Virus Help Needed!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Jastone

Thread Starter
Joined
Jul 2, 2005
Messages
102
Hi guys,

My sister`s laptop is loaded with viruses and i`ve been trying to help her remove them. Malbytes antimalware has found around 20-25 viruses, but once they have been removed and laptop rebooted, they come right back.

This issue first arose when she used an external hard drive that had been plugged into this laptop and plugged into a work computer. The work IT guys were alerted to a lot of viruses, including one they said was called facenoob (possibly koobface?).

There doesn`t appear to be a lot of symptoms besides slow processing and a few weird popup messages in jibberish.

Thanks for any help.

Herre are the HiJackThis logs:

!Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:42:14 PM, on 24/12/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\Program Files\Wireless Select Switch\WLSS.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AD-AWA~1\AdAware.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Shelley Cooper\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au&ibd=1090217
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ap.dell.com/content/default.aspx?c=au&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/default.aspx?c=au&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au&ibd=1090217
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe
O4 - HKLM\..\Run: [WLSS] C:\Program Files\Wireless Select Switch\WLSS.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe"
O4 - HKLM\..\Run: [Ad-Aware Antivirus] "C:\Program Files\Ad-Aware Antivirus\AdAwareLauncher" --windows-run
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: WDDMStatus.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
O4 - Global Startup: WDSmartWare.lnk = C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware Service - Lavasoft Limited - C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ad-Aware (SBAMSvc) - GFI Software - C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WD SmartWare Drive Manager (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
O23 - Service: WD SmartWare Background Service (WDSmartWareBackgroundService) - Memeo - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

--
End of file - 7439 bytes


DDS file

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 6.0.2900.5512
Run by Shelley Cooper at 20:49:07 on 2012-12-24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1014.339 [GMT 11:00]
.
AV: Lavasoft Ad-Aware *Enabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Lavasoft Ad-Aware *Disabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\Program Files\Wireless Select Switch\WLSS.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AD-AWA~1\AdAware.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Shelley Cooper\My Documents\Downloads\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
uSearch Bar = hxxp://www.google.com.au/hws/sb/dell-row/en/side.html?channel=au
uSearch Page = hxxp://www.google.com.au/hws/sb/dell-row/en/side.html?channel=au
uDefault_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au&ibd=1090217
mStart Page = hxxp://www1.ap.dell.com/content/default.aspx?c=au&l=en&s=gen
mSearch Bar = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www1.ap.dell.com/content/default.aspx?c=au&l=en&s=gen
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au&ibd=1090217
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com.au/hws/sb/dell-row/en/side.html?channel=au
uURLSearchHooks: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - <orphaned>
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\dell\bae\BAE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [BTMeter] c:\program files\battery meter\BTMeter.exe
mRun: [WLSS] c:\program files\wireless select switch\WLSS.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell.exe" /mode2
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Ad-Aware Browsing Protection] "c:\documents and settings\all users\application data\ad-aware browsing protection\adawarebp.exe"
mRun: [Ad-Aware Antivirus] "c:\program files\ad-aware antivirus\AdAwareLauncher" --windows-run
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 61.9.134.49 61.9.133.193
TCP: Interfaces\{2812BAC5-3700-4658-B56B-73CB2B7CB542} : DHCPNameServer = 61.9.134.49 61.9.133.193
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-2-17 14248]
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2012-12-24 13560]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2012-12-24 22064]
R2 Ad-Aware Service;Ad-Aware Service;c:\program files\ad-aware antivirus\AdAwareService.exe [2012-12-14 1236968]
R2 SBAMSvc;Ad-Aware;c:\program files\ad-aware antivirus\SBAMSvc.exe [2012-9-20 3677000]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2012-12-24 66344]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-10-14 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-2-17 93968]
R3 OA004Afx;Provides a software interface to control audio effects of OA004 camera.;c:\windows\system32\drivers\OA004Afx.sys [2009-2-17 148056]
R3 OA004Ufd;Creative Camera OA004 Upper Filter Driver;c:\windows\system32\drivers\OA004Ufd.sys [2009-2-17 144672]
R3 OA004Vid;Creative Camera OA004 Function Driver;c:\windows\system32\drivers\OA004Vid.sys [2009-2-17 269760]
S0 nnrvxfmw;nnrvxfmw;c:\windows\system32\drivers\iecevuci.sys --> c:\windows\system32\drivers\iecevuci.sys [?]
S1 SBRE;SBRE;c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2012-12-24 33616]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-1-8 11520]
.
=============== Created Last 30 ================
.
2012-12-24 09:01:27 33616 ----a-w- c:\windows\system32\drivers\gfiark.sys
2012-12-24 05:19:23 -------- d-----w- c:\documents and settings\all users\application data\Ad-Aware Antivirus
2012-12-24 05:17:35 -------- d-----w- c:\documents and settings\shelley cooper\application data\LavasoftStatistics
2012-12-24 05:16:56 66344 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2012-12-24 05:16:55 22064 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2012-12-24 05:16:14 -------- d-----w- c:\windows\system32\drivers\VDD
2012-12-24 05:16:14 -------- d-----w- c:\program files\Ad-Aware Antivirus
2012-12-24 05:15:06 -------- d-----w- c:\documents and settings\shelley cooper\local settings\application data\Downloaded Installations
2012-12-24 05:14:41 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys
2012-12-24 05:14:08 -------- d-----w- c:\documents and settings\shelley cooper\local settings\application data\adawarebp
2012-12-24 05:14:07 -------- d-----w- c:\documents and settings\all users\application data\blekko toolbars
2012-12-24 05:14:04 -------- d-----w- c:\documents and settings\all users\application data\Ad-Aware Browsing Protection
2012-12-24 05:13:56 -------- d-----w- c:\program files\adawaretb
2012-12-24 05:13:56 -------- d-----w- c:\documents and settings\shelley cooper\application data\adawaretb
2012-12-24 05:13:53 -------- d-----w- c:\program files\Toolbar Cleaner
2012-12-24 05:12:26 -------- d-----w- c:\documents and settings\shelley cooper\application data\Ad-Aware Antivirus
2012-12-24 05:04:57 -------- d-----w- c:\program files\CCleaner
2012-12-24 04:57:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-12-24 04:57:50 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-12-24 04:26:42 -------- d-----w- c:\documents and settings\shelley cooper\local settings\application data\Deployment
2012-12-24 04:20:30 -------- d-----w- c:\documents and settings\shelley cooper\application data\Malwarebytes
2012-12-24 04:19:10 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-12-24 04:19:08 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-24 04:19:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
.
============= FINISH: 20:49:40.50 ===============
-

