9:39:20 PM - Software Distribution Service 3.0
    RP277: 15/01/2012 12:08:23 PM - Software Distribution Service 3.0
    RP278: 17/01/2012 10:36:43 AM - Software Distribution Service 3.0
    RP279: 18/01/2012 11:41:53 AM - Software Distribution Service 3.0
    RP280: 19/01/2012 2:09:49 PM - Installed Citrix XenApp Plugin for Hosted Apps
    RP281: 19/01/2012 2:11:26 PM - Software Distribution Service 3.0
    RP282: 20/01/2012 5:45:45 PM - Software Distribution Service 3.0
    RP283: 21/01/2012 8:51:04 PM - Software Distribution Service 3.0
    RP284: 23/01/2012 8:45:25 AM - Software Distribution Service 3.0
    RP285: 24/01/2012 9:57:00 AM - Software Distribution Service 3.0
    RP286: 24/01/2012 11:17:42 AM - Software Distribution Service 3.0
    RP287: 25/01/2012 10:02:49 AM - Software Distribution Service 3.0
    RP288: 26/01/2012 10:42:24 AM - Software Distribution Service 3.0
    RP289: 28/01/2012 9:30:18 AM - Software Distribution Service 3.0
    RP290: 29/01/2012 10:30:13 AM - Software Distribution Service 3.0
    RP291: 30/01/2012 2:17:44 PM - Software Distribution Service 3.0
    RP292: 31/01/2012 2:59:50 PM - Software Distribution Service 3.0
    RP293: 01/02/2012 8:58:47 PM - Software Distribution Service 3.0
    RP294: 02/02/2012 9:50:33 PM - Software Distribution Service 3.0
    RP295: 04/02/2012 12:54:30 PM - Software Distribution Service 3.0
    RP296: 05/02/2012 2:09:35 PM - Software Distribution Service 3.0
    RP297: 05/02/2012 7:53:27 PM - Installed StudioTax 2011
    RP298: 06/02/2012 8:21:23 PM - Software Distribution Service 3.0
    RP299: 08/02/2012 11:27:51 AM - Software Distribution Service 3.0
    RP300: 09/02/2012 11:43:16 AM - System Checkpoint
    RP301: 09/02/2012 6:22:47 PM - Software Distribution Service 3.0
    RP302: 11/02/2012 10:55:49 AM - Software Distribution Service 3.0
    RP303: 12/02/2012 11:11:59 AM - Software Distribution Service 3.0
    RP304: 13/02/2012 6:12:34 PM - Software Distribution Service 3.0
    RP305: 14/02/2012 9:34:58 PM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    32 Bit HP CIO Components Installer
    4500_Help
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Reader X (10.1.2)
    Adobe Shockwave Player 11.5
    Akamai NetSession Interface
    Akamai NetSession Interface Service
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Applian FLV Player
    AsusUpdate
    Athlon 64 Processor Driver
    Bonjour
    BPD_HPSU
    bpd_scan
    BPDSoftware
    BPDSoftware_Ini
    Broadcom 440x 10/100 Integrated Controller
    BufferChm
    CCleaner
    Citrix XenApp Plugin for Hosted Apps
    Cool & Quiet
    CustomerResearchQFolder
    D-Link DWA-125
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DivX Setup
    DocMgr
    DocProc
    DocProcQFolder
    Emesene
    eSupportQFolder
    Facebook Plug-In
    Fax
    Google Earth Plug-in
    Google Update Helper
    GPBaseService
    HashCheck Shell Extension (x86-32)
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Customer Participation Program 10.0
    HP Document Manager 1.0
    HP Imaging Device Functions 10.0
    HP Officejet J4500 Series
    HP Photosmart Essential 2.5
    HP Smart Web Printing 4.60
    HP Solution Center 10.0
    HP Update
    HPProductAssistant
    HPSSupply
    ijji REACTOR
    iTunes
    J4500
    Java Auto Updater
    Java(TM) 6 Update 24
    JDownloader
    LanguageTool
    Malwarebytes Anti-Malware version 1.60.1.1000
    MarketResearch
    MetaFrame Presentation Server Web Client for Win32
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Live Add-in 1.3
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Mozilla Firefox 10.0.1 (x86 en-GB)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MyDefrag v4.3.1
    NVIDIA Drivers
    NVIDIA nTune
    NVIDIA nView Desktop Manager
    OCR Software by I.R.I.S. 10.0
    Open Command Prompt Shell Extension (x86-32)
    Paint.NET v3.36
    Pando Media Booster
    PC Probe II
    ProductContext
    PSSWCORE
    Realtek AC'97 Audio
    Rogers Servicepoint Agent 3.7.44
    RPS CRT
    Scan
    Secunia PSI (2.0.0.3001)
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Groove 2007 (KB2552997)
    Security Update for Microsoft Office InfoPath 2007 (KB2510061)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 7 (KB2183461)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB2416400)
    Security Update for Windows Internet Explorer 7 (KB2482017)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982381)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Segoe UI
    Shop for HP Supplies
    SmartDraw 2012
    SmartWebPrinting
    SolutionCenter
    SpywareBlaster 4.4
    Status
    StudioTax 2008
    StudioTax 2009
    StudioTax 2010
    StudioTax 2011
    System Requirements Lab
    TextPad 5
    Toolbox
    TrayApp
    Unity Web Player
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 (KB2583910)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    Update for Windows XP (KB980182)
    VC80CRTRedist - 8.0.50727.4053
    VideoToolkit01
    WebReg
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Live Writer
    Windows Management Framework Core
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player Firefox Plugin
    WinPatrol
    WinRAR archiver
    Xvid 1.2.2 final uninstall
    yEd Graph Editor
    yEd Graph Editor 3.7.0.2
    .
    ==== Event Viewer Messages From Past Week ========
    .
    14/02/2012 9:48:20 PM, error: Sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    14/02/2012 11:48:23 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    14/02/2012 11:09:59 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    14/02/2012 11:09:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    14/02/2012 10:11:01 PM, error: nvgts [5] - A parity error was detected on \Device\Scsi\nvgts2.
    14/02/2012 10:08:35 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    .
    ==== End Of File ===========================

  8. #8
    Member Spyware Fighter
    Join Date
    Jun 2010
    Location
    Bement,Ill USA
    Posts
    1,340
    Points
    146

    Default

    Hello,


    1.
    Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
    • Look for "Java Platform, Standard Edition".
    • Click the "Download JRE" button to the right.
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • From the list, select your OS and Platform (32-bit or 64-bit).
    • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.

    Go to > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
    • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    • When the Java Setup - Welcome window opens, click the Install > button.
    • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
    • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.

    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
    To disable the JQS service if you don't want to use it:
    • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
    • Click Ok and reboot your computer.



    2.
    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3.
    Please run MalwareBytes again; we like to see all 0's.


    Things to include in your next reply:
    FSS.txt
    MBAM log
    How is your machine running now?
    " Extinguishing Malware from the world"

    The Spyware Help forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.
    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
    Thanks-




  9. #9
    Member
    Join Date
    Mar 2011
    Posts
    27
    Points
    0

    Default

    Machine is running fine. No new viruses to report.

    The logs are printed below:

    ********************** FSS Log ********************

    Farbar Service Scanner Version: 14-02-2012
    Ran by Amar Khan (administrator) on 16-02-2012 at 14:10:17
    Running from "C:\Documents and Settings\Amar Khan\Desktop\Computer cleanup"
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    Avgfwfd(9) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
    0x0B00000004000000010000000200000003000000050000000600000007000000080000000A0000000B00000009000000
    IpSec Tag value is correct.

    **** End of log ****


    ************************ MBAm log *****************************

    Malwarebytes Anti-Malware (Trial) 1.60.1.1000
    Malwarebytes : Free anti-malware, anti-virus and spyware removal download

    Database version: v2012.02.16.04

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Amar Khan :: KHAN-B6140E7979 [administrator]

    Protection: Disabled

    16/02/2012 2:11:07 PM
    mbam-log-2012-02-16 (14-11-07).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 243908
    Time elapsed: 8 minute(s), 33 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

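    Added example, not part of either post and not code from Farbar Service Scanner: the "File Check" section of the FSS log above hashes each critical system file and compares the result with a known-good value, printing "MD5 is legit" on a match (Sirefef-type infections are known for patching exactly these files). The script below shows the same baseline-and-compare check in Python, using SHA-256 over constructed temporary files; the file names, contents and the "legit"/"MODIFIED"/"MISSING" statuses are illustrative assumptions, not FSS's own output format.

```python
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries do not need to be read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, names, algo="sha256"):
    """Record known-good digests. In practice this comes from vendor-published
    hashes or from a snapshot taken while the machine was known clean."""
    return {n: file_digest(os.path.join(root, n), algo) for n in names}


def check_files(root, baseline, algo="sha256"):
    """Compare each baselined file with its recorded digest.
    Returns {name: status} with status 'legit', 'MODIFIED' or 'MISSING'
    (status names are assumptions for this example)."""
    results = {}
    for name, expected in baseline.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif file_digest(path, algo) == expected:
            results[name] = "legit"
        else:
            results[name] = "MODIFIED"
    return results


def demo():
    """Constructed scenario: baseline two files, then tamper with one of them
    the way a file-patching infection would, and re-check."""
    with tempfile.TemporaryDirectory() as d:
        names = ["services.exe", "svchost.exe"]  # constructed sample files, not real binaries
        for n in names:
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"original contents of " + n.encode())
        baseline = build_baseline(d, names)

        # Simulate a patched service binary by appending bytes to it.
        with open(os.path.join(d, "services.exe"), "ab") as f:
            f.write(b"\x90\x90")

        return check_files(d, baseline)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name} => {status}")
```

    The check only proves a file differs from the baseline, not what changed; a "MODIFIED" result on a system file is a signal to compare against vendor hashes or replace the file from known-good media, which is what the helper's tools do for the files they cover.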
  10. #10
    Member Spyware Fighter
    Join Date
    Jun 2010
    Location
    Bement,Ill USA
    Posts
    1,340
    Points
    146

    Default

    Hello, Arkansas.
    Congratulations! You now appear clean!


    Uninstall Combofix
    • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
      o *If it is not on your Desktop, the below will not work.
    • Click on then Run....
    • Now copy & paste the green bolded text in the run-box and click OK.

      ComboFix /Uninstall



      <Notice the space between the "x" and "/".> <--- It needs to be there
      Windows Vista users: Press the Windows Key + R to bring the Run... Command and then from there you can add in the Combofix /Uninstall

    • Please advise if this step is missed for any reason as it performs some important actions:
      "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
      It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through system restore".


    Are things running okay? Do you have any more questions?

    System Still Slow?
    You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
    If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

    We Need to Clean Up Our Mess
    • Download OTC by OldTimer and save it to your desktop.
    • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
    • Then Click the big button.
    • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
    • Restart your computer when prompted.





    One of the most common questions found when cleaning malware is "how did my machine get infected?"

    There are a variety of reasons, but the most common ones are that you are not practicing Safe Internet, you are not running the proper security software or that your computer's security settings are set too low.

    Below I have outlined a series of categories that outline how you can increase the security of your computer to help reduce the chance of being infected again in the future.

    Do not use P2P programs
    Peer-to-peer or file-sharing programs (such as uTorrent, Limewire and BitTorrent) are probably the primary route of infection nowadays. These programs allow file sharing between users as the name(s) suggest. It is almost impossible to know whether the file you’re downloading through P2P programs is safe.

    It is therefore possible to be infected by downloading infected files via peer-to-peer programs and so I recommend that you do not use these programs. Should you wish to use them, they must be used with extreme care. Some further reading on this subject, along with included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

    In addition, P2P programs facilitate cyber crime and help distribute pirated software, movies and other illegal material.

    Practice Safe Internet
    Another one of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will.

    Below are a list of simple precautions to take to keep your computer clean and running securely:
    1. If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
    2. If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
    3. If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know who is themselves infected with malware which is trying to infect everyone in their address book. A key thing to look out for here is: does the email sound as though it’s from the person you know? Often, the email may simply have a web link or a “Run this file to make your PC run fast” message in it.
    4. If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of pop-ups, or Foistware, you should read this article: Foistware, And how to avoid it.
      There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. Removal instructions for a lot of these "rogues" can be found here.
    5. Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you, or will download a file to your PC without your knowledge. You can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake. DO NOT click on these windows, instead close them by finding the open window on your Taskbar, right click and choose Close.
    6. Do not visit pornographic websites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do, as this can often form part of their funding.
    7. When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link you should message back to the person asking if it is legit.
    8. Stay away from Warez and Crack sites! As with Peer-2-Peer programs, in addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
    9. Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download files from a site, and are not sure if they are legitimate, you can use tools such as BitDefender Traffic Light, Norton Safe Web, or McAfee SiteAdvisor to look up info on the site and stay protected against malicious sites. Please be sure to only choose and install one of those toolbars.
    10. DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
      Sometimes even legitimate programs will try to bundle extra, unwanted, software with the program you want - this is done to raise money for the program. Be sure to untick any boxes which may indicate that other programs will be downloaded.


    Keep Windows up-to-date
    Microsoft continually releases security and stability updates for its supported operating systems and you should always apply these to help keep your PC secure.

    • Windows XP users
      You should visit Windows Update to check for the latest updates to your system. The latest service pack (SP3) can be obtained directly from Microsoft here.
    • Windows Vista users
      You should run the Windows Update program from your start menu to access the latest updates to your operating system (information can be found here). The latest service pack (SP2) can be obtained directly from Microsoft here.
    • Windows 7 users
      You should run the Windows Update program from your start menu to access the latest updates to your operating system (information can be found here). The latest service pack (SP1) can be obtained directly from Microsoft here.



    Keep your browser secure
    Most modern browsers have come on in leaps and bounds with their inbuilt, default security. The best way to keep your browser secure nowadays is simply to keep it up-to-date.

    The latest versions of the three common browsers can be found below:


    Use an AntiVirus Software
    It is very important that your computer has up-to-date anti-virus software on it with a real-time agent running. This alone can save you a lot of trouble with malware in the future.
    See this link for a listing of some online and stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources. A couple of free anti-virus programs you may be interested in are Microsoft Security Essentials and Avast.

    It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.

    Use a Firewall
    I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly.

    All versions of Windows starting from XP have an in-built firewall. With Windows XP this firewall will protect you from incoming traffic (i.e. hackers). Starting with Windows Vista, the firewall was beefed up to also protect you against outgoing traffic (i.e. malicious programs installed on your machine should be blocked from sending data, such as your bank details and passwords, out).

    In addition, if you connect to the internet via a router, this will normally have a firewall in-built.

    Some people will recommend installing a different firewall (instead of Windows' built-in one). This is a personal choice, but the message is to definitely have one! For a tutorial on firewalls and a listing of some available ones see this link: Understanding and Using Firewalls

    Install an Anti-Malware program
    Recommended, and free, Anti-Malware programs are Malwarebytes Anti-Malware and SuperAntiSpyware.

    You should regularly (perhaps once a week) scan your computer with an anti-malware program just as you would with antivirus software.

    Make sure your applications have all of their updates
    It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is very important to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities (such as Adobe Reader and Java). You can check these by visiting Secunia Software Inspector.

    Follow this list and your potential for being infected again will reduce dramatically.
    "Extinguishing Malware from the world"

    The Spyware Help forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.
    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
    Thanks-
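The checklist in the post above (firewall on, Windows Update enabled, antivirus present and current, Java and Adobe Reader at a patched version) can be verified from a script rather than by clicking through each control panel. The following is an added example, not code from the thread or from the helper; it assumes Windows Vista/7 or later with PowerShell 2.0+, since `netsh advfirewall` and the `root\SecurityCenter2` WMI namespace do not exist on the Windows XP machine the thread concerns. The decoding of Security Center's `productState` value is the commonly used one and is an assumption, as Microsoft does not document the field.

```powershell
# Added prevention-checklist audit (example, not from the original thread).
# Assumes Windows Vista/7 or later, PowerShell 2.0+; run from a PowerShell prompt.

function Get-FirewallProfileState {
    # Parses 'netsh advfirewall show allprofiles state' into one object per profile.
    $current = $null
    $result = @()
    foreach ($line in (netsh advfirewall show allprofiles state)) {
        if ($line -match '^(\w+) Profile Settings:') {
            $current = $Matches[1]
        } elseif ($current -and $line -match '^State\s+(\w+)') {
            $result += New-Object PSObject -Property @{ Profile = $current; State = $Matches[1] }
            $current = $null
        }
    }
    $result
}

function Get-WindowsUpdateServiceState {
    # A disabled wuauserv means no updates on any supported version. On Windows 8
    # and later the service is trigger-started, so 'Manual' is normal there and only
    # 'Disabled' is flagged.
    $svc = Get-WmiObject Win32_Service -Filter "Name='wuauserv'"
    New-Object PSObject -Property @{
        State     = $svc.State
        StartMode = $svc.StartMode
        Ok        = ($svc.StartMode -ne 'Disabled')
    }
}

function Get-AntivirusStatus {
    # productState is undocumented; assumption: with the value formatted as six hex
    # digits, digits 3-4 of 10/11 mean real-time protection is on and digits 5-6 of
    # 00 mean definitions are current (10 means out of date).
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct |
        ForEach-Object {
            $hex = '{0:x6}' -f $_.productState
            New-Object PSObject -Property @{
                Name     = $_.displayName
                Enabled  = ($hex.Substring(2, 2) -match '^1')
                UpToDate = ($hex.Substring(4, 2) -eq '00')
            }
        }
}

function Get-PatchSensitiveApps {
    # Installed versions of the applications the post names as frequently exploited,
    # read from the Uninstall registry keys (32- and 64-bit views).
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ChildItem $keys -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.DisplayName -match 'Java|Adobe Reader|Adobe Acrobat|Flash Player' } |
        Select-Object DisplayName, DisplayVersion
}

function Invoke-PreventionAudit {
    $fw = Get-FirewallProfileState
    $fw | Format-Table Profile, State -AutoSize
    $off = @($fw | Where-Object { $_.State -ne 'ON' })
    if ($off.Count -gt 0) {
        $names = ($off | ForEach-Object { $_.Profile }) -join ', '
        Write-Warning "Windows Firewall is OFF for profile(s): $names"
    }

    $wu = Get-WindowsUpdateServiceState
    "Windows Update service: $($wu.State), start mode $($wu.StartMode)"
    if (-not $wu.Ok) { Write-Warning 'Windows Update service is disabled' }

    $av = @(Get-AntivirusStatus)
    if ($av.Count -eq 0) { Write-Warning 'No antivirus product registered with Security Center' }
    foreach ($p in $av) {
        "Antivirus: $($p.Name) enabled=$($p.Enabled) upToDate=$($p.UpToDate)"
        if (-not $p.Enabled)  { Write-Warning "$($p.Name): real-time protection is off" }
        if (-not $p.UpToDate) { Write-Warning "$($p.Name): definitions are out of date" }
    }

    "Patch-sensitive applications installed (compare against the vendor's current release):"
    Get-PatchSensitiveApps | Format-Table -AutoSize
}

Invoke-PreventionAudit
```

The script only reports; it changes no settings. A firewall profile shown as anything other than ON, a disabled Windows Update service, a missing or stale antivirus entry, or a Java/Reader version older than the vendor's current release each corresponds to one item in the list above that still needs attention.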