#1
November 25th, 2010, 08:08 PM
johnny_
Senior Member
Join Date: Nov 2005
Posts: 246
Please help, win32 nuqul.e infected

Can someone please help me with this. My bro reinstalled Windows, but I think he went to some site and got infected again. I don't know what is going on.

It doesn't let me do anything. I'm going back and forth between the infected computer and a laptop with a flash drive, trying to install antivirus programs, but I can't run anything.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:04:35 PM, on 11/25/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18527)
Boot mode: Safe mode with network support

Running processes:
F:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:23012
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files (x86)\Dell\BAE\BAE.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files (x86)\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [bebxknfh] C:\Users\melara\AppData\Local\Temp\xeorqrfhh\tfqnkojtsbl.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files (x86)\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea RT Filters Service (AERTFilters) - Unknown owner - C:\Windows\system32\AERTSr64.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~2\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~2\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~2\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~2\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)

--
End of file - 7732 bytes

Last edited by johnny_; November 25th, 2010 at 08:11 PM.

#2
November 26th, 2010, 02:21 AM
Jintan
Malware Removal Team Advisor
Join Date: Dec 2004
Posts: 49,702
Hello again johnny,

The log shows a malware startup, as well as a malware-created proxy server setting. But we need to get a more detailed look at things before we start repairs. This is Vista, so be sure to "right click - Run as administrator" any scan files.

FYI - Many of the specialty tools we use in these repairs are not yet updated for 64-bit systems (like the "file missing" entries in that HijackThis log). And before I forget to mention it, that system does need to upgrade to Service Pack 2, to benefit from the changes that will make.



To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each program through Start - Programs. Here are some antivirus disable tips if needed.

----------------

Right off see if you can access Safe Mode, where the malware is less active. At startup tap the F8 key about once per half-second, then select Safe Mode with Networking from the menu that will appear.

Download RSIT (random's system information tool) from here to your desktop. Then click on the RSIT.exe to open the RSIT display, and click the Continue button.

If RSIT downloads/installs HijackThis be sure to agree to the install of that.

Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\log.txt.

RSIT will also create a second log, info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt).

You can break logs into parts and use separate posts here when replying and posting the log files, if needed.

--------------

Also click here and download the installer for Gmer to your desktop, then click that file to run Gmer.


Once the opening scan finishes, click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

-------------

Also download Gmer's mbr.exe from here and place it on your C drive (so the file is then C:\mbr.exe).

Go to Start - Run, type cmd (and press OK). At the prompt type or copy/paste the following, pressing Enter after each:

cd\

mbr.exe -t


Then type exit and press Enter to close the command window.

The report created in the command window will have been saved to C:\mbr.log. Locate that and post it here please.

A lot of posting, but a good comprehensive look at things there.
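The two things Jintan picks out of the HijackThis log above (a malware autorun entry and a malware-created proxy setting), together with his caveat that "file missing" service entries on a 64-bit host are usually a tool limitation, can be checked mechanically. The Python triage script below is an added example, not code from this thread, from HijackThis or from RSIT; the sample lines are copied from the log in post #1, and the vowel-ratio "random name" heuristic and the severity labels are my own assumptions.

```python
"""Triage a HijackThis log for the indicators discussed in this thread:
an O4 autorun launching from a Temp folder under a random-looking name,
an R1 ProxyServer value pointing the browser at loopback, and O23 services
whose binary is reported missing. Added example, not HijackThis/RSIT code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log in post #1, with a
# benign O4 entry and a benign O23 entry included for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:23012
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [bebxknfh] C:\Users\melara\AppData\Local\Temp\xeorqrfhh\tfqnkojtsbl.exe
O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
"""

# Line shapes HijackThis uses for the three sections we care about.
RUN_RE = re.compile(r'^O4 - (?P<hive>HK\S*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
PROXY_RE = re.compile(r'^R1 - .*\\Internet Settings,ProxyServer = (?P<value>.*)$')
SERVICE_RE = re.compile(
    r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$')
TEMP_DIR_RE = re.compile(r'\\(?:AppData\\Local\\)?Temp\\', re.IGNORECASE)
LOOPBACK = {'127.0.0.1', 'localhost', '::1'}


@dataclass
class Finding:
    severity: str  # 'high' = review now, 'info' = explainable, verify later
    line: str
    reason: str


def looks_random(token: str) -> bool:
    """Heuristic (assumption, not a rule): lowercase letters only, at least
    six long, under a quarter vowels, like 'bebxknfh' or 'tfqnkojtsbl'."""
    if not (token.isalpha() and token.islower() and len(token) >= 6):
        return False
    return sum(c in 'aeiou' for c in token) / len(token) < 0.25


def executable_path(cmd: str) -> str:
    """Return the program path from a Run value: the quoted part if quoted,
    otherwise everything up to and including the first '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r'(.*?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(' ', 1)[0]


def check_run(m: re.Match, line: str) -> list[Finding]:
    path = executable_path(m['cmd'])
    stem = path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    reasons = []
    if TEMP_DIR_RE.search(path):
        reasons.append('autorun launches from a Temp folder')
    if looks_random(m['name']) or looks_random(stem):
        reasons.append(f"random-looking value/file name {m['name']!r} / {stem!r}")
    return [Finding('high', line, '; '.join(reasons))] if reasons else []


def check_proxy(m: re.Match, line: str) -> list[Finding]:
    findings = []
    # ProxyServer may be "host:port" or "scheme=host:port;scheme=host:port".
    for entry in filter(None, m['value'].split(';')):
        hostport = entry.split('=', 1)[-1].strip()
        host, _, port = hostport.rpartition(':')
        if host.strip('[]') in LOOPBACK:
            findings.append(Finding('high', line,
                f'browser proxy forced through loopback port {port}: find the '
                f'process listening there before trusting any web traffic'))
    return findings


def check_service(m: re.Match, line: str, wow64_host: bool) -> list[Finding]:
    if not m['missing']:
        return []
    if wow64_host and m['path'].lower().startswith('c:\\windows\\'):
        # 32-bit HijackThis on a 64-bit host is redirected to SysWOW64, so native
        # system32 binaries look missing (the point Jintan makes in post #2).
        return [Finding('info', line,
                        'file missing under Windows on a 64-bit host: likely WOW64 redirection')]
    return [Finding('high', line, 'service binary missing: orphaned entry, verify before removing')]


def triage(log_text: str) -> list[Finding]:
    lines = [l.rstrip() for l in log_text.splitlines() if l.strip()]
    wow64_host = any('Program Files (x86)' in l for l in lines)
    findings: list[Finding] = []
    for line in lines:
        if m := RUN_RE.match(line):
            findings += check_run(m, line)
        elif m := PROXY_RE.match(line):
            findings += check_proxy(m, line)
        elif m := SERVICE_RE.match(line):
            findings += check_service(m, line, wow64_host)
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity}] {f.reason}\n    {f.line}')
```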
#3
December 9th, 2010, 06:40 AM
johnny_
Senior Member
Join Date: Nov 2005
Posts: 246
Hey Jin, sorry for the delay. I had gone on vacation for a few days, and when I got back I found that my brother had rebooted the computer and reinstalled Windows, was still unhappy with the performance, and just disconnected everything and is using a laptop. So I reconnected and started the computer, but now I'm not sure if it's still infected.

Logfile of random's system information tool 1.08 (written by random/random)
Run by melara at 2010-12-09 00:14:35
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 237 GB (80%) free of 295 GB
Total RAM: 4084 MB (87% free)

HijackThis download failed

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files (x86)\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2010-11-12 297648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll [2010-11-14 843832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - C:\Program Files (x86)\Dell\BAE\BAE.dll [2006-11-09 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2010-11-12 297648]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe [2008-02-22 144784]
"Adobe Reader Speed Launcher"=C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-05-11 40048]
"pccguide.exe"=C:\Program Files (x86)\Trend Micro\Internet Security 14\pccguide.exe [2007-08-27 1807696]
"QuickTime Task"=C:\Program Files (x86)\QuickTime\QTTask.exe [2010-09-08 421888]
"iTunesHelper"=C:\Program Files (x86)\iTunes\iTunesHelper.exe [2010-11-17 421160]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-09-18 68856]
"WMPNSCFG"=C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe []
"bebxknfh"=C:\Users\melara\AppData\Local\Temp\xeorqrfhh\tfqnkojtsbl.exe [2010-11-23 240640]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Digital Line Detect.lnk - C:\Program Files (x86)\Digital Line Detect\DLG.exe
Microsoft Office.lnk - C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktop"=1
"NoActiveDesktopChanges"=1
"ForceActiveDesktopOn"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2010-12-09 00:14:35 ----D---- C:\rsit
2010-11-25 14:01:08 ----D---- C:\ProgramData\MFAData
2010-11-24 21:47:12 ----D---- C:\Users\melara\AppData\Roaming\Malwarebytes
2010-11-24 21:47:07 ----A---- C:\Windows\SysWOW64\drivers\mbamswissarmy.sys
2010-11-24 21:47:06 ----D---- C:\ProgramData\Malwarebytes
2010-11-24 21:47:06 ----D---- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2010-11-24 21:09:45 ----A---- C:\Windows\ntbtlog.txt
2010-11-22 23:34:56 ----D---- C:\Users\melara\AppData\Roaming\Apple Computer
2010-11-22 23:34:37 ----A---- C:\Windows\SysWOW64\GEARAspi.dll
2010-11-22 23:33:25 ----D---- C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2010-11-22 23:33:25 ----D---- C:\Program Files (x86)\iTunes
2010-11-22 23:32:31 ----D---- C:\Program Files (x86)\QuickTime
2010-11-22 23:32:30 ----D---- C:\ProgramData\Apple Computer
2010-11-22 23:32:15 ----D---- C:\Program Files (x86)\Apple Software Update
2010-11-22 23:30:36 ----D---- C:\Program Files (x86)\Bonjour
2010-11-22 23:30:15 ----D---- C:\ProgramData\Apple
2010-11-22 23:30:15 ----D---- C:\Program Files (x86)\Common Files\Apple
2010-11-22 13:44:56 ----A---- C:\Windows\ODBC.INI
2010-11-22 13:44:05 ----D---- C:\Program Files (x86)\Common Files\Designer
2010-11-22 13:42:47 ----D---- C:\Users\melara\AppData\Roaming\Microsoft Web Folders
2010-11-17 18:44:58 ----A---- C:\Windows\SysWOW64\msshsq.dll
2010-11-15 15:27:21 ----A---- C:\Windows\SysWOW64\winhttp.dll
2010-11-15 15:26:38 ----A---- C:\Windows\SysWOW64\sscore.dll
2010-11-15 15:26:38 ----A---- C:\Windows\SysWOW64\netevent.dll
2010-11-15 15:26:15 ----A---- C:\Windows\SysWOW64\inetcomm.dll
2010-11-14 23:08:41 ----D---- C:\Program Files (x86)\Spirent Communications
2010-11-14 23:08:36 ----D---- C:\Program Files (x86)\HTC
2010-11-14 11:34:57 ----A---- C:\Windows\SysWOW64\msshooks.dll
2010-11-14 11:34:57 ----A---- C:\Windows\SysWOW64\msscb.dll
2010-11-14 11:34:57 ----A---- C:\Windows\SysWOW64\mimefilt.dll
2010-11-14 11:34:55 ----A---- C:\Windows\SysWOW64\thawbrkr.dll
2010-11-14 11:34:55 ----A---- C:\Windows\SysWOW64\SearchFilterHost.exe
2010-11-14 11:34:55 ----A---- C:\Windows\SysWOW64\propsys.dll
2010-11-14 11:34:55 ----A---- C:\Windows\SysWOW64\propdefs.dll
2010-11-14 11:34:55 ----A---- C:\Windows\SysWOW64\offfilt.dll
2010-11-14 11:34:55 ----A---- C:\Windows\SysWOW64\msstrc.dll
2010-11-14 11:34:55 ----A---- C:\Windows\SysWOW64\mssprxy.dll
2010-11-14 11:34:55 ----A---- C:\Windows\SysWOW64\mssitlb.dll
2010-11-14 11:34:55 ----A---- C:\Windows\SysWOW64\korwbrkr.dll
2010-11-14 11:34:55 ----A---- C:\Windows\SysWOW64\chsbrkr.dll
2010-11-14 11:34:54 ----A---- C:\Windows\SysWOW64\xmlfilter.dll
2010-11-14 11:34:54 ----A---- C:\Windows\SysWOW64\tquery.dll
2010-11-14 11:34:54 ----A---- C:\Windows\SysWOW64\SearchProtocolHost.exe
2010-11-14 11:34:54 ----A---- C:\Windows\SysWOW64\SearchIndexer.exe
2010-11-14 11:34:54 ----A---- C:\Windows\SysWOW64\rtffilt.dll
2010-11-14 11:34:54 ----A---- C:\Windows\SysWOW64\nlhtml.dll
2010-11-14 11:34:54 ----A---- C:\Windows\SysWOW64\mssvp.dll
2010-11-14 11:34:54 ----A---- C:\Windows\SysWOW64\mssrch.dll
2010-11-14 11:34:54 ----A---- C:\Windows\SysWOW64\mssphtb.dll
2010-11-14 11:34:54 ----A---- C:\Windows\SysWOW64\mssph.dll
2010-11-14 11:34:54 ----A---- C:\Windows\SysWOW64\msscntrs.dll
2010-11-14 11:34:54 ----A---- C:\Windows\SysWOW64\chtbrkr.dll
2010-11-12 12:36:43 ----D---- C:\Users\melara\AppData\Roaming\Template

======List of files/folders modified in the last 1 months======

2010-12-09 00:07:25 ----D---- C:\Windows\Temp
2010-12-09 00:05:07 ----D---- C:\Windows\Prefetch
2010-11-25 14:02:06 ----D---- C:\Windows\winsxs
2010-11-25 14:01:52 ----SHD---- C:\Windows\Installer
2010-11-25 14:01:48 ----D---- C:\Program Files (x86)\Common Files\microsoft shared
2010-11-25 14:01:08 ----HD---- C:\ProgramData
2010-11-25 14:01:02 ----D---- C:\Windows\System32
2010-11-25 14:01:01 ----D---- C:\Windows\inf
2010-11-24 21:47:46 ----D---- C:\Windows\SysWOW64\drivers
2010-11-24 21:47:06 ----RD---- C:\Program Files (x86)
2010-11-24 21:09:45 ----D---- C:\Windows
2010-11-23 18:27:41 ----SHD---- C:\System Volume Information
2010-11-22 23:34:38 ----D---- C:\Windows\SysWOW64
2010-11-22 23:33:27 ----RD---- C:\Program Files
2010-11-22 23:32:55 ----D---- C:\Program Files (x86)\Internet Explorer
2010-11-22 23:30:15 ----D---- C:\Program Files (x86)\Common Files
2010-11-22 18:13:51 ----SD---- C:\Users\melara\AppData\Roaming\Microsoft
2010-11-22 13:44:40 ----A---- C:\Windows\win.ini
2010-11-22 13:44:19 ----RSD---- C:\Windows\Fonts
2010-11-22 13:43:47 ----D---- C:\Program Files (x86)\Common Files\System
2010-11-22 13:43:42 ----D---- C:\Windows\ShellNew
2010-11-22 13:43:25 ----D---- C:\Windows\MSAgent
2010-11-22 13:43:25 ----D---- C:\Windows\Help
2010-11-22 13:42:47 ----D---- C:\Program Files (x86)\Microsoft Office
2010-11-22 13:39:20 ----D---- C:\Windows\system
2010-11-18 22:13:22 ----SD---- C:\Windows\Downloaded Program Files
2010-11-18 20:55:33 ----D---- C:\Windows\rescache
2010-11-17 23:09:03 ----D---- C:\Windows\SysWOW64\en-US
2010-11-14 12:00:29 ----D---- C:\Windows\Microsoft.NET
2010-11-14 12:00:28 ----RSD---- C:\Windows\assembly
2010-11-14 11:41:31 ----D---- C:\Program Files (x86)\Windows Media Player
2010-11-14 11:41:30 ----D---- C:\Windows\SysWOW64\wbem
2010-11-14 11:41:30 ----D---- C:\Windows\PolicyDefinitions
2010-11-14 11:41:27 ----D---- C:\Windows\AppPatch
2010-11-14 11:23:45 ----D---- C:\Program Files (x86)\Windows Mail
2010-11-12 13:04:32 ----D---- C:\Users\melara\AppData\Roaming\Adobe
2010-11-12 12:28:05 ----SD---- C:\ProgramData\Microsoft

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 PxHlpa64;PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys []
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032e.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys []
R3 tmcfw;Trend Micro Common Firewall Service; C:\Windows\system32\DRIVERS\TM_CFW.sys []
S1 tmtdi;Trend Micro TDI Driver; C:\Windows\system32\DRIVERS\tmtdi.sys []
S2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys []
S2 tmpreflt;tmpreflt; C:\Windows\system32\DRIVERS\tmpreflt.sys []
S2 Tmxpflt;tmxpflt; C:\Windows\system32\drivers\TmXPFlt.sys []
S2 vsapint;vsapint; C:\Windows\system32\DRIVERS\vsapint.sys []
S2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio64.sys []
S3 CAXHWBS2;CAXHWBS2; C:\Windows\system32\DRIVERS\CAXHWBS2.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys []
S3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\CAX_DPV.sys []
S3 HTCAND64;HTC Device Driver; C:\Windows\System32\Drivers\ANDROIDUSB.sys []
S3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd64.sys []
S3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHD64.sys []
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys []
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys []
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys []
S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys []
S3 RimUsb;BlackBerry Smartphone; C:\Windows\System32\Drivers\RimUsb_AMD64.sys []
S3 USBAAPL64;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl64.sys []
S3 winachsf;winachsf; C:\Windows\system32\DRIVERS\CAX_CNXT.sys []
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys []
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys []
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S2 AERTFilters;Andrea RT Filters Service; C:\Windows\system32\AERTSr64.exe []
S2 Apple Mobile Device;Apple Mobile Device; C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2010-10-16 37664]
S2 Bonjour Service;Bonjour Service; C:\Program Files (x86)\Bonjour\mDNSResponder.exe [2010-10-07 345376]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S2 gupdate;Google Update Service (gupdate); C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-11-06 135664]
S2 PcCtlCom;Trend Micro Central Control Component; C:\PROGRA~2\TRENDM~1\INTERN~1\PcCtlCom.exe [2007-08-27 1471840]
S2 Tmntsrv;Trend Micro Real-time Service; C:\PROGRA~2\TRENDM~1\INTERN~1\Tmntsrv.exe [2007-08-27 345432]
S2 TmPfw;Trend Micro Personal Firewall; C:\PROGRA~2\TRENDM~1\INTERN~1\TmPfw.exe [2007-08-27 923216]
S2 tmproxy;Trend Micro Proxy Service; C:\PROGRA~2\TRENDM~1\INTERN~1\tmproxy.exe [2007-08-27 566872]
S2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio64.exe []
S3 gusvc;Google Software Updater; C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-11-06 182768]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2010-11-17 932640]
S3 PerfHost;@%systemroot%\sysWow64\perfhost.exe,-2; C:\Windows\SysWow64\perfhost.exe [2008-01-20 19968]
S3 stllssvr;stllssvr; C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe [2008-03-24 74384]
S3 WPFFontCache_v0400;@c:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]

-----------------EOF-----------------
#4
December 9th, 2010, 06:41 AM
johnny_
Senior Member
Join Date: Nov 2005
Posts: 246
info.txt logfile of random's system information tool 1.08 2010-12-09 00:14:39

======Uninstall list======

-->MsiExec.exe /I{95D9B4D8-B091-4fab-80EA-313EB4B82FD6}
-->MsiExec.exe /I{EB997E90-5EB0-4eb5-90D0-90B1D2F0CA03}
Adobe Flash Player 10 ActiveX-->C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10l_ActiveX.exe -maintain activex
Adobe Reader 8.1.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Apple Application Support-->MsiExec.exe /I{EE6097DD-05F4-4178-9719-D3170BF098E8}
Apple Software Update-->MsiExec.exe /I{C41300B9-185D-475E-BFEC-39EF732F19B1}
Browser Address Error Redirector-->MsiExec.exe /I{62230596-37E5-4618-A329-0D21F529A86F}
Browser Address Error Redirector-->regsvr32 /u /s "C:\Program Files (x86)\Dell\BAE\BAE.dll"
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Dell Getting Started Guide-->MsiExec.exe /I{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}
Digital Line Detect-->C:\Program Files (x86)\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
EDocs-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{6B7B6D4D-8F9B-4CB3-8CA4-BCA9CC4C1A22}\setup.exe"
Google Toolbar for Internet Explorer-->"C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_AC0049E063DE2AEA.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->c:\Windows\SysWOW64\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->c:\Windows\SysWOW64\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {08155812-0202-4D5F-A7FF-12A2782DC548} /qb+ REBOOTPROMPT=""
HTC Driver Installer-->MsiExec.exe /X{6D6664A9-3342-4948-9B7E-034EFE366F0F}
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Malwarebytes' Anti-Malware-->"F:\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office 2000 SR-1 Small Business-->MsiExec.exe /I{00030409-78E1-11D2-B60F-006097C998E7}
Microsoft Office PowerPoint Viewer 2007 (English)-->MsiExec.exe /X{95120000-00AF-0409-0000-0000000FF1CE}
Microsoft Works-->MsiExec.exe /I{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}
NetWaiting-->C:\Program Files (x86)\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
QuickTime-->MsiExec.exe /I{E7004147-2CCA-431C-AA05-2AB166B9785D}
Realtek High Definition Audio Driver-->RtlUpd64.exe -r -m -nrg2709
Roxio Creator Audio-->MsiExec.exe /I{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}
Roxio Creator Copy-->MsiExec.exe /I{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}
Roxio Creator Data-->MsiExec.exe /I{08E81ABD-79F7-49C2-881F-FD6CB0975693}
Roxio Creator DE-->C:\ProgramData\Uninstall\{09760D42-E223-42AD-8C3E-55B47D0DDAC3}\setup.exe /x {09760D42-E223-42AD-8C3E-55B47D0DDAC3}
Roxio Creator DE-->MsiExec.exe /I{ED439A64-F018-4DD4-8BA5-328D85AB09AB}
Roxio Creator Tools-->MsiExec.exe /I{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}
Roxio Express Labeler 3-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)-->c:\Windows\SysWOW64\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {8EAF4926-5B5D-398A-BA46-4603D8095BDE} /qb+ REBOOTPROMPT=""
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)-->c:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {FD8D7C9A-E56A-3E7B-BA6D-FE68F13296E3} /parameterfolder Client
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->c:\Windows\SysWOW64\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""

======Security center information======

AV: PC-cillin Internet Security - Virus Protection (outdated)
FW: PC-cillin Internet Security - Firewall
AS: PC-cillin Internet Security - Spyware Protection (outdated)
AS: Windows Defender

======System event log======

Computer Name: melara-PC
Event Code: 10005
Message: DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server:
{145B4335-FE2A-4927-A040-7C35AD3180EF}
Record Number: 31914
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20101209051156.000000-000
Event Type: Error
User:

Computer Name: melara-PC
Event Code: 10005
Message: DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server:
{9E175B6D-F52A-11D8-B9A5-505054503030}
Record Number: 31916
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20101209051159.000000-000
Event Type: Error
User:

Computer Name: melara-PC
Event Code: 7001
Message: The Computer Browser service depends on the Server service which failed to start because of the following error:
The dependency service or group failed to start.
Record Number: 31931
Source Name: Service Control Manager
Time Written: 20101209051224.000000-000
Event Type: Error
User:

Computer Name: melara-PC
Event Code: 7001
Message: The Trend Micro Proxy Service service depends on the Trend Micro TDI Driver service which failed to start because of the following error:
A device attached to the system is not functioning.
Record Number: 31934
Source Name: Service Control Manager
Time Written: 20101209051224.000000-000
Event Type: Error
User:

Computer Name: melara-PC
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
spldr
tmtdi
Wanarpv6
Record Number: 31941
Source Name: Service Control Manager
Time Written: 20101209051224.000000-000
Event Type: Error
User:

=====Application event log=====

Computer Name: melara-PC
Event Code: 20
Message:
Record Number: 1082
Source Name: Google Update
Time Written: 20101209050415.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: melara-PC
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 1085
Source Name: Microsoft-Windows-WMI
Time Written: 20101209050516.000000-000
Event Type: Error
User:

Computer Name: melara-PC
Event Code: 6000
Message: The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Record Number: 1096
Source Name: Microsoft-Windows-Winlogon
Time Written: 20101209051147.000000-000
Event Type: Warning
User:

Computer Name: melara-PC
Event Code: 4609
Message: The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043c from line 45 of d:\vistasp1_gdr\com\complus\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.
Record Number: 1098
Source Name: Microsoft-Windows-EventSystem
Time Written: 20101209051155.000000-000
Event Type: Error
User:

Computer Name: melara-PC
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 1101
Source Name: Microsoft-Windows-WMI
Time Written: 20101209051224.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: melara-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: MELARA-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 2

New Logon:
Security ID: S-1-5-21-1228640144-478557661-3270467536-1000
Account Name: melara
Account Domain: melara-PC
Logon ID: 0x1b52c
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x234
Process Name: C:\Windows\System32\winlogon.exe

Network Information:
Workstation Name: MELARA-PC
Source Network Address: 127.0.0.1
Source Port: 0

Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 2937
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20101209051147.404228-000
Event Type: Audit Success
User:

Computer Name: melara-PC
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-21-1228640144-478557661-3270467536-1000
Account Name: melara
Account Domain: melara-PC
Logon ID: 0x1b52c

Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 2938
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20101209051147.404228-000
Event Type: Audit Success
User:

Computer Name: melara-PC
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: MELARA-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 2939
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20101209051156.982628-000
Event Type: Audit Success
User:

Computer Name: melara-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: MELARA-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 2940
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20101209051156.982628-000
Event Type: Audit Success
User:

Computer Name: melara-PC
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 2941
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20101209051156.982628-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files (x86)\Common Files\Roxio Shared\DLLShared\;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\DLLShared\;C:\Program Files (x86)\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=AMD64
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=Intel64 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"TRACE_FORMAT_SEARCH_PATH"=\\NTREL202.ntdev.corp.microsoft.com\34FB5F65-FFEB-4B61-BF0E-A6A76C450FAA\TraceFormat
"DFSTRACINGON"=FALSE
"RoxioCentral"=C:\Program Files (x86)\Common Files\Roxio Shared\10.0\Roxio Central36\
"asl.log"=Destination=file
"CLASSPATH"=.;C:\Program Files (x86)\Java\jre1.6.0_05\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files (x86)\Java\jre1.6.0_05\lib\ext\QTJava.zip
"SAFEBOOT_OPTION"=NETWORK

-----------------EOF-----------------
  #5  
Old December 9th, 2010, 06:43 AM
johnny_ johnny_ is offline
Senior Member
 
Join Date: Nov 2005
Posts: 246
Nothing popped up on the GMER scan.



Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6001

device: opened successfully
user: error reading MBR

Disk trace:
error: Read The handle is invalid.
kernel: error reading MBR


These scans were done without internet access since my brother disconnected the computer and is using a laptop instead. Should I try connecting the computer to the internet?
  #6  
Old December 11th, 2010, 04:03 AM
Jintan Jintan is offline
Malware Removal Team Advisor
 
Join Date: Dec 2004
Posts: 49,702
Since a long break in repairs can leave any previous work/scans no longer accurate, it really does call for starting a current new request thread. Many of the specialty tool scans we use here have not yet updated for Vista 64 bit, so errors like what the mbr.exe log shows can very likely be due to the update issue.


Not seeing any malware in the log just posted, which could be expected due to the changes your brother made. But to be sure no infected files were removed before the change, and then returned, a good idea would be to run a current scan. And yes, you are probably okay for connecting to the Internet again.


Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready. Next, check the following boxes:

Remove found threats
Scan unwanted applications


Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Click Start. This scan may take a while, so please be patient. A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here please.


If you have any problems getting Eset started, one work-around is to have an open Internet connection, and then click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file, and follow the same previous steps to run the scan.