Attach file

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 25/02/2009 8:52:38 PM
System Uptime: 24/12/2012 8:36:39 PM (0 hours ago)
.
Motherboard: Dell Inc. | | CN0J14
Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | U1 | 1596/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 14 GiB total, 0.576 GiB free.
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
AAC Decoder
Ad-Aware Antivirus
Ad-Aware Browsing Protection
Adobe Flash Player 10 ActiveX
Adobe Reader 9.4.1
Advanced Audio FX Engine
Apple Mobile Device Support
Apple Software Update
AutoUpdate
Battery Meter
Bonjour
Browser Address Error Redirector
CCleaner
Dell Box.net Launcher
Dell Support Center (Support Software)
Dell Webcam Central
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Plus Web Player
DivX Version Checker
EMSC
Google Chrome
Google Update Helper
H.264 Decoder
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB959252)
Hotfix for Windows XP (KB961118)
Integrated Webcam Driver (1.00.03.0720)
Intel(R) Graphics Media Accelerator Driver
iTunes
Malwarebytes Anti-Malware version 1.65.1.1000
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MKV Splitter
QuickTime
Realtek High Definition Audio Driver
SearchAssist
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2416400)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2544521)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Spybot - Search & Destroy
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
VLC media player 1.0.3
WD SmartWare
WebFldrs XP
Windows Media Format Runtime
Windows Presentation Foundation
Wireless Select Switch
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
24/12/2012 4:20:31 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
24/12/2012 4:20:31 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
24/12/2012 4:20:31 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
24/12/2012 4:20:31 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
24/12/2012 4:20:31 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
24/12/2012 4:20:31 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
24/12/2012 4:20:31 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
24/12/2012 4:20:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
24/12/2012 4:20:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
.
==== End Of File ===========================

