
Virus Help Needed!

Discussion in 'Virus & Other Malware Removal' started by Jastone, Dec 24, 2012.

    Jastone (Thread Starter):

    Joined:
    Jul 2, 2005
    Messages:
    102
    Hi guys,

    My sister's laptop is loaded with viruses and I've been trying to help her remove them. Malwarebytes Anti-Malware has found around 20-25 viruses, but once they have been removed and the laptop rebooted, they come right back.

    This issue first arose when she used an external hard drive that had been plugged into this laptop and plugged into a work computer. The work IT guys were alerted to a lot of viruses, including one they said was called facenoob (possibly koobface?).

    There doesn't appear to be a lot of symptoms besides slow processing and a few weird popup messages in gibberish.

    Thanks for any help.

    Here are the HijackThis logs:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:42:14 PM, on 24/12/2012
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Battery Meter\BTMeter.exe
    C:\Program Files\Wireless Select Switch\WLSS.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\AD-AWA~1\AdAware.exe
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Shelley Cooper\My Documents\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au&ibd=1090217
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ap.dell.com/content/default.aspx?c=au&l=en&s=gen
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/default.aspx?c=au&l=en&s=gen
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au&ibd=1090217
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe
    O4 - HKLM\..\Run: [WLSS] C:\Program Files\Wireless Select Switch\WLSS.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
    O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe"
    O4 - HKLM\..\Run: [Ad-Aware Antivirus] "C:\Program Files\Ad-Aware Antivirus\AdAwareLauncher" --windows-run
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: WDDMStatus.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
    O4 - Global Startup: WDSmartWare.lnk = C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ad-Aware Service - Lavasoft Limited - C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Ad-Aware (SBAMSvc) - GFI Software - C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe
    O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: WD SmartWare Drive Manager (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    O23 - Service: WD SmartWare Background Service (WDSmartWareBackgroundService) - Memeo - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

    --
    End of file - 7439 bytes


    DDS file

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 6.0.2900.5512
    Run by Shelley Cooper at 20:49:07 on 2012-12-24
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1014.339 [GMT 11:00]
    .
    AV: Lavasoft Ad-Aware *Enabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
    FW: Lavasoft Ad-Aware *Disabled*
    .
    ============== Running Processes ================
    .
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Battery Meter\BTMeter.exe
    C:\Program Files\Wireless Select Switch\WLSS.exe
    C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\AD-AWA~1\AdAware.exe
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Shelley Cooper\My Documents\Downloads\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com.au/
    uSearch Bar = hxxp://www.google.com.au/hws/sb/dell-row/en/side.html?channel=au
    uSearch Page = hxxp://www.google.com.au/hws/sb/dell-row/en/side.html?channel=au
    uDefault_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au&ibd=1090217
    mStart Page = hxxp://www1.ap.dell.com/content/default.aspx?c=au&l=en&s=gen
    mSearch Bar = hxxp://www.google.com/ie
    mSearch Page = hxxp://www.google.com
    mDefault_Page_URL = hxxp://www1.ap.dell.com/content/default.aspx?c=au&l=en&s=gen
    mDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au&ibd=1090217
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com.au/hws/sb/dell-row/en/side.html?channel=au
    uURLSearchHooks: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - <orphaned>
    BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\dell\bae\BAE.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [BTMeter] c:\program files\battery meter\BTMeter.exe
    mRun: [WLSS] c:\program files\wireless select switch\WLSS.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell.exe" /mode2
    mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Ad-Aware Browsing Protection] "c:\documents and settings\all users\application data\ad-aware browsing protection\adawarebp.exe"
    mRun: [Ad-Aware Antivirus] "c:\program files\ad-aware antivirus\AdAwareLauncher" --windows-run
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: NameServer = 61.9.134.49 61.9.133.193
    TCP: Interfaces\{2812BAC5-3700-4658-B56B-73CB2B7CB542} : DHCPNameServer = 61.9.134.49 61.9.133.193
    Notify: igfxcui - igfxdev.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-2-17 14248]
    R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2012-12-24 13560]
    R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2012-12-24 22064]
    R2 Ad-Aware Service;Ad-Aware Service;c:\program files\ad-aware antivirus\AdAwareService.exe [2012-12-14 1236968]
    R2 SBAMSvc;Ad-Aware;c:\program files\ad-aware antivirus\SBAMSvc.exe [2012-9-20 3677000]
    R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2012-12-24 66344]
    R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-10-14 98304]
    R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
    R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-2-17 93968]
    R3 OA004Afx;Provides a software interface to control audio effects of OA004 camera.;c:\windows\system32\drivers\OA004Afx.sys [2009-2-17 148056]
    R3 OA004Ufd;Creative Camera OA004 Upper Filter Driver;c:\windows\system32\drivers\OA004Ufd.sys [2009-2-17 144672]
    R3 OA004Vid;Creative Camera OA004 Function Driver;c:\windows\system32\drivers\OA004Vid.sys [2009-2-17 269760]
    S0 nnrvxfmw;nnrvxfmw;c:\windows\system32\drivers\iecevuci.sys --> c:\windows\system32\drivers\iecevuci.sys [?]
    S1 SBRE;SBRE;c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
    S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2012-12-24 33616]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-1-8 11520]
    .
    =============== Created Last 30 ================
    .
    2012-12-24 09:01:27 33616 ----a-w- c:\windows\system32\drivers\gfiark.sys
    2012-12-24 05:19:23 -------- d-----w- c:\documents and settings\all users\application data\Ad-Aware Antivirus
    2012-12-24 05:17:35 -------- d-----w- c:\documents and settings\shelley cooper\application data\LavasoftStatistics
    2012-12-24 05:16:56 66344 ----a-w- c:\windows\system32\drivers\sbapifs.sys
    2012-12-24 05:16:55 22064 ----a-w- c:\windows\system32\drivers\sbaphd.sys
    2012-12-24 05:16:14 -------- d-----w- c:\windows\system32\drivers\VDD
    2012-12-24 05:16:14 -------- d-----w- c:\program files\Ad-Aware Antivirus
    2012-12-24 05:15:06 -------- d-----w- c:\documents and settings\shelley cooper\local settings\application data\Downloaded Installations
    2012-12-24 05:14:41 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys
    2012-12-24 05:14:08 -------- d-----w- c:\documents and settings\shelley cooper\local settings\application data\adawarebp
    2012-12-24 05:14:07 -------- d-----w- c:\documents and settings\all users\application data\blekko toolbars
    2012-12-24 05:14:04 -------- d-----w- c:\documents and settings\all users\application data\Ad-Aware Browsing Protection
    2012-12-24 05:13:56 -------- d-----w- c:\program files\adawaretb
    2012-12-24 05:13:56 -------- d-----w- c:\documents and settings\shelley cooper\application data\adawaretb
    2012-12-24 05:13:53 -------- d-----w- c:\program files\Toolbar Cleaner
    2012-12-24 05:12:26 -------- d-----w- c:\documents and settings\shelley cooper\application data\Ad-Aware Antivirus
    2012-12-24 05:04:57 -------- d-----w- c:\program files\CCleaner
    2012-12-24 04:57:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2012-12-24 04:57:50 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
    2012-12-24 04:26:42 -------- d-----w- c:\documents and settings\shelley cooper\local settings\application data\Deployment
    2012-12-24 04:20:30 -------- d-----w- c:\documents and settings\shelley cooper\application data\Malwarebytes
    2012-12-24 04:19:10 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-12-24 04:19:08 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-12-24 04:19:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 20:49:40.50 ===============
    -

    Attach file

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 25/02/2009 8:52:38 PM
    System Uptime: 24/12/2012 8:36:39 PM (0 hours ago)
    .
    Motherboard: Dell Inc. | | CN0J14
    Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | U1 | 1596/533mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 14 GiB total, 0.576 GiB free.
    F: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    AAC Decoder
    Ad-Aware Antivirus
    Ad-Aware Browsing Protection
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.4.1
    Advanced Audio FX Engine
    Apple Mobile Device Support
    Apple Software Update
    AutoUpdate
    Battery Meter
    Bonjour
    Browser Address Error Redirector
    CCleaner
    Dell Box.net Launcher
    Dell Support Center (Support Software)
    Dell Webcam Central
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Plus Web Player
    DivX Version Checker
    EMSC
    Google Chrome
    Google Update Helper
    H.264 Decoder
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB953955)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB959252)
    Hotfix for Windows XP (KB961118)
    Integrated Webcam Driver (1.00.03.0720)
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Malwarebytes Anti-Malware version 1.65.1.1000
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MKV Splitter
    QuickTime
    Realtek High Definition Audio Driver
    SearchAssist
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2416400)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2544521)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Spybot - Search & Destroy
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951618-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC80CRTRedist - 8.0.50727.4053
    VLC media player 1.0.3
    WD SmartWare
    WebFldrs XP
    Windows Media Format Runtime
    Windows Presentation Foundation
    Wireless Select Switch
    XML Paper Specification Shared Components Pack 1.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    24/12/2012 4:20:31 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
    24/12/2012 4:20:31 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    24/12/2012 4:20:31 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    24/12/2012 4:20:31 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    24/12/2012 4:20:31 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    24/12/2012 4:20:31 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    24/12/2012 4:20:31 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    24/12/2012 4:20:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    24/12/2012 4:20:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    .
    ==== End Of File ===========================

    GMER file

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-12-24 21:30:19
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 STEC_PATA_16GB rev.D5221-10
    Running: elsegfzg.exe; Driver: C:\DOCUME~1\SHELLE~1\LOCALS~1\Temp\kwlyrfod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\drivers\sbaphd.sys (GFI ActiveProtection hook driver/GFI Software) ZwCreateKey [0xF6AF54D0]
    SSDT \SystemRoot\system32\drivers\sbaphd.sys (GFI ActiveProtection hook driver/GFI Software) ZwSetValueKey [0xF6AF5520]

    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\system32\Drivers\OA004Afx.sys entry point in "init" section [0xAA2E6310]
    ? C:\DOCUME~1\SHELLE~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, A0, 75, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, A3, 75, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, A0, 75, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, A1, 75, 00] {TEST AL, 0xa1; JNZ 0x4}
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B914BBA
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, A2, 75, 00] {TEST AL, 0xa2; JNZ 0x4}
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, A1, 75, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, A2, 75, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B914C2B
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, A0, 75, 00] {TEST AL, 0xa0; JNZ 0x4}
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B914D59
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, A1, 75, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, A2, 75, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, A3, 75, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 94, 37, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 97, 37, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 94, 37, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 95, 37, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B910DAE
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 96, 37, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 95, 37, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 96, 37, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B910E1F
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 94, 37, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B910F4D
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 95, 37, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 96, 37, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 97, 37, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2980] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3144] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01A50001
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3144] WS2_32.dll!WSALookupServiceNextW 71AB3181 6 Bytes JMP 71A60F5A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3144] WS2_32.dll!WSALookupServiceEnd 71AB350E 6 Bytes JMP 71A30F5A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3144] WS2_32.dll!WSALookupServiceBeginW 71AB35EF 6 Bytes JMP 71AF0F5A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3144] WS2_32.dll!send 71AB4C27 6 Bytes JMP 71A00F5A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3144] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 71970F5A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3144] WS2_32.dll!recv 71AB676F 6 Bytes JMP 719D0F5A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3144] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 719A0F5A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3144] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 6 Bytes JMP 71940F5A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 84, A8, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 87, A8, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 84, A8, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 85, A8, 00] {TEST AL, 0x85; TEST AL, 0x0}
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B917E9E
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 86, A8, 00] {TEST AL, 0x86; TEST AL, 0x0}
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 85, A8, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 86, A8, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B917F0F
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 84, A8, 00] {TEST AL, 0x84; TEST AL, 0x0}
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B91803D
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 85, A8, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 86, A8, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 87, A8, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 04CC0001
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] WS2_32.dll!WSALookupServiceNextW 71AB3181 6 Bytes JMP 71A60F5A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] WS2_32.dll!WSALookupServiceEnd 71AB350E 6 Bytes JMP 71A30F5A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] WS2_32.dll!WSALookupServiceBeginW 71AB35EF 6 Bytes JMP 71AF0F5A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] WS2_32.dll!send 71AB4C27 6 Bytes JMP 71A00F5A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 71970F5A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] WS2_32.dll!recv 71AB676F 6 Bytes JMP 719D0F5A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 719A0F5A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3420] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 6 Bytes JMP 71940F5A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, D3, 00] {SUB [EAX], AL; ROL DWORD [EAX], CL}
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, D3, 00] {SUB [EBX], AL; ROL DWORD [EAX], CL}
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, D3, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, D3, 00] {TEST AL, 0x1; ROL DWORD [EAX], CL}
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91A91A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, D3, 00] {TEST AL, 0x2; ROL DWORD [EAX], CL}
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, D3, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, D3, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91A98B
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, D3, 00] {TEST AL, 0x0; ROL DWORD [EAX], CL}
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B91AAB9
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, D3, 00] {SUB [ECX], AL; ROL DWORD [EAX], CL}
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, D3, 00] {SUB [EDX], AL; ROL DWORD [EAX], CL}
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, D3, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3716] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, D4, 66, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, D7, 66, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, D4, 66, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, D5, 66, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B913CEE
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, D6, 66, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, D5, 66, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, D6, 66, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B913D5F
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, D4, 66, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B913E8D
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, D5, 66, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, D6, 66, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, D7, 66, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3776] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 08, AC, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 0B, AC, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 08, AC, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 09, AC, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B918222
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 0A, AC, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 09, AC, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 0A, AC, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B918293
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 08, AC, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B9183C1
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 09, AC, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 0A, AC, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 0B, AC, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Google\Chrome\Application\chrome.exe[2924] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 008C0010
    IAT C:\Program Files\Google\Chrome\Application\chrome.exe[2980] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 003E0010
    IAT C:\Program Files\Google\Chrome\Application\chrome.exe[3420] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00BE0010
    IAT C:\Program Files\Google\Chrome\Application\chrome.exe[3716] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00EA0010
    IAT C:\Program Files\Google\Chrome\Application\chrome.exe[3776] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 007D0010
    IAT C:\Program Files\Google\Chrome\Application\chrome.exe[4004] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00C20010

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


    Thanks
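The "User code sections" in the GMER log above list code that has been patched inside running processes. That is what a user-mode rootkit does, but it is also what Chrome's own sandbox does to every renderer it starts, so the section needs sorting before it means anything. The script below is an added example, not part of the original post or of GMER, that parses those lines and separates the hooks the Chromium sandbox is known to install (its ntdll Nt* interceptions and the CreateNamedPipeW patch in RPCRT4's import table, which is all that is reported for PIDs 2924, 2980, 3716, 3776 and 4004) from hooks that still need an owner identified, such as the WS2_32 and LoadLibraryExW patches in PIDs 3144 and 3420, which it flags for review rather than calling malicious. It also decodes the 4-byte value GMER reports at +6 of each patched stub, which on XP is consistent with the stub's `mov edx, 7FFE0300h / call [edx]` being rewritten to `mov edx, <thunk> / jmp edx`. Assumptions: the expected-function list is my own recollection of the sandbox's interception policy, and the explorer.exe line in the embedded sample is constructed.

```python
import re
from collections import defaultdict

# ntdll functions the Chromium sandbox intercepts in its sandboxed processes
# (plus CreateNamedPipeW, patched in RPCRT4's import table). Hooks on these in
# chrome.exe are expected; everything else is left for a human to identify.
# Assumption of this example: list reproduced from memory of the sandbox's
# interception policy, not taken from the page.
CHROME_SANDBOX_NT = {
    "NtCreateFile", "NtOpenFile", "NtQueryAttributesFile",
    "NtQueryFullAttributesFile", "NtSetInformationFile",
    "NtOpenProcess", "NtOpenThread", "NtOpenProcessToken",
    "NtOpenProcessTokenEx", "NtOpenThreadToken", "NtOpenThreadTokenEx",
    "NtSetInformationThread", "NtMapViewOfSection", "NtUnmapViewOfSection",
}

# .text <image>[<pid>] <module>!<func>[ + <off>] <addr> <n> Byte(s) <detail>
INLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<mod>[^!\s]+)!(?P<func>[^\s+]+)"
    r"(?:\s*\+\s*(?P<off>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes?\s+(?P<detail>.*)$"
)
# IAT <image>[<pid>] @ <caller> [<module>!<func>] <addr>
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<caller>.+?)\s+"
    r"\[(?P<mod>[^!]+)!(?P<func>[^\]]+)\]\s+(?P<addr>[0-9A-Fa-f]+)$"
)


def parse_user_hooks(log_text):
    """Yield one dict per inline (.text) or IAT hook line in a GMER log."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = INLINE_RE.match(line)
        if m:
            yield {"kind": "inline", "caller": None, **m.groupdict()}
            continue
        m = IAT_RE.match(line)
        if m:
            yield {"kind": "iat", "off": None, "n": None, "detail": None,
                   **m.groupdict()}


def thunk_target(detail):
    """Decode GMER's "[28, A0, 75, 00]" byte list as a little-endian imm32.

    On XP the syscall stub is 'mov edx, 7FFE0300h / call [edx]'; a 4-byte
    change at +6 plus E2 at +B is consistent with the sandbox rewriting it
    to 'mov edx, <thunk> / jmp edx', so these bytes are the thunk address.
    Returns None when the detail is not a plain byte list (e.g. "CALL ...").
    """
    m = re.match(r"\[([0-9A-Fa-f]{2}(?:,\s*[0-9A-Fa-f]{2}){3})\]", detail.strip())
    if not m:
        return None
    b = bytes(int(x, 16) for x in m.group(1).split(","))
    return int.from_bytes(b, "little")


def classify(h):
    """Return ('expected', why) or ('review', why) for one parsed hook."""
    exe = h["proc"].rsplit("\\", 1)[-1].lower()
    mod = h["mod"].lower()
    if exe == "chrome.exe":
        if h["kind"] == "inline" and mod == "ntdll.dll" and h["func"] in CHROME_SANDBOX_NT:
            return "expected", "Chromium sandbox ntdll interception"
        if h["kind"] == "iat" and mod == "kernel32.dll" and h["func"] == "CreateNamedPipeW":
            return "expected", "Chromium sandbox CreateNamedPipeW IAT patch"
    return "review", "identify the module owning the hook target"


def triage(log_text):
    """Group hooks by (image, pid): count expected ones, list the rest."""
    per_proc = defaultdict(lambda: {"expected": 0, "review": []})
    for h in parse_user_hooks(log_text):
        key = (h["proc"].rsplit("\\", 1)[-1], int(h["pid"]))
        verdict, why = classify(h)
        if verdict == "expected":
            per_proc[key]["expected"] += 1
        else:
            target = h["detail"] if h["kind"] == "inline" else h["addr"]
            per_proc[key]["review"].append(f'{h["mod"]}!{h["func"]} -> {target} ({why})')
    return dict(per_proc)


# Constructed excerpt: lines 1-4 and 6 mirror the log above; the explorer.exe
# line is invented to show a hook that is NOT covered by the chrome.exe rule.
SAMPLE = r"""
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, A0, 75, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3144] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01A50001
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3144] WS2_32.dll!send 71AB4C27 6 Bytes JMP 71A00F5A
.text C:\WINDOWS\explorer.exe[1234] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, A0, 75, 00]
IAT C:\Program Files\Google\Chrome\Application\chrome.exe[2924] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 008C0010
"""

if __name__ == "__main__":
    for (image, pid), r in sorted(triage(SAMPLE).items()):
        print(f"{image}[{pid}]: {r['expected']} expected, {len(r['review'])} to review")
        for item in r["review"]:
            print("   ", item)
```

Run it on the full GMER log instead of the sample and the six renderer PIDs collapse to "expected" while the WS2_32/LoadLibraryExW entries remain as the only lines worth chasing; the JMP targets in those lines (71A6xxxx and similar) should be resolved to a loaded module in the process before deciding whether a security product or something else owns them.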
     
  2. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    Hi, my name is Mark and I will be helping you.

    IMPORTANT: Please take the time to read this first.
    For the benefit of others who are waiting for help, please try to respond as fast as you can and make sure you read all of the instructions I will be giving you to follow. Time spent waiting for replies or having to repeat questions keeps other people waiting in the queue for help.

    I am in Spain at GMT+1. I check my emails several times a day, so I will usually reply to your responses within a few hours or less unless it is night time here. During the evening here I will usually reply within minutes. Please try to do the same for a swift clean-up. Some malware needs to be dealt with quickly or it will multiply and become deeply embedded in your system and more difficult to find and remove, so quick replies will have more than one benefit.

    Keep in mind that I cannot see your PC, so please give as much detail as possible if something goes wrong or you receive any error messages.

    Malware can be unpredictable and often time-consuming to remove; on rare occasions something can go awry and your system may need to have Windows re-installed. Please make sure before we start that you have copies of all your important data saved to an external hard drive or CDs/DVDs. Please make sure you disconnect any external hard drives and/or flash drives during the clean-up.

    If you have run any scans that found an infection please let me know.

    DO NOT run any scans or make any changes that I have not asked you to do, as this can cause misleading results and make my job much harder in trying to help you. Please also uninstall any file sharing software, e.g. uTorrent, BitTorrent, etc.; if you insist on keeping it, do not use it until we are finished. Use of file sharing software is one of the easiest ways to get your PC infected.

    If I get no reply from you for two days I will mark the thread as Solved and move on to helping someone else. If you know you will be unable to reply for any length of time please let me know in advance.

    Please don't abandon the thread as soon as your PC starts to work normally again as there will be other important checks to make to help protect your system from re-infection. It is also important to follow the correct procedure when removing the tools used to ensure all quarantined infections are completely removed and infected Restore Points are safely deleted.

    Stick with me and we can quickly clean up your PC; if you cannot dedicate the time then a reformat and re-install will be your quickest option.

    _____________________________________________________________________________________

    Please run these two scans and post the logs:

    SCAN 1
    Click on this link to download AdwCleaner and save it to your desktop.

    NOTE: If using Internet Explorer and you get an alert that stops the program downloading, click on Tools > SmartScreen Filter > Turn off SmartScreen Filter, then click on OK in the box that opens. Then click on the link again.

    Close your browser and click on the AdwCleaner icon on your desktop.

    You will then see the AdwCleaner window; click on the Delete button, accept any prompts that appear and allow it to reboot the PC. When the PC has rebooted you will be presented with the report; copy and paste it into your next post.



    SCAN 2
    Download RogueKiller (by tigzy) from its web page and save it directly to your Desktop.

    • Quit all running programs
    • Start RogueKiller.exe
    • Wait until Prescan has finished.
    • Ensure all boxes are ticked under "Report" tab.
    • Click on Scan.
    • Click on Report when complete. Copy/paste the contents of the report into your next reply.
    • NOTE: DO NOT attempt to remove anything that the scan detects.

     
  3. Jastone

    Jastone Thread Starter

    Joined:
    Jul 2, 2005
    Messages:
    102
    # AdwCleaner v2.102 - Logfile created 12/25/2012 at 18:57:34
    # Updated 23/12/2012 by Xplode
    # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
    # User : Shelley Cooper - SHELLEYSPC
    # Boot Mode : Normal
    # Running from : C:\Documents and Settings\Shelley Cooper\Desktop\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    Folder Deleted : C:\Documents and Settings\All Users\Application Data\blekko toolbars

    ***** [Registry] *****


    ***** [Internet Browsers] *****

    -\\ Internet Explorer v6.0.2900.5512

    [OK] Registry is clean.

    -\\ Google Chrome v23.0.1271.97

    File : C:\Documents and Settings\Shelley Cooper\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

    [OK] File is clean.

    *************************

    AdwCleaner[S1].txt - [821 octets] - [25/12/2012 18:57:34]

    ########## EOF - C:\AdwCleaner[S1].txt - [880 octets] ##########


    RogueKiller V8.4.1 [Dec 24 2012] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Shelley Cooper [Admin rights]
    Mode : Scan -- Date : 12/25/2012 19:14:22

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 2 ¤¤¤
    [HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\WINDOWS\system32\drivers\etc\hosts

    127.0.0.1 localhost
    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com
    127.0.0.1 www.0scan.com
    127.0.0.1 0scan.com
    127.0.0.1 www.1000gratisproben.com
    127.0.0.1 1000gratisproben.com
    127.0.0.1 1001namen.com
    127.0.0.1 www.1001namen.com
    127.0.0.1 100888290cs.com
    127.0.0.1 www.100888290cs.com
    127.0.0.1 www.100sexlinks.com
    [...]


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: STEC PATA 16GB +++++
    --- User ---
    [MBR] 30692dff02c38512a66f2b3460767177
    [BSP] 57ebeff2313f991a6fe753b171cc7198 : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 47 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 98304 | Size: 14645 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: JMCR SD/MMC SCSI Disk Device +++++
    --- User ---
    [MBR] a7f9a7919371b4ba7c603ce704b7be29
    [BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
    Partition table:
    0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 8192 | Size: 7642 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[1]_S_12252012_02d1914.txt >>
    RKreport[1]_S_12252012_02d1914.txt
     
  4. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    No infections were found by those two scans; the only problem showing is that System Restore has been disabled.

    Please run this scan:

    1. Download Malwarebytes Anti-Rootkit from this link mbar
    2. Unzip the file to a convenient location. (The Desktop is recommended.)
    3. Open the folder where the contents were unzipped to run mbar.exe

    [IMG]

    4. Double-click on the mbar.exe file. You may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run, and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers, you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

    [IMG]

    5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you log in, MBAR will automatically start and you will now be at the start screen. (If there is no rootkit warning, you will go from step 4 to step 6.)

    6. The following image opens; select Next.

    [IMG]

    7. The following image opens; select Update.

    [IMG]

    8. When the update completes, select Next.

    [IMG]

    9. In the following window, ensure "Targets" are ticked. Then select "Scan".

    [IMG]

    10. If an infection is found, the "Cleanup" button to remove threats will be available. Infected files will be listed like the following example:

    [IMG]

    11. Do not select the "Clean up" button; select the "Exit" button. There will be a warning as follows:

    [IMG]

    12. Select "Yes" to close down the program. If NO infections were found, you will see the following image:

    [IMG]

    13. Select "Exit" to close down.
    14. Copy and paste the two following logs from the mbar folder:

    System - log
    Mbar - log (the date and time of the scan will also be shown)

    [IMG]
     
  5. Jastone

    Jastone Thread Starter

    Joined:
    Jul 2, 2005
    Messages:
    102
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1011

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 6.0.2900.5512

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED
    CPU speed: 1.595000 GHz
    Memory total: 1063628800, free: 461127680

    ------------ Kernel report ------------
    12/27/2012 18:29:00
    ------------ Loaded modules -----------
    \WINDOWS\system32\ntkrnlpa.exe
    \WINDOWS\system32\hal.dll
    \WINDOWS\system32\KDCOM.DLL
    \WINDOWS\system32\BOOTVID.dll
    ACPI.sys
    \WINDOWS\system32\DRIVERS\WMILIB.SYS
    pci.sys
    isapnp.sys
    gfibto.sys
    compbatt.sys
    \WINDOWS\system32\DRIVERS\BATTC.SYS
    pciide.sys
    \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    MountMgr.sys
    ftdisk.sys
    PartMgr.sys
    ACPIEC.sys
    \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    VolSnap.sys
    atapi.sys
    disk.sys
    \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    fltMgr.sys
    PxHelp20.sys
    KSecDD.sys
    Ntfs.sys
    NDIS.sys
    Mup.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\EMSC.SYS
    \SystemRoot\system32\DRIVERS\WDFLDR.SYS
    \SystemRoot\System32\Drivers\wdf01000.sys
    \SystemRoot\system32\DRIVERS\igxpmp32.sys
    \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\jmcr.sys
    \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
    \SystemRoot\system32\DRIVERS\bcmwl5.sys
    \SystemRoot\system32\DRIVERS\Rtenicxp.sys
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\audstub.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\DRIVERS\psched.sys
    \SystemRoot\system32\DRIVERS\msgpc.sys
    \SystemRoot\system32\DRIVERS\ptilink.sys
    \SystemRoot\system32\DRIVERS\raspti.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\DRIVERS\update.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\drivers\RtkHDAud.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \??\C:\WINDOWS\system32\Drivers\OA004Afx.sys
    \SystemRoot\System32\Drivers\i2omgmt.SYS
    \SystemRoot\System32\Drivers\Fs_Rec.SYS
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\Drivers\mnmdd.SYS
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\rasacd.sys
    \SystemRoot\system32\DRIVERS\ipsec.sys
    \SystemRoot\system32\DRIVERS\tcpip.sys
    \SystemRoot\system32\DRIVERS\netbt.sys
    \SystemRoot\system32\DRIVERS\ipnat.sys
    \SystemRoot\System32\drivers\afd.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\drivers\sbaphd.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\System32\Drivers\Fips.SYS
    \SystemRoot\System32\Drivers\Fastfat.SYS
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\system32\DRIVERS\OA004Vid.sys
    \SystemRoot\system32\DRIVERS\OA004Ufd.sys
    \SystemRoot\System32\Drivers\dump_atapi.sys
    \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\watchdog.sys
    \SystemRoot\System32\drivers\dxg.sys
    \SystemRoot\System32\drivers\dxgthk.sys
    \SystemRoot\System32\igxpgd32.dll
    \SystemRoot\System32\igxprd32.dll
    \SystemRoot\System32\igxpdv32.DLL
    \SystemRoot\System32\igxpdx32.DLL
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\drivers\sbapifs.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\mrxdav.sys
    \SystemRoot\system32\drivers\wdmaud.sys
    \SystemRoot\system32\drivers\sysaudio.sys
    \SystemRoot\system32\DRIVERS\srv.sys
    \SystemRoot\System32\Drivers\HTTP.sys
    \SystemRoot\system32\drivers\kmixer.sys
    \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
    \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    \WINDOWS\system32\ntdll.dll
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR3
    Upper Device Object: 0xffffffff86a2b170
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Scsi\JMCR1Port1Path0Target0Lun0\
    Lower Device Object: 0xffffffff86835030
    Lower Device Driver Name: \Driver\JMCR\
    Driver name found: JMCR
    DriverEntry returned 0x0
    Function returned 0x0
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff86b64ab8
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
    Lower Device Object: 0xffffffff86b88940
    Lower Device Driver Name: \Driver\atapi\
    Driver name found: atapi
    DriverEntry returned 0x0
    Function returned 0x0
    Downloaded database version: v2012.12.27.03
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 2
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff86b64ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff86b12a78, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff86b64ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff86b652e8, DeviceName: \Device\00000067\, DriverName: \Driver\ACPI\
    DevicePointer: 0xffffffff86b88940, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
    ------------ End ----------
    Upper DeviceData: 0xffffffffe232c198, 0xffffffff86b64ab8, 0xffffffff82430750
    Lower DeviceData: 0xffffffffe2fe6d28, 0xffffffff86b88940, 0xffffffff822af568
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\WINDOWS\system32\drivers...
    Read File: File "C:\WINDOWS\system32\drivers\1028_Dell_INS_910.mrk" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\ABP480N5.SYS" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\acpi.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\acpiec.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\adpu160m.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\AGP440.SYS" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\AGPCPQ.SYS" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\aha154x.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\aic78u2.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\aic78xx.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\aliide.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\ALIM1541.SYS" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\AMDAGP.SYS" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\amdk6.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\amdk7.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\amsint.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\arp1394.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\asc.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\asc3350p.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\GEARAspiWDM.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\gm.dls" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\gmreadme.txt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\hidclass.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\hidusb.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\hpn.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\i2omp.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\ini910u.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\intelide.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\ip6fw.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\asyncmac.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\atmarpc.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\atmepvc.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\atmlane.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\atmuni.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\battc.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\bridge.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\bthport.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\btwsecfl.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\cbidf2k.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\CCDECODE.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\cd20xrnt.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\cdfs.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\cdr4_xp.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\cdralw2k.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\cinemst2.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\classpnp.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\cmdide.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\compbatt.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\cpqarray.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\crusoe.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\dac2w2k.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\dac960nt.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\diskdump.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\dmboot.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\dmio.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\dmload.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\dpti2o.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\FilterPC.bmp" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\FilterPC.jpg" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\fltMgr.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\fsvga.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\mouhid.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\mountmgr.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\mraid35x.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\MSKSSRV.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\MSPCLOCK.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\MSPQM.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\MSTEE.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\NABTSFEC.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\ndis.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\NdisIP.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\nic1394.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\nikedrv.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\ntfs.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\nwlnkflt.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\nwlnkfwd.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\nwlnkipx.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\nwlnknb.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\nwlnkspx.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\OA004PC.bmp" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\OA004PC.jpg" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\oprghdlr.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\p3.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\parport.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\partmgr.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\parvdm.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\pci.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\pciide.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\pciidex.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\pcmcia.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\perc2.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\asc3550.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\cpqdap01.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\ftdisk.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\modem.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\nmnt.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\perc2hib.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\rio8drv.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\sr.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\usb8023.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\processr.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\PxHelp20.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\ql1080.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\ql10wnt.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\ql12160.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\ql1240.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\ql1280.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\rawwan.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\rdpdr.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\riodrv.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\rmcast.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\rndismp.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\rootmdm.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\sdbus.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\secdrv.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\serenum.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\sffdisk.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\sffp_mmc.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\sffp_sd.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\SISAGP.SYS" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\SLIP.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\smclib.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\sonydcam.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\sparrow.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\stream.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\StreamIP.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\symc810.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\symc8xx.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\sym_hi.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\sym_u3.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\tape.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\tdpipe.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\tdtcp.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\tosdvd.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\toside.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\tsbvcap.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\tunmp.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\udfs.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\ultra.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\usbaapl.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\usbcamd.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\usbcamd2.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\usbintel.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\usbvideo.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\vdmindvd.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\VIAAGP.SYS" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\viaide.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\volsnap.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\wdcsam.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\wpdusb.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\ws2ifsl.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\WSTCODEC.SYS" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\ipinip.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\irenum.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\isapnp.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\mcd.sys" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\mf.sys" is compressed (flags = 1)
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: A42D04A3

    Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63 Numsec = 96327

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 98304 Numsec = 29993488
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 15408046080 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-62-30073840-30093840)...
    Physical Sector Size: 512
    Drive: 1, DevicePointer: 0xffffffff86a2b170, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff86a02648, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff86a2b170, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff86835030, DeviceName: \Device\Scsi\JMCR1Port1Path0Target0Lun0\, DriverName: \Driver\JMCR\
    ------------ End ----------
    Upper DeviceData: 0xffffffffe108cd30, 0xffffffff86a2b170, 0xffffffff82334ab8
    Lower DeviceData: 0xffffffffe18a57a0, 0xffffffff86835030, 0xffffffff821dd040
    Drive 1
    Scanning MBR on drive 1...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 0

    Partition information:

    Partition 0 type is Other (0x6)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 8192 Numsec = 15651840

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 8017936384 bytes
    Sector size: 512 bytes

    Done!
    Performing system, memory and registry scan...
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.MSACCESS.DEV.12.1033.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\Hx.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\Hx_3081_MValidator.Lck" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.EXCEL.12.1033.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.EXCEL.DEV.12.1033.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.GRAPH.12.1033.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.GROOVE.12.1033.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.INFOPATH.12.1033.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.INFOPATHEDITOR.12.1033.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.MSACCESS.12.1033.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.MSE.12.1033.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.MSPUB.12.1033.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.MSPUB.DEV.12.1033.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.MSTORE.12.1033.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.OIS.12.1033.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.ONENOTE.12.1033.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.OUTLOOK.12.1033.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.OUTLOOK.DEV.12.1033.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.POWERPNT.12.1033.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.POWERPNT.DEV.12.1033.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.RIBBON.12.1033.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.SETLANG.12.1033.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.WINWORD.12.1033.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Microsoft Help\MS.WINWORD.DEV.12.1033.hxn" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Application Data\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\brndlog.bak" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Shelley Cooper\Application Data\dvdcss\CACHEDIR.TAG" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Shelley Cooper\Application Data\Microsoft\Office\MSO2057.acl" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Shelley Cooper\Application Data\Microsoft\Office\MSO3081.acl" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Shelley Cooper\Application Data\Microsoft\Protect\CREDHIST" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Shelley Cooper\Application Data\Microsoft\UProof\ExcludeDictionaryEN0409.lex" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Shelley Cooper\Application Data\Microsoft\UProof\ExcludeDictionaryEN0809.lex" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\brndlog.bak" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Protect\CREDHIST" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Shelley Cooper\Desktop\~$kora Wiki 8.docx" is compressed (flags = 1)
    Read File: File "C:\Program Files\Outlook Express\msoe.txt" is compressed (flags = 1)
    Read File: File "C:\Program Files\Windows Media Player\npdrmv2.zip" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\etc\networks" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\migip.dun" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\migrate.isp" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\msobe.isp" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\obeip.dun" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\OOBEINFO.INI" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\reg.isp" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Temp\History\History.IE5\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\ntuser.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\LocalService\ntuser.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\NetworkService\ntuser.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Local Settings\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\explorer.scf" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\setuperr.del" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\smscfg.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\vb.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\vbaddin.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Excel\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Policy.11.0.Microsoft.Vbe.Interop\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Policy.11.0.office\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Access.Dao\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Excel\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\office\12.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Downloaded Program Files\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Downloaded Program Files\swflash.inf" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\ciadmin.htm" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\conf.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\connect.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\mshearts.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\msnauth.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\nocontnt.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\ratings.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\update.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\windows.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\winhlp32.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\installutil.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\regsvcs.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\gacutil.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\regsvcs.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Aspnet.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regasm.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ilasm.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet.mof.uninstall" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Aspnet_regsql.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\caspol.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ieexec.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\jsc.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\XPThemes.manifest" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\_DataOracleClientPerfCounters_shared12_neutral.h" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\_dataperfcounters_shared12_neutral.h" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\webAdminNoNavBar.master" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Tasks\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Tasks\SA.DAT" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Web\bullet.gif" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Local Settings\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\LocalService\Local Settings\History\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\NetworkService\Local Settings\History\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Shelley Cooper\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Shelley Cooper\Local Settings\History\History.IE5\index.dat" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Shelley Cooper\Desktop\~$kora Wiki 8.docx" is compressed (flags = 1)
    Done!
    Scan finished
    =======================================

    Malwarebytes Anti-Rootkit 1.01.0.1011
    www.malwarebytes.org

    Database version: v2012.12.27.03

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 6.0.2900.5512
    Shelley Cooper :: SHELLEYSPC [administrator]

    27/12/2012 6:38:26 PM
    mbar-log-2012-12-27 (18-38-26).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 25140
    Time elapsed: 8 minute(s), 43 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  6. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    There is no sign of any bad infections on the system, so I would suspect previous runs with Malwarebytes have cured any infections you had and they are no longer returning.

    One thing I would highly recommend is a larger hard drive. You only have an 18GB hard drive which I suspect is many years old; with limited space on the drive this can slow system performance and doesn't leave much space for using System Restore, which I assume was turned off intentionally. I can also see the drive's contents have been compressed to save space, which can also slow things down a bit.

    I would also recommend replacing Spybot S&D and Ad-aware Anti Virus as they are not recommended programs. You can replace them with Microsoft Security Essentials and SuperAntiSpyware Free version.

    We just have one more scan to do to check for any infections, this may take several hours to complete. Please also run Security Check to see if anything important needs updating.



    Eset online scan instructions.
    IMPORTANT ---> Please make sure you follow the instruction to uncheck the box next to Remove found threats. Eset will detect anything that looks even remotely suspicious, this can include legitimate program files. If you do not uncheck the box, as instructed, Eset will automatically remove all suspect files which could leave some of your software inoperative. If you make a mistake these files can be restored from quarantine, but it would be preferable not to add any extra work to the clean up of your system.

    • Disable your existing Anti Virus following these instructions.
    • Please go here to use the Eset Online Scanner.
    • When the web page opens click on this button [image]
    • If you are not using Internet Explorer you will see a message box open asking you to download the ESET Smart Installer, click on the link and allow it to download and then run it. Accept the Terms of use and click on Start. The required components will download.
    • If using Internet Explorer the Terms of use box will open immediately, accept it and click on Start.
    • After the download is complete the Computer scan settings window will open, IMPORTANT ----> uncheck the box next to Remove found threats and click on Start. The virus signature database will then download which may take some time depending on the speed of your internet connection. The scan will automatically start when the download is complete.
    • This is a very thorough scan and may take several hours to complete depending on how much data you have on your hard drive. Do not interrupt it, be patient and let it finish.
    • A Scan Results window will appear at the end of the scan. If it lists any number of Infected Files click on List of found threats. Click on Copy to clipboard, come back to this thread and right click on the message box. Select Paste and the report will appear, add any comments you have and post the reply.
    • Back on the Eset window, click the Back button and then click on Finish.



    Download Security Check by screen317 from Here or Here.
    Save it to your Desktop.
    Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
    A Notepad document should open automatically called checkup.txt; please Copy & Paste the contents of that document into your next reply.
     
  7. Jastone

    Jastone Thread Starter

    Joined:
    Jul 2, 2005
    Messages:
    102
    C:\WINDOWS\system32\9821C4\shell.fne probably a variant of Win32/Agent.IMRSJKB trojan

    Results of screen317's Security Check version 0.99.56
    Windows XP Service Pack 3 x86
    Internet Explorer 6 Out of date!
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    ESET Online Scanner v3
    Ad-Aware Antivirus
    `````````Anti-malware/Other Utilities Check:`````````
    Ad-Aware
    MVPS Hosts File
    Spybot - Search & Destroy
    Malwarebytes Anti-Malware version 1.65.1.1000
    CCleaner
    Adobe Flash Player 10 Flash Player out of Date!
    Adobe Reader 9 Adobe Reader out of Date!
    Google Chrome 23.0.1271.97
    ````````Process Check: objlist.exe by Laurent````````
    Ad-Aware AAWService.exe is disabled!
    Ad-Aware AAWTray.exe is disabled!
    Ad-Aware Antivirus AdAwareService.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C:: 44% Defragment your hard drive soon! (Do NOT defrag if SSD!)
    ````````````````````End of Log``````````````````````

    Also, before we finish I would like to run the malwarebytes antimalware program, as that is the one that found up to 20 problems initially. Let me know when I can run that program, just for peace of mind.
     
  8. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    The Mbar scan does the same job as Malwarebytes (made by the same company) but with deeper scanning so it is very unlikely that Malwarebytes will come up with anything. Eset has found one infection, but please do run Mbam again and post the log.

    The system requires quite a few updates and the hard drive is badly in need of a defrag. You don't appear to have replaced Ad-aware or Spybot S&D.

    =====================================================================
    We need to check the file found by Eset.

    Go to one of the following online services that analyzes suspicious files:

    In the "File to Scan" (Upload or Submit) box, click the "browse" button and locate the following file:

    C:\WINDOWS\system32\9821C4\shell.fne <- this file

    Click "Open", then click the "Submit" button. If you get a message saying "File has already been analyzed", click Reanalyze or Scan again.
    -- Post back with the results of the file analysis in your next reply.
     
  9. Jastone

    Jastone Thread Starter

    Joined:
    Jul 2, 2005
    Messages:
    102
    Malwarebytes Anti-Malware 1.65.1.1000
    www.malwarebytes.org

    Database version: v2012.12.24.01

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 6.0.2900.5512
    Shelley Cooper :: SHELLEYSPC [administrator]

    29/12/2012 10:35:01 AM
    mbam-log-2012-12-29 (10-35-01).txt

    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 225595
    Time elapsed: 52 minute(s), 48 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    I wasn't able to locate the shell.fne file to inspect, it appears to have disappeared. :confused:

    I also installed those two programs to replace the old ones. I ran a defrag last night, but due to such limited free space, it did not perform very well.
     
  10. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    I doubt you will get this PC to run very well unless you can free up some more space on the hard drive, get a larger hard drive to replace it or get an external hard drive to keep all your data on.

    What happened with the defrag, did it complete or was there an error?

    We need to see if that suspicious file is still on the system and I would suggest running a disc check, and cleaning out all the temporary files.



    Please download SystemLook from one of the links below and save it to your Desktop.



    • Double-click SystemLook.exe to run it.
    • Vista/Windows 7 users right-click and select Run As Administrator.
    • Copy and paste everything in the codebox below into the main textfield:
      Code:
      :filefind
      shell.fne
      
    • Click the Look button to start the scan.
    • When finished, a Notepad window will open SystemLook.txt with the results of the search and save a copy on your Desktop.
    • Please copy and paste the contents of that log in your next reply.


    ==============================================================

    Disc Check

    • Click on Start then Run and type cmd in the search box and hit Enter. At the C: prompt, type chkdsk /r exactly as written here with the gap before the slash, then hit Enter.
    • You will then see a message "Would you like to schedule this volume to be checked the next time the system restarts? (Y/N)"
    • Type Y for yes, and hit Enter. Then reboot the computer. The disc check will start when Windows begins loading again. Let all 5 phases run and don't use or turn off the computer. (The disc check process may take an hour or more to finish and may appear to freeze which is normal.)
    • When the disc check is done, it will finish loading Windows.
    • When finished click on Start then Run and type: eventvwr.msc and hit Enter.
    • When Event Viewer opens, click on Application in the left pane. In the main pane scroll down until you find Winlogon under the Source column and double-click on it.
    • This is the log created after running the disc check. Click once on the Copy button [image]
    • Come back here and right click on the message box, select Paste from the pop up menu and the log will appear. Then submit the post.


    ==========================================================

    Download Temporary file cleaner and save it to the desktop.
    Double click on the icon to run it (it appears as a dark grey dustbin). For Windows 7 and Vista right click the icon and select Run as Administrator.
    When the window opens click on Start. It will close all running programs and clear the desktop icons.
    When complete you may be asked to reboot, if so accept the request and your PC will reboot automatically.
     
  11. Jastone

    Jastone Thread Starter

    Joined:
    Jul 2, 2005
    Messages:
    102
    The defrag ran fine, but gave a warning before running that it wouldn't run very well due to very limited free space.

    SystemLook 30.07.11 by jpshortstuff
    Log created at 14:11 on 31/12/2012 by Shelley Cooper
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "shell.fne"
    C:\WINDOWS\system32\9821C4\shell.fne ---hsc- 40960 bytes [00:55 09/09/2009] [00:55 09/09/2009] 5806704A429ED9E86260A4A2E4375028

    -= EOF =-

    I ran the temporary file cleaner and it removed 178 MB of files.

    Event Type: Information
    Event Source: Winlogon
    Event Category: None
    Event ID: 1001
    Date: 31/12/2012
    Time: 4:11:35 PM
    User: N/A
    Computer: SHELLEYSPC
    Description:
    Checking file system on C:
    The type of the file system is NTFS.
    Volume label is OS.

    A disk check has been scheduled.
    Windows will now check the disk.
    Cleaning up minor inconsistencies on the drive.
    Cleaning up 12 unused index entries from index $SII of file 0x9.
    Cleaning up 12 unused index entries from index $SDH of file 0x9.
    Cleaning up 12 unused security descriptors.
    CHKDSK is verifying file data (stage 4 of 5)...
    File data verification completed.
    CHKDSK is verifying free space (stage 5 of 5)...
    Free space verification is complete.

    14996743 KB total disk space.
    14663896 KB in 38269 files.
    15244 KB in 6568 indexes.
    0 KB in bad sectors.
    125659 KB in use by the system.
    65536 KB occupied by the log file.
    191944 KB available on disk.

    4096 bytes in each allocation unit.
    3749185 total allocation units on disk.
    47986 allocation units available on disk.

    Internal Info:
    b0 e6 00 00 30 af 00 00 9a 01 01 00 00 00 00 00 ....0...........
    3e 01 00 00 02 00 00 00 ba 01 00 00 00 00 00 00 >...............
    cc 58 27 04 00 00 00 00 a4 74 cc 06 00 00 00 00 .X'......t......
    9e cf c3 05 00 00 00 00 28 b8 db c0 00 00 00 00 ........(.......
    84 8b dc 04 00 00 00 00 9e a0 88 dd 00 00 00 00 ................
    99 9e 36 00 00 00 00 00 b0 39 07 00 7d 95 00 00 ..6......9..}...
    00 00 00 00 00 60 03 7f 03 00 00 00 a8 19 00 00 .....`..........

    Windows has finished checking your disk.
    Please wait while your computer restarts.


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
     
  12. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    That all looks good and the disc check log shows you only have just under 200MB of free space, which is way too small for optimum performance. This might cause problems with the required updates, so you need to free up some space by moving data to an external source, CDs/DVDs, Flash Drive or external Hard Drive.

    Let's try this to get a copy of the suspicious file onto your desktop so you can get it checked following the instructions in post 8.

    Click on Start then Run and type cmd into the box and click OK
    Now copy and paste the commands below at the command prompt and hit the Enter key after each one.
    It should create a copy of the suspect file on your desktop to have checked at Virus Total or Jotti, etc.

    cd C:\WINDOWS\system32\9821C4
    rem the destination path contains spaces, so cmd.exe needs it in quotes
    copy shell.fne "C:\Documents and Settings\Shelley Cooper\desktop"
     
  13. Jastone

    Jastone Thread Starter

    Joined:
    Jul 2, 2005
    Messages:
    102
    When I try to perform the second line in the command prompt, it says 'the syntax of the command is incorrect'.
     
  14. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    Not sure why that is wrong. Try this routine to show hidden files and folders and then have another look to see if you can find the file.

    To enable the viewing of Hidden files follow these steps:​

    • Close all programs so that you are at your desktop.
    • Double-click on the My Computer icon.
    • Select the Tools menu and click Folder Options.
    • After the new window appears select the View tab.
    • Put a checkmark in the checkbox labeled Display the contents of system folders.
    • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
    • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
    • Remove the checkmark from the checkbox labeled Hide protected operating system files.
    • Press the Apply button and then the OK button and shutdown My Computer.
    • Now your computer is configured to show all hidden files.
     
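    Editor's added example (not code from the thread or from the SystemLook, ESET or Malwarebytes tools): a small Python triage script that ties posts 11 to 14 together. It parses the SystemLook filefind result line from post 11, decodes the attribute letters (the h/s/c mapping to hidden/system/compressed is an assumption based on the standard Windows attribute names; SystemLook's format is not documented in the thread), flags why the file "disappeared" from Explorer, and builds the COPY command from post 12 with the destination quoted, which is why the unquoted version in post 13 failed with "The syntax of the command is incorrect". The hex-folder heuristic is the editor's, not something the thread states. Python is used so the example runs offline on any platform; the sample line is copied from the log above.

```python
import re
import subprocess

# Constructed sample: the SystemLook "filefind" result line from post 11 above
# (path, attribute flags, size, timestamps and MD5 exactly as printed there).
SYSTEMLOOK_LINE = (
    r"C:\WINDOWS\system32\9821C4\shell.fne ---hsc- 40960 bytes "
    "[00:55 09/09/2009] [00:55 09/09/2009] 5806704A429ED9E86260A4A2E4375028"
)

# Assumed mapping of SystemLook's attribute letters to the Windows file
# attributes. The thread does not document the format; only h, s and c appear.
ATTR_NAMES = {"r": "read-only", "a": "archive", "h": "hidden",
              "s": "system", "c": "compressed", "d": "directory"}

# One result line: <path> <flags> <size> bytes [created] [modified] <MD5>
# The path may itself contain spaces, so the tail of the line is matched strictly.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<flags>[-a-z]{5,9}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(line):
    """Split a SystemLook filefind line into its fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a SystemLook filefind result line: %r" % line)
    entry = m.groupdict()
    entry["size"] = int(entry["size"])
    entry["md5"] = entry["md5"].upper()   # hash to look up on VirusTotal / Jotti
    entry["attributes"] = sorted(
        ATTR_NAMES[ch] for ch in entry["flags"] if ch in ATTR_NAMES)
    return entry


def triage(entry):
    """Editor's heuristic reasons (assumed, not from the thread) to treat the file as suspect."""
    reasons = []
    if {"hidden", "system"} <= set(entry["attributes"]):
        reasons.append("hidden+system: Explorer hides it until 'Hide protected "
                       "operating system files' is unchecked, so it looks 'disappeared'")
    parent = entry["path"].rsplit("\\", 1)[0]
    parent_name = parent.rsplit("\\", 1)[-1]
    if (parent.lower().startswith("c:\\windows\\system32\\")
            and re.fullmatch(r"[0-9A-Fa-f]{6,}", parent_name)):
        reasons.append("hex-named folder directly under system32: " + parent_name)
    return reasons


def collect_command(entry, dest_dir):
    """Build the cmd.exe COPY line that pulls the sample onto the desktop.

    cmd.exe splits arguments on spaces, so an unquoted destination such as
    C:\\Documents and Settings\\<user>\\desktop is read as three arguments and
    COPY answers 'The syntax of the command is incorrect.'  list2cmdline applies
    the Windows argument-quoting rules and is pure Python, so it runs anywhere.
    """
    return subprocess.list2cmdline(["copy", entry["path"], dest_dir])


if __name__ == "__main__":
    e = parse_filefind(SYSTEMLOOK_LINE)
    print(e["path"], e["attributes"], e["md5"])
    for reason in triage(e):
        print(" -", reason)
    print(collect_command(e, r"C:\Documents and Settings\Shelley Cooper\desktop"))
```

    Run stand-alone, it prints the parsed fields, the two triage reasons, and a quoted COPY line that cmd.exe on XP will accept. Once the copy is on the desktop, the MD5 printed here is also enough on its own to search the analysis services mentioned in post 8 without uploading anything.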
  15. Jastone

    Jastone Thread Starter

    Joined:
    Jul 2, 2005
    Messages:
    102
    Hi Mark,

    I am away from the laptop at the moment, but I will try to get my sister to perform the tasks you have asked. Hopefully they are not too difficult for her to perform. It may take a few days to perform.

    Sorry for the delay,

    Jastone
     
Short URL to this thread: https://techguy.org/1082186