  #1 - Member | Join Date: May 2013 | Posts: 15 | Points: 0

    filled with viruses & spyware - browser & boot problems

    THANKS IN ADVANCE!!!!

    Logs below:

    SUPERAntiSpyware Scan Log

    Generated 05/18/2013 at 12:14 PM

    Application Version : 5.6.1020

    Core Rules Database Version : 10419
    Trace Rules Database Version: 8231

    Scan type : Complete Scan
    Total Scan Time : 01:00:03

    Operating System Information
    Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
    Administrator

    Memory items scanned : 483
    Memory threats detected : 0
    Registry items scanned : 35744
    Registry threats detected : 35
    File items scanned : 28071
    File threats detected : 8

    Adware.Tracking Cookie
    C:\Documents and Settings\Administrator\Cookies\KGEU7H1I.txt [ /doubleclick.net ]
    C:\Documents and Settings\Administrator\Cookies\20CDKRE6.txt [ /ad.yieldmanager.com ]

    PUP.Wajam
    HKLM\System\ControlSet001\Services\WAJAMUPDATER
    C:\PROGRAM FILES\WAJAM\UPDATER\WAJAMUPDATER.EXE
    HKLM\System\ControlSet001\Enum\Root\LEGACY_WAJAMUPDATER
    HKLM\System\ControlSet002\Services\WAJAMUPDATER
    HKLM\System\ControlSet002\Enum\Root\LEGACY_WAJAMUPDATER
    HKLM\System\CurrentControlSet\Services\WAJAMUPDATER
    HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WAJAMUPDATER
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
    HKCR\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
    HKCR\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
    HKCR\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32
    HKCR\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32#ThreadingModel
    HKCR\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ProgID
    HKCR\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\Programmable
    HKCR\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\TypeLib
    HKCR\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\VersionIndependentProgID
    HKCR\wajam.WajamBHO.1
    HKCR\wajam.WajamBHO.1\CLSID
    HKCR\wajam.WajamBHO
    HKCR\wajam.WajamBHO\CLSID
    HKCR\wajam.WajamBHO\CurVer
    HKCR\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}
    HKCR\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0
    HKCR\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\0
    HKCR\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\0\win32
    HKCR\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\FLAGS
    HKCR\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\HELPDIR
    C:\PROGRAM FILES\WAJAM\IE\PRIAM_BHO.DLL
    HKU\S-1-5-21-448539723-1035525444-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
    C:\PROGRAM FILES\WAJAM\UNINSTALL.EXE
    C:\RECYCLER\S-1-5-21-448539723-1035525444-1417001333-500\DC4\UNINSTALL.LNK
    HKCR\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
    HKCR\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\NumMethods
    HKCR\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid
    HKCR\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32
    HKCR\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib
    HKCR\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib#Version

    Adware.EpicPlay
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56E4076B-A42B-4745-BA35-34DA8AC4C2F2}
    HKU\S-1-5-21-448539723-1035525444-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{56E4076B-A42B-4745-BA35-34DA8AC4C2F2}

    Adware.Shopper
    C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\NSF3.TMP\HAPPYLYRICS_2204-E2F0CCE3.EXE
    C:\PROGRAM FILES\HAPPYLYRICS\UNINSTALL.EXE


    Malwarebytes Anti-Malware (Trial) 1.75.0.1300

    Database version: v2013.05.18.04

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Administrator :: DEL001 [administrator]

    Protection: Disabled

    5/18/2013 12:25:22 PM
    mbam-log-2013-05-18 (12-25-22).txt

    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 240005
    Time elapsed: 54 minute(s), 1 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 57
    C:\WINDOWS\Temp\DealioToolbar.exe (PUP.Dealio.TB) -> No action taken.
    C:\Documents and Settings\Administrator\6guzv0mwog92g.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\opera.exe (Trojan.Krypt) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\Occonu\axlaycm.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temp\54.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temp\56.exe (Trojan.Delf.ED) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temp\A.tmp (Trojan.Delf.ED) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temp\35.tmp (Trojan.Krypt) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP70\A0030406.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP70\A0030483.exe (Trojan.Delf.ED) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP70\A0030485.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP73\A0031034.data (Trojan.Tracur.DL) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP73\A0031035.data (Rootkit.0Access) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP73\A0031036.data (Trojan.Tracur.DL) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP73\A0031037.data (Rootkit.0Access) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP73\A0031039.data (Trojan.Dropper.ED) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP73\A0031040.data (Rootkit.0Access) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP73\A0031041.data (Rootkit.0Access) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP73\A0031042.data (Trojan.Dropper.ED) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP73\A0031038.data (Adware.Gamevance) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036371.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036373.data (Trojan.Agent.ED) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036375.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036376.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036377.data (Trojan.Agent.ED) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036378.data (Trojan.Fareit.RRE) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036383.data (Spyware.Zbot.ED) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036385.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036386.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036387.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036388.data (Trojan.Agent.ED) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036389.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036390.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036392.data (Trojan.Agent.ED) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036393.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036394.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036395.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036396.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036379.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036409.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036398.data (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036399.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036401.data (Trojan.Krypt) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036402.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036403.data (Trojan.Agent.ED) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036405.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036406.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036407.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036408.data (Trojan.Agent.ED) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036410.data (Trojan.Agent.ED) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036412.data (Trojan.Agent.ED) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036416.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036418.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036421.data (Trojan.Agent.ED) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036424.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036425.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E8F92757-4F9A-47B3-97B4-7A98399BDC03}\RP75\A0036426.data (Trojan.Agent.VOS) -> Quarantined and deleted successfully.

    (end)


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 5:39:34 PM, on 5/18/2013
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10042&barid={97785D38-BB65-11E2-A339-0010C69612B9}
    R3 - URLSearchHook: (no name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: HelloWorldBHO - {1C8501DD-5580-48AB-B25C-6D5DBE835A6A} - C:\Program Files\OApps\SelectionLinks.dll
    O2 - BHO: UnfriendApp - {44ed99e2-16a6-4b89-80d6-5b21cf42e78b} - C:\Program Files\UnfriendApp\IE\common.dll
    O2 - BHO: Happy Lyrics - {59C0C5BD-2579-433A-BBB8-AFFD59642BAF} - C:\Program Files\HappyLyrics\hppylrc.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\18.7.1.3\IPS\IPSBHO.DLL (file missing)
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
    O2 - BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    O2 - BHO: Updater By SweetPacks Helper - {C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD} - C:\Program Files\Updater By SweetPacks\Extension32.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo] rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Application Data\Yahoo\mzokdwhi.dll",ASFGetDataUnitInfo
    O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6E23F769-7F8C-43D8-A2E6-30D2AB33EF53}: NameServer = 8.26.56.26,156.154.70.22
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EBC0F9EA-9A04-408C-B0A3-2DE4E75DA228}: NameServer = 8.26.56.26,156.154.70.22
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
    O23 - Service: Norton AntiVirus (NAV) - Unknown owner - C:\Program Files\Norton AntiVirus\Engine\18.7.1.3\ccSvcHst.exe (file missing)
    O23 - Service: Security Center Server - 1303951853 (SecurityCenterServer1303951853) - Unknown owner - C:\WINDOWS\system32\ifdarasee.exe (file missing)
    O23 - Service: Security Center Server - 2952017705 (SecurityCenterServer2952017705) - Unknown owner - C:\WINDOWS\system32\winsec32.exe (file missing)
    O23 - Service: Security Center Server - 3348744567 (SecurityCenterServer3348744567) - Unknown owner - C:\WINDOWS\system32\oxaham.exe (file missing)
    O23 - Service: Security Center Server - 4079863451 (SecurityCenterServer4079863451) - Unknown owner - C:\WINDOWS\system32\abihfout.exe (file missing)

    --
    End of file - 6415 bytes

  #2 - Member, Spyware Fighter | Join Date: Jun 2010 | Location: Bement, Ill USA | Posts: 1,340 | Points: 146

    Please run the following tools and post their logs.

    1.
    Download AdwCleaner
    • Double click on AdwCleaner.exe to run the tool.
      ***Note: Windows Vista and Windows 7 users:
      Right click on the adwCleaner.exe and select
    • Click the Delete button.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your next reply.
    • Or you can find the logfile at C:\AdwCleaner[R1].txt.


    2.
    • Download RogueKiller on the desktop
    • Close all the running processes
    • Under Vista/Seven, right click -> Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • When prompted, Click Scan
    • A report should open; give its content to your helper. (RKreport can also be found next to the executable.)
    • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.


    Things to include in your next reply:
    AdwCleaner log
    Roguekiller log
    " Extinguishing Malware from the world"

    The Spyware Help forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.
    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
    Thanks-


  #3 - Member | Join Date: May 2013 | Posts: 15 | Points: 0

    Hi,

    Thank you so much. I ran the AdwCleaner program first. Results are below, but first I wanted to give you what happened with Rogue Killer.

    Rogue Killer will start - it runs the prescan & I get:
    Status: Killed[term proc] Type: SVCHOST PID: 3916 Name: svchost.exe Path: C:\windows\system32\svchost.exe

    It prompts me to run the scan & the scan starts with:
    Searching for CLSID...
    And it never progresses past that point in the scan; eventually the machine locks up.
    So I don't have a Rogue Killer log. Sorry, but I ran it 4 times with the same thing happening.

    Here are the two AdwCleaner logs (R-1 & S-1)

    # AdwCleaner v2.301 - Logfile created 05/20/2013 at 19:59:37
    # Updated 16/05/2013 by Xplode
    # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
    # User : Administrator - DEL001
    # Boot Mode : Normal
    # Running from : C:\Documents and Settings\Administrator\Desktop\adwcleaner.exe
    # Option [Search]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Found : C:\END
    Folder Found : C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Iminent
    Folder Found : C:\Documents and Settings\Administrator\Application Data\DefaultTab
    Folder Found : C:\Documents and Settings\Administrator\Local Settings\Application Data\Conduit
    Folder Found : C:\Documents and Settings\Administrator\Local Settings\Application Data\PackageAware
    Folder Found : C:\Program Files\Conduit
    Folder Found : C:\Program Files\HappyLyrics
    Folder Found : C:\Program Files\OApps
    Folder Found : C:\Program Files\SweetIM
    Folder Found : C:\Program Files\Wajam

    ***** [Registry] *****

    Key Found : HKCU\Software\AppDataLow\Software\DynConIE
    Key Found : HKCU\Software\AppDataLow\Software\Search Settings
    Key Found : HKCU\Software\Conduit
    Key Found : HKCU\Software\ConduitSearchScopes
    Key Found : HKCU\Software\DynConIE
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\NetAssistant 3.8.3
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35D-6118-11DC-9C72-001320C79847}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
    Key Found : HKCU\Software\pc optimizer pro
    Key Found : HKCU\Software\SmartBar
    Key Found : HKCU\Software\Wajam
    Key Found : HKLM\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{B302A1BD-0157-49FA-90F1-4E94F22C7B4B}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
    Key Found : HKLM\SOFTWARE\Classes\AppID\Extension.DLL
    Key Found : HKLM\SOFTWARE\Classes\AppID\priam_bho.DLL
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}
    Key Found : HKLM\SOFTWARE\Classes\Extension.ExtensionHelperObject
    Key Found : HKLM\SOFTWARE\Classes\Extension.ExtensionHelperObject.1
    Key Found : HKLM\SOFTWARE\Classes\Interface\{A36867C6-302D-49FC-9D8E-1EB037B5F1AB}
    Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3277370
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{1D5A4199-956E-49BC-B89F-6A35C57C0D13}
    Key Found : HKLM\SOFTWARE\Classes\wajam.WajamDownloader
    Key Found : HKLM\SOFTWARE\Classes\wajam.WajamDownloader.1
    Key Found : HKLM\Software\Conduit
    Key Found : HKLM\Software\Default Tab
    Key Found : HKLM\Software\Freeze.com
    Key Found : HKLM\Software\Iminent
    Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
    Key Found : HKLM\Software\Wajam
    Key Found : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WajamUpdater
    Key Found : HKU\S-1-5-21-448539723-1035525444-1417001333-500\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
    Value Found : HKCU\Software\Mozilla\Firefox\Extensions [happylyrics@hpyproductions.net]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v8.0.6001.18702

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10042&barid={97785D38-BB65-11E2-A339-0010C69612B9}

    *************************

    AdwCleaner[R1].txt - [5831 octets] - [20/05/2013 19:59:37]

    ########## EOF - C:\AdwCleaner[R1].txt - [5891 octets] ##########


    # AdwCleaner v2.301 - Logfile created 05/20/2013 at 20:00:32
    # Updated 16/05/2013 by Xplode
    # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
    # User : Administrator - DEL001
    # Boot Mode : Normal
    # Running from : C:\Documents and Settings\Administrator\Desktop\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Deleted : C:\END
    Folder Deleted : C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Iminent
    Folder Deleted : C:\Documents and Settings\Administrator\Application Data\DefaultTab
    Folder Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\Conduit
    Folder Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\PackageAware
    Folder Deleted : C:\Program Files\Conduit
    Folder Deleted : C:\Program Files\HappyLyrics
    Folder Deleted : C:\Program Files\OApps
    Folder Deleted : C:\Program Files\SweetIM
    Folder Deleted : C:\Program Files\Wajam

    ***** [Registry] *****

    Key Deleted : HKCU\Software\AppDataLow\Software\DynConIE
    Key Deleted : HKCU\Software\AppDataLow\Software\Search Settings
    Key Deleted : HKCU\Software\Conduit
    Key Deleted : HKCU\Software\ConduitSearchScopes
    Key Deleted : HKCU\Software\DynConIE
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\NetAssistant 3.8.3
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35D-6118-11DC-9C72-001320C79847}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
    Key Deleted : HKCU\Software\pc optimizer pro
    Key Deleted : HKCU\Software\SmartBar
    Key Deleted : HKCU\Software\Wajam
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B302A1BD-0157-49FA-90F1-4E94F22C7B4B}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\Extension.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\priam_bho.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}
    Key Deleted : HKLM\SOFTWARE\Classes\Extension.ExtensionHelperObject
    Key Deleted : HKLM\SOFTWARE\Classes\Extension.ExtensionHelperObject.1
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A36867C6-302D-49FC-9D8E-1EB037B5F1AB}
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3277370
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{1D5A4199-956E-49BC-B89F-6A35C57C0D13}
    Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamDownloader
    Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamDownloader.1
    Key Deleted : HKLM\Software\Conduit
    Key Deleted : HKLM\Software\Default Tab
    Key Deleted : HKLM\Software\Freeze.com
    Key Deleted : HKLM\Software\Iminent
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
    Key Deleted : HKLM\Software\Wajam
    Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WajamUpdater
    Value Deleted : HKCU\Software\Mozilla\Firefox\Extensions [happylyrics@hpyproductions.net]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v8.0.6001.18702

    Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10042&barid={97785D38-BB65-11E2-A339-0010C69612B9} --> hxxp://www.google.com

    *************************

    AdwCleaner[R1].txt - [5960 octets] - [20/05/2013 19:59:37]
    AdwCleaner[S1].txt - [5905 octets] - [20/05/2013 20:00:32]

    ########## EOF - C:\AdwCleaner[S1].txt - [5965 octets] ##########

    Thanks for the help!
    Angelo

  4. #4 Member Spyware Fighter (Join Date: Jun 2010; Location: Bement,Ill USA; Posts: 1,340; Points: 146)

    Hello,

    Try running RogueKiller in Safe Mode.

    Now reboot into Safe Mode.
    This can be done by tapping the F8 key as soon as you start your computer.
    You will be brought to a menu where you can choose to boot into Safe Mode.
    Make sure you choose the option without networking support.
    Please see here for additional details.
    "Extinguishing Malware from the world"

    The Spyware Help forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.
    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
    Thanks-




  5. #5 Member (Join Date: May 2013; Posts: 15; Points: 0)

    Hello,

    Tried to run RogueKiller in Safe Mode. Almost the same result:

    RogueKiller will start - it runs the prescan & I get:
    Status: Killed[term proc] Type: SVCHOST PID: 3916 Name: svchost.exe Path: C:\windows\system32\svchost.exe

    It prompts me to run the scan & the scan starts with:
    Searching for CLSID...
    and it never progresses past that point in the scan -- but this time the computer didn't lock up. It just never progresses past the "Searching for CLSID..." message.

    Sorry & thanks,
    Angelo

  6. #6 Member Spyware Fighter (Join Date: Jun 2010; Location: Bement,Ill USA; Posts: 1,340; Points: 146)

    • Download Malwarebytes Anti-Rootkit from HERE
    • Unzip the contents to a folder in a convenient location.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

  7. #7 Member (Join Date: May 2013; Posts: 15; Points: 0)

    Hi,

    Ran Malwarebytes Anti-Rootkit & logs are below, but one thing:

    When the machine boots up into WinXP, it displays the following message, which I have to click on to remove:
    RUNDLL
    Error loading C:\Documents and Settings\Adminstrator\Local Settings\Application Data\Yahoo\mzokdwhi.dll
    The specified file cannot be found

    Logs as requested:

    Malwarebytes Anti-Rootkit BETA 1.05.0.1001
    Malwarebytes : Free anti-malware download

    Database version: v2013.03.22.01

    Windows XP Service Pack 3 x86 NTFS (Safe Mode)
    Internet Explorer 8.0.6001.18702
    Administrator :: DEL001 [administrator]

    5/22/2013 7:42:06 PM
    mbar-log-2013-05-22 (19-42-06).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 24354
    Time elapsed: 48 minute(s), 39 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 4
    C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Bootstrap_0_0_55_infected.mbam (Rootkit.Pihar.c.MBR) -> Delete on reboot.
    C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\MBR_0_infected.mbam (Rootkit.Pihar.c.MBR) -> Delete on reboot.
    c:\WINDOWS\Temp\DealioToolbar.exe (PUP.Dealio.TB) -> Delete on reboot.
    c:\Documents and Settings\Administrator\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.

    (end)


    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.05.0.1001

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    System is currently in a safe mode

    Account is Administrative

    Internet Explorer version: 8.0.6001.18702

    Java version: 1.6.0_45

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED
    CPU speed: 1.861000 GHz
    Memory total: 1601556480, free: 1354465280

    ------------ Kernel report ------------
    05/22/2013 18:52:54
    ------------ Loaded modules -----------
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR2
    Upper Device Object: 0xffffffff895d8030
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\00000098\
    Lower Device Object: 0xffffffff89653d50
    Lower Device Driver Name: \Driver\USBSTOR\
    Driver name found: USBSTOR
    Initialization returned 0x0
    Load Function returned 0x0
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff8983dab8
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: Unknown
    Lower Device Object: 0xffffffff89873940
    Lower Device Driver Name: Unknown
    Driver name found: atapi
    Initialization returned 0x0
    Load Function returned 0x0
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 1
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff8983dab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff898bd9a0, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff8983dab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff89873940, DeviceName: Unknown, DriverName: Unknown
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    Upper DeviceData: 0xffffffffe19c19c0, 0xffffffff8983dab8, 0xffffffff895c9ab8
    Lower DeviceData: 0xffffffffe1d064a0, 0xffffffff89873940, 0xffffffff8959c7b0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\WINDOWS\system32\drivers...
    <<<2>>>
    Device number: 0, partition: 1
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Done!
    Drive 0
    Scanning MBR on drive 0...
    MBR buffers are not equal
    MBR is forged! [177b10df776cbf12774e7e6927767e44]
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: E636E636

    Partition information:

    Partition 0 type is Empty (0x0)
    Partition is ACTIVE.
    Partition starts at LBA: 55 Numsec = 0
    Partition is not bootable
    Infected: VBR on Empty active partition --> [Rootkit.Pihar.c.MBR]
    Changing partition to empty and not active. New active partition is 0 on drive 0 ...

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63 Numsec = 156296322
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    MBR infection found on drive 0
    Disk Size: 80026361856 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-54-156281488-156301488)...
    Physical Sector Size: 512
    Drive: 1, DevicePointer: 0xffffffff895d8030, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff89653348, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff895d8030, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff89653d50, DeviceName: \Device\00000098\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\
    Upper DeviceData: 0xffffffffe1999270, 0xffffffff895d8030, 0xffffffff89588338
    Lower DeviceData: 0xffffffffe1cdd898, 0xffffffff89653d50, 0xffffffff895ca6f0
    Drive 1
    Scanning MBR on drive 1...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 91F72D24

    Partition information:

    Partition 0 type is Other (0x6)
    Partition is ACTIVE.
    Partition starts at LBA: 32 Numsec = 255968
    Partition file system is FAT32
    Partition is not bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 131072000 bytes
    Sector size: 512 bytes

    Done!
    Performing system, memory and registry scan...
    Read File: File "c:\Documents and Settings\All Users\Application Data\{A73A8D1F-7E6C-45C6-90E5-2799C895CB0C}\FFOv2011-8_Setup.dat" is compressed (flags = 1)
    Read File: File "c:\Documents and Settings\All Users\Application Data\{A73A8D1F-7E6C-45C6-90E5-2799C895CB0C}\FFOv2011-8_Setup.lnk" is compressed (flags = 1)
    Read File: File "c:\Documents and Settings\All Users\Application Data\{A73A8D1F-7E6C-45C6-90E5-2799C895CB0C}\instance.dat" is compressed (flags = 1)
    Read File: File "c:\Documents and Settings\All Users\Application Data\{A73A8D1F-7E6C-45C6-90E5-2799C895CB0C}\{27310A4F-6A97-43C0-928C-FE5313B9949B}.native.bitness.log" is compressed (flags = 1)
    Read File: File "c:\Documents and Settings\All Users\Application Data\{A73A8D1F-7E6C-45C6-90E5-2799C895CB0C}\{27310A4F-6A97-43C0-928C-FE5313B9949B}.native.weight.log" is compressed (flags = 1)
    Infected: c:\WINDOWS\Temp\DealioToolbar.exe --> [PUP.Dealio.TB]
    Read File: File "c:\WINDOWS\$NtUninstallKB2820197$\update.ver" is compressed (flags = 1)
    Read File: File "c:\WINDOWS\$NtUninstallKB2820197$\updatebr.inf" is compressed (flags = 1)
    Infected: c:\Documents and Settings\Administrator\Desktop\winlogon.exe --> [Heuristics.Reserved.Word.Exploit]
    Done!
    Scan finished
    Creating System Restore point...
    Could not create restore point...
    Scheduling clean up...
    <<<2>>>
    Device number: 0, partition: 1
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Removal scheduling successful. System shutdown needed.
    System shutdown occurred
    =======================================


    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.05.0.1001

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 8.0.6001.18702

    Java version: 1.6.0_45

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED
    CPU speed: 1.862000 GHz
    Memory total: 1601556480, free: 1149227008

    ------------ Kernel report ------------
    05/22/2013 19:49:05
    ------------ Loaded modules -----------
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR2
    Upper Device Object: 0xffffffff89342030
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\0000009b\
    Lower Device Object: 0xffffffff89846348
    Lower Device Driver Name: \Driver\USBSTOR\
    Driver name found: USBSTOR
    Initialization returned 0x0
    Load Function returned 0x0
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff89a4bab8
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
    Lower Device Object: 0xffffffff89a84d98
    Lower Device Driver Name: \Driver\atapi\
    Driver name found: atapi
    Initialization returned 0x0
    Load Function returned 0x0
    Downloaded database version: v2013.05.22.10
    Downloaded database version: v2013.05.14.03
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 1
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff89a4bab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff89a15900, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff89a4bab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff89a84d98, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    Upper DeviceData: 0xffffffffe318e538, 0xffffffff89a4bab8, 0xffffffff88e0bab8
    Lower DeviceData: 0xffffffffe39ed780, 0xffffffff89a84d98, 0xffffffff88e01728
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\WINDOWS\system32\drivers...
    <<<2>>>
    Device number: 0, partition: 1
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: E636E636

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63 Numsec = 156296322
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 80026361856 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-62-156281488-156301488)...
    Physical Sector Size: 512
    Drive: 1, DevicePointer: 0xffffffff89342030, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff89419020, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff89342030, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff89846348, DeviceName: \Device\0000009b\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\
    Upper DeviceData: 0xffffffffe39cf428, 0xffffffff89342030, 0xffffffff88debab8
    Lower DeviceData: 0xffffffffe1536270, 0xffffffff89846348, 0xffffffff88e46f18
    Drive 1
    Scanning MBR on drive 1...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 91F72D24

    Partition information:

    Partition 0 type is Other (0x6)
    Partition is ACTIVE.
    Partition starts at LBA: 32 Numsec = 255968
    Partition file system is FAT32
    Partition is not bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 131072000 bytes
    Sector size: 512 bytes

    Done!
    Performing system, memory and registry scan...
    Read File: File "c:\Documents and Settings\All Users\Application Data\{A73A8D1F-7E6C-45C6-90E5-2799C895CB0C}\FFOv2011-8_Setup.dat" is compressed (flags = 1)
    Read File: File "c:\Documents and Settings\All Users\Application Data\{A73A8D1F-7E6C-45C6-90E5-2799C895CB0C}\FFOv2011-8_Setup.lnk" is compressed (flags = 1)
    Read File: File "c:\Documents and Settings\All Users\Application Data\{A73A8D1F-7E6C-45C6-90E5-2799C895CB0C}\instance.dat" is compressed (flags = 1)
    Read File: File "c:\Documents and Settings\All Users\Application Data\{A73A8D1F-7E6C-45C6-90E5-2799C895CB0C}\{27310A4F-6A97-43C0-928C-FE5313B9949B}.native.bitness.log" is compressed (flags = 1)
    Read File: File "c:\Documents and Settings\All Users\Application Data\{A73A8D1F-7E6C-45C6-90E5-2799C895CB0C}\{27310A4F-6A97-43C0-928C-FE5313B9949B}.native.weight.log" is compressed (flags = 1)
    Read File: File "c:\WINDOWS\$NtUninstallKB2820197$\update.ver" is compressed (flags = 1)
    Read File: File "c:\WINDOWS\$NtUninstallKB2820197$\updatebr.inf" is compressed (flags = 1)
    Done!
    Scan finished
    =======================================

    Thanks - Angelo
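
As an added example (not code from the thread, from the helper or from Malwarebytes), here is a small Python parser for the classic 512-byte MBR partition table that reproduces the check MBAR's first log reports above: an entry marked ACTIVE whose type byte is Empty (0x0), the condition it labelled "VBR on Empty active partition". The two sample tables are constructed from the values in the posted log (the forged table at LBA 55 with Numsec 0, and the genuine NTFS partition at LBA 63 with Numsec 156296322); MBAR's "MBR buffers are not equal" comparison of two independent reads of the sector is not reproduced here.

```python
"""Parse an MBR partition table and flag the anomaly reported in the MBAR log.

Added example, not code from the thread or from Malwarebytes. The sample
tables below are constructed from values in the posted log.
"""
import struct

MBR_SIZE = 512
TABLE_OFFSET = 0x1BE       # four 16-byte partition entries live here
SIG_OFFSET = 0x1FE         # boot signature 0x55 0xAA in the last two bytes
ENTRY_FMT = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA, sector count
ACTIVE = 0x80
TYPE_NAMES = {0x00: "Empty", 0x07: "Primary"}   # labels as MBAR prints them; anything else is "Other"


def build_mbr(entries, signature=b"\x55\xAA"):
    """Construct a 512-byte MBR from (status, type, lba, numsec) tuples (test data only)."""
    buf = bytearray(MBR_SIZE)
    for i, (status, ptype, lba, numsec) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, buf, TABLE_OFFSET + 16 * i, status, ptype, lba, numsec)
    buf[SIG_OFFSET:SIG_OFFSET + 2] = signature
    return bytes(buf)


def parse_partition_table(mbr):
    """Return (signature_ok, [entry dicts]) for one raw MBR sector."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected one 512-byte sector")
    signature_ok = mbr[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xAA"
    entries = []
    for i in range(4):
        status, ptype, lba, numsec = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        entries.append({
            "index": i,
            "status": status,
            "active": status == ACTIVE,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "Other"),
            "lba": lba,
            "numsec": numsec,
        })
    return signature_ok, entries


def find_anomalies(mbr):
    """List partition-table inconsistencies of the kind a bootkit leaves behind."""
    signature_ok, entries = parse_partition_table(mbr)
    findings = []
    if not signature_ok:
        findings.append("missing 0x55AA boot signature")
    if sum(1 for e in entries if e["active"]) > 1:
        findings.append("more than one partition is marked active")
    for e in entries:
        i = e["index"]
        if e["status"] not in (0x00, ACTIVE):
            findings.append(f"partition {i}: invalid status byte 0x{e['status']:02x}")
        if e["type"] == 0x00 and e["active"]:
            # exactly the condition MBAR labelled "VBR on Empty active partition"
            findings.append(f"partition {i}: Empty (0x0) entry is ACTIVE (LBA {e['lba']}, Numsec {e['numsec']})")
        elif e["type"] == 0x00 and (e["lba"] or e["numsec"]):
            findings.append(f"partition {i}: Empty (0x0) entry has non-zero geometry")
        elif e["type"] != 0x00 and e["numsec"] == 0:
            findings.append(f"partition {i}: {e['type_name']} entry with zero length")
    return findings


# Constructed from the MBAR log: the forged table on drive 0, then the genuine one.
FORGED_TABLE = build_mbr([(ACTIVE, 0x00, 55, 0), (0, 0, 0, 0), (0, 0, 0, 0), (0, 0, 0, 0)])
CLEAN_TABLE = build_mbr([(ACTIVE, 0x07, 63, 156296322), (0, 0, 0, 0), (0, 0, 0, 0), (0, 0, 0, 0)])

if __name__ == "__main__":
    for name, table in (("forged", FORGED_TABLE), ("clean", CLEAN_TABLE)):
        print(name, find_anomalies(table) or ["no anomalies"])
```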

  8. #8 Member Spyware Fighter (Join Date: Jun 2010; Location: Bement,Ill USA; Posts: 1,340; Points: 146)

    See if Roguekiller will run now?

  9. #9 Member (Join Date: May 2013; Posts: 15; Points: 0)

    Sorry, I should have posted that I tried it after Malwarebytes Anti-Rootkit in both full XP & Safe Mode. Same thing. Same message: Searching for CLSID...

    Nothing else happens, except it locks up in full XP & just runs & runs with that message in Safe Mode.

    Thanks - Angelo

  10. #10 Member Spyware Fighter (Join Date: Jun 2010; Location: Bement,Ill USA; Posts: 1,340; Points: 146)

    Install Recovery Console and Run ComboFix

    This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

    Download ComboFix from any of the links below, and save it to your desktop.

    Link 1
    Link 2
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
    • Close any open windows, including this one.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • If you did not have it installed, you will see the prompt below. Choose YES.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
    Leave your computer alone while ComboFix is running.
    ComboFix will restart your computer if malware is found; allow it to do so.


    Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.