GMER file

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-12-24 21:30:19
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 STEC_PATA_16GB rev.D5221-10
Running: elsegfzg.exe; Driver: C:\DOCUME~1\SHELLE~1\LOCALS~1\Temp\kwlyrfod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\sbaphd.sys (GFI ActiveProtection hook driver/GFI Software) ZwCreateKey [0xF6AF54D0]
SSDT \SystemRoot\system32\drivers\sbaphd.sys (GFI ActiveProtection hook driver/GFI Software) ZwSetValueKey [0xF6AF5520]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\Drivers\OA004Afx.sys entry point in "init" section [0xAA2E6310]
? C:\DOCUME~1\SHELLE~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, A0, 75, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, A3, 75, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, A0, 75, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, A1, 75, 00] {TEST AL, 0xa1; JNZ 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B914BBA
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, A2, 75, 00] {TEST AL, 0xa2; JNZ 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, A1, 75, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, A2, 75, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B914C2B
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, A0, 75, 00] {TEST AL, 0xa0; JNZ 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B914D59
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, A1, 75, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, A2, 75, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, A3, 75, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 94, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 97, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 94, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 95, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B910DAE
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 96, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 95, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 96, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B910E1F
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 94, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B910F4D
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 95, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 96, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 97, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3144] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01A50001
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3144] WS2_32.dll!WSALookupServiceNextW 71AB3181 6 Bytes JMP 71A60F5A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3144] WS2_32.dll!WSALookupServiceEnd 71AB350E 6 Bytes JMP 71A30F5A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3144] WS2_32.dll!WSALookupServiceBeginW 71AB35EF 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3144] WS2_32.dll!send 71AB4C27 6 Bytes JMP 71A00F5A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3144] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 71970F5A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3144] WS2_32.dll!recv 71AB676F 6 Bytes JMP 719D0F5A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3144] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 719A0F5A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3144] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 6 Bytes JMP 71940F5A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 84, A8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 87, A8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 84, A8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 85, A8, 00] {TEST AL, 0x85; TEST AL, 0x0}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B917E9E
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 86, A8, 00] {TEST AL, 0x86; TEST AL, 0x0}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 85, A8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 86, A8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B917F0F
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 84, A8, 00] {TEST AL, 0x84; TEST AL, 0x0}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B91803D
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 85, A8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 86, A8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 87, A8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 04CC0001
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] WS2_32.dll!WSALookupServiceNextW 71AB3181 6 Bytes JMP 71A60F5A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] WS2_32.dll!WSALookupServiceEnd 71AB350E 6 Bytes JMP 71A30F5A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] WS2_32.dll!WSALookupServiceBeginW 71AB35EF 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] WS2_32.dll!send 71AB4C27 6 Bytes JMP 71A00F5A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 71970F5A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] WS2_32.dll!recv 71AB676F 6 Bytes JMP 719D0F5A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 719A0F5A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 6 Bytes JMP 71940F5A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, D3, 00] {SUB [EAX], AL; ROL DWORD [EAX], CL}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, D3, 00] {SUB [EBX], AL; ROL DWORD [EAX], CL}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, D3, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, D3, 00] {TEST AL, 0x1; ROL DWORD [EAX], CL}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91A91A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, D3, 00] {TEST AL, 0x2; ROL DWORD [EAX], CL}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, D3, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, D3, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91A98B
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, D3, 00] {TEST AL, 0x0; ROL DWORD [EAX], CL}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B91AAB9
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, D3, 00] {SUB [ECX], AL; ROL DWORD [EAX], CL}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, D3, 00] {SUB [EDX], AL; ROL DWORD [EAX], CL}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, D3, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, D4, 66, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, D7, 66, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, D4, 66, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, D5, 66, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B913CEE
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, D6, 66, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, D5, 66, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, D6, 66, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B913D5F
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, D4, 66, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B913E8D
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, D5, 66, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, D6, 66, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, D7, 66, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 08, AC, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 0B, AC, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 08, AC, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 09, AC, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B918222
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 0A, AC, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 09, AC, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 0A, AC, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B918293
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 08, AC, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B9183C1
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 09, AC, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 0A, AC, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 0B, AC, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Google\Chrome\Application\chrome.exe[2924] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 008C0010
IAT C:\Program Files\Google\Chrome\Application\chrome.exe[2980] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 003E0010
IAT C:\Program Files\Google\Chrome\Application\chrome.exe[3420] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00BE0010
IAT C:\Program Files\Google\Chrome\Application\chrome.exe[3716] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00EA0010
IAT C:\Program Files\Google\Chrome\Application\chrome.exe[3776] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 007D0010
IAT C:\Program Files\Google\Chrome\Application\chrome.exe[4004] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00C20010

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Thanks
 
Joined
May 7, 2011
Messages
14,142
Hi, my name is Mark and I will be helping you.

IMPORTANT: Please take the time to read this first.
For the benefit of others that are waiting for help please try to respond as fast as you can and make sure you read all of the instructions I will be giving you to follow. Time spent waiting for replies or having to repeat questions keeps other people waiting in the queue for help.

I am in Spain at GMT+1 hour, I check my emails several times a day so will usually reply to your responses within a few hours or less unless it is night time here. During the evening here I will usually reply within minutes. Please try to do the same for a swift clean up. Some Malware needs to be dealt with quickly or it will multiply and become deeply embedded in your system and more difficult to find and remove, so quick replies will have more than one benefit.

Keep in mind that I cannot see your PC, so please give as much detail as possible if something goes wrong or you receive any error messages.

Malware can be unpredictable and often time consuming to remove, on rare occasions something can go awry and your system may need to have Windows re-installed. Please make sure before we start that you have copies of all your important data saved to an external hard drive or CD/DVD's. Please make sure you disconnect any external hard drives and/or Flash drives during the clean up.

If you have run any scans that found an infection please let me know.

DO NOT run any scans or make any changes that I have not asked you to do as this can cause misleading results and make my job much harder in trying to help you. Please also uninstall any file sharing software i.e. uTorrent, BitTorrent, etc, if you insist on keeping it do not use it until we are finished. Use of file sharing software is one of the easiest ways to get your PC infected.

If I get no reply from you for two days I will mark the thread as Solved and move on to helping someone else. If you know you will be unable to reply for any length of time please let me know in advance.

Please don't abandon the thread as soon as your PC starts to work normally again as there will be other important checks to make to help protect your system from re-infection. It is also important to follow the correct procedure when removing the tools used to ensure all quarantined infections are completely removed and infected Restore Points are safely deleted.

Stick with me and we can quickly clean up your PC, if you cannot dedicate the time then a Reformat and Re-install will be your quickest option.

_____________________________________________________________________________________

Please run these two scans and post the logs:

SCAN 1
Click on this link to download : ADWCleaner and save it to your desktop.

NOTE: If using Internet Explorer and you get an alert that stops the program downloading click on Tools > Smartscreen Filter > Turn off Smartscreen Filter then click on OK in the box that opens. Then click on the link again.

Close your browser and click on this icon on your desktop:


You will then see the screen below, click on the Delete button (as indicated), accept any prompts that appear and allow it to reboot the PC. When the PC has rebooted you will be presented with the report, copy & paste it into your next post.





SCAN 2
Download RogueKiller (by tigzy) and save direct to your Desktop.
On the web page click on this:


  • Quit all running programs
  • Start RogueKiller.exe
  • Wait until Prescan has finished.
  • Ensure all boxes are ticked under "Report" tab.
  • Click on Scan.
  • Click on Report when complete. Copy/paste the contents of the report and paste into your next reply.
  • NOTE: DO NOT attempt to remove anything that the scan detects.

 

Jastone

Thread Starter
Joined
Jul 2, 2005
Messages
102
# AdwCleaner v2.102 - Logfile created 12/25/2012 at 18:57:34
# Updated 23/12/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Shelley Cooper - SHELLEYSPC
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Shelley Cooper\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\blekko toolbars

***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v6.0.2900.5512

[OK] Registry is clean.

-\\ Google Chrome v23.0.1271.97

File : C:\Documents and Settings\Shelley Cooper\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [821 octets] - [25/12/2012 18:57:34]

########## EOF - C:\AdwCleaner[S1].txt - [880 octets] ##########


RogueKiller V8.4.1 [Dec 24 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Shelley Cooper [Admin rights]
Mode : Scan -- Date : 12/25/2012 19:14:22

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: STEC PATA 16GB +++++
--- User ---
[MBR] 30692dff02c38512a66f2b3460767177
[BSP] 57ebeff2313f991a6fe753b171cc7198 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 47 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 98304 | Size: 14645 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: JMCR SD/MMC SCSI Disk Device +++++
--- User ---
[MBR] a7f9a7919371b4ba7c603ce704b7be29
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 8192 | Size: 7642 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_12252012_02d1914.txt >>
RKreport[1]_S_12252012_02d1914.txt
 
Joined
May 7, 2011
Messages
14,142
No infections found by those two scans only problem showing is that System Restore has been disabled.

Please run this scan:

1. Download Malwarebytes Anti-Rootkit from this link mbar
2. Unzip the File to a convenient location. (Recommend the Desktop)
3. Open the folder where the contents were unzipped to run mbar.exe



4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:



5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

6. The following image opens, select Next.



7. The following image opens, select Update



8. When the Update completes, select Next



9. In the following window ensure "Targets" are ticked. Then select "Scan"



10. If an infection/s is found the "Cleanup Button" to remove threats will be available. A list of infected files will be listed like the following example:



11. Do not select the "Clean up Button" select the "Exit" button, there will be a warning as follows:



12. Select "Yes" to close down the program. If NO infections were found you will see the following image:



13. Select "Exit" to close down.
14. Copy and paste the two following logs from the mbar folder:

System - log
Mbar - log Date and time of scan will also be shown

 

Jastone

Thread Starter
Joined
Jul 2, 2005
Messages
102
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 6.0.2900.5512

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.595000 GHz
Memory total: 1063628800, free: 461127680

------------ Kernel report ------------
12/27/2012 18:29:00
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
gfibto.sys
compbatt.sys
\WINDOWS\system32\DRIVERS\BATTC.SYS
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
PartMgr.sys
ACPIEC.sys
\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltMgr.sys
PxHelp20.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\EMSC.SYS
\SystemRoot\system32\DRIVERS\WDFLDR.SYS
\SystemRoot\System32\Drivers\wdf01000.sys
\SystemRoot\system32\DRIVERS\igxpmp32.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\jmcr.sys
\SystemRoot\system32\DRIVERS\SCSIPORT.SYS
\SystemRoot\system32\DRIVERS\bcmwl5.sys
\SystemRoot\system32\DRIVERS\Rtenicxp.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\RtkHDAud.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\??\C:\WINDOWS\system32\Drivers\OA004Afx.sys
\SystemRoot\System32\Drivers\i2omgmt.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\drivers\sbaphd.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\OA004Vid.sys
\SystemRoot\system32\DRIVERS\OA004Ufd.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\igxpgd32.dll
\SystemRoot\System32\igxprd32.dll
\SystemRoot\System32\igxpdv32.DLL
\SystemRoot\System32\igxpdx32.DLL
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\drivers\sbapifs.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR3
Upper Device Object: 0xffffffff86a2b170
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Scsi\JMCR1Port1Path0Target0Lun0\
Lower Device Object: 0xffffffff86835030
Lower Device Driver Name: \Driver\JMCR\
Driver name found: JMCR
DriverEntry returned 0x0
Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff86b64ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
Lower Device Object: 0xffffffff86b88940
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
DriverEntry returned 0x0
Function returned 0x0
Downloaded database version: v2012.12.27.03
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff86b64ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff86b12a78, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff86b64ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff86b652e8, DeviceName: \Device\00000067\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff86b88940, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Upper DeviceData: 0xffffffffe232c198, 0xffffffff86b64ab8, 0xffffffff82430750
Lower DeviceData: 0xffffffffe2fe6d28, 0xffffffff86b88940, 0xffffffff822af568
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\WINDOWS\system32\drivers...
Read File: File "C:\WINDOWS\system32\drivers\1028_Dell_INS_910.mrk" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ABP480N5.SYS" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\acpi.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\acpiec.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\adpu160m.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\AGP440.SYS" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\AGPCPQ.SYS" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\aha154x.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\aic78u2.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\aic78xx.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\aliide.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ALIM1541.SYS" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\AMDAGP.SYS" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\amdk6.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\amdk7.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\amsint.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\arp1394.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\asc.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\asc3350p.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\GEARAspiWDM.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\gm.dls" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\gmreadme.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\hidclass.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\hidusb.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\hpn.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\i2omp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ini910u.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\intelide.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ip6fw.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\asyncmac.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\atmarpc.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\atmepvc.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\atmlane.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\atmuni.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\battc.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\bridge.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\bthport.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\btwsecfl.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\cbidf2k.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\CCDECODE.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\cd20xrnt.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\cdfs.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\cdr4_xp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\cdralw2k.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\cinemst2.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\classpnp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\cmdide.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\compbatt.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\cpqarray.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\crusoe.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\dac2w2k.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\dac960nt.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\diskdump.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\dmboot.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\dmio.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\dmload.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\dpti2o.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\FilterPC.bmp" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\FilterPC.jpg" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\fltMgr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\fsvga.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\mouhid.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\mountmgr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\mraid35x.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\MSKSSRV.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\MSPCLOCK.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\MSPQM.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\MSTEE.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\NABTSFEC.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ndis.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\NdisIP.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nic1394.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nikedrv.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ntfs.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nwlnkflt.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nwlnkfwd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nwlnkipx.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nwlnknb.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nwlnkspx.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\OA004PC.bmp" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\OA004PC.jpg" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\oprghdlr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\p3.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\parport.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\partmgr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\parvdm.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\pci.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\pciide.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\pciidex.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\pcmcia.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\perc2.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\asc3550.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\cpqdap01.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ftdisk.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\modem.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\nmnt.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\perc2hib.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\rio8drv.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\sr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\usb8023.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\processr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\PxHelp20.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ql1080.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ql10wnt.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ql12160.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ql1240.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ql1280.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\rawwan.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\rdpdr.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\riodrv.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\rmcast.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\rndismp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\rootmdm.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\sdbus.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\secdrv.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\serenum.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\sffdisk.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\sffp_mmc.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\sffp_sd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\SISAGP.SYS" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\SLIP.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\smclib.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\sonydcam.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\sparrow.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\stream.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\StreamIP.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\symc810.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\symc8xx.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\sym_hi.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\sym_u3.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\tape.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\tdpipe.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\tdtcp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\tosdvd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\toside.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\tsbvcap.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\tunmp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\udfs.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ultra.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\usbaapl.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\usbcamd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\usbcamd2.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\usbintel.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\usbvideo.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\vdmindvd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\VIAAGP.SYS" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\viaide.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\volsnap.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\wdcsam.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\wpdusb.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ws2ifsl.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\WSTCODEC.SYS" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\ipinip.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\irenum.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\isapnp.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\mcd.sys" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\mf.sys" is compressed (flags = 1)
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: A42D04A3

Partition information:

Partition 0 type is Other (0xde)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 96327

Partition 1 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 98304 Numsec = 29993488
Partition file system is NTFS
Partition is bootable

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 15408046080 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-30073840-30093840)...
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff86a2b170, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff86a02648, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff86a2b170, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff86835030, DeviceName: \Device\Scsi\JMCR1Port1Path0Target0Lun0\, DriverName: \Driver\JMCR\
------------ End ----------
Upper DeviceData: 0xffffffffe108cd30, 0xffffffff86a2b170, 0xffffffff82334ab8
Lower DeviceData: 0xffffffffe18a57a0, 0xffffffff86835030, 0xffffffff821dd040
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 0

Partition information:

Partition 0 type is Other (0x6)
Partition is NOT ACTIVE.
Partition starts at LBA: 8192 Numsec = 15651840

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 8017936384 bytes
Sector size: 512 bytes

Done!
Performing system, memory and registry scan...
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.MSACCESS.DEV.12.1033.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\Hx.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\Hx_3081_MValidator.Lck" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.EXCEL.12.1033.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.EXCEL.DEV.12.1033.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.GRAPH.12.1033.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.GROOVE.12.1033.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.INFOPATH.12.1033.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.INFOPATHEDITOR.12.1033.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.MSACCESS.12.1033.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.MSE.12.1033.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.MSPUB.12.1033.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.MSPUB.DEV.12.1033.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.MSTORE.12.1033.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.OIS.12.1033.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.ONENOTE.12.1033.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.OUTLOOK.12.1033.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.OUTLOOK.DEV.12.1033.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.POWERPNT.12.1033.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.POWERPNT.DEV.12.1033.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.RIBBON.12.1033.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.SETLANG.12.1033.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.WINWORD.12.1033.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.WINWORD.DEV.12.1033.hxn" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Default User\Application Data\desktop.ini" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\brndlog.bak" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Shelley Cooper\Application Data\dvdcss\CACHEDIR.TAG" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Shelley Cooper\Application Data\Microsoft\Office\MSO2057.acl" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Shelley Cooper\Application Data\Microsoft\Office\MSO3081.acl" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Shelley Cooper\Application Data\Microsoft\Protect\CREDHIST" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Shelley Cooper\Application Data\Microsoft\UProof\ExcludeDictionaryEN0409.lex" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Shelley Cooper\Application Data\Microsoft\UProof\ExcludeDictionaryEN0809.lex" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\brndlog.bak" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Protect\CREDHIST" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Shelley Cooper\Desktop\~$kora Wiki 8.docx" is compressed (flags = 1)
Read File: File "C:\Program Files\Outlook Express\msoe.txt" is compressed (flags = 1)
Read File: File "C:\Program Files\Windows Media Player\npdrmv2.zip" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\drivers\etc\networks" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\oobe\migip.dun" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\oobe\migrate.isp" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\oobe\msobe.isp" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\oobe\obeip.dun" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\oobe\OOBEINFO.INI" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\oobe\reg.isp" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Temp\History\History.IE5\desktop.ini" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Default User\ntuser.ini" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\LocalService\ntuser.ini" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\NetworkService\ntuser.ini" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Default User\Local Settings\desktop.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\explorer.scf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\setuperr.del" is compressed (flags = 1)
Read File: File "C:\WINDOWS\smscfg.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\vb.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\vbaddin.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\desktop.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Excel\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\Policy.11.0.Microsoft.Vbe.Interop\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\Policy.11.0.office\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Access.Dao\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Excel\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\office\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Downloaded Program Files\desktop.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Downloaded Program Files\swflash.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Help\ciadmin.htm" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Help\conf.cnt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Help\connect.cnt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Help\mshearts.cnt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Help\msnauth.cnt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Help\nocontnt.cnt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Help\ratings.cnt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Help\update.cnt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Help\windows.cnt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Help\winhlp32.cnt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\installutil.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\regsvcs.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\gacutil.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\regsvcs.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Aspnet.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regasm.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ilasm.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet.mof.uninstall" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Aspnet_regsql.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\caspol.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ieexec.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\jsc.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\XPThemes.manifest" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\_DataOracleClientPerfCounters_shared12_neutral.h" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\_dataperfcounters_shared12_neutral.h" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\webAdminNoNavBar.master" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Tasks\desktop.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Tasks\SA.DAT" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Web\bullet.gif" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Default User\Local Settings\desktop.ini" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\LocalService\Local Settings\History\desktop.ini" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\NetworkService\Local Settings\History\desktop.ini" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Shelley Cooper\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Shelley Cooper\Local Settings\History\History.IE5\index.dat" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Shelley Cooper\Desktop\~$kora Wiki 8.docx" is compressed (flags = 1)
Done!
Scan finished
=======================================

Malwarebytes Anti-Rootkit 1.01.0.1011
www.malwarebytes.org

Database version: v2012.12.27.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Shelley Cooper :: SHELLEYSPC [administrator]

27/12/2012 6:38:26 PM
mbar-log-2012-12-27 (18-38-26).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 25140
Time elapsed: 8 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
Joined
May 7, 2011
Messages
14,142
There is no sign of any bad infections on the system so I would suspect previous runs with Malwarebytes have cured any infections you had and they are no longer returning.

One thing I would highly recommend is a larger hard drive. You only have an 18GB hard drive which I suspect is many years old, with limited space on the drive this can slow system performance and doesn't leave much space for using System Restore which I assume was turned off intentionally. I can also see the drives contents has been compressed to save space which can also slow things down a bit.

I would also recommend replacing Spybot S&D and Ad-aware Anti Virus as they are not recommended programs. You can replace them with Microsoft Security Essentials and SuperAntiSpyware Free version

We just have one more scan to do to check for any infections, this may take several hours to complete. Please also run Security Check to see if anything important needs updating.



Eset online scan instructions.
IMPORTANT ---> Please make sure you follow the instruction to uncheck the box next to Remove found threats. Eset will detect anything that looks even remotely suspicious, this can include legitimate program files. If you do not uncheck the box, as instructed, Eset will automatically remove all suspect files which could leave some of your software inoperative. If you make a mistake these files can be restored from quarantine, but it would be preferable not to add any extra work to the clean up of your system.

  • Disable your existing Anti Virus following these instructions.
  • Please go here to use the Eset Online Scanner.
  • When the web page opens click on this button
  • If you are not using Internet Explorer you will see a message box open asking you to to download the ESET Smart Installer, click on the link and allow it to download and then run it. Accept the Terms of use and click on Start. The required components will download.
  • If using Internet Explorer the Terms of use box will open immediately, accept it and click on Start.
  • After the download is complete the Computer scan settings window will open, IMPORTANT ----> uncheck the box next to Remove found threats and click on Start. The virus signature database will then download which may take some time depending on the speed of your internet connection. The scan will automatically start when the download is complete.
  • This is a very thorough scan and may take several hours to complete depending on how much data you have on your hard drive. Do not interrupt it, be patient and let it finish.
  • A Scan Results window will appear at the end of the scan. If it lists any number of Infected Files click on List of found threats. Click on Copy to clipboard, come back to this thread and right click on the message box. Select Paste and the report will appear, add any comments you have and post the reply.
  • Back on the Eset window, click the Back button and then click on Finish.



Download Security Check by screen317 from Here or Here.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please Copy & Paste the contents of that document into your next reply.
 

Jastone

Thread Starter
Joined
Jul 2, 2005
Messages
102
C:\WINDOWS\system32\9821C4\shell.fne probably a variant of Win32/Agent.IMRSJKB trojan

Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 6 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
ESET Online Scanner v3
Ad-Aware Antivirus
`````````Anti-malware/Other Utilities Check:`````````
Ad-Aware
MVPS Hosts File
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.65.1.1000
CCleaner
Adobe Flash Player 10 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Google Chrome 23.0.1271.97
````````Process Check: objlist.exe by Laurent````````
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Ad-Aware Antivirus AdAwareService.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 44% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

Also, before we finish I would like to run the malwarebytes antimalware program, as that is the one that found up to 20 problems initially. Let me know when I can run that program, just for peace of mind.
 
Joined
May 7, 2011
Messages
14,142
The Mbar scan does the same job as Malwarebytes (made by the same company) but with deeper scanning so it is very unlikely that Malwarebytes will come up with anything. Eset has found one infection, but please do run Mbam again and post the log.

The system requires quite a few updates and the hard drive is badly in need of a defrag. You don't appear to have replaced Ad-aware or Spybot S&D.

=====================================================================
We need to check the file found by Eset.

Go to one of the following online services that analyzes suspicious files:

In the "File to Scan" (Upload or Submit) box, click the "browse" button and locate the following file:

C:\WINDOWS\system32\9821C4\shell.fne <- this file

Click "Open", then click the "Submit" button. If you get a message saying "File has already been analyzed", click Reanalyze or Scan again.
-- Post back with the results of the file analysis in your next reply.
 

Jastone

Thread Starter
Joined
Jul 2, 2005
Messages
102
Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.24.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Shelley Cooper :: SHELLEYSPC [administrator]

29/12/2012 10:35:01 AM
mbam-log-2012-12-29 (10-35-01).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 225595
Time elapsed: 52 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

I wasn't able to locate the shell.fne file to inspect, it appears to have disappeared. :confused:

I also installed those two programs to replace the old ones. I ran a defrag last night, but due to such limited free space, it did not perform very well.
 
Joined
May 7, 2011
Messages
14,142
I doubt you will get this PC to run very well unless you can free up some more space on the hard drive, get a larger hard drive to replace it or get an external hard drive to keep all your data on.

What happened with the defrag, did it complete or was there an error.

We need to see if that suspicious file is still on the system and I would suggest running a disc check, and cleaning out all the temporary files.



Please download SystemLook from one of the links below and save it to your Desktop.



  • Double-click SystemLook.exe to run it.
  • Vista/Windows 7 users right-click and select Run As Administrator.
  • Copy and paste everything in the codebox below into the main textfield:
    Code:
    :filefind
    [B]shell.fne[/B]
  • Click the Look button to start the scan.
  • When finished, a Notepad window will open SystemLook.txt with the results of the search and save a copy on your Desktop.
  • Please copy and paste the contents of that log in your next reply.


==============================================================

Disc Check

  • Click on Start then Run and type cmd in the search box and hit Enter. At the C: prompt, type chkdsk /r exactly as written here with the gap before the slash, then hit Enter.
  • You will then see a message "Would you like to schedule this volume to be checked the next time the system restarts? (Y/N)"
  • Type Y for yes, and hit Enter. Then reboot the computer. The disc check will start when Windows begins loading again. Let all 5 phases run and don't use or turn off the computer. (The disc check process may take an hour or more to finish and may appear to freeze which is normal.)
  • When the disc check is done, it will finish loading Windows.
  • When finished click on Start then Run and type: eventvwr.msc and hit Enter.
  • When Event Viewer opens, click on Application in the left pane. In the main pane scroll down until you find Winlogon under the Source column and double-click on it.
  • This is the log created after running the disc check. Click once on the Copy button
  • Come back here and right click on the message box, select Paste from the pop up menu and the log will appear. Then submit the post.


==========================================================

Download Temporary file cleaner and save it to the desktop.
Double click on the icon to run it (it appears as a dark grey dustbin). For Windows 7 and Vista right click the icon and select Run as Administrator.
When the window opens click on Start. It will close all running programs and clear the desktop icons.
When complete you may be asked to reboot, if so accept the request and your PC will reboot automatically.
 

Jastone

Thread Starter
Joined
Jul 2, 2005
Messages
102
The defrag ran fine, but gave a warning before running that it wouldnt run very well due to very limited free space.

SystemLook 30.07.11 by jpshortstuff
Log created at 14:11 on 31/12/2012 by Shelley Cooper
Administrator - Elevation successful

========== filefind ==========

Searching for "shell.fne"
C:\WINDOWS\system32\9821C4\shell.fne ---hsc- 40960 bytes [00:55 09/09/2009] [00:55 09/09/2009] 5806704A429ED9E86260A4A2E4375028

-= EOF =-

I ran the temporary file cleaner and it removed 178mb of files.

Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1001
Date: 31/12/2012
Time: 4:11:35 PM
User: N/A
Computer: SHELLEYSPC
Description:
Checking file system on C:
The type of the file system is NTFS.
Volume label is OS.

A disk check has been scheduled.
Windows will now check the disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 12 unused index entries from index $SII of file 0x9.
Cleaning up 12 unused index entries from index $SDH of file 0x9.
Cleaning up 12 unused security descriptors.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.

14996743 KB total disk space.
14663896 KB in 38269 files.
15244 KB in 6568 indexes.
0 KB in bad sectors.
125659 KB in use by the system.
65536 KB occupied by the log file.
191944 KB available on disk.

4096 bytes in each allocation unit.
3749185 total allocation units on disk.
47986 allocation units available on disk.

Internal Info:
b0 e6 00 00 30 af 00 00 9a 01 01 00 00 00 00 00 ....0...........
3e 01 00 00 02 00 00 00 ba 01 00 00 00 00 00 00 >...............
cc 58 27 04 00 00 00 00 a4 74 cc 06 00 00 00 00 .X'......t......
9e cf c3 05 00 00 00 00 28 b8 db c0 00 00 00 00 ........(.......
84 8b dc 04 00 00 00 00 9e a0 88 dd 00 00 00 00 ................
99 9e 36 00 00 00 00 00 b0 39 07 00 7d 95 00 00 ..6......9..}...
00 00 00 00 00 60 03 7f 03 00 00 00 a8 19 00 00 .....`..........

Windows has finished checking your disk.
Please wait while your computer restarts.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
Joined
May 7, 2011
Messages
14,142
That all looks good and the disc check log shows you only have just under 200MB of free space which is way too small for optimum performance. This might cause problems with the required updates so you need to free up some space by moving data to an external source, CD/DVD's, Flash Dive or external Hard Drive.

Lets try this to get a copy of the suspicious file onto your desktop so you can get it checked following the instructions in post 8.

Click on Start then Run and type cmd into the box and click OK
Now copy and paste the commands below at the command prompt and hit the Enter key after each one.
It should create a copy of the suspect file on your desktop to have checked at Virus Total or Jotti, etc.

cd C:\WINDOWS\system32\9821C4
copy shell.fne C:\Documents and Settings\Shelley Cooper\desktop
 

Jastone

Thread Starter
Joined
Jul 2, 2005
Messages
102
When I try to perform the second line in the command prompt, it says 'the syntax of the command is incorrect'.
 
Joined
May 7, 2011
Messages
14,142
Not sure why that is wrong. Try this routine to show hidden files and folders and then have another look to see if you can find the file.

To enable the viewing of Hidden files follow these steps:​

  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and shutdown My Computer.
  • Now your computer is configured to show all hidden files.
 

Jastone

Thread Starter
Joined
Jul 2, 2005
Messages
102
Hi Mark,

I am away from the laptop at the moment, but I will try to get my sister to perform the tasks you have asked. Hopefully they are not too difficult for her to perform. It may take a few days to perform.

Sorry for the delay,

Jastone
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